First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 258833
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Christian Faulhammer <fauli@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 258833 depends on: Show dependency tree
Bug 258833 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2009-02-13 10:13 0000 
Security fixes:
Fix an infinite-loop bug on handling corrupt votes under certain
      circumstances. Bugfix on 0.2.0.8-alpha.
Fix a temporary DoS vulnerability that could be performed by
      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
Avoid a potential crash on exit nodes when processing malformed
      input. Remote DoS opportunity. Bugfix on 0.2.0.33.
Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
      Spec conformance issue. Bugfix on Tor 0.0.2pre27.

------- Comment #1 From Christian Faulhammer 2009-02-13 10:35:19 0000 ------- 
Ebuild in the tree, arches please mark net-misc/tor-2.0.33 stable.  Jesse,
thanks for your notice...please open a new bug if you find a new issue. 
Security...my draft for the GLSA is now obsolete, as this bug should be handled
there, too.  And by the way, bugs should be filed with a full package atom
cat-egory/package to make search easier. :)

------- Comment #2 From Christian Faulhammer 2009-02-13 10:35:44 0000 ------- 
Of course I mean 0.2.0.34.

------- Comment #3 From Ferris McCormick 2009-02-13 14:43:48 0000 ------- 
Sparc stable.

------- Comment #4 From Brent Baude 2009-02-13 16:11:36 0000 ------- 
ppc64 done

------- Comment #5 From Brent Baude 2009-02-13 16:15:37 0000 ------- 
ppc done

------- Comment #6 From Robert Buchholz 2009-02-13 17:06:28 0000 ------- 
This only looks like Denial of Service issues, so rating B3. Can someone help
me understand what the "Bugfix on 0.2.0.8-alpha" etc. parts mean? Is that the
version the bug was introduced?

------- Comment #7 From Markus Meier 2009-02-15 11:05:04 0000 ------- 
amd64/x86 stable, all arches done.

------- Comment #8 From Christian Faulhammer 2009-02-19 14:15:33 0000 ------- 
(In reply to comment #7)
> amd64/x86 stable, all arches done.

 all vulnerable versions removed, please proceed for GLSA voting.

------- Comment #9 From Raphael Marichez 2009-02-22 00:00:50 0000 ------- 
i would vote "no" because these bugs can not be easily triggered, they are
close to "client-side DoS, triggered by a malicious server or relay", which
does not deserve a GLSA as for me.

------- Comment #10 From Robert Buchholz 2009-02-25 16:59:19 0000 ------- 
It's easy to combine with existing GLSA draft and the exit node issue is a
daemon crash. Furthermore, note that inserting malicious nodes into the network
is easer than in server-client models.
YES

------- Comment #11 From Stefan Behte 2009-02-26 22:25:28 0000 ------- 
It's very easy to set up a server!
Voting YES, too.

------- Comment #12 From Raphael Marichez 2009-03-01 14:00:42 0000 ------- 
ok (yes-glsa)

------- Comment #13 From Christian Faulhammer 2009-03-06 22:36:49 0000 ------- 
(In reply to comment #12)
> ok (yes-glsa)

 Robert, do you want me to rework my GLSA draft or will you add these new
vulnerabilites?

------- Comment #14 From Robert Buchholz 2009-03-07 00:20:05 0000 ------- 
We'll edit this in GLSAmaker, but you sure can sign up for an account :-)

------- Comment #15 From Robert Buchholz 2009-04-08 22:49:37 0000 ------- 
GLSA 200904-11
First Last Prev Next    No search results available      Search page      Enter new bug