Updated Knapsack package: OpenSSL 1.0.0m


Luis Lavena

Jun 5, 2014, 10:05:14 PM
to rubyin...@googlegroups.com
Hello,

Due to recently disclosed vulnerabilities in OpenSSL [1], an updated version of this package is available:

x86-windows


  MD5: 1836409f45d3045243bb2653ad263f11

x64-windows


  MD5: b2d4582de8e763c8984d4498f3746496

---

If you're using Knapsack packages (headers and libraries), extract the contents as indicated in the original post [2.1][2.2]

If you're just using RubyInstaller, extract only the DLLs from the package (using 7-Zip) located inside the bin folder.

I'm updating RubyInstaller recipes to use this version in the next few minutes, so newer versions of RubyInstaller ship with it.

Regards,


-- 
Luis Lavena
AREA 17
-
Perfection in design is achieved not when there is nothing more to add,
but rather when there is nothing more to take away.
Antoine de Saint-Exupéry

Serdar Sutay

Jun 9, 2014, 6:19:05 PM
to rubyin...@googlegroups.com
Hrmmm maybe I spoke too soon Luis. Extracting libeay32.dll & ssleay32.dll into RubyInstaller I'm still getting 1.0.0k version in Ruby:

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL::OPENSSL_VERSION
=> "OpenSSL 1.0.0k 5 Feb 2013"
irb(main):003:0>

I found an openssl.so file in RubyInstaller which also might need an update?

Thanks for the help... 

-- Serdar

Luis Lavena

Jun 9, 2014, 6:31:32 PM
to rubyin...@googlegroups.com
On Mon, Jun 9, 2014 at 7:19 PM, Serdar Sutay <ser...@opscode.com> wrote:
Hrmmm maybe I spoke too soon Luis. Extracting libeay32.dll & ssleay32.dll into RubyInstaller I'm still getting 1.0.0k version in Ruby:

irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL::OPENSSL_VERSION
=> "OpenSSL 1.0.0k 5 Feb 2013"
irb(main):003:0>


The constant is defined at compilation time, not at runtime; that is why it will report 1.0.0k, but the DLL being used is the one you extracted.

Because of that, Ruby is backporting some changes so the next release can be verified *at runtime*:

 
I found an openssl.so file in RubyInstaller which also might need an update?


No need, openssl.so links dynamically against libeay32.dll and ssleay32.dll, so the fixes in OpenSSL dlls will be used by Ruby's OpenSSL extension.
 

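One way to check the loaded DLL rather than the compile-time constant, as an added example that is not part of the original thread. It assumes a Ruby build that exposes `OpenSSL::OPENSSL_LIBRARY_VERSION` (the runtime counterpart of `OPENSSL_VERSION`); the helper names `parse_openssl_version`, `audit_openssl` and `loaded_openssl_banners` are hypothetical.

```ruby
# Parse a banner such as "OpenSSL 1.0.0k 5 Feb 2013" into a sortable key.
# Letter releases order a < ... < z < za < zb, so length sorts before the text.
def parse_openssl_version(banner)
  m = /\AOpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)\b/.match(banner.to_s)
  return nil unless m # unknown format (nil, other TLS library): do not guess
  [m[1].to_i, m[2].to_i, m[3].to_i, m[4].length, m[4]]
end

# header_banner:  what the extension was compiled against (OPENSSL_VERSION)
# library_banner: what the loaded DLL reports, or nil if Ruby does not expose it
# minimum:        lowest acceptable release, compared only within its own branch
def audit_openssl(header_banner, library_banner, minimum)
  floor = parse_openssl_version(minimum) or raise ArgumentError, "bad minimum"
  library = parse_openssl_version(library_banner)
  return { status: :unknown, reason: "runtime version unavailable" } if library.nil?
  if library.first(3) != floor.first(3)
    return { status: :unknown, reason: "different release branch than minimum" }
  end
  {
    status: (library <=> floor) >= 0 ? :patched : :outdated,
    # true when the compile-time constant no longer describes the loaded DLL
    header_mismatch: parse_openssl_version(header_banner) != library
  }
end

# Read both banners from the running interpreter.
def loaded_openssl_banners
  require 'openssl'
  runtime = OpenSSL::OPENSSL_LIBRARY_VERSION if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION)
  [OpenSSL::OPENSSL_VERSION, runtime]
end

if __FILE__ == $PROGRAM_NAME
  header, runtime = loaded_openssl_banners
  puts "compiled against: #{header}"
  puts "loaded library:   #{runtime || 'not exposed'}"
  # 1.0.0m is the fixed release named in this thread
  p audit_openssl(header, runtime, "OpenSSL 1.0.0m")
end
```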

Serdar Sutay

Jun 9, 2014, 7:13:31 PM
to rubyin...@googlegroups.com
Awesome... Thanks for the clarification Luis... 