Bug 623370 (CVE-2017-0377) - <net-vpn/tor-0.3.0.10: Regression in guard family avoidance in 0.3.0 series
Summary: <net-vpn/tor-0.3.0.10: Regression in guard family avoidance in 0.3.0 series
Status: RESOLVED FIXED
Alias: CVE-2017-0377
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://blog.torproject.org/blog/tor-...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-01 19:39 UTC by ncl
Modified: 2017-10-08 19:35 UTC

See Also:
Package list:
=net-vpn/tor-0.3.0.10
Runtime testing required: Yes
stable-bot: sanity-check+


Description ncl 2017-07-01 19:39:42 UTC
Due to a regression in circuit-building logic in the tor-0.3.0 release, a guard and exit from the same family may be used in a single circuit.

https://trac.torproject.org/projects/tor/ticket/22753

Other fixes are made in this release as well.

https://blog.torproject.org/blog/tor-0309-released-security-update-clients

=net-vpn/tor-0.3.0.9 is already in the portage tree, but not yet stabilized.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-07-17 01:36:17 UTC
@maintainer, please call for stable when ready.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-08-27 21:36:35 UTC
@arches, please stabilize.
Comment 3 Anthony Basile gentoo-dev 2017-08-27 23:37:11 UTC
(In reply to Aaron Bauman from comment #2)
> @arches, please stabilize.

sorry missed this.  please stabilize =net-vpn/tor-0.3.0.10 which has been in the tree a while.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-09-04 00:27:34 UTC
amd64/x86 stable
Comment 5 Markus Meier gentoo-dev 2017-09-05 04:39:53 UTC
arm stable
Comment 6 Anthony Basile gentoo-dev 2017-09-19 10:41:52 UTC
ppc64 stable.  there is a build failure for ppc.
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-03 16:01:21 UTC
ppc stable
Comment 8 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-03 16:06:09 UTC
Thank you all,

@Security please vote.

Gentoo Security Padawan
ChrisADR
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-10-08 19:35:18 UTC
GLSA Vote: No