Re: [Tails-dev] [tor-qa] Tor Browser 4.5.2 is ready for test…

Author: Georg Koppen
Date:  
To: Daniel Kahn Gillmor
CC: The Tails public development discussion list
Subject: Re: [Tails-dev] [tor-qa] Tor Browser 4.5.2 is ready for testing
Daniel Kahn Gillmor:
> On Fri 2015-06-12 15:13:18 -0400, Georg Koppen wrote:
>> We actually rebuilt parts of the 4.5.2 bundles mentioned above to
>> include the latest Tor (0.2.6.9) and above all a fixed OpenSSL (1.0.1n).
>
> Please use OpenSSL 1.0.1o, and not 1.0.1n.
>
> 1.0.1n had an ABI breakage which was fixed in 1.0.1o. This might not be
> an issue for TBB in the common use case, particularly if you're
> building all of TBB from source in one go, and nothing interacts with
> TBB's OpenSSL from outside TBB. But if any of your components were
> built against 1.0.1m or earlier (or end up being built against 1.0.1o or
> later in the future) and they need to interact with the 1.0.1n, you risk
> memory corruption.


Thanks for this hint. We finally decided to ship Tor Browser with
OpenSSL 1.0.1n. I know this is not ideal but burning another two days
seemed not worth the issue given that using Tor Browser should be
working as expected. Moreover, upon further investigation we believe
that you can even point your browser to a system tor or compile your own
tor and put it into the respective Tor Browser directory without risking
memory corruption.

Georg