From ${URL} : A bug was found in src/or/buffers.c::parse_socks(), where escaped() function on the request address is used rather than escaped_safe_str_client(). When a socks5 client application sends a request with a malformed hostname, the full hostaname is logged, while rejecting the connection, instead of logging [scrubbed] name, respecting the SafeLogging configuration. Upstream patch: https://gitweb.torproject.org/tor.git/commit/?id=19df037e53331ae528b876f225be08f198e0f8b6 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
this is an old but which has long been fixed.
(In reply to Anthony Basile from comment #1) > this is an old but which has long been fixed. since security is running around p.masking stuff, let me put it very cleary that THIS IS LONG FIXED. Don't p.mask.
Fix has been confirmed to be in the =net-misc/tor-0.2.7.6 source. 1826 log_warn(LD_PROTOCOL, 1827 "Your application (using socks5 to port %d) gave Tor " 1828 "a malformed hostname: %s. Rejecting the connection.", 1829 req->port, escaped_safe_str_client(req->address)); 1830 return -1; 1831 } GLSA Vote: No