[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Vulnerability in OpenSSL 1.0.x & Firefox 4 Silent Updates

On Wed, 11 Aug 2010 02:42:15 -0400
whowatchesthewatcherswatches@xxxxxxxxxxxxx wrote:

> Vulnerability in OpenSSL 1.0.x
> http://marc.info/?t=128118169100001&r=1&w=2
> http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0085.html
> Tor server/client use vuln?

Unknown, the real bug seems to be explained here,

I'll let Nick or someone more familiar with openssl explain the risk

> Firefox 4 Silent Updates
> http://news.slashdot.org/story/10/08/07/1239224/Like-Googles-Chrome-Mozilla-To-Silently-Update-Firefox-4

This is why we repeatedly say to stick with the firefox versions we
have analyzed.  New features aren't analyzed and/or mitigated with
torbutton yet.  Something like this should be caught and stopped by
future versions of torbutton.  

We've only analyzed the Firefox 3.5.x codebase.  3.6 is next, or maybe
we just skip and go to 4.x.  There is exactly one person working on
this, so if people want faster updates to torbutton, more help is

Andrew Lewman
The Tor Project
pgp 0x31B0974B

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
skype:  lewmanator
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/