Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 776586 (CVE-2021-28089, CVE-2021-28090, TROVE-2021-001, TROVE-2021-002) - <net-vpn/tor-{0.4.5.7, 0.4.4.8}: Multiple vulnerabilities
Summary: <net-vpn/tor-{0.4.5.7, 0.4.4.8}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-28089, CVE-2021-28090, TROVE-2021-001, TROVE-2021-002
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://lists.torproject.org/pipermai...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-16 00:08 UTC by Sam James
Modified: 2021-07-10 02:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2021-03-16 00:08:20 UTC
"Hello!

I'm working on these releases today, and intend to publish them in
about 24 hours from now.

---------- Forwarded message ---------
From: Nick Mathewson <nickm at torproject.org>
Date: Mon, Mar 8, 2021 at 10:55 AM
Subject: Upcoming releases to fix denial-of-service issues in Tor
To: <tor-packagers at lists.torproject.org>


Hello!

Early next week -- around Tuesday -- we plan to put out new Tor
releases to fix a pair of denial-of-service issues that we have found.
  We are tracking these issues as "High" and "Medium" severity
respectively under our security policy at
https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy
.  We are tracking these issues as TROVE-2021-001 and TROVE-2021-002
at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
.  All currently supported Tor versions are affected.

The impact of these issues is that a remote attacker participating in
the directory protocol can cause a denial of service attack against
Tor instances. Once the new versions are released, we will recommend
that all relays and authorities should upgrade.  The impact is worst
for directory authorities: we have already distributed patches to the
authority operators and encouraged them to upgrade.

To the best of our knowledge these vulnerabilities are not being
exploited in the wild.

We'll be releasing more information about these issues after the fixes
are available.

best wishes,
--
Nick"
Comment 1 Sam James archtester gentoo-dev Security 2021-03-16 13:15:39 UTC
Fixed versions now out.
Comment 2 Sam James archtester gentoo-dev Security 2021-03-22 00:45:48 UTC
Bumped in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b8a5df7e76856703e60d1b1ef6fdd0f6053d4b0. Tell us when ready to stable.
Comment 3 Anthony Basile gentoo-dev 2021-03-22 12:50:58 UTC
(In reply to Sam James from comment #2)
> Bumped in
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=4b8a5df7e76856703e60d1b1ef6fdd0f6053d4b0. Tell us when ready to stable.

Its ready now.
Comment 4 Sam James archtester gentoo-dev Security 2021-03-22 17:44:01 UTC
(In reply to Anthony Basile from comment #3)
> (In reply to Sam James from comment #2)
> > Bumped in
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/
> > ?id=4b8a5df7e76856703e60d1b1ef6fdd0f6053d4b0. Tell us when ready to stable.
> 
> Its ready now.

Thank you!
Comment 5 Sam James archtester gentoo-dev Security 2021-03-25 23:15:47 UTC
x86 done
Comment 6 Sam James archtester gentoo-dev Security 2021-03-25 23:18:02 UTC
ppc done
Comment 7 Sam James archtester gentoo-dev Security 2021-03-25 23:18:51 UTC
ppc64 done
Comment 8 Sam James archtester gentoo-dev Security 2021-03-25 23:40:26 UTC
amd64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-03-26 23:52:38 UTC
arm64 done
Comment 10 Anthony Basile gentoo-dev 2021-03-27 12:42:47 UTC
(In reply to Sam James from comment #2)
> Bumped in
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=4b8a5df7e76856703e60d1b1ef6fdd0f6053d4b0. Tell us when ready to stable.

Its ready now.
Comment 11 Anthony Basile gentoo-dev 2021-03-27 12:50:15 UTC
(In reply to Anthony Basile from comment #10)
> (In reply to Sam James from comment #2)
> > Bumped in
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/
> > ?id=4b8a5df7e76856703e60d1b1ef6fdd0f6053d4b0. Tell us when ready to stable.
> 
> Its ready now.

I'm not sure why the double post happened here.
Comment 12 Sam James archtester gentoo-dev Security 2021-03-27 16:05:04 UTC
arm done

all arches done
Comment 13 John Helmert III gentoo-dev Security 2021-03-27 17:02:50 UTC
Please cleanup
Comment 14 Anthony Basile gentoo-dev 2021-03-27 18:33:22 UTC
(In reply to John Helmert III from comment #13)
> Please cleanup

the vulnerable version is off the tree.
Comment 15 John Helmert III gentoo-dev Security 2021-03-27 18:50:23 UTC
Thanks!
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2021-07-10 02:54:42 UTC
This issue was resolved and addressed in
 GLSA 202107-25 at https://security.gentoo.org/glsa/202107-25
by GLSA coordinator John Helmert III (ajak).