From: Brian Inglis
Organization: Systematic Software
Reply-To: cygwin-apps@cygwin.com
To: cygwin-apps@cygwin.com
Cc: Jonathan McNickle
Subject: Re: OpenSSL Package Upgrade to 1.1.1L
Date: Wed, 1 Sep 2021 15:40:18 -0600
Message-ID: <73dc7093-53be-f788-531d-f844a0cc1027@SystematicSw.ab.ca>
List-Id: Cygwin package maintainer discussion list
On 2021-09-01 08:08, Jonathan McNickle wrote:
> I was wondering if plans were in place to update OpenSSL to version 1.1.1l to fix the latest high sev security issue?
> https://www.openssl.org/news/secadv/20210824.txt

[redirected from patches (Cygwin DLL etc.) to apps (Packages)]

SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High is probably not a huge concern, as SM2 is not a commonly specified cipher suite, except possibly in China; although the Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Moderate is fairly serious, as OpenSSL assumes some ASN1 strings with given length are also nul-terminated when they need not be, allowing DoS and disclosures.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
[Data in binary units and prefixes, physical quantities in SI.]
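The NUL-termination assumption Brian describes for CVE-2021-3712 is a general bug class, and the following is an added example of it, not code from the email thread and not OpenSSL's own ASN1_STRING code or its fix. A constructed `asn1_str_t` stands in for a DER-decoded, length-counted string; `unsafe_len` shows the vulnerable strlen()/%s pattern that scans past the declared length, and `safe_len`/`safe_copy` show the length-honouring form. The struct layout, the sample bytes and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-in for a DER-decoded ASN.1 string: an explicit byte
 * count plus a pointer to the bytes.  Nothing guarantees data[length] is
 * a NUL.  This struct and the sample below are illustrative only; they are
 * not OpenSSL's ASN1_STRING or OpenSSL's fix for CVE-2021-3712.
 */
typedef struct {
    int length;            /* number of valid bytes in data */
    unsigned char *data;   /* not necessarily NUL-terminated */
} asn1_str_t;

/*
 * Constructed sample: the 7-byte string "CN=test" is immediately followed
 * in the same allocation by bytes belonging to something else ("SECRETKEY").
 * The first NUL is at offset 16, well past the 7 bytes the length field
 * says are ours.
 */
static unsigned char sample_buf[] = "CN=test" "SECRETKEY";

asn1_str_t sample_string(void) {
    asn1_str_t s = { 7, sample_buf };
    return s;
}

/* Vulnerable pattern: treating a length-counted buffer as a C string. */
size_t unsafe_len(const asn1_str_t *s) {
    /* strlen() scans for a NUL that may lie beyond s->length; in the real
     * bug class this reads out of bounds, giving a crash (DoS) or a leak.
     * Here the NUL sits inside sample_buf, so the over-read is observable
     * without undefined behaviour. */
    return strlen((const char *)s->data);
}

/* Hardened pattern: the explicit length field is the only bound that counts. */
size_t safe_len(const asn1_str_t *s) {
    return s->length < 0 ? 0 : (size_t)s->length;
}

/*
 * Hardened copy into a caller-owned buffer: bounds-checked against the
 * explicit length and always NUL-terminated on success.
 * Returns 0 on success, -1 if the value (plus terminator) does not fit.
 */
int safe_copy(const asn1_str_t *s, char *out, size_t outlen) {
    size_t n = safe_len(s);
    if (outlen == 0 || n >= outlen)
        return -1;
    memcpy(out, s->data, n);
    out[n] = '\0';
    return 0;
}

int main(void) {
    asn1_str_t s = sample_string();
    char out[32];

    printf("declared length : %zu\n", safe_len(&s));
    printf("strlen() sees   : %zu bytes (over-read of %zu)\n",
           unsafe_len(&s), unsafe_len(&s) - safe_len(&s));

    /* "%s" leaks the trailing bytes; "%.*s" bounded by the length does not. */
    printf("%%s   -> %s\n", (const char *)s.data);
    printf("%%.*s -> %.*s\n", s.length, (const char *)s.data);

    if (safe_copy(&s, out, sizeof out) == 0)
        printf("safe_copy -> \"%s\"\n", out);
    return 0;
}
```

The practical check on a Cygwin host is `openssl version`, which reports whether the installed library is 1.1.1l or later; any code that formats ASN.1 string contents with `%s` or `strlen()` instead of the length field has the same exposure regardless of library version.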