Accepted tor 0.2.2.39-1 (source all amd64)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 12 Sep 2012 12:14:24 UTC
Source: tor
Binary: tor tor-dbg tor-geoipdb
Architecture: source all amd64
Version: 0.2.2.39-1
Distribution: stable-security
Urgency: high
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description: 
 tor        - anonymizing overlay network for TCP
 tor-dbg    - debugging symbols for Tor
 tor-geoipdb - geoIP database for Tor
Checksums-Sha1: 
 36b9d153dce381ef156576b828a4a9a88c3d4b7e 1554 tor_0.2.2.39-1.dsc
 cc5021a7656c0cd22de42da9f0ce7335026852bf 2929303 tor_0.2.2.39.orig.tar.gz
 2f3f34b4291d9c9d1274f585a75a7190783bf0f1 33626 tor_0.2.2.39-1.diff.gz
 8c479f436cc4344c35f508e88d3cefe123c343a9 1414938 tor-geoipdb_0.2.2.39-1_all.deb
 c859ee055c62b64e9560889e572c95d8589f2040 1059636 tor_0.2.2.39-1_amd64.deb
 624db74e2549a36c592ecafb977c30549fe0509a 1139598 tor-dbg_0.2.2.39-1_amd64.deb
Checksums-Sha256: 
 6a334b1ca0e52d0972509215fe6d2617ba25c653256fe3976b62f55c61c1baec 1554 tor_0.2.2.39-1.dsc
 0d0c778d4697d5c5bd4f732ca179c22e8e359c634617ca9b6665e33d1863622a 2929303 tor_0.2.2.39.orig.tar.gz
 dfab8a3ddb5056ee2541f8401be535d1d14c46d00f49749895becd51f059d5c4 33626 tor_0.2.2.39-1.diff.gz
 09c7756e262938607c4a45e20114c0de622a16e881a8fd2e11352ffd2addd440 1414938 tor-geoipdb_0.2.2.39-1_all.deb
 ea0e4030ea4c334eff5daf2c653fc142edc4bcca8de0f8c6f603f76e41997327 1059636 tor_0.2.2.39-1_amd64.deb
 c049b5c56fd9b06d7e0b89684fd3353a4dc8548692b8e757ae87cc8797a59da4 1139598 tor-dbg_0.2.2.39-1_amd64.deb
Changes: 
 tor (0.2.2.39-1) stable-security; urgency=high
 .
   * New upstream version:
     - Fix an assertion failure in tor_timegm() that could be triggered
       by a badly formatted directory object. Bug found by fuzzing with
       Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
     - Do not crash when comparing an address with port value 0 to an
       address policy. This bug could have been used to cause a remote
       assertion failure by or against directory authorities, or to
       allow some applications to crash clients. Fixes bug 6690; bugfix
       on 0.2.1.10-alpha.
 .
 tor (0.2.2.38-1) stable; urgency=low
 .
   * New upstream version, fixing three security issues, as discussed
     in #684763:
     - Avoid an uninitialized memory read when reading a vote or consensus
       document that has an unrecognized flavor name. This read could
       lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
       [CVE-2012-3518]
     - Try to leak less information about what relays a client is
       choosing to a side-channel attacker. Previously, a Tor client would
       stop iterating through the list of available relays as soon as it
       had chosen one, thus finishing a little earlier when it picked
       a router earlier in the list. If an attacker can recover this
       timing information (nontrivial but not proven to be impossible),
       they could learn some coarse-grained information about which relays
       a client was picking (middle nodes in particular are likelier to
       be affected than exits). The timing attack might be mitigated by
       other factors (see bug 6537 for some discussion), but it's best
       not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
       [CVE-2012-3519]
   * Note that contrary to the upstream release notes and changelog the
     following issue is not fixed by this release.  Discussion in the
     upstream bug tracker suggests it is not triggerable in practice.
     - Avoid read-from-freed-memory and double-free bugs that could occur
       when a DNS request fails while launching it. Fixes bug 6480;
       bugfix on 0.2.0.1-alpha.
       [CVE-2012-3517; https://bugs.torproject.org/6480]
 .
 tor (0.2.2.37-1~squeeze+1) stable; urgency=low
 .
   * Update tor in stable to 0.2.2.37 as per discussion in #679224:
     - This version fixes a couple of minor security issues, like no longer
       leaking uninitialized memory, properly rejecting inputs where the number
       exceeds valid values for its storage types, or not adding more bytes to
       input buffers while renegotiating.
     - Furthermore, a few issues are resolved that might affect a user's
       anonymity.  These include things such as only building circuits when a
       client knows a sufficient number of "exit" nodes, never using a bridge
       as an exit, or reusing circuits in an unsafe manner.
     - Additionally it updates the list of directory authorities, makes building
       with newer and older openssl libraries safer (probably not important for
       us) and makes building on a few other platforms more robust.
     - For details please consult the upstream changelog entries.
 .
 tor (0.2.2.37-1) unstable; urgency=medium
 .
   * New upstream version, including:
     - Work around a bug in OpenSSL that broke renegotiation with TLS
       1.1 and TLS 1.2. Without this workaround, all attempts to speak
       the v2 Tor connection protocol when both sides were using OpenSSL
       1.0.1 would fail. Resolves ticket 6033.
     - When waiting for a client to renegotiate, don't allow it to add
       any bytes to the input buffer. This fixes a potential DoS issue.
       Fixes bugs 5934 and 6007; bugfix on 0.2.0.20-rc.
     - and more.  See upstream's changelog.
 .
 tor (0.2.2.36-1) unstable; urgency=low
 .
   * New upstream version, including updates to authority addresses, and
     a couple minor security issues, see upstream's changelog.
Files: 
 39e3355ea625de0a0b41ca298ef3bea9 1554 net optional tor_0.2.2.39-1.dsc
 9157a1f02fcda9d7d2c5744176373abd 2929303 net optional tor_0.2.2.39.orig.tar.gz
 e7650783d87f9d63ec913fe119363101 33626 net optional tor_0.2.2.39-1.diff.gz
 0bae08cf4cd0d8add83bd5fc836107bb 1414938 net extra tor-geoipdb_0.2.2.39-1_all.deb
 530ac28045670103bf1911279ae5a56b 1059636 net optional tor_0.2.2.39-1_amd64.deb
 eb46286358983112a65d7b4d22c2f82d 1139598 debug extra tor-dbg_0.2.2.39-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----
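The bug 6537 entry in the 0.2.2.38-1 changelog above describes a relay-selection loop that returned as soon as it had picked a relay, so its run time depended on where the pick sat in the list. The following is an added illustration, not Tor's own code: a constructed weight table (hypothetical values) with the early-exit shape beside a fixed-iteration-count shape, showing that both choose the same relay while only the second does the same amount of loop work for every pick.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed bandwidth weights for five relays; the index stands in for a
 * relay identity. Hypothetical values, not Tor's own data structures. */
static const uint64_t relay_weights[] = { 300, 100, 500, 200, 400 };
#define N_RELAYS (sizeof(relay_weights) / sizeof(relay_weights[0]))
#define TOTAL_WEIGHT 1500u   /* sum of relay_weights */

/* Pre-fix shape: return as soon as the cumulative weight passes the random
 * target, so the loop work (and time) reveals roughly where the pick sits. */
size_t choose_early_exit(uint64_t target, size_t *iterations)
{
  uint64_t cum = 0;
  *iterations = 0;
  for (size_t i = 0; i < N_RELAYS; i++) {
    (*iterations)++;
    cum += relay_weights[i];
    if (target < cum) return i;
  }
  return N_RELAYS - 1;   /* target out of range: fall back to the last relay */
}

/* Post-fix shape: always walk the whole list and only remember the first
 * index that crosses the threshold, so the iteration count no longer depends
 * on the pick (a data-dependent branch remains; the coarse signal is gone). */
size_t choose_full_scan(uint64_t target, size_t *iterations)
{
  uint64_t cum = 0;
  size_t chosen = N_RELAYS - 1;
  int found = 0;
  *iterations = 0;
  for (size_t i = 0; i < N_RELAYS; i++) {
    (*iterations)++;
    cum += relay_weights[i];
    if (!found && target < cum) { chosen = i; found = 1; }
  }
  return chosen;
}

/* Both selectors agree on every target and the full scan always takes N_RELAYS steps. */
int selectors_agree(void)
{
  for (uint64_t t = 0; t < TOTAL_WEIGHT; t++) {
    size_t a, b;
    if (choose_early_exit(t, &a) != choose_full_scan(t, &b)) return 0;
    if (b != N_RELAYS) return 0;
  }
  return 1;
}
```

The early-exit variant does one step for target 0 and five steps for target 1499; the full-scan variant does five steps for both.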