[tahoe-lafs-trac-stream] [tahoe-lafs] #1722: respond to OpenSSL ASN.1 parsing bug
tahoe-lafs
trac at tahoe-lafs.org
Thu Apr 19 19:40:08 UTC 2012
#1722: respond to OpenSSL ASN.1 parsing bug
----------------------------+----------------------------------------
 Reporter: davidsarah       | Owner:
 Type: defect               | Status: new
 Priority: critical         | Milestone: undecided
 Component: packaging       | Version: 1.9.1
 Resolution:                | Keywords: openssl security packaging
 Launchpad Bug:             |
----------------------------+----------------------------------------
Comment (by warner):
http://www.openssl.org/news/secadv_20120419.txt claims that the bug
doesn't affect the SSL/TLS code (because that code uses the in-memory ASN1
parsers, rather than the BIO/FILE parsers). The only time Foolscap passes
*in* a certificate is when setting up a Tub (i.e. reading back the .pem
file that was written out by an earlier invocation), in which case the
data was generated locally.

So my first hunch is that we're ok. If the openssl problem turns out to be
vulnerable to receipt of corrupt certificates over the wire (as opposed to
from local disk), then we'd be in trouble.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1722#comment:1>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage