Bug 484154 - <net-misc/tor-2.4: uses weak cryptography
Summary: <net-misc/tor-2.4: uses weak cryptography
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-08 03:41 UTC by Walter
Modified: 2014-06-19 02:33 UTC

See Also:
Package list:
Runtime testing required: ---
Description Walter 2013-09-08 03:41:13 UTC
Need a version bump.

Reproducible: Always

Steps to Reproduce:
1. Up in my nerd-cave, protectin' my secrets.
2. NSA spies on me.
Actual Results:  
Nerd cave compromise.

Expected Results:  
Nerd cave remains 100% sterile.

Equally affects treehouses and other forms of above ground dwelling.
Comment 1 Anthony Basile gentoo-dev 2013-09-08 16:55:13 UTC
(In reply to Walter from comment #0)
> Need a version bump.
> 
> Reproducible: Always
> 
> Steps to Reproduce:
> 1. Up in my nerd-cave, protectin' my secrets.
> 2. NSA spies on me.
> Actual Results:  
> Nerd cave compromise.
> 
> Expected Results:  
> Nerd cave remains 100% sterile.
> 
> Equally affects treehouses and other forms of above ground dwelling.

I'm as paranoid as you, and I have a close eye on upstream.  However, as of right now, the tor team is still distributing 0.2.3.25 as the current stable and has issued a call for 0.2.4.17-rc testing [1].

My understanding is that >= 0.2.4.17 is being fast tracked because of suspected botnet usage of tor [2].  This is mitigated by the new NTor circuit-level handshake [3].

Ping back this bug when you see >= 0.2.4.17 being pushed as the upstream stable if I don't beat you to it.

Refs.

[1] https://www.torproject.org/download/download.html.en
[2] https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients
[3] https://gitweb.torproject.org/tor.git/blob/refs/tags/tor-0.2.4.17-rc:/ChangeLog#l769
Comment 2 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-12 21:09:59 UTC
This sounds more like sec hardening than an actual CVE-worthy issue to me.
Comment 3 Anthony Basile gentoo-dev 2013-09-12 22:00:41 UTC
(In reply to Chris Reffett from comment #2)
> This sounds more like sec hardening than an actual CVE-worthy issue to me.

I agree.  Upstream is very vibrant and they'll push out a CVE if it's CVE-worthy.

Nonetheless, for people using tor and *expecting* anonymity, every flaw is important.  My pessimistic guess is, though, that gov't agencies around the world, like the NSA, just record all the encrypted traffic they can today and will wait into the future when it's crackable.

I feel so ... vulnerable.
Comment 4 Anthony Basile gentoo-dev 2014-05-17 12:15:32 UTC
All <2.4 ebuilds are off the tree.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-05-17 12:46:36 UTC
Don't close security bugs, please.

@security, please vote.

GLSA vote: no.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 02:33:16 UTC
GLSA Vote: No

No GLSA - Closing Bug as Resolved