On 20/04/15 01:42, [email protected] wrote:
> Are you planning on a security release prior to 1.4?

I can't speak for the whole Tails project, but my guess is "no".

> There are several packages since 1.3.2 which should be updated now
> before the 1.4 release. Tor Browser is just one of many.

Tor Browser 4.0.8 essentially only ships a newer Tor (0.2.5.12), and the only really relevant fix (due to the supported Tails use cases) is the one for the client-side crash when accessing malicious hidden services, CVE-2015-2929. Obviously, it can be used to DoS the Tails user, which isn't so bad when stated simply like that, but since a complete Tor client crash is involved, a malicious exit node operator could do worse.

Example: A Tails 1.3.2 user (so Tor 0.2.5.11) and the attacker are both connected to the same IRC channel. The Tails user makes an HTTP (not HTTPS!) fetch of some (non-HS) website, and happens to pick the attacker's exit node, which injects a request to some object on a HS that makes the Tor client crash via CVE-2015-2929. By comparing the "ping timeout" message timing on the IRC channel with the time of the Tor client crash the HS caused, the attacker can correlate that IRC user to the HTTP fetch.

Of course, this can be generalized to (instead of IRC) any service that makes connection status public, and (instead of HTTP) any protocol that doesn't use effective end-to-end authentication *and* where one can inject requests (or redirect) to the crashing HS.

While this is pretty bad, and something that would be great to fix ASAP in a Tails 1.3.3, my feeling is still that this correlation attack is pretty circumstantial and hence unlikely to actually be used effectively in the wild.

> In addition, when browsing the changelog for 1.3.2, I notice there
> were not any listing of changes to several packages which Debian
> updated on their site. Usually you cover updating of security updates
> and provide package names and links (advisories) accordingly. Were
> these other packages updated in 1.3.2?

1.3.2 happened shortly after 1.3.1, so most such changes are listed there (also see the 1.3 and 1.3.1 security announcements). Tails 1.3.2 was built on March 30th, and has all Debian security fixes available at that point. The DSAs since then do not look severe, or am I missing anything?

> Please consider a 1.3.3 release to fix several security issues before
> the long wait to 1.4.

Unless it's explained to us why staying on Tor 0.2.5.11 is worse than we think, or some other vulnerability is discovered, I do not think this will happen. Preparing and releasing a Tails release is simply too much work to justify it with our current understanding of these issues, so that time is better spent on improving Tails 1.4, and automating our release process so same-day security fixes will be cheap one day.

Cheers!
