X-Recipient: archive-cygwin AT delorie DOT com X-Spam-Check-By: sourceware.org Date: Tue, 10 Jun 2008 13:46:35 +0200 From: Corinna Vinschen To: cygwin AT cygwin DOT com Subject: [ANNOUNCEMENT] Updated: openssl-0.9.8h-1, openssl-devel-0.9.8h-1 Message-Id: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.5.16 (2007-06-09) Reply-To: cygwin AT cygwin DOT com X-Mailer: Perl5 Mail::Internet v1.74 Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: cygwin-owner AT cygwin DOT com Mail-Followup-To: cygwin AT cygwin DOT com Delivered-To: mailing list cygwin AT cygwin DOT com I've updated the version of OpenSSL to 0.9.8h-1. This also includes the openssl-devel package. This is an upstream security and bugfix release. The Cygwin release is the vanilla version, no additional patches. Official release message: ======================================================================= OpenSSL version 0.9.8h released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8h of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release. For a complete list of changes, please see http://cvs.openssl.org/getfile/openssl/CHANGES?v=1.1238.2.104 Two moderate severity security flaws have been fixed in OpenSSL 0.9.8h. The OpenSSL security team would like to thank Codenomicon for reporting these issues: OpenSSL Server Name extension crash ----------------------------------- Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause it to crash. (CVE-2008-0891). Please note this issue does not affect any other released versions of OpenSSL, and does not affect versions compiled without TLS server name extensions. OpenSSL Omit Server Key Exchange message crash ---------------------------------------------- Testing using the Codenomicon TLS test suite discovered a flaw if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash. (CVE-2008-1672). Please note this issue does not affect any other released versions of OpenSSL. Users of OpenSSL 0.9.8f or 0.9.8g should update to the OpenSSL 0.9.8h release which contains patches to correct these issues. We consider OpenSSL 0.9.8h to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.8h is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-0.9.8h.tar.gz Size: 3439981 MD5 checksum: 7d3d41dafc76cf2fcb5559963b5783b3 SHA1 checksum: ced4f2da24a202e01ea22bef30ebc8aee274de86 The checksums were calculated using the following commands: openssl md5 openssl-0.9.*.tar.gz openssl sha1 openssl-0.9.*.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Nils Larsch Ulf Möller Ralf S. Engelschall Ben Laurie Andy Polyakov Dr. Stephen Henson Richard Levitte Geoff Thorpe Lutz Jänicke Bodo Möller ======================================================================= To update your installation, click on the "Install Cygwin now" link on the http://cygwin.com/ web page. This downloads setup.exe to your system. Then, run setup and answer all of the questions. *** CYGWIN-ANNOUNCE UNSUBSCRIBE INFO *** If you want to unsubscribe from the cygwin-announce mailing list, look at the "List-Unsubscribe: " tag in the email header of this message. Send email to the address specified there. It will be in the format: cygwin-announce-unsubscribe-you=yourdomain DOT com AT cygwin DOT com If you need more information on unsubscribing, start reading here: http://sources.redhat.com/lists.html#unsubscribe-simple Please read *all* of the information on unsubscribing that is available starting at the above URL. -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Project Co-Leader cygwin AT cygwin DOT com Red Hat -- Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple Problem reports: http://cygwin.com/problems.html Documentation: http://cygwin.com/docs.html FAQ: http://cygwin.com/faq/