From: Daira Hopwood Date: Tue, 22 Apr 2014 14:47:10 +0000 (+0100) Subject: Be more generous to backports of Heartbleed fix to 1.0.1 through 1.0.1c. X-Git-Url: https://git.rkrishnan.org/listings/nxhtml.html?a=commitdiff_plain;h=7769feacc9ef9c944c4d584279f50e9a9f5e25ef;p=tahoe-lafs%2Ftahoe-lafs.git Be more generous to backports of Heartbleed fix to 1.0.1 through 1.0.1c. Signed-off-by: Daira Hopwood --- diff --git a/src/allmydata/util/check_pyopenssl.py b/src/allmydata/util/check_pyopenssl.py index 46c1d06d..ebf2e123 100644 --- a/src/allmydata/util/check_pyopenssl.py +++ b/src/allmydata/util/check_pyopenssl.py @@ -50,11 +50,15 @@ def check_openssl_version(SSL): if '-DOPENSSL_NO_HEARTBEATS' in openssl_cflags.split(' '): return - # Also allow these versions if a vulnerability test passes (we do this only if - # the version and compiler flag checks are inconclusive, to minimize the chance - # for the test to break or give the wrong result somehow). - if not is_vulnerable(SSL): - return + if numeric_components == [1, 0, 1]: + # Also allow versions 1.0.1 through 1.0.1f if a Heartbleed vulnerability test passes. + # We assume that a library patched for Heartbleed is also patched for previous + # security bugs that affected 1.0.1 through 1.0.1c. + # + # We do this check only if the version and compiler flag checks are inconclusive, to + # minimize the chance for the test to break or give the wrong result somehow. + if not is_vulnerable(SSL): + return raise OpenSSLVersionError("refusing to use %s which may be vulnerable to security bugs.\n" "Please upgrade to OpenSSL 1.0.1g or later." % (openssl_version,))