Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 96359

Summary: <=tor-0.1.0.10 contains a security flaw
Product: Gentoo Security Reporter: Richard Freeman <rich0>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
Whiteboard:
Package list:
Runtime testing required: ---

Description Richard Freeman gentoo-dev 2005-06-17 03:43:52 UTC 
The following email was sent on the tor-announce mailing list:

Hi folks,

The Tor 0.1.0.10 release from a few days ago includes a fix for a bug
that might allow an attacker to read arbitrary memory (maybe even keys)
from an exit server's process space. We haven't heard any reports of
exploits yet, but hey.

So, I recommend that you all upgrade to 0.1.0.10. :):)

If you absolutely cannot upgrade yet (for example if you're the Debian Tor
packager and your distribution is too stubborn to upgrade past libevent
1.0b, which has known crash bugs), I've included a patched tarball for
the old 0.0.9 series at:
http://tor.eff.org/dist/tor-0.0.9.10.tar.gz
http://tor.eff.org/dist/tor-0.0.9.10.tar.gz.asc

--Roger


No ebuild exists yet for the new release (which was only announced a day or two ago) - it may work with just a bump.  Also - there is a patch for the current version of tor (0.0.9.10) linked in the email above.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-06-17 03:56:03 UTC 

*** This bug has been marked as a duplicate of 96320 ***