>New tor releases are tagged and signed, and available at
>https://dist.torproject.org/ . Please remember to check the
>Here are the changelog links:
>Note that these releases fix several vulnerabilities, including a
>remotely triggerable CPU DoS. Everybody running older versions should
>upgrade to one of these. For TROVE and CVE identifiers and more about
>the vulnerabilities, please see the ChangeLogs.
Further miscellaneous details:
> This is the third stable release in the 0.4.2.x series. It backports
> numerous fixes from later releases, including a fix for TROVE-2020-
> 002, a major denial-of-service vulnerability that affected all
> released Tor instances since 0.2.1.5-alpha. Using this vulnerability,
> an attacker could cause Tor instances to consume a huge amount of CPU,
> disrupting their operations for several seconds or minutes. This
> attack could be launched by anybody against a relay, or by a directory
> cache against any client that had connected to it. The attacker could
> launch this attack as much as they wanted, thereby disrupting service
> or creating patterns that could aid in traffic analysis. This issue
> was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.
Description from ChangeLog:
o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
- Fix a denial-of-service bug that could be used by anyone to
consume a bunch of CPU on any Tor relay or authority, or by
directories to consume a bunch of CPU on clients or hidden
services. Because of the potential for CPU consumption to
introduce observable timing patterns, we are treating this as a
high-severity security issue. Fixes bug 33119; bugfix on
0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
as TROVE-2020-002 and CVE-2020-10592.
Description from ChangeLog:
o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
- Avoid a remotely triggered memory leak in the case that a circuit
padding machine is somehow negotiated twice on the same circuit.
Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
This is also tracked as TROVE-2020-004 and CVE-2020-10593.
The bug has been referenced in the following commit(s):
Author: Sam James (sam_c) <firstname.lastname@example.org>
AuthorDate: 2020-03-18 16:50:23 +0000
Commit: Anthony G. Basile <email@example.com>
CommitDate: 2020-03-18 16:54:30 +0000
net-vpn/tor: Security bump
Signed-off-by: Sam James (sam_c) <firstname.lastname@example.org>
Signed-off-by: Anthony G. Basile <email@example.com>
net-vpn/tor/Manifest | 3 ++
net-vpn/tor/tor-0.4.1.9.ebuild | 88 ++++++++++++++++++++++++++++++++++
net-vpn/tor/tor-0.4.2.7.ebuild | 90 +++++++++++++++++++++++++++++++++++
net-vpn/tor/tor-0.4.3.3_alpha.ebuild | 92 ++++++++++++++++++++++++++++++++++++
4 files changed, 273 insertions(+)
@maintainer(s): Thanks for being so quick (jinx)!
Please advise if you are ready for stabilization or call for stabilization yourself.
(In reply to sam_c (Security Padawan) from comment #2)
> @maintainer(s): Thanks for being so quick (jinx)!
> Please advise if you are ready for stabilization or call for stabilization
Its ready for stabilization:
KEYWORDS="amd64 arm arm64 ppc ppc64 x86"
New GLSA request filed.
This issue was resolved and addressed in
GLSA 202003-50 at https://security.gentoo.org/glsa/202003-50
by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
@maintainer(s), please cleanup.
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
(In reply to Sam James (sam_c) (security padawan) from comment #13)
> @maintainer(s), please cleanup.
Unable to check for sanity:
> no match for package: =net-vpn/tor-0.4.1.9
(In reply to NATTkA from comment #16)
> Unable to check for sanity:
> > no match for package: =net-vpn/tor-0.4.1.9
Actually, its time to move past 0.4.1 branch, so I removed it.
(In reply to Anthony Basile from comment #17)
> (In reply to NATTkA from comment #16)
> > Unable to check for sanity:
> > > no match for package: =net-vpn/tor-0.4.1.9
> Actually, its time to move past 0.4.1 branch, so I removed it.