We’ve just learned of 6 new vulnerabilities in OpenSSL. This comes hot on the heels of the Heartbleed saga but hasn’t gained much press coverage, possibly because there’s no catchy name for them all, like “Heartbleed”. Of the six, one allows a man-in-the-middle attack. The OpenSSL advisory states:

“The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”

This potentially undermines the security of a lot of network applications, including Tor. OpenSSL has released fixes for all of these defects and lists the vulnerable versions (and patches) on their website. We have already taken the steps to update all our servers and thus should not be vulnerable to any of these attacks. Of course, we will be monitoring the situation and will take necessary action if more attacks come to light.