Bug 29377 - tor new security issue CVE-2021-38385
Summary: tor new security issue CVE-2021-38385
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-08-17 16:48 CEST by David Walser
Modified: 2021-09-23 06:52 CEST (History)
6 users (show)

See Also:
Source RPM: tor-0.3.5.15-1.mga9.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-08-17 16:48:10 CEST
Tor has released new versions on August 16:
https://blog.torproject.org/node/2062

0.3.5.16 fixes a security issue.

Mageia 8 is also affected.
David Walser 2021-08-17 16:48:26 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.3.5.16

Comment 1 David Walser 2021-08-20 17:57:59 CEST
openSUSE has issued an advisory for this on August 19:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PMWWIBVBPI5X7QIC5VO3NJURIXL33ROT/
Comment 2 David Walser 2021-08-20 20:15:52 CEST
tor-0.3.5.16-1.mga8 uploaded to updates_testing by Jani.

CC: (none) => jani.valimaa
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Assignee: jani.valimaa => qa-bugs
Status comment: Fixed upstream in 0.3.5.16 => (none)

Comment 3 Guillaume Royer 2021-08-23 20:46:38 CEST
MGA8 64 XFCE.

Updates Tor with QA repo.

I've checked Tor as follow:

systemctl stop tor
systemctl start tor
systemctl status Tor => Ok

tor.service - Anonymizing overlay network for TCP
     Loaded: loaded (/usr/lib/systemd/system/tor.service; enabled; vendor preset: disabled)
     Active: active (running) since Mon 2021-08-23 20:36:55 CEST; 7min ago
    Process: 29716 ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify>
   Main PID: 29717 (tor)
      Tasks: 1 (limit: 4581)
     Memory: 37.4M
        CPU: 1.662s
     CGroup: /system.slice/tor.service
             └─29717 /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc

août 23 20:36:54 localhost Tor[29717]: Bootstrapped 0%: Starting
août 23 20:36:55 localhost Tor[29717]: Starting with guard context "default"
août 23 20:36:55 localhost Tor[29717]: Signaled readiness to systemd
août 23 20:36:55 localhost systemd[1]: Started Anonymizing overlay network for TCP.
août 23 20:36:55 localhost Tor[29717]: Bootstrapped 10%: Finishing handshake with directory server
août 23 20:36:55 localhost Tor[29717]: Bootstrapped 80%: Connecting to the Tor network
août 23 20:36:55 localhost Tor[29717]: Bootstrapped 90%: Establishing a Tor circuit
août 23 20:36:55 localhost Tor[29717]: Opening Control listener on /run/tor/control
août 23 20:36:55 localhost Tor[29717]: Opened Control listener on /run/tor/control
août 23 20:36:55 localhost Tor[29717]: Bootstrapped 100%: Done

Check Tor on: 

https://check.torproject.org/ => ok

CC: (none) => guillaume.royer

Comment 4 David Walser 2021-08-24 00:01:53 CEST
Debian has issued an advisory for this today (August 23):
https://www.debian.org/security/2021/dsa-4961
Comment 5 Hugues Detavernier 2021-09-03 15:30:26 CEST
Mga 8 Gnome

Installed Tor with QA repos (tsocks and Tor)

systemctl start tor
systemctl status tor

tor.service - Anonymizing overlay network for TCP
     Loaded: loaded (/usr/lib/systemd/system/tor.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2021-09-03 17:16:52 CEST; 6s ago
    Process: 3743 ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/to>
   Main PID: 3744 (tor)
      Tasks: 1 (limit: 2320)
     Memory: 46.6M
        CPU: 982ms
     CGroup: /system.slice/tor.service
             └─3744 /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc

sept. 03 17:16:56 localhost Tor[3744]: I learned some more directory information, but not enough to build a circuit: >
sept. 03 17:16:56 localhost Tor[3744]: The current consensus contains exit nodes. Tor can build exit and internal pat>
sept. 03 17:16:56 localhost Tor[3744]: Bootstrapped 55%: Loading relay descriptors
sept. 03 17:16:56 localhost Tor[3744]: Bootstrapped 62%: Loading relay descriptors
sept. 03 17:16:56 localhost Tor[3744]: Bootstrapped 70%: Loading relay descriptors
sept. 03 17:16:56 localhost Tor[3744]: Bootstrapped 75%: Loading relay descriptors
sept. 03 17:16:56 localhost Tor[3744]: Bootstrapped 80%: Connecting to the Tor network
sept. 03 17:16:57 localhost Tor[3744]: Bootstrapped 85%: Finishing handshake with first hop
sept. 03 17:16:57 localhost Tor[3744]: Bootstrapped 90%: Establishing a Tor circuit
sept. 03 17:16:57 localhost Tor[3744]: Bootstrapped 100%: Done
~


tor --v
Sep 03 17:19:23.627 [notice] Tor 0.3.5.16 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1k, Zlib 1.2.11, Liblzma 5.2.5, and Libzstd 1.4.8.

Check Tor on: 

https://check.torproject.org/ => NOK

Sorry. You are not runing Tor.

CC: (none) => hdetavernier

Comment 6 Hugues Detavernier 2021-09-03 15:36:38 CEST
Tor services is enabled at startup and running.

After reboot, I've got always this:

Sorry. You are not runing Tor.
Comment 7 Dave Hodgins 2021-09-03 16:31:22 CEST
(In reply to Hugues Detavernier from comment #6)
> Tor services is enabled at startup and running.
> After reboot, I've got always this:
> Sorry. You are not runing Tor.

After starting tor.service and tor-master.service, the browser needs to be
configured to use a socks5 proxy. In firefox, Edit/Settings, click on the
Settings button under Network Settings (very end of the settings), then
select "Manual proxy configuration" enter "127.0.0.1" for the SOCKS Host
and "9050" for the Port.

After that, in my test https://check.torproject.org/ shows ...
 Congratulations. This browser is configured to use Tor.

Your IP address appears to be: 185.220.100.253

CC: (none) => davidwhodgins

Comment 8 Hugues Detavernier 2021-09-03 16:43:22 CEST
Thanks Dave.

It's all good.
Comment 9 Thomas Andrews 2021-09-12 23:02:29 CEST
(In reply to Hugues Detavernier from comment #8)
> Thanks Dave.
> 
> It's all good.

So this is OK for you, then? 

If you are satisfied with the results of your test, you should put the appropriate OK (MGA8-64-OK or MGA8-32-OK) in the Whiteboard field near the top of this page.

CC: (none) => andrewsfarm

Comment 10 Dave Hodgins 2021-09-12 23:48:08 CEST
I should have done so when I posted comment 7.
Ok added and update validated.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2021-09-22 20:42:31 CEST

Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-09-23 06:52:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0426.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.