[Bug 321102] Re: Security fixes in tor 0.2.0.32 and .33
Hew McLachlan
hew.mclachlan at gmail.com
Sun Jan 25 12:57:35 UTC 2009
** Summary changed:
- Tor packages too old
+ Security fixes in tor 0.2.0.32 and .33
** Description changed:
- Tor packages do not seem to be updated in Ubuntu. The list
- http://packages.ubuntu.com/search?keywords=tor
- contains only outdated packages. My 8.04 installs package tor 0.1.2.19-2, which is one year old by now.
- This is very bad as Tor is security software, and new versions frequently fix security issues.
-
- E.g., the latest version as of this writing (21 January 2009: Tor 0.2.0.33) comes with the following
- changelog entry: "Fix a heap-corruption bug that may be remotely triggerable on some platforms"
+ Tor 0.2.0.33 comes with the following changelog entry: "Fix a heap-corruption bug that may be remotely triggerable on some platforms"
(From http://archives.seul.org/or/announce/Jan-2009/msg00000.html)
- In my view, Tor should either be removed from Ubuntu or updated
- regularly.
+ -----
- Thanks
- Jens
+ Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
+ packages (and maybe other packages) noticed by Theo de Raadt, fixes
+ a smaller security flaw that might allow an attacker to access local
+ services, further improves hidden service performance, and fixes a
+ variety of other issues.
+
+ o Security fixes:
+ - The "User" and "Group" config options did not clear the
+ supplementary group entries for the Tor process. The "User" option
+ is now more robust, and we now set the groups to the specified
+ user's primary group. The "Group" option is now ignored. For more
+ detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
+ in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
+ and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
+ - The "ClientDNSRejectInternalAddresses" config option wasn't being
+ consistently obeyed: if an exit relay refuses a stream because its
+ exit policy doesn't allow it, we would remember what IP address
+ the relay said the destination address resolves to, even if it's
+ an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
+
+ https://www.torproject.org/svn/trunk/ChangeLog
** Bug watch added: Debian Bug tracker #512728
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512728
** Also affects: tor (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512728
Importance: Unknown
Status: Unknown
--
Security fixes in tor 0.2.0.32 and .33
https://bugs.launchpad.net/bugs/321102
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
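The first changelog item above (the "User"/"Group" options not clearing supplementary groups) is a general privilege-dropping mistake, not something specific to Tor. The following C program is an added example written for this page, not Tor's own code or the patch by Jacob Appelbaum and Steven Murdoch: it drops root to an unprivileged user in the order the fix describes (clear the supplementary group list, set the user's primary group, then setuid), refuses to continue if root can be regained, and exposes the group check as a function so it can be verified on constructed group lists. The user name "nobody" and the helper names are assumptions for illustration.

```c
/* Added example, not Tor's code: drop root the way the 0.2.0.32 fix
 * describes. Key point: setgroups() must run while still root, before
 * setgid()/setuid(), otherwise the process keeps root's supplementary
 * groups (e.g. gid 0) even though its uid looks unprivileged. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when every entry in groups[] is the primary gid, i.e. no
 * supplementary group membership survives; 0 otherwise. */
int supplementary_groups_cleared(gid_t primary, const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != primary)
            return 0;
    return 1;
}

/* Inspect the calling process: 1 if real/effective uid and gid match the
 * target and the supplementary list is reduced to the primary gid. */
int credentials_match(uid_t want_uid, gid_t want_gid)
{
    if (getuid() != want_uid || geteuid() != want_uid) return 0;
    if (getgid() != want_gid || getegid() != want_gid) return 0;

    int n = getgroups(0, NULL);            /* query list size first */
    if (n < 0) return 0;
    gid_t *groups = malloc((n > 0 ? n : 1) * sizeof *groups);
    if (!groups) return 0;
    n = getgroups(n, groups);
    int ok = (n >= 0) && supplementary_groups_cleared(want_gid, groups, n);
    free(groups);
    return ok;
}

/* Switch to `user`. Order matters: groups can only be changed while root,
 * so setgroups() and setgid() go before setuid(). Returns 0 on success. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) { fprintf(stderr, "no such user: %s\n", user); return -1; }

    gid_t primary = pw->pw_gid;
    /* The fix: replace the inherited supplementary list with just the
     * primary group (initgroups(3) would load the user's configured
     * groups instead; either way root's groups are gone). */
    if (setgroups(1, &primary) != 0) { perror("setgroups"); return -1; }
    if (setgid(primary) != 0)        { perror("setgid");    return -1; }
    if (setuid(pw->pw_uid) != 0)     { perror("setuid");    return -1; }

    /* Refuse to continue if any privilege can be regained. */
    if (setuid(0) == 0 || setgid(0) == 0) {
        fprintf(stderr, "privilege drop incomplete\n");
        return -1;
    }
    return credentials_match(pw->pw_uid, primary) ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody"; /* assumed user name */
    if (drop_privileges(user) != 0) return 1;
    printf("now uid=%u gid=%u, supplementary groups cleared\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run it as root with the target user as its argument; as a non-root user setgroups() fails with EPERM and the program stops, which is the intended behaviour rather than a silent partial drop. The same check (`id -G` showing only the primary group) is what an administrator would look at on a running Tor process started with the "User" option.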
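The second changelog item (ClientDNSRejectInternalAddresses not being obeyed when an exit relay refuses a stream) comes down to one check at the point where a relay's resolved address is remembered. The C snippet below is an added example for this page, not Tor's code: it models a small client-side resolve cache and refuses to store an address reported by an exit relay when it falls in a private, loopback, link-local or unspecified IPv4 range (RFC 1918, RFC 3927, 127.0.0.0/8 and 0.0.0.0/8) while the reject option is on. The cache structure, function names and the sample host names and addresses are constructed for illustration.

```c
/* Added example, not Tor's code: refuse to cache internal addresses that
 * an exit relay claims a destination resolves to, which is the behaviour
 * the ClientDNSRejectInternalAddresses option is meant to guarantee. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_MAX 16

struct dns_cache {
    struct { char name[64]; uint32_t ip; } entry[CACHE_MAX];
    int count;
};

/* Parse dotted-quad IPv4 into host-order uint32. Returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* 1 if ip is in a range that must never come back from an exit relay as a
 * legitimate public destination. */
int ipv4_is_internal(uint32_t ip)
{
    return (ip >> 24) == 10        /* 10.0.0.0/8      RFC 1918 */
        || (ip >> 24) == 127       /* 127.0.0.0/8     loopback */
        || (ip >> 24) == 0         /* 0.0.0.0/8       unspecified */
        || (ip >> 20) == 0xAC1     /* 172.16.0.0/12   RFC 1918 */
        || (ip >> 16) == 0xC0A8    /* 192.168.0.0/16  RFC 1918 */
        || (ip >> 16) == 0xA9FE;   /* 169.254.0.0/16  link-local */
}

/* Store name -> ip as reported by an exit relay. Returns 1 if cached,
 * 0 if rejected because the address is internal and reject_internal is
 * set, -1 if the address is unparsable or the cache is full. With
 * reject_internal == 0 this is the pre-fix behaviour: the answer is
 * remembered regardless of where it points. */
int cache_exit_answer(struct dns_cache *c, const char *name,
                      const char *ip_str, int reject_internal)
{
    uint32_t ip;
    if (!parse_ipv4(ip_str, &ip)) return -1;
    if (reject_internal && ipv4_is_internal(ip)) {
        fprintf(stderr, "not caching %s -> %s: internal address from exit\n",
                name, ip_str);
        return 0;
    }
    if (c->count >= CACHE_MAX) return -1;
    snprintf(c->entry[c->count].name, sizeof c->entry[c->count].name, "%s", name);
    c->entry[c->count].ip = ip;
    c->count++;
    return 1;
}

/* Returns 1 and sets *ip when name is present in the cache. */
int cache_lookup(const struct dns_cache *c, const char *name, uint32_t *ip)
{
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->entry[i].name, name) == 0) { *ip = c->entry[i].ip; return 1; }
    return 0;
}

int main(void)
{
    struct dns_cache c = {0};
    /* Constructed sample answers, as an exit relay might report them. */
    cache_exit_answer(&c, "example.com", "93.184.216.34", 1);
    cache_exit_answer(&c, "intranet.example", "10.0.0.5", 1);   /* rejected */
    printf("%d entries cached\n", c.count);
    return 0;
}
```

The important design point is that the check sits on the cache write path, so it applies whether the answer arrived as a successful resolve or inside a stream-refused message; the original bug was that only one of those paths consulted the option.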