OT: OpenSSL 1.0.1f

coderman coderman at gmail.com
Tue Jan 7 17:35:56 UTC 2014

On Mon, Jan 6, 2014 at 2:04 PM, Lukas Tribus <luky-37 at hotmail.com> wrote:
> Hi,
>> It does not look like 1.0.1f changed the default behavior of
>> ENGINE_rdrand (coderman's been following it).
> Yes it did, rdrand is no longer enabled by default. Here [1] is
> the backport in the OpenSSL_1_0_1-stable head [2].
> At least Debian [3] and Ubuntu backported this as well.

OpenSSL makes ZERO mention of this fix anywhere in the 1.0.1f release
itself, only the git history itself provides clue.  Tor released an
update to intentionally work around this issue with notice to relay
and hidden service operators who may have been affected; Debian and
Ubuntu disabled via backport, and explicitly called this out in their
security errata (thank you all!).

however, debian and ubuntu neglected to mention packages that may have
been affected by generating long lived keys during a vulnerable
configuration (boo!).

in any case, end result: use 1.0.1f and be happy

best regards,

More information about the nginx mailing list