[tor-relays] Recommendation: Upgrade your OpenSSL! (Nick Mathewson)

teor teor2345 at gmail.com
Fri Jun 12 12:31:59 UTC 2015


> Date: Thu, 11 Jun 2015 14:30:35 -0400
> From: Nick Mathewson <nickm at torproject.org>
> 
> Hi, relay operators!
> 
> There have been a series of new openssl releases today: 0.9.8zg,
> 1.0.0s, 1.0.1n, and 1.0.2b.
> 
> They fix a set of security issues described in this announcement:
>    https://www.openssl.org/news/secadv_20150611.txt
> 
> Since some of these issues could allow a remote denial-of-service
> attack, I would suggest that everybody should upgrade as OpenSSL
> packages become available for your operating systems.   If you build
> OpenSSL from source, now's a good time to rebuild.  You probably don't
> need to run in circles freaking out, or anything -- just upgrade when
> you can.
> 
> Also, if you can possibly avoid it, it would be a good idea to stop
> using the OpenSSL 0.9.8 series entirely.  It's old and crufty and is
> missing many security improvements in later versions.  OpenSSL 0.9.8
> will not be supported in Tor 0.2.7.2-alpha or later.

Please also note that OpenSSL versions 0.9.8 and 1.0.0 are becoming unsupported at the end of 2015:

"As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade."

See the second-last section in https://www.openssl.org/news/secadv_20150611.txt

teor

teor2345 at gmail dot com
pgp 0xABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7
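
An added example, not part of either message above: a shell check that classifies an OpenSSL version string against the four releases named in the announcement and flags the two series whose support ends on 31st December 2015. The function names and result strings are hypothetical, and the sample versions in the loop are constructed.

```shell
#!/bin/sh
# Patch letters in these series run "", a..z, za, zb, ...; comparing by
# length first and then alphabetically reproduces that order.
letters_lt() {   # succeeds if patch suffix $1 is older than $2
    [ "${#1}" -lt "${#2}" ] && return 0
    [ "${#1}" -gt "${#2}" ] && return 1
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$1" ]
}

classify_openssl() {   # $1: upstream version string such as "1.0.1m"
    re='^\([0-9]*\.[0-9]*\.[0-9]*\)\([a-z]*\)$'
    base=$(printf '%s\n' "$1" | sed -n "s/$re/\1/p")
    patch=$(printf '%s\n' "$1" | sed -n "s/$re/\2/p")
    # Fixed release per series, from the 11 June 2015 announcement.
    case "$base" in
        0.9.8) fixed=zg; eol=yes ;;
        1.0.0) fixed=s;  eol=yes ;;
        1.0.1) fixed=n;  eol=no ;;
        1.0.2) fixed=b;  eol=no ;;
        *) echo "unknown"; return 0 ;;   # other series or vendor suffixes
    esac
    if letters_lt "$patch" "$fixed"; then
        echo "upgrade"
    elif [ "$eol" = yes ]; then
        echo "patched-but-series-ends-2015-12-31"
    else
        echo "patched"
    fi
}

# Constructed sample versions; on a relay, pass the second field of
# `openssl version` instead.
for v in 0.9.8zf 0.9.8zg 1.0.0r 1.0.1m 1.0.1n 1.0.2 1.0.2b; do
    printf '%-8s %s\n' "$v" "$(classify_openssl "$v")"
done
```

Distribution packages often backport security fixes without changing the upstream version letter, so an "upgrade" result on a packaged build means checking the distributor's advisory rather than assuming the fix is missing.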
