Bug 621360 (CVE-2017-0375, CVE-2017-0376) - <net-vpn/tor-0.3.0.8: multiple vulnerabilities (CVE-2017-{0375,0376})
Summary: <net-vpn/tor-0.3.0.8: multiple vulnerabilities (CVE-2017-{0375,0376})
Status: RESOLVED FIXED
Alias: CVE-2017-0375, CVE-2017-0376
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://blog.torproject.org/blog/tor-...
Whiteboard: B3 [noglsa cve]
Reported: 2017-06-10 00:52 UTC by Michael Boyle
Modified: 2017-09-10 23:03 UTC
Package list:
net-vpn/tor-0.3.0.8
Runtime testing required: ---
stable-bot: sanity-check+


Description Michael Boyle 2017-06-10 00:52:46 UTC
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the connection_edge_process_relay_cell function via a BEGIN_DIR cell on a rendezvous circuit. 

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the relay_send_end_cell_from_edge_ function via a malformed BEGIN cell.
Comment 1 Anthony Basile gentoo-dev 2017-06-10 15:37:35 UTC
I just added 0.3.0.8 and it should be good for rapid stabilization:

KEYWORDS="amd64 arm ppc ppc64 sparc x86"
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-06-10 16:26:03 UTC
@ Arches,

please test and mark stable: =net-vpn/tor-0.3.0.8
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-10 17:11:55 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-12 12:55:28 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-13 12:36:05 UTC
ppc64 stable
Comment 6 Markus Meier gentoo-dev 2017-06-13 18:23:51 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-21 12:04:26 UTC
ppc stable
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2017-07-02 01:39:17 UTC
sparc please continue stabilization.

GLSA Vote: No

New GLSA on Regression in guard family avoidance as depends.
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-10 21:57:57 UTC
sparc was dropped to exp profile.
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-10 21:58:19 UTC
@maintainer(s), please cleanup.
Comment 11 Anthony Basile gentoo-dev 2017-09-10 22:55:36 UTC
(In reply to Aaron Bauman from comment #10)
> @maintainer(s), please cleanup.

done
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-10 23:02:26 UTC
(In reply to Anthony Basile from comment #11)
> (In reply to Aaron Bauman from comment #10)
> > @maintainer(s), please cleanup.
> 
> done

Thanks, Doc!