Upstream has released new versions today (March 18):
https://blog.torproject.org/node/1855

The issues are fixed upstream in 0.3.5.10. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 0.3.5.10
Whiteboard: (none) => MGA7TOO
Debian has issued an advisory for this on March 20: https://www.debian.org/security/2020/dsa-4644
Pushed tor 0.3.5.10 to core/release for cauldron and to core/updates_testing for mga7.
CC: (none) => jani.valimaa
Assignee: jani.valimaa => qa-bugs
Version: Cauldron => 7
Source RPM: tor-0.3.5.9-2.mga8.src.rpm => tor-0.3.5.8-1.mga7
Whiteboard: MGA7TOO => (none)
Advisory:
========================

Updated tor package fixes security vulnerabilities:

Tor before 0.3.5.10 allows remote attackers to cause a Denial of Service (CPU consumption) (CVE-2020-10592).

Tor before 0.3.5.10 allows remote attackers to cause a Denial of Service (memory leak). This occurs in circpad_setup_machine_on_circ because a circuit-padding machine can be negotiated twice on the same circuit (CVE-2020-10593).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10593
https://blog.torproject.org/node/1855
Status comment: Fixed upstream in 0.3.5.10 => (none)
Could you please mention the exact package name, that would save me making a few wrong guesses.

MGA7-64 Plasma on Lenovo B50
No installation issues. Installed tor-0.3.5.10-1.mga7
Ref bug 21740 for testing.

# systemctl start tor
# systemctl -l status tor
● tor.service - Anonymizing overlay network for TCP
   Loaded: loaded (/usr/lib/systemd/system/tor.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-04-10 14:34:25 CEST; 21s ago
  Process: 8378 ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc>
 Main PID: 8379 (tor)
   Memory: 45.2M
   CGroup: /system.slice/tor.service
           └─8379 /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc

After applying the changes in the Firefox settings, I could navigate to the testing site https://check.torproject.org/ and got the green onion and the congratulations.
Seems OK. Logging this after reverting to the normal settings.
Anything more needed???
CC: (none) => herman.viaene
Good enough.
Whiteboard: (none) => MGA7-64-OK
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0165.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED