Bug 518654 (CVE-2014-5117)

Summary: <net-misc/tor-0.2.4.23: potential for traffic-confirmation attacks (CVE-2014-5117)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: blueness
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-07-31 09:46:15 UTC
CVE-2014-5117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5117):
  Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit 
  after an inbound RELAY_EARLY cell is received by a client, which makes 
  it easier for remote attackers to conduct traffic-confirmation attacks 
  by using the pattern of RELAY and RELAY_EARLY cells as a means of communicating 
  information about hidden service names.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
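The CVE text above says the flaw is that a client keeps a circuit alive after it receives an inbound RELAY_EARLY cell, so the alternating RELAY / RELAY_EARLY pattern chosen by a relay is delivered intact and becomes a side channel. The following is an added illustration written for this bug page, not Tor's source code: it models a client-side cell handler in two modes, the vulnerable one that keeps the circuit open, and the hardened one that closes the circuit on the first inbound RELAY_EARLY, so the tagged pattern never reaches the application layer. The cell names RELAY and RELAY_EARLY are Tor protocol terms; the `ClientCellHandler` class, the `close_on_inbound_relay_early` flag and the sample cell sequence are constructed for this example.

```python
"""Simplified model of a Tor client's handling of inbound RELAY_EARLY cells.

Added example for Gentoo bug 518654 (CVE-2014-5117); this is not Tor's code.
Only the cell type names are taken from the Tor protocol. Everything else
(the classes, the flag and the sample sequence) is constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RELAY = "RELAY"
RELAY_EARLY = "RELAY_EARLY"

# Constructed sample: a relay that alternates cell types to encode a pattern.
SAMPLE_CELLS: List[Tuple[str, str]] = [
    (RELAY, "a"),
    (RELAY_EARLY, "b"),
    (RELAY, "c"),
    (RELAY_EARLY, "d"),
]


@dataclass
class Circuit:
    circ_id: int
    open: bool = True
    delivered: List[str] = field(default_factory=list)   # payloads passed upward
    seen_types: List[str] = field(default_factory=list)  # cell types observed
    close_reason: Optional[str] = None


class ClientCellHandler:
    """Inbound cell processing at the client end of a circuit.

    close_on_inbound_relay_early=False models the behaviour described in the
    CVE (circuit is kept); True models the hardened behaviour where a client
    treats an inbound RELAY_EARLY as a protocol violation and tears down the
    circuit.
    """

    def __init__(self, close_on_inbound_relay_early: bool) -> None:
        self.close_on_inbound_relay_early = close_on_inbound_relay_early

    def handle_inbound(self, circ: Circuit, cell_type: str, payload: str) -> bool:
        """Process one inbound cell; return True if its payload was delivered."""
        if not circ.open:
            return False  # nothing is delivered on a closed circuit
        if cell_type not in (RELAY, RELAY_EARLY):
            raise ValueError(f"unexpected cell type {cell_type!r}")
        circ.seen_types.append(cell_type)
        if cell_type == RELAY_EARLY and self.close_on_inbound_relay_early:
            # RELAY_EARLY is only meaningful outbound (for circuit extension);
            # an inbound one at the client carries no legitimate purpose, so
            # the hardened client drops the circuit instead of keeping it.
            circ.open = False
            circ.close_reason = "inbound RELAY_EARLY received at client"
            return False
        circ.delivered.append(payload)
        return True


def run_sequence(handler: ClientCellHandler,
                 cells: List[Tuple[str, str]]) -> Circuit:
    """Feed a cell sequence to the handler on a fresh circuit; return the circuit."""
    circ = Circuit(circ_id=1)
    for cell_type, payload in cells:
        handler.handle_inbound(circ, cell_type, payload)
    return circ


def leaked_pattern(circ: Circuit) -> str:
    """Cell-type pattern that reached the client, as a bit string (E=1, R=0)."""
    return "".join("1" if t == RELAY_EARLY else "0" for t in circ.seen_types)


if __name__ == "__main__":
    vulnerable = run_sequence(ClientCellHandler(False), SAMPLE_CELLS)
    hardened = run_sequence(ClientCellHandler(True), SAMPLE_CELLS)
    print("vulnerable: delivered", vulnerable.delivered,
          "pattern", leaked_pattern(vulnerable), "open", vulnerable.open)
    print("hardened:   delivered", hardened.delivered,
          "pattern", leaked_pattern(hardened), "open", hardened.open,
          "reason", hardened.close_reason)
```

Running the module shows the difference the fix makes: in the vulnerable mode all four payloads are delivered and the full `0101` pattern is observable on the circuit, while in the hardened mode only the first RELAY payload is delivered, the circuit is closed with a reason, and at most a single RELAY_EARLY is ever observed, which is why the pattern stops being usable as a channel. An inbound RELAY_EARLY at a client is also a useful thing to log, since it has no legitimate purpose in that direction.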
Comment 1 Anthony Basile gentoo-dev 2014-07-31 11:47:50 UTC
It should be ready. I've been testing it for about 1 day.

@arches, please stabilize =net-misc/tor-0.2.4.23

KEYWORDS="amd64 arm ppc ppc64 sparc x86"


I'll do arm, ppc and ppc64 in a minute.
Comment 2 Anthony Basile gentoo-dev 2014-07-31 12:33:10 UTC
Stable on arm, ppc and ppc64 with a run test + network.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-07-31 19:59:14 UTC
CVE-2014-5117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5117):
  Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after
  an inbound RELAY_EARLY cell is received by a client, which makes it easier
  for remote attackers to conduct traffic-confirmation attacks by using the
  pattern of RELAY and RELAY_EARLY cells as a means of communicating
  information about hidden service names.
Comment 4 Agostino Sarubbo gentoo-dev 2014-08-02 12:42:16 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-08-02 12:44:20 UTC
x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2014-08-04 18:33:52 UTC
sparc stable
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-08-05 00:11:26 UTC
Arches, thank you for your work.
Maintainer(s), please drop the vulnerable version.

GLSA Vote: No
Comment 8 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-25 20:26:06 UTC
GLSA Vote: No
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2014-09-16 00:17:15 UTC
Maintainer(s), thank you for the cleanup!

Closing noglsa