Hello,
you've probably known about heartbleed: [1][2]
While this is mostly a server-side attacks, it still regards us.
1) An attacker could read the memory of affected programs (xchat &
mumble are between them; icedove, iceweasel, gpg and tor-browser are
luckily not between them)
2) If someone wants to host a server with freepto, the security will be
greatly compromised.
Running aptitude update for a user will solve the issue (debian stable
has been quick in merging!).
Some proposals we should choose on QUICKLY:
a) do nothing, but post an "advisor" on
www.freepto.mx
b) create a new build of 0.1.2. Just rebuild the same tag, re-sign,
create torrent and all the stuff
c) create a new build merging the most urgent (and tested) hotfix we
already have on git
...feel free to add your own :)
I'm really busy these days, so I cannot really put my effort on the C,
even if I consider it the best given our scenario; I offer myself for
the "advisor" thing.
[1]
http://heartbleed.com/
[2]
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
--
boyska
gpg --recv-keys 0x58289ca9
