Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: freeze-exception

Please unblock package tor.

unblock tor/0.2.3.24-rc-1

Version 0.2.3.24-rc fixes two security issues over the version
currently in testing, 0.2.3.22-rc.  These issues have been assigned
CVE-2012-2249 and CVE-2012-2250.

Debian changelogs:
| tor (0.2.3.24-rc-1) unstable; urgency=high
| 
|   * New upstream version:
|     - Fix a group of remotely triggerable assertion failures related to
|       incorrect link protocol negotiation. Found, diagnosed, and fixed
|       by "some guy from France". Fix for CVE-2012-2250; bugfix on
|       0.2.3.6-alpha.
|     - Fix a denial of service attack by which any directory authority
|       could crash all the others, or by which a single v2 directory
|       authority could crash everybody downloading v2 directory
|       information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
|     - and more.
| 
|  -- Peter Palfrader <wea...@debian.org>  Fri, 26 Oct 2012 09:15:09 +0200
| 
| tor (0.2.3.23-rc-1) unstable; urgency=low
| 
|   * New upstream version:
|     o Major bugfixes (security/privacy):
|       - Disable TLS session tickets. OpenSSL's implementation was giving
|         our TLS session keys the lifetime of our TLS context objects, when
|         perfect forward secrecy would want us to discard anything that
|         could decrypt a link connection as soon as the link connection
|         was closed. Fixes bug 7139; bugfix on all versions of Tor linked
|         against OpenSSL 1.0.0 or later. Found by Florent Daignière.
|       - Discard extraneous renegotiation attempts once the V3 link
|         protocol has been initiated. Failure to do so left us open to
|         a remotely triggerable assertion failure. Fixes CVE-2012-2249;
|         bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
|       - Fix a possible crash bug when checking for deactivated circuits
|         in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
|         bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
|     For other fixes please see the upstream changelog.
| 
|  -- Peter Palfrader <wea...@debian.org>  Sat, 20 Oct 2012 22:27:04 +0200

Full upstream changelog at
https://gitweb.torproject.org/tor.git/blob/release-0.2.3:/ChangeLog

I can prepare full diffs on request.

Cheers,
weasel

