X-Recipient: archive-cygwin@delorie.com
Mailing-List: contact cygwin-help@cygwin.com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe@cygwin.com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-help@cygwin.com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner@cygwin.com
Mail-Followup-To: cygwin@cygwin.com
Delivered-To: mailing list cygwin@cygwin.com
Message-ID: <536F1320.3010408@users.sourceforge.net>
Date: Sun, 11 May 2014 01:05:20 -0500
From: "Yaakov (Cygwin/X)" <yselkowitz@users.sourceforge.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: cygwin@cygwin.com
Subject: Re: Cygwin64 v1.7.29: ruby 1.9.3p484 still vulnerable to Heartbleed bug
References: <536E5F1C.8030705@liturgica.com>
In-Reply-To: <536E5F1C.8030705@liturgica.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

On 2014-05-10 12:17, Robert Miesen wrote:
> I recently installed the ruby package via Cygwin64 and, after running a
> simple script, discovered that the version of ruby installed by Cygwin
> also installs version 1.0.1f of the OpenSSL library, which is vulnerable
> to the Heartbleed bug.

Please don't spread misinformation.  If you suspect an issue, *ask a 
question* instead of making seemingly definitive statements.

I'm going to guess (since you didn't specify what your "simple script" 
was) that you ran something like:

$ ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.1f 6 Jan 2014

OPENSSL_VERSION is a compile-time constant[1]:

> OPENSSL_VERSION
> Version of OpenSSL the ruby OpenSSL extension was built with

IOW, all this tells you is that the (bundled) openssl extension was 
compiled against 1.0.1f, which is true but irrelevant.  What is relevant 
is that it is dynamically linked against openssl:

$ /bin/ldd /usr/lib/ruby/1.9.1/x86_64-cygwin/openssl.so | grep -v $(cygpath -W)
         cygruby191.dll => /usr/bin/cygruby191.dll (0x4738c0000)
         cygcrypt-0.dll => /usr/bin/cygcrypt-0.dll (0x442db0000)
         cygwin1.dll => /usr/bin/cygwin1.dll (0x180040000)
         cygcrypto-1.0.0.dll => /usr/bin/cygcrypto-1.0.0.dll (0x3eed10000)
         cygz.dll => /usr/bin/cygz.dll (0x3c0f60000)
         cygssl-1.0.0.dll => /usr/bin/cygssl-1.0.0.dll (0x3cb7d0000)

And therefore one simply needs to check the currently installed version 
of openssl:

$ cygcheck -c libopenssl100
Cygwin Package Information
Package              Version        Status
libopenssl100        1.0.1g-1       OK

$ openssl version
OpenSSL 1.0.1g 7 Apr 2014

$ ruby -rfiddle -e 'puts Fiddle::Function.new(DL.dlopen("cygcrypto-1.0.0.dll")["SSLeay_version"],[Fiddle::TYPE_INT],Fiddle::TYPE_VOIDP).call(0)'
OpenSSL 1.0.1g 7 Apr 2014

If your installation is current, these will be your results, and your 
Cygwin installation is NOT vulnerable to CVE-2014-0160.


Yaakov
(Cygwin ruby maintainer)

[1] 
http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL.html 
(or install ruby-doc and run 'ri OpenSSL')
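The distinction above (the OpenSSL version the extension was compiled against versus the one it is dynamically linked to at runtime) is easy to get wrong, so here is an added, self-contained Ruby script that makes the check explicit. It is example code written for this archive page, not part of the original message or of the Cygwin ruby package. It assumes a Ruby whose openssl extension exposes OpenSSL::OPENSSL_LIBRARY_VERSION (Ruby 2.x and later); on older Rubies it falls back to the same dlsym trick shown in the message, resolving SSLeay_version (OpenSSL 1.0.x) or OpenSSL_version (1.1.0 and later) in the already-loaded libcrypto. The vulnerable range encoded here, 1.0.1 through 1.0.1f plus 1.0.2-beta1, is the published scope of CVE-2014-0160; the version strings in the test are constructed inputs.

```ruby
require "openssl"

# Parse an OpenSSL banner such as "OpenSSL 1.0.1f 6 Jan 2014" into its parts.
# Returns nil if the string does not look like an OpenSSL/LibreSSL banner.
def parse_openssl_version(banner)
  m = banner.to_s.match(/\A(\S+)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?/)
  return nil unless m
  {
    lib:    m[1],            # "OpenSSL" or "LibreSSL"
    major:  m[2].to_i,
    minor:  m[3].to_i,
    fix:    m[4].to_i,
    letter: m[5],            # patch letter, "" when absent (e.g. plain 1.0.1)
    suffix: m[6]             # e.g. "beta1", "fips", or nil
  }
end

# CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2-beta1 pre-release; 1.0.1g and 1.0.2-beta2 carry the fix.
def heartbleed_vulnerable?(banner)
  v = parse_openssl_version(banner)
  return false unless v && v[:lib] == "OpenSSL"
  base = [v[:major], v[:minor], v[:fix]]
  return v[:letter] <= "f" if base == [1, 0, 1]   # "" and "a".."f" are affected
  base == [1, 0, 2] && v[:suffix] == "beta1"
end

# Ask the loaded libcrypto for its own version string via dlsym, the same
# trick as the Fiddle one-liner in the message, but against the already
# loaded library rather than a Cygwin DLL name. Returns nil if unavailable.
def linked_openssl_version_via_fiddle
  require "fiddle"
  handle = Fiddle.dlopen(nil)                      # symbols of the running process
  sym = %w[OpenSSL_version SSLeay_version].find do |name|
    begin
      handle[name]
    rescue Fiddle::DLError
      nil
    end
  end
  return nil unless sym
  fn = Fiddle::Function.new(handle[sym], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP)
  fn.call(0).to_s                                  # 0 == OPENSSL_VERSION / SSLEAY_VERSION
rescue LoadError, Fiddle::DLError, NameError
  nil
end

# Report the compile-time constant, the runtime library version, and the
# verdict. Only the runtime (linked) version decides exposure; if it cannot
# be determined the verdict is :unknown rather than a guess from the constant.
def check_ruby_openssl
  compiled = OpenSSL::OPENSSL_VERSION
  linked = if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION)
             OpenSSL::OPENSSL_LIBRARY_VERSION
           else
             linked_openssl_version_via_fiddle
           end
  {
    compiled:   compiled,
    linked:     linked,
    vulnerable: linked ? heartbleed_vulnerable?(linked) : :unknown,
    note:       "OPENSSL_VERSION is a build-time constant; only the linked version matters"
  }
end

if __FILE__ == $0
  r = check_ruby_openssl
  puts "compiled against: #{r[:compiled]}"
  puts "linked at runtime: #{r[:linked] || 'unknown'}"
  puts "Heartbleed (CVE-2014-0160): #{r[:vulnerable]}"
end
```

Run it on a Cygwin box with an up-to-date libopenssl100 and the "compiled against" line can still say 1.0.1f while "linked at runtime" says 1.0.1g; the verdict is taken from the second line only, which is exactly the point of the message.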

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

