
Bug 102245

Summary: net-misc/tor important security update
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: humpback, rockoo
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://archives.seul.org/or/announce/Aug-2005/msg00001.html
Whiteboard: B3 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments (description, flags):
- torrc.sample-0.1.0.14.patch (none)
- tor-0.1.0.14.ebuild (none)
- Patch with correct paths (none)

Description Hanno Böck gentoo-dev 2005-08-12 07:56:51 UTC
As http://archives.seul.org/or/announce/Aug-2005/msg00001.html says, there's an important security update for tor (0.1.0.14).
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2005-08-12 08:03:05 UTC
*** Bug 102246 has been marked as a duplicate of this bug. ***
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-12 08:46:33 UTC
Full details at: http://archives.seul.org/or/announce/Aug-2005/msg00002.html

Versions affected: stable versions up through 0.1.0.13 and experimental
versions up through 0.1.1.4-alpha.

Impact: Tor clients can completely lose anonymity, confidentiality,
and data integrity if the first Tor server in their path is malicious.
Specifically, if the Tor client chooses a malicious Tor server for
her first hop in the circuit, that server can learn all the keys she
negotiates for the rest of the circuit (or just spoof the whole circuit),
and then read and/or modify all her traffic over that circuit.

Solution: upgrade to at least Tor 0.1.0.14 or 0.1.1.5-alpha.
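The advisory quoted in the comment above gives two fixed versions, one per branch, so a plain "is my version older than 0.1.0.14" check misclassifies the experimental series. The following is an added example, not code from this bug or from the Tor or Gentoo projects: it parses a Tor version string (the `Tor version x.y.z.w.` output format of `tor --version` is an assumption) and reports whether it falls in the affected ranges stated in the advisory. The `check_installed` helper is hypothetical and only wraps that same check around the locally installed binary.

```python
# Added example: classify a Tor version against the affected ranges stated in
# the advisory for this bug (stable <= 0.1.0.13, experimental <= 0.1.1.4-alpha).
import re
import shutil
import subprocess

FIXED_STABLE = (0, 1, 0, 14)  # first fixed stable release: 0.1.0.14
FIXED_ALPHA = (0, 1, 1, 5)    # first fixed experimental release: 0.1.1.5-alpha

# Four numeric components, optionally followed by a suffix such as "-alpha".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?")


def parse_version(text):
    """Return ((major, minor, micro, patch), suffix) from a string that
    contains a Tor version, e.g. 'Tor version 0.1.0.13.' or '0.1.1.4-alpha'.
    The 'Tor version ...' output format is an assumption of this example."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tor version found in {text!r}")
    nums = tuple(int(x) for x in m.groups()[:4])
    return nums, m.group(5)


def is_affected(text):
    """True if the version described by `text` is within the affected ranges.

    Anything numerically below 0.1.0.14 is affected (this covers the stable
    branch and all older branches). The 0.1.1.x experimental branch sorts
    above 0.1.0.14, so it is compared against its own fix, 0.1.1.5-alpha."""
    nums, _suffix = parse_version(text)
    if nums < FIXED_STABLE:
        return True
    if nums[:3] == (0, 1, 1) and nums < FIXED_ALPHA:
        return True
    return False


def check_installed(binary="tor"):
    """Hypothetical helper: run the installed tor binary and classify it.
    Returns None when no tor binary is on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True,
                         text=True, check=False).stdout
    return is_affected(out)


if __name__ == "__main__":
    # Constructed sample strings, not output captured from a real system.
    for sample in ("Tor version 0.1.0.13.", "Tor version 0.1.0.14.",
                   "0.1.1.4-alpha", "0.1.1.5-alpha"):
        print(sample, "->", "AFFECTED" if is_affected(sample) else "fixed")
```

The branch-aware comparison matters because a naive tuple comparison would report 0.1.1.4-alpha as newer than the stable fix and therefore safe, which is exactly the opposite of what the advisory says.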
Comment 3 Hanno Böck gentoo-dev 2005-08-13 10:11:57 UTC
Created attachment 65861 [details]
torrc.sample-0.1.0.14.patch
Comment 4 Hanno Böck gentoo-dev 2005-08-13 10:14:31 UTC
Created attachment 65862 [details]
tor-0.1.0.14.ebuild

Updated ebuild, changes:
- libevent dependency (libevent-1.1a is not stable on all archs)
- Ported torrc-patch
Comment 5 Hanno Böck gentoo-dev 2005-08-13 10:15:04 UTC
Created attachment 65863 [details]
Patch with correct paths
Comment 6 Gustavo Felisberto (RETIRED) gentoo-dev 2005-08-14 15:31:23 UTC
I'm adding to portage now as x86 and amd64. Now we need ppc ppc64 sparc.
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-14 15:44:24 UTC
Arches, please test tor-0.1.0.14 and mark stable. Note the dependency to
libevent-1.1a that needs to be stabled on some arches, too. Thanks!
Comment 8 Matteo Spreafico 2005-08-15 05:46:23 UTC
This is a duplicate of Bug 97141
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2005-08-15 05:56:31 UTC
stable on ppc64
Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-15 06:12:04 UTC
Stable on ppc.
Comment 11 Jason Wever (RETIRED) gentoo-dev 2005-08-15 19:38:46 UTC
Stable on SPARC.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-08-22 00:50:38 UTC
Ready for GLSA vote. I vote yes.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-23 00:20:10 UTC
I tend to vote YES.
Comment 14 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-23 01:13:24 UTC
also vote YES
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-24 22:20:59 UTC
GLSA 200508-16