On Sun, 22 Nov 2009 23:47:36 +0100 Erwin Lam <erwin...@dds.nl> wrote:
>On Thursday 12 November 2009 03:15:20 Nick Mathewson wrote:
>> On Wed, Nov 11, 2009 at 12:59:21PM -0500, Andrew S. Lists wrote:
>> > On 11/05/09 15:52, Nick Mathewson wrote:
>> > > On Thu, Nov 05, 2009 at 02:10:00PM -0500, Marcus Griep wrote:
>> > >> Don't know if anyone else has seen or taken a look at this. I
>> > >> don't know if this affects Tor, though I believe that we do use
>> > >> certificate renegotiation in the protocol, and that is the entry
>> > >> vector for this particular vulnerability:
>> > >
>> > > FWIW, this doesn't affect Tor. The problem here is not
>> > > renegotiation per se; the problem is doing renegotiation, then
>> > > acting as though data sent _before_ the renegotiation were
>> > > authenticated with the renegotiated credentials.
>> > >
>> > > The Tor protocol isn't vulnerable here because 1) it doesn't
>> > > allow data to be sent before the renegotiation step, and 2) it
>> > > doesn't treat a renegotiation as authenticating previously
>> > > exchanged data (because there isn't any).
>> >
>> > The vulnerability itself might not affect Tor, but the OpenSSL
>> > workaround for this vulnerability of disabling renegotiation by
>> > default in 0.9.8l [1] might not play nice with a Tor
>> > implementation.
>>
>> Indeed it will not. We have a fix in svn to make the 0.2.1.x and
>> 0.2.2.x-alpha series both work correctly with OpenSSL 0.9.8l. With
>> any luck, we should get releases out before too long.
>
>Hi Nick,
>
>Would you mind releasing that updated version a.s.a.p.? Tor doesn't work
>here at all anymore.
>
     You must be just a tad behind in your reading. The announcement has
already been posted. Just go to the tor download page, and get it.

                                  Scott Bennett, Comm. ASMELG, CFIAG
**********************************************************************
* Internet:       bennett at cs.niu.edu                              *
*--------------------------------------------------------------------*
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
**********************************************************************
***********************************************************************
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
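
The distinction drawn in Nick Mathewson's quoted reply, as an added example that is not part of the thread and is not Tor or OpenSSL code. It models no real TLS: the `attribute` function, its two flags, the event names, the identity labels and both traces are assumptions constructed for illustration.

```python
ANON = "anonymous"  # label for "peer proved no identity" (assumed name)

def attribute(events, no_early_data=False, bind_at_receipt=False):
    """Replay (kind, value) events for one connection and return a list of
    (data, identity the server credits that data to).

    kind "handshake": value is the identity the peer proved (ANON if none);
                      the second and later handshakes are renegotiations.
    kind "data":      value is application bytes received on the connection.
    """
    identity, handshakes, received = None, 0, []
    for kind, value in events:
        if kind == "handshake":
            if no_early_data and handshakes >= 1 and received:
                # Point 1 in the reply: no data is allowed before the
                # renegotiation step, so such a connection is refused.
                raise ValueError("application data preceded renegotiation")
            identity, handshakes = value, handshakes + 1
        elif kind == "data":
            # Remember which identity was in force when the data arrived.
            received.append((value, identity))
        else:
            raise ValueError("unknown event %r" % (kind,))
    if bind_at_receipt:
        # Point 2 in the reply: a renegotiation does not authenticate
        # data exchanged before it.
        return received
    # The problem described in the reply: data sent before the renegotiation
    # is treated as authenticated with the renegotiated credentials.
    return [(data, identity) for data, _ in received]

# Constructed trace: data arrives, then the connection is renegotiated.
EARLY_DATA = [
    ("handshake", ANON),
    ("data", b"sent-before-renegotiation"),
    ("handshake", "client-cert:alice"),
    ("data", b"sent-after-renegotiation"),
]
# Constructed trace shaped like the reply's description of Tor: both
# handshakes complete before any application data is exchanged.
HANDSHAKES_FIRST = [
    ("handshake", ANON),
    ("handshake", "relay-cert"),
    ("data", b"cell"),
]

if __name__ == "__main__":
    print("flawed:", attribute(EARLY_DATA))
    print("bound: ", attribute(EARLY_DATA, bind_at_receipt=True))
```
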