Tor 0.2.8.6 has been released on August 2: https://blog.torproject.org/blog/tor-0286-released It has several security fixes/improvements and other changes and should probably be updated.
New version is now available in SVN. http://svnweb.mageia.org/packages?view=revision&revision=1044940
Pushed in Cauldron. Thanks! I suppose we should update this for Mageia 5 too.
Version: Cauldron => 5
Tor 0.2.8.7 has been released on August 24: https://blog.torproject.org/blog/tor-0287-released-important-fixes It looks like it should be updated again.
Summary: tor 0.2.8.6 => tor 0.2.8.7
Tor 0.2.8.8 has been released on September 23: https://blog.torproject.org/blog/tor-0288-released-important-fixes It's just a bugfix release.
Tor 0.2.8.9 has been released on October 17: https://blog.torproject.org/blog/tor-0289-released-important-fixes It fixes another security issue.
Summary: tor 0.2.8.7 => tor 0.2.8.9
(In reply to David Walser from comment #5)
> Tor 0.2.8.9 has been released on October 17:
> https://blog.torproject.org/blog/tor-0289-released-important-fixes
>
> It fixes another security issue.

CVE request:
http://openwall.com/lists/oss-security/2016/10/18/11
Debian has issued an advisory for the issue fixed in 0.2.8.9 on October 18: https://www.debian.org/security/2016/dsa-3694
URL: (none) => http://lwn.net/Vulnerabilities/703977/
(In reply to David Walser from comment #6)
> (In reply to David Walser from comment #5)
> > Tor 0.2.8.9 has been released on October 17:
> > https://blog.torproject.org/blog/tor-0289-released-important-fixes
> >
> > It fixes another security issue.
>
> CVE request:
> http://openwall.com/lists/oss-security/2016/10/18/11

CVE-2016-8860 has been assigned:
http://openwall.com/lists/oss-security/2016/10/19/11
Summary: tor 0.2.8.9 => tor 0.2.8.9 fixes CVE-2016-8860
Pushed 0.2.8.9 to Cauldron and mga5 core/updates_testing.
CC: (none) => jani.valimaa
CVE: (none) => CVE-2016-8860
Assignee: jani.valimaa => qa-bugs
Testing Procedure:
https://bugs.mageia.org/show_bug.cgi?id=3953#c4

Advisory:
========================

Updated tor package fixes security vulnerabilities:

It has been discovered that Tor treats the contents of some buffer chunks as if they were a NUL-terminated string. This issue could enable a remote attacker to crash a Tor client, hidden service, relay, or authority (CVE-2016-8860).

The tor package has been updated to version 0.2.8.9, which fixes this issue and several other bugs, including other security issues fixed in 0.2.8.6. See the release announcements for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8860
https://blog.torproject.org/blog/tor-0286-released
https://blog.torproject.org/blog/tor-0287-released-important-fixes
https://blog.torproject.org/blog/tor-0288-released-important-fixes
https://blog.torproject.org/blog/tor-0289-released-important-fixes
https://www.debian.org/security/2016/dsa-3694
========================

Updated packages in core/updates_testing:
========================
tor-0.2.8.9-1.mga5

from tor-0.2.8.9-1.mga5.src.rpm
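The bug class named in the advisory above, as an added C illustration (not Tor's code and not part of this bug report): a search that trusts NUL termination next to one bounded by the chunk length. `struct chunk`, `find_unsafe`, `find_bounded` and `find_in_sample` are hypothetical names, and the sample bytes are constructed.

```c
/* Added illustration, not Tor source. struct chunk, find_unsafe,
 * find_bounded and find_in_sample are hypothetical names; the sample
 * bytes are constructed. */
#include <stdio.h>
#include <string.h>

/* Length-delimited chunk: only data[0..datalen) belongs to it, and
 * nothing guarantees a NUL byte after the last valid byte. */
struct chunk { size_t datalen; const char *data; };

/* Flawed pattern, shown for contrast and never called: strstr() reads
 * until it meets a NUL, so it ignores datalen and walks past the chunk. */
long find_unsafe(const struct chunk *c, const char *needle) {
    const char *p = strstr(c->data, needle);
    return p ? (long)(p - c->data) : -1;
}

/* Bounded search: every comparison stays inside data[0..datalen). */
long find_bounded(const struct chunk *c, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0) return 0;
    if (n > c->datalen) return -1;
    for (size_t i = 0; i + n <= c->datalen; i++)
        if (memcmp(c->data + i, needle, n) == 0)
            return (long)i;
    return -1;
}

/* Constructed storage with no NUL anywhere: "GET /abc" + "X\r\n\r\nZZZ". */
static const char storage[16] = {
    'G','E','T',' ','/','a','b','c','X','\r','\n','\r','\n','Z','Z','Z'
};

/* Search a chunk that owns only the first len bytes of the storage. */
long find_in_sample(size_t len, const char *needle) {
    struct chunk c = { len, storage };
    return find_bounded(&c, needle);
}

int main(void) {
    /* The blank-line terminator lies outside the 8-byte chunk. */
    printf("8-byte chunk:  %ld\n", find_in_sample(8, "\r\n\r\n"));
    printf("13-byte chunk: %ld\n", find_in_sample(13, "\r\n\r\n"));
    return 0;
}
```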
Whiteboard: (none) => has_procedure
Testing M5-64 real hardware; updated to tor-0.2.8.9-1.mga5. And as a precaution, re-started the Tor daemon.

Configure Firefox to use Tor
---------------------------
Preferences - Advanced - Connection, Configure:
Check the 'Configure manually' radio button:
In the bottom line headed SOCKS v5: enter 'localhost' (no quotes); Port 9050
Check the 'SOCKS v5' radio button below
Confirm OK the changes.
[To revert after testing, undo these changes]

Browsed to https://check.torproject.org/ , saw correctly the page:
"Congratulations. This browser is configured to use Tor. However, it does not appear to be Tor Browser."

This update OK.
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0356.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED