Plan for new TBBs re Openssl bug? - tbb-dev - lists.torproject.org

newer
TBB versions file

Plan for new TBBs re Openssl bug?

older
Tor unexpectedly exited

Roger Dingledine

7 Apr 2014 7 Apr '14

8:41 p.m.

https://www.openssl.org/news/vulnerabilities.html#2014-0160 http://heartbleed.com/ Is TBB affected? Is there a plan for an update? --Roger

Reply

Sign in to reply online Use email software

Show replies by date

Tom Ritter

7 Apr 7 Apr

8:52 p.m.

This is a server-side attack, so clients don't need to make any change, but you should look at the server configuration and see what version of what SSL library you're running. And actually, now that I think of it, look at tor itself and see how it impacts it. Worst case scenario would be people being able to steal tor node identity keys.... -tom On 7 April 2014 16:41, Roger Dingledine <arma@mit.edu> wrote:

Reply

Sign in to reply online Use email software

Roger Dingledine

9:27 p.m.

On Mon, Apr 07, 2014 at 04:52:05PM -0400, Tom Ritter wrote:

This is a server-side attack, so clients don't need to make any change,

Unless somebody is certain that the bug can't be triggered against Tor clients to have them send arbitrary memory to Tor relays (including, say, past stream history), it seems like we do indeed want new TBBs. I agree that it appears Tor Browser (which is based on libnss) is unaffected. --Roger

Reply

Sign in to reply online Use email software

Nicolas Vigier

10:29 p.m.

On Mon, 07 Apr 2014, Roger Dingledine wrote:

On friday tbb meeting, Mike was talking about doing a new 3.5.x release in the begining of the week, for a security release of one of the components.

Reply

Sign in to reply online Use email software

4076

Age (days ago)

4076

Last active (days ago)

Download

3 comments

3 participants

tags

participants (3)

Nicolas Vigier
Roger Dingledine
Tom Ritter