[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor and Openssl bug CVE-2014-0160

On Tue, 08 Apr 2014 13:31:01 +0000, Geoff Down wrote:
> a) whether it's the openssl binary (/usr/bin/openssl) that I need to
> check or some other 'openssl' object

It's not the binary.

> b) if some other object, where is it in OSX10.4 and how do I check the
> version

That depends on whether your tor binary is build with shared libraries;
'otool -L path/to/your/tor' will show which libraries it uses.

(Apart from that the Macos libraryes may be patched by apple
from the original openssl.org versions.)

> c) if the version is a vulnerable one, how do I update it
> ? 

Install new versions of the openssl libs as soon as apple provides
them when you use the ones from the system. Then you (probably)
need to recompile tor itself and make sure that it references the
proper version of openssl libraries.

tor, when started, also tells the openssl version in the first message.

You may also download and compile openssl yourself and link
against that version, but I can't just write down how to
do that - there are some macos specials to find out to do
that, and I didn't yet.


"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to