Your message dated Fri, 26 Oct 2012 18:51:56 +0100
with message-id <1351273916.5616.5.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#691499: unblock: tor/0.2.3.24-rc-1
has caused the Debian Bug report #691499,
regarding unblock: tor/0.2.3.24-rc-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
691499: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691499
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: freeze-exception

Please unblock package tor.

unblock tor/0.2.3.24-rc-1

Version 0.2.3.24-rc fixes two security issues over the version
currently in testing, 0.2.3.22-rc.  These issues have been assigned
CVE-2012-2249 and CVE-2012-2250.

Debian changelogs:
| tor (0.2.3.24-rc-1) unstable; urgency=high
| 
|   * New upstream version:
|     - Fix a group of remotely triggerable assertion failures related to
|       incorrect link protocol negotiation. Found, diagnosed, and fixed
|       by "some guy from France". Fix for CVE-2012-2250; bugfix on
|       0.2.3.6-alpha.
|     - Fix a denial of service attack by which any directory authority
|       could crash all the others, or by which a single v2 directory
|       authority could crash everybody downloading v2 directory
|       information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
|     - and more.
| 
|  -- Peter Palfrader <wea...@debian.org>  Fri, 26 Oct 2012 09:15:09 +0200
| 
| tor (0.2.3.23-rc-1) unstable; urgency=low
| 
|   * New upstream version:
|     o Major bugfixes (security/privacy):
|       - Disable TLS session tickets. OpenSSL's implementation was giving
|         our TLS session keys the lifetime of our TLS context objects, when
|         perfect forward secrecy would want us to discard anything that
|         could decrypt a link connection as soon as the link connection
|         was closed. Fixes bug 7139; bugfix on all versions of Tor linked
|         against OpenSSL 1.0.0 or later. Found by Florent Daignière.
|       - Discard extraneous renegotiation attempts once the V3 link
|         protocol has been initiated. Failure to do so left us open to
|         a remotely triggerable assertion failure. Fixes CVE-2012-2249;
|         bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
|       - Fix a possible crash bug when checking for deactivated circuits
|         in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
|         bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
|     For other fixes please see the upstream changelog.
| 
|  -- Peter Palfrader <wea...@debian.org>  Sat, 20 Oct 2012 22:27:04 +0200

Full upstream changelog at
https://gitweb.torproject.org/tor.git/blob/release-0.2.3:/ChangeLog

I can prepare full diffs on request.

Cheers,
weasel

--- End Message ---
--- Begin Message ---
On Fri, 2012-10-26 at 14:25 +0200, Peter Palfrader wrote:
> Version 0.2.3.24-rc fixes two security issues over the version
> currently in testing, 0.2.3.22-rc.  These issues have been assigned
> CVE-2012-2249 and CVE-2012-2250.

Unblocked; thanks.

As discussed on IRC, I've also aged the package to need one day in
unstable rather than the two implied by the urgency setting.

Regards,

Adam

--- End Message ---
