Bug 21740

Summary: tor new security issue CVE-2017-0380
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jani.valimaa, lewyssmith, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Source RPM: tor-0.3.0.10-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2017-09-19 14:49:18 CEST 
Upstream has released new versions on September 18:
https://blog.torproject.org/new-tor-stable-releases-02815-02912-03011-fix-onion-service-security-issue

The issue is fixed in versions 0.2.8.15, 0.2.9.12, and 0.3.0.11.

BTW we should have stuck with 0.2.9.x in Cauldron as it is supported through 2020.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-09-19 14:49:27 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-09-20 00:39:10 CEST 
Updated packages uploaded by Jani.

Advisory:
========================

Updated tor package fixes security vulnerability:

Due to the code that reports an error during the construction of an
introduction point circuit, it is possible that some hidden services will
sometimes write sensitive information into their logs if the SafeLogging option
is disabled.  Note that SafeLogging is enabled by default (CVE-2017-0380).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0380
https://lists.torproject.org/pipermail/tor-talk/2017-September/043585.html
https://blog.torproject.org/new-tor-stable-releases-02815-02912-03011-fix-onion-service-security-issue
========================

Updated packages in core/updates_testing:
========================
tor-0.2.8.15-1.mga5
tor-0.2.9.12-1.mga6

from SRPMS:
tor-0.2.8.15-1.mga5.src.rpm
tor-0.2.9.12-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
Version: Cauldron => 6

Comment 2 Lewis Smith 2017-09-20 09:12:40 CEST 
Testing M6/64
for reference https://bugs.mageia.org/show_bug.cgi?id=19145#c11

BEFORE UPDATE installed from issued repos: tor-0.2.9.11-1.mga6

 # systemctl start tor

Configured Firefox:
Preferences - Advanced - Network - Connection, Configure:
  Check the 'Configure manually' radio button:
   In the bottom line headed SOCKS v5:
    enter 'localhost' (no quotes); Port 9050
   Check the 'SOCKS v5' radio button below
  Confirm OK the changes.
[To revert after testing, undo these changes]

Browsed to https://check.torproject.org/ , saw correctly the page:
"Congratulations. This browser is configured to use Tor.
 However, it does not appear to be Tor Browser."

AFTER UPDATE to: tor-0.2.9.12-1.mga6

 # systemctl restart tor

 https://check.torproject.org/ -> correct page as above.
Undo Firefox adaptations. This update OK.

CC: (none) => lewyssmith
Keywords: (none) => has_procedure
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

Comment 3 Lewis Smith 2017-09-20 09:38:49 CEST 
Testing M5/64

BEFORE UPDATE: tor-0.2.8.14-1.mga5
AFTER UPDATE: tor-0.2.8.15-1.mga5

Configured Firefox as above for proxy.
 # systemctl restart tor

 https://check.torproject.org/
showed correctly "Congratulations. This browser is configured to use Tor."

Undo Firefox change. In fact it can suffice to just set the top radio button to e.g. No Proxy, which greys but remembers the manually defined details for future use. To confirm the configuration reversion:
 https://check.torproject.org/
shows "Sorry. You are not using Tor."

The update looks good. OKing, validating, advisory.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-09-21 15:44:32 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0353.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED