
[tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?



#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
------------------------+---------------------------------------------------
 Reporter:  nickm       |          Owner:                    
     Type:  defect      |         Status:  new               
 Priority:  critical    |      Milestone:  Tor: 0.2.1.x-final
Component:  Tor Client  |        Version:                    
 Keywords:              |         Parent:                    
   Points:              |   Actualpoints:                    
------------------------+---------------------------------------------------
 According to http://openssl.org/news/secadv_20120104.txt , there is an
 information leakage vulnerability when making SSL3 connections with
 SSL_MODE_RELEASE_BUFFERS, where uninitialized memory can get leaked, up to
 15 bytes at a time.  The bug is fixed in openssl 1.0.0f and 0.9.8s.

 (I'm told this was found by wanoskarnet, reported by asn to agl, who got
 it fixed in openssl.)

 On Tor's side, the easiest fix is to just require TLS1 only, and not
 support SSL3 any more.  But that could create problems with our cipher
 lists.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
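An added example, not code from the ticket or from Tor: a run-time gate on the two fixed releases named above (0.9.8s and 1.0.0f). It assumes OpenSSL's packed version number is the input. The struct, the function names, the policy itself and the conservative treatment of 1.0.1 pre-releases are assumptions made for illustration.

```c
#include <stdio.h>

/* OpenSSL packs its version as 0xMNNFFPPS: major, minor, fix, patch letter
 * (a = 0x01 ... s = 0x13) and a status nibble (0xf = release). */
#define FIXED_0_9_8S    0x0090813fUL /* 0.9.8s */
#define FIXED_1_0_0F    0x1000006fUL /* 1.0.0f */
#define FIRST_1_0_1_REL 0x1000100fUL /* 1.0.1 final */
#define BRANCH_MASK     0xfffff000UL /* keeps major.minor.fix */
#define BRANCH_0_9_8    0x00908000UL
#define BRANCH_1_0_0    0x10000000UL

/* Hypothetical policy record, not a Tor or OpenSSL type. */
struct tls_policy {
    int disable_ssl3;          /* apply SSL_OP_NO_SSLv3 via SSL_CTX_set_options() */
    int allow_release_buffers; /* SSL_MODE_RELEASE_BUFFERS via SSL_CTX_set_mode() */
};

/* Returns 1 when the given version number carries the padding fix. */
int openssl_has_padding_fix(unsigned long v)
{
    unsigned long branch = v & BRANCH_MASK;
    if (branch == BRANCH_0_9_8)
        return v >= FIXED_0_9_8S;
    if (branch == BRANCH_1_0_0)
        return v >= FIXED_1_0_0F;
    /* Assumption: later release branches carry the fix; 1.0.1 pre-releases
     * and anything older than 0.9.8 are conservatively treated as unfixed. */
    return v >= FIRST_1_0_1_REL;
}

/* On an unfixed library: refuse SSL3 and keep one write buffer per connection. */
struct tls_policy choose_tls_policy(unsigned long v)
{
    struct tls_policy p;
    int fixed = openssl_has_padding_fix(v);
    p.disable_ssl3 = !fixed;
    p.allow_release_buffers = fixed;
    return p;
}

int main(void)
{
    /* Constructed samples: 0.9.8r, 0.9.8s, 1.0.0e, 1.0.0f, 1.0.1-beta1. */
    static const unsigned long samples[] = {
        0x0090812fUL, 0x0090813fUL, 0x1000005fUL, 0x1000006fUL, 0x10001001UL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct tls_policy p = choose_tls_policy(samples[i]);
        printf("0x%08lx: disable_ssl3=%d release_buffers=%d\n",
               samples[i], p.disable_ssl3, p.allow_release_buffers);
    }
    return 0;
}
```

The check has to use the version of the library actually loaded (SSLeay() in the 0.9.8 and 1.0.0 series), not the compile-time OPENSSL_VERSION_NUMBER, because a dynamically linked binary may run against an older libssl than it was built with.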