Date: Tue, 8 Apr 2014 12:28:22 +0200
From: Corinna Vinschen
To: cygwin AT cygwin DOT com
Subject: [ANNOUNCEMENT] Updated: openssl-1.0.1g-1

I've updated the version of OpenSSL to 1.0.1g-1.

This is an upstream security release. The Cygwin release is built from the
vanilla sources with just two patches for path handling and support of
64 bit Cygwin.

Here's the security advisory:

------------------------------------------------------------------------
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley and Bodo Moeller for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
------------------------------------------------------------------------

And here's the official upstream release message:

------------------------------------------------------------------------
OpenSSL version 1.0.1g released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of
version 1.0.1g of our open source toolkit for SSL/TLS. For details
of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1g is available for download via HTTP and FTP from the
following master locations (you can find the various FTP mirrors under
http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

    o openssl-1.0.1g.tar.gz
      Size: 4509047
      MD5 checksum: de62b43dfcd858e66a74bee1c834e959
      SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.1g.tar.gz
    openssl sha1 openssl-1.0.1g.tar.gz

Yours,

The OpenSSL Project Team.
------------------------------------------------------------------------

Peace,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat