tor 0.2.8.12 has been released on December 19, fixing a security issue: https://blog.torproject.org/blog/tor-02812-released Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Debian has issued an advisory for this on December 20: https://www.debian.org/security/2016/dsa-3741
URL: (none) => https://lwn.net/Vulnerabilities/709742/
CVE: (none) => CVE-2016-1254
New version pushed to core/updates_testing for mga5. For cauldron, new version is committed to SVN.
CC: (none) => jani.valimaaAssignee: jani.valimaa => qa-bugs
Please ask for a freeze push
CC: (none) => mageia
(In reply to Nicolas Lécureuil from comment #3) > Please ask for a freeze push Already done and new version is also available for cauldron.
Version: Cauldron => 5Whiteboard: MGA5TOO => (none)
Been using the new tor version for several days without issues. $ rpm -q tor tor-0.2.8.12-1.mga5 $ uname -a Linux marte 4.4.39-desktop-1.mga5 #1 SMP Fri Dec 16 18:43:46 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Can we be a little more definitive as to how this Tor works on Mageia and a procedure to test it. The Mageia rpm does not install Tor specifically. The only procedure we have is from: https://bugs.mageia.org/show_bug.cgi?id=3953#c4 Seems a little overly complex and I'm not quite sure the common user would know how to do all this. I use Tor all the time. The latest being: tor-browser-linux64-6.0.8_en-US.tar.xz 6.0.8 (based on Mozilla Firefox 45.6.0) I then use: http://www.ipchicken.com/ https://check.torproject.org/ to test it. I also add: StrictEntryNodes 1 EntryNodes {fr} StrictExitNodes 1 ExitNodes {nl} to tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc to further control the process. The latest Tor does quite nicely thank you albeit a little slowly. Is it too late to transition all this to just installing Tor from: https://www.torproject.org/download/download.html.en
CC: (none) => wilcal.int
Of course the package installs Tor specifically, what the heck do you think it is? It does not install the "Tor Browser Bundle" as available from their website, but configuring Firefox to use Tor gives you almost the same thing (at least for testing purposes). I'm not sure if the FoxyProxy extension was necessary, but Claire's test procedure is pretty simple (running one command and configuring Firefox to use a SOCKS proxy).
The best and easiest way to start tor is using systemd: systemctl start tor The simplest (not best) way to use Tor is to use it as a SOCKS 5 proxy. With Firefox, changing the network settings is enough to use tor. No extensions are needed. Firefox network settings can be seen/changed by opening this URL: about:preferences#advanced The SOCKS 5 proxy address is 127.0.0.1:9050.
Sorry I should have said that that it does not install the Tor Browser. I just think this is overly complex for the novice user. Do we have a wiki on this thing? Or maybe somewhere there's a page on how to set all this up.
It's not complex at all. PC LX just explained exactly how to set it up.
Configure TOR SOCKS Proxy in Firefox 1. Open menu Edit > Preferences > Advanced > Network > Settings. 2. Select Manual proxy configuration. 3. Enter SOCKS Host: 127.0.0.1 and Port: 9150 and select SOCKS v5 and clear all text in No proxy for: text box. 4. Press OK. http://www.wikihow.com/Use-Tor-With-Firefox
In VirtualBox, M5, KDE, 32-bit Using Firefox https://check.torproject.org/ reports: Sorry. You are not using Tor. Your IP address appears to be: 23.117.228.99 ( which is my IP ) bandwidthplace.com speed check: download: 15.35 Mbps upload: 4.55Mbps ping: 37ms AT&T internal speed check: 28.70 Mbps upload speed: 4.57Mbps Package(s) under test: tor default install of tor [root@localhost wilcal]# urpmi tor Package tor-0.2.8.9-1.mga5.i586 is already installed 1. In Firefox open Edit > Preferences > Advanced > Network > Settings. 2. Select Manual proxy configuration. 3. Enter SOCKS Host: 127.0.0.1 and Port: 9050 and select SOCKS v5, "No proxy for" text box: localhost, 127.0.0.1 4. Press OK. https://check.torproject.org/ reports Congratulations. This browser is configured to use Tor. Your IP address appears to be: 176.126.252.12 and changes ( which is not my IP ) bandwidthplace.com speed check: download: 1.24 Mbps upload: 3.76Mbps Ping: 302ms install tor from updates_testing [root@localhost wilcal]# urpmi tor Package tor-0.2.8.12-1.mga5.i586 is already installed https://check.torproject.org/ reports: Congratulations. This browser is configured to use Tor. Your IP address appears to be: 62.210.81.152 ( changed again ) bandwidthplace.com speed check: download: 0.45 Mbps upload: 3.74Mbps ping: 254ms In Firefox open Edit > Preferences > Advanced > Network > Settings Check "No proxy" I'm back to my real IP and full speed is restored.
Whiteboard: (none) => MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit Using Firefox https://check.torproject.org/ reports: Sorry. You are not using Tor. Your IP address appears to be: 23.117.228.99 ( which is my IP ) bandwidthplace.com speed check: download: 14.37 Mbps upload: 4.54Mbps ping: 36ms AT&T internal speed check: 29.40 Mbps upload speed: 4.00Mbps Package(s) under test: tor default install of tor [root@localhost wilcal]# urpmi tor Package tor-0.2.8.9-1.mga5.x86_64 is already installed 1. In Firefox open Edit > Preferences > Advanced > Network > Settings. 2. Select Manual proxy configuration. 3. Enter SOCKS Host: 127.0.0.1 and Port: 9050 and select SOCKS v5, "No proxy for" text box: localhost, 127.0.0.1 4. Press OK. https://check.torproject.org/ reports Congratulations. This browser is configured to use Tor. Your IP address appears to be: 212.47.253.151 ( which is not my IP ) bandwidthplace.com speed check: download: 3.28 Mbps upload: 0.53Mbps Ping: 349ms install tor from updates_testing [root@localhost wilcal]# urpmi tor Package tor-0.2.8.12-1.mga5.x86_64 is already installed https://check.torproject.org/ reports: Congratulations. This browser is configured to use Tor. Your IP address appears to be: 178.217.187.39 ( changed again ) bandwidthplace.com speed check: download: 4.35 Mbps upload: 3.12Mbps ping: 336ms In Firefox open Edit > Preferences > Advanced > Network > Settings Check "No proxy" I'm back to my real IP and full speed is restored.
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OKCC: (none) => sysadmin-bugs
Advisory please.
CC: (none) => lewyssmith
Advisory: ======================== Updated tor package fixes security vulnerability: It was discovered that Tor, a connection-based low-latency anonymous communication system, may read one byte past a buffer when parsing hidden service descriptors. This issue may enable a hostile hidden service to crash Tor clients depending on hardening options and malloc implementation (CVE-2016-1254). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1254 https://blog.torproject.org/blog/tor-02812-released https://www.debian.org/security/2016/dsa-3741
Thanks David. SRPM version taken from Comment 5.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0008.html
Status: NEW => RESOLVEDResolution: (none) => FIXED