Bug 21740 - tor new security issue CVE-2017-0380
Summary: tor new security issue CVE-2017-0380
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2017-09-19 14:49 CEST by David Walser
Modified: 2017-09-21 15:44 CEST (History)
3 users (show)

See Also:
Source RPM: tor-0.3.0.10-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-09-19 14:49:18 CEST
Upstream has released new versions on September 18:
https://blog.torproject.org/new-tor-stable-releases-02815-02912-03011-fix-onion-service-security-issue

The issue is fixed in versions 0.2.8.15, 0.2.9.12, and 0.3.0.11.

BTW we should have stuck with 0.2.9.x in Cauldron as it is supported through 2020.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-09-19 14:49:27 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO

Comment 1 David Walser 2017-09-20 00:39:10 CEST
Updated packages uploaded by Jani.

Advisory:
========================

Updated tor package fixes security vulnerability:

Due to the code that reports an error during the construction of an
introduction point circuit, it is possible that some hidden services will
sometimes write sensitive information into their logs if the SafeLogging option
is disabled.  Note that SafeLogging is enabled by default (CVE-2017-0380).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0380
https://lists.torproject.org/pipermail/tor-talk/2017-September/043585.html
https://blog.torproject.org/new-tor-stable-releases-02815-02912-03011-fix-onion-service-security-issue
========================

Updated packages in core/updates_testing:
========================
tor-0.2.8.15-1.mga5
tor-0.2.9.12-1.mga6

from SRPMS:
tor-0.2.8.15-1.mga5.src.rpm
tor-0.2.9.12-1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs

Comment 2 Lewis Smith 2017-09-20 09:12:40 CEST
Testing M6/64
for reference https://bugs.mageia.org/show_bug.cgi?id=19145#c11

BEFORE UPDATE installed from issued repos: tor-0.2.9.11-1.mga6

 # systemctl start tor

Configured Firefox:
Preferences - Advanced - Network - Connection, Configure:
  Check the 'Configure manually' radio button:
   In the bottom line headed SOCKS v5:
    enter 'localhost' (no quotes); Port 9050
   Check the 'SOCKS v5' radio button below
  Confirm OK the changes.
[To revert after testing, undo these changes]

Browsed to https://check.torproject.org/ , saw correctly the page:
"Congratulations. This browser is configured to use Tor.
 However, it does not appear to be Tor Browser."

AFTER UPDATE to: tor-0.2.9.12-1.mga6

 # systemctl restart tor

 https://check.torproject.org/ -> correct page as above.
Undo Firefox adaptations. This update OK.

Keywords: (none) => has_procedure
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
CC: (none) => lewyssmith

Comment 3 Lewis Smith 2017-09-20 09:38:49 CEST
Testing M5/64

BEFORE UPDATE: tor-0.2.8.14-1.mga5
AFTER UPDATE: tor-0.2.8.15-1.mga5

Configured Firefox as above for proxy.
 # systemctl restart tor

 https://check.torproject.org/
showed correctly "Congratulations. This browser is configured to use Tor."

Undo Firefox change. In fact it can suffice to just set the top radio button to e.g. No Proxy, which greys but remembers the manually defined details for future use. To confirm the configuration reversion:
 https://check.torproject.org/
shows "Sorry. You are not using Tor."

The update looks good. OKing, validating, advisory.

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-09-21 15:44:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0353.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.