[tor-dev] Today's openssl vulnerability; preliminary analysis wrt Tor

Nick Mathewson nickm at torproject.org
Thu Jul 9 14:08:44 UTC 2015


tl;dr: CVE-2015-1793 does not appear to affect Tor. Update your
OpenSSL anyway; other applications are certainly affected.



Hi, all!

Here's the announcement for today's major security issue in
OpenSSL 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o:

  https://www.openssl.org/news/secadv_20150709.txt

So far, I have only looked at the announcement itself, and the commit
messages--not yet the code. But from what I can tell, it should only
affect programs that have trusted certificates in their store.  Tor
itself does not use trusted root certificates, so it is not affected.

(Similarly, TorBrowser should not be affected: it uses NSS, not OpenSSL.)

Still, you likely have lots of other programs that depend on OpenSSL
and trusted certificates to build certificate chains, and those
programs _will_ be affected.  So, you should probably upgrade OpenSSL
as soon as feasible.

(I'll spend a little more time on patches and reviewing Tor's code to
confirm my analysis above, and I invite others to do so as well. I'm
in recovery from my vacation today.)

best wishes,
-- 
Nick
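Two checks a reader of the message above might want, added here as an example and not code from Nick's analysis, the OpenSSL advisory or the Tor project: classify an OpenSSL version string against the four releases the message names, and inspect whether a Python ssl.SSLContext actually verifies peers against loaded CA certificates, which is the precondition the message gives for the bug to matter. Assumptions not taken from the message: the affected set is exactly 1.0.2b, 1.0.2c, 1.0.1n and 1.0.1o; a version string naming LibreSSL is treated as unaffected; all function names are hypothetical.

```python
"""Added example: is a given OpenSSL build one of the releases named in the
message above, and does a TLS context actually rely on a trust store?

Assumptions (not from the original message): the affected set is exactly
the four releases listed there (1.0.2b, 1.0.2c, 1.0.1n, 1.0.1o); a string
naming LibreSSL is treated as unaffected; function names are hypothetical.
"""
import re
import ssl

# Releases the message names as affected, keyed (major, minor, fix) ->
# letter releases.  Anything else (earlier, later, 1.1.x, 3.x) is reported
# as not affected by *this* advisory, which says nothing about other bugs.
AFFECTED = {
    (1, 0, 2): {"b", "c"},
    (1, 0, 1): {"n", "o"},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letter) from strings such as '1.0.2c',
    'OpenSSL 1.0.1n 11 Jun 2015' or '1.0.2c-fips'.  Returns None when no
    version number is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_affected_version(text):
    """True iff the string names one of the four releases from the message."""
    if "LibreSSL" in text:
        return False  # assumption: LibreSSL is a separate code base
    parsed = parse_openssl_version(text)
    if parsed is None:
        return False
    major, minor, fix, letter = parsed
    return letter in AFFECTED.get((major, minor, fix), set())


def trust_store_exposure(ctx):
    """Describe whether a context meets the message's precondition: it
    verifies peer certificates *and* has trusted CA certificates loaded.
    A context like Tor's (no trusted roots) comes out as not exposed even
    when linked against an affected OpenSSL."""
    stats = ctx.cert_store_stats()  # {'x509': n, 'crl': n, 'x509_ca': n}
    verifies = ctx.verify_mode != ssl.CERT_NONE
    return {
        "verifies_peer": verifies,
        "ca_certs_loaded": stats["x509_ca"],
        "exposed": verifies and stats["x509_ca"] > 0,
    }


def bare_context_exposure():
    """A verifying context with nothing loaded into its store: the
    situation the message describes for Tor itself."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return trust_store_exposure(ctx)


def default_context_exposure():
    """What a typical application gets: the system CA bundle loaded."""
    return trust_store_exposure(ssl.create_default_context())


def report():
    """Summarise the interpreter's own OpenSSL and its default context."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "affected_release": is_affected_version(ssl.OPENSSL_VERSION),
        "default_context": default_context_exposure(),
    }


if __name__ == "__main__":
    for sample in ("1.0.2c", "OpenSSL 1.0.1n 11 Jun 2015", "1.0.2d", "1.1.1k"):
        print(f"{sample!r:35} affected={is_affected_version(sample)}")
    print("bare context:", bare_context_exposure())
    print("this interpreter:", report())
```

Run it against the output of `openssl version` or the interpreter's own ssl.OPENSSL_VERSION; a build that parses as affected only matters for code paths whose context reports exposed, which is the distinction the message draws between Tor and ordinary OpenSSL clients.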

