[tor-talk] Tor and Openssl bug CVE-2014-0160
Andreas Krey
a.krey at gmx.de
Tue Apr 8 17:13:16 UTC 2014
On Tue, 08 Apr 2014 13:31:01 +0000, Geoff Down wrote:
...
> a) whether it's the openssl binary (/usr/bin/openssl) that I need to
> check or some other 'openssl' object
It's not the binary.
> b) if some other object, where is it in OSX10.4 and how do I check the
> version
That depends on whether your tor binary is build with shared libraries;
'otool -L path/to/your/tor' will show which libraries it uses.
(Apart from that the Macos libraryes may be patched by apple
from the original openssl.org versions.)
> c) if the version is a vulnerable one, how do I update it
> ?
Install new versions of the openssl libs as soon as apple provides
them when you use the ones from the system. Then you (probably)
need to recompile tor itself and make sure that it references the
proper version of openssl libraries.
tor, when started, also tells the openssl version in the first message.
You may also download and compile openssl yourself and link
against that version, but I can't just write down how to
do that - there are some macos specials to find out to do
that, and I didn't yet.
Andreas
--
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
More information about the tor-talk
mailing list