Mailing-List: contact cygwin-apps-help AT cygwin DOT com; run by ezmlm Sender: cygwin-apps-owner AT cygwin DOT com List-Subscribe: List-Archive: List-Post: List-Help: , Delivered-To: mailing list cygwin-apps AT cygwin DOT com Date: Mon, 14 Jan 2002 11:26:07 +0100 From: Corinna Vinschen To: cygapp Subject: Maintainers of CURL, MUTT, PYTHON and WGET, heads up! Message-ID: <20020114112607.M2015@cygbert.vinschen.de> Reply-To: cygwin-apps AT cygwin DOT com Mail-Followup-To: cygapp Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.22.1i =================================================================== == == == IMPORTANT == == == =================================================================== Hi, I'm going to update OpenSSL from version 0.9.6b to version 0.9.6c very soon now, probably next Sunday. You as the maintainers of the packages who depend on OpenSSL should check, if the existing binary packages will still run when I upgrade. The reasons I'm asking are - the fifth package depending on OpenSSL, OpenSSH, would have been broken by an upgrade. That's the reason I've uploaded a new version of OpenSSH a few hours ago. - The next OpenSSL binary package will not include support for two crypto algorithms which still have licensing problems in some contries, IDEA and RC5. So I'd like to ask you to check if your packages will still run with an patchlevel upgrade of OpenSSL. Otherwise I'd suggest to patch the code which checks the OpenSSL version (if any). The version of OpenSSL is returned by the function SSLeay(). It returns a hex number with the format MMNNFFPPS: M = major, N = minor, F = fix, p = patch, s = status. Accordingly the release version 0.9.6b returns SSLeay() = 0x00090602f == 0 9 6 b and f=release the release version 0.9.6c returns SSLeay() = 0x00090602f == 0 9 6 c f=release Description is in `man 3 OPENSSL_VERSION_NUMBER'. The situation in OpenSSH was, OpenSSH-3.0.2p1 unfortunately checks for exact equality against the version number of OpenSSL which is linked against: if ((SSLeay() != OPENSSL_VERSION_NUMBER) exit The current CVS version of OpenSSH contains a patch which checks for the version but w/o checking for the patch level: if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) exit I patched OpenSSH-3.0.2p1-4 so that it also uses that test. This version will have no problem when I upgrade to OpenSSL-0.9.6c. Please make sure that your package will still run next Sunday. I'm not going to use a different name for the DLL since it's not a version upgrade, just a patchlevel upgrade. The shared libs on U*X systems would still use the same name either (libcrypto.0.9.6.so, libssl.0.9.6.so). The next point is, please check if your packages depend on either the IDEA or the RC5 algorithms. If so, please rebuild w/o that dependency. Thanks, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin AT cygwin DOT com Red Hat, Inc.