[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-dev] Today's openssl vulnerability; preliminary analysis wrt Tor
tl;dr: CVE-2015-1793 does not appear to affect Tor. Update your
OpenSSL anyway; other applications are certainly affected.
Hi, all!
Here's the announcement for today's major security issue in
OpenSSL1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o:
https://www.openssl.org/news/secadv_20150709.txt
So far, I have only looked at the announcement itself, and the commit
messages--not yet the code. But from what I can tell, it should only
affect programs that have trusted certificates in their store. Tor
itself does not use trusted root certificates, so it is not affected.
(Similarly, TorBrowser should not be affected: it uses NSS, not OpenSSL.)
Still, you likely have lots of other programs that depend on OpenSSL
and trusted certificates to build certificate chains, and those
programs _will_ be affected. So, you should probably upgrade OpenSSL
as soon as feasible.
(I'll spend a little more time patches and reviewing Tor's code to
confirm my analysis above, and I invite others to do so as well. I'm
in recovery from my vacation today.)
best wishes,
--
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev