[tor-relays] Relays vulnerable to OpenSSL bug: Please upgrade

tor at t-3.net tor at t-3.net
Wed Apr 9 14:29:32 UTC 2014


On 04/09/2014 04:39 AM, Roger Dingledine wrote:
> On Tue, Apr 08, 2014 at 07:31:43PM -0600, Jesse Victors wrote:
>> I'd recommend that every relay operator delete their keys as well,
>
> Not every. Those on OpenSSL 0.9.8, e.g. because they're using Debian
> oldstable, were never vulnerable to this bug. I imagine there are some
> FreeBSD or the like people out there in a similar boat. And CentOS
> people, etc.
>
> --Roger

The most up-to-date CentOS was supposedly vulnerable? Same as Red Hat.
But I don't know how to test for the vulnerability itself, so I don't
really know.

Red Hat's emailed warning to update OpenSSL went out yesterday as
"Security Advisory - RHSA-2014:0376-1". CentOS' updated OpenSSL
was available right away as well, and the CentOS 6.5 boxes pulled it
right down in an update.

I did have some slightly older CentOS 5 boxes which had a version of
SSL that was reportedly not vulnerable.

Page heartbleed.com said:

How about operating systems?

Some operating system distributions that have shipped with potentially
vulnerable OpenSSL version:

    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    CentOS 6.5, OpenSSL 1.0.1e-15
    Fedora 18, OpenSSL 1.0.1e-4
    OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
    FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
    NetBSD 5.0.2 (OpenSSL 1.0.1e)
    OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions that are not vulnerable:

    Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
    SUSE Linux Enterprise Server
    FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
    FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
    FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)




