
Accepted tor 0.2.2.38-1 (source all amd64)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 22 Aug 2012 07:43:32 UTC
Source: tor
Binary: tor tor-dbg tor-geoipdb
Architecture: source all amd64
Version: 0.2.2.38-1
Distribution: stable
Urgency: low
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description: 
 tor        - anonymizing overlay network for TCP
 tor-dbg    - debugging symbols for Tor
 tor-geoipdb - geoIP database for Tor
Changes: 
 tor (0.2.2.38-1) stable; urgency=low
 .
   * New upstream version, fixing three security issues, as discussed
     in #684763:
     - Avoid an uninitialized memory read when reading a vote or consensus
       document that has an unrecognized flavor name. This read could
       lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
       [CVE-2012-3518]
     - Try to leak less information about what relays a client is
       choosing to a side-channel attacker. Previously, a Tor client would
       stop iterating through the list of available relays as soon as it
       had chosen one, thus finishing a little earlier when it picked
       a router earlier in the list. If an attacker can recover this
       timing information (nontrivial but not proven to be impossible),
       they could learn some coarse-grained information about which relays
       a client was picking (middle nodes in particular are likelier to
       be affected than exits). The timing attack might be mitigated by
       other factors (see bug 6537 for some discussion), but it's best
       not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
       [CVE-2012-3519]
   * Note that contrary to the upstream release notes and changelog the
     following issue is not fixed by this release.  Discussion in the
     upstream bug tracker suggests it is not triggerable in practice.
     - Avoid read-from-freed-memory and double-free bugs that could occur
       when a DNS request fails while launching it. Fixes bug 6480;
       bugfix on 0.2.0.1-alpha.
       [CVE-2012-3517; https://bugs.torproject.org/6480]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

-----END PGP SIGNATURE-----
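
The CVE-2012-3519 entry in the changelog above describes a loop that stops as soon as a relay is chosen, so its running time depends on the position of the chosen relay. The following is an added example, not part of the original message and not Tor's code: the function names and the sample weights are constructed for illustration, and both functions assume n > 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample bandwidth weights for five hypothetical relays. */
static const uint64_t SAMPLE_BW[5] = {50, 200, 100, 400, 250};

/* Early-exit pattern: stop at the first relay whose cumulative weight
 * exceeds `target`. *steps is the number of entries visited, so the
 * work done depends on which index was chosen. */
size_t choose_early_exit(const uint64_t *bw, size_t n, uint64_t target, size_t *steps)
{
    uint64_t sum = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        sum += bw[i];
        if (sum > target)
            break;
    }
    *steps = (i < n) ? i + 1 : n;
    return (i < n) ? i : n - 1;   /* fall back to the last entry */
}

/* Full-scan pattern: always walk the whole list and keep the first hit
 * with a mask instead of breaking out of the loop. */
size_t choose_full_scan(const uint64_t *bw, size_t n, uint64_t target, size_t *steps)
{
    uint64_t sum = 0;
    size_t chosen = n - 1;        /* fallback when target >= total weight */
    size_t found = 0;             /* becomes 1 after the first hit */
    for (size_t i = 0; i < n; i++) {
        sum += bw[i];
        size_t hit = (size_t)(sum > target) & (found ^ 1);
        size_t mask = (size_t)0 - hit;          /* all ones on a hit, else 0 */
        chosen = (chosen & ~mask) | (i & mask);
        found |= hit;
    }
    *steps = n;
    return chosen;
}

int main(void)
{
    size_t a, b;
    for (uint64_t t = 0; t < 1000; t += 300) {
        size_t r1 = choose_early_exit(SAMPLE_BW, 5, t, &a);
        size_t r2 = choose_full_scan(SAMPLE_BW, 5, t, &b);
        printf("target=%llu early=%zu (%zu steps) full=%zu (%zu steps)\n",
               (unsigned long long)t, r1, a, r2, b);
    }
    return 0;
}
```

Both functions return the same index for every target; only the number of entries visited differs, and the compiler may still emit branches for the comparison in the full-scan version.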

