Add a changes file for bug4822

2024-11-10 13:13:44 +01:00 · 2012-01-04 21:17:52 -05:00 · 2012-01-04 21:17:52 -05:00 · 0a00678e56
commit 0a00678e56
parent db78fe4589
1 changed files with 13 additions and 0 deletions
--- a/changes/bug4822
+++ b/changes/bug4822
@ -0,0 +1,13 @@
+  o Major security workaround:
+    - When building or running with any version of OpenSSL earlier
+      than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
+      a bug (CVE-2011-4576) in which their block cipher padding
+      included uninitialized data, potentially leaking sensitive
+      information to any peer with whom they made a SSLv3
+      connection. Tor does not use SSL v3 by default, but a hostile
+      client or server could force an SSLv3 connection in order to
+      gain information that they shouldn't have been able to get. The
+      best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
+      later). But when building or running with a non-upgraded
+      OpenSSL, we should instead make sure that the bug can't happen
+      by disabling SSLv3 entirely.