Upstream has announced version 0.2.4.26 and 0.2.5.11 on March 17:
https://lists.torproject.org/pipermail/tor-talk/2015-March/037281.html

Mageia 4 should be updated to 0.2.4.26 and Mageia 5 should be updated to 0.2.5.11.
CC: (none) => jani.valimaa
Whiteboard: (none) => MGA5TOO, MGA4TOO
Pushed 0.2.4.26 to core/updates_testing for mga4 and updated to 0.2.5.11 in SVN for mga5. Freeze push request is needed for mga5.
Thanks Jani! I requested the freeze push for Cauldron.

tor-0.2.4.26-1.mga4 from tor-0.2.4.26-1.mga4.src.rpm is the Mageia 4 update.
Testing Procedure: https://bugs.mageia.org/show_bug.cgi?id=3953#c4

Advisory:
========================

The tor package has been updated to version 0.2.4.26, which fixes possible crashes that may be remotely triggerable, which would result in a denial of service, and also fixes a few other bugs. See the release announcement for details.

References:
https://lists.torproject.org/pipermail/tor-talk/2015-March/037281.html
========================

Updated packages in core/updates_testing:
========================
tor-0.2.4.26-1.mga4 from tor-0.2.4.26-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => has_procedure
Testing on Mageia4x64 real hardware, using privoxy

From current package:
--------------------
tor-0.2.4.23-1.mga4

$ tor
Mar 22 17:58:34.507 [notice] Tor v0.2.4.23 (git-598c61362f1b3d3e) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
(...)
Mar 22 17:58:46.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 22 17:58:46.000 [notice] Bootstrapped 100%: Done.

Configured firefox to be used with privoxy (privoxy-3.0.21-2.3.mga4)
https://check.torproject.org/
Congratulations. This browser is configured to use Tor.

Stopped tor and privoxy

To updated testing package:
-------------------------
tor-0.2.4.26-1.mga4

$ tor
Mar 22 18:29:38.485 [notice] Tor v0.2.4.26 (git-d461e7036fe5cddf) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
Mar 22 18:29:40.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 22 18:29:40.000 [notice] Bootstrapped 100%: Done.

Restarted privoxy and browsed to:
https://check.torproject.org/
Congratulations. This browser is configured to use Tor.

Works OK here.
CC: (none) => olchal
Whiteboard: has_procedure => has_procedure MGA4-64-OK
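As an added example (not code from this bug report, Mageia or the Tor project), a small Python helper that applies the check from comment 4 to a captured tor startup log: it reads the running version from the notice line, compares it with the fixed release of its own branch (0.2.4.26 for 0.2.4.x, 0.2.5.11 for 0.2.5.x, as stated above) and confirms that bootstrap reached 100%. The sample logs are constructed from the excerpts above; the branch table and function names are assumptions of this example.

```python
import re

# Fixed releases named in this bug report, keyed by Tor branch (first three
# components): 0.2.4.26 is the Mageia 4 update, 0.2.5.11 the Mageia 5 one.
# Assumed table for this example; extend it if newer branches matter to you.
FIXED_BY_BRANCH = {
    (0, 2, 4): (0, 2, 4, 26),
    (0, 2, 5): (0, 2, 5, 11),
}

# Matches the startup notice, e.g. "[notice] Tor v0.2.4.23 (git-598c61362f1b3d3e)".
VERSION_LINE = re.compile(r"\[notice\] Tor v(\d+(?:\.\d+){2,})(?:\s+\(git-[0-9a-f]+\))?")
BOOTSTRAP_DONE = "[notice] Bootstrapped 100%: Done."


def parse_version(log_text):
    """Extract the running Tor version from its startup notice as an int tuple."""
    match = VERSION_LINE.search(log_text)
    return tuple(int(part) for part in match.group(1).split(".")) if match else None


def is_fixed_release(version):
    """True if version is at or above the fixed release of its own branch.
    Returns None for branches this report does not cover; versions are only
    compared within a branch, since 0.2.5.10 > 0.2.4.26 numerically but is
    still below its branch's fix (0.2.5.11)."""
    fixed = FIXED_BY_BRANCH.get(version[:3])
    return None if fixed is None else version >= fixed


def assess(log_text):
    """Summarise a captured 'tor' startup log: version, fix status, bootstrap."""
    version = parse_version(log_text)
    return {
        "version": ".".join(map(str, version)) if version else None,
        "fixed": is_fixed_release(version) if version else None,
        "bootstrapped": BOOTSTRAP_DONE in log_text,
    }


# Constructed samples modelled on the before/after excerpts in comment 4.
OLD_LOG = """Mar 22 17:58:34.507 [notice] Tor v0.2.4.23 (git-598c61362f1b3d3e) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
Mar 22 17:58:46.000 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Mar 22 17:58:46.000 [notice] Bootstrapped 100%: Done."""

NEW_LOG = """Mar 22 18:29:38.485 [notice] Tor v0.2.4.26 (git-d461e7036fe5cddf) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
Mar 22 18:29:40.000 [notice] Bootstrapped 100%: Done."""

if __name__ == "__main__":
    for name, log in (("before", OLD_LOG), ("after", NEW_LOG)):
        print(name, assess(log))
```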
Debian has issued an advisory for this on March 22:
https://lists.debian.org/debian-security-announce/2015/msg00088.html

The DSA will be posted here:
https://www.debian.org/security/2015/dsa-3203
URL: (none) => http://lwn.net/Vulnerabilities/637570/
CVE request for one of the issues fixed in this update: http://openwall.com/lists/oss-security/2015/03/23/17
CVEs assigned for both DoS issues fixed in this update:
http://openwall.com/lists/oss-security/2015/03/24/21

Advisory:
========================

The tor package has been updated to version 0.2.4.26, which fixes possible crashes that may be remotely triggerable, which would result in a denial of service (CVE-2015-2688, CVE-2015-2689), and also fixes a few other bugs. See the release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2689
https://lists.torproject.org/pipermail/tor-talk/2015-March/037281.html
http://openwall.com/lists/oss-security/2015/03/24/21
Summary: tor new versions 0.2.4.26 and 0.2.5.11 fix security issues => tor new versions 0.2.4.26 and 0.2.5.11 fix security issues (CVE-2015-268[89])
The tor mailing list message was a "pre-announcement"; now the actual announcement has been posted on their blog. Replacing the URL in the advisory.

Advisory:
========================

The tor package has been updated to version 0.2.4.26, which fixes possible crashes that may be remotely triggerable, which would result in a denial of service (CVE-2015-2688, CVE-2015-2689), and also fixes a few other bugs. See the release announcement for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2689
https://blog.torproject.org/blog/tor-02426-and-02511-are-released
http://openwall.com/lists/oss-security/2015/03/24/21
LWN reference with the CVEs: http://lwn.net/Vulnerabilities/637857/

I notified LWN that they're the same; they'll probably merge the entries.
Testing on Mageia4x32 using same procedure as in comment 4

From current package:
--------------------
tor-0.2.4.23-1.mga4

$ tor
Mar 30 22:19:29.715 [notice] Tor v0.2.4.23 (git-598c61362f1b3d3e) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.
(...)

To updated testing package:
--------------------------
tor-0.2.4.26-1.mga4

$ tor
Mar 30 22:31:14.775 [notice] Tor v0.2.4.26 (git-d461e7036fe5cddf) running on Linux with Libevent 2.0.21-stable and OpenSSL 1.0.1m.

Browsed to:
https://check.torproject.org/
Congratulations. This browser is configured to use Tor.
Your IP address appears to be: 37.187.129.166

OK on Mageia 4 x32
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0124.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED