Bug 754156 (TROVE-2020-005) - <net-vpn/tor-0.4.4.6: Possible weakness allowing traffic pattern observations of a relay
Status: RESOLVED FIXED
Alias: TROVE-2020-005
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://gitlab.torproject.org/tpo/cor...
Whiteboard: B4 [noglsa]
Reported: 2020-11-12 15:38 UTC by Sam James
Modified: 2021-02-20 19:39 UTC

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-12 15:38:51 UTC
"A security issue that could be used, under certain cases, by an adversary to observe traffic patterns on a limited number of circuits intended for a different relay."

From ChangeLog:
  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-12 15:39:29 UTC
Please bump to 0.4.3.7, 0.4.4.6. Already fixed in 0.4.5.1-alpha.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-18 01:10:48 UTC
Bumped in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6027dbb8151494521f2307372a2f843f502425c0.

Let us know when ready to stable?
Comment 3 Anthony Basile gentoo-dev 2020-11-21 00:12:45 UTC
(In reply to Sam James from comment #2)
> Bumped in
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=6027dbb8151494521f2307372a2f843f502425c0.
> 
> Let us know when ready to stable?

It should be good to go.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-11-21 18:16:07 UTC
x86 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-22 03:27:11 UTC
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-22 22:55:47 UTC
arm done
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-22 23:21:03 UTC
arm64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 00:49:24 UTC
ppc64 done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 00:58:14 UTC
ppc done

all arches done
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-23 00:58:43 UTC
Please cleanup, thanks!
Comment 11 Anthony Basile gentoo-dev 2020-11-26 17:21:37 UTC
(In reply to Sam James from comment #10)
> Please cleanup, thanks!

0.4.4.5 removed.
Comment 12 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-11-26 17:43:08 UTC
Thank you!
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2021-02-20 19:39:19 UTC
GLSA Vote: No

Repository is clean, all done!