Hi Chuck,

On 2015-07-17 05:56 PM, Chuck Peters wrote:
>
> I am requesting "SRU micro version update exception" for Tor packages. Tor
> packages with security fixes appear to be maintained upstream at
> TorProject.org and Debian. Most of the time I think the Debian packages will
> resolve the Ubuntu security issues. However, because of the timing of the
> release cycles of Debian and Ubuntu, backporting a TorProject.org package
> could occasionally be used to resolve the issue.
>
> Justification:
> It appears that Tor never receives any security updates, or at least it
> hasn't since 2012.
> http://people.canonical.com/~ubuntu-security/cve/pkg/tor.html
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tor
> http://packages.ubuntu.com/search?keywords=tor&searchon=names&suite=all&section=all
> https://packages.debian.org/search?keywords=tor&searchon=names&suite=all&section=all
>
> According to the Security Team wiki [1] the "MOTU Swat team is responsible
> for helping to coordinate community supported updates in Ubuntu". Six days
> ago I emailed all members of the MOTU Swat team (one team member's email
> bounced) about the issue and no one replied.
>
> The primary reason the Tor network exists is to provide people a way to
> improve their "privacy and security on the Internet." [2]
>
> Thanks,
> Chuck
>
> PS.
> The number of CVE issues for each of the supported Ubuntu releases:
>
> Precise: 14
> Trusty: 5
> Utopic: 4
> Vivid: 4
>
> Instructions on installing the TorProject.org packages:
> https://www.torproject.org/docs/debian.html.en
>
> Debian squeeze-lts is understaffed to maintain all of the security issues,
> and it has been updated with tor 0.2.4.27-1~deb6u1.
>
> I backported the unmodified Debian packages and uploaded them to my PPA.
> https://launchpad.net/~cp/+archive/ubuntu/bug-fixes/
>
> 1. https://wiki.ubuntu.com/SecurityTeam
> 2. https://www.torproject.org/about/overview.html.en
>

Due to the nature of Tor, I believe the risk exposed by using Tor packages
that are insecure and don't contain the latest improvements far surpasses the
risk of possibly introducing regressions by updating to the latest version.
For that reason, a big +1 from me.

I will add Tor to the wiki page containing the list of micro-release
exceptions.

Thanks!
Marc.

-- 
technical-board mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/technical-board
