There are 2 new security issues in tor.
https://blog.torproject.org/node/2009
https://bugs.torproject.org/tpo/core/tor/40316
https://bugs.torproject.org/tpo/core/tor/40286

This is fixed in mga 7/8 src:
- tor-0.3.5.14-1.mga7
- tor-0.3.5.14-1.mga8
Thanks for doing this; assigning the bug to you as a reward!
Assignee: bugsquad => mageia
Source RPM: tor => tor-0.3.5.14-1.mga7, tor-0.3.5.14-1.mga8
Whiteboard: (none) => MGA7TOO
Why? This is ready for QA.
assigning for QA as packages are in updates_testing
Assignee: mageia => qa-bugs
Summary: Security fixes in tor ( CVE-2021-28089/CVE-2021-28090 ) => tor new security issues fixed upstream in 0.3.5.14 (CVE-2021-28089, CVE-2021-28090)
Source RPM: tor-0.3.5.14-1.mga7, tor-0.3.5.14-1.mga8 => tor-0.3.5.12-1.mga7.src.rpm, tor-0.3.5.12-1.mga8.src.rpm
Advisory:
========================

Updated tor package fixes security vulnerabilities:

The dump_desc() function that we used to dump unparseable information to disk, was called incorrectly in several places, in a way that could lead to excessive CPU usage (CVE-2021-28089).

A bug in appending detached signatures to a pending consensus document could be used to crash a directory authority (CVE-2021-28090).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28089
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28090
https://blog.torproject.org/node/2009
Installation of TOR on M8 XFCE.

Update with QA repo and:

tor-0.3.5.14-1.mga8

No problem at installation and TOR runs without error codes.

I don't know enough about the software to properly evaluate how it works. Can you tell me what to do to know how to evaluate it?
CC: (none) => guillaume.royer
Installed and tested without issues.

Tested:
- protocols: HTTP(S), IMAP, POP, DNS over SOCKS5;
- clients: curl, waterfox, fetchmail, trojita;
- method: explicit SOCKS5 proxy configuration, torsocks;
- onion domains.

$ curl --silent https://check.torproject.org/ | egrep 'Congratulations|Sorry' | uniq
Sorry. You are not using Tor.
$ curl --silent --proxy socks5h://127.0.0.1:9050 https://check.torproject.org/ | egrep 'Congratulations|Sorry' | uniq
Congratulations. This browser is configured to use Tor.
$ torsocks curl --silent https://check.torproject.org/ | egrep 'Congratulations|Sorry' | uniq
Congratulations. This browser is configured to use Tor.
$ curl --silent --proxy socks5h://127.0.0.1:9050 https://3g2upl4pq6kufc4m.onion/ | grep '<title>'
<title>DuckDuckGo — Privacy, simplified.</title>

System: Mageia 7, x86_64, Intel CPU.
$ uname -a
Linux marte 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q tor torsocks
tor-0.3.5.14-1.mga7
torsocks-2.3.0-1.mga7
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => mageia
I have noticed a problem with the rpm uninstall script of the tor package. The error is caused by the following line in the uninstall script:

rm -f /var/lib/tor/*

It needs the "-R" option to remove directories.

$ LANGUAGE=C urpme tor
removing tor-0.3.5.14-1.mga7.x86_64
rm: cannot remove '/var/lib/tor/keys': Is a directory
error: %preun(tor-0.3.5.14-1.mga7.x86_64) scriptlet failed, exit status 1
ERROR: 'script' failed for tor-0.3.5.14-1.mga7.x86_64
error: tor-0.3.5.14-1.mga7.x86_64: erase failed

$ rpm -q --scripts tor
preinstall scriptlet (using /bin/sh):
/usr/share/rpm-helper/add-user tor $1 toruser /var/lib/tor /bin/false
postinstall scriptlet (using /bin/sh):
/usr/bin/systemd-tmpfiles --create tor.conf
/usr/share/rpm-helper/add-service tor $1 tor
preuninstall scriptlet (using /bin/sh):
/usr/share/rpm-helper/del-service tor $1 tor
/usr/share/rpm-helper/del-service tor $1 tor-master
if [ $1 -eq 0 ]; then
    rm -f /var/lib/tor/*
fi
postuninstall scriptlet (using /bin/sh):
if [ $1 -ge 1 ]; then
    # Use restart instead of try-restart, as tor-master may be "inactive" even
    # when there are tor.service and tor@.service instances running.
    systemctl restart tor-master.service >/dev/null 2>&1 || :
fi
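The %preun failure reported in the comment above, reproduced in a throwaway directory as an added example (this is not code from the bug thread or from the Mageia tor package). The directory layout is a constructed stand-in for /var/lib/tor with its keys/ subdirectory; preun_original is the scriptlet body as shipped, preun_fixed the same line with -R added.

```sh
#!/bin/sh
# Added example, not from the bug thread or the Mageia tor package.
# It reproduces why `rm -f /var/lib/tor/*` in %preun fails: tor keeps its
# keys in a subdirectory (/var/lib/tor/keys) and rm without -R refuses
# directories, so the scriptlet exits non-zero and rpm aborts the erase.

# Build a stand-in for /var/lib/tor with a constructed layout (keys/ subdir).
make_state_dir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/keys"
    : > "$dir/state"
    : > "$dir/keys/secret_id_key"
    echo "$dir"
}

# Original scriptlet body: -f silences missing files but does not recurse.
preun_original() {
    rm -f "$1"/*
}

# Corrected scriptlet body: -R (or -r) removes the keys subdirectory too.
preun_fixed() {
    rm -Rf "$1"/*
}

# Exit 0 if the directory is empty after the scriptlet ran, 1 otherwise.
is_empty() {
    [ -z "$(ls -A "$1")" ]
}

demo() {
    d=$(make_state_dir)
    echo "before: $(ls -A "$d" | tr '\n' ' ')"
    if preun_original "$d"; then
        echo "rm -f: exit 0 (unexpected)"
    else
        echo "rm -f: failed, leftover: $(ls -A "$d" | tr '\n' ' ')"
    fi
    if preun_fixed "$d" && is_empty "$d"; then
        echo "rm -Rf: exit 0, directory emptied"
    fi
    rmdir "$d"
}

demo
```

Either form discards the node's long-term keys on package removal, so whether a packager should wipe the state directory at all is a separate question from the exit-status bug.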
(In reply to Guillaume Royer from comment #5)
> Installation TOR on M8 XFCE.
>
> Update with QA repo and:
>
> tor-0.3.5.14-1.mga8
>
> No problem at installation and TOR run without error codes.
>
> I don't know enough about the software to properly evaluate how it works. Can
> you tell me what to do to know how evaluate it.

You got farther than I did. No error codes, but the app refused to run - I think because I simply have no idea of how to run it properly. Reading /usr/share/doc/tor/tor.html would seem to bear this out. This app is far too complicated for a novice to learn quickly enough to give an evaluation.

Because the MGA7 update that PC LX tested is the same version as the one for MGA8, it is likely that functionality is the same. Since you had a clean install and were able to get the software to run without errors, and because of the critical nature of the update, I'm going to give it an OK for MGA8. Also because of the critical nature of the update, I'm going to validate it.

The issues described in Comment 7 should be brought up in a new bug, especially if they are still valid in MGA8, but I don't believe they are urgent enough to hold this back.

Advisory in Comment 4.
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-28089, CVE-2021-28090
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0180.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Debian has issued an advisory for this on March 16: https://www.debian.org/security/2021/dsa-4871