Hi guys,

this is a friendly warning that the latest OpenSSL version not only introduced security bugfixes, but unfortunately also an inadvertent ABI breakage. Specifically, the HMAC_CTX structure has a new "key_init" field of type integer:

--- a/crypto/hmac/hmac.h
+++ b/crypto/hmac/hmac.h
@@ -75,6 +75,7 @@ typedef struct hmac_ctx_st {
     EVP_MD_CTX o_ctx;
     unsigned int key_length;
     unsigned char key[HMAC_MAX_MD_CBLOCK];
+    int key_init;
 } HMAC_CTX;

Thus the size of HMAC_CTX changed, which breaks binary compatibility. The problem is currently discussed in the OpenSSL community:

  https://mta.openssl.org/pipermail/openssl-dev/2015-June/001788.html

OpenSSH 6.8p1 is not affected, but there's no guarantee that other tools linked against OpenSSL won't crash when using crypto functions.

What you should do for the time being:

- Update to OpenSSL 1.0.2b and use it in the first place for security reasons.

- If you have an application which suddenly crashes with 1.0.2b, and if this application is crucial for your daily work, and if you're sure that the security problems fixed in 1.0.2b don't affect you, then, and only then, revert to OpenSSL 1.0.2a.

- If you *build* applications linked against OpenSSL, continue linking against openssl-devel-1.0.2a-1.

I'll keep you informed (probably by updating OpenSSL) as soon as the problem has been addressed upstream.

Cheers,
Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
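Review bot: appending `int key_init;` to `struct hmac_ctx_st` changes `sizeof(HMAC_CTX)`, and since `HMAC_CTX` is a public type that callers allocate themselves (on the stack, embedded in their own structs, or with `malloc(sizeof(HMAC_CTX))`), every binary built against the previous `hmac.h` now hands the library an object that is too small; that is an ABI break and should not ship in a patch-level release without a soname change. Suggest tracking the key-initialized state without growing the public struct, or, if the field must stay, documenting the compatibility impact alongside the hunk and bumping the shared-library version so old binaries keep loading the old layout.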
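The following C program is an added illustration, not code from this mail or from OpenSSL. It models the two HMAC_CTX layouts with simplified stand-in types and checks what appending a field to a public struct does to callers compiled against the old header: the offsets of all existing fields are preserved, so pointer-based access to them still works, but sizeof grows, so any caller that allocates the context itself (stack, embedded, or malloc with the old sizeof) gives the new library an object that is too small, and the library's first write to key_init lands past its end. The EVP_MD_CTX stand-in (`md_ctx_model`, 28 opaque bytes), the type names `hmac_ctx_old`/`hmac_ctx_new` and the helper names are assumptions of this model, not OpenSSL's real definitions; the real numbers are whatever `sizeof(HMAC_CTX)` reports against the 1.0.2a and 1.0.2b headers on your build.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model: a fixed opaque blob stands in for EVP_MD_CTX so the
 * program is self-contained. 28 bytes is a model value, not the real size. */
#define HMAC_MAX_MD_CBLOCK 128
#define MD_CTX_MODEL_SIZE 28

typedef struct { unsigned char opaque[MD_CTX_MODEL_SIZE]; } md_ctx_model;

/* Layout as seen by a binary compiled against the old (1.0.2a-style) header. */
typedef struct {
    const void   *md;
    md_ctx_model  md_ctx;
    md_ctx_model  i_ctx;
    md_ctx_model  o_ctx;
    unsigned int  key_length;
    unsigned char key[HMAC_MAX_MD_CBLOCK];
} hmac_ctx_old;

/* Layout after the hunk in the mail: int key_init appended at the end. */
typedef struct {
    const void   *md;
    md_ctx_model  md_ctx;
    md_ctx_model  i_ctx;
    md_ctx_model  o_ctx;
    unsigned int  key_length;
    unsigned char key[HMAC_MAX_MD_CBLOCK];
    int           key_init;
} hmac_ctx_new;

struct abi_report {
    size_t old_size;
    size_t new_size;
    int existing_offsets_preserved; /* 1 if every old field keeps its offset */
    int caller_allocation_safe;     /* 1 if old-size storage fits the new layout */
};

/* Compare the two layouts field by field and by total size. */
struct abi_report check_layout(void)
{
    struct abi_report r;
    r.old_size = sizeof(hmac_ctx_old);
    r.new_size = sizeof(hmac_ctx_new);
    r.existing_offsets_preserved =
        offsetof(hmac_ctx_old, md)         == offsetof(hmac_ctx_new, md) &&
        offsetof(hmac_ctx_old, md_ctx)     == offsetof(hmac_ctx_new, md_ctx) &&
        offsetof(hmac_ctx_old, i_ctx)      == offsetof(hmac_ctx_new, i_ctx) &&
        offsetof(hmac_ctx_old, o_ctx)      == offsetof(hmac_ctx_new, o_ctx) &&
        offsetof(hmac_ctx_old, key_length) == offsetof(hmac_ctx_new, key_length) &&
        offsetof(hmac_ctx_old, key)        == offsetof(hmac_ctx_new, key);
    /* Old binaries reserve old_size bytes; the new library assumes new_size. */
    r.caller_allocation_safe = (r.new_size <= r.old_size);
    return r;
}

/* Bytes the new library writes past the end of a caller-provided old-size
 * object when it stores key_init. 0 means tail padding absorbed the field. */
size_t overrun_bytes(void)
{
    size_t end_of_new_field = offsetof(hmac_ctx_new, key_init) + sizeof(int);
    size_t old_end = sizeof(hmac_ctx_old);
    return end_of_new_field > old_end ? end_of_new_field - old_end : 0;
}

int main(void)
{
    struct abi_report r = check_layout();
    printf("old sizeof: %zu, new sizeof: %zu\n", r.old_size, r.new_size);
    printf("existing field offsets preserved: %s\n",
           r.existing_offsets_preserved ? "yes" : "no");
    printf("caller-allocated old-size objects safe: %s\n",
           r.caller_allocation_safe ? "yes" : "no");
    printf("bytes written past an old-size object: %zu\n", overrun_bytes());
    return r.caller_allocation_safe ? 0 : 1;
}
```

Build with `cc -std=c99 -o abi_check abi_check.c && ./abi_check`; the non-zero exit status flags the incompatible layout. The same sizeof/offsetof comparison, compiled once against each installed openssl-devel header set, is how a packager can confirm the breakage described above before shipping a rebuild. Note the `overrun_bytes() == 0` case: on some ABIs tail padding can absorb an appended field, so whether a given struct actually grew is a property of the compiled layout, not of the diff alone.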