** Summary changed: - Security fixes in tor 0.2.0.32 and .33 + Security fixes in tor 0.2.0.32 .33 .34
** Description changed: + Tor 0.2.0.34 contains: + + o Security fixes: + - Fix an infinite-loop bug on handling corrupt votes under certain + circumstances. Bugfix on 0.2.0.8-alpha. + - Fix a temporary DoS vulnerability that could be performed by + a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark. + - Avoid a potential crash on exit nodes when processing malformed + input. Remote DoS opportunity. Bugfix on 0.2.0.33. + - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid. + Spec conformance issue. Bugfix on Tor 0.0.2pre27. + + ----- + Tor 0.2.0.33 comes with the following changelog entry: "Fix a heap-corruption bug that may be remotely triggerable on some platforms" (From http://archives.seul.org/or/announce/Jan-2009/msg00000.html) ----- Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu packages (and maybe other packages) noticed by Theo de Raadt, fixes a smaller security flaw that might allow an attacker to access local services, further improves hidden service performance, and fixes a variety of other issues. o Security fixes: - The "User" and "Group" config options did not clear the supplementary group entries for the Tor process. The "User" option is now more robust, and we now set the groups to the specified user's primary group. The "Group" option is now ignored. For more detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857. - The "ClientDNSRejectInternalAddresses" config option wasn't being consistently obeyed: if an exit relay refuses a stream because its exit policy doesn't allow it, we would remember what IP address the relay said the destination address resolves to, even if it's an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. https://www.torproject.org/svn/trunk/ChangeLog -- Security fixes in tor 0.2.0.32 .33 .34 https://bugs.launchpad.net/bugs/321102 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
