Tor upstream developers sent a mail on the or-announce@freehaven.net announcing a vulnerability in: All versions of Tor in the 0.1.0.x series earlier than 0.1.0.18. All versions of Tor in the 0.1.1.x series earlier than 0.1.1.23. The experimental snapshot 0.1.2.1-alpha-cvs. (message-id <20060829092939.GO4355@moria.seul.org>) The vulnerability allows clients to be used as intermediate routing nodes, "stealing" traffic from users which have configured tor as being only a client. In Gentoo portage tree, the following versions are vulnerable: tor-0.1.0.14-r1 tor-0.1.0.16.ebuild tor-0.1.0.17.ebuild tor-0.1.1.20.ebuild tor-0.1.1.22.ebuild tor 0.1.0.18 should also be added to the portage tree for users of the 0.1.0 branch.
URL of the Tor security advisory: http://archives.seul.org/or/announce/Aug-2006/msg00001.html
I just added 0.1.0.18 to the tree. This version and 0.1.1.23 must be marked stable to close this issue. 0.1.0.* is the older still maintained version and 0.1.1.* is the new branch. I did not add x86-fbsd to the CC list because it is not in the list.
Thanks Gustavo > > I did not add x86-fbsd to the CC list because it is not in the list. > BTW, x86-fbsd have no stable version so no need to do anything for them. arches you can test 0.1.0.18 and 0.1.1.23 and mark them stable if appropriate, thanks
Accepting bug.
ppc stable
ppc64 stable
0.1.1.23 1) emerges fine 2) passes collision test 3) passes test suite 4) works 0.1.0.18 1) emerges fine 2) passes collision test 3) passes test suite 4) works Portage 2.1-r2 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-gentoo-r7 i686) ================================================================= System uname: 2.6.17-gentoo-r7 i686 AMD Athlon(tm) XP 2500+ Gentoo Base System version 1.12.4 app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-O2" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage" USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
0.1.0.18 1) emerges fine 2) passes multilib-strict test 3) passes collision test 4) passes test suite 5) works 0.1.1.23 1) emerges fine 2) passes multilib-strict test 3) passes collision test 4) passes test suite 5) works Portage 2.1-r2 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-reiser4-r6 x86_64) ================================================================= System uname: 2.6.17-reiser4-r6 x86_64 AMD Athlon(tm) 64 Processor 3000+ Gentoo Base System version 1.12.4 ccache version 2.3 [enabled] app-admin/eselect-compiler: [Not Present] dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.3 dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo" CXXFLAGS="-march=k8 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-test distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ " LANG="en_US@euro" LC_ALL="en_US@euro" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/stuff" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="amd64 X a52 aac acpi alsa asf avi berkdb bitmap-fonts bzip2 cdda cddb cdr cli crypt cups dbus dlloader dri dvd dvdr emboss encode expat foomaticdb fortran gif glut gpm gstreamer gtk gtk2 hal idn imagemagick imlib isdnlog jpeg lcms lirc lzw lzw-tiff mad mng mp3 mpeg musicbrainz ncurses nls nptl ogg opengl pam pcre pdflib perl php png pppd python quicktime readline reflection ruby sdl session spl ssl svg tcpd tiff truetype-fonts type1-fonts udev usb v4l v4l2 xine xinerama xorg xpm xv zlib elibc_glibc input_devices_evdev input_devices_keyboard input_devices_mouse kernel_linux lirc_devices_hauppauge userland_GNU video_cards_fglrx video_cards_radeon" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
x86 gone ^.^
so is amd64
sparc stable.
ok, ready for glep and closure.
This one is ready for GLSA vote.
Secunia talks about DoS (SA21708), but it's just a client DoS i vote no
Voting NO and closing. Feel free to reopen if you disagree.