Accepted tor 0.3.1.9-1 (source) into unstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 01 Dec 2017 23:32:58 +0100
Source: tor
Binary: tor tor-geoipdb
Architecture: source
Version: 0.3.1.9-1
Distribution: unstable
Urgency: high
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description:
tor - anonymizing overlay network for TCP
tor-geoipdb - GeoIP database for Tor
Closes: 700179 882281
Changes:
tor (0.3.1.9-1) unstable; urgency=high
.
* New upstream version, including among others:
- Fix a denial of service bug where an attacker could use a
malformed directory object to cause a Tor instance to pause while
OpenSSL would try to read a passphrase from the terminal. (Tor
instances run without a terminal, which is the case for most Tor
packages, are not impacted.) Fixes bug 24246; bugfix on every
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
Found by OSS-Fuzz as testcase 6360145429790720.
- Fix a denial of service issue where an attacker could crash a
directory authority using a malformed router descriptor. Fixes bug
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
and CVE-2017-8820.
- When checking for replays in the INTRODUCE1 cell data for a
(legacy) onion service, correctly detect replays in the RSA-
encrypted part of the cell. We were previously checking for
replays on the entire cell, but those can be circumvented due to
the malleability of Tor's legacy hybrid encryption. This fix helps
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
and CVE-2017-8819.
- Fix a use-after-free error that could crash v2 Tor onion services
when they failed to open circuits while expiring introduction
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
also tracked as TROVE-2017-013 and CVE-2017-8823.
- When running as a relay, make sure that we never build a path
through ourselves, even in the case where we have somehow lost the
version of our descriptor appearing in the consensus. Fixes part
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
as TROVE-2017-012 and CVE-2017-8822.
- When running as a relay, make sure that we never choose ourselves
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
* Build-depend on libcap-dev on linux-any so we can build tor with
capabilities support to retain the capability to bind to low ports;
closes: #882281, #700179.
Checksums-Sha1:
8c132af553721ba81f0d2a297f5141f5b455435d 1824 tor_0.3.1.9-1.dsc
5d6d5f00691d35c782f9126b7ad70a678343a832 6092702 tor_0.3.1.9.orig.tar.gz
7b33ff16dfe470cc5bd3af53960a7ebc7204f415 48881 tor_0.3.1.9-1.diff.gz
Checksums-Sha256:
d767ca3b900a839b03083a0492c0e2d08ddf0bb15bf9323fd1280d1f115714d2 1824 tor_0.3.1.9-1.dsc
6e1b04f7890e782fd56014a0de5075e4ab29b52a35d8bca1f6b80c93f58f3d26 6092702 tor_0.3.1.9.orig.tar.gz
dde9f4b63e0ec28d4d649988a494b0bb0e10897df2cb22268c9b2042f080d59f 48881 tor_0.3.1.9-1.diff.gz
Files:
893c1b5715d321f859707836b2d00e61 1824 net optional tor_0.3.1.9-1.dsc
585e62d086ae7df7cd873f735d726118 6092702 net optional tor_0.3.1.9.orig.tar.gz
02e347d9a5e3bf1b8871dfd75eaa3d19 48881 net optional tor_0.3.1.9-1.diff.gz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEs4PXhajJL968BgN2hgLIIDhyMx8FAloil1cACgkQhgLIIDhy
Mx8o1wf/ROiFY4BoZaa6kEdVwmR8cMJqUc8TLlbvOk1W37tGxMPGu/Y/LjBhRlhf
bbuu521zumWb5+sjZ5bxO5Y1r/jdV96p3nN2ZsiLo+P44kUyJsBrCiSfZU4DTP7n
Cy/vsJYAsHNkqnmxuWy+jISggP1EOHz9ce5LBsD8PFtiQgDkB7MtKnPM6sQ6QC6z
WbcpxeabFqyMjXx76sE1dmh1pTOdPyHCiIJdD0RJp8SIuNbbTBqFvMbYQWH9igoK
B06r8qH9Bg+RtMo3XjvN6XpcfKOLosgeP3rtlfwhdmfdh3Uny/iS2/Xc1s/ncTih
tcnQiJrwVTQBrqcCCuhVgz1K/km6WQ==
=0fxq
-----END PGP SIGNATURE-----