Debian
tor package

tor 0.3.1.9-1 source package in Debian

Changelog

tor (0.3.1.9-1) unstable; urgency=high

  * New upstream version, including among others:
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.
    - When running as a relay, make sure that we never choose ourselves
      as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
      issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
  * Build-depend on libcap-dev on linux-any so we can build tor with
    capabilities support to retain the capability to bind to low ports;
    closes: #882281, #700179.

 -- Peter Palfrader <email address hidden>  Fri, 01 Dec 2017 23:32:58 +0100

Upload details

Uploaded by:
Peter Palfrader
Uploaded to:
Sid
Original maintainer:
Peter Palfrader
Architectures:
any all
Section:
net
Urgency:
Very Urgent

See full publishing history Publishing

Series Pocket Published Component Section

Builds

Downloads

File Size SHA-256 Checksum
tor_0.3.1.9-1.dsc 1.8 KiB d767ca3b900a839b03083a0492c0e2d08ddf0bb15bf9323fd1280d1f115714d2
tor_0.3.1.9.orig.tar.gz 5.8 MiB 6e1b04f7890e782fd56014a0de5075e4ab29b52a35d8bca1f6b80c93f58f3d26
tor_0.3.1.9-1.diff.gz 47.7 KiB dde9f4b63e0ec28d4d649988a494b0bb0e10897df2cb22268c9b2042f080d59f

Available diffs

No changes file available.

Binary packages built by this source