Bug#691499: unblock: tor/0.2.3.24-rc-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception
Please unblock package tor.
unblock tor/0.2.3.24-rc-1
Version 0.2.3.24-rc fixes two security issues over the version
currently in testing, 0.2.3.22-rc. These issues have been assigned
CVE-2012-2249 and CVE-2012-2250.
Debian changelogs:
| tor (0.2.3.24-rc-1) unstable; urgency=high
|
|   * New upstream version:
|     - Fix a group of remotely triggerable assertion failures related to
|       incorrect link protocol negotiation. Found, diagnosed, and fixed
|       by "some guy from France". Fix for CVE-2012-2250; bugfix on
|       0.2.3.6-alpha.
|     - Fix a denial of service attack by which any directory authority
|       could crash all the others, or by which a single v2 directory
|       authority could crash everybody downloading v2 directory
|       information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
|     - and more.
|
|  -- Peter Palfrader <weasel@debian.org>  Fri, 26 Oct 2012 09:15:09 +0200
|
| tor (0.2.3.23-rc-1) unstable; urgency=low
|
|   * New upstream version:
|     o Major bugfixes (security/privacy):
|       - Disable TLS session tickets. OpenSSL's implementation was giving
|         our TLS session keys the lifetime of our TLS context objects, when
|         perfect forward secrecy would want us to discard anything that
|         could decrypt a link connection as soon as the link connection
|         was closed. Fixes bug 7139; bugfix on all versions of Tor linked
|         against OpenSSL 1.0.0 or later. Found by Florent Daignière.
|       - Discard extraneous renegotiation attempts once the V3 link
|         protocol has been initiated. Failure to do so left us open to
|         a remotely triggerable assertion failure. Fixes CVE-2012-2249;
|         bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
|       - Fix a possible crash bug when checking for deactivated circuits
|         in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
|         bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
|     For other fixes please see the upstream changelog.
|
|  -- Peter Palfrader <weasel@debian.org>  Sat, 20 Oct 2012 22:27:04 +0200
Full upstream changelog at
https://gitweb.torproject.org/tor.git/blob/release-0.2.3:/ChangeLog
I can prepare full diffs on request.
Cheers,
weasel