[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] Security advisory: Please upgrade to today's OpenSSL.

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-relays] Security advisory: Please upgrade to today's OpenSSL.
From: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Thu, 25 Mar 2021 10:15:48 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 25 Mar 2021 10:16:12 -0400
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi, all!

There is a new version of OpenSSL out today, with a security advisory
that affects Tor.  The vulnerability is CVE-2021-3449, as described on
https://www.openssl.org/news/secadv/20210325.txt .  It affects OpenSSL
versions 1.1.1 through 1.1.1j.  OpenSSL 1.1.1k is the first version
with a fix.

I haven't tested this bug, but I believe that it would allow an
adversary to remotely crash Tor relays and authorities.  It won't have
any effect on Tor clients.

I suggest that everybody should upgrade to the latest OpenSSL when it
becomes available on their platform.

best wishes,
-- 
Nick
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

Prev by Author: Re: [tor-relays] I was banned from PayPal
Next by Author: Re: [tor-relays] Tor project helping to attempt to cancel Richard Stallman
Previous by thread: Re: [tor-relays] Tor project helping to attempt to cancel Richard Stallman
Next by thread: [tor-relays] problem with new obfs4 bridge
Index(es):
- Author
- Thread