-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 01 Dec 2017 23:30:27 +0100
Source: tor
Binary: tor tor-geoipdb
Architecture: source
Version: 0.3.2.6-alpha-1
Distribution: experimental
Urgency: medium
Maintainer: Peter Palfrader <wea...@debian.org>
Changed-By: Peter Palfrader <wea...@debian.org>
Description:
tor - anonymizing overlay network for TCP
tor-geoipdb - GeoIP database for Tor
Changes:
tor (0.3.2.6-alpha-1) experimental; urgency=medium
.
* New upstream version, including among others:
- Fix a denial of service bug where an attacker could use a
malformed directory object to cause a Tor instance to pause while
OpenSSL would try to read a passphrase from the terminal. (Tor
instances run without a terminal, which is the case for most Tor
packages, are not impacted.) Fixes bug 24246; bugfix on every
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
Found by OSS-Fuzz as testcase 6360145429790720.
- Fix a denial of service issue where an attacker could crash a
directory authority using a malformed router descriptor. Fixes bug
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
and CVE-2017-8820.
- When checking for replays in the INTRODUCE1 cell data for a
(legacy) onion service, correctly detect replays in the RSA-
encrypted part of the cell. We were previously checking for
replays on the entire cell, but those can be circumvented due to
the malleability of Tor's legacy hybrid encryption. This fix helps
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
and CVE-2017-8819.
- Fix a use-after-free error that could crash v2 Tor onion services
when they failed to open circuits while expiring introduction
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
also tracked as TROVE-2017-013 and CVE-2017-8823.
- When running as a relay, make sure that we never build a path
through ourselves, even in the case where we have somehow lost the
version of our descriptor appearing in the consensus. Fixes part
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
as TROVE-2017-012 and CVE-2017-8822.
- When running as a relay, make sure that we never choose ourselves
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
Checksums-Sha1:
8bf9f7ca323ccb635ba10802e6e221fc8d18f9ec 1866 tor_0.3.2.6-alpha-1.dsc
abd4db9f33ac19adbce39f94cc6d8ac8bc9ce9f0 6310498 tor_0.3.2.6-alpha.orig.tar.gz
a31cc4ff31b887dbb53b84f491213d2a4f3cd69b 49024 tor_0.3.2.6-alpha-1.diff.gz
Checksums-Sha256:
f37959c83ce39945aff6622a094bba8508c2dd5276e043e80e23f7e06017d349 1866
tor_0.3.2.6-alpha-1.dsc
6770cf76973dcfc126ce98a7b1bf55cd0dffdacaf77f7389a08218559e9b2280 6310498
tor_0.3.2.6-alpha.orig.tar.gz
5ea5c457b3495b9744146902dea915964ec97663fa51dabb8f51bd7cdacd02ad 49024
tor_0.3.2.6-alpha-1.diff.gz
Files:
42b375af891d8b7317176d84905c0eeb 1866 net optional tor_0.3.2.6-alpha-1.dsc
5fa127de4d6b5730b15886459edd8e2b 6310498 net optional
tor_0.3.2.6-alpha.orig.tar.gz
80f750293dbec70ad5c34bcc19d05bc2 49024 net optional tor_0.3.2.6-alpha-1.diff.gz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEs4PXhajJL968BgN2hgLIIDhyMx8FAloioGgACgkQhgLIIDhy
Mx+z6ggAnqfn+JmwxoADalxTDBWydYbpZSRdJ0O22GfkwuGn7oBEEr89dAQe9HQE
qQoy2LaaUJRULTqdu3uVd6ECeuHDu1yhPVbID9I+PmZSSNxPvuB6cimUv+Tvtbho
xRI7jWxj8v9hFCa6p7Y+kImIvEZH/CBUxcH1Tnwacyr490v1viyDsH1YvkMPkYcN
NL2fDkC9cm32/30qrXpCrSiCeaxOeFhk11EY9DcLwYDLAVBJzzH7fgDegFi1XVm7
/bsRjUm+z5uRU47bNTFyBfOpYH0/afUCG8XJUcGrME3Bz+c7bKcXE5aQ/t3YrVsp
bb8IxXFfNZzKmGUStX3M7t6hvllC8Q==
=rgWV
-----END PGP SIGNATURE-----
