This is the mail archive of the cygwin mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[HEADSUP] ABI breakage in OpenSSL 1.0.2b

Hi guys,

this is a friendly warning that the latest OpenSSL version not only
introduced security bugfixes, but unfortunately also an inadvertent ABI

Specifically, the HMAC_CTX stucture has a new "key_init" field of type

  --- a/crypto/hmac/hmac.h
  +++ b/crypto/hmac/hmac.h
  @@ -75,6 +75,7 @@ typedef struct hmac_ctx_st {
       EVP_MD_CTX o_ctx;
       unsigned int key_length;
       unsigned char key[HMAC_MAX_MD_CBLOCK];
  +    int key_init;
   } HMAC_CTX;

Thus the size of HMAC_CTX changed, which breaks binary compatibility.

The problem is currently discussed in the OpenSSL community:

OpenSSH 6.8p1 is not affected, but there's no guarantee that other
tools linked against OpenSSL might not crash when using crypto

What you should do for the time being:

- Update to OpenSSL 1.0.2b and use it in the first place for security

- If you have an application which suddenly crashes with 1.0.2b, and if
  this application is crucial for your daily work, and if you're sure
  that the security problems fixed in 1.0.2b don't affect you, then, and
  only then, revert to OpenSSL 1.0.2a.

- If you *build* applications linked against OpenSSL, continue linking
  against openssl-devel-1.0.2a-1.

I'll keep you informed (probably by updating OpenSSL) as soon as the as
the problem hasn't been addressed upstream.


Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat

Attachment: pgpesN7XO8B4u.pgp
Description: PGP signature

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]