** Summary changed:

- Tor packages too old
+ Security fixes in tor 0.2.0.32 and .33

** Description changed:

- Tor packages do not seem to be updated in Ubuntu. The list
- http://packages.ubuntu.com/search?keywords=tor
- contains only outdated packages. My 8.04installs package tor 0.1.2.19-2, which is one year old by now.
- This is very bad as Tor is security software, and new versions frequently fix security issues.
-
- E.g., the latest version as of this writing (21 January 2009: Tor 0.2.0.33) comes with the following
- changelog entry: "Fix a heap-corruption bug that may be remotely triggerable on some platforms"
+ Tor 0.2.0.33 comes with the following changelog entry: "Fix a heap-corruption bug that may be remotely triggerable on some platforms"
  (From http://archives.seul.org/or/announce/Jan-2009/msg00000.html)

- In my view, Tor should either be removed from Ubuntu or updated
- regularly.
+ -----

- Thanks
- Jens
+ Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
+ packages (and maybe other packages) noticed by Theo de Raadt, fixes
+ a smaller security flaw that might allow an attacker to access local
+ services, further improves hidden service performance, and fixes a
+ variety of other issues.
+
+ o Security fixes:
+ - The "User" and "Group" config options did not clear the
+ supplementary group entries for the Tor process. The "User" option
+ is now more robust, and we now set the groups to the specified
+ user's primary group. The "Group" option is now ignored. For more
+ detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
+ in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
+ and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
+ - The "ClientDNSRejectInternalAddresses" config option wasn't being
+ consistently obeyed: if an exit relay refuses a stream because its
+ exit policy doesn't allow it, we would remember what IP address
+ the relay said the destination address resolves to, even if it's
+ an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
+
+ https://www.torproject.org/svn/trunk/ChangeLog

** Bug watch added: Debian Bug tracker #512728
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512728

** Also affects: tor (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=512728
   Importance: Unknown
   Status: Unknown

--
Security fixes in tor 0.2.0.32 and .33
https://bugs.launchpad.net/bugs/321102
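
Added example, not part of the bug report and not Tor's own code: the 0.2.0.32 "User"/"Group" entry quoted above concerns a process that switches user but keeps its supplementary groups. The C program below drops to a named account in the order setgroups, setgid, setuid and then verifies the result; the function names drop_privileges and extra_groups are assumptions made for this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Count entries in a group list that differ from the primary gid.
 * After a correct privilege drop this must be 0. */
int extra_groups(gid_t primary, const gid_t *list, int n)
{
    int extra = 0;
    for (int i = 0; i < n; i++)
        if (list[i] != primary)
            extra++;
    return extra;
}

/* Switch to `user` (hypothetical helper). Returns 0 on success, -1 on failure. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    gid_t primary = pw->pw_gid;
    uid_t uid = pw->pw_uid;

    /* Order matters: replace the group list while still privileged. */
    if (setgroups(1, &primary) != 0) return -1;
    if (setgid(primary) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify: root must not be regainable and no other group may remain. */
    if (uid != 0 && setuid(0) == 0) return -1;
    gid_t now[64];
    int n = getgroups(64, now);
    if (n < 0 || extra_groups(primary, now, n) != 0) return -1;
    if (getuid() != uid || getgid() != primary) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s USER\n", argv[0]); return 2; }
    if (drop_privileges(argv[1]) != 0) { fprintf(stderr, "privilege drop failed\n"); return 1; }
    printf("running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

The program has to be started as root; from an unprivileged account setgroups fails and drop_privileges returns -1.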
