On Wed, 11 Aug 2010 02:42:15 -0400 [email protected] wrote:
> Vulnerability in OpenSSL 1.0.x
> http://marc.info/?t=128118169100001&r=1&w=2
> http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0085.html
>
> Tor server/client use vuln?

Unknown, the real bug seems to be explained here,
http://marc.info/?l=openssl-dev&m=128128256314328&w=2

I'll let Nick or someone more familiar with openssl explain the risk better.

> Firefox 4 Silent Updates
> http://news.slashdot.org/story/10/08/07/1239224/Like-Googles-Chrome-Mozilla-To-Silently-Update-Firefox-4

This is why we repeatedly say to stick with the firefox versions we have analyzed. New features aren't analyzed and/or mitigated with torbutton yet. Something like this should be caught and stopped by future versions of torbutton. We've only analyzed the Firefox 3.5.x codebase. 3.6 is next, or maybe we just skip and go to 4.x. There is exactly one person working on this, so if people want faster updates to torbutton, more help is needed.

--
Andrew Lewman
The Tor Project
pgp 0x31B0974B
+1-781-352-0568

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
skype: lewmanator

