Date: Fri, 23 Jan 2026 12:02:32 +0100
Subject: Re: CVE-2025-13151 and Cygwin package libtasn1_6
To: The Cygwin Mailing List
From: marco atzeri via Cygwin

On Fri, 23 Jan 2026, 10:22 Brian Inglis via Cygwin wrote:

> On 2026-01-22 13:30, Marco Atzeri via Cygwin wrote:
> > On 22/01/2026 18:46, ASSI via Cygwin wrote:
> >> Marco Atzeri via Cygwin writes:
> >>> On 22/01/2026 17:50, FOPPE, JEFFREY B CIV USAF AFMC AFLCMC/WFRQ via
> >>> Cygwin wrote:
> >>>> CVE-2025-13151 points out a vulnerability in libtasn1 versions 4.20
> >>>> and earlier. The version provided through Cygwin is much earlier.
> >>>> It doesn't look like this package has been updated since 2019 and is
> >>>> listed as Orphaned. A lot of other packages seem to depend on it.
> >>>> Does anyone know if a developer will look at updating this?
> >>
> >>> Looking on it
> >>
> >> It looks like it'll be a few more days before the release is done
> >> upstream.
>
> > My understanding is that 4.21.0 is safe from this
> >
> > https://lists.gnu.org/archive/html/help-libtasn1/2026-01/msg00001.html
> >
> > I am testing the package build on Scallywag
> > https://cygwin.com/cgi-bin2/jobs.cgi
> >
> > Locally it passed all tests.
>
> Could also do with an update to gnutls 3.8.11?
>

I will look during the weekend

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple