| Summary: | <net-misc/tor-2.4: uses weak cryptography | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Walter <walter> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | blueness, bugzie, mk |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Walter
2013-09-08 03:41:13 UTC
(In reply to Walter from comment #0)
> Need a version bump.
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Up in my nerd-cave, protectin' my secrets.
> 2. NSA spies on me.
> Actual Results:
> Nerd cave compromise.
>
> Expected Results:
> Nerd cave remains 100% sterile.
>
> Equally affects treehouses and other forms of above ground dwelling.

I'm as paranoid as you, and I have a close eye on upstream. However, as of right now, the tor team is still distributing 0.2.3.25 as the current stable and has issued a call for 0.2.4.17-rc testing [1]. My understanding is that >= 0.2.4.17 is being fast tracked because of suspected botnet usage of tor [2]. This is mitigated by the new NTor circuit level handshake [3]. Ping back this bug when you see >= 0.2.4.17 being pushed as the upstream stable if I don't beat you to it.

Refs.
[1] https://www.torproject.org/download/download.html.en
[2] https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients
[3] https://gitweb.torproject.org/tor.git/blob/refs/tags/tor-0.2.4.17-rc:/ChangeLog#l769

This sounds more like sec hardening than an actual CVE-worthy issue to me.

(In reply to Chris Reffett from comment #2)
> This sounds more like sec hardening than an actual CVE-worthy issue to me.

I agree. Upstream is very vibrant and they'll push out a CVE if it's CVE-worthy. Nonetheless, for people using tor and *expecting* anonymity, every flaw is important. My pessimistic guess is, though, that gov't agencies around the world, like the NSA, just record all the encrypted traffic they can today and will wait into the future when it's crackable.

I feel so ... vulnerable.

All <2.4 ebuilds are off the tree.

Don't close security bugs, please. @security, please vote.

GLSA vote: no.

GLSA Vote: No

No GLSA - Closing Bug as Resolved