
Accepted tor 0.2.5.16-1 (all source) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat,  2 Dec 2017 16:24:34 CET
Source: tor
Binary: tor tor-dbg tor-geoipdb
Architecture: all source
Version: 0.2.5.16-1
Distribution: jessie-security
Urgency: medium
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description: 
 tor - anonymizing overlay network for TCP
 tor-dbg - debugging symbols for Tor
 tor-geoipdb - GeoIP database for Tor
Changes:
 tor (0.2.5.16-1) jessie-security; urgency=medium
 .
   * New upstream version, including among others:
     - Fix a denial of service bug where an attacker could use a
       malformed directory object to cause a Tor instance to pause while
       OpenSSL would try to read a passphrase from the terminal. (Tor
       instances run without a terminal, which is the case for most Tor
       packages, are not impacted.) Fixes bug 24246; bugfix on every
       version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
       Found by OSS-Fuzz as testcase 6360145429790720.
     - When checking for replays in the INTRODUCE1 cell data for a
       (legacy) onion service, correctly detect replays in the RSA-
       encrypted part of the cell. We were previously checking for
       replays on the entire cell, but those can be circumvented due to
       the malleability of Tor's legacy hybrid encryption. This fix helps
       prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
       0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
       and CVE-2017-8819.
     - When running as a relay, make sure that we never build a path
       through ourselves, even in the case where we have somehow lost the
       version of our descriptor appearing in the consensus. Fixes part
       of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
       as TROVE-2017-012 and CVE-2017-8822.
Checksums-Sha256: 
 822417dea67e2881785a129c1b1ae5cb289fa6ca3b57c07258fa8119486b7aab 1060700 tor-geoipdb_0.2.5.16-1_all.deb
 e5abd95783b0b58ce077f686bf88dae386d0bd8c11b0367084cbb808a6c2e3c2 1776 tor_0.2.5.16-1.dsc
 5a9a28c7ebff6653c346ebaadf95f1fd4b8b47f2c1ceb75f0f60bf64a6ee525f 3796024 tor_0.2.5.16.orig.tar.gz
 c7c5666bac4157d447876322e692386955f2e989e42359e3596529ad005ed57c 35637 tor_0.2.5.16-1.diff.gz
Checksums-Sha1: 
 0ed84c42b340473d023ea5b11662ab04973e9b10 1060700 tor-geoipdb_0.2.5.16-1_all.deb
 c3da4880bb6d6d8020927d02c4d8eb87ab5635c7 1776 tor_0.2.5.16-1.dsc
 10928f2027e80ebe1083e013ca1e170896dbddef 3796024 tor_0.2.5.16.orig.tar.gz
 6f640c70a5b9e7358035b0e0da30bd0f33c34f62 35637 tor_0.2.5.16-1.diff.gz
Files: 
 b0e54f177034a05f5f87e4cfa5edcf72 1060700 net extra tor-geoipdb_0.2.5.16-1_all.deb
 6f3b3cba93ecf938ca7bb9bc84478706 1776 net optional tor_0.2.5.16-1.dsc
 2d0d6da30a06419c307f05210a944ac3 3796024 - - tor_0.2.5.16.orig.tar.gz
 e6dcf1734be47cd6e9efb487cceb8cbf 35637 - - tor_0.2.5.16-1.diff.gz
