
stable: update Tor?



Hi,

the Tor project recently announced that some of their servers were
compromised[1].  This required rotating two of the long term identity
keys that are shipped within Tor.

Clients use these "authority" keys to verify they downloaded the correct
list of relays on the network (the "consensus").  There are 6 such
authorities listed in the version shipped with lenny.

A majority of authorities (i.e. >= 4) need to sign such a consensus
document for it to be trusted by clients.  Two of the six authorities
shipped in stable will never sign again (their keys having been
rotated).

This means that if another authority goes away for a couple of days (due to
hardware issues or for any other reason), Tor in stable will stop
working.  Therefore we should update Tor in stable.


I would like to upload a Tor 0.2.0.35-2 which contains at least this
patch:

--- /home/weasel/tmp/config.c   2010-01-21 10:24:30.431070274 +0100
+++ src/or/config.c     2010-01-21 10:24:34.087057256 +0100
@@ -831,24 +735,27 @@
 {
   int i;
   const char *dirservers[] = {
-    "moria1 v1 orport=9001 v3ident=E2A2AF570166665D738736D0DD58169CC61D8A8B "
-      "128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441",
+    "moria1 orport=9101 no-v2 "
+      "v3ident=D586D18309DED4CD6D57C18FDB97EFA96D330566 "
+      "128.31.0.39:9131 9695 DFC3 5FFE B861 329B 9F1A B04C 4639 7020 CE31",
     "moria2 v1 orport=9002 128.31.0.34:9032 "
       "719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF",
     "tor26 v1 orport=443 v3ident=14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 "
       "86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D",
     "dizum orport=443 v3ident=E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 "
       "194.109.206.212:80 7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755",
-    "Tonga orport=443 bridge no-v2 82.94.251.206:80 "
+    "Tonga orport=443 bridge no-v2 82.94.251.203:80 "
       "4A0C CD2D DC79 9508 3D73 F5D6 6710 0C8A 5831 F16D",
     "ides orport=9090 no-v2 v3ident=27B6B5996C426270A5C95488AA5BCEB6BCC86956 "
       "216.224.124.114:9030 F397 038A DC51 3361 35E7 B80B D99C A384 4360 292B",
-    "gabelmoo orport=443 no-v2 "
-      "v3ident=81349FC1F2DBA2C2C11B45CB9706637D480AB913 "
-      "80.190.246.100:80 6833 3D07 61BC F397 A587 A0C0 B963 E4A9 E99E C4D3",
+    "gabelmoo orport=8080 no-v2 "
+      "v3ident=ED03BB616EB2F60BEC80151114BB25CEF515B226 "
+      "80.190.246.100:8180 F204 4413 DAC2 E02E 3D6B CF47 35A1 9BCA 1DE9 7281",
     "dannenberg orport=443 no-v2 "
       "v3ident=585769C78764D58426B8B52B6651A5A71137189A "
       "213.73.91.31:80 7BE6 83E6 5D48 1413 21C5 ED92 F075 C553 64AC 7123",
+    "urras orport=80 no-v2 v3ident=80550987E1D626E3EBA5E5E75A458DE0626D088C "
+      "208.83.223.34:443 0AD3 FA88 4D18 F89E EA2D 89C0 1937 9E0E 7FD9 4417",
     NULL
   };
   for (i=0; dirservers[i]; i++) {
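Review bot: The `---` side of this diff is a scratch copy (`/home/weasel/tmp/config.c`) rather than the packaged source, so the hunk header offsets (`-831,24` against `+735,27`) come from two different files; regenerate the patch against the 0.2.0.35 tree with matching paths so it applies without fuzz under the package's patch system. Worth a second pair of eyes before upload: the moria1 and gabelmoo entries replace both the `v3ident` and the relay fingerprint, and moria1 also loses its `v1` flag, so each new value should be compared character by character with the upstream announcement [1], because a single wrong digit leaves clients trusting a key that will never sign while reporting no error.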

Thereby updating the list of authorities to the latest version.


While we are at it, I'd also like to backport a fix for a small DoS bug from
the current stable tor tree (0.2.1.x):

commit a89f51c936f8bd3c2aef3e9472d5310c83dc8fa7
Author: Roger Dingledine <arma@torproject.org>
Date:   Mon Nov 23 10:13:50 2009 -0500

    fix race condition that can cause crashes at client or exit relay
    
    Avoid crashing if the client is trying to upload many bytes and the
    circuit gets torn down at the same time, or if the flip side
    happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.

diff --git a/ChangeLog b/ChangeLog
index 64910dd..22da2f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,9 @@ Changes in Version 0.2.1.21 - 20??-??-??
       handshake from working unless we explicitly tell OpenSSL that we are
       using SSL renegotiation safely.  We are, of course, but OpenSSL
       0.9.8l won't work unless we say we are.
+    - Avoid crashing if the client is trying to upload many bytes and the
+      circuit gets torn down at the same time, or if the flip side
+      happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.
 
   o Minor bugfixes:
     - Do not refuse to learn about authority certs and v2 networkstatus
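Review bot: This ChangeLog hunk belongs to the upstream 0.2.1.21 entry and does not apply to a 0.2.0.35 tree; drop it from the backport and record the fix in debian/changelog instead, citing the upstream commit a89f51c936f8bd3c2aef3e9472d5310c83dc8fa7 and bug 1150 so the provenance of the cherry-pick stays visible.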
diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c
index 5918bdd..c55ba4d 100644
--- a/src/or/circuitlist.c
+++ b/src/or/circuitlist.c
@@ -1097,6 +1097,7 @@ _circuit_mark_for_close(circuit_t *circ, int reason, int l
     edge_connection_t *conn;
     for (conn=or_circ->n_streams; conn; conn=conn->next_stream)
       connection_edge_destroy(or_circ->p_circ_id, conn);
+    or_circ->n_streams = NULL;
 
     while (or_circ->resolving_streams) {
       conn = or_circ->resolving_streams;
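Review bot: Clearing `or_circ->n_streams` right after the `connection_edge_destroy()` loop is the right fix, since the list head would otherwise keep pointing at streams that have already been destroyed when the circuit is later freed. The hunk header names `_circuit_mark_for_close` at line 1097 of the 0.2.1.x file, so confirm the 0.2.0.35 function has the same loop shape before relying on the patch applying with an offset; the `resolving_streams` loop below runs until that list is empty, so it needs no equivalent assignment.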
@@ -1120,6 +1121,7 @@ _circuit_mark_for_close(circuit_t *circ, int reason, int l
     edge_connection_t *conn;
     for (conn=ocirc->p_streams; conn; conn=conn->next_stream)
       connection_edge_destroy(circ->n_circ_id, conn);
+    ocirc->p_streams = NULL;
   }
 
   circ->marked_for_close = line;
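Review bot: This is the mirror-image fix for the origin-circuit side (`ocirc->p_streams = NULL` after its destroy loop), which is what makes the change cover both the client and the exit relay as the commit message says. Consider a one-line comment above each of the two assignments stating that the streams were just destroyed and the head is cleared so nothing walks freed connections later; without it, a future reader may take the NULL assignment for a leak of the list.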



Please let me know if I may upload such a package.

Cheers,
weasel

1. http://archives.seul.org/or/talk/Jan-2010/msg00161.html
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
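The majority rule the message relies on, as an added example that is not part of the original message or of Tor's code: a small Python parser for the DirServer line syntax shown in the config.c hunk, with a check of whether a given set of signing authorities still meets Tor's threshold of more than half of the known v3 authorities. The sample lines are copied from the hunk above and the lenny scenario (two rotated keys plus one outage) is evaluated against both the old and the patched list.

```python
import re

# Tor "DirServer" lines in the syntax of config.c's dirservers[] table. Sample
# constructed for this example from the pre-patch (lenny) entries in the hunk above.
LENNY_DIRSERVERS = [
    "moria1 v1 orport=9001 v3ident=E2A2AF570166665D738736D0DD58169CC61D8A8B 128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441",
    "moria2 v1 orport=9002 128.31.0.34:9032 719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF",
    "tor26 v1 orport=443 v3ident=14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D",
    "dizum orport=443 v3ident=E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 194.109.206.212:80 7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755",
    "Tonga orport=443 bridge no-v2 82.94.251.206:80 4A0C CD2D DC79 9508 3D73 F5D6 6710 0C8A 5831 F16D",
    "ides orport=9090 no-v2 v3ident=27B6B5996C426270A5C95488AA5BCEB6BCC86956 216.224.124.114:9030 F397 038A DC51 3361 35E7 B80B D99C A384 4360 292B",
    "gabelmoo orport=443 no-v2 v3ident=81349FC1F2DBA2C2C11B45CB9706637D480AB913 80.190.246.100:80 6833 3D07 61BC F397 A587 A0C0 B963 E4A9 E99E C4D3",
    "dannenberg orport=443 no-v2 v3ident=585769C78764D58426B8B52B6651A5A71137189A 213.73.91.31:80 7BE6 83E6 5D48 1413 21C5 ED92 F075 C553 64AC 7123",
]
# Post-patch list: moria1 and gabelmoo with rotated keys, plus urras. Tonga's
# address change is left out: a bridge authority signs no consensus.
PATCHED_DIRSERVERS = [l for l in LENNY_DIRSERVERS
                      if not l.startswith(("moria1 ", "gabelmoo "))] + [
    "moria1 orport=9101 no-v2 v3ident=D586D18309DED4CD6D57C18FDB97EFA96D330566 128.31.0.39:9131 9695 DFC3 5FFE B861 329B 9F1A B04C 4639 7020 CE31",
    "gabelmoo orport=8080 no-v2 v3ident=ED03BB616EB2F60BEC80151114BB25CEF515B226 80.190.246.100:8180 F204 4413 DAC2 E02E 3D6B CF47 35A1 9BCA 1DE9 7281",
    "urras orport=80 no-v2 v3ident=80550987E1D626E3EBA5E5E75A458DE0626D088C 208.83.223.34:443 0AD3 FA88 4D18 F89E EA2D 89C0 1937 9E0E 7FD9 4417",
]
# name, then flags (v1, no-v2, bridge, orport=, v3ident=), then the IPv4
# dirport address and the 40-hex-digit relay fingerprint in groups of four.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<flags>(?:\S+\s+)*?)"
                     r"(?P<addr>\d+\.\d+\.\d+\.\d+:\d+)\s+"
                     r"(?P<fp>(?:[0-9A-F]{4}\s*){10})$")


def parse_dirserver(line):
    """Parse one DirServer line into a dict; returns None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags").split()
    v3 = [f[len("v3ident="):] for f in flags if f.startswith("v3ident=")]
    return {"name": m.group("name"), "v3ident": v3[0] if v3 else None,
            "bridge": "bridge" in flags, "addr": m.group("addr"),
            "fingerprint": m.group("fp").replace(" ", "")}


def v3_authorities(lines):
    """Names of the authorities that can sign a v3 consensus (have a v3ident)."""
    return [d["name"] for d in map(parse_dirserver, lines) if d and d["v3ident"]]


def required_signatures(n_known):
    """Tor accepts a consensus only if more than half of the known v3 authorities signed it."""
    return n_known // 2 + 1


def consensus_trusted(lines, signers):
    """True if the authorities named in `signers` meet the majority threshold."""
    known = set(v3_authorities(lines))
    return len(known & set(signers)) >= required_signatures(len(known))
```

With the lenny list, six v3 authorities give a threshold of four, so the two rotated keys plus one further outage leave only three valid signers; the patched list has seven, so the same outage still leaves a trusted consensus.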