Bug 21056 - tor new security issues CVE-2017-0375 and CVE-2017-0376
Summary: tor new security issues CVE-2017-0375 and CVE-2017-0376
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-06-10 00:19 CEST by David Walser
Modified: 2017-06-16 23:05 CEST

See Also:
Source RPM: tor-0.2.9.10-1.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2017-06-10 00:19:53 CEST
Upstream has released new versions on June 8:
https://blog.torproject.org/blog/tor-0308-released-fix-hidden-services-also-are-02429-02514-02612-0278-02814-and-02911

The issue is fixed in versions 0.2.9.11 and 0.2.8.14.
David Walser 2017-06-10 00:20:00 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Jani Välimaa 2017-06-10 08:45:07 CEST
Pushed 0.2.8.14 to core/updates_testing for mga5.
Comment 2 Jani Välimaa 2017-06-10 08:48:04 CEST
Freeze push requested to update to 0.2.9.11 in Cauldron.
Comment 3 Jani Välimaa 2017-06-10 14:38:43 CEST
(In reply to Jani Välimaa from comment #2)
> Freeze push requested to update to 0.2.9.11 in Cauldron.

0.2.9.11 pushed to Cauldron.
Comment 4 David Walser 2017-06-10 14:40:06 CEST
Advisory:
========================

Updated tor package fixes security vulnerability:

A remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell
on a hidden service rendezvous circuit (CVE-2017-0376).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0376
https://blog.torproject.org/blog/tor-0308-released-fix-hidden-services-also-are-02429-02514-02612-0278-02814-and-02911
========================

Updated packages in core/updates_testing:
========================
tor-0.2.8.14-1.mga5

from tor-0.2.8.14-1.mga5.src.rpm

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 5 David Walser 2017-06-10 14:40:42 CEST
Thanks Jani!  Assigning to QA.  Advisory and package in Comment 4.

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Dave Hodgins 2017-06-13 05:19:48 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 6 Lewis Smith 2017-06-13 16:00:04 CEST
Testing M5 64 bit
using the procedure in https://bugs.mageia.org/show_bug.cgi?id=19145#c11
duplicated below.

Before update: tor-0.2.8.12-1.mga5
After update: tor-0.2.8.14-1.mga5

Started the tor daemon.
Configured Firefox as prescribed:
 Preferences - Advanced - Connection, Configure:
  Check the 'Configure manually' radio button:
   In the bottom line headed SOCKS v5:
    enter 'localhost' (no quotes); Port 9050
   Check the 'SOCKS v5' radio button below
  Confirm OK the changes.

 https://check.torproject.org/ ->
" Congratulations. This browser is configured to use Tor.
Your IP address appears to be: 109.163.234.2
However, it does not appear to be Tor Browser."

Update deemed OK.
[Undo Firefox changes - simply revert to 'No proxy']

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK

Comment 7 Herman Viaene 2017-06-14 15:22:05 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Followed above procedure and get same Congratulations from Tor.
Reverted back to normal operation. OK

CC: (none) => herman.viaene
Whiteboard: advisory MGA5-64-OK => MGA5-64-OK MGA5-32-OK advisory

Lewis Smith 2017-06-14 17:21:01 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-06-14 17:53:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0176.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 David Walser 2017-06-16 23:05:34 CEST
This update also fixed CVE-2017-0375:
https://lists.opensuse.org/opensuse-updates/2017-06/msg00047.html

Summary: tor new security issue CVE-2017-0376 => tor new security issues CVE-2017-0375 and CVE-2017-0376

