The Tor version in the repositories is completely outdated and should be updated urgently. I have Tor version 0.2.1.30 from the repositories, and a FAQ on torproject.org already talks about version 0.2.2.35. That is probably quite a number of versions that have been skipped in the repositories, and since the version number comes from a FAQ, the probability is not exactly low that this is not the current version number either. The current Tor version urgently needs to go into the repositories!
Keywords: (none) => NO_PATCH, Security
Priority: Normal => High
Target Milestone: --- => Mageia 1
Hi, thanks for reporting this bug. In Mageia 1 we have 0.2.1.30, in cauldron 0.2.2.35. We can't update to a new release, only bug/security fixes are allowed, but indeed it seems there is some CVE against tor. After a *quick* checking, at least http://osvdb.org/show/osvdb/69944. Assigned to the package maintainer.
Keywords: NO_PATCH, Security => Triaged
Component: BuildSystem => Security
Hardware: i586 => All
Version: unspecified => Cauldron
Assignee: sysadmin-bugs => bugsquad
Product: Infrastructure => Mageia
Summary: Tor ist total veraltet => security update: tor
Source RPM: (none) => tor
Assignee: bugsquad => boklm
CC: (none) => doktor5000
Version: Cauldron => 1
Target Milestone: Mageia 1 => ---
(In reply to comment #1)
> but indeed seems there is some CVE against tor.
> after a *quick* cheking, at least http://osvdb.org/show/osvdb/69944

Not affecting the mga1 package, citing from http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1676 : "Heap-based buffer overflow in Tor before 0.2.1.28 and 0.2.2.x before 0.2.2.20-alpha ..."

But there's http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2778 which should be fixed by https://gitweb.torproject.org/tor.git/commitdiff/9d0777839be6642954a4c064c819d406d8bb7cb4
pushed in updates_testing
CC: (none) => dmorganec
Assignee: boklm => qa-bugs
No POC for the CVE so testing functionality only.

lib64tsocks1-1.8-0.beta5.7.mga1.x86_64 installed
tsocks-1.8-0.beta5.7.mga1.x86_64 installed
tor-0.2.1.30-1.1.mga1.x86_64 installed

$ tor
Jan 03 15:30:33.976 [notice] Tor v0.2.1.30. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
Jan 03 15:30:33.977 [notice] Initialized libevent version 2.0.10-stable using method epoll. Good.
Jan 03 15:30:33.977 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 03 15:30:33.977 [notice] Parsing GEOIP file.
Jan 03 15:30:34.131 [notice] OpenSSL OpenSSL 1.0.0d 8 Feb 2011 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Jan 03 15:30:34.223 [warn] Please upgrade! This version of Tor (0.2.1.30) is obsolete, according to the directory authorities. Recommended versions are: 0.2.1.32,0.2.2.35,0.2.3.10-alpha
Jan 03 15:30:34.587 [notice] We now have enough directory information to build circuits.
Jan 03 15:30:34.587 [notice] Bootstrapped 80%: Connecting to the Tor network.
Jan 03 15:30:34.617 [notice] Bootstrapped 85%: Finishing handshake with first hop.
Jan 03 15:30:34.764 [notice] Bootstrapped 90%: Establishing a Tor circuit.
Jan 03 15:30:35.056 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jan 03 15:30:35.056 [notice] Bootstrapped 100%: Done.

Aside from the warning of being obsolete..

Added FoxyProxy addon to firefox and added localhost:9050 as a socks5 proxy, could just be set in firefox (or whatever you want to use) proxy settings. Enabled the tor proxy and browsed to check.torproject.org. Was told tor was enabled and given the apparent IP address.

Used ctrl-c to exit the running tor process and used
# service tor start
to verify it started as a service and check.torproject.org OK'd the connection.

Testing complete x86_64
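An added QA helper, written for the check above and not part of the bug report or of the Mageia package: it parses a tor startup log for the version banner, the SOCKS listener, the bootstrap percentage and the directory authorities' "obsolete" warning, and can repeat the check.torproject.org test with curl instead of a browser. The embedded log is constructed from the lines quoted above; the curl function assumes curl is installed, tor is running, and the check page still answers with "Congratulations" for a Tor client.

```shell
#!/bin/sh
# Added QA helper (not from the bug report): parse a tor startup log for the
# things the tester verified by eye, then optionally query check.torproject.org
# through the SOCKS listener. TOR_LOG is constructed from the thread's log lines.

TOR_LOG='Jan 03 15:30:33.976 [notice] Tor v0.2.1.30. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
Jan 03 15:30:33.977 [notice] Opening Socks listener on 127.0.0.1:9050
Jan 03 15:30:34.223 [warn] Please upgrade! This version of Tor (0.2.1.30) is obsolete, according to the directory authorities. Recommended versions are: 0.2.1.32,0.2.2.35,0.2.3.10-alpha
Jan 03 15:30:35.056 [notice] Tor has successfully opened a circuit. Looks like client functionality is working.
Jan 03 15:30:35.056 [notice] Bootstrapped 100%: Done.'

# Running version, taken from the "Tor vX.Y.Z." banner line.
tor_version() {
    printf '%s\n' "$1" | sed -n 's/.*\[notice\] Tor v\([0-9.]*\)\. .*/\1/p' | head -n 1
}
# Highest "Bootstrapped N%" seen; 100 means the client is usable.
bootstrap_percent() {
    printf '%s\n' "$1" | sed -n 's/.*Bootstrapped \([0-9]*\)%.*/\1/p' | sort -n | tail -n 1
}
# Address the SOCKS listener was opened on, e.g. 127.0.0.1:9050.
socks_listener() {
    printf '%s\n' "$1" | sed -n 's/.*Opening Socks listener on \([0-9.:]*\).*/\1/p' | head -n 1
}
# Comma-separated list from the authorities' warning; empty when there was none.
recommended_versions() {
    printf '%s\n' "$1" | sed -n 's/.*Recommended versions are: \([^ ]*\).*/\1/p' | head -n 1
}
# Returns 0 if version $1 appears in the comma-separated list $2, else 1.
version_in_list() {
    case ",$2," in
        *",$1,"*) return 0 ;;
    esac
    return 1
}
# Verdict for one log: "ok", "ok-but-obsolete", or "not-bootstrapped" (exit 1).
qa_verdict() {
    [ "$(bootstrap_percent "$1")" = "100" ] || { echo not-bootstrapped; return 1; }
    rec=$(recommended_versions "$1")
    if [ -n "$rec" ] && ! version_in_list "$(tor_version "$1")" "$rec"; then
        echo ok-but-obsolete
    else
        echo ok
    fi
}
# Live check (needs a running tor and network access, so not run offline):
# the check page says "Congratulations" only when the request came via Tor.
socks_check() {
    curl -s --socks5-hostname "${1:-127.0.0.1:9050}" https://check.torproject.org/ | grep -q Congratulations
}
```

Because the mga1 fix is a backport that keeps the 0.2.1.30 version string, the authorities' "Please upgrade" warning persists after the update, so the helper reports it as ok-but-obsolete instead of treating it as a test failure.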
Testing complete on i586 using the same procedure. Thanks Claire!

Could someone from the sysadmin team push the srpm tor-0.2.1.30-1.1.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory: This security update for the tor package corrects CVE-2011-2778. Multiple heap-based buffer overflows in Tor before 0.2.2.35 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code by (1) establishing a SOCKS connection to SocksPort or (2) leveraging a SOCKS proxy configuration.
https://bugs.mageia.org/show_bug.cgi?id=3953
CC: (none) => davidwhodgins
Sorry, forgot to add keyword and email.

Could someone from the sysadmin team push the srpm tor-0.2.1.30-1.1.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory: This security update for the tor package corrects CVE-2011-2778. Multiple heap-based buffer overflows in Tor before 0.2.2.35 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code by (1) establishing a SOCKS connection to SocksPort or (2) leveraging a SOCKS proxy configuration.
https://bugs.mageia.org/show_bug.cgi?id=3953
Keywords: (none) => validated_update
Update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED