[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2215: mitigate heartbleed vulnerability

Tahoe-LAFS trac at tahoe-lafs.org
Tue Dec 16 18:15:27 UTC 2014


#2215: mitigate heartbleed vulnerability
-------------------------+-------------------------------------------------
     Reporter:  daira    |      Owner:  daira
         Type:  defect   |     Status:  assigned
     Priority:  critical |  Milestone:  1.11.0
    Component:  code     |    Version:  1.10.0
   Resolution:           |   Keywords:  security integrity confidentiality
Launchpad Bug:           |             capleak pyopenssl cffi packaging review-needed
-------------------------+-------------------------------------------------

Comment (by warner):

 Three options, not necessarily orthogonal.

 * 1: bundle a new version of openssl with pyopenssl
 * 2: require OpenSSL of at least 1.0.1j
 * 3: heroics: do some runtime check to determine whether our OpenSSL
 ("1.0.1j" or not) contains Heartbleed

 1 requires coordination with the pyopenssl upstream folks: we're currently
 hosting eggs for this, but ideally we wouldn't be.

 2 will probably cause build failures on some (debian) platforms that have
 patched the bug but not changed the version number.

 3 is hard, and can't be done for all the OpenSSL bugs we know about (some
 are very hard to detect at runtime).

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2215#comment:17>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
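The following is an added illustration of option 2 from the comment above (a minimum-version check against 1.0.1j), together with the known-affected Heartbleed range (1.0.1 through 1.0.1f). It is not code from the ticket or from Tahoe-LAFS. It reads the packed OpenSSL version number through the standard library `ssl` module so that it runs anywhere; the same integer is exposed by pyOpenSSL as `OpenSSL.SSL.OPENSSL_VERSION_NUMBER`, and swapping in that source is assumed to be the one-line change needed to check the library pyOpenSSL actually links against. The encoding decoded here is OpenSSL's 1.x `0xMNNFFPPS` scheme; OpenSSL 3.x packs its number differently, but the tuple comparison still reports it as newer than 1.0.1j.

```python
"""Runtime check of the linked OpenSSL against a minimum version (option 2).

Added example, not part of the Tahoe-LAFS ticket. Assumption: the stdlib
`ssl` module's number is a stand-in for pyOpenSSL's
OpenSSL.SSL.OPENSSL_VERSION_NUMBER, which uses the same encoding.
"""
import ssl

# OpenSSL 1.x packs its version as 0xMNNFFPPS:
#   M = major, NN = minor, FF = fix, PP = patch letter (0 = none, 1 = 'a', ...),
#   S = status (0 = dev, 1..0xE = beta N, 0xF = release).
MIN_VERSION = (1, 0, 1, 10, 0xF)          # 1.0.1j release, the threshold from the ticket

# Publicly documented Heartbleed range: 1.0.1 up to and including 1.0.1f.
HEARTBLEED_FIRST = (1, 0, 1, 0, 0)        # any 1.0.1 build, betas included
HEARTBLEED_FIXED = (1, 0, 1, 7, 0)        # 1.0.1g and later are not affected


def decode_version_number(num):
    """Split a packed 0xMNNFFPPS integer into (major, minor, fix, patch, status)."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    return (major, minor, fix, patch, status)


def format_version(version):
    """Render a decoded tuple the way OpenSSL prints it, e.g. 1.0.1j or 1.0.2-beta1."""
    major, minor, fix, patch, status = version
    text = "%d.%d.%d" % (major, minor, fix)
    if patch:
        text += chr(ord("a") + patch - 1)
    if status == 0:
        text += "-dev"
    elif status < 0xF:
        text += "-beta%d" % status
    return text


def meets_minimum(num, minimum=MIN_VERSION):
    """Option 2: is the packed version number at least the required release?"""
    return decode_version_number(num) >= minimum


def in_heartbleed_range(num):
    """Version-number heuristic only: a distro that backported the fix without
    bumping the number will still land in this range (the weakness of option 2)."""
    return HEARTBLEED_FIRST <= decode_version_number(num) < HEARTBLEED_FIXED


def check_runtime(num=None):
    """Summarise the linked OpenSSL; defaults to the one Python's ssl module uses."""
    if num is None:
        num = ssl.OPENSSL_VERSION_NUMBER
    version = decode_version_number(num)
    return {
        "version": format_version(version),
        "meets_minimum": version >= MIN_VERSION,
        "in_heartbleed_range": HEARTBLEED_FIRST <= version < HEARTBLEED_FIXED,
    }


if __name__ == "__main__":
    # Constructed sample numbers alongside the live one.
    for sample in (0x1000106F, 0x100010AF, None):
        print(check_runtime(sample))
```

Because the check keys only on the number OpenSSL reports about itself, a platform that patched the bug in place (the Debian case raised in the comment) is reported as failing even though it is safe; treat a negative result as a prompt to inspect the package's changelog rather than as proof of exposure.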

