Bug#: 102245
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Hanno Boeck <hanno@gentoo.org>

Filename | Description | Type | Creator | Created | Size
torrc.sample-0.1.0.14.patch | torrc.sample-0.1.0.14.patch | text/plain | Hanno Boeck | 2005-08-13 10:11 0000 | 1.08 KB
tor-0.1.0.14.ebuild | tor-0.1.0.14.ebuild | text/plain | Hanno Boeck | 2005-08-13 10:14 0000 | 1.25 KB
torrc.sample-0.1.0.14.patch | Patch with correct paths | text/plain | Hanno Boeck | 2005-08-13 10:15 0000 | 1.09 KB

Description:   Opened: 2005-08-12 07:56 0000
As http://archives.seul.org/or/announce/Aug-2005/msg00001.html says, there's an important security-update for tor (0.1.0.14).

------- Comment #1 From Tim Yamin (RETIRED) 2005-08-12 08:03:05 0000 -------
*** Bug 102246 has been marked as a duplicate of this bug. ***

------- Comment #2 From Sune Kloppenborg Jeppesen 2005-08-12 08:46:33 0000 -------
Full details at: http://archives.seul.org/or/announce/Aug-2005/msg00002.html 
 
Versions affected: stable versions up through 0.1.0.13 and experimental 
versions up through 0.1.1.4-alpha. 
 
Impact: Tor clients can completely lose anonymity, confidentiality, 
and data integrity if the first Tor server in their path is malicious. 
Specifically, if the Tor client chooses a malicious Tor server for 
her first hop in the circuit, that server can learn all the keys she 
negotiates for the rest of the circuit (or just spoof the whole circuit), 
and then read and/or modify all her traffic over that circuit. 
 
Solution: upgrade to at least Tor 0.1.0.14 or 0.1.1.5-alpha. 

------- Comment #3 From Hanno Boeck 2005-08-13 10:11:57 0000 -------
Created an attachment (id=65861) [details]
torrc.sample-0.1.0.14.patch

------- Comment #4 From Hanno Boeck 2005-08-13 10:14:31 0000 -------
Created an attachment (id=65862) [details]
tor-0.1.0.14.ebuild

Updated ebuild, changes:
- libevent dependency (libevent-1.1a is not stable on all archs)
- Ported torrc-patch

------- Comment #5 From Hanno Boeck 2005-08-13 10:15:04 0000 -------
Created an attachment (id=65863) [details]
Patch with correct paths

------- Comment #6 From Gustavo Felisberto 2005-08-14 15:31:23 0000 -------
I'm adding to portage now as x86 and amd64. Now we need ppc ppc64 sparc.

------- Comment #7 From Stefan Cornelius (RETIRED) 2005-08-14 15:44:24 0000 -------
Arches, please test tor-0.1.0.14 and mark stable. Note the dependency to
libevent-1.1a that needs to be stabled on some arches, too. Thanks!

------- Comment #8 From Matteo Spreafico 2005-08-15 05:46:23 0000 -------
This is a duplicate of Bug 97141

------- Comment #9 From Markus Rothe 2005-08-15 05:56:31 0000 -------
stable on ppc64

------- Comment #10 From Michael Hanselmann (hansmi) (RETIRED) 2005-08-15 06:12:04 0000 -------
Stable on ppc.

------- Comment #11 From Jason Wever (RETIRED) 2005-08-15 19:38:46 0000 -------
Stable on SPARC. 

------- Comment #12 From Thierry Carrez (RETIRED) 2005-08-22 00:50:38 0000 -------
Ready for GLSA vote. I vote yes.

------- Comment #13 From Sune Kloppenborg Jeppesen 2005-08-23 00:20:10 0000 -------
I tend to vote YES. 

------- Comment #14 From Tavis Ormandy (RETIRED) 2005-08-23 01:13:24 0000 -------
also vote YES

------- Comment #15 From Sune Kloppenborg Jeppesen 2005-08-24 22:20:59 0000 -------
GLSA 200508-16 
