Hi, all!

It looks like there is an openssl security advisory affecting some but not all of the ASN.1 parsing code. The announcement is here:

http://openssl.org/news/secadv_20120419.txt

And the full-disclosure posting is here:

http://seclists.org/fulldisclosure/2012/Apr/210

In short, the d2i_*_bio functions and the d2i_*_fp functions are vulnerable to hostile input, but the regular in-memory d2i_* functions, and the PEM_* functions, are not.

Tor only calls the safe d2i_* functions and the safe PEM_* functions, and (as near as I can tell) doesn't call any part of OpenSSL that calls an unsafe function. So it appears that Tor is not affected by this. (I invite everybody to check my work here, of course.)

So if you saw the original announcement and were wondering, "Do I need to upgrade my Tor's OpenSSL right now?" then the answer is "probably not."

If you've got other programs that use OpenSSL, though, an upgrade could be in order: with any luck, your operating system (or the programs themselves) will handle that for you, if they've got a decent security update system.

Just to be sure, future versions of the Tor packages we build ought to ship with OpenSSL 1.0.1a or later.

yrs,
-- 
Nick

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
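The post distinguishes the OpenSSL d2i_*_bio and d2i_*_fp functions (which read DER from a BIO or FILE* and are named in the advisory) from the in-memory d2i_* and PEM_* functions, and invites readers to check the claim that Tor only calls the latter. The shell script below is an added audit helper, not code from the original post or from Tor: it greps a source tree for call sites of the two vulnerable function families and separately counts the in-memory d2i_* calls. The sample source files it builds are constructed for the demonstration, the function names are matched by pattern only, and the advisory text at the URL above remains the authoritative list of affected functions.

```shell
#!/bin/sh
# Added audit helper (not part of the original post or of Tor's code).
# Lists call sites of d2i_<TYPE>_bio( and d2i_<TYPE>_fp( in the given
# files, the families the advisory describes as vulnerable to hostile input,
# and counts the in-memory d2i_<TYPE>( calls the post describes as safe.

# Print "file:line:text" for every d2i_<TYPE>_bio( or d2i_<TYPE>_fp( call.
# Exits 0 even when nothing matches, so callers can run it under set -e.
find_bio_fp_calls() {
    grep -nE 'd2i_[A-Za-z0-9_]+_(bio|fp)[[:space:]]*\(' "$@" || true
}

# Count in-memory d2i_<TYPE>( calls, excluding the _bio and _fp variants.
count_safe_d2i_calls() {
    grep -oE 'd2i_[A-Za-z0-9_]+[[:space:]]*\(' "$@" 2>/dev/null \
        | grep -vE '_(bio|fp)[[:space:]]*\(' | wc -l | tr -d ' '
}

# Constructed sample sources for the demonstration; these are not Tor code.
# Prints the directory they were written to.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/safe.c" <<'EOF'
/* in-memory DER and PEM decoding: not affected per the advisory */
X509 *cert = d2i_X509(NULL, &p, len);
RSA *key = d2i_RSAPrivateKey(NULL, &q, klen);
X509 *pem = PEM_read_bio_X509(bio, NULL, NULL, NULL);
EOF
    cat > "$dir/unsafe.c" <<'EOF'
/* BIO / FILE* DER decoding: the vulnerable family */
X509 *cert = d2i_X509_bio(in, NULL);
RSA *key = d2i_RSAPrivateKey_fp(fp, NULL);
EOF
    echo "$dir"
}

# Report for every .c file under a directory; prints the unsafe call count
# as its last line so a caller can capture it.
audit_dir() {
    hits=$(find_bio_fp_calls "$1"/*.c)
    n=$(printf '%s\n' "$hits" | grep -c . || true)
    echo "d2i_*_bio / d2i_*_fp call sites: $n"
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
    fi
    echo "in-memory d2i_* call sites: $(count_safe_d2i_calls "$1"/*.c)"
    echo "$n"
}

# Usage: run the audit over the constructed sample tree.
sample=$(make_sample)
audit_dir "$sample"
```

Point `find_bio_fp_calls` at a real tree (for example `find_bio_fp_calls src/*.c src/*/*.c`) to list every BIO/FILE* decode site; a zero count is consistent with the post's reading, while any hit marks a call path that needs the upgraded OpenSSL. Note that PEM_* functions containing `_bio` in their names (such as PEM_read_bio_X509) are deliberately not matched, since the post classes them as unaffected.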