Updated: openssl-1.0.1g-1

Corinna Vinschen corinna-cygwin@cygwin.com
Tue Apr 8 10:45:00 GMT 2014


I've updated the version of OpenSSL to 1.0.1g-1.

This is an upstream security release.  The Cygwin release is build from
the vanilla sources with just two patches for path handling and support
of 64 bit Cygwin.

Here's security advisory:

------------------------------------------------------------------------
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
------------------------------------------------------------------------

And here's the official upstream release message:

------------------------------------------------------------------------
   OpenSSL version 1.0.1g released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.1g of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

       	http://www.openssl.org/news/openssl-1.0.1-notes.html

   OpenSSL 1.0.1g is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

     * http://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

    o openssl-1.0.1g.tar.gz
      Size: 4509047
      MD5 checksum: de62b43dfcd858e66a74bee1c834e959
      SHA1 checksum: b28b3bcb1dc3ee7b55024c9f795be60eb3183e3c

   The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.1g.tar.gz
    openssl sha1 openssl-1.0.1g.tar.gz

   Yours,

   The OpenSSL Project Team.

------------------------------------------------------------------------


Peace,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          cygwin AT cygwin DOT com
Red Hat



More information about the Cygwin-announce mailing list