On Mon, Jan 6, 2014 at 2:04 PM, Lukas Tribus <[email protected]> wrote:
> Hi,
>
>
>> It does not look like 1.0.1f changed the default behavior of
>> ENGINE_rdrand (coderman's been following it).
>
> Yes it did, rdrand is no longer enabled by default. Here [1] is
> the backport in the OpenSSL_1_0_1-stable head [2].
>
> At least Debian [3] and Ubuntu backported this as well.

OpenSSL makes ZERO mention of this fix anywhere in the 1.0.1f release itself; only the git history itself provides a clue.

Tor released an update to intentionally work around this issue, with notice to relay and hidden service operators who may have been affected; Debian and Ubuntu disabled via backport, and explicitly called this out in their security errata (thank you all!).

However, Debian and Ubuntu neglected to mention packages that may have been affected by generating long-lived keys during a vulnerable configuration (boo!).

In any case, end result: use 1.0.1f and be happy.

best regards,
