I just received this from upstream:
Hi folks,
The Tor 0.1.0.10 release from a few days ago includes a fix for a bug that might allow an attacker to read arbitrary memory (maybe even keys) from an exit server's process space. We haven't heard any reports of exploits yet, but hey.
So, I recommend that you all upgrade to 0.1.0.10. :)
If you absolutely cannot upgrade yet (for example if you're the Debian Tor packager and your distribution is too stubborn to upgrade past libevent 1.0b, which has known crash bugs), I've included a patched tarball for the old 0.0.9 series at:
http://tor.eff.org/dist/tor-0.0.9.10.tar.gz
http://tor.eff.org/dist/tor-0.0.9.10.tar.gz.asc
--Roger
I'm working on the ebuild for the patched version and will be committing it soon as stable. When it is in the tree I'll post here so that a GLSA may be issued.
Version in portage fixed. Current keywords:
KEYWORDS="x86 ~ppc ~amd64 ~ppc64 ~sparc"
As x86 was the only version with a package marked as stable, I don't know what the other arches must do.
Thx Gustavo, this one is ready for GLSA decision.
Given the security nature of Tor, I tend to vote yes (make that half a yes). Gustavo: any hint whether this is public? Can we disclose it?
½ YES
*** Bug 96359 has been marked as a duplicate of this bug. ***
Opening
http://archives.seul.org/or/announce/Jun-2005/msg00001.html
It is a publicly available list, so I think yes, we can disclose it.
I would also give a half vote for yes, but I'll make it a full yes so that we get a result ;-)
Looks like other arches had stable versions before...
ppc and ppc64, pls test 0.0.9.10 and mark stable if possible
macos and ppc-macos, you had a stable version quite a while ago, pls have a look at 0.0.9.10 too
stable on ppc64
Stable on ppc.
GLSA 200406-18
ppc-macos: please test and mark stable to benefit from GLSA