Bug 12464 - tor new security issue CVE-2013-7295
Summary: tor new security issue CVE-2013-7295
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/582880/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Reported: 2014-01-28 19:24 CET by David Walser
Modified: 2014-02-12 18:45 CET
CC List: 7 users
Source RPM: tor-0.2.3.25-4.mga4.src.rpm
Description David Walser 2014-01-28 19:24:26 CET
OpenSuSE has issued an advisory today (January 28):
http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html

The issue is fixed in 0.2.4.20.  Ideally, we should try to keep this package updated always, to ensure effective operation.  Obviously that'd be easier if the package had a maintainer.

Here are the upstream release announcements for 0.2.4.19 and 0.2.4.20:
https://lists.torproject.org/pipermail/tor-talk/2013-December/031392.html
https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html

Those were preceded by some release candidates:
https://lists.torproject.org/pipermail/tor-talk/2013-July/028776.html
https://lists.torproject.org/pipermail/tor-talk/2013-August/029344.html
https://lists.torproject.org/pipermail/tor-talk/2013-September/029857.html
https://lists.torproject.org/pipermail/tor-talk/2013-November/031110.html

which themselves were preceded by some alphas (I don't have links for those).

Comment 2 David Walser 2014-02-10 02:35:46 CET
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated tor package fixes security vulnerability:

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain
HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not
properly generate random numbers for relay identity keys and hidden-service
identity keys, which might make it easier for remote attackers to bypass
cryptographic protection mechanisms via unspecified vectors (CVE-2013-7295).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7295
http://lists.opensuse.org/opensuse-updates/2014-01/msg00095.html
========================

Updated packages in core/updates_testing:
========================
tor-0.2.4.20-1.mga3
tor-0.2.4.20-1.mga4

from SRPMS:
tor-0.2.4.20-1.mga3.src.rpm
tor-0.2.4.20-1.mga4.src.rpm
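The advisory above gives the two conditions an operator can read off a host without knowing its CPU model: the Tor version (fixed in 0.2.4.20) and whether HardwareAccel is in effect. The script below is an added example, not code from this bug, from Mageia or from Tor: it parses the banner that `tor --version` prints, compares Tor version strings numerically (so 0.2.4.20 sorts after 0.2.4.3, and -alpha/-rc builds sort before the release), reads a torrc the way Tor does (keywords case-insensitive, `#` comments, last setting wins, a set AccelName implying HardwareAccel), and classifies the host. The "vulnerable" verdict carries the remediation from the upstream 0.2.4.20 announcement linked in the description: upgrade, then discard and regenerate relay and hidden-service identity keys that were generated under that configuration. The banner, the torrc and the version strings in the block are constructed sample inputs; the OpenSSL version and the Sandy/Ivy Bridge CPU check are left to the operator.

```shell
#!/bin/sh
# Added example, not code from the Mageia bug or from Tor itself: classify a
# host's CVE-2013-7295 exposure from the banner `tor --version` prints and
# from its torrc.  The advisory's condition is Tor < 0.2.4.20 with
# HardwareAccel in effect (plus OpenSSL 1.x on a Sandy/Ivy Bridge CPU, which
# this script does not probe).  All inputs below are constructed samples.

# "Tor version 0.2.3.25." -> "0.2.3.25"
tor_version_from_banner() {
  v=${1#"Tor version "}
  printf '%s\n' "${v%.}"
}

# Compare two Tor version strings; prints -1, 0 or 1.  Numeric fields compare
# numerically (so 0.2.4.20 > 0.2.4.3); an -alpha/-rc suffix sorts below the
# bare release and -dev (post-release development) sorts above it.
tor_version_cmp() {
  awk -v a="$1" -v b="$2" '
    function rank(tag) { return tag == "" ? 0 : (tag == "dev" ? 1 : -1) }
    BEGIN {
      na = split(a, pa, "-"); nb = split(b, pb, "-")
      n = split(pa[1], fa, "."); m = split(pb[1], fb, ".")
      for (i = 1; i <= (n > m ? n : m); i++) {
        x = (i <= n) ? fa[i] + 0 : 0
        y = (i <= m) ? fb[i] + 0 : 0
        if (x != y) { r = (x < y) ? -1 : 1; print r; exit }
      }
      ra = rank(na > 1 ? pa[2] : ""); rb = rank(nb > 1 ? pb[2] : "")
      r = (ra < rb) ? -1 : (ra > rb ? 1 : 0); print r
    }'
}

# Exit 0 when the torrc text turns on OpenSSL engine loading: "HardwareAccel 1",
# or an AccelName (Tor's config handling treats a set AccelName as implying
# HardwareAccel).  Keywords are case-insensitive, '#' starts a comment, and
# the last occurrence of a setting wins, as in Tor's own parser.
torrc_hardware_accel_enabled() {
  printf '%s\n' "$1" | awk '
    {
      sub(/#.*/, "")
      k = tolower($1)
      if (k == "hardwareaccel") { accel = ($2 == "1") }
      if (k == "accelname" && $2 != "") { name = 1 }
    }
    END { if (accel || name) exit 0; exit 1 }'
}

# Verdict for one host: "fixed" (Tor >= 0.2.4.20), "vulnerable" (older Tor with
# acceleration on: upgrade, then discard and regenerate relay and hidden-service
# identity keys as the upstream 0.2.4.20 announcement advises), or
# "not-exposed" (older Tor, acceleration off: still upgrade).
cve_2013_7295_status() {
  if [ "$(tor_version_cmp "$1" 0.2.4.20)" -ge 0 ]; then
    echo fixed
  elif torrc_hardware_accel_enabled "$2"; then
    echo vulnerable
  else
    echo not-exposed
  fi
}

# Constructed sample inputs: the Mageia 4 package version from this bug, and a
# relay torrc with acceleration switched on.
SAMPLE_BANNER='Tor version 0.2.3.25.'
SAMPLE_TORRC='ORPort 9001
# HardwareAccel 1      <- commented out, so not in effect
hardwareaccel 1        # keyword is case-insensitive
HiddenServiceDir /var/lib/tor/hidden_service/'

main() {
  v=$(tor_version_from_banner "$SAMPLE_BANNER")
  printf 'tor %s: %s\n' "$v" "$(cve_2013_7295_status "$v" "$SAMPLE_TORRC")"
}
main
```

On a real host, feed `tor_version_from_banner "$(tor --version)"` and `cve_2013_7295_status "$v" "$(cat /etc/tor/torrc)"` instead of the samples; the version comparison is deliberately its own function so the same script can be pointed at a different fixed version for later Tor advisories.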
Comment 3 claire robinson 2014-02-10 19:46:32 CET
Procedure: https://bugs.mageia.org/show_bug.cgi?id=3953#c4
Comment 4 Manuel Hiebel 2014-02-11 18:18:50 CET
Using above procedure, everything is ok here.
Comment 5 Rémi Verschelde 2014-02-11 21:00:58 CET
Same here on Mageia 4 i586, tor works fine with the procedure from comment 3.
Comment 6 David Remy 2014-02-12 04:32:33 CET
Tested on MGA4 x86_64. Bootstraps, creates circuits and passes data as expected.
Comment 7 claire robinson 2014-02-12 08:51:13 CET
Testing complete mga3 32 & 64
Comment 8 Rémi Verschelde 2014-02-12 09:27:38 CET
Validating update.

Advisory upload. Could a sysadmin push to core/updates for both Mageia 3 and Mageia 4? Thanks!
Comment 9 Thomas Backlund 2014-02-12 18:45:54 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0059.html
