From secunia security advisory at $URL: Description: The security issue is caused due to clients reusing the TLS certificate on certain connections. This can be exploited to e.g. fingerprint and de-anonymise a user by e.g. using the user's certificate identity key to probe various guard relays to determine whether or not the user is connected to them. Solution: Update to version 0.2.2.34.
@arch teams. Please emergency stabilize tor-0.2.2.34.ebuild.
Thanks Tony. (In reply to comment #1) > @arch teams. Please emergency stabilize tor-0.2.2.34.ebuild. target KEYWORDS : "amd64 arm ppc ppc64 sparc x86" and why bsd in CC?
amd64: pass
amd64 : Ok (Haven't really thorougly tested build phase (-doc -hardened), just running it as client, relay and bridge and new defaults seems to work as expected).
amd64 done. Thanks Elijah and Tomas
Please, modify the tor-0.2.2.34.ebuild to add dependence of net-proxy/tsocks. If you upgrade to tor-0.2.2.34 and then make a --depclean, net-proxy/tsocks will be removed and torify no longer works: /usr/bin/torify: Can't find either tsocks or torsocks in your PATH. Perhaps you haven't installed either? Thanks.
(In reply to comment #6) > Please, modify the tor-0.2.2.34.ebuild to add dependence of net-proxy/tsocks. > If you upgrade to tor-0.2.2.34 and then make a --depclean, net-proxy/tsocks > will be removed and torify no longer works: > > /usr/bin/torify: Can't find either tsocks or torsocks in your PATH. Perhaps you > haven't installed either? > > Thanks. Or stabilize net-proxy/torsocks and make tor-0.2.2.34 depending on it.
(In reply to comment #7) > (In reply to comment #6) > > Please, modify the tor-0.2.2.34.ebuild to add dependence of net-proxy/tsocks. > > If you upgrade to tor-0.2.2.34 and then make a --depclean, net-proxy/tsocks > > will be removed and torify no longer works: > > > > /usr/bin/torify: Can't find either tsocks or torsocks in your PATH. Perhaps you > > haven't installed either? > > > > Thanks. > > Or stabilize net-proxy/torsocks and make tor-0.2.2.34 depending on it. This is a different issue and you should open a different bug for it, but that's okay for now. I will submit a stablereq for torsocks, but tsocks is out.
x86 stable
arm/sparc stable
ppc done
ppc64 ping. i'd like to remove the older vulnerable version which is the only stable ppc64 ebuild for tor.
Sorry ppc64, I didn't feel comfortable leaving an exploitable ebuild on the tree any longer. I've removed tor-0.2.1.30.ebuild. There are currently no stable tor ebuilds on ppc64.
ppc64 stable, last arch done
added vote request.
Thanks, folks. Given the package, GLSA Vote: yes.
I included this in the GLSA for 394969.
CVE-2011-2769 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2769): Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE and CREATE_FAST values in the Command field of a cell within an OR connection that it initiated, which allows remote relays to enumerate bridges by using these values. CVE-2011-2768 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2768): Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by reading this chain and then determining the set of entry guards that the client or bridge had selected.
This issue was resolved and addressed in GLSA 201201-12 at http://security.gentoo.org/glsa/glsa-201201-12.xml by GLSA coordinator Sean Amoss (ackle).
