Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 144582 - net-misc/tor-0.1.22 stable request
Summary: net-misc/tor-0.1.22 stable request
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All All
: High enhancement
Assignee: Gustavo Felisberto (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on: 145458
Blocks:
  Show dependency tree
 
Reported: 2006-08-20 20:15 UTC by Daniel Webert
Modified: 2006-12-17 11:25 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Daniel Webert 2006-08-20 20:15:55 UTC 
net-misc/tor-1.0.22 stable request

- works fine on x86 w/ gcc-4.1+glibc-2.4 for some time
- no bugs-in-zilla
Comment 1 Samuel Tardieu 2006-08-29 02:54:10 UTC 
I think you refer to 0.1.22, not 1.0.22. 0.1.22 has a security problem, I'll fill a new security issue right away.
Comment 2 xiando 2006-12-16 23:50:51 UTC 
tor-0.1.1.24 has a serious bug in it which is the primary reason for the release of version tor-0.1.1.26. (The summary of this bug, net-misc/tor-0.1.22, is way old, but I don't have permission to change it).

Please bump Tor to tor-0.1.1.26 as the latest stable version in portage. Also, please consider using the *-alpha branch of Tor for the "masked" versions of this package.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-12-17 05:01:11 UTC 
There's no 0.1.22 in the tree.

  05 Sep 2006; Gustavo Felisberto <humpback@gentoo.org>;
  -files/torrc.sample-0.1.0.14.patch, -tor-0.1.0.14-r1.ebuild,
  -tor-0.1.0.16.ebuild, -tor-0.1.0.17.ebuild, -tor-0.1.1.20.ebuild,
  -tor-0.1.1.22.ebuild:
  Removed older version that had sec issues.
Comment 4 xiando 2006-12-17 11:25:47 UTC 
Thanks for removing the very old versions.

However, every version prior to 0.1.1.26 has "a serious privacy bug for people who use the HttpProxyAuthenticator config option: Tor would send your proxy auth directly to the directory server when you're tunnelling directory requests through Tor. Specifically, this happens when publishing or accessing hidden services, or when you have set FascistFirewall or ReachableAddresses and you're accessing a directory server that's not reachable directly.".

Both tor-0.1.1.23 (latest unmasked) and tor-0.1.1.24 (latest masked) have this bug, which is why I highly recommend making tor-0.1.1.26 the default (latest unmasked) version in portage. I recommend -tor-0.1.0.18.ebuild -tor-0.1.1.23.ebuild -tor-0.1.1.24.ebuild and +tor-0.1.1.26.ebuild, rename the patch file, rename the build and change the patch file line, and done. 

I realize 0.1.1.26 is "new" and perhaps shouldn't be considered stable, but only very safe things from Tor's alpha branch are backported into the stable tree and it's quite safe to make 0.1.1.26 the latest version - especially because every prior version makes users who use the HttpProxyAuthenticator config option think they are getting privacy when they in reality are not.