[tor-talk] Tor and Openssl on old OSX [was Tor and Openssl bug CVE-2014-0160]

Andreas Krey a.krey at gmx.de
Tue Apr 8 22:37:30 UTC 2014


On Tue, 08 Apr 2014 22:06:31 +0000, Geoff Down wrote:
> 
...
> /library/tor/bin/tor:
>         /opt/local/lib/libz.1.dylib (compatibility version 1.0.0,
>         current version 1.2.5)
>         /opt/local/lib/libevent-2.0.5.dylib (compatibility version
>         7.0.0, current version 7.4.0)
>         /opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0,
>         current version 1.0.0)
>         /opt/local/lib/libcrypto.1.0.0.dylib (compatibility version
>         1.0.0, current version 1.0.0)
>         /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current
>         version 88.1.12)
> 
> libssl==openssl? If so, not vulnerable

Yes, and yes.

> > tor, when started, also tells the openssl version in the first message.
> 
>  Not any more, apparently, at Notice level. At Info level though:
> [info] tor_tls_init(): OpenSSL OpenSSL 1.0.0g 18 Jan 2012 looks like
> version 0.9.8m or later; I will try SSL_OP to enable renegotiation
>  Looks promising.

Mine does (I just patched my relays):

Apr 08 20:59:34.454 [notice] Tor v0.2.4.21 (git-505962724c05445f) running on Linux with Libevent 1.4.13-stable and OpenSSL 1.0.1g.

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800


More information about the tor-talk mailing list