[tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Jan 4 20:51:45 UTC 2012
#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
------------------------+---------------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: new
Priority: critical | Milestone: Tor: 0.2.1.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
According to http://openssl.org/news/secadv_20120104.txt , there is an
information leakage vulnerability when making SSL3 connections with
SSL_MODE_RELEASE_BUFFERS, where uninitialized memory can get leaked, up to
15 bytes at a time. The bug is fixed in openssl 1.0.0f and 0.9.8s.
(I'm told this was found by wanoskarnet, reported by asn to agl, who got
it fixed in openssl.)
On Tor's side, the easiest fix is to just require TLS1 only, and not
support SSL3 any more. But that could create problems with our cipher
lists.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list