mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-14 15:23:27 +01:00
Add a changes file for bug4822
parent
db78fe4589
commit
0a00678e56
13
changes/bug4822
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
o Major security workaround:
|
||||||
|
- When building or running with any version of OpenSSL earlier
|
||||||
|
than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
|
||||||
|
a bug (CVE-2011-4576) in which their block cipher padding
|
||||||
|
included uninitialized data, potentially leaking sensitive
|
||||||
|
information to any peer with whom they made a SSLv3
|
||||||
|
connection. Tor does not use SSL v3 by default, but a hostile
|
||||||
|
client or server could force an SSLv3 connection in order to
|
||||||
|
gain information that they shouldn't have been able to get. The
|
||||||
|
best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
|
||||||
|
later). But when building or running with a non-upgraded
|
||||||
|
OpenSSL, we should instead make sure that the bug can't happen
|
||||||
|
by disabling SSLv3 entirely.
|
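Review bot: The version condition in the first bullet ("any version of OpenSSL earlier than 0.9.8s or 1.0.0f") is ambiguous, because a fixed 0.9.8 release at or after 0.9.8s is still earlier than 1.0.0f in plain ordering. Wording it per branch, for example "OpenSSL 0.9.8 before 0.9.8s, or 1.0.0 before 1.0.0f", would make clear which builds get SSLv3 disabled. The closing sentence ("we should instead make sure that the bug can't happen") reads as a proposal rather than a description of the new behaviour; a changes entry is clearer if it says that Tor now disables SSLv3 in that case. Minor style points in the same paragraph: "a SSLv3 connection" should be "an SSLv3 connection" (as it is written two lines later), and "SSL v3" should match the "SSLv3" spelling used elsewhere. The entry also never names the ticket; the file is changes/bug4822, so a trailing reference to bug 4822 would help readers of the release notes find the discussion.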