Author Topic: yDecode 1.72 released (important security update)  (Read 14817 times)


  • Administrator
  • Jr. Member
  • *****
  • Posts: 61
    • View Profile
yDecode 1.72 released (important security update)
« on: June 22, 2010, 08:30:40 PM »
yDecode 1.72 has been released.

This version brings support for updated SSL libraries and it is recommended you upgrade if you use SSL-enabled news server.

A problem with the SSL protocol has been identified and marked as CVE-2009-3555. In short, it enables man-in-the-middle attacker to insert data into SSL sessions by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context. In other words - it enables third person to position himself between you and your secured news server possibly compromising the data transferred between the server and your computer.

Furthermore, TLS extension has been developed and marked as RFC 5746 which fixes this issue and introduces new, secure renegotiation.

yDecode implements these by disabling older renegotiation method and implements the new, secure one. At the moment, not all the servers support RFC 5746 extension but eventually all of them will be updated. But with yDecode you already have a fix for this issue today which also means yDecode is the only secure yEnc decoder available at the moment.

Also, we made a small improvement in activation which should affect only a minor number of users.

Note: Updated SSL libraries are in the demo version installation file (ydec172.exe) so you have to update the demo as well before installing full version.

Download demo on download page and full version on registered user page.

Changes since last release:

yDecode 1.72:

  • SSL update - fixes renegotiation security issue (CVE-2009-3555) and implements new secure renegotiation based on RFC5746
  • improvements in activation (now capable of detecting proxy issues) and informative error message
« Last Edit: June 22, 2010, 10:25:43 PM by Zvonko »