Bug#684763: pu: package tor/0.2.2.38-1
On Mon, 2012-08-13 at 18:01 +0200, Peter Palfrader wrote:
> | Changes in version 0.2.2.38 - 2012-08-12
> | Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
> | fixes a remotely triggerable crash bug; and fixes a timing attack that
> | could in theory leak path information.
> |
> | o Security fixes:
> | - Avoid read-from-freed-memory and double-free bugs that could occur
> | when a DNS request fails while launching it. Fixes bug 6480;
> | bugfix on 0.2.0.1-alpha.
> | - Avoid an uninitialized memory read when reading a vote or consensus
> | document that has an unrecognized flavor name. This read could
> | lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
> | - Try to leak less information about what relays a client is
> | choosing to a side-channel attacker. Previously, a Tor client would
> | stop iterating through the list of available relays as soon as it
> | had chosen one, thus finishing a little earlier when it picked
> | a router earlier in the list. If an attacker can recover this
> | timing information (nontrivial but not proven to be impossible),
> | they could learn some coarse-grained information about which relays
> | a client was picking (middle nodes in particular are likelier to
> | be affected than exits). The timing attack might be mitigated by
> | other factors (see bug 6537 for some discussion), but it's best
> | not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
>
> [ https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes ]
>
>
> I would like to package this new version as 0.2.2.38-1, and upload it to
> squeeze so that we can get these issues fixed in Debian.
Apologies for not spotting earlier that there wasn't one attached, but
please could we have a debdiff against the package currently in p-u?
Regards,
Adam
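
The relay-selection timing issue described in the quoted release notes (bug 6537), as an added illustration that is not part of this thread and is not Tor's code: an early-exit weighted pick beside one that always walks the whole list. The weights, function names and iteration counter are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: relative weights of four hypothetical relays. */
static const uint64_t WEIGHTS[] = {50, 20, 20, 10};
enum { N_RELAYS = 4, TOTAL = 100 };

/* Chosen index plus loop iterations executed (instrumentation standing in
 * for the running time a side-channel observer might measure). */
typedef struct { size_t index; size_t iters; } pick_t;

/* Old pattern: stop at the first relay whose cumulative weight exceeds r
 * (r in [0, total)). The iteration count depends on the chosen index. */
static pick_t pick_early_exit(const uint64_t *w, size_t n, uint64_t r)
{
    pick_t p = {n - 1, 0};
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        p.iters++;
        acc += w[i];
        if (r < acc) { p.index = i; break; }
    }
    return p;
}

/* Fixed pattern: always walk the whole list, latching the first match
 * with a mask instead of an early return. */
static pick_t pick_full_scan(const uint64_t *w, size_t n, uint64_t r)
{
    pick_t p = {n - 1, 0};
    uint64_t acc = 0;
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        p.iters++;
        acc += w[i];
        size_t hit = (size_t)(r < acc) & (found ^ 1u); /* 1 only on first match */
        size_t mask = (size_t)0 - hit;                 /* all ones or all zeros */
        p.index = (p.index & ~mask) | (i & mask);
        found |= hit;
    }
    return p;
}

int main(void)
{
    for (uint64_t r = 0; r < TOTAL; r += 25) {
        pick_t a = pick_early_exit(WEIGHTS, N_RELAYS, r);
        pick_t b = pick_full_scan(WEIGHTS, N_RELAYS, r);
        printf("r=%2llu early: relay %zu, %zu iters | full: relay %zu, %zu iters\n",
               (unsigned long long)r, a.index, a.iters, b.index, b.iters);
    }
    return 0;
}
```

Both functions return the same relay for every r; only the early-exit version's iteration count tracks the index picked. A compiler may still emit a branch for the mask arithmetic, so the property shown here is the fixed loop length, not a guarantee of constant-time machine code.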