Author: Georg Koppen Date: To: Daniel Kahn Gillmor CC: The Tails public development discussion list Subject: Re: [Tails-dev] [tor-qa] Tor Browser 4.5.2 is ready for testing
Daniel Kahn Gillmor: > On Fri 2015-06-12 15:13:18 -0400, Georg Koppen wrote:
>> We actually rebuilt parts of the 4.5.2 bundles mentioned above to
>> include the latest Tor (0.2.6.9) and above all a fixed OpenSSL (1.0.1n).
>
> Please use OpenSSL 1.0.1o, and not 1.0.1n.
>
> 1.0.1n had an ABI breakage which was fixed in 1.0.1o. This might not be
> an issue for TBB in the common use case, particularly, if you're
> building all of TBB from source in one go, and nothing interacts with
> TBB's OpenSSL from outside TBB. But if any of your components were
> built against 1.0.1m or earlier (or end up being built against 1.0.1o or
> later in the future) and they need to interact with the 1.0.1n, you risk
> memory corruption.
Thanks for this hint. We finally decided to ship Tor Browser with
OpenSSL 1.0.1n. I know this is not ideal but burning another two days
seemed not worth the issue given that using Tor Browser should be
working as expected. Moreover, upon further investigation we believe
that you can even point your browser to a system tor or compile your own
tor and put it into the respective Tor Browser directory without risking
memory corruption.
