Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: [ANNOUNCEMENT] Updated: openssl-0.9.7a-3, openssl-devel-0.9.7a-3 Reply-To: cygwin AT cygwin DOT com Message-Id: <20030319210651.993B51BDAA@redhat.com> Date: Wed, 19 Mar 2003 16:06:51 -0500 (EST) I've updated the version of OpenSSL to 0.9.7a-3. This also includes the openssl-devel package. This is a security update. It fixes another vulnerability of the RSA encryption. The official security advisory follows: Klima-Pokorny-Rosa attack on RSA in SSL/TLS =========================================== Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their attack requires the attacker to open millions of SSL/TLS connections to the server under attack; the server's behaviour when faced with specially made-up RSA ciphertexts can reveal information that in effect allows the attacker to perform a single RSA private key operation on a ciphertext of its choice using the server's RSA key. Note that the server's RSA key is not compromised in this attack. This problem affects all applications using the OpenSSL SSL/TLS library. OpenSSL releases up to 0.9.6i and 0.9.7a are vulnerable. The enclosed patch modifies SSL/TLS server behaviour to avoid the vulnerability. To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Once you've downloaded setup.exe, run it and select "Net" ("Devel" for the openssl-devel package) and then click on the appropriate field until the above announced version number appears if it is not displayed already. If you have questions or comments, please send them to the Cygwin mailing list at: cygwin AT cygwin DOT com . I would appreciate it if you would use this mailing list rather than emailing me directly. This includes ideas and comments about the setup utility or Cygwin in general. If you want to make a point or ask a question, the Cygwin mailing list is the appropriate place. *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO *** If you want to unsubscribe from the cygwin-announce mailing list, look at the "List-Unsubscribe: " tag in the email header of this message. Send email to the address specified there. It will be in the format: cygwin-announce-unsubscribe-you=yourdomain DOT com AT cygwin DOT com If you need more information on unsubscribing, start reading here: http://sources.redhat.com/lists.html#unsubscribe-simple Please read *all* of the information on unsubscribing that is available starting at this URL. I implore you to READ this information before sending email about how you "tried everything" to unsubscribe. In 100% of the cases where people were unable to unsubscribe, the problem was that they hadn't actually read and comprehended the unsubscribe instructions. If you need to unsubscribe from cygwin-announce or any other mailing list, reading the instructions at the above URL is guaranteed to provide you with the info that you need. -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin AT cygwin DOT com Red Hat, Inc. -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Bug reporting: http://cygwin.com/bugs.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/