
Re: Last openssl update for Ubuntu breaks Tor



On Thu, 2010-12-09 at 19:02 +0100, ml@xxxxxxxxxxx wrote:
> Hi,
> 
> I have/had problems with Tor 0.2.2.19-alpha and 0.2.1.27 (recompiled) after
> the last openssl update under Ubuntu Maverick according to "Ubuntu Security
> Notice USN-1029-1, December 08, 2010, openssl vulnerabilities, CVE-2008-7270,
> CVE-2010-4180".
> 
> Both Tor versions crash with core dumps and the last line in info.log is:
> "[info] cpuworker_main(): CPU worker exiting because Tor process closed
> connection (either rotated keys or died)."

I'm running "Tor version 0.2.1.27 (r5e842d29f970dcaa).", and have this
version of OpenSSL installed on Ubuntu: "0.9.8o-1ubuntu4.3". The
changelog mentions the CVE you refer to:


> openssl (0.9.8o-1ubuntu4.3) maverick-security; urgency=low
> 
>   * SECURITY UPDATE: ciphersuite downgrade vulnerability
>     - openssl-CVE-2010-4180-secadv_20101202-0.9.8.patch:
>       disable workaround for Netscape cipher suite bug in ssl/s3_clnt.c
>       and ssl/s3_srvr.c
>     - CVE-2010-4180
> 
>  -- Steve Beattie <sbeattie@xxxxxxxxxx>  Thu, 02 Dec 2010 16:24:31 -0800

However, I haven't experienced any problems with Tor. As far as I am
aware, nothing is unique about my setup -- just the default Tor install
with the default Ubuntu Maverick amd64 install.

Are we running the same versions of everything? Maybe the problem is
somewhere else (like your chroot setup)?
