Mail Archives: cygwin/2018/04/03/10:01:44

delorie.com/archives/browse.cgi

search

Mail Archives: cygwin/2018/04/03/10:01:44

X-Recipient: archive-cygwin AT delorie DOT com

DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:reply-to:date:from:to:subject:message-id

:mime-version:content-type; q=dns; s=default; b=ofNRiJOpVZm5j5Ak

bF0k7wiJIdh8aMTJvgxcQqkoxsbpRNIMpCRjyVjqpnuglHto8XAVpxssOhQqUBZ/

eDuXFiql/noI2yjcS/4F6d/n9XE0BznElyn3FwkRZzLCL5BvRibZXyP07aZHpyH0

WuprfMvsNZfGB+R2WQedYyCyqXA=

DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id

:list-unsubscribe:list-subscribe:list-archive:list-post

:list-help:sender:reply-to:date:from:to:subject:message-id

:mime-version:content-type; s=default; bh=sxieKlKbY7VVV7I4K4cygp

nGaho=; b=GLQnyx0Au1gyh2irm8vqPNbRuQAxs8vIufBsbfdxSthBuYfmUIp5IE

G9WDPzT7b0BRfxss7LXCWruFqNrFrYxaVuhnspf8bXQ/qn+Dw8wX6y1pAX06+/Q5

tsPIfvF94PZBgL6zhJvzc/AY4DxwlGuXil7CAVIPAKYQkCsSStvRg=

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm

List-Id: <cygwin.cygwin.com>

List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>

List-Archive: <http://sourceware.org/ml/cygwin/>

List-Post: <mailto:cygwin AT cygwin DOT com>

List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>

Sender: cygwin-owner AT cygwin DOT com

Mail-Followup-To: cygwin AT cygwin DOT com

Delivered-To: mailing list cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Virus-Found: No

X-Spam-SWARE-Status: No, score=-1.6 required=5.0 tests=ALL_TRUSTED,BAYES_00,KAM_ASCII_DIVIDERS,KAM_NUMSUBJECT autolearn=no version=3.3.2 spammy=H*UA:Internet, HX-HELO:sk:localho

X-HELO: localhost.localdomain

Reply-To: cygwin AT cygwin DOT com

Authentication-Results: sourceware.org; auth=none

X-Virus-Found: No

Date: Tue, 3 Apr 2018 15:51:21 +0200

From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>

To: cygwin AT cygwin DOT com

Subject: [ANNOUNCEMENT] Updated: openssl-1.0.2o-1

Message-Id: <announce.20180403135121.GA28377@calimero.vinschen.de>

MIME-Version: 1.0

User-Agent: Mutt/1.9.2 (2017-12-15)

X-UI-Out-Filterresults: notjunk:1;V01:K0:VfklU4favgM=:3HMNIDCwPGQvXY+un6+CGw 5Ugs27baTv/6w8LSOWQbRcTZFj+zpKHWQct7VcUbcSAj4vnpOmj6b6AoTAs01IQW8tt9NNwu6 yBFfdCibS/REr4H/G/QJUzjX5ShN6m9gE+ffEKULy4xKTwqu4heZY/lKxpAwuqoDAmP1Xml4z /823kyKFuTkEFD6CCM4Esu7dSdxyA8vnTpGfeKm+kfyy8EMBfcKQYU1tx/GdH7x1eHCLF7bNG Npll/+4Zbwyt//G6QRNto9cTvc3dmfusCXedKfhpwpy1BK9byNAODt7zp+jmUISc+95O+BojZ bBtufbT4a7RA0OcKCMS4ixE9wihZO6OkxS/I/yj8oJ3zaYGt9umt6PbLpJH0Cl+kZy1SAg8f4 Th0TL6rFAlSwvsIcVWyt/ayRlj1pkEE4YKt9iPiL6cC9sPPoNE071gQzkIEUr+qNPP0dnFgj/ XdJXvrY/+LnHzrN3n2JoQwy7naC48VxtNwY0tF1tZlSebQpW3MB8EY9aPe8smGGmovaDsrJM4 GR9dtniWX0wtS+PRk/SjNUuGphxxAFLHfOv+1xTHgJ0Zjsmz6ranJESeP4564Mp2dNtZJPiEn 3LQ5eYsfy6en+Wyiwuaq1A4Ncs6RH6vYwMrcpqAVUdv7SzETdaNbGsd3nydBQfdSKuUuxaDRP O0uExWODumEGNmif1XKMKdBeRnqE/DYB2Iu4K0eKC25rtZsUQ2gZn58q5sRWkokQauWpWGHJC KQusLwNH9G80OVFzgaVw1L2UD15CzZlDvEUT3A==

Hi folks,


I've updated the version of OpenSSL to 1.0.2o-1.  This is a security
bugfix release.

------------------------------------------------------------------------

OpenSSL Security Advisory [27 Mar 2018]
========================================

Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739)
==========================================================================================

Severity: Moderate

Constructed ASN.1 types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There are
no such structures used within SSL/TLS that come from untrusted sources so this
is considered safe.

OpenSSL 1.1.0 users should upgrade to 1.1.0h
OpenSSL 1.0.2 users should upgrade to 1.0.2o

This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz project.
The fix was developed by Matt Caswell of the OpenSSL development team.

Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733)
========================================================

Severity: Moderate

Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
effectively reduced to only comparing the least significant bit of each byte.
This allows an attacker to forge messages that would be considered as
authenticated in an amount of tries lower than that guaranteed by the security
claims of the scheme. The module can only be compiled by the HP-UX assembler, so
that only HP-UX PA-RISC targets are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0h

This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg (IBM).
The fix was developed by Andy Polyakov of the OpenSSL development team.

rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
=========================================================

Severity: Low

This issue has been reported in a previous OpenSSL security advisory and a fix
was provided for OpenSSL 1.0.2. Due to the low severity no fix was released at
that time for OpenSSL 1.1.0. The fix is now available in OpenSSL 1.1.0h.

There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this defect
would be very difficult to perform and are not believed likely. Attacks
against DH1024 are considered just feasible, because most of the work
necessary to deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have to share
the DH1024 private key among multiple clients, which is no longer an option
since CVE-2016-0701.

This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).

Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
and CVE-2015-3193.

OpenSSL 1.1.0 users should upgrade to 1.1.0h
OpenSSL 1.0.2 users should upgrade to 1.0.2n

This issue was reported to OpenSSL on 22nd November 2017 by David Benjamin
(Google). The issue was originally found via the OSS-Fuzz project. The fix was
developed by Andy Polyakov of the OpenSSL development team.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20180327.txt

------------------------------------------------------------------------

Have fun,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

- Raw text -

webmaster	delorie software privacy
Copyright © 2019 by DJ Delorie	Updated Jul 2019

X-Recipient:	archive-cygwin AT delorie DOT com
DomainKey-Signature:	a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:date:from:to:subject:message-id
	:mime-version:content-type; q=dns; s=default; b=ofNRiJOpVZm5j5Ak
	bF0k7wiJIdh8aMTJvgxcQqkoxsbpRNIMpCRjyVjqpnuglHto8XAVpxssOhQqUBZ/
	eDuXFiql/noI2yjcS/4F6d/n9XE0BznElyn3FwkRZzLCL5BvRibZXyP07aZHpyH0
	WuprfMvsNZfGB+R2WQedYyCyqXA=
DKIM-Signature:	v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:reply-to:date:from:to:subject:message-id
	:mime-version:content-type; s=default; bh=sxieKlKbY7VVV7I4K4cygp
	nGaho=; b=GLQnyx0Au1gyh2irm8vqPNbRuQAxs8vIufBsbfdxSthBuYfmUIp5IE
	G9WDPzT7b0BRfxss7LXCWruFqNrFrYxaVuhnspf8bXQ/qn+Dw8wX6y1pAX06+/Q5
	tsPIfvF94PZBgL6zhJvzc/AY4DxwlGuXil7CAVIPAKYQkCsSStvRg=
Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id:	<cygwin.cygwin.com>
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Virus-Found:	No
X-Spam-SWARE-Status:	No, score=-1.6 required=5.0 tests=ALL_TRUSTED,BAYES_00,KAM_ASCII_DIVIDERS,KAM_NUMSUBJECT autolearn=no version=3.3.2 spammy=H*UA:Internet, HX-HELO:sk:localho
X-HELO:	localhost.localdomain
Reply-To:	cygwin AT cygwin DOT com
Authentication-Results:	sourceware.org; auth=none
X-Virus-Found:	No
Date:	Tue, 3 Apr 2018 15:51:21 +0200
From:	Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To:	cygwin AT cygwin DOT com
Subject:	[ANNOUNCEMENT] Updated: openssl-1.0.2o-1
Message-Id:	<announce.20180403135121.GA28377@calimero.vinschen.de>
MIME-Version:	1.0
User-Agent:	Mutt/1.9.2 (2017-12-15)
X-UI-Out-Filterresults:	notjunk:1;V01:K0:VfklU4favgM=:3HMNIDCwPGQvXY+un6+CGw 5Ugs27baTv/6w8LSOWQbRcTZFj+zpKHWQct7VcUbcSAj4vnpOmj6b6AoTAs01IQW8tt9NNwu6 yBFfdCibS/REr4H/G/QJUzjX5ShN6m9gE+ffEKULy4xKTwqu4heZY/lKxpAwuqoDAmP1Xml4z /823kyKFuTkEFD6CCM4Esu7dSdxyA8vnTpGfeKm+kfyy8EMBfcKQYU1tx/GdH7x1eHCLF7bNG Npll/+4Zbwyt//G6QRNto9cTvc3dmfusCXedKfhpwpy1BK9byNAODt7zp+jmUISc+95O+BojZ bBtufbT4a7RA0OcKCMS4ixE9wihZO6OkxS/I/yj8oJ3zaYGt9umt6PbLpJH0Cl+kZy1SAg8f4 Th0TL6rFAlSwvsIcVWyt/ayRlj1pkEE4YKt9iPiL6cC9sPPoNE071gQzkIEUr+qNPP0dnFgj/ XdJXvrY/+LnHzrN3n2JoQwy7naC48VxtNwY0tF1tZlSebQpW3MB8EY9aPe8smGGmovaDsrJM4 GR9dtniWX0wtS+PRk/SjNUuGphxxAFLHfOv+1xTHgJ0Zjsmz6ranJESeP4564Mp2dNtZJPiEn 3LQ5eYsfy6en+Wyiwuaq1A4Ncs6RH6vYwMrcpqAVUdv7SzETdaNbGsd3nydBQfdSKuUuxaDRP O0uExWODumEGNmif1XKMKdBeRnqE/DYB2Iu4K0eKC25rtZsUQ2gZn58q5sRWkokQauWpWGHJC KQusLwNH9G80OVFzgaVw1L2UD15CzZlDvEUT3A==