| Summary: | tor 0.2.8.9 fixes CVE-2016-8860 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, jani.valimaa, lewyssmith, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/703977/ | | |
| Whiteboard: | has_procedure MGA5-64-OK advisory | | |
| Source RPM: | tor-0.2.7.6-3.mga6.src.rpm | CVE: | CVE-2016-8860 |
| Status comment: | | | |

Description
David Walser
2016-08-07 20:02:02 CEST
New version is now available in SVN.
http://svnweb.mageia.org/packages?view=revision&revision=1044940

Pushed in Cauldron. Thanks!

I suppose we should update this for Mageia 5 too.

Version: Cauldron => 5

Tor 0.2.8.7 has been released on August 24:
https://blog.torproject.org/blog/tor-0287-released-important-fixes

It looks like it should be updated again.

Summary: tor 0.2.8.6 => tor 0.2.8.7

Tor 0.2.8.8 has been released on September 23:
https://blog.torproject.org/blog/tor-0288-released-important-fixes

It's just a bugfix release.

Tor 0.2.8.9 has been released on October 17:
https://blog.torproject.org/blog/tor-0289-released-important-fixes

It fixes another security issue.

Summary: tor 0.2.8.7 => tor 0.2.8.9

(In reply to David Walser from comment #5)
> Tor 0.2.8.9 has been released on October 17:
> https://blog.torproject.org/blog/tor-0289-released-important-fixes
>
> It fixes another security issue.

CVE request:
http://openwall.com/lists/oss-security/2016/10/18/11

Debian has issued an advisory for the issue fixed in 0.2.8.9 on October 18:
https://www.debian.org/security/2016/dsa-3694

URL: (none) => http://lwn.net/Vulnerabilities/703977/

(In reply to David Walser from comment #6)
> (In reply to David Walser from comment #5)
> > Tor 0.2.8.9 has been released on October 17:
> > https://blog.torproject.org/blog/tor-0289-released-important-fixes
> >
> > It fixes another security issue.
>
> CVE request:
> http://openwall.com/lists/oss-security/2016/10/18/11

CVE-2016-8860 has been assigned:
http://openwall.com/lists/oss-security/2016/10/19/11

Summary: tor 0.2.8.9 => tor 0.2.8.9 fixes CVE-2016-8860

Pushed 0.2.8.9 to Cauldron and mga5 core/updates_testing.

CC: (none) => jani.valimaa

Testing Procedure: https://bugs.mageia.org/show_bug.cgi?id=3953#c4

Advisory:
========================

Updated tor package fixes security vulnerabilities:

It has been discovered that Tor treats the contents of some buffer chunks as
if they were a NUL-terminated string. This issue could enable a remote attacker
to crash a Tor client, hidden service, relay, or authority (CVE-2016-8860).

The tor package has been updated to version 0.2.8.9, which fixes this issue and
several other bugs, including other security issues fixed in 0.2.8.6. See the
release announcements for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8860
https://blog.torproject.org/blog/tor-0286-released
https://blog.torproject.org/blog/tor-0287-released-important-fixes
https://blog.torproject.org/blog/tor-0288-released-important-fixes
https://blog.torproject.org/blog/tor-0289-released-important-fixes
https://www.debian.org/security/2016/dsa-3694
========================

Updated packages in core/updates_testing:
========================
tor-0.2.8.9-1.mga5

from tor-0.2.8.9-1.mga5.src.rpm

Whiteboard: (none) => has_procedure

Testing M5-64 real hardware; updated to tor-0.2.8.9-1.mga5.
And as a precaution, re-started the Tor daemon.
Configure Firefox to use Tor
---------------------------
Preferences - Advanced - Connection, Configure:
Check the 'Configure manually' radio button:
In the bottom line headed SOCKS v5:
enter 'localhost' (no quotes); Port 9050
Check the 'SOCKS v5' radio button below
Confirm OK the changes.
[To revert after testing, undo these changes]
Browsed to https://check.torproject.org/ , saw correctly the page:
"Congratulations. This browser is configured to use Tor.
However, it does not appear to be Tor Browser."
This update OK.

CC: (none) => lewyssmith

Dave Hodgins
2016-10-25 22:42:41 CEST
Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0356.html

Status: NEW => RESOLVED
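
The advisory in this report describes Tor treating the contents of a buffer chunk as a NUL-terminated string. The C code below is an added example of that bug class, not code from Tor or from this report: it contrasts a string-style search with a length-bounded one. The names `arena`, `CHUNK_LEN`, `find_newline_as_cstring`, `find_newline_bounded` and `cstring_search_overreads` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 8 bytes of chunk payload, followed by unrelated bytes
 * that merely sit next to it in memory. The chunk carries no terminating NUL. */
static const char arena[] = "GET / HTadjacent-data\n";
#define CHUNK_LEN 8 /* only arena[0..7] belongs to the chunk */

/* Flawed pattern: assumes the chunk ends in NUL, so the scan only stops at
 * whatever '\n' or NUL happens to follow the chunk in memory. */
long find_newline_as_cstring(const char *data)
{
    const char *nl = strchr(data, '\n');
    return nl ? (long)(nl - data) : -1;
}

/* Bounded pattern: the chunk's recorded length limits the scan. */
long find_newline_bounded(const char *data, size_t datalen)
{
    const char *nl = memchr(data, '\n', datalen);
    return nl ? (long)(nl - data) : -1;
}

/* Returns 1 when the string-style search reports a position that lies
 * outside the chunk, i.e. it has read bytes the chunk does not own. */
int cstring_search_overreads(void)
{
    return find_newline_as_cstring(arena) >= (long)CHUNK_LEN;
}

int main(void)
{
    /* Here the neighbouring bytes are part of the same array, so the
     * over-read is observable without undefined behaviour. On a real heap
     * chunk the scan can run past the allocation, which is how this class
     * of bug turns into a crash. */
    printf("cstring search: offset %ld (chunk is %d bytes)\n",
           find_newline_as_cstring(arena), CHUNK_LEN);
    printf("bounded search: offset %ld\n",
           find_newline_bounded(arena, CHUNK_LEN));
    printf("over-read detected: %d\n", cstring_search_overreads());
    return 0;
}
```
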