Subject: Re: [SECURITY] gnutls
To: cygwin-apps@cygwin.com
From: Yaakov Selkowitz
Date: Fri, 24 Mar 2017 19:00:00 -0000
Message-ID: <1c5f0c00-aaa0-e6ad-4861-52780414dbd1@cygwin.com>
In-Reply-To: <2a005d15-9f33-46e9-bd12-484702e15a52@cygwin.com>

On 2017-03-10 16:01, Yaakov Selkowitz wrote:
> On 2017-02-22 12:46, Yaakov Selkowitz wrote:
>> On 2016-09-26 14:13, Yaakov Selkowitz wrote:
>>> On 2016-09-26 02:00, Yaakov Selkowitz wrote:
>>>> Dr. Volker,
>>>>
>>>> Two security issues have been reported in GnuTLS:
>>>>
>>>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-2
>>>> https://www.gnutls.org/security.html#GNUTLS-SA-2016-3
>>>>
>>>> At this point, I think the best way to proceed would be to:
>>>>
>>>> 1) release 3.3.24 with the patch for the latter, then;
>>>> 2) update to 3.4.15, which involves an ABI break.
>>>
>>> nettle is also overdue for an update (it's also blocking an update to
>>> filezilla); getting that in after 3.3.24 and prior to 3.4 would be best.
>>
>> Ping? More vulnerabilities have been announced, so we need to revise
>> the above to 3.3.26 and 3.5.9.
>
> Ping 2?

Ping 3?

--
Yaakov