On Wed, Aug 11, 2010 at 2:42 AM, <[email protected]> wrote:
> Vulnerability in OpenSSL 1.0.x
> http://marc.info/?t=128118169100001&r=1&w=2
> http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0085.html
>
> Tor server/client use vuln?
Looking at the claims, it seems to only affect OpenSSL 1.0.0a and maybe 1.0.0. (I can reproduce it with 1.0.0a, but not with 0.9.8x and earlier.) None of our binary packages ship with any version of OpenSSL 1.0.x (unless I'm missing something), so people using our binaries are probably safe. I'll ask around harder later today to make sure everything is in fact getting built in conformance with its instructions.

If you're using a version of OpenSSL 1.0.0a that comes with your operating system, with any luck your vendor will already have issued a patch. If not, there is an alleged patch posted in that thread at http://marc.info/?l=openssl-dev&m=128128256314328&w=2 ; I haven't evaluated it, and it doesn't seem to have gotten merged into OpenSSL proper yet, so you shouldn't apply it blindly. It looks safe to me, but what do I know? Personally, I'd think re-linking your Tor against a statically built 0.9.8o would probably be a better bet than rebuilding your vendor OpenSSL.

It's also possible (though not certain) that Tor could be unaffected. If you look at the code in question, it only seems to get invoked for the elliptic-curve crypto case, which Tor doesn't use or enable. OTOH, I haven't checked carefully enough to be sure there's no way to force an OpenSSL 1.0.0a server into that codepath if it doesn't have any elliptic curve stuff configured, so caution is still warranted.

-- 
Nick

***********************************************************************
To unsubscribe, send an e-mail to [email protected] with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/

