Your message dated Sun, 21 Dec 2025 14:35:07 +0100
with message-id <[email protected]>
and subject line Re: Accepted tor 0.4.8.21-1 (source) into unstable
has caused the Debian Bug report #1115744,
regarding tor: CVE-2025-4444
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1115744: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1115744
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: tor
Version: 0.4.8.16-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for tor.

CVE-2025-4444[0]:
| A security flaw has been discovered in Tor up to 0.4.7.16/0.4.8.17.
| Impacted is an unknown function of the component Onion Service
| Descriptor Handler. Performing manipulation results in resource
| consumption. The attack may be initiated remotely. The attack's
| complexity is rated as high. The exploitability is considered
| difficult. Upgrading to version 0.4.8.18 and 0.4.9.3-alpha is
| recommended to address this issue. It is recommended to upgrade the
| affected component.

I think for stable this can be fixed via upcoming point releases or
piggy-backed later in a future DSA?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-4444
    https://www.cve.org/CVERecord?id=CVE-2025-4444
[1] https://github.com/chunmianwang/Tordos
[2] https://forum.torproject.org/t/alpha-and-stable-release-0-4-8-18-and-0-4-9-3-alpha/20578

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: tor
Source-Version: 0.4.8.21-1

On Sun, Dec 21, 2025 at 11:19:54AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Format: 1.8
> Date: Mon, 17 Nov 2025 15:05:05 -0500
> Source: tor
> Architecture: source
> Version: 0.4.8.21-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Peter Palfrader <[email protected]>
> Changed-By: Jérôme Charaoui <[email protected]>
> Changes:
>  tor (0.4.8.21-1) unstable; urgency=medium
>  .
>    * New upstream version.

This fixes as well #1115744, closing bug manually.

Regards,
Salvatore

--- End Message ---
