From: Nick Mathewson Date: Thu, 5 Jan 2012 02:17:52 +0000 (-0500) Subject: Add a changes file for bug4822 X-Git-Tag: tor-0.2.2.36~20^2^2^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0a00678e56ec3030b9028a7188f68ab6c10a3fa3;p=thirdparty%2Ftor.git Add a changes file for bug4822 --- diff --git a/changes/bug4822 b/changes/bug4822 new file mode 100644 index 0000000000..73f43f0452 --- /dev/null +++ b/changes/bug4822 @@ -0,0 +1,13 @@ + o Major security workaround: + - When building or running with any version of OpenSSL earlier + than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had + a bug (CVE-2011-4576) in which their block cipher padding + included uninitialized data, potentially leaking sensitive + information to any peer with whom they made a SSLv3 + connection. Tor does not use SSL v3 by default, but a hostile + client or server could force an SSLv3 connection in order to + gain information that they shouldn't have been able to get. The + best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or + later). But when building or running with a non-upgraded + OpenSSL, we should instead make sure that the bug can't happen + by disabling SSLv3 entirely.
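Review bot: The new changes/bug4822 entry never states the ticket number or the affected Tor version, even though the filename ties it to bug 4822; Tor changes files normally close with a line such as "Fixes bug 4822" (plus the "bugfix on" version where applicable) so the entry can be traced back once the files are merged into the ChangeLog, and that line should be added here. Two wording nits in the same hunk: "SSL v3" (line "connection. Tor does not use SSL v3 by default, ...") is inconsistent with "SSLv3" used everywhere else in the entry, and "made a SSLv3 connection" should read "made an SSLv3 connection". The entry is otherwise clear about the trigger (OpenSSL earlier than 0.9.8s or 1.0.0f), the underlying issue (CVE-2011-4576, uninitialized data in block cipher padding) and the mitigation (disable SSLv3 entirely when built or run against a non-upgraded OpenSSL), which is what an operator reading the release notes needs.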