Bug 12464

Summary: tor new security issue CVE-2013-7295
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: cazzaniga.sandro, dpremy, fundawang, n54, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/582880/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
Source RPM: tor-0.2.3.25-4.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-01-28 19:24:26 CET 
OpenSuSE has issued an advisory today (January 28):
http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html

The issue is fixed in 0.2.4.20.  Ideally, we should try to keep this package updated always, to ensure effective operation.  Obviously that'd be easier if the package had a maintainer.

Here are the upstream release announcements for 0.2.4.19 and 0.2.4.20:
https://lists.torproject.org/pipermail/tor-talk/2013-December/031392.html
https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html

Those were preceded by some release candidates:
https://lists.torproject.org/pipermail/tor-talk/2013-July/028776.html
https://lists.torproject.org/pipermail/tor-talk/2013-August/029344.html
https://lists.torproject.org/pipermail/tor-talk/2013-September/029857.html
https://lists.torproject.org/pipermail/tor-talk/2013-November/031110.html

which themselves were preceded by some alphas (I don't have links for those).

Reproducible: 

Steps to Reproduce:
David Walser 2014-01-28 19:24:59 CET

CC: (none) => cazzaniga.sandro, fundawang, n54
Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 2 David Walser 2014-02-10 02:35:46 CET 
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated tor package fixes security vulnerability:

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain
HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not
properly generate random numbers for relay identity keys and hidden-service
identity keys, which might make it easier for remote attackers to bypass
cryptographic protection mechanisms via unspecified vectors (CVE-2013-7295).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7295
http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html
========================

Updated packages in core/updates_testing:
========================
tor-0.2.4.20-1.mga3
tor-0.2.4.20-1.mga4

from SRPMS:
tor-0.2.4.20-1.mga3.src.rpm
tor-0.2.4.20-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 claire robinson 2014-02-10 19:46:32 CET 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=3953#c4

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 4 Manuel Hiebel 2014-02-11 18:18:50 CET 
Using above procedure, everything is ok here.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok

Comment 5 Rémi Verschelde 2014-02-11 21:00:58 CET 
Same here on Mageia 4 i586, tor works fine with the procedure from comment 3.

CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 6 David Remy 2014-02-12 04:32:33 CET 
Tested on MGA4 x86_64. Bootstraps, creates circuits and passes data as expected.

CC: (none) => dpremy

Comment 7 claire robinson 2014-02-12 08:51:13 CET 
Testing complete mga3 32 & 64

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 8 Rémi Verschelde 2014-02-12 09:27:38 CET 
Validating update.

Advisory upload. Could a sysadmin push to core/updates for both Mageia 3 and Mageia 4? Thanks!

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 9 Thomas Backlund 2014-02-12 18:45:54 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0059.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED