Date: Thu, 11 Jun 2015 14:30:35 -0400 From: Nick Mathewson nickm@torproject.org
Hi, relay operators!
There have been a series of new openssl releases today: 0.9.8zg, 1.0.0s, 1.0.1n, and 1.0.2b.
They fix a set of security issues described in this announcement: https://www.openssl.org/news/secadv_20150611.txt
Since some of these issues could allow a remote denial-of-service attack, I would suggest that everybody should upgrade as OpenSSL packages become available for your operating systems. If you build OpenSSL from source, now's a good time to rebuild. You probably don't need to run in circles freaking out, or anything -- just upgrade when you can.
Also, if you can possibly avoid it, it would be a good idea to stop using the OpenSSL 0.9.8 series entirely. It's old and crufty and is missing many security improvements in later versions. OpenSSL 0.9.8 will not be supported in Tor 0.2.7.2-alpha or later.
Please also note that OpenSSL versions 0.9.8 and 1.0.0 are becoming unsupported at the end of 2015:
"As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be provided after that date. Users of these releases are advised to upgrade."
See the second-last section in https://www.openssl.org/news/secadv_20150611.txt
teor
teor2345 at gmail dot com pgp 0xABFED1AC https://gist.github.com/teor2345/d033b8ce0a99adbc89c5
teor at blah dot im OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7