[tor-dev] Today's openssl vulnerability; preliminary analysis wrt Tor
nickm at torproject.org
Thu Jul 9 14:08:44 UTC 2015
tl;dr: CVE-2015-1793 does not appear to affect Tor. Update your
OpenSSL anyway; other applications are certainly affected.
Here's the announcement for today's major security issue in
OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o:
So far, I have only looked at the announcement itself, and the commit
messages--not yet the code. But from what I can tell, it should only
affect programs that have trusted certificates in their store. Tor
itself does not use trusted root certificates, so it is not affected.
(Similarly, TorBrowser should not be affected: it uses NSS, not OpenSSL.)
Still, you likely have lots of other programs that depend on OpenSSL
and trusted certificates to build certificate chains, and those
programs _will_ be affected. So, you should probably upgrade OpenSSL
as soon as feasible.
(I'll spend a little more time on the patches and reviewing Tor's code to
confirm my analysis above, and I invite others to do so as well. I'm
in recovery from my vacation today.)
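The triage rule in the post has two parts: the linked OpenSSL must be one of the affected releases, and the program must hold trusted certificates that OpenSSL would use to build a chain. The following is an added example (not nickm's code and not part of Tor) that encodes that rule in Python using only the standard library's ssl module. The affected-version list is taken from the post; the banner strings in the test are constructed, and the "empty context" check assumes that a freshly created SSLContext has no CA certificates loaded, which is how CPython behaves unless load_default_certs or load_verify_locations is called.

```python
import re
import ssl

# Releases the tor-dev post names as carrying CVE-2015-1793.
# Anything not in this set is treated as unaffected by this check.
AFFECTED_VERSIONS = {"1.0.1n", "1.0.1o", "1.0.2b", "1.0.2c"}

# Matches banners such as "OpenSSL 1.0.2c 12 Jun 2015".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)")


def parse_openssl_version(banner):
    """Extract the version token ('1.0.2c') from an OpenSSL banner string."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    return match.group(1)


def version_is_affected(banner):
    """True if the banner names one of the releases listed in the post."""
    return parse_openssl_version(banner) in AFFECTED_VERSIONS


def uses_trust_store(ctx):
    """True if the context holds CA certificates that chain building can use.

    This is the second condition from the post: a program that verifies
    against trusted roots is the kind of program the bug reaches.
    """
    return ctx.cert_store_stats()["x509_ca"] > 0


def empty_client_context():
    """A client context with no CA certificates loaded (Tor's situation:
    it does not rely on trusted roots, so nothing is put in the store)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def assess(banner, ctx):
    """Apply the post's reasoning and return one of three labels."""
    if not version_is_affected(banner):
        return "unaffected-version"
    if not uses_trust_store(ctx):
        return "affected-version-no-trusted-roots"
    return "exposed"


def runtime_assessment():
    """Assess the OpenSSL this interpreter is linked against, using a
    context populated from the system trust store. Returns a label, or
    None when the runtime is not OpenSSL (e.g. a LibreSSL build)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    try:
        return assess(ssl.OPENSSL_VERSION, ctx)
    except ValueError:
        return None


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, "->", runtime_assessment())
```

Running the module prints the verdict for the interpreter's own OpenSSL; the `assess` function is the reusable part, and it deliberately reports the "affected version but no trusted roots" case separately, since that is exactly the distinction the post draws for Tor versus the other OpenSSL-linked programs on the same host.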