[ANNOUNCEMENT] openssl 1.0.2h-1

[ANNOUNCEMENT] openssl 1.0.2h-1

[Yaakov Selkowitz]

The following packages have been uploaded to the Cygwin distribution:

* openssl-1.0.2h-1
* openssl-devel-1.0.2h-1
* openssl-perl-1.0.2h-1
* libopenssl100-1.0.2h-1
* mingw64-i686-openssl-1.0.2h-1
* mingw64-x86_64-openssl-1.0.2h-1

The OpenSSL toolkit provides support for secure communications between 
machines. OpenSSL includes a certificate management tool and shared 
libraries which provide various cryptographic algorithms and protocols.

This is an update to the latest upstream release, which includes fixes for 
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, and CVE-2016-2176:

https://www.openssl.org/news/secadv/20160503.txt

Support for the SSLv2 protocol, which is vulnerable to DROWN, has been 
completely removed in this release, while maintaining ABI compatibility 
(which was not possible OOTB with 1.0.2g).

--
Yaakov

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [ANNOUNCEMENT] openssl 1.0.2h-1

[Gerrit Haase]

2016-05-04 19:35 GMT+02:00 Yaakov Selkowitz:
>
> The following packages have been uploaded to the Cygwin distribution:
>
> * openssl-1.0.2h-1
> * openssl-devel-1.0.2h-1
> * openssl-perl-1.0.2h-1
> * libopenssl100-1.0.2h-1
> * mingw64-i686-openssl-1.0.2h-1
> * mingw64-x86_64-openssl-1.0.2h-1
>
> ...


Hello Yaakov,

25-Aug-2016: OpenSSL 1.1.0 is now available

https://www.openssl.org/news/newslog.html


:-)
Gerrit

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [ANNOUNCEMENT] openssl 1.0.2h-1

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 991 bytes --]

On Aug 31 12:50, Gerrit Haase wrote:
> 2016-05-04 19:35 GMT+02:00 Yaakov Selkowitz:
> >
> > The following packages have been uploaded to the Cygwin distribution:
> >
> > * openssl-1.0.2h-1
> > * openssl-devel-1.0.2h-1
> > * openssl-perl-1.0.2h-1
> > * libopenssl100-1.0.2h-1
> > * mingw64-i686-openssl-1.0.2h-1
> > * mingw64-x86_64-openssl-1.0.2h-1
> >
> > ...
> 
> 
> Hello Yaakov,
> 
> 25-Aug-2016: OpenSSL 1.1.0 is now available

We can't and we won't switch to OpenSSH 1.1.0 unless at least the first
problems are ironed out.  There were a lot of partially backward
incompatible changes, one of them results in OpenSSH not working with
OpenSSL 1.1.0 yet.

So, for the time being, we stay with 1.0.2.  It will be supported by
upstream for at least another two years, so there's no reason for hurry.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [ANNOUNCEMENT] openssl 1.0.2h-1

[Yaakov Selkowitz]

On 2016-08-31 06:10, Corinna Vinschen wrote:
> We can't and we won't switch to OpenSSH 1.1.0 unless at least the first
> problems are ironed out.  There were a lot of partially backward
> incompatible changes, one of them results in OpenSSH not working with
> OpenSSL 1.1.0 yet.
>
> So, for the time being, we stay with 1.0.2.  It will be supported by
> upstream for at least another two years, so there's no reason for hurry.

+1.  I suggest we wait until one or more of the major Linux distros has 
tackled this first so that patches for the API incompatibilities will 
already be available.

-- 
Yaakov

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

Re: [ANNOUNCEMENT] openssl 1.0.2h-1

[Corinna Vinschen]

[-- Attachment #1: Type: text/plain, Size: 856 bytes --]

On Aug 31 11:42, Yaakov Selkowitz wrote:
> On 2016-08-31 06:10, Corinna Vinschen wrote:
> > We can't and we won't switch to OpenSSH 1.1.0 unless at least the first
> > problems are ironed out.  There were a lot of partially backward
> > incompatible changes, one of them results in OpenSSH not working with
> > OpenSSL 1.1.0 yet.
> > 
> > So, for the time being, we stay with 1.0.2.  It will be supported by
> > upstream for at least another two years, so there's no reason for hurry.
> 
> +1.  I suggest we wait until one or more of the major Linux distros has
> tackled this first so that patches for the API incompatibilities will
> already be available.

ACK.  Sounds good.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]