From: Daira Hopwood Date: Tue, 22 Apr 2014 14:47:10 +0000 (+0100) Subject: Be more generous to backports of Heartbleed fix to 1.0.1 through 1.0.1c. X-Git-Url: https://git.rkrishnan.org/frontends/FTP-and-SFTP.txt?a=commitdiff_plain;h=cb62d513b11e8c78103907935f32e84d56dcf823;p=tahoe-lafs%2Ftahoe-lafs.git Be more generous to backports of Heartbleed fix to 1.0.1 through 1.0.1c. Signed-off-by: Daira Hopwood
---
diff --git a/src/allmydata/util/check_pyopenssl.py b/src/allmydata/util/check_pyopenssl.py
index 46c1d06d..ebf2e123 100644
--- a/src/allmydata/util/check_pyopenssl.py
+++ b/src/allmydata/util/check_pyopenssl.py
@@ -50,11 +50,15 @@ def check_openssl_version(SSL):
 if '-DOPENSSL_NO_HEARTBEATS' in openssl_cflags.split(' '):
 return
 
- # Also allow these versions if a vulnerability test passes (we do this only if
- # the version and compiler flag checks are inconclusive, to minimize the chance
- # for the test to break or give the wrong result somehow).
- if not is_vulnerable(SSL):
- return
+ if numeric_components == [1, 0, 1]:
+ # Also allow versions 1.0.1 through 1.0.1f if a Heartbleed vulnerability test passes.
+ # We assume that a library patched for Heartbleed is also patched for previous
+ # security bugs that affected 1.0.1 through 1.0.1c.
+ #
+ # We do this check only if the version and compiler flag checks are inconclusive, to
+ # minimize the chance for the test to break or give the wrong result somehow.
+ if not is_vulnerable(SSL):
+ return
 
 raise OpenSSLVersionError("refusing to use %s which may be vulnerable to security bugs.\n"
 "Please upgrade to OpenSSL 1.0.1g or later." % (openssl_version,))
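Review bot: The new guard `if numeric_components == [1, 0, 1]:` admits a library on the strength of the `is_vulnerable(SSL)` probe alone, and the comment itself says the other bugs affecting 1.0.1 through 1.0.1c are only assumed fixed, yet nothing records that the library was accepted by the probe rather than by the version check. If this module has a logging facility (none is visible in the hunk), a message at the `return` inside the new branch naming `openssl_version` and stating that acceptance rested on the Heartbleed probe would let operators see which deployments depend on that assumption. The equality also silently disables the fallback if `numeric_components` — defined outside the hunk — is ever a tuple or carries a fourth component, in which case every 1.0.1 build falls through to the raise; a short comment above the guard stating the expected shape of `numeric_components` (confirm against the parsing code above) would make that dependency explicit. The body of check_openssl_version starts before this hunk.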