[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor and Openssl bug CVE-2014-0160

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
From: Andreas Krey <a.krey@xxxxxx>
Date: Tue, 8 Apr 2014 19:13:16 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 08 Apr 2014 13:23:16 -0400
In-reply-to: <1396960261.14581.104070685.0D260E8B@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20140407231747.GH22584@xxxxxxxxxxxxxx> <1396922166.18015.103913225.2F40F147@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <CAEydrT8QhtQ_1=rTF3oH_bkLjybQeNPuAENmiQ9ZH5FGghE_Hw@xxxxxxxxxxxxxx> <1396960261.14581.104070685.0D260E8B@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.4.2.1i

On Tue, 08 Apr 2014 13:31:01 +0000, Geoff Down wrote:
...
> a) whether it's the openssl binary (/usr/bin/openssl) that I need to
> check or some other 'openssl' object

It's not the binary.

> b) if some other object, where is it in OSX10.4 and how do I check the
> version

That depends on whether your tor binary is build with shared libraries;
'otool -L path/to/your/tor' will show which libraries it uses.

(Apart from that the Macos libraryes may be patched by apple
from the original openssl.org versions.)

> c) if the version is a vulnerable one, how do I update it
> ? 

Install new versions of the openssl libs as soon as apple provides
them when you use the ones from the system. Then you (probably)
need to recompile tor itself and make sure that it references the
proper version of openssl libraries.

tor, when started, also tells the openssl version in the first message.

You may also download and compile openssl yourself and link
against that version, but I can't just write down how to
do that - there are some macos specials to find out to do
that, and I didn't yet.

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Tor and Openssl on old OSX [was Tor and Openssl bug CVE-2014-0160]
  - From: Geoff Down

References:
- [tor-talk] Tor and Openssl bug CVE-2014-0160
  - From: Roger Dingledine
- Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
  - From: Geoff Down
- Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
  - From: kendrick eastes
- Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
  - From: Geoff Down

Prev by Author: Re: [tor-talk] [tor-dev] Linux kernel transproxy packet leak (w/ repro case + workaround)
Next by Author: Re: [tor-talk] Tor and Openssl on old OSX [was Tor and Openssl bug CVE-2014-0160]
Previous by thread: Re: [tor-talk] Tor and Openssl bug CVE-2014-0160
Next by thread: Re: [tor-talk] Tor and Openssl on old OSX [was Tor and Openssl bug CVE-2014-0160]
Index(es):
- Author
- Thread