[tor-relays] Relays vulnerable to OpenSSL bug: Please upgrade

tor at t-3.net tor at t-3.net
Wed Apr 9 14:29:32 UTC 2014

 On 04/09/2014 04:39 AM, Roger Dingledine wrote:> On Tue, Apr 08, 2014 
at 07:31:43PM
-0600, Jesse Victors wrote:
 >> I'd recommend that every relay operator delete their keys as well,
 > Not every. Those on OpenSSL 0.9.8, e.g. because they're using 
 > oldstable, were never vulnerable to this bug. I imagine there are 
 > FreeBSD or the like people out there in a similar boat. And Centos
 > people, etc.
 > --Roger
 > _______________________________________________
 > tor-relays mailing list
 > tor-relays at lists.torproject.org
 > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

The most up-to-date CentOS was supposedly vulnerable? Same as RedHat.
But I don't know how to test for the vulnerability itself so I don't 
really know.

Redhat's emailed warning to update OpenSSL went out yesterday as
"Security Advisory - RHSA-2014:0376-1". CentOS' updated OpenSSL
was available right away as well, and the CentOS 6.5 boxes pulled it 
right down
in an update.

I did have some slightly older CentOS 5 boxes which had a version of 
that was reportedly not vulnerable.

Page heartbleed.com said:

How about operating systems?

Some operating system distributions that have shipped with potentially 
OpenSSL version:

    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    CentOS 6.5, OpenSSL 1.0.1e-15
    Fedora 18, OpenSSL 1.0.1e-4
    OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 
10 May 2012)
    FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
    NetBSD 5.0.2 (OpenSSL 1.0.1e)
    OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

    Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
    SUSE Linux Enterprise Server
    FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
    FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
    FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

More information about the tor-relays mailing list