Hello! I'm working on these releases today, and intend to publish them in about 24 hours from now.

---------- Forwarded message ---------
From: Nick Mathewson <nickm at torproject.org>
Date: Mon, Mar 8, 2021 at 10:55 AM
Subject: Upcoming releases to fix denial-of-service issues in Tor
To: <tor-packagers at lists.torproject.org>

Hello!

Early next week -- around Tuesday -- we plan to put out new Tor releases to fix a pair of denial-of-service issues that we have found. We are tracking these issues as "High" and "Medium" severity respectively under our security policy at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy . We are tracking these issues as TROVE-2021-001 and TROVE-2021-002 at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE .

All currently supported Tor versions are affected.

The impact of these issues is that a remote attacker participating in the directory protocol can cause a denial of service attack against Tor instances. Once the new versions are released, we will recommend that all relays and authorities should upgrade. The impact is worst for directory authorities: we have already distributed patches to the authority operators and encouraged them to upgrade.

To the best of our knowledge these vulnerabilities are not being exploited in the wild.

We'll be releasing more information about these issues after the fixes are available.

best wishes,
-- Nick
Fixed versions now out.
Bumped in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b8a5df7e76856703e60d1b1ef6fdd0f6053d4b0. Tell us when ready to stable.
(In reply to Sam James from comment #2)
> Bumped in
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b8a5df7e76856703e60d1b1ef6fdd0f6053d4b0. Tell us when ready to stable.

It's ready now.
(In reply to Anthony Basile from comment #3)
> (In reply to Sam James from comment #2)
> > Bumped in
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b8a5df7e76856703e60d1b1ef6fdd0f6053d4b0. Tell us when ready to stable.
>
> Its ready now.

Thank you!
x86 done
ppc done
ppc64 done
amd64 done
arm64 done
(In reply to Anthony Basile from comment #10)
> (In reply to Sam James from comment #2)
> > Bumped in
> > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b8a5df7e76856703e60d1b1ef6fdd0f6053d4b0. Tell us when ready to stable.
>
> Its ready now.

I'm not sure why the double post happened here.
arm done. All arches done.
Please cleanup
(In reply to John Helmert III from comment #13)
> Please cleanup

The vulnerable version is off the tree.
Thanks!
This issue was resolved and addressed in GLSA 202107-25 at https://security.gentoo.org/glsa/202107-25 by GLSA coordinator John Helmert III (ajak).