Upstream has released new versions on June 8:
The issue is fixed in versions 0.2.9.11 and 0.2.8.14.
Pushed 0.2.8.14 to core/updates_testing for mga5.
Freeze push requested to update to 0.2.9.11 in Cauldron.
(In reply to Jani Välimaa from comment #2)
> Freeze push requested to update to 0.2.9.11 in Cauldron.
0.2.9.11 pushed to Cauldron.
Updated tor package fixes security vulnerability:
A remotely triggerable assertion failure caused by receiving a BEGIN_DIR cell
on a hidden service rendezvous circuit (CVE-2017-0376).
Updated packages in core/updates_testing:
Thanks Jani! Assigning to QA. Advisory and package in Comment 4.
Testing M5 64 bit
using the procedure in https://bugs.mageia.org/show_bug.cgi?id=19145#c11
Before update: tor-0.2.8.12-1.mga5
After update: tor-0.2.8.14-1.mga5
Started the tor daemon.
Configured Firefox as prescribed:
Preferences - Advanced - Connection, Configure:
Check the 'Configure manually' radio button:
In the bottom line headed SOCKS v5:
enter 'localhost' (no quotes); Port 9050
Check the 'SOCKS v5' radio button below
Confirm OK the changes.
" Congratulations. This browser is configured to use Tor.
Your IP address appears to be: 22.214.171.124
However, it does not appear to be Tor Browser."
Update deemed OK.
[Undo Firefox changes - simply revert to 'No proxy']
MGA5-32 on Asus A6000VM Xfce
No installation issues
Followed above procedure and get same Congratulations from Tor.
Reverted back to normal operation. OK
advisory MGA5-64-OK =>
MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
This update also fixed CVE-2017-0375:
tor new security issue CVE-2017-0376 =>
tor new security issues CVE-2017-0375 and CVE-2017-0376