Accepted tor 0.2.9.14-1 (source) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 02 Dec 2017 15:06:10 +0100
Source: tor
Binary: tor tor-dbg tor-geoipdb
Architecture: source
Version: 0.2.9.14-1
Distribution: stretch-security
Urgency: medium
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description:
tor - anonymizing overlay network for TCP
tor-dbg - debugging symbols for Tor
tor-geoipdb - GeoIP database for Tor
Changes:
tor (0.2.9.14-1) stretch-security; urgency=medium
.
* New upstream version, including among others:
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
identifying and finding a workaround to this bug and to Moritz,
Arthur Edelstein, and Roger for helping to track it down and
analyze it.
- Fix a denial of service bug where an attacker could use a
malformed directory object to cause a Tor instance to pause while
OpenSSL would try to read a passphrase from the terminal. (Tor
instances run without a terminal, which is the case for most Tor
packages, are not impacted.) Fixes bug 24246; bugfix on every
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
Found by OSS-Fuzz as testcase 6360145429790720.
- Fix a denial of service issue where an attacker could crash a
directory authority using a malformed router descriptor. Fixes bug
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
and CVE-2017-8820.
- When checking for replays in the INTRODUCE1 cell data for a
(legacy) onion service, correctly detect replays in the RSA-
encrypted part of the cell. We were previously checking for
replays on the entire cell, but those can be circumvented due to
the malleability of Tor's legacy hybrid encryption. This fix helps
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
and CVE-2017-8819.
- Fix a use-after-free error that could crash v2 Tor onion services
when they failed to open circuits while expiring introduction
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
also tracked as TROVE-2017-013 and CVE-2017-8823.
- When running as a relay, make sure that we never build a path
through ourselves, even in the case where we have somehow lost the
version of our descriptor appearing in the consensus. Fixes part
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
as TROVE-2017-012 and CVE-2017-8822.
Checksums-Sha1:
7b0b6c08d8455c9db109f449aee23c6fb1ab5683 1842 tor_0.2.9.14-1.dsc
3ab4c570b75243be603fa6fcf7a77622b984a0a0 5701086 tor_0.2.9.14.orig.tar.gz
3120329eb3f6089d712c95d7e6281c47bc0e00df 42816 tor_0.2.9.14-1.diff.gz
Checksums-Sha256:
d216d6970f36c32cd961872144061174b8803ee3cd0cc0d91b2f92d467978d98 1842 tor_0.2.9.14-1.dsc
44d9ddca1479f517b74067fe55e919d8d3643645618d5a1f6a5e033765781979 5701086 tor_0.2.9.14.orig.tar.gz
b6b04ae06848b6e5ba726462f0385cd5fb0da6f78c45fd5d3184c6a717a52c12 42816 tor_0.2.9.14-1.diff.gz
Files:
84161ab1722670d682b6b84c34a93169 1842 net optional tor_0.2.9.14-1.dsc
6fddd91f5532a51eb929295bfba31e10 5701086 net optional tor_0.2.9.14.orig.tar.gz
7cca436dc29cd523104ab5155943e510 42816 net optional tor_0.2.9.14-1.diff.gz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEs4PXhajJL968BgN2hgLIIDhyMx8FAloiwKgACgkQhgLIIDhy
Mx/kYgf+JmgmxuKt7cVz8amF6uE/lkief9EWFgVZEubeV98WVgy5PJWA4+PZn6vZ
tkPMd7x8VcF63cZpt0WXn2+DHfS3yR/AJu/h7lqU/sBXr4PmEbrml6SpOGfz2I3R
xPPjOumHjjaASpKSi8mgUvMOCyci1fHdHSv3HR4M/AxxONlG1h4E+COFpXwy1J0a
R5RGPjMeC8O/SQdWGshljqoucnhxgfqyF7bBW9nrc7VyqmRb1uCjOy/DJ/GqZ8ua
6vqxRuUZtrV5vge1feRocEXz3HUSpoOLOJOl76WHSNJRdCN5dw/Mq0onKzRbdBnL
3a5roigUmtas7GZNIYDUiQci2F1nyg==
=wcMe
-----END PGP SIGNATURE-----