[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2215: mitigate heartbleed vulnerability
Tahoe-LAFS
trac at tahoe-lafs.org
Sat Apr 12 10:50:31 UTC 2014
#2215: mitigate heartbleed vulnerability
-------------------------+-------------------------------------------------
Reporter: daira          | Owner:
Type: defect             | Status: new
Priority: critical       | Milestone: 1.11.0
Component: code          | Version: 1.10.0
Resolution:              | Keywords: security integrity confidentiality
Launchpad Bug:           |   capleak pyopenssl cffi packaging review-needed
-------------------------+-------------------------------------------------
Changes (by daira):
* keywords: security pyopenssl review-needed =>
security integrity confidentiality capleak pyopenssl cffi packaging
review-needed
Comment:
It was suggested on #cryptography-dev that (rather than looking at build
date as the patch currently does), we should call the
`tls1_process_heartbeat` function to directly check whether it is
vulnerable. (This is possible without invoking undefined behaviour.)
For pyOpenSSL >= 0.14, this can be done relatively easily by importing
`OpenSSL._util._lib`, which gives access to arbitrary OpenSSL functions
via cffi. For pyOpenSSL 0.13, however, it's basically impossible because
there is no way to add to the set of OpenSSL functions exposed by the
extension module. I don't know where that leaves us, given the cffi-
related build problems described in #2193 and #2117.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2215#comment:6>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage