Bug 301701 - <net-misc/tor-0.2.1.22: Multiple vulnerabilities (CVE-2010-{0383,0385})
Summary: <net-misc/tor-0.2.1.22: Multiple vulnerabilities (CVE-2010-{0383,0385})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://archives.seul.org/or/talk/Jan-...
Whiteboard: B4? [noglsa]
Keywords:
Duplicates: 301703
Depends on:
Blocks:
 
Reported: 2010-01-21 11:44 UTC by Marshall Banana
Modified: 2010-03-05 21:25 UTC
See Also:
Package list:
Runtime testing required: ---
Description Marshall Banana 2010-01-21 11:44:54 UTC
The latest version of Tor is 0.2.1.22, whereas the latest version in Portage is 0.2.1.20-r1... a version bump would be appreciated :-)
Because of the patches a simple ebuild rename doesn't work...

Also, could I request an ebuild for the unstable version (currently 0.2.2.7-alpha)?

Reproducible: Always

Steps to Reproduce:
1. emerge tor
2. ...
3. no profit

Actual Results:  
install of tor-0.2.1.20-r1

Expected Results:  
install of tor-0.2.1.22
Comment 1 Marshall Banana 2010-01-21 11:49:48 UTC
*** Bug 301703 has been marked as a duplicate of this bug. ***
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-22 01:31:55 UTC
(In reply to comment #0)
> the latest version of tor is 0.2.1.22, whereas the latest version in portage is
> 0.2.1.20-r1...

Keywords in /keeps/gentoo/cvs/gentoo-x86 for net-misc/tor (arches without a keyword omitted):

            | amd64  ppc  ppc64  sparc  x86  x86-fbsd
------------+------------------------------------------
0.2.1.19-r2 |   +     +     +      +     +      ~
0.2.1.20-r1 |   ~     ~     ~      ~     ~      ~
0.2.1.21    |   ~     ~     ~      ~     ~      ~

# ChangeLog for net-misc/tor
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/tor/ChangeLog,v 1.190 2010/01/16 11:14:46 fauli Exp $

*tor-0.2.1.21 (16 Jan 2010)

  16 Jan 2010; Christian Faulhammer <fauli@gentoo.org> +tor-0.2.1.21.ebuild:
  version bump, bug 301169 by Tim O'Kelly <bugs_gentoo_org DOT Tim_OKelly AT
  neverbox DOT org>
Comment 3 Ken R 2010-01-22 03:25:23 UTC
Please note email from Tor developer Roger Dingledine dated Wed, 20 Jan 2010:
Subject: Tor Project infrastructure updates in response to security breach

Link to the above email:
http://archives.seul.org/or/talk/Jan-2010/msg00161.html

Due to the breach of the Tor project's three servers in January, the "Tor Project" advises users "should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha".

Perhaps the severity of this bug should be increased from normal, also.

Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-01-22 03:42:48 UTC
Seems to be security related.
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-22 08:20:43 UTC
And it justifies an instant stabilisation.

Arches, please stabilise net-misc/tor-0.2.1.22
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-22 10:49:33 UTC
x86 stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2010-01-22 18:35:19 UTC
ppc64 done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-01-30 19:04:55 UTC
sparc stable
Comment 9 Markus Meier gentoo-dev 2010-02-01 19:48:01 UTC
amd64 stable
Comment 10 Joe Jezak (RETIRED) gentoo-dev 2010-02-10 04:06:47 UTC
Marked ppc stable.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-05 08:31:54 UTC
CVE-2010-0383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0383):
  Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses
  deprecated identity keys for certain directory authorities, which
  makes it easier for man-in-the-middle attackers to compromise the
  anonymity of traffic sources and destinations.

CVE-2010-0385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0385):
  Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when
  functioning as a bridge directory authority, allows remote attackers
  to obtain sensitive information about bridge identities and bridge
  descriptors via a dbg-stability.txt directory query.
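
As an added illustration (not part of this bug report, and not Tor's or Gentoo's code), the affected range stated in the two CVE descriptions above ("before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha") expressed as a version check. The point it shows is the prerelease boundary: a tagged version such as 0.2.2.7-alpha must sort before the untagged 0.2.2.7, otherwise the 0.2.2.x fix line is evaluated wrongly. The tag ranking, the handling of Gentoo "-rN" revisions, and treating later branches (0.2.3 and up) as fixed are assumptions of this example.

```python
"""Check whether a Tor version string falls inside the range the
CVE-2010-0383 / CVE-2010-0385 text names as affected:
"before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha".
Added example; not Gentoo's or Tor's code."""
import re
from typing import Tuple

# Prerelease tags sort before the untagged release with the same
# numbers (0.2.2.7-alpha < 0.2.2.7).  The rank values are an
# assumption of this example, not a documented Tor ordering.
_TAG_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+){3})"      # four numeric components
    r"(?:-(?P<tag>alpha|beta|rc))?"    # optional upstream prerelease tag
    r"(?:-r\d+)?$"                     # optional Gentoo ebuild revision (ignored)
)

VersionKey = Tuple[Tuple[int, ...], int]


def parse_tor_version(text: str) -> VersionKey:
    """Turn '0.2.2.7-alpha' or '0.2.1.20-r1' into a sortable key.

    Raises ValueError for anything outside the grammar above, so a
    malformed input never silently compares as 'fixed'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tor version: {text!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    return nums, _TAG_RANK[m.group("tag")]


FIXED_STABLE = parse_tor_version("0.2.1.22")
FIXED_ALPHA = parse_tor_version("0.2.2.7-alpha")


def is_affected(text: str) -> bool:
    """True when the version is inside the advisory's affected range."""
    key = parse_tor_version(text)
    nums, _ = key
    if nums[:3] == (0, 2, 2):
        # 0.2.2.x development branch: fixed from 0.2.2.7-alpha onward.
        return key < FIXED_ALPHA
    # Every other line: fixed from 0.2.1.22 onward.  Treating later
    # branches (0.2.3+) as fixed is an assumption of this example.
    return key < FIXED_STABLE


if __name__ == "__main__":
    # Constructed sample inputs, including the versions named on this bug.
    for v in ["0.2.1.19-r2", "0.2.1.20-r1", "0.2.1.21", "0.2.1.22",
              "0.2.2.6-alpha", "0.2.2.7-alpha", "0.2.2.7"]:
        print(f"{v:14} affected={is_affected(v)}")
```

Feeding the installed version (for example the output of `tor --version`, after trimming it to the version token) to `is_affected` gives a yes/no answer that follows the advisory wording rather than a plain string comparison, which would misorder "0.2.2.7-alpha" against "0.2.2.7".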

Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-03-05 08:32:33 UTC
GLSA vote: NO.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-05 21:25:00 UTC
NO too, closing.