
#363 Openssl Heartbleed Bug and Retroshare

Milestone: v0.5.x
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-04-11
Created: 2014-04-10
Private: No

Hello, recently a critical bug in the heartbeat option of OpenSSL was found, dubbed the Heartbleed bug: http://heartbleed.com/

This is a severe bug present in OpenSSL 1.0.1 through 1.0.1f (inclusive). The bug allows an attacker to steal the private encryption key without needing any access privileges and without leaving a trace on the attacked system.

Among the thousands of websites using OpenSSL, which included Google and Yahoo, Bitcoin was also affected (http://www.heise.de/security/meldung/Bitcoin-Entwickler-schliessen-Heartbleed-Luecke-2167392.html), as is everyone using an OpenSSL library that was compiled with OpenSSL with -DOPENSSL_NO_HEARTBEATS and has versions 1.0.1 through 1.0.1f (inclusive).

RetroShare uses OpenSSL. This website, for example, claims (http://www.gulli.com/news/19797-anonymitaet-retroshare-und-i2p-mit-neuer-version-2012-09-24) that RetroShare version 0.5.4a_5582 uses OpenSSL version 1.0.1c.

For this reason, it is likely that RetroShare is affected by the Heartbleed bug.

A recent OpenSSL version that is not affected by the Heartbleed bug came out only two days ago.

If RetroShare is affected by the Heartbleed bug, I would strongly suggest that RetroShare be updated as soon as possible to remove this bug.
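The following shell script is an added example; it is not part of the ticket and not RetroShare's own code. It classifies an OpenSSL build against the affected range stated above (1.0.1 through 1.0.1f inclusive, fixed in 1.0.1g) from the strings that `openssl version` and `openssl version -f` print, and it applies the condition given in the correction further down in the discussion: a library in that version range is affected only if it was not built with -DOPENSSL_NO_HEARTBEATS. The function names, the constructed sample strings, and the assumption that a no-heartbeats build shows that define in the `openssl version -f` compiler flags are mine, not the project's.

```shell
#!/bin/sh
# Added example (not from the ticket or RetroShare): classify an OpenSSL build
# against the Heartbleed-affected range, 1.0.1 through 1.0.1f inclusive.

# Pull the bare version token ("1.0.1e", "1.0.2-beta1") out of a line such as
# "OpenSSL 1.0.1e 11 Feb 2013", the format `openssl version` prints.
# Prints nothing when no version token is found.
openssl_version_token() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-[A-Za-z0-9]*\)\{0,1\}\).*/\1/p'
}

# Map a version string to one of: affected | fixed | unaffected | unknown.
heartbleed_status() {
    ver=$(openssl_version_token "$1")
    case "$ver" in
        "")                           echo unknown ;;
        1.0.1|1.0.1[a-f])             echo affected ;;   # the range named in the ticket
        1.0.2-beta1)                  echo affected ;;   # the one 1.0.2 pre-release with the bug
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*) echo fixed ;;      # 1.0.1g (7 Apr 2014) and later
        0.9.*|1.0.0*)                 echo unaffected ;; # predates the heartbeat extension code
        *)                            echo unknown ;;
    esac
}

# Heuristic (assumption): a build configured without heartbeats carries
# -DOPENSSL_NO_HEARTBEATS in the compiler flags that `openssl version -f` prints.
heartbeats_compiled_out() {
    printf '%s\n' "$1" | grep -q 'OPENSSL_NO_HEARTBEATS'
}

# Combine both checks the way the ticket's correction states it: an in-range
# version is only affected if it was NOT built with -DOPENSSL_NO_HEARTBEATS.
# $1: `openssl version` output, $2: `openssl version -f` output.
assess_build() {
    status=$(heartbleed_status "$1")
    if [ "$status" = affected ] && heartbeats_compiled_out "$2"; then
        echo mitigated
    else
        echo "$status"
    fi
}

# Constructed sample strings (not real captures) so the script runs offline.
assess_build 'OpenSSL 1.0.1c 10 May 2012' 'compiler: gcc -O3'                          # affected
assess_build 'OpenSSL 1.0.1c 10 May 2012' 'compiler: gcc -DOPENSSL_NO_HEARTBEATS -O3'  # mitigated
assess_build 'OpenSSL 1.0.1g 7 Apr 2014'  'compiler: gcc -O3'                          # fixed
assess_build 'OpenSSL 0.9.8y 5 Feb 2013'  'compiler: gcc -O3'                          # unaffected

# Live check of the system library, if an openssl binary is on PATH.
if command -v openssl >/dev/null 2>&1; then
    echo "system: $(assess_build "$(openssl version)" "$(openssl version -f)")"
fi
```

Two caveats when using this on a RetroShare install: the library the RetroShare process actually loads may differ from the one the `openssl` command line tool reports, so on Linux `ldd` on the RetroShare binary is the way to see which libssl it links; and the Windows installer bundles its own OpenSSL DLLs, so a check of the system library says nothing about it. Because the bug leaves no trace on the attacked system, there is no log evidence to look for after the fact, which is why the question of rotating keys and certificates raised in the discussion matters.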

Discussion

  • Benjamin Schulz - 2014-04-10

    Sorry, the sentence "as is everyone using an Openssl library that was compiled with OpenSSL with -DOPENSSL_NO_HEARTBEATS and has the versions 1.0.1 through 1.0.1f (inclusive)."

    should read:

    "as is everyone using an Openssl library with versions 1.0.1 through 1.0.1f (inclusive) if the Openssl library was NOT compiled with the -DOPENSSL_NO_HEARTBEATS option."

  • Benjamin Schulz - 2014-04-10

    It seems that it is now confirmed that RetroShare is vulnerable:
    http://retroshare.sourceforge.net/forum/viewtopic.php?f=17&t=4031#p12260

    The Windows version of RetroShare ships with an OpenSSL library. Please update this installer to the newest OpenSSL version.

    You should also put a warning in the forums and on the RetroShare homepage that Linux users should update their OpenSSL.

    Finally, it should be investigated whether all RetroShare users have to generate new certificates and identities and reconnect to each other's friends with their new identities. If that is the case, a warning should be issued in the forums and on the RetroShare homepage.

  • Benjamin Schulz - 2014-04-11

    The Windows installer got a new version, so the ticket can be closed.
