On Mon, Jan 6, 2014 at 2:04 PM, Lukas Tribus <luky-37@hotmail.com> wrote:
> Hi,
>
>
>> It does not look like 1.0.1f changed the default behavior of
>> ENGINE_rdrand (coderman's been following it).
>
> Yes it did, rdrand is no longer enabled by default. Here [1] is
> the backport in the OpenSSL_1_0_1-stable head [2].
>
> At least Debian [3] and Ubuntu backported this as well.


OpenSSL makes ZERO mention of this fix anywhere in the 1.0.1f release
itself, only the git history itself provides clue. Tor released an
update to intentionally work around this issue with notice to relay
and hidden service operators who may have been affected; Debian and
Ubuntu disabled via backport, and explicitly called this out in their
security errata (thank you all!).

however, debian and ubuntu neglected to mention packages that may have
been affected by generating long lived keys during a vulnerable
configuration (boo!).

in any case, end result: use 1.0.1f and be happy


best regards,

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx