Re: [tor-talk] Tor and Openssl on old OSX [was Tor and Openssl bug CVE-2014-0160]



Hi Andreas
On Tue, Apr 8, 2014, at 06:13 PM, Andreas Krey wrote:
> On Tue, 08 Apr 2014 13:31:01 +0000, Geoff Down wrote:
> > b) if some other object, where is it in OSX10.4 and how do I check the
> > version
> 
> That depends on whether your tor binary is built with shared libraries;
> 'otool -L path/to/your/tor' will show which libraries it uses.
/library/tor/bin/tor:
        /opt/local/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
        /opt/local/lib/libevent-2.0.5.dylib (compatibility version 7.0.0, current version 7.4.0)
        /opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /opt/local/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 88.1.12)

libssl==openssl? If so, not vulnerable

> 
> (Apart from that the Macos libraries may be patched by Apple
> from the original openssl.org versions.)
> 
> > c) if the version is a vulnerable one, how do I update it
> > ? 
> 
> Install new versions of the openssl libs as soon as Apple provides
> them when you use the ones from the system.

 Not a supported OS any more.

> Then you (probably)
> need to recompile tor itself and make sure that it references the
> proper version of openssl libraries.
> 
> tor, when started, also tells the openssl version in the first message.

 Not any more, apparently, at Notice level. At Info level though:
[info] tor_tls_init(): OpenSSL OpenSSL 1.0.0g 18 Jan 2012 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
 Looks promising.

> 
> You may also download and compile openssl yourself and link
> against that version, but I can't just write down how to
> do that - there are some macos specials to find out to do
> that, and I didn't yet.
> 

Thanks for this much help anyway :)


-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
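
An added example, not part of the original message: a POSIX shell check that takes the OpenSSL version Tor reports in its Info-level tor_tls_init() line and classifies it against the upstream CVE-2014-0160 affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1). It keys on the reported version string rather than the dylib name, because OpenSSL 1.0.1 builds also install as libssl.1.0.0.dylib. The function names are hypothetical and the second sample log line is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): classify an OpenSSL version string
# against the CVE-2014-0160 affected range. The dylib name is no guide:
# OpenSSL 1.0.1 also installs as libssl.1.0.0.dylib, so use the version the
# library reports at run time, e.g. in Tor's Info-level tor_tls_init() line.

# Extract the OpenSSL version token (e.g. "1.0.0g") from a Tor log line.
openssl_version_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9a-z.-]*\) .*/\1/p'
}

# Print affected / not-affected / unknown for one version string.
# Affected upstream releases: 1.0.1 through 1.0.1f, 1.0.2-beta, 1.0.2-beta1.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f])       echo affected ;;
        1.0.2-beta|1.0.2-beta1) echo affected ;;
        *-*)                    echo unknown ;;  # other pre-release or vendor build: check by hand
        [0-9]*.[0-9]*.[0-9]*)   echo not-affected ;;
        *)                      echo unknown ;;  # empty or unparseable input
    esac
}

# Convenience wrapper: log line in, "<version> <verdict>" out.
check_tor_log_line() {
    v=$(openssl_version_from_log "$1")
    printf '%s %s\n' "${v:-?}" "$(heartbleed_status "$v")"
}

# Sample input: the first line is the one quoted in the message above;
# the second is constructed for illustration.
check_tor_log_line '[info] tor_tls_init(): OpenSSL OpenSSL 1.0.0g 18 Jan 2012 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation'
check_tor_log_line '[info] tor_tls_init(): OpenSSL OpenSSL 1.0.1e 11 Feb 2013 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation'
```

A vendor-suffixed string such as 1.0.1e-fips is reported as unknown on purpose, since distributors may backport the fix without changing the base version.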