DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 60MKVZl62282031
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 60MKVZl62282031
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=UJjpQaZW
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org E63A84BA9039
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1769113893;
	bh=KF2fVsWdbipxrXHpZ93xAAmuTa2VDXVr7fr/N3ZQ1oo=;
	h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:
	 From;
	b=UJjpQaZWnyGKlmaMmlF25CxaNkPChDWBqgEb3UpJSZ1KwHMgeBbijG0OSwm/RX2/6
	 7WsieXKpROUnHxXGkD+qh4o5R449ln3dOEgQKyyXOf0zmLMhrgMXnPnu446q+l3W1z
	 8EkaUo/17OBzAKfOG7xmHoz+E0+5fezOpqzzJxQw=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org EE1AA4BA23EA
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org EE1AA4BA23EA
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1769113844; cv=none;
 b=hl/YppJ/2y9XLim1BHKjsRi1S/+WANW7OUqK4Az6fUaghS8uPjtauOoPBj0e3fHnyYqG8E9aKmNqhi/MfjhHs8DufbaXSj0PFbdR58WkqonjG9raeIMWEkKEuWXhVIbbMOKLUAVQdLCwp7/Prxaihqwe9dnRLeuXVLHEacUgB9E=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1769113844; c=relaxed/simple;
 bh=wTTbDK2Y5XH/w+U132ZMhz/Vzene+MDlUndutYDFJog=;
 h=DKIM-Signature:Message-ID:Date:MIME-Version:Subject:To:From;
 b=Vr5hp9VAooT8+KHdg1LX4Ze+Dr8qfDHgwbw3r3bOcU1R4+2GSxhrN2QuoQgyB4zeLZcTNG1IIkZ/LrWgFAkMfi/7w6iOy5z9xlWVhLrYHbSj3+d5q63Hdukl/kntA62IL/Bhsa7Ftkr1IBQhqg52L0x3UWfu9fcYzmLK8ToKBJw=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org EE1AA4BA23EA
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1769113843; x=1769718643;
 h=content-transfer-encoding:in-reply-to:from:references:to
 :content-language:subject:user-agent:mime-version:date:message-id
 :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=E8Mtf9ghE+dK/77SfvpgJWjJ7q5kV+kB98imG1VRhLY=;
 b=X/ZgjZ3Fvc57SO/Ix7dlf9nD2662vTAfnvSih3pi6mZ2G9o/yGogt7Bqnd8caHjlkz
 ziW607UNXN3pFStUNlrLyuyrBkZNOBloJbyGRK2/MCd0eg8mi+HS/32aH34P7jUVqq5W
 lq4midyA6gPRKMaJ9dBP02gy4uC62ijZMNA5/GCtWPsyzCFUFe8LjfEAGOZ0KoXnLtpF
 c2T9tseEZdewnGsLIT9cmrnl/JZyyvL47zmd53ll1WKL1UsCpS48nJlGr7EcBN39mpM5
 O+brWst6WHSv/6Bk85l3ODyb1KqDtwp9+3jL64D0dnO6+0YvHvZlQxG9fuH7mx6qy9B+
 pwog==
X-Gm-Message-State: AOJu0YwN+gzidpRdxKFW7XfR57gUcNGw9m1eufmBGiKYryE66fLAziq1
 a0UI3zJnI1R+S9i1+6/m6NoKvNgwrPs30IDZxFTsnKmMIYoPZ9aUCBREyRP+hQ==
X-Gm-Gg: AZuq6aLjQGujNqe1Ptxd0kWrD1Mexx1Iqb9JQx1ML91P637DYIEYLAR20lcwadppgNS
 GnXSpuaMWiLgdp1JI3/UnBlZUH5o8jqJHcRjSMyhZOfG5vAGH10eKlCH3g3ebEdPzhE0pR7j/Lh
 TRAJNI1qlnZ4+X++z8UH1Cpz+OHLNFjtTdajUOK9+2joq9PAJnB2MdS70xPiacIzva3weFfeeRI
 H4TLrv3OVzlmSfttaDeYOsQin+nRAccuB3qynebn029fS/+DPZwDw1zEtLsgfsWqOKeaSjYc1Zd
 yO8HS6i+zEY9UJyw06iO74H2X9s0Fvns121JFC6sDoO2ALflQG3t2KvFvPOMNL2lRotx4D03Frj
 ba/WPNssyUCBsO0SZgEYJtTyppxVJcdCBis0dPd7fC5xfyuv2mNu5jhCnDIBi9JAw1EZAxVnVDK
 5U/utuO0InlgveLW9Y5XHGJ8xrOZ9oqo/kBjYOt8zv2MDzMJqkrgz9K7UZHAFp187rzbDw
X-Received: by 2002:a05:600c:8b61:b0:479:3a86:dc1e with SMTP id
 5b1f17b1804b1-4804c9ca954mr14516705e9.36.1769113842800; 
 Thu, 22 Jan 2026 12:30:42 -0800 (PST)
Message-ID: <2b687296-0fbd-4b48-867a-0ac8ce38be82@gmail.com>
Date: Thu, 22 Jan 2026 21:30:40 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: CVE-2025-13151 and Cygwin package libtasn1_6
Content-Language: en-GB
To: cygwin AT cygwin DOT com
References: <BN9P111MB2434F33C607CDE0AB042906EB097A AT BN9P111MB2434 DOT NAMP111 DOT PROD DOT OUTLOOK DOT COM>
 <6040d6ad-9d19-4f1b-9a0b-f8b379175830 AT gmail DOT com>
 <87v7gtsfpl DOT fsf AT Gerda DOT invalid>
In-Reply-To: <87v7gtsfpl.fsf@Gerda.invalid>
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Marco Atzeri via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Marco Atzeri <marco DOT atzeri AT gmail DOT com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>

On 22/01/2026 18:46, ASSI via Cygwin wrote:
> Marco Atzeri via Cygwin writes:
>> On 22/01/2026 17:50, FOPPE, JEFFREY B CIV USAF AFMC AFLCMC/WFRQ via
>> Cygwin wrote:
>>> CVE-2025-13151 points out a vulnerability in libtasn1 versions 4.20
>>> and earlier.  The version provided through Cygwin is much earlier.
>>> It doesn't look like this package has been updated since 2019 and is
>>> listed as Orphaned.  A lot of other packages seem to depend on it.
>>> Does anyone know if a developer will look at updating this?
> 
>> Looking on it
> 
> It looks like it'll be a few more days before the release is done
> upstream.
> 
> 
> Regards,
> Achim.

Thanks Achim,

My understanding is that 4.21.0 is safe from this

https://lists.gnu.org/archive/html/help-libtasn1/2026-01/msg00001.html

I am testing the package build on Scallywag
https://cygwin.com/cgi-bin2/jobs.cgi

Locally it passed all tests.

Regards
Marco


-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple