From cb62d513b11e8c78103907935f32e84d56dcf823 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Tue, 22 Apr 2014 15:47:10 +0100 Subject: [PATCH] Be more generous to backports of Heartbleed fix to 1.0.1 through 1.0.1c. Signed-off-by: Daira Hopwood --- src/allmydata/util/check_pyopenssl.py | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/allmydata/util/check_pyopenssl.py b/src/allmydata/util/check_pyopenssl.py index 46c1d06d..ebf2e123 100644 --- a/src/allmydata/util/check_pyopenssl.py +++ b/src/allmydata/util/check_pyopenssl.py @@ -50,11 +50,15 @@ def check_openssl_version(SSL): if '-DOPENSSL_NO_HEARTBEATS' in openssl_cflags.split(' '): return - # Also allow these versions if a vulnerability test passes (we do this only if - # the version and compiler flag checks are inconclusive, to minimize the chance - # for the test to break or give the wrong result somehow). - if not is_vulnerable(SSL): - return + if numeric_components == [1, 0, 1]: + # Also allow versions 1.0.1 through 1.0.1f if a Heartbleed vulnerability test passes. + # We assume that a library patched for Heartbleed is also patched for previous + # security bugs that affected 1.0.1 through 1.0.1c. + # + # We do this check only if the version and compiler flag checks are inconclusive, to + # minimize the chance for the test to break or give the wrong result somehow. + if not is_vulnerable(SSL): + return raise OpenSSLVersionError("refusing to use %s which may be vulnerable to security bugs.\n" "Please upgrade to OpenSSL 1.0.1g or later." % (openssl_version,)) -- 2.45.2