Upstream has released new versions on September 18:
https://blog.torproject.org/new-tor-stable-releases-02815-02912-03011-fix-onion-service-security-issue

The issue is fixed in versions 0.2.8.15, 0.2.9.12, and 0.3.0.11.

BTW we should have stuck with 0.2.9.x in Cauldron as it is supported through 2020.

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Updated packages uploaded by Jani.

Advisory:
========================

Updated tor package fixes security vulnerability:

Due to the code that reports an error during the construction of an introduction point circuit, it is possible that some hidden services will sometimes write sensitive information into their logs if the SafeLogging option is disabled. Note that SafeLogging is enabled by default (CVE-2017-0380).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0380
https://lists.torproject.org/pipermail/tor-talk/2017-September/043585.html
https://blog.torproject.org/new-tor-stable-releases-02815-02912-03011-fix-onion-service-security-issue
========================

Updated packages in core/updates_testing:
========================
tor-0.2.8.15-1.mga5
tor-0.2.9.12-1.mga6

from SRPMS:
tor-0.2.8.15-1.mga5.src.rpm
tor-0.2.9.12-1.mga6.src.rpm
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
Version: Cauldron => 6
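The exposure condition stated in the advisory above (a hidden service, SafeLogging not enabled, a release older than the fixed one in its series), written out as an added example that is not part of the original bug report or of Tor's code. The function names and the sample torrc are constructed; treating any SafeLogging value other than `1` as unprotected, and letting the last SafeLogging line win, are conservative assumptions.

```python
import re

# Fixed releases named in the advisory, keyed by release series.
FIXED = {(0, 2, 8): 15, (0, 2, 9): 12, (0, 3, 0): 11}

# Constructed sample torrc for illustration (paths are made up).
SAMPLE_TORRC = """\
# onion service with log scrubbing turned off
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
SafeLogging 0
"""

def parse_version(text):
    """Return (series, patch) from '0.2.9.11' or a package name like 'tor-0.2.9.11-1.mga6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Tor version found in %r" % text)
    a, b, c, d = map(int, m.groups())
    return (a, b, c), d

def torrc_options(torrc_text):
    """Map lower-cased option name -> list of values, skipping comments and blank lines."""
    opts = {}
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def assess(version_text, torrc_text):
    """Classify a host against the CVE-2017-0380 condition described in the advisory."""
    series, patch = parse_version(version_text)
    if series not in FIXED:
        return "unknown-series"      # the advisory names no fixed release for it
    if patch >= FIXED[series]:
        return "fixed"
    opts = torrc_options(torrc_text)
    runs_onion_service = "hiddenservicedir" in opts
    # SafeLogging is enabled by default; assumption: the last occurrence wins.
    safelogging = opts.get("safelogging", ["1"])[-1]
    if runs_onion_service and safelogging != "1":
        return "exposed"             # logs may already hold sensitive data
    return "vulnerable-version-not-exposed"

if __name__ == "__main__":
    print(assess("tor-0.2.9.11-1.mga6", SAMPLE_TORRC))
```

A result of `exposed` means existing log files on that host are worth reviewing in addition to applying the update.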
Testing M6/64
for reference https://bugs.mageia.org/show_bug.cgi?id=19145#c11

BEFORE UPDATE installed from issued repos: tor-0.2.9.11-1.mga6
# systemctl start tor

Configured Firefox:
Preferences - Advanced - Network - Connection, Configure:
Check the 'Configure manually' radio button:
In the bottom line headed SOCKS v5: enter 'localhost' (no quotes); Port 9050
Check the 'SOCKS v5' radio button below
Confirm OK the changes.
[To revert after testing, undo these changes]

Browsed to https://check.torproject.org/ , saw correctly the page:
"Congratulations. This browser is configured to use Tor.
However, it does not appear to be Tor Browser."

AFTER UPDATE to: tor-0.2.9.12-1.mga6
# systemctl restart tor
https://check.torproject.org/ -> correct page as above.

Undo Firefox adaptations. This update OK.
CC: (none) => lewyssmith
Keywords: (none) => has_procedure
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
Testing M5/64

BEFORE UPDATE: tor-0.2.8.14-1.mga5
AFTER UPDATE: tor-0.2.8.15-1.mga5

Configured Firefox as above for proxy.
# systemctl restart tor
https://check.torproject.org/ showed correctly
"Congratulations. This browser is configured to use Tor."

Undo Firefox change. In fact it can suffice to just set the top radio button to e.g. No Proxy, which greys but remembers the manually defined details for future use.
To confirm the configuration reversion:
https://check.torproject.org/ shows "Sorry. You are not using Tor."

The update looks good. OKing, validating, advisory.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0353.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED