[tor-dev] Today's openssl vulnerability; preliminary analysis wrt Tor
tl;dr: CVE-2015-1793 does not appear to affect Tor. Update your
OpenSSL anyway; other applications are certainly affected.
Hi, all!

Here's the announcement for today's major security issue in
OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o:

  https://www.openssl.org/news/secadv_20150709.txt

So far, I have only looked at the announcement itself, and the commit
messages--not yet the code. But from what I can tell, it should only
affect programs that have trusted certificates in their store.  Tor
itself does not use trusted root certificates, so it is not affected.

(Similarly, TorBrowser should not be affected: it uses NSS, not OpenSSL.)

Still, you likely have lots of other programs that depend on OpenSSL
and trusted certificates to build certificate chains, and those
programs _will_ be affected.  So, you should probably upgrade OpenSSL
as soon as feasible.

(I'll spend a little more time on the patches and reviewing Tor's code
to confirm my analysis above, and I invite others to do so as well. I'm
in recovery from my vacation today.)

best wishes,
-- 
Nick