Daniel Kahn Gillmor:
> On Fri 2015-06-12 15:13:18 -0400, Georg Koppen wrote:
>> We actually rebuilt parts of the 4.5.2 bundles mentioned above to
>> include the latest Tor (0.2.6.9) and above all a fixed OpenSSL (1.0.1n).
>
> Please use OpenSSL 1.0.1o, and not 1.0.1n.
>
> 1.0.1n had an ABI breakage which was fixed in 1.0.1o. This might not be
> an issue for TBB in the common use case, particularly, if you're
> building all of TBB from source in one go, and nothing interacts with
> TBB's OpenSSL from outside TBB. But if any of your components were
> built against 1.0.1m or earlier (or end up being built against 1.0.1o or
> later in the future) and they need to interact with the 1.0.1n, you risk
> memory corruption.

Thanks for this hint. We finally decided to ship Tor Browser with
OpenSSL 1.0.1n. I know this is not ideal but burning another two days
seemed not worth the issue given that using Tor Browser should be
working as expected. Moreover, upon further investigation we believe
that you can even point your browser to a system tor or compile your own
tor and put it into the respective Tor Browser directory without risking
memory corruption.

Georg
_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
