DMARC-Filter: OpenDMARC Filter v1.4.2 delorie.com 60N9MBix2892802
Authentication-Results: delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results: delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter: OpenDKIM Filter v2.11.0 delorie.com 60N9MBix2892802
Authentication-Results: delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=COhV9mXu
X-Recipient: archive-cygwin AT delorie DOT com
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 3C5E54BC89BA
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1769160130;
	bh=cuerxGOAS7A4L+bRcZRrMMpkT9S0TsQb2L7OTDy4PeE=;
	h=Date:Subject:To:References:In-Reply-To:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=COhV9mXuqJ9767fMRuoPiAkCVLCGJW/tHX4gN0f7fc2Gi0PaAwbul+tCSmgwErCQv
	 ZIhTViRjH8k5gpyx1KAGU+L8VSNxouAP6zQGMISGQ1VPxX4FQTswzYvELt5Ilw7fdn
	 FSaaU414q2NLezVwTu+EdWrPsE05rHDDIVlbxdbE=
X-Original-To: cygwin AT cygwin DOT com
Delivered-To: cygwin AT cygwin DOT com
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 2B3804BA23C1
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 2B3804BA23C1
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1769160111; cv=none;
 b=e48XcJihfPDBa4pHC5InKW/4RvPiilaOwxKAaDNp3WI6kJQmA0dh45s6E9MBvNHE6jyQ8qSV9UA9JAENY/XDSZmn9Wa8WMMLx2+SG/5dtEc0RVIyBheNLj2o+s6IYrxG6yo1lQ++m8+oD435uw+QBr+6E19J79QvQ6Gn4lwJT4o=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
 t=1769160111; c=relaxed/simple;
 bh=di5MDzHL9VMT9/Famkejng+wS0CylZ5mDzPtGWR6y6k=;
 h=Message-ID:Date:MIME-Version:From:Subject:To:DKIM-Signature;
 b=OhLczMKcSAXBywTdUjzNT4D1JOaycnkNom9/vEiq0mXGB1tXZu5t3wWVyJT+zHbT+htxN0AsoUD2T9JInBM1B0unBZVRZDg8HqISraRer+iSgljYPqrcsL/ZXGtxncdxg8kit1oYhkEHpr04ux/40O2+nmnW8z1ecz0e9igMd8M=
ARC-Authentication-Results: i=1; server2.sourceware.org
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 2B3804BA23C1
Message-ID: <18d758ba-fa32-46b4-8948-b7b448e52d05@SystematicSW.ab.ca>
Date: Fri, 23 Jan 2026 02:21:47 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: CVE-2025-13151 and Cygwin package libtasn1_6
Content-Language: en-CA
To: cygwin AT cygwin DOT com
References: <BN9P111MB2434F33C607CDE0AB042906EB097A AT BN9P111MB2434 DOT NAMP111 DOT PROD DOT OUTLOOK DOT COM>
 <6040d6ad-9d19-4f1b-9a0b-f8b379175830 AT gmail DOT com>
 <87v7gtsfpl DOT fsf AT Gerda DOT invalid>
 <2b687296-0fbd-4b48-867a-0ac8ce38be82 AT gmail DOT com>
Organization: Systematic Software
In-Reply-To: <2b687296-0fbd-4b48-867a-0ac8ce38be82@gmail.com>
X-Stat-Signature: tc9txnjk9nzirsfcg3psix7tep44zeq1
X-Rspamd-Server: rspamout02
X-Rspamd-Queue-Id: 97FD520027
X-Session-Marker: 427269616E2E496E676C69734053797374656D6174696353572E61622E6361
X-Session-ID: U2FsdGVkX1/xchK2OZkrLStrBVmjGrbxLxiKYZZm94Q=
X-HE-Tag: 1769160108-371417
X-HE-Meta: U2FsdGVkX1/rEzTEay6F3PsTrvVBECAmoWzdxOplu9fbbzkhR8B/C7tSASTPor1lr+j/8zZH7XzhBGwjPBRr9yEuwCRM5cU5CiZTdbMuvMee4xYRQwYOXGe2W4nK9JzZ6iYdWkU4g3Ql3ZULos7llLBB/u+kOVQp3+wy9ahrDanZaoZNh2+JdeH1Wwfk7a/GEEE0ZW4o3pH/y7JdUSoNNkpXXWhmHDwx4Bte9BLZHYx7OYSgvqLh73WK1yIlLfd0mKSYce6urDfIv0fvelpWYaRHI8LUn+4zPTqrnF993cdOcka4NJWIH3KQv3JBJl3qFhDC1Oru4BgZaOtQ3DQ26AfqDMAQrmM8B/3KKEmxkMPdk9AGHiumHfXBno2syC/Ur3f5NOdiM8TZterGTCmN7JZkdrFKEPr7JSRTflFGlGHp3oGhIKHmiQmGpT7zHZn8F9hADqwp1Rc=
X-BeenThere: cygwin AT cygwin DOT com
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe: <https://cygwin.com/mailman/options/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From: Brian Inglis via Cygwin <cygwin AT cygwin DOT com>
Reply-To: cygwin AT cygwin DOT com
Cc: Brian Inglis <Brian DOT Inglis AT SystematicSW DOT ab DOT ca>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender: "Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by delorie.com id 60N9MBix2892802

On 2026-01-22 13:30, Marco Atzeri via Cygwin wrote:
> On 22/01/2026 18:46, ASSI via Cygwin wrote:
>> Marco Atzeri via Cygwin writes:
>>> On 22/01/2026 17:50, FOPPE, JEFFREY B CIV USAF AFMC AFLCMC/WFRQ via
>>> Cygwin wrote:
>>>> CVE-2025-13151 points out a vulnerability in libtasn1 versions 4.20
>>>> and earlier.  The version provided through Cygwin is much earlier.
>>>> It doesn't look like this package has been updated since 2019 and is
>>>> listed as Orphaned.  A lot of other packages seem to depend on it.
>>>> Does anyone know if a developer will look at updating this?
>>
>>> Looking on it
>>
>> It looks like it'll be a few more days before the release is done
>> upstream.

> My understanding is that 4.21.0 is safe from this
> 
> https://lists.gnu.org/archive/html/help-libtasn1/2026-01/msg00001.html
> 
> I am testing the package build on Scallywag
> https://cygwin.com/cgi-bin2/jobs.cgi
> 
> Locally it passed all tests.

Could also do with an update to gnutls 3.8.11?

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retrancher  but when there is no more to cut
                                 -- Antoine de Saint-Exupéry

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple