OpenSuSE has issued an advisory today (January 28):
http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html
The issue is fixed in 0.2.4.20.
Ideally, we should try to keep this package updated always, to ensure effective operation. Obviously that'd be easier if the package had a maintainer.
Here are the upstream release announcements for 0.2.4.19 and 0.2.4.20:
https://lists.torproject.org/pipermail/tor-talk/2013-December/031392.html
https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html
Those were preceded by some release candidates:
https://lists.torproject.org/pipermail/tor-talk/2013-July/028776.html
https://lists.torproject.org/pipermail/tor-talk/2013-August/029344.html
https://lists.torproject.org/pipermail/tor-talk/2013-September/029857.html
https://lists.torproject.org/pipermail/tor-talk/2013-November/031110.html
which themselves were preceded by some alphas (I don't have links for those).
CC: (none) => cazzaniga.sandro, fundawang, n54
Whiteboard: (none) => MGA4TOO, MGA3TOO
Alphas links:
https://lists.torproject.org/pipermail/tor-talk/2012-December/026933.html
https://lists.torproject.org/pipermail/tor-talk/2013-January/027048.html
https://lists.torproject.org/pipermail/tor-talk/2013-January/027058.html
https://lists.torproject.org/pipermail/tor-talk/2013-February/027233.html
https://lists.torproject.org/pipermail/tor-talk/2013-March/027563.html
https://lists.torproject.org/pipermail/tor-talk/2013-April/027943.html
https://lists.torproject.org/pipermail/tor-talk/2013-June/028485.html
https://lists.torproject.org/pipermail/tor-talk/2013-June/028600.html
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated tor package fixes security vulnerability:

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for relay identity keys and hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors (CVE-2013-7295).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7295
http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html
========================

Updated packages in core/updates_testing:
========================
tor-0.2.4.20-1.mga3
tor-0.2.4.20-1.mga4

from SRPMS:
tor-0.2.4.20-1.mga3.src.rpm
tor-0.2.4.20-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Procedure: https://bugs.mageia.org/show_bug.cgi?id=3953#c4
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Using above procedure, everything is ok here.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Same here on Mageia 4 i586, tor works fine with the procedure from comment 3.
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Tested on MGA4 x86_64. Bootstraps, creates circuits and passes data as expected.
CC: (none) => dpremy
Testing complete mga3 32 & 64
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating update. Advisory upload. Could a sysadmin push to core/updates for both Mageia 3 and Mageia 4? Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok advisory
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0059.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED