From: Corinna Vinschen
To: cygwin@cygwin.com
Date: Fri, 11 May 2012 12:01:00 -0000
Subject: [ANNOUNCEMENT] Updated: openssl-1.0.1c-1, libopenssl098-0.9.8x-1

I've updated the version of OpenSSL to 1.0.1c-1.  I also updated the
0.9.8 libs to 0.9.8x-1.

This is an upstream security release.  The Cygwin release is built from
the vanilla sources.

Here's the official security advisory:

------------------------------------------------------------------------
OpenSSL Security Advisory [10 May 2012]
=======================================

Invalid TLS/DTLS record attack (CVE-2012-2333)
===============================================

A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.

DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.

The fix was developed by Stephen Henson of the OpenSSL core team.

Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x

References
==========

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120510.txt
------------------------------------------------------------------------

To update your installation, click on the "Install Cygwin now" link on
the http://cygwin.com/ web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat
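
Added example (not part of the original announcement, and not OpenSSL or Cygwin code): a check that classifies the version string reported by `openssl version` against the affected and fixed releases named in the advisory above. The function names and status labels are hypothetical; branches newer than 1.0.1 are reported as outside the advisory, which is an assumption of this sketch.

```python
import re

# Fixed release per branch, exactly as listed in the advisory text.
FIXED = {(1, 0, 1): "c", (1, 0, 0): "j", (0, 9, 8): "x"}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse(text):
    """Accept '1.0.1b' or a full banner such as 'OpenSSL 1.0.1b 26 Apr 2012'."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    branch = tuple(int(part) for part in m.group(1, 2, 3))
    return branch, m.group(4)


def _patch_key(letters):
    # Patch letters order as '' < 'a' < ... < 'z' < 'za' < 'zb' ...,
    # so compare by length first, then alphabetically.
    return (len(letters), letters)


def status(text, uses_dtls):
    """Return one of: fixed, affected, not-affected,
    affected-no-fix-listed, not-covered (hypothetical labels)."""
    branch, letters = parse(text)
    if branch not in FIXED:
        if branch > (1, 0, 1):
            return "not-covered"  # assumption: newer than the advisory
        # Older branch: advisory says DTLS is affected in all versions,
        # but names no fixed release for it.
        return "affected-no-fix-listed" if uses_dtls else "not-affected"
    if _patch_key(letters) >= _patch_key(FIXED[branch]):
        return "fixed"
    # TLS is only affected in 1.0.1 and later; DTLS in every version.
    if branch == (1, 0, 1) or uses_dtls:
        return "affected"
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real host.
    for banner, dtls in [("OpenSSL 1.0.1b 26 Apr 2012", False),
                         ("OpenSSL 0.9.8w 23 Apr 2012", True),
                         ("OpenSSL 1.0.0j 10 May 2012", True)]:
        print(banner, "dtls" if dtls else "tls-only", "->", status(banner, dtls))
```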