Bug 102245 - net-misc/tor important security update
Summary: net-misc/tor important security update
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://archives.seul.org/or/announce/...
Whiteboard: B3 [glsa] jaervosz
Keywords:
Duplicates: 102246
Depends on:
Blocks:
 
Reported: 2005-08-12 07:56 UTC by Hanno Böck
Modified: 2005-08-24 22:20 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
- torrc.sample-0.1.0.14.patch (1.08 KB, text/plain), 2005-08-13 10:11 UTC, Hanno Böck
- tor-0.1.0.14.ebuild (1.25 KB, text/plain), 2005-08-13 10:14 UTC, Hanno Böck
- Patch with correct paths (torrc.sample-0.1.0.14.patch, 1.09 KB, text/plain), 2005-08-13 10:15 UTC, Hanno Böck

Description Hanno Böck gentoo-dev 2005-08-12 07:56:51 UTC
As http://archives.seul.org/or/announce/Aug-2005/msg00001.html says, there's an important security update for tor (0.1.0.14).
Comment 1 Tim Yamin (RETIRED) gentoo-dev 2005-08-12 08:03:05 UTC
*** Bug 102246 has been marked as a duplicate of this bug. ***
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-12 08:46:33 UTC
Full details at: http://archives.seul.org/or/announce/Aug-2005/msg00002.html 
 
Versions affected: stable versions up through 0.1.0.13 and experimental 
versions up through 0.1.1.4-alpha. 
 
Impact: Tor clients can completely lose anonymity, confidentiality, 
and data integrity if the first Tor server in their path is malicious. 
Specifically, if the Tor client chooses a malicious Tor server for 
her first hop in the circuit, that server can learn all the keys she 
negotiates for the rest of the circuit (or just spoof the whole circuit), 
and then read and/or modify all her traffic over that circuit. 
 
Solution: upgrade to at least Tor 0.1.0.14 or 0.1.1.5-alpha. 
Comment 3 Hanno Böck gentoo-dev 2005-08-13 10:11:57 UTC
Created attachment 65861
torrc.sample-0.1.0.14.patch
Comment 4 Hanno Böck gentoo-dev 2005-08-13 10:14:31 UTC
Created attachment 65862
tor-0.1.0.14.ebuild

Updated ebuild, changes:
- libevent dependency (libevent-1.1a is not stable on all archs)
- Ported torrc-patch
Comment 5 Hanno Böck gentoo-dev 2005-08-13 10:15:04 UTC
Created attachment 65863
Patch with correct paths
Comment 6 Gustavo Felisberto (RETIRED) gentoo-dev 2005-08-14 15:31:23 UTC
I'm adding to portage now as x86 and amd64. Now we need ppc ppc64 sparc.
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-14 15:44:24 UTC
Arches, please test tor-0.1.0.14 and mark stable. Note the dependency on
libevent-1.1a that needs to be stabled on some arches, too. Thanks!
Comment 8 Matteo Spreafico 2005-08-15 05:46:23 UTC
This is a duplicate of Bug 97141
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2005-08-15 05:56:31 UTC
stable on ppc64
Comment 10 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-08-15 06:12:04 UTC
Stable on ppc.
Comment 11 Jason Wever (RETIRED) gentoo-dev 2005-08-15 19:38:46 UTC
Stable on SPARC. 
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-08-22 00:50:38 UTC
Ready for GLSA vote. I vote yes.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-23 00:20:10 UTC
I tend to vote YES. 
Comment 14 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-23 01:13:24 UTC
also vote YES
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-24 22:20:59 UTC
GLSA 200508-16