[tor-relays] Security advisory: Please upgrade to today's OpenSSL.
nickm at torproject.org
Thu Mar 25 14:15:48 UTC 2021
There is a new version of OpenSSL out today, with a security advisory
that affects Tor. The vulnerability is CVE-2021-3449, as described on
https://www.openssl.org/news/secadv/20210325.txt . It affects OpenSSL
versions 1.1.1 through 1.1.1j. OpenSSL 1.1.1k is the first version
with a fix.
I haven't tested this bug, but I believe that it would allow an
adversary to remotely crash Tor relays and authorities. It won't have
any effect on Tor clients.
I suggest that everybody should upgrade to the latest OpenSSL when it
becomes available on their platform.
More information about the tor-relays