Vulnerability in OpenSSL 1.0.x & Firefox 4 Silent Updates

Andrew Lewman andrew at torproject.org
Fri Aug 13 13:15:49 UTC 2010


On Wed, 11 Aug 2010 02:42:15 -0400
whowatchesthewatcherswatches at Safe-mail.net wrote:

> Vulnerability in OpenSSL 1.0.x
> http://marc.info/?t=128118169100001&r=1&w=2
> http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0085.html
> 
> Tor server/client use vuln?

Unknown; the real bug seems to be explained here:
http://marc.info/?l=openssl-dev&m=128128256314328&w=2

I'll let Nick or someone more familiar with OpenSSL explain the risk
better.

> Firefox 4 Silent Updates
> http://news.slashdot.org/story/10/08/07/1239224/Like-Googles-Chrome-Mozilla-To-Silently-Update-Firefox-4

This is why we repeatedly say to stick with the Firefox versions we
have analyzed.  New features aren't analyzed and/or mitigated with
Torbutton yet.  Something like this should be caught and stopped by
future versions of Torbutton.

We've only analyzed the Firefox 3.5.x codebase.  3.6 is next, or maybe
we just skip it and go to 4.x.  There is exactly one person working on
this, so if people want faster updates to Torbutton, more help is
needed.

-- 
Andrew Lewman
The Tor Project
pgp 0x31B0974B
+1-781-352-0568

Website: https://www.torproject.org/
Blog: https://blog.torproject.org/
Identi.ca: torproject
skype:  lewmanator