"TROVE-2024-005 affects hidden service circuits using non-default vanguard configurations (where the vanguard mode is set to 'disabled' or 'full'), causing hidden service circuits to be built from circuit stubs that are incompatible with the circuit target, and to have an incorrect length. This bug is also tracked as issue #1424.

TROVE-2024-006 affects hidden services and clients using non-default vanguard configurations, where the vanguard mode is set to 'disabled', or that have the vanguards feature compiled out. In some circumstances, this bug can lead to building hidden service circuits that contain the same relay in multiple positions. This bug is also tracked as issue #1425.

Both issues can make users of this code more vulnerable to traffic analysis when running or accessing onion services."

Fixes in 1.2.4.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d014b48e4912dc287a3fe5f5d2be866a55874409

commit d014b48e4912dc287a3fe5f5d2be866a55874409
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-06-19 18:18:50 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2024-06-19 18:18:50 +0000

net-p2p/arti: drop 1.2.3

Bug: https://bugs.gentoo.org/934569
Signed-off-by: John Helmert III <ajak@gentoo.org>

net-p2p/arti/Manifest | 85 ------
net-p2p/arti/arti-1.2.3.ebuild | 602 -----------------------------------------
2 files changed, 687 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b74cdfaecf60999915fda90a00023773a0a1b83f

commit b74cdfaecf60999915fda90a00023773a0a1b83f
Author: John Helmert III <ajak@gentoo.org>
AuthorDate: 2024-06-19 18:18:26 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2024-06-19 18:18:26 +0000

net-p2p/arti: add 1.2.4

Bug: https://bugs.gentoo.org/934569
Signed-off-by: John Helmert III <ajak@gentoo.org>

net-p2p/arti/Manifest | 88 ++++++
net-p2p/arti/arti-1.2.4.ebuild | 605 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 693 insertions(+)