AFFLIB 3.0.3 is released; AFFLIB 3.0.2 is withdrawn

Simson

Nov 27, 2007, 12:30:13 AM
to aff-announce
November 26, 2007

AFFLIB 3.0.2 is withdrawn
AFFLIB 3.0.3 is released

Dear AFF Users:

AFFLIB 3.0.3 has been released. This version fixes a bug in the AFF
encryption routines that was inadvertently introduced between
AFFLIB 3.0.1 and AFFLIB 3.0.2.

As a result of this error, AFFLIB 3.0.2 has been withdrawn.
If you have a copy of AFFLIB 3.0.2, please delete it.

The bug in AFFLIB 3.0.2 resulted from a bug in a version of SHA256
that was bundled into AFFLIB between version 3.0.1 and 3.0.2. Both
SHA256 and AES256 are required for AFF encryption. Unfortunately, the
version of SHA256 that was bundled had a data-dependent bug. This bug
only affected systems which did not have a system-installed SHA256
implementation.

As a result of this bug, all private implementations of cryptographic
functions have been stripped from AFFLIB. If you do not have an
OpenSSL library that has SHA256, you will not be able to use AFF
encryption.

The practical result is that some users will not be able to use AFF
encryption without first updating their OpenSSL library.

ATTENTION MACINTOSH USERS: APPLE'S 10.4 and 10.5 OPERATING SYSTEMS
SHIP WITH A VERSION OF OPENSSL THAT IS OUT-OF-DATE AND DOES NOT
INCLUDE SHA256. If you are using a Macintosh, you must download a copy
of OpenSSL that has SHA256 to use AFF encryption. You can easily
download a modern OpenSSL implementation using the MacPorts or Fink
system.

I apologize for this problem. To prevent it from happening, we've
improved the validation of AFFLIB that runs both when AFFLIB is built
and each time it runs.

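A data-dependent hash bug of the kind described in the announcement is what a known-answer self-test at start-up is meant to catch. The following is an added example, not AFFLIB's own validation code: the function names and the deliberately defective `buggy_sha256` are constructed for illustration, and the expected digests are the published FIPS 180 SHA-256 test vectors.

```python
import hashlib

# Known-answer vectors (FIPS 180 SHA-256 examples). The lengths are chosen to
# exercise different code paths: empty input, a short single block, 56 bytes
# (padding spills into a second block), and a long multi-block message.
KAT_VECTORS = [
    ("empty", b"",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("abc", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("56-byte", b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
     "248d6a61d20638b8e5c026930c3e6039a33ce45964ff2167f6ecedd419db06c1"),
    ("1M x 'a'", b"a" * 1_000_000,
     "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0"),
]


def sha256_self_test(digest_fn):
    """Run every vector through digest_fn; return labels of the failures."""
    failures = []
    for label, message, expected_hex in KAT_VECTORS:
        try:
            got = digest_fn(message).hex()
        except Exception:
            got = None  # an implementation that crashes also fails the test
        if got != expected_hex:
            failures.append(label)
    return failures


def system_sha256(data):
    """SHA-256 from the system crypto library (OpenSSL behind hashlib)."""
    return hashlib.sha256(data).digest()


def buggy_sha256(data):
    """Constructed stand-in for a defective bundled implementation: correct
    unless the message needs a second padding block (length % 64 >= 56)."""
    digest = hashlib.sha256(data).digest()
    if len(data) % 64 < 56:
        return digest
    return bytes([digest[0] ^ 0x01]) + digest[1:]


def encryption_available(digest_fn):
    """Fail closed: offer encryption only if every vector matches."""
    return not sha256_self_test(digest_fn)
```

A self-test that checked only `"abc"` would pass the defective implementation; the 56-byte vector is the one that exposes it.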