tor: Tor security advisory: hidden services can be located quickly

Debian Bug report logs - #349283
tor: Tor security advisory: hidden services can be located quickly

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Chris Howie <cdhowie@nerdshack.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: tor: Tor security advisory: hidden services can be located quickly

Date: Sat, 21 Jan 2006 19:17:36 -0500

Package: tor
Version: 0.1.0.16-1
Severity: grave
Tags: security
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Source: http://archives.seul.org/or/announce/Jan-2006/msg00001.html

Basically an attacker who can run a fast Tor server can find the location of a
hidden service in a matter of hours, possibly even minutes.  This is fixed in
0.1.1.12-alpha, but as this is an alpha release it may contain other bugs.

- -- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFD0s8gqlk5sZw9W7kRArprAKCk6rq93AwexRo3Mnp3ovaPztZTugCfRdZM
noaYhcZw50wxwg4MiKZn5H4=
=RRVR
-----END PGP SIGNATURE-----

Message #10 received at 349283@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: Chris Howie <cdhowie@nerdshack.com>, 349283@bugs.debian.org

Subject: Re: Bug#349283: tor: Tor security advisory: hidden services can be located quickly

Date: Sun, 22 Jan 2006 01:46:42 +0100

On Sat, 21 Jan 2006, Chris Howie wrote:

> Package: tor
> Version: 0.1.0.16-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Source: http://archives.seul.org/or/announce/Jan-2006/msg00001.html
> 
> Basically an attacker who can run a fast Tor server can find the location of a
> hidden service in a matter of hours, possibly even minutes.  This is fixed in
> 0.1.1.12-alpha, but as this is an alpha release it may contain other bugs.

So your options are
 - do not run a hidden service
 - wait for a few weeks or months until 0.1.1.x becomes stable and
   I upload it to sid
 - use 0.1.1.x now (from experimental or my backports archive
   http://wiki.noreply.org/noreply/TheOnionRouter/TorOnDebian

Also, Tor continues to be as fine as ever for people who don't offer
hidden services, so maybe grave is a bit strong.

Cheers,
Peter

Message #17 received at 349283@bugs.debian.org (full text, mbox, reply):

From: Chris Howie <cdhowie@nerdshack.com>

To: Peter Palfrader <weasel@debian.org>

Cc: 349283@bugs.debian.org

Subject: Re: Bug#349283: tor: Tor security advisory: hidden services can be located quickly

Date: Sat, 21 Jan 2006 20:13:50 -0500

[Message part 1 (text/plain, inline)]

Peter Palfrader wrote:
> Also, Tor continues to be as fine as ever for people who don't offer
> hidden services, so maybe grave is a bit strong.

Nonetheless it is a serious security hole for people who *do* run hidden
services.  I thought grave might be a bit too high, but serious is specifically
for Debian Policy violations, and important seems a bit too weak.  If there was
something between grave and important (e.g. "a security issue with a particular
menu item") I would have picked that.

In the abscence of such a severity I stand by my decision of grave.  (Better it
be considered more severe than it is, than to be considered less severe than it
is.)

-- 
Chris Howie
http://www.chrishowie.com

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCS/IT d-(--) s:- a--->? C++(+++)$> UL++++ P++++$ L+++>++++ E---
W++ N o++ K? w--$ O M- V- PS--(---) PE++ Y+ PGP++ t+ 5? X-
R(+)>- tv-(--) b- DI+> D++ G>+++ e>++ h(--)>--- !r>+++ y->+++
------END GEEK CODE BLOCK------

[signature.asc (application/pgp-signature, attachment)]

Message #22 received at 349283@bugs.debian.org (full text, mbox, reply):

From: Steve Kemp <skx@debian.org>

To: Chris Howie <cdhowie@nerdshack.com>, 349283@bugs.debian.org

Subject: Re: Bug#349283: tor: Tor security advisory: hidden services can be located quickly

Date: Sun, 22 Jan 2006 10:26:47 +0000

On Sat, Jan 21, 2006 at 07:17:36PM -0500, Chris Howie wrote:
> Package: tor
> Version: 0.1.0.16-1
> Severity: grave
> Tags: security
> Justification: user security hole

  Tor isn't included in a Debian stable release, so no need for
 a DSA.

Steve
--

Message #41 received at 349283@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: 349283@bugs.debian.org

Subject: This is CVE-2006-0414

Date: Wed, 25 Jan 2006 21:55:19 +0100

The Common Vulnerabilities and Exposures project has assigned
CVE-2006-0414 for this issue.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0414

-- 
 PGP signed and encrypted  |  .''`.  ** Debian GNU/Linux **
    messages preferred.    | : :' :      The  universal
                           | `. `'      Operating System
 http://www.palfrader.org/ |   `-    http://www.debian.org/

Message #48 received at 349283-close@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>

To: 349283-close@bugs.debian.org

Subject: Bug#349283: fixed in tor 0.1.1.20-1

Date: Tue, 23 May 2006 14:17:25 -0700

Source: tor
Source-Version: 0.1.1.20-1

We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive:

tor-dbg_0.1.1.20-1_i386.deb
  to pool/main/t/tor/tor-dbg_0.1.1.20-1_i386.deb
tor_0.1.1.20-1.diff.gz
  to pool/main/t/tor/tor_0.1.1.20-1.diff.gz
tor_0.1.1.20-1.dsc
  to pool/main/t/tor/tor_0.1.1.20-1.dsc
tor_0.1.1.20-1_i386.deb
  to pool/main/t/tor/tor_0.1.1.20-1_i386.deb
tor_0.1.1.20.orig.tar.gz
  to pool/main/t/tor/tor_0.1.1.20.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 349283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Palfrader <weasel@debian.org> (supplier of updated tor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 23 May 2006 20:16:25 +0200
Source: tor
Binary: tor-dbg tor
Architecture: source i386
Version: 0.1.1.20-1
Distribution: unstable
Urgency: low
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description: 
 tor        - anonymizing overlay network for TCP
 tor-dbg    - debugging symbols for Tor
Closes: 338797 349283
Changes: 
 tor (0.1.1.20-1) unstable; urgency=low
 .
   * New upstream stable release: The 0.1.1.x tree is now the new stable
     tree.  Upload to unstable rather than experimental.
 .
 tor (0.1.1.19-rc-1) experimental; urgency=low
 .
   * New upstream version.
   * Remove support for my nodoc DEB_BUILD_OPTIONS variable.  It clutters
     stuff and I haven't used it in ages.
   * Update debian/tor.docs file.
 .
 tor (0.1.1.18-rc-1) experimental; urgency=low
 .
   * New upstream version.
   * update debian/tor.doc:
     - no longer ship INSTALL and README files, they are useless now.
     - doc/stylesheet.css, doc/tor-doc-server.html, doc/tor-doc-unix.html,
       doc/tor-hidden-service.html, doc/tor-switchproxy.html got replaced
       by doc/website/stylesheet.css and doc/website/tor-* which is more
       or less the same, only taken from the website.  Some links are
       probably broken still, but this should get fixed eventually.
 .
 tor (0.1.1.17-rc-1) experimental; urgency=low
 .
   * New upstream version.
   * Forward port patches/07_log_to_file_by_default.
 .
 tor (0.1.1.16-rc-1) experimental; urgency=low
 .
   * New upstream version.
 .
 tor (0.1.1.15-rc-1) experimental; urgency=low
 .
   * New upstream version.
   * Apparently passing --host to configure when not cross-compiling
     is evil now and greatly confuses configure.  So don't do it unless it
     actually differs from --build host.
 .
 tor (0.1.1.14-alpha-1) experimental; urgency=low
 .
   * New upstream version.
   * Include 0.1.0.17 changelog in experimental tree.
   * doc/FAQ is no longer shipped, so remove it from debian/tor.docs.
 .
 tor (0.1.1.13-alpha-1) experimental; urgency=low
 .
   * New upstream version.
   * Forward port patches/02_add_debian_files_in_manpage.
   * Forward port patches/03_tor_manpage_in_section_8.
   * Create /var/run/tor on init script start if it does
     not exist already.
   * Set default ulimit -n to 8k instead of 4k in /etc/default/tor.
   * Print that we're raising the ulimit to stdout in the init script.
   * Add CVE numbers to past issues in the changelog where applicable.
 .
 tor (0.1.1.12-alpha-1) experimental; urgency=low
 .
   * New upstream version, that was a quick one. :)
   * Forward port patches/02_add_debian_files_in_manpage.
 .
 tor (0.1.1.11-alpha-1) experimental; urgency=low
 .
   * New upstream version.
     - Implement "entry guards": automatically choose a handful of entry
       nodes and stick with them for all circuits.  This will increase
       security dramatically against certain end-point attacks
       (closes: #349283, CVE-2006-0414).
   * Forward port patches/07_log_to_file_by_default.
   * Forward port 0.1.0.16 changelog and change to copyright file.
 .
 tor (0.1.1.10-alpha-1) experimental; urgency=low
 .
   * New upstream version.
   * doc/tor-doc.css and doc/tor-doc.html are no longer in the upstream
     tarball, remove them from debian/tor.docs.
   * add the following new files to tor.docs: doc/socks-extensions.txt,
     doc/stylesheet.css, doc/tor-doc-server.html, doc/tor-doc-unix.html
 .
 tor (0.1.1.9-alpha-1) experimental; urgency=low
 .
   * New upstream version.
   * Remove 08_add_newlines_between_serverdescriptors.dpatch.
   * Update 06_add_compile_time_defaults.dpatch
   * Use bin/bash for the init script instead of bin/sh.  We are using
     ulimit -n which is not POSIX  (closes: #338797).
   * Remove the EVENT_NOEPOLL block from etc/default/tor.
   * Add an ARGS block to etc/default/tor as suggested in #338425.
 .
 tor (0.1.1.8-alpha-1) experimental; urgency=low
 .
   * New upstream version.
   * Add patch from CVS to
     "Insert a newline between all router descriptors when generating (old
     style) signed directories, in case somebody was counting on that".
     r1.247 of dirserv.c, <20051008060243.85F41140808C@moria.seul.org>
 .
 tor (0.1.1.7-alpha-1) experimental; urgency=low
 .
   * New upstream version.
   * More merging from 0.1.0.14+XXXX:
     - The tor-dbg package does not really need its own copy of copyright
       and changelog in usr/share/doc/tor-dbg.
   * Forward port 03_tor_manpage_in_section_8.dpatch
 .
 tor (0.1.1.6-alpha-2) experimental; urgency=low
 .
   * Merge 0.1.0.14+XXXX changes.
 .
 tor (0.1.1.6-alpha-1) experimental; urgency=low
 .
   * Experimental upstream version.
 .
 tor (0.1.1.5-alpha-cvs-1) UNRELEASED; urgency=low
 .
   * Even more experimental cvs snapshot.
   * Testsuite is mandatory again.
   * Forward port 03_tor_manpage_in_section_8.dpatch
   * Forward port 06_add_compile_time_defaults.dpatch
 .
 tor (0.1.1.5-alpha-1) UNRELEASED; urgency=low
 .
   * Experimental upstream version.
   * Allow test suite to fail, it's broken in this version.
   * Update list of files from doc/ that should be installed.
   * Forward port debian/ patches.
Files: 
 4896542ee9c29fa2ea729ae101aa72b1 691 comm optional tor_0.1.1.20-1.dsc
 51aac1749ff2549e8f3e1a172dc66992 828833 comm optional tor_0.1.1.20.orig.tar.gz
 d01b4e34253285f0ca6f94aced1bda7f 69059 comm optional tor_0.1.1.20-1.diff.gz
 1e9a05f5cd8cbf8b84d97a7419275e50 779498 comm optional tor_0.1.1.20-1_i386.deb
 dec65943ffaee82ea1440936e4d9be23 411828 comm extra tor-dbg_0.1.1.20-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4-cvs (GNU/Linux)

iD8DBQFEc1fMz/ccs6+kS90RAoVnAJ4kQ5TwEll9QbsO78liDWOMW5nS5gCeLeDC
Yunv7Jbht6OCyGeIH1djLGY=
=CZBf
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.