[tor-relays] Security advisory: Please upgrade to today's OpenSSL.

Nick Mathewson nickm at torproject.org
Thu Mar 25 14:15:48 UTC 2021

Hi, all!

There is a new version of OpenSSL out today, with a security advisory
that affects Tor.  The vulnerability is CVE-2021-3449, as described on
https://www.openssl.org/news/secadv/20210325.txt .  It affects OpenSSL
versions 1.1.1 through 1.1.1j.  OpenSSL 1.1.1k is the first version
with a fix.

I haven't tested this bug, but I believe that it would allow an
adversary to remotely crash Tor relays and authorities.  It won't have
any effect on Tor clients.

I suggest that everybody should upgrade to the latest OpenSSL when it
becomes available on their platform.

best wishes,

More information about the tor-relays mailing list