| Summary: | tor new versions 0.2.4.26 and 0.2.5.11 fix security issues (CVE-2015-268[89]) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | jani.valimaa, olchal, sysadmin-bugs |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/637570/ | ||
| Whiteboard: | has_procedure advisory MGA4-64-OK MGA4-32-OK | ||
| Source RPM: | tor-0.2.5.10-2.mga5.src.rpm | CVE: | |
| Status comment: | |||
Description

David Walser
2015-03-18 14:47:26 CET

David Walser
2015-03-18 14:47:39 CET

CC: (none) => jani.valimaa

Pushed 0.2.4.26 to core/updates_testing for mga4 and updated to 0.2.5.11 in SVN for mga5. Freeze push request is needed for mga5.

Thanks Jani! I requested the freeze push for Cauldron.

tor-0.2.4.26-1.mga4 from tor-0.2.4.26-1.mga4.src.rpm is the Mageia 4 update.

Testing Procedure:
https://bugs.mageia.org/show_bug.cgi?id=3953#c4

Advisory:
========================

The tor package has been updated to version 0.2.4.26, which fixes possible crashes that may be remotely trigger-able, which would result in a denial of service, and also fixes a few other bugs. See the release announcement for details.

References:
https://lists.torproject.org/pipermail/tor-talk/2015-March/037281.html
========================

Updated packages in core/updates_testing:
========================
tor-0.2.4.26-1.mga4 from tor-0.2.4.26-1.mga4.src.rpm

Version: Cauldron => 4

Testing on Mageia4x64 real hardware, using privoxy

From current package:
--------------------
tor-0.2.4.23-1.mga4

```text
$ tor
Mar 22 17:58:34.507 [notice] Tor v0.2.4.23 (git-598c61362f1b3d3e) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
(...)
Mar 22 17:58:46.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 22 17:58:46.000 [notice] Bootstrapped 100%: Done.
```

Configured firefox to be used with privoxy (privoxy-3.0.21-2.3.mga4)
https://check.torproject.org/
Congratulations. This browser is configured to use Tor.

Stopped tor and privoxy

To updated testing package:
-------------------------
tor-0.2.4.26-1.mga4

```text
$ tor
Mar 22 18:29:38.485 [notice] Tor v0.2.4.26 (git-d461e7036fe5cddf) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
Mar 22 18:29:40.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 22 18:29:40.000 [notice] Bootstrapped 100%: Done.
```

Restarted privoxy and browsed to:
https://check.torproject.org/
Congratulations. This browser is configured to use Tor.

Works OK here.

CC: (none) => olchal

Debian has issued an advisory for this on March 22:
https://lists.debian.org/debian-security-announce/2015/msg00088.html

The DSA will be posted here:
https://www.debian.org/security/2015/dsa-3203

David Walser
2015-03-23 18:51:14 CET

URL: (none) => http://lwn.net/Vulnerabilities/637570/

CVE request for one of the issues fixed in this update:
http://openwall.com/lists/oss-security/2015/03/23/17

CVEs assigned for both DoS issues fixed in this update:
http://openwall.com/lists/oss-security/2015/03/24/21

Advisory:
========================

The tor package has been updated to version 0.2.4.26, which fixes possible crashes that may be remotely trigger-able, which would result in a denial of service (CVE-2015-2688, CVE-2015-2689), and also fixes a few other bugs. See the release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2689
https://lists.torproject.org/pipermail/tor-talk/2015-March/037281.html
http://openwall.com/lists/oss-security/2015/03/24/21

Summary: tor new versions 0.2.4.26 and 0.2.5.11 fix security issues => tor new versions 0.2.4.26 and 0.2.5.11 fix security issues (CVE-2015-268[89])

The tor mailing list message was a "pre-announcement," now the actual announcement has been posted on their blog. Replacing the URL in the advisory.

Advisory:
========================

The tor package has been updated to version 0.2.4.26, which fixes possible crashes that may be remotely trigger-able, which would result in a denial of service (CVE-2015-2688, CVE-2015-2689), and also fixes a few other bugs. See the release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2689
https://blog.torproject.org/blog/tor-02426-and-02511-are-released
http://openwall.com/lists/oss-security/2015/03/24/21

LWN reference with the CVEs:
http://lwn.net/Vulnerabilities/637857/

I notified LWN that they're the same, they'll probably merge the entries.

Testing on Mageia4x32 using same procedure as in comment 4

From current package:
--------------------
tor-0.2.4.23-1.mga4

```text
$ tor
Mar 30 22:19:29.715 [notice] Tor v0.2.4.23 (git-598c61362f1b3d3e) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
(...)
```

To updated testing package:
--------------------------
tor-0.2.4.26-1.mga4

```text
$ tor
Mar 30 22:31:14.775 [notice] Tor v0.2.4.26 (git-d461e7036fe5cddf) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
```

Browsed to:
https://check.torproject.org/
Congratulations. This browser is configured to use Tor.
Your IP address appears to be: 37.187.129.166

OK on Mageia 4 x32

Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK

Validating. Advisory uploaded. Please push to 4 updates

Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0124.html

Status: NEW => RESOLVED
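The testers above validate the update by reading the tor startup banner for the version and waiting for "Bootstrapped 100%: Done." As an added example (not part of this bug report, nor Mageia's or the Tor project's own tooling), the POSIX sh helper below applies those two checks to a captured tor log, treating 0.2.4.26 and 0.2.5.11 from the bug summary as the minimum fixed releases of their series; the sample log lines are constructed, modelled on the ones pasted in the comments.

```shell
#!/bin/sh
# Added QA helper (not from this bug, Mageia or the Tor project): read a captured
# tor startup log, pull the version out of the "Tor vX.Y.Z.W" banner, decide if it
# carries the CVE-2015-2688/2689 fixes (0.2.4.26+ or 0.2.5.11+, per the summary)
# and confirm the client logged "Bootstrapped 100%".

# Constructed sample logs, modelled on the lines the testers pasted.
SAMPLE_OLD='Mar 22 17:58:34.507 [notice] Tor v0.2.4.23 (git-598c61362f1b3d3e) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
Mar 22 17:58:46.000 [notice] Bootstrapped 100%: Done.'
SAMPLE_NEW='Mar 22 18:29:38.485 [notice] Tor v0.2.4.26 (git-d461e7036fe5cddf) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
Mar 22 18:29:40.000 [notice] Bootstrapped 100%: Done.'

# tor_version_from_log LOGTEXT: print the version from the first banner line.
tor_version_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*Tor v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# tor_version_fixed VERSION: succeed if VERSION is at or beyond the fixed
# release of its series; anything outside 0.2.4/0.2.5 counts as not fixed.
tor_version_fixed() {
    series=$(printf '%s' "$1" | cut -d. -f1-3)
    patch=$(printf '%s' "$1" | cut -d. -f4)
    case "$series" in
        0.2.4) [ "${patch:-0}" -ge 26 ] ;;
        0.2.5) [ "${patch:-0}" -ge 11 ] ;;
        *) return 1 ;;
    esac
}

# tor_bootstrapped LOGTEXT: succeed if the client logged "Bootstrapped 100%".
tor_bootstrapped() {
    printf '%s\n' "$1" | grep -q 'Bootstrapped 100%'
}

# check_tor_log LOGTEXT: print a verdict; succeed only when both checks pass.
check_tor_log() {
    v=$(tor_version_from_log "$1")
    if tor_bootstrapped "$1"; then boot=yes; else boot=no; fi
    if tor_version_fixed "$v" && [ "$boot" = yes ]; then
        echo "OK: Tor $v is a fixed release and bootstrapped"
        return 0
    fi
    echo "FAIL: Tor ${v:-?} (need 0.2.4.26+ or 0.2.5.11+), bootstrapped: $boot"
    return 1
}

# Demo: the pre-update log fails, the updated one passes.
check_tor_log "$SAMPLE_OLD" || true
check_tor_log "$SAMPLE_NEW" || true
```

To use it on a real run, capture `tor` output to a file and pass its contents with `check_tor_log "$(cat tor.log)"`.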