From ${URL} : Tor 0.2.5.12 and 0.2.6.7 fix two security issues that could be used by an attacker to crash hidden services, or crash clients visiting hidden services. Hidden services should upgrade as soon as possible; clients should upgrade whenever packages become available. These releases also contain two simple improvements to make hidden services a bit less vulnerable to denial-of-service attacks. We also made a Tor 0.2.4.27 release so that Debian stable can easily integrate these fixes. The Tor Browser team is currently evaluating whether to put out a new Tor Browser stable release with these fixes, or wait until next week for their scheduled next stable release. Changes in version 0.2.5.12 - 2015-04-06 o Major bugfixes (security, hidden service): - Fix an issue that would allow a malicious client to trigger an assertion failure and halt a hidden service. Fixes bug 15600; bugfix on 0.2.1.6-alpha. Reported by "disgleirio". - Fix a bug that could cause a client to crash with an assertion failure when parsing a malformed hidden service descriptor. Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC". o Minor features (DoS-resistance, hidden service): - Introduction points no longer allow multiple INTRODUCE1 cells to arrive on the same circuit. This should make it more expensive for attackers to overwhelm hidden services with introductions. Resolves ticket 15515. Changes in version 0.2.6.7 - 2015-04-06 o Major bugfixes (security, hidden service): - Fix an issue that would allow a malicious client to trigger an assertion failure and halt a hidden service. Fixes bug 15600; bugfix on 0.2.1.6-alpha. Reported by "disgleirio". - Fix a bug that could cause a client to crash with an assertion failure when parsing a malformed hidden service descriptor. Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC". o Minor features (DoS-resistance, hidden service): - Introduction points no longer allow multiple INTRODUCE1 cells to arrive on the same circuit. This should make it more expensive for attackers to overwhelm hidden services with introductions. Resolves ticket 15515. - Decrease the amount of reattempts that a hidden service performs when its rendezvous circuits fail. This reduces the computational cost for running a hidden service under heavy load. Resolves ticket 11447. @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
0.2.5.12 and 0.2.6.7 are both in the tree. They are ready for stabilization: KEYWORDS="amd64 arm ppc ppc64 sparc x86"
amd64 stable
x86 stable
(In reply to Agostino Sarubbo from comment #2) > amd64 stable We should stabilize both 0.2.5.12 and 0.2.6.7. The latter depends on =app-crypt/libscrypt-1.20.
I'm dropping keywords on the unstable version where possible. Here's where we're at right now: Keywords for net-misc/tor: | | u | | a a a p s | n | | l m r h i m m p s p | u s | r | p d a m p a 6 i p c 3 a x | s l | e | h 6 r 6 p 6 8 p p 6 9 s r 8 | e o | p | a 4 m 4 a 4 k s c 4 0 h c 6 | d t | o ------------+-----------------------------+-----+------- [I]0.2.5.11 | o o o o o o o o o o o o + o | o 0 | gentoo 0.2.5.12 | o + + o o o o ~ + + o o ~ + | o | gentoo 0.2.6.7 | o ~ + o o o o ~ + + o o o ~ | o | gentoo Note: we should also keyword 0.2.6.7 for sparc and x86-fbsd. This will allows us to eventually drop the 0.2.5 branch altogether.
Stable for amd64/x86/sparc
Arches and Maintainer(s), Thank you for your work. GLSA Vote: Yes
YES too, request filed.
CVE-2015-2929 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2929): ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. ** TEMPORARY ** Allows a malicious client to trigger an assertion failure and halt a hidden service. Could cause a client to crash with an assertion failure when parsing a malformed hidden service descriptor. CVE-2015-2928 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2928): ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. ** TEMPORARY ** Allows a malicious client to trigger an assertion failure and halt a hidden service. Could cause a client to crash with an assertion failure when parsing a malformed hidden service descriptor.
This issue was resolved and addressed in GLSA 201507-02 at https://security.gentoo.org/glsa/201507-02 by GLSA coordinator Kristian Fiskerstrand (K_F).