
Re: [tor-relays] Relays vulnerable to OpenSSL bug: Please upgrade




On 04/09/2014 04:39 AM, Roger Dingledine wrote:
> On Tue, Apr 08, 2014 at 07:31:43PM -0600, Jesse Victors wrote:
>> I'd recommend that every relay operator delete their keys as well,
>
> Not every. Those on OpenSSL 0.9.8, e.g. because they're using Debian
> oldstable, were never vulnerable to this bug. I imagine there are some
> FreeBSD or the like people out there in a similar boat. And Centos
> people, etc.
>
> --Roger
>
> _______________________________________________
> tor-relays mailing list
> tor-relays@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

The most up-to-date CentOS was supposedly vulnerable? Same as Red Hat.
But I don't know how to test for the vulnerability itself, so I don't really know.

Red Hat's emailed warning to update OpenSSL went out yesterday as
"Security Advisory - RHSA-2014:0376-1". CentOS' updated OpenSSL
was available right away as well, and the CentOS 6.5 boxes pulled it right down
in an update.

I did have some slightly older CentOS 5 boxes which had a version of SSL
that was reportedly not vulnerable.

Page heartbleed.com said:

How about operating systems?

Some operating system distributions that have shipped with potentially vulnerable
OpenSSL version:

   Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
   Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
   CentOS 6.5, OpenSSL 1.0.1e-15
   Fedora 18, OpenSSL 1.0.1e-4
   OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
   FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
   NetBSD 5.0.2 (OpenSSL 1.0.1e)
   OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

   Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
   SUSE Linux Enterprise Server
   FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
   FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
   FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
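
A version triage for the strings in the lists above, added here as an example; it is not part of the original message or of heartbleed.com. It assumes the affected upstream range is OpenSSL 1.0.1 through 1.0.1f with 1.0.1g fixed, and the function name `classify_openssl` is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumption: upstream OpenSSL 1.0.1 through 1.0.1f carry the heartbeat bug;
# 1.0.1g is fixed; the 0.9.8 and 1.0.0 branches never had the code.
LC_ALL=C; export LC_ALL   # keep the [a-f] ranges byte-wise

# classify_openssl (hypothetical helper): takes an OpenSSL version string,
# either `openssl version` output or a package version, and prints a verdict.
classify_openssl() {
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+[a-z]?' | head -n 1)
    case "$ver" in
        1.0.1|1.0.1[a-f]) verdict=affected ;;
        1.0.1[g-z])       verdict=fixed ;;
        0.9.8*|1.0.0*)    verdict=not-affected ;;
        *)                verdict=unknown ;;
    esac
    # Distro packages keep the upstream letter and backport fixes, so a
    # package revision ("-15", "-2+deb7u4") means the letter alone cannot
    # confirm a patched build: compare against the vendor advisory.
    if [ "$verdict" = affected ]; then
        case "$1" in
            *"$ver"-[0-9]*) verdict=affected-unless-vendor-patched ;;
        esac
    fi
    printf '%s\n' "$verdict"
}

# Sample inputs copied from the lists quoted above.
for v in '1.0.1e-15' 'OpenSSL 1.0.1c 10 May 2012' \
         '0.9.8o-4squeeze14' 'OpenSSL 1.0.1g'; do
    printf '%-28s %s\n' "$v" "$(classify_openssl "$v")"
done
```

Pass it only the OpenSSL version string, not a whole line that also contains an OS release number. A daemon started before the upgrade keeps the old library mapped until it is restarted.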


