Bug#684763: pu: package tor/0.2.2.38-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
currently tor 0.2.2.37-1~squeeze+1 is in proposed-updates as discussed in
#679224.
Upstream has released a new security-only update, 0.2.2.38, today:
| Changes in version 0.2.2.38 - 2012-08-12
| Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
| fixes a remotely triggerable crash bug; and fixes a timing attack that
| could in theory leak path information.
|
| o Security fixes:
| - Avoid read-from-freed-memory and double-free bugs that could occur
| when a DNS request fails while launching it. Fixes bug 6480;
| bugfix on 0.2.0.1-alpha.
| - Avoid an uninitialized memory read when reading a vote or consensus
| document that has an unrecognized flavor name. This read could
| lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
| - Try to leak less information about what relays a client is
| choosing to a side-channel attacker. Previously, a Tor client would
| stop iterating through the list of available relays as soon as it
| had chosen one, thus finishing a little earlier when it picked
| a router earlier in the list. If an attacker can recover this
| timing information (nontrivial but not proven to be impossible),
| they could learn some coarse-grained information about which relays
| a client was picking (middle nodes in particular are likelier to
| be affected than exits). The timing attack might be mitigated by
| other factors (see bug 6537 for some discussion), but it's best
| not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
[ https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes ]
I would like to package this new version as 0.2.2.38-1, and upload it to
squeeze so that we can get these issues fixed in Debian.
May I proceed?
Thanks,
weasel
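As an added illustration of the third fix in the quoted changelog (the early-exit relay selection that leaked coarse timing information), and not code from Tor or from this bug report: the leaky pattern is a weighted selection loop that returns as soon as the target falls inside an entry's range, so the amount of work done depends on which entry was chosen; the hardened pattern walks the whole list and only records the chosen index. The weight table, the target values and the function names below are constructed for the example. Note that the full-scan version still contains a data-dependent branch; what it removes is the choice-dependent iteration count that the changelog describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: four entries with bandwidth-style weights summing
 * to 100. A selection picks the entry whose cumulative weight range
 * contains a target drawn from [0, 100). */
static const uint64_t SAMPLE_WEIGHTS[] = { 10, 20, 30, 40 };
#define SAMPLE_N (sizeof(SAMPLE_WEIGHTS) / sizeof(SAMPLE_WEIGHTS[0]))
#define SAMPLE_TOTAL 100

typedef struct {
    int index;    /* chosen entry, or -1 if the target was out of range */
    size_t steps; /* loop iterations executed: the observable work */
} pick_result;

/* Leaky variant: returns as soon as the target falls inside an entry's
 * range, so fewer iterations run when an early entry is chosen. */
pick_result pick_early_exit(const uint64_t *w, size_t n, uint64_t target)
{
    pick_result r = { -1, 0 };
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        r.steps++;
        acc += w[i];
        if (target < acc) {
            r.index = (int)i;
            return r;
        }
    }
    return r;
}

/* Hardened variant: always walks the whole list and only records the
 * chosen index, so the iteration count does not depend on the choice. */
pick_result pick_full_scan(const uint64_t *w, size_t n, uint64_t target)
{
    pick_result r = { -1, 0 };
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        r.steps++;
        acc += w[i];
        if (r.index < 0 && target < acc)
            r.index = (int)i;
    }
    return r;
}

/* Spread (max - min) of the step count over every possible target on the
 * sample table: a non-zero spread means the work done reveals the choice. */
size_t step_spread(int early_exit)
{
    size_t lo = SIZE_MAX, hi = 0;
    for (uint64_t t = 0; t < SAMPLE_TOTAL; t++) {
        pick_result r = early_exit ? pick_early_exit(SAMPLE_WEIGHTS, SAMPLE_N, t)
                                   : pick_full_scan(SAMPLE_WEIGHTS, SAMPLE_N, t);
        if (r.steps < lo) lo = r.steps;
        if (r.steps > hi) hi = r.steps;
    }
    return hi - lo;
}

int main(void)
{
    for (uint64_t t = 0; t < SAMPLE_TOTAL; t += 25) {
        pick_result a = pick_early_exit(SAMPLE_WEIGHTS, SAMPLE_N, t);
        pick_result b = pick_full_scan(SAMPLE_WEIGHTS, SAMPLE_N, t);
        printf("target %2llu: early-exit picks %d in %zu steps, "
               "full-scan picks %d in %zu steps\n",
               (unsigned long long)t, a.index, a.steps, b.index, b.steps);
    }
    printf("step spread: early-exit %zu, full-scan %zu\n",
           step_spread(1), step_spread(0));
    return 0;
}
```

Both variants return the same index for every target; only the step count differs. Over the sample table the early-exit loop runs between one and four iterations depending on the choice, while the full scan always runs four, which is the property the upstream fix restores.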