tor 0.3.1.9-1 source package in Ubuntu
Changelog
tor (0.3.1.9-1) unstable; urgency=high * New upstream version, including among others: - Fix a denial of service bug where an attacker could use a malformed directory object to cause a Tor instance to pause while OpenSSL would try to read a passphrase from the terminal. (Tor instances run without a terminal, which is the case for most Tor packages, are not impacted.) Fixes bug 24246; bugfix on every version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720. - Fix a denial of service issue where an attacker could crash a directory authority using a malformed router descriptor. Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010 and CVE-2017-8820. - When checking for replays in the INTRODUCE1 cell data for a (legacy) onion service, correctly detect replays in the RSA- encrypted part of the cell. We were previously checking for replays on the entire cell, but those can be circumvented due to the malleability of Tor's legacy hybrid encryption. This fix helps prevent a traffic confirmation attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 and CVE-2017-8819. - Fix a use-after-free error that could crash v2 Tor onion services when they failed to open circuits while expiring introduction points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is also tracked as TROVE-2017-013 and CVE-2017-8823. - When running as a relay, make sure that we never build a path through ourselves, even in the case where we have somehow lost the version of our descriptor appearing in the consensus. Fixes part of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822. - When running as a relay, make sure that we never choose ourselves as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2017-012 and CVE-2017-8822. * Build-depend on libcap-dev on linux-any so we can build tor with capabilities support to retain the capability to bind to low ports; closes: #882281, #700179. -- Peter Palfrader <email address hidden> Fri, 01 Dec 2017 23:32:58 +0100
Upload details
- Uploaded by:
- Peter Palfrader
- Uploaded to:
- Sid
- Original maintainer:
- Peter Palfrader
- Architectures:
- any all
- Section:
- net
- Urgency:
- Very Urgent
See full publishing history Publishing
Series | Published | Component | Section |
---|
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
tor_0.3.1.9-1.dsc | 1.8 KiB | d767ca3b900a839b03083a0492c0e2d08ddf0bb15bf9323fd1280d1f115714d2 |
tor_0.3.1.9.orig.tar.gz | 5.8 MiB | 6e1b04f7890e782fd56014a0de5075e4ab29b52a35d8bca1f6b80c93f58f3d26 |
tor_0.3.1.9-1.diff.gz | 47.7 KiB | dde9f4b63e0ec28d4d649988a494b0bb0e10897df2cb22268c9b2042f080d59f |
Available diffs
- diff from 0.3.1.8-2 to 0.3.1.9-1 (142.5 KiB)
No changes file available.
Binary packages built by this source
- tor: anonymizing overlay network for TCP
Tor is a connection-based low-latency anonymous communication system.
.
Clients choose a source-routed path through a set of relays, and
negotiate a "virtual circuit" through the network, in which each relay
knows its predecessor and successor, but no others. Traffic flowing
down the circuit is decrypted at each relay, which reveals the
downstream relay.
.
Basically, Tor provides a distributed network of relays. Users bounce
their TCP streams (web traffic, ftp, ssh, etc) around the relays, and
recipients, observers, and even the relays themselves have difficulty
learning which users connected to which destinations.
.
This package enables only a Tor client by default, but it can also be
configured as a relay and/or a hidden service easily.
.
Client applications can use the Tor network by connecting to the local
socks proxy interface provided by your Tor instance. If the application
itself does not come with socks support, you can use a socks client
such as torsocks.
.
Note that Tor does no protocol cleaning on application traffic. There
is a danger that application protocols and associated programs can be
induced to reveal information about the user. Tor depends on Torbutton
and similar protocol cleaners to solve this problem. For best
protection when web surfing, the Tor Project recommends that you use
the Tor Browser Bundle, a standalone tarball that includes static
builds of Tor, Torbutton, and a modified Firefox that is patched to fix
a variety of privacy bugs.
- tor-dbgsym: debug symbols for tor
- tor-geoipdb: GeoIP database for Tor
This package provides a GeoIP database for Tor, i.e. it maps IPv4 addresses
to countries.
.
Bridge relays (special Tor relays that aren't listed in the main Tor
directory) use this information to report which countries they see
connections from. These statistics enable the Tor network operators to
learn when certain countries start blocking access to bridges.
.
Clients can also use this to learn what country each relay is in, so
Tor controllers like arm or Vidalia can use it, or if they want to
configure path selection preferences.