
tor update for squeeze



Hey,

Tor is releasing version 0.2.1.29, a release with lots of security
fixes, both minor and not so minor, including one for CVE-2011-0427
(heap overflow bug, potential remote code execution), a denial of
service involving compression bombs, and zeroing out of cryptographic
keys after use to resist cold boot attacks somewhat better.


I went over all the commits but, as already discussed on IRC, I ended up
with a version that was almost equivalent to 0.2.1.29 anyway, modulo
several comment updates, copyright statement updates, autoconf fu and a
very few fixes of which I'm not entirely sure they aren't security
relevant either.

Also, most of upstream's 0.2.1.28 was already in our tor 0.2.1.26-XX.

There seemed to be an agreement that putting 0.2.1.29 into squeeze was
the smartest course of action, especially with an eye to making future
security updates easier.

Therefore I have uploaded a tor package 0.2.1.29-1 to unstable.

If you still agree with this course of action please unblock.

Cheers,
weasel
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/

