Bug 21056 - tor new security issues CVE-2017-0375 and CVE-2017-0376
Summary: tor new security issues CVE-2017-0375 and CVE-2017-0376
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5-64-OK MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Reported: 2017-06-10 00:19 CEST by David Walser
Modified: 2017-06-16 23:05 CEST

See Also:
Source RPM: tor-
Status comment:


Description David Walser 2017-06-10 00:19:53 CEST
Upstream has released new versions on June 8:

The issue is fixed in versions and
David Walser 2017-06-10 00:20:00 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Jani Välimaa 2017-06-10 08:45:07 CEST
Pushed to core/updates_testing for mga5.
Comment 2 Jani Välimaa 2017-06-10 08:48:04 CEST
Freeze push requested to update to in Cauldron.
Comment 3 Jani Välimaa 2017-06-10 14:38:43 CEST
(In reply to Jani Välimaa from comment #2)
> Freeze push requested to update to in Cauldron.
pushed to Cauldron.
Comment 4 David Walser 2017-06-10 14:40:06 CEST

Updated tor package fixes security vulnerability:

A remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell
on a hidden service rendezvous circuit (CVE-2017-0376).


Updated packages in core/updates_testing:

from tor-

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 5 David Walser 2017-06-10 14:40:42 CEST
Thanks Jani!  Assigning to QA.  Advisory and package in Comment 4.

CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Dave Hodgins 2017-06-13 05:19:48 CEST

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 6 Lewis Smith 2017-06-13 16:00:04 CEST
Testing M5 64 bit
using the procedure in https://bugs.mageia.org/show_bug.cgi?id=19145#c11
duplicated below.

Before update: tor-
After update: tor-

Started the tor daemon.
Configured Firefox as prescribed:
 Preferences - Advanced - Connection, Configure:
  Check the 'Configure manually' radio button:
   In the bottom line headed SOCKS v5:
    enter 'localhost' (no quotes); Port 9050
   Check the 'SOCKS v5' radio button below
  Confirm OK the changes.

 https://check.torproject.org/ ->
" Congratulations. This browser is configured to use Tor.
Your IP address appears to be:
However, it does not appear to be Tor Browser."

Update deemed OK.
[Undo Firefox changes - simply revert to 'No proxy']

CC: (none) => lewyssmith
Whiteboard: advisory => advisory MGA5-64-OK
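
A scripted form of the first part of the test procedure in Comment 6, added here as an example and not part of the original bug thread: it checks that the updated daemon is listening on localhost port 9050 and answers a SOCKS v5 greeting (RFC 1928). The function names and result strings are assumptions made for illustration; it does not replace the check.torproject.org step, which confirms that traffic actually leaves through Tor.

```python
import socket

SOCKS_VERSION = 0x05    # SOCKS v5, as selected in the Firefox proxy dialog
NO_AUTH = 0x00          # "no authentication required" method
NO_ACCEPTABLE = 0xFF    # server refuses every method the client offered


def parse_method_reply(reply: bytes) -> str:
    """Classify the 2-byte SOCKS5 method-selection reply (hypothetical helper)."""
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        return "not-socks5"
    if reply[1] == NO_AUTH:
        return "ok"
    if reply[1] == NO_ACCEPTABLE:
        return "auth-rejected"
    return "auth-required"


def probe_socks5(host: str = "localhost", port: int = 9050,
                 timeout: float = 3.0) -> str:
    """Return 'ok' when host:port accepts a SOCKS5 no-auth greeting,
    'closed' when nothing is listening, otherwise the parsed result."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Connection refused or timed out: the daemon is not running
        # or is not bound to this address and port.
        return "closed"
    with conn:
        try:
            # Greeting: version 5, one method offered, method 0 (no auth).
            conn.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))
            reply = conn.recv(2)
        except OSError:
            # Something accepted the connection but never answered.
            return "not-socks5"
    return parse_method_reply(reply)


if __name__ == "__main__":
    # Run after installing the update and starting the tor daemon.
    print("SOCKS5 on localhost:9050:", probe_socks5())
```
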

Comment 7 Herman Viaene 2017-06-14 15:22:05 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
Followed above procedure and get same Congratulations from Tor.
Reverted back to normal operation. OK

CC: (none) => herman.viaene
Whiteboard: advisory MGA5-64-OK => MGA5-64-OK MGA5-32-OK advisory

Lewis Smith 2017-06-14 17:21:01 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-06-14 17:53:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Comment 9 David Walser 2017-06-16 23:05:34 CEST
This update also fixed CVE-2017-0375:

Summary: tor new security issue CVE-2017-0376 => tor new security issues CVE-2017-0375 and CVE-2017-0376
