[Freepto] heartbleed & us

Supprimer ce message

Répondre à ce message
Auteur: boyska
Date:  
À: freepto
Sujet: [Freepto] heartbleed & us
Hello,
you've probably known about heartbleed: [1][2]
While this is mostly a server-side attacks, it still regards us.
1) An attacker could read the memory of affected programs (xchat &
mumble are between them; icedove, iceweasel, gpg and tor-browser are
luckily not between them)
2) If someone wants to host a server with freepto, the security will be
greatly compromised.

Running aptitude update for a user will solve the issue (debian stable
has been quick in merging!).

Some proposals we should choose on QUICKLY:
a) do nothing, but post an "advisor" on www.freepto.mx
b) create a new build of 0.1.2. Just rebuild the same tag, re-sign,
create torrent and all the stuff
c) create a new build merging the most urgent (and tested) hotfix we
already have on git
...feel free to add your own :)

I'm really busy these days, so I cannot really put my effort on the C,
even if I consider it the best given our scenario; I offer myself for
the "advisor" thing.

[1] http://heartbleed.com/
[2] https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

--
boyska
gpg --recv-keys 0x58289ca9