
Re: Vulnerability in OpenSSL 1.0.x & Firefox 4 Silent Updates



On Wed, Aug 11, 2010 at 2:42 AM,
<whowatchesthewatcherswatches@xxxxxxxxxxxxx> wrote:
> Vulnerability in OpenSSL 1.0.x
> http://marc.info/?t=128118169100001&r=1&w=2
> http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0085.html
>
> Tor server/client use vuln?

Looking at the claims, it seems to only affect OpenSSL 1.0.0a and
maybe 1.0.0.  (I can reproduce it with 1.0.0a, but not with 0.9.8x
and earlier.)   None of our binary packages ship with any version of
OpenSSL 1.0.x (unless I'm missing something), so people using our
binaries are probably safe.  I'll ask around harder later today to
make sure everything is in fact getting built in conformance with its
instructions.

If you're using a version of openssl 1.0.0a that comes with your
operating system, with any luck your vendor will already have issued a
patch.  If not, there is an alleged patch posted in that thread at
http://marc.info/?l=openssl-dev&m=128128256314328&w=2 ; I haven't
evaluated it, and it doesn't seem to have gotten merged into openssl
proper yet, so you shouldn't apply it blindly.  It looks safe to me,
but what do I know?  Personally, I'd think re-linking your Tor against
a statically built 0.9.8o would probably be a better bet than
rebuilding your vendor openssl.

It's also possible (though not certain) that Tor could be unaffected.
If you look at the code in question, it only seems to get invoked for
the elliptic-curve crypto case, which Tor doesn't use or enable.
OTOH, I haven't checked carefully enough to be sure there's no way to
force an openssl 1.0.0a server into that codepath if it doesn't have
any elliptic curve stuff configured, so caution is still warranted.

-- 
Nick