From ${URL} : Major features (security, Linux): When Tor starts as root on Linux and is told to switch user ID, it can now retain the capability to bind to low ports. By default, Tor will do this only when it's switching user ID and some low ports have been configured. You can change this behavior with the new option KeepBindCapabilities. Closes ticket 8195. Major bugfixes (security, client, DNS proxy): Stop a crash that could occur when a client running with DNSPort received a query with multiple address types, and the first address type was not supported. Found and fixed by Scott Dial. Fixes bug 18710; bugfix on 0.2.5.4-alpha. Major bugfixes (security, compilation): Correctly detect compiler flags on systems where _FORTIFY_SOURCE is predefined. Previously, our use of -D_FORTIFY_SOURCE would cause a compiler warning, thereby making other checks fail, and needlessly disabling compiler-hardening support. Fixes one case of bug 18841; bugfix on 0.2.3.17-beta. Patch from "trudokal". Repair hardened builds under the clang compiler. Previously, our use of _FORTIFY_SOURCE would conflict with clang's address sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha. Major bugfixes (security, pointers): Avoid a difficult-to-trigger heap corruption attack when extending a smartlist to contain over 16GB of pointers. Fixes bug 18162; bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. Reported by Guido Vranken. @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
I don't understand this report, all of those bugs are ancient. The current stable tor is in the 0.2.7 branch and we're heading towards 0.2.8 next. Those fixes go back to 0.2.5. There's nothing for me to do here. Can you please adivse if I'm missing something? Also, can you start putting the versions that are vulnerable in the title. "net-misc/tor: multiple vulnerabilities" is too vague as it does not specify what versions are affected. | | u | | a a a n p r s | n | | l m r h i m m i p i s p | u s | r | p d a m p a 6 i o p c s 3 a x | s l | e | h 6 r 6 p 6 8 p s p 6 c 9 s r 8 | e o | p | a 4 m 4 a 4 k s 2 c 4 v 0 h c 6 | d t | o --------------+---------------------------------+-----+------- [I]0.2.7.6 | o + + o o o o ~ o + + o o o + + | o 0 | gentoo 0.2.8.6 | o ~ ~ o o o o ~ o ~ ~ o o o ~ ~ | # | gentoo 0.2.9.1_alpha | o ~ ~ o o o o ~ o ~ ~ o o o ~ ~ | o | gentoo
The reported problems were all fixed in v0.2.8.6 which appeared in the Gentoo repository via https://gitweb.gentoo.org/repo/gentoo.git/commit/net-misc/tor?id=f13b59b3723707ac4e951f9ce38264c7f8748616. Current stable version is =net-misc/tor-0.2.8.9, vulnerable versions still in repository. New GLSA created. @ Maintainer(s): Please remove <net-misc/tor-0.2.8.6.
(In reply to Thomas Deutschmann from comment #2) > > @ Maintainer(s): Please remove <net-misc/tor-0.2.8.6. done
This issue was resolved and addressed in GLSA 201612-45 at https://security.gentoo.org/glsa/201612-45 by GLSA coordinator Aaron Bauman (b-man).
