| delorie.com/archives/browse.cgi | search |
| X-Recipient: | archive-cygwin AT delorie DOT com |
| DomainKey-Signature: | a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:date:from:to:subject:message-id:reply-to | |
| :mime-version:content-type; q=dns; s=default; b=hgIOBeDkFTx5ZW1t | |
| soBVwdJjzpOu2mZgNa07rbGARDR+sx3Wui2Cevk0DZIec11v5LRxUMtnrp1pjbiY | |
| ZqPHvobEzg3aqysBdBHq2F4HXgixNguhvRS3l/k2jTNVn3TQqbEGaMCd4c+fRezl | |
| eBNbI2DZKPkiL4wfYd71YA68EO0= | |
| DKIM-Signature: | v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id |
| :list-unsubscribe:list-subscribe:list-archive:list-post | |
| :list-help:sender:date:from:to:subject:message-id:reply-to | |
| :mime-version:content-type; s=default; bh=VsDQjXelNhgNW9Xc0sthNL | |
| MrdS4=; b=sPeMwPysxdyN2RsaxP3H0NChETdvBuq83RfLjfxwcp2qlq1zClaNke | |
| 8wDzUjnMNfR70FlltLMfpmQ1U5Hj8cCSB8IB974uHhaAON09yEZDQigHQaMlzEON | |
| LGAYH1EjtCbLIudoe6G2leFm0cwrKTW56w9OnhkLo1qHtBobHALi8= | |
| Mailing-List: | contact cygwin-help AT cygwin DOT com; run by ezmlm |
| List-Id: | <cygwin.cygwin.com> |
| List-Subscribe: | <mailto:cygwin-subscribe AT cygwin DOT com> |
| List-Archive: | <http://sourceware.org/ml/cygwin/> |
| List-Post: | <mailto:cygwin AT cygwin DOT com> |
| List-Help: | <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs> |
| Sender: | cygwin-owner AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| Delivered-To: | mailing list cygwin AT cygwin DOT com |
| Authentication-Results: | sourceware.org; auth=none |
| X-Virus-Found: | No |
| X-Spam-SWARE-Status: | No, score=-4.1 required=5.0 tests=AWL,BAYES_50,KAM_LAZY_DOMAIN_SECURITY autolearn=no version=3.3.2 |
| X-HELO: | calimero.vinschen.de |
| Date: | Fri, 12 Jun 2015 12:52:46 +0200 |
| From: | Corinna Vinschen <corinna-cygwin AT cygwin DOT com> |
| To: | cygwin AT cygwin DOT com |
| Subject: | [HEADSUP] ABI breakage in OpenSSL 1.0.2b |
| Message-ID: | <20150612105246.GA22082@calimero.vinschen.de> |
| Reply-To: | cygwin AT cygwin DOT com |
| Mail-Followup-To: | cygwin AT cygwin DOT com |
| MIME-Version: | 1.0 |
| User-Agent: | Mutt/1.5.23 (2014-03-12) |
--TB36FDmn/VVEgNH/
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Hi guys,
this is a friendly warning that the latest OpenSSL version not only
introduced security bugfixes, but unfortunately also an inadvertent ABI
breakage.
Specifically, the HMAC_CTX stucture has a new "key_init" field of type
integer:
--- a/crypto/hmac/hmac.h
+++ b/crypto/hmac/hmac.h
@@ -75,6 +75,7 @@ typedef struct hmac_ctx_st {
EVP_MD_CTX o_ctx;
unsigned int key_length;
unsigned char key[HMAC_MAX_MD_CBLOCK];
+ int key_init;
} HMAC_CTX;
Thus the size of HMAC_CTX changed, which breaks binary compatibility.
The problem is currently discussed in the OpenSSL community:
https://mta.openssl.org/pipermail/openssl-dev/2015-June/001788.html
OpenSSH 6.8p1 is not affected, but there's no guarantee that other
tools linked against OpenSSL might not crash when using crypto
functions.
What you should do for the time being:
- Update to OpenSSL 1.0.2b and use it in the first place for security
reasons.
- If you have an application which suddenly crashes with 1.0.2b, and if
this application is crucial for your daily work, and if you're sure
that the security problems fixed in 1.0.2b don't affect you, then, and
only then, revert to OpenSSL 1.0.2a.
- If you *build* applications linked against OpenSSL, continue linking
against openssl-devel-1.0.2a-1.
I'll keep you informed (probably by updating OpenSSL) as soon as the as
the problem hasn't been addressed upstream.
Cheers,
Corinna
--=20
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat
--TB36FDmn/VVEgNH/
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJVern+AAoJEPU2Bp2uRE+gcfAP/R3kJ9L4WYc4B3OSiAr8UcDj
66t3eh9lry6Olm+hlcV84LpMNtX+qDehcP2UQ7n1pWfsnf/Hxa0+4b24xvjM3v++
marp6i9VWSQWJ4PDU0L3Z7KzY3ONbBUlF5u39GKPrEx0CHVpJzTA2JNc6Yr2q6Zj
3Twp30O35E4W6HlgmgN+VTyTiKPOtvlZs3Nf0/7qOQ/u3alnmv8XP8sr4Mj2ECVW
SrKNTPWQpXzZesHHqT/QLa33XMHYV6+LukyruaFwokV09U42aH/FbbegYvIzNbby
MzR583O0IZIsZk13BiXwBSUmZuNst1+DkjIZJNsIJ8YoevROPehg1MUblaMcBYN/
kLmWsqcmL/xrNnDIjc9xu9sE6PyYHKswjBHUc/jf0bVjwNaRd+Qk2hBgYILLcJQ/
uREkX08MjE3nKpmZbabSUfmpVcJR7iWUV2EHgUxz02HP2f0yCVT5lx4OsQhdaXpj
zeu8Q1LiKpNaN1nM7//ZPHlgzjuJr7sXjv2ho9BKjkDdAETsDauX5wu5GnxfIfrl
/ics/16hT23KUiKvz/1snaX5rXPwmA8fdl4E9BJ3roHuoj6+J13cW4IJeEovKlMj
JPTuVYn8QbeMrpbZ2rxVvOavdhSh41NkrStGSaoMcgg6q8CHeP03OmZpSOdg6Z++
i4bbNRLasHPAAUQoT/wC
=0cYZ
-----END PGP SIGNATURE-----
--TB36FDmn/VVEgNH/--
| webmaster | delorie software privacy |
| Copyright © 2019 by DJ Delorie | Updated Jul 2019 |