DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:date:from:to:subject:message-id:reply-to
	:mime-version:content-type; q=dns; s=default; b=hgIOBeDkFTx5ZW1t
	soBVwdJjzpOu2mZgNa07rbGARDR+sx3Wui2Cevk0DZIec11v5LRxUMtnrp1pjbiY
	ZqPHvobEzg3aqysBdBHq2F4HXgixNguhvRS3l/k2jTNVn3TQqbEGaMCd4c+fRezl
	eBNbI2DZKPkiL4wfYd71YA68EO0=
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Date: Fri, 12 Jun 2015 12:52:46 +0200
From: Corinna Vinschen <corinna-cygwin AT cygwin DOT com>
To: cygwin AT cygwin DOT com
Subject: [HEADSUP] ABI breakage in OpenSSL 1.0.2b
Message-ID: <20150612105246.GA22082@calimero.vinschen.de>
Reply-To: cygwin AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;	protocol="application/pgp-signature"; boundary="TB36FDmn/VVEgNH/"
Content-Disposition: inline
User-Agent: Mutt/1.5.23 (2014-03-12)

--TB36FDmn/VVEgNH/
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi guys,


this is a friendly warning that the latest OpenSSL version not only
introduced security bugfixes, but unfortunately also an inadvertent ABI
breakage.

Specifically, the HMAC_CTX stucture has a new "key_init" field of type
integer:

  --- a/crypto/hmac/hmac.h
  +++ b/crypto/hmac/hmac.h
  @@ -75,6 +75,7 @@ typedef struct hmac_ctx_st {
       EVP_MD_CTX o_ctx;
       unsigned int key_length;
       unsigned char key[HMAC_MAX_MD_CBLOCK];
  +    int key_init;
   } HMAC_CTX;

Thus the size of HMAC_CTX changed, which breaks binary compatibility.

The problem is currently discussed in the OpenSSL community:

https://mta.openssl.org/pipermail/openssl-dev/2015-June/001788.html

OpenSSH 6.8p1 is not affected, but there's no guarantee that other
tools linked against OpenSSL might not crash when using crypto
functions.

What you should do for the time being:

- Update to OpenSSL 1.0.2b and use it in the first place for security
  reasons.

- If you have an application which suddenly crashes with 1.0.2b, and if
  this application is crucial for your daily work, and if you're sure
  that the security problems fixed in 1.0.2b don't affect you, then, and
  only then, revert to OpenSSL 1.0.2a.

- If you *build* applications linked against OpenSSL, continue linking
  against openssl-devel-1.0.2a-1.

I'll keep you informed (probably by updating OpenSSL) as soon as the as
the problem hasn't been addressed upstream.


Cheers,
Corinna

--=20
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

--TB36FDmn/VVEgNH/
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVern+AAoJEPU2Bp2uRE+gcfAP/R3kJ9L4WYc4B3OSiAr8UcDj
66t3eh9lry6Olm+hlcV84LpMNtX+qDehcP2UQ7n1pWfsnf/Hxa0+4b24xvjM3v++
marp6i9VWSQWJ4PDU0L3Z7KzY3ONbBUlF5u39GKPrEx0CHVpJzTA2JNc6Yr2q6Zj
3Twp30O35E4W6HlgmgN+VTyTiKPOtvlZs3Nf0/7qOQ/u3alnmv8XP8sr4Mj2ECVW
SrKNTPWQpXzZesHHqT/QLa33XMHYV6+LukyruaFwokV09U42aH/FbbegYvIzNbby
MzR583O0IZIsZk13BiXwBSUmZuNst1+DkjIZJNsIJ8YoevROPehg1MUblaMcBYN/
kLmWsqcmL/xrNnDIjc9xu9sE6PyYHKswjBHUc/jf0bVjwNaRd+Qk2hBgYILLcJQ/
uREkX08MjE3nKpmZbabSUfmpVcJR7iWUV2EHgUxz02HP2f0yCVT5lx4OsQhdaXpj
zeu8Q1LiKpNaN1nM7//ZPHlgzjuJr7sXjv2ho9BKjkDdAETsDauX5wu5GnxfIfrl
/ics/16hT23KUiKvz/1snaX5rXPwmA8fdl4E9BJ3roHuoj6+J13cW4IJeEovKlMj
JPTuVYn8QbeMrpbZ2rxVvOavdhSh41NkrStGSaoMcgg6q8CHeP03OmZpSOdg6Z++
i4bbNRLasHPAAUQoT/wC
=0cYZ
-----END PGP SIGNATURE-----

--TB36FDmn/VVEgNH/--