This is the mail archive of the cygwin-announce mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Updated: openssl-0.9.8h-1, openssl-devel-0.9.8h-1

I've updated the version of OpenSSL to 0.9.8h-1.  This also includes the
openssl-devel package.

This is an upstream security and bugfix release.  The Cygwin release is
the vanilla version, no additional patches.

Official release message:
   OpenSSL version 0.9.8h released

   OpenSSL - The Open Source toolkit for SSL/TLS

   The OpenSSL project team is pleased to announce the release of
   version 0.9.8h of our open source toolkit for SSL/TLS. This new
   OpenSSL version is a security and bugfix release.  For a complete
   list of changes, please see

   Two moderate severity security flaws have been fixed in OpenSSL
   0.9.8h.  The OpenSSL security team would like to thank Codenomicon
   for reporting these issues:

   OpenSSL Server Name extension crash

   Testing using the Codenomicon TLS test suite discovered a flaw in
   the handling of server name extension data in OpenSSL 0.9.8f and
   OpenSSL 0.9.8g.  If OpenSSL has been compiled using the non-default
   TLS server name extensions, a remote attacker could send a
   carefully crafted packet to a server application using OpenSSL and
   cause it to crash.  (CVE-2008-0891).

   Please note this issue does not affect any other released versions
   of OpenSSL, and does not affect versions compiled without TLS
   server name extensions.

   OpenSSL Omit Server Key Exchange message crash

   Testing using the Codenomicon TLS test suite discovered a flaw if
   the 'Server Key exchange message' is omitted from a TLS handshake
   in OpenSSL 0.9.8f and OpenSSL 0.9.8g.  If a client connects to a
   malicious server with particular cipher suites, the server could
   cause the client to crash.  (CVE-2008-1672).

   Please note this issue does not affect any other released versions
   of OpenSSL.

   Users of OpenSSL 0.9.8f or 0.9.8g should update to the OpenSSL
   0.9.8h release which contains patches to correct these issues.

   We consider OpenSSL 0.9.8h to be the best version of OpenSSL
   available and we strongly recommend that users of older versions
   upgrade as soon as possible. OpenSSL 0.9.8h is available for
   download via HTTP and FTP from the following master locations (you
   can find the various FTP mirrors under


   The distribution file name is:

    o openssl-0.9.8h.tar.gz
      Size: 3439981
      MD5 checksum: 7d3d41dafc76cf2fcb5559963b5783b3
      SHA1 checksum: ced4f2da24a202e01ea22bef30ebc8aee274de86

   The checksums were calculated using the following commands:

    openssl md5 openssl-0.9.*.tar.gz
    openssl sha1 openssl-0.9.*.tar.gz


   The OpenSSL Project Team...

    Mark J. Cox             Nils Larsch         Ulf Möller
    Ralf S. Engelschall     Ben Laurie          Andy Polyakov
    Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
    Lutz Jänicke            Bodo Möller

To update your installation, click on the "Install Cygwin now" link on
the web page.  This downloads setup.exe to your
system.  Then, run setup and answer all of the questions.


If you want to unsubscribe from the cygwin-announce mailing list, look
at the "List-Unsubscribe: " tag in the email header of this message.
Send email to the address specified there.  It will be in the format:

If you need more information on unsubscribing, start reading here:

Please read *all* of the information on unsubscribing that is available
starting at the above URL.

Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]