Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 623370 (CVE-2017-0377)

Summary: <net-vpn/tor-0.3.0.10: Regression in guard family avoidance in 0.3.0 series
Product: Gentoo Security Reporter: ncl
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: arthur, blueness, sudormrfhalt
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://blog.torproject.org/blog/tor-0309-released-security-update-clients
See Also: https://bugs.gentoo.org/show_bug.cgi?id=621360
Whiteboard: B3 [noglsa cve]
Package list:
=net-vpn/tor-0.3.0.10
 Runtime testing required: Yes

Description ncl 2017-07-01 19:39:42 UTC 
Due to a regression in circuit-building logic in the tor-0.3.0 release, a guard and exit from the same family may be used in a single circuit.

https://trac.torproject.org/projects/tor/ticket/22753

Other fixes are made in this release as well.

https://blog.torproject.org/blog/tor-0309-released-security-update-clients

=net-vpn/tor-0.3.0.9 is already in the portage tree, but not yet stablized.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-07-17 01:36:17 UTC 
@maintainer, please call for stable when ready.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-08-27 21:36:35 UTC 
@arches, please stabilize.
Comment 3 Anthony Basile gentoo-dev 2017-08-27 23:37:11 UTC 
(In reply to Aaron Bauman from comment #2)
> @arches, please stabilize.

sorry missed this.  please stabilize =net-vpn/tor-0.3.0.10 which has been in the tree a while.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-09-04 00:27:34 UTC 
amd64/x86 stable
Comment 5 Markus Meier gentoo-dev 2017-09-05 04:39:53 UTC 
arm stable
Comment 6 Anthony Basile gentoo-dev 2017-09-19 10:41:52 UTC 
ppc64 stable.  there is a build failure for ppc.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-03 16:01:21 UTC 
ppc stable
Comment 8 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-03 16:06:09 UTC 
Thank you all,

@Security please vote.

Gentoo Security Padawan
ChrisADR
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 19:35:18 UTC 
GLSA Vote: No