
Bug 621360 (CVE-2017-0375, CVE-2017-0376)

Summary: <net-vpn/tor-0.3.0.8: multiple vulnerabilities (CVE-2017-{0375,0376})
Product: Gentoo Security
Reporter: Michael Boyle <boylemic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: arthur, blueness, tsmksubc
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://blog.torproject.org/blog/tor-0308-released-fix-hidden-services-also-are-02429-02514-02612-0278-02814-and-02911
Whiteboard: B3 [noglsa cve]
Package list:
net-vpn/tor-0.3.0.8
Runtime testing required: ---

Description Michael Boyle 2017-06-10 00:52:46 UTC
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the connection_edge_process_relay_cell function via a BEGIN_DIR cell on a rendezvous circuit. 

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the relay_send_end_cell_from_edge_ function via a malformed BEGIN cell.
Comment 1 Anthony Basile gentoo-dev 2017-06-10 15:37:35 UTC
I just added 0.3.0.8 and it should be good for rapid stabilization:

KEYWORDS="amd64 arm ppc ppc64 sparc x86"
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-10 16:26:03 UTC
@ Arches,

please test and mark stable: =net-vpn/tor-0.3.0.8
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-10 17:11:55 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-12 12:55:28 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-13 12:36:05 UTC
ppc64 stable
Comment 6 Markus Meier gentoo-dev 2017-06-13 18:23:51 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:04:26 UTC
ppc stable
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2017-07-02 01:39:17 UTC
sparc please continue stabilization.

GLSA Vote: No

New GLSA on Regression in guard family avoidance as depends.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 21:57:57 UTC
sparc was dropped to exp profile.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 21:58:19 UTC
@maintainer(s), please cleanup.
Comment 11 Anthony Basile gentoo-dev 2017-09-10 22:55:36 UTC
(In reply to Aaron Bauman from comment #10)
> @maintainer(s), please cleanup.

done
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-09-10 23:02:26 UTC
(In reply to Anthony Basile from comment #11)
> (In reply to Aaron Bauman from comment #10)
> > @maintainer(s), please cleanup.
> 
> done

Thanks, Doc!