| Summary: | <net-misc/tor-0.2.1.22: Multiple vulnerabilities (CVE-2010-{0383,0385}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Marshall Banana <JackyRyan> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | fauli, humpback, krinpaus |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| URL: | http://archives.seul.org/or/talk/Jan-2010/msg00161.html | | |
| Whiteboard: | B4? [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Marshall Banana
2010-01-21 11:44:54 UTC
*** Bug 301703 has been marked as a duplicate of this bug. ***

(In reply to comment #0)
> the latest version of tor is 0.2.1.22, whereas the latest version in portage is
> 0.2.1.20-r1...

Keywords in /keeps/gentoo/cvs/gentoo-x86 for net-misc/tor:

```
            | alpha amd64 amd64-fbsd arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc sparc-fbsd x86 x86-fbsd
------------+--------------------------------
0.2.1.19-r2 | + + + + + ~
0.2.1.20-r1 | ~ ~ ~ ~ ~ ~
0.2.1.21    | ~ ~ ~ ~ ~ ~
```

```
# ChangeLog for net-misc/tor
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/net-misc/tor/ChangeLog,v 1.190 2010/01/16 11:14:46 fauli Exp $

*tor-0.2.1.21 (16 Jan 2010)

  16 Jan 2010; Christian Faulhammer <fauli@gentoo.org> +tor-0.2.1.21.ebuild:
  version bump, bug 301169 by Tim O'Kelly <bugs_gentoo_org DOT Tim_OKelly AT neverbox DOT org>
```

Please note the email from Tor developer Roger Dingledine dated Wed, 20 Jan 2010:

Subject: Tor Project infrastructure updates in response to security breach

Link to the above email: http://archives.seul.org/or/talk/Jan-2010/msg00161.html

Due to the breach of the Tor project's three servers in January, the "Tor Project" advises users "should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha".

Perhaps the severity of this bug should be increased from normal, also.

Seems to be security related. And it justifies an instant stabilisation.

Arches, please stabilise net-misc/tor-0.2.1.22

x86 stable

ppc64 done

sparc stable

amd64 stable

Marked ppc stable.

CVE-2010-0383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0383): Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses deprecated identity keys for certain directory authorities, which makes it easier for man-in-the-middle attackers to compromise the anonymity of traffic sources and destinations.

CVE-2010-0385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0385): Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when functioning as a bridge directory authority, allows remote attackers to obtain sensitive information about bridge identities and bridge descriptors via a dbg-stability.txt directory query.

GLSA vote: NO.

NO too, closing.
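An added example, not code from this bug, from Gentoo or from the Tor project: a small Python checker that parses Tor-style ("0.2.2.6-alpha") and Gentoo ebuild-style ("0.2.1.20-r1", "0.2.2.6_alpha") version strings and reports whether a version falls inside the affected ranges stated in the two CVE entries above. The accepted status tags and the `_VERSION_RE` pattern are assumptions made for this example.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in the CVE-2010-0383 / CVE-2010-0385 entries:
# "Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha".
FIXED_MAIN = (0, 2, 1, 22)     # first fixed release for everything up to 0.2.1.x
ALPHA_SERIES = (0, 2, 2, 0)    # start of the 0.2.2.x development series
FIXED_ALPHA = (0, 2, 2, 7)     # first fixed 0.2.2.x release (0.2.2.7-alpha)

# Assumption for this example: Tor status tags and Gentoo-style "_tag"/"-rN"
# suffixes are the only decorations that follow the four numeric components.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)\.(\d+)"                  # major.minor.micro.patch
    r"(?:[-_](?P<tag>alpha|beta|pre|rc|dev)\d*)?"   # optional status tag
    r"(?:-r(?P<rev>\d+))?$"                         # optional Gentoo revision
)


def parse_tor_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the numeric 4-tuple of a version string, or None if unparseable."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        return None
    major, minor, micro, patch = (int(x) for x in m.groups()[:4])
    return (major, minor, micro, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if in an affected range, False if fixed, None if unparseable."""
    v = parse_tor_version(version)
    if v is None:
        return None
    # 0.2.2.x is fixed from 0.2.2.7-alpha; every earlier 0.2.2.x build (alphas
    # included) is affected. Numeric comparison suffices because both fix
    # thresholds sit on patch levels of their own.
    if ALPHA_SERIES <= v < FIXED_ALPHA:
        return True
    # Everything else (0.2.1.x, 0.2.0.x and older) is fixed from 0.2.1.22 on.
    return v < FIXED_MAIN


def triage(versions: List[str]) -> List[Tuple[str, str]]:
    """Label each version string as 'affected', 'fixed' or 'unparseable'."""
    labels = {True: "affected", False: "fixed", None: "unparseable"}
    return [(v, labels[is_affected(v)]) for v in versions]


if __name__ == "__main__":
    # Constructed sample: the ebuild versions from the keyword table above plus
    # the two releases the Tor project told users to upgrade to.
    sample = ["0.2.1.19-r2", "0.2.1.20-r1", "0.2.1.21", "0.2.1.22",
              "0.2.2.6_alpha", "0.2.2.7-alpha", "not-a-version"]
    for version, verdict in triage(sample):
        print(f"{version:16} {verdict}")
```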