Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: pu

Hi,

currently tor 0.2.2.37-1~squeeze+1 is in proposed-updates as discussed in
#679224.

Upstream has released a new security-only update, 0.2.2.38, today:

| Changes in version 0.2.2.38 - 2012-08-12
|   Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
|   fixes a remotely triggerable crash bug; and fixes a timing attack that
|   could in theory leak path information.
|
|   o Security fixes:
|     - Avoid read-from-freed-memory and double-free bugs that could occur
|       when a DNS request fails while launching it. Fixes bug 6480;
|       bugfix on 0.2.0.1-alpha.
|     - Avoid an uninitialized memory read when reading a vote or consensus
|       document that has an unrecognized flavor name. This read could
|       lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
|     - Try to leak less information about what relays a client is
|       choosing to a side-channel attacker. Previously, a Tor client would
|       stop iterating through the list of available relays as soon as it
|       had chosen one, thus finishing a little earlier when it picked
|       a router earlier in the list. If an attacker can recover this
|       timing information (nontrivial but not proven to be impossible),
|       they could learn some coarse-grained information about which relays
|       a client was picking (middle nodes in particular are likelier to
|       be affected than exits). The timing attack might be mitigated by
|       other factors (see bug 6537 for some discussion), but it's best
|       not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.

[ https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes ]

I would like to package this new version as 0.2.2.38-1, and upload it to
squeeze so that we can get these issues fixed in Debian.

May I proceed?

Thanks,
weasel
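The bug 6537 entry above describes a loop that stops as soon as a relay is chosen, so its running time depends on the chosen index. The following is an added illustration, not Tor's code: a bandwidth-weighted pick in the early-exit form beside a version that always walks the whole list, with the relay list and weights constructed for the example and the iteration count standing in for measurable time.

```python
"""Added example (not code from Tor or from this email): the timing
side channel described for bug 6537, modelled on a cumulative-weight
relay pick. Relay names and weights below are constructed."""

from typing import List, Tuple

# Constructed sample relay list: (nickname, bandwidth weight).
RELAYS: List[Tuple[str, int]] = [
    ("alpha", 100), ("bravo", 300), ("charlie", 50),
    ("delta", 500), ("echo", 50),
]


def total_weight(relays: List[Tuple[str, int]]) -> int:
    """Sum of all weights; rand_bw is drawn from [0, total_weight)."""
    return sum(w for _, w in relays)


def choose_early_exit(relays: List[Tuple[str, int]],
                      rand_bw: int) -> Tuple[int, int]:
    """Pre-fix shape: return as soon as the cumulative weight passes
    rand_bw. Returns (chosen_index, iterations); the iteration count
    grows with the chosen index, which is the leak the notes describe."""
    acc = 0
    for i, (_, w) in enumerate(relays):
        acc += w
        if acc > rand_bw:
            return i, i + 1
    # Unreachable for rand_bw < total_weight; fall back to the last relay.
    return len(relays) - 1, len(relays)


def choose_full_scan(relays: List[Tuple[str, int]],
                     rand_bw: int) -> Tuple[int, int]:
    """Post-fix shape: remember the first index whose cumulative weight
    passes rand_bw but keep iterating to the end, so the iteration count
    is the list length regardless of which relay was picked."""
    acc = 0
    chosen = len(relays) - 1
    found = False
    for i, (_, w) in enumerate(relays):
        acc += w
        if not found and acc > rand_bw:
            chosen, found = i, True
    return chosen, len(relays)
```

Both functions pick the same relay for every `rand_bw`; only the work done differs, which is what the fix equalises.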

