Upstream has released new versions on June 8:
https://blog.torproject.org/blog/tor-0308-released-fix-hidden-services-also-are-02429-02514-02612-0278-02814-and-02911

The issue is fixed in versions 0.2.9.11 and 0.2.8.14.
Whiteboard: (none) => MGA5TOO
Pushed 0.2.8.14 to core/updates_testing for mga5.
Freeze push requested to update to 0.2.9.11 in Cauldron.
(In reply to Jani Välimaa from comment #2)
> Freeze push requested to update to 0.2.9.11 in Cauldron.

0.2.9.11 pushed to Cauldron.
Advisory:
========================

Updated tor package fixes security vulnerability:

A remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell on a hidden service rendezvous circuit (CVE-2017-0376).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0376
https://blog.torproject.org/blog/tor-0308-released-fix-hidden-services-also-are-02429-02514-02612-0278-02814-and-02911
========================

Updated packages in core/updates_testing:
========================
tor-0.2.8.14-1.mga5

from tor-0.2.8.14-1.mga5.src.rpm
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
Thanks Jani! Assigning to QA. Advisory and package in Comment 4.
CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Testing M5 64 bit using the procedure in https://bugs.mageia.org/show_bug.cgi?id=19145#c11 duplicated below.

Before update: tor-0.2.8.12-1.mga5
After update: tor-0.2.8.14-1.mga5

Started the tor daemon.
Configured Firefox as prescribed:
Preferences - Advanced - Connection, Configure:
Check the 'Configure manually' radio button:
In the bottom line headed SOCKS v5: enter 'localhost' (no quotes); Port 9050
Check the 'SOCKS v5' radio button below
Confirm OK the changes.

https://check.torproject.org/ ->
"Congratulations. This browser is configured to use Tor.
Your IP address appears to be: 109.163.234.2
However, it does not appear to be Tor Browser."

Update deemed OK.
[Undo Firefox changes - simply revert to 'No proxy']
CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK
MGA5-32 on Asus A6000VM Xfce
No installation issues
Followed above procedure and get same Congratulations from Tor.
Reverted back to normal operation.
OK
Whiteboard: advisory MGA5-64-OK => MGA5-64-OK MGA5-32-OK advisory
CC: (none) => herman.viaene
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
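The QA procedure from the test reports above, as a command-line check (an added example, not part of the original bug comments or of Mageia's QA tooling). It classifies the installed tor version against the fixed releases named in this bug and asks the check service through the local SOCKS port; the JSON endpoint https://check.torproject.org/api/ip and its "IsTor" field are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: QA helper for the tor update validated in this bug.
# Fixed releases named on this page, one per release series.
FIXED_RELEASES="0.2.8.14 0.2.9.11"

# Print "fixed", "unfixed" or "unknown" for a tor version such as 0.2.8.12.
# Compared per series: 0.2.9.10 is newer than 0.2.8.14 but still unfixed.
tor_fix_status() {
    series=${1%.*}      # 0.2.8.12 -> 0.2.8
    patch=${1##*.}      # 0.2.8.12 -> 12
    case $patch in ''|*[!0-9]*) echo unknown; return ;; esac
    for fixed in $FIXED_RELEASES; do
        if [ "${fixed%.*}" = "$series" ]; then
            if [ "$patch" -ge "${fixed##*.}" ]; then echo fixed; else echo unfixed; fi
            return
        fi
    done
    echo unknown        # series not covered by the versions on this page
}

# Return 0 if the check service's JSON body reports that the request came via Tor.
# Assumed response shape: {"IsTor":true,"IP":"..."}
reports_tor() {
    printf '%s' "$1" | grep -Eq '"IsTor"[[:space:]]*:[[:space:]]*true'
}

# Live check: needs rpm, curl and a running tor daemon on localhost:9050.
qa_check() {
    ver=$(rpm -q --qf '%{VERSION}' tor) || return 2
    echo "tor $ver: $(tor_fix_status "$ver")"
    body=$(curl -s --max-time 30 --socks5-hostname localhost:9050 \
        https://check.torproject.org/api/ip) || return 3
    if reports_tor "$body"; then
        echo "check.torproject.org: traffic exits via Tor"
    else
        echo "check.torproject.org: NOT using Tor"
        return 1
    fi
}

# Only touch the network when asked to: sh tor-qa.sh --live
if [ "${1:-}" = "--live" ]; then qa_check; fi
```

Using --socks5-hostname makes curl resolve the hostname through the proxy as well, so the check does not leak a local DNS lookup.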
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0176.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed CVE-2017-0375: https://lists.opensuse.org/opensuse-updates/2017-06/msg00047.html
Summary: tor new security issue CVE-2017-0376 => tor new security issues CVE-2017-0375 and CVE-2017-0376