Summary: | <net-misc/tor-0.2.0.34: Multiple vulnerabilities (CVE-2009-{0936,0937,0938,0939}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Christian Faulhammer (RETIRED) <fauli> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | fauli, humpback, jesse, svrmarty |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://blog.torproject.org/blog/tor-0.2.0.34-stable-released | ||
Whiteboard: | B3 [glsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Christian Faulhammer (RETIRED)
2009-02-13 10:13:49 UTC
Ebuild in the tree, arches please mark net-misc/tor-2.0.33 stable. Jesse, thanks for your notice...please open a new bug if you find a new issue. Security...my draft for the GLSA is now obsolete, as this bug should be handled there, too. And by the way, bugs should be filed with a full package atom cat-egory/package to make search easier. :)

Of course I mean 0.2.0.34.

Sparc stable.

ppc64 done

ppc done

This only looks like Denial of Service issues, so rating B3.

Can someone help me understand what the "Bugfix on 0.2.0.8-alpha" etc. parts mean? Is that the version the bug was introduced?

amd64/x86 stable, all arches done.

(In reply to comment #7)
> amd64/x86 stable, all arches done.

all vulnerable versions removed, please proceed for GLSA voting. I would vote "no" because these bugs can not be easily triggered, they are close to "client-side DoS, triggered by a malicious server or relay", which does not deserve a GLSA as for me.

It's easy to combine with existing GLSA draft and the exit node issue is a daemon crash. Furthermore, note that inserting malicious nodes into the network is easier than in server-client models. YES

It's very easy to set up a server! Voting YES, too.

ok (yes-glsa)

(In reply to comment #12)
> ok (yes-glsa)

Robert, do you want me to rework my GLSA draft or will you add these new vulnerabilities?

We'll edit this in GLSAmaker, but you sure can sign up for an account :-)

GLSA 200904-11