[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Does Tor need to be recompiled *after* the opensslupdate?

hikki@xxxxxxxxxxxxx writes:

> > Unless tor was linked statically to openssl, using for instance the
> > --enable-static-openssl or --enable-static-tor configure options.
> > 
> > Checking that tor is not linked statically can be done with ldd:
> > 
> >  $ ldd /usr/bin/tor
> >  [...]
> >  libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f6081b5c000)
> I'm not sure what this means.
> $ ldd src/or/tor on my system says:
> [...]
> libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x0000...)
> Is my system *still* at risk?
> Do I need to recompile?

The dynamic versus static linking question is about whether the code
from OpenSSL was permanently included into your Tor binary (static
linking) or whether it gets loaded from a separate OpenSSL library
file every time you start Tor (dynamic linking).  In the static
linking case, the vulnerability can't be fixed without getting a
totally new Tor binary, because the vulnerable code is built into the
Tor binary itself.  In the dynamic linking case, the vulnerability
can be fixed by replacing the OpenSSL system libraries, because then
the new, safer ones will be used when Tor is started.

The ldd output above shows dynamic linking, meaning that the system
version of OpenSSL is being used, meaning that having upgraded the
OpenSSL libraries should be enough to make Tor safer against the
recently discovered problems without recompiling Tor.

Seth Schoen  <schoen@xxxxxxx>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to