[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/maint-0.2.2] Add a changes file for bug4822
commit 0a00678e56ec3030b9028a7188f68ab6c10a3fa3
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Wed Jan 4 21:17:52 2012 -0500
Add a changes file for bug4822
---
changes/bug4822 | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/changes/bug4822 b/changes/bug4822
new file mode 100644
index 0000000..73f43f0
--- /dev/null
+++ b/changes/bug4822
@@ -0,0 +1,13 @@
+ o Major security workaround:
+ - When building or running with any version of OpenSSL earlier
+ than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
+ a bug (CVE-2011-4576) in which their block cipher padding
+ included uninitialized data, potentially leaking sensitive
+ information to any peer with whom they made a SSLv3
+ connection. Tor does not use SSL v3 by default, but a hostile
+ client or server could force an SSLv3 connection in order to
+ gain information that they shouldn't have been able to get. The
+ best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
+ later). But when building or running with a non-upgraded
+ OpenSSL, we should instead make sure that the bug can't happen
+ by disabling SSLv3 entirely.
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits