tor 0.3.0.13-0ubuntu1~17.10.1 source package in Ubuntu
Changelog
tor (0.3.0.13-0ubuntu1~17.10.1) artful; urgency=medium [ Peter Palfrader ] * Change "AppArmorProfile=system_tor" to AppArmorProfile=-system_tor, causing all errors while switching to the new apparmor profile to be ignored. This is not ideal, but for now it's probably the best solution. Thanks to intrigeri; closes: #880490. [ Simon Deziel ] * New upstream version: 0.3.0.13 (LP: #1731698) - Fix a denial of service bug where an attacker could use a malformed directory object to cause a Tor instance to pause while OpenSSL would try to read a passphrase from the terminal. (Tor instances run without a terminal, which is the case for most Tor packages, are not impacted.) Fixes bug 24246; bugfix on every version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720. - Fix a denial of service issue where an attacker could crash a directory authority using a malformed router descriptor. Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010 and CVE-2017-8820. - When checking for replays in the INTRODUCE1 cell data for a (legacy) onion service, correctly detect replays in the RSA- encrypted part of the cell. We were previously checking for replays on the entire cell, but those can be circumvented due to the malleability of Tor's legacy hybrid encryption. This fix helps prevent a traffic confirmation attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 and CVE-2017-8819. - Fix a use-after-free error that could crash v2 Tor onion services when they failed to open circuits while expiring introduction points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is also tracked as TROVE-2017-013 and CVE-2017-8823. - When running as a relay, make sure that we never build a path through ourselves, even in the case where we have somehow lost the version of our descriptor appearing in the consensus. Fixes part of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822. - When running as a relay, make sure that we never choose ourselves as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822. * New upstream version: 0.3.0.12 - Directory authority changes * New upstream version: 0.3.0.11 - Fix TROVE-2017-008: Stack disclosure in hidden services logs when SafeLogging disabled (CVE-2017-0380) * debian/rules: stop overriding micro-revision.i tor (0.3.0.10-2) UNRELEASED; urgency=medium * apparmor: use Pix instead of PUx for obfs4proxy, giving us better confinement of the child process while actually working with systemd's NoNewPrivileges. (closes: #867342) * Drop versioned dependency on binutils. The version is already newer in all supported Debian and Ubuntu trees, and binutils is in the transitive dependency set of build-essential. Patch by Helmut Grohne. (closes: #873127) * Do not rely on aa-exec and aa-enabled being in /usr/sbin in the SysV init script. This change enables apparmor confinement on some system-V systems again. (closes: #869153) -- Simon Deziel <email address hidden> Sun, 14 Jan 2018 14:15:21 -0500
Upload details
- Uploaded by:
- Simon Déziel
- Sponsored by:
- Stéphane Graber
- Uploaded to:
- Artful
- Original maintainer:
- Ubuntu Developers
- Architectures:
- any all
- Section:
- net
- Urgency:
- Medium Urgency
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
tor_0.3.0.13-0ubuntu1~17.10.1.tar.gz | 5.5 MiB | a1e7dd0e351c42b765cb3c040cc03245cdcf723b846a2e91298a80ea6bb4e715 |
tor_0.3.0.13-0ubuntu1~17.10.1.dsc | 1.9 KiB | 558ab4ca486423f77f7013d2bd94b3abd0a03e1dfb71432000b123a65e528afc |
Available diffs
Binary packages built by this source
- tor: No summary available for tor in ubuntu artful.
No description available for tor in ubuntu artful.
- tor-dbgsym: No summary available for tor-dbgsym in ubuntu artful.
No description available for tor-dbgsym in ubuntu artful.
- tor-geoipdb: No summary available for tor-geoipdb in ubuntu artful.
No description available for tor-geoipdb in ubuntu artful.