| Summary: | <net-misc/tor-0.2.2.34 TLS Certificate Reuse User De-Anonymisation Security Issue (CVE-2011-{2768,2769}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | blueness, chiiph |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://secunia.com/advisories/46634/ | ||
| Whiteboard: | B4 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Agostino Sarubbo
2011-10-28 14:06:14 UTC
@arch teams. Please emergency stabilize tor-0.2.2.34.ebuild. Thanks Tony. (In reply to comment #1) > @arch teams. Please emergency stabilize tor-0.2.2.34.ebuild. target KEYWORDS : "amd64 arm ppc ppc64 sparc x86" and why bsd in CC? amd64: pass amd64 : Ok (Haven't really thorougly tested build phase (-doc -hardened), just running it as client, relay and bridge and new defaults seems to work as expected). amd64 done. Thanks Elijah and Tomas Please, modify the tor-0.2.2.34.ebuild to add dependence of net-proxy/tsocks. If you upgrade to tor-0.2.2.34 and then make a --depclean, net-proxy/tsocks will be removed and torify no longer works: /usr/bin/torify: Can't find either tsocks or torsocks in your PATH. Perhaps you haven't installed either? Thanks. (In reply to comment #6) > Please, modify the tor-0.2.2.34.ebuild to add dependence of net-proxy/tsocks. > If you upgrade to tor-0.2.2.34 and then make a --depclean, net-proxy/tsocks > will be removed and torify no longer works: > > /usr/bin/torify: Can't find either tsocks or torsocks in your PATH. Perhaps you > haven't installed either? > > Thanks. Or stabilize net-proxy/torsocks and make tor-0.2.2.34 depending on it. (In reply to comment #7) > (In reply to comment #6) > > Please, modify the tor-0.2.2.34.ebuild to add dependence of net-proxy/tsocks. > > If you upgrade to tor-0.2.2.34 and then make a --depclean, net-proxy/tsocks > > will be removed and torify no longer works: > > > > /usr/bin/torify: Can't find either tsocks or torsocks in your PATH. Perhaps you > > haven't installed either? > > > > Thanks. > > Or stabilize net-proxy/torsocks and make tor-0.2.2.34 depending on it. This is a different issue and you should open a different bug for it, but that's okay for now. I will submit a stablereq for torsocks, but tsocks is out. x86 stable arm/sparc stable ppc done ppc64 ping. i'd like to remove the older vulnerable version which is the only stable ppc64 ebuild for tor. Sorry ppc64, I didn't feel comfortable leaving an exploitable ebuild on the tree any longer. I've removed tor-0.2.1.30.ebuild. There are currently no stable tor ebuilds on ppc64. ppc64 stable, last arch done added vote request. Thanks, folks. Given the package, GLSA Vote: yes. I included this in the GLSA for 394969. CVE-2011-2769 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2769): Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE and CREATE_FAST values in the Command field of a cell within an OR connection that it initiated, which allows remote relays to enumerate bridges by using these values. CVE-2011-2768 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2768): Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by reading this chain and then determining the set of entry guards that the client or bridge had selected. This issue was resolved and addressed in GLSA 201201-12 at http://security.gentoo.org/glsa/glsa-201201-12.xml by GLSA coordinator Sean Amoss (ackle). |
