From: Daira Hopwood
Date: Sat, 12 Apr 2014 17:11:05 +0000 (+0100)
Subject: OpenSSL version check: 1.0.2-beta and 1.0.2-beta1 are vulnerable.
X-Git-Url: https://git.rkrishnan.org/%5B/frontends/%22news.html/something?a=commitdiff_plain;h=c4875a5d2781913a74b7bedfad5659f78bcc6a4c;p=tahoe-lafs%2Ftahoe-lafs.git
OpenSSL version check: 1.0.2-beta and 1.0.2-beta1 are vulnerable.
Signed-off-by: Daira Hopwood
---
diff --git a/src/allmydata/__init__.py b/src/allmydata/__init__.py
index 9883931d..de2ec26d 100644
--- a/src/allmydata/__init__.py
+++ b/src/allmydata/__init__.py
@@ -436,7 +436,8 @@ def check_openssl_version(SSL):
 if ((numeric_components == [0, 9, 8] and components[2] >= '8y') or
 (numeric_components == [1, 0, 0] and components[2] >= '0l') or
 (numeric_components == [1, 0, 1] and components[2] >= '1g') or
- (numeric_components >= [1, 0, 2])):
+ (numeric_components == [1, 0, 2] and not components[2].startswith('2-beta')) or
+ (numeric_components >= [1, 0, 3])):
 return

 if numeric_components == [1, 0, 1] and components[2] >= '1d':
diff --git a/src/allmydata/test/test_version.py b/src/allmydata/test/test_version.py
index 58a58518..8628f281 100644
--- a/src/allmydata/test/test_version.py
+++ b/src/allmydata/test/test_version.py
@@ -154,6 +154,7 @@ class CheckRequirement(unittest.TestCase):
 self.failUnlessRaises(PackagingError, check_openssl_version, MockSSL("OpenSSL 1.0.1e 7 Abc 2014"))
 self.failUnlessRaises(PackagingError, check_openssl_version, MockSSL("OpenSSL 1.0.1e invalid_date"))
 self.failUnlessRaises(PackagingError, check_openssl_version, MockSSL("OpenSSL 1.0.1e 7 Apr"))
+ self.failUnlessRaises(PackagingError, check_openssl_version, MockSSL("OpenSSL 1.0.2-beta1"))
 self.failUnlessRaises(PackagingError, check_openssl_version, MockSSL("OpenSSL 0.10"))
 self.failUnlessRaises(PackagingError, check_openssl_version, MockSSL("OpenSSL 0.10.0"))
 self.failUnlessRaises(PackagingError, check_openssl_version, MockSSL("OpenSSL 1.0.0"))
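Review bot: In check_openssl_version (src/allmydata/__init__.py), the new 1.0.2 branch rejects only strings whose third component starts with `2-beta`, so any other pre-release label on the 1.0.2 line (for example a `-dev` snapshot build) is still accepted. Because this check exists to refuse vulnerable libraries, a test that fails closed would be safer: `(numeric_components == [1, 0, 2] and '-' not in components[2]) or`. Whether `components[2]` for `1.0.2-beta1` really is `2-beta1` depends on the parsing above the hunk, which is not visible here; the function starts and ends outside the hunk. A comment such as `# 1.0.2-beta and 1.0.2-beta1 are vulnerable; treat every 1.0.2 pre-release as unsafe` would record why the prefix match is broader than the two versions named in the subject.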
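Review bot: In src/allmydata/test/test_version.py only `1.0.2-beta1` is added to the rejected cases, although the commit subject also names `1.0.2-beta` as vulnerable, so the shorter string has no regression test. Adding `self.failUnlessRaises(PackagingError, check_openssl_version, MockSSL("OpenSSL 1.0.2-beta"))` beside the new line would cover it. The second hunk of this file adds `1.0.3` to the accepted cases, but no test pins down how a pre-release suffix on an otherwise accepted version is handled (a constructed example: `OpenSSL 1.0.3-beta1`). The test method starts and ends outside both hunks.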
@@ -172,6 +173,7 @@ class CheckRequirement(unittest.TestCase):
 check_openssl_version(MockSSL("OpenSSL 1.0.1zzz"))
 check_openssl_version(MockSSL("OpenSSL 1.0.2"))
 check_openssl_version(MockSSL("OpenSSL 1.0.2a"))
+ check_openssl_version(MockSSL("OpenSSL 1.0.3"))
 check_openssl_version(MockSSL("OpenSSL 1.0.10a"))
 check_openssl_version(MockSSL("OpenSSL 1.1"))
 check_openssl_version(MockSSL("OpenSSL 1.1.0"))