
[stable] tor, yet again (was: NEW changes in proposedupdates)



On Sun, 21 Nov 2010, Debian FTP Masters wrote:

> Processing changes file: tor_0.2.1.26-1~lenny+1_i386.changes
>   ACCEPT

Oh joy.

While this tor will work with an openssl patched to fix CVE-2009-3555
(the renegotiation/rfc5746 thing), it will break with the CVE-2010-3864
fix (TLS extension parsing race), which is already prepared and ready to
be released on security.d.o.  *sigh*

Upstream is currently evaluating a one-line patch in Tor as a workaround
for openssl changing its behavior again[0].

I'm really sorry you have to deal with all this mess.  Will keep you
posted.

weasel

0. https://bugs.torproject.org/2204
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

