Debian Bug report logs - #869153
tor: CVE-2017-11565: aa-exec is not longer in /usr/sbin and now apparmor is silently scraped
Reported by: Luciano Bello <luciano@debian.org>
Date: Fri, 21 Jul 2017 01:15:01 UTC
Severity: normal
Tags: patch, security
Found in versions tor/0.2.9.11-1~deb9u1, tor/0.2.9.10-1, tor/0.2.9.8-2
Fixed in version tor/0.3.1.5-alpha-2
Done: Peter Palfrader <weasel@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Peter Palfrader <weasel@debian.org>: Bug#869153; Package src:tor. (Fri, 21 Jul 2017 01:15:04 GMT)
Acknowledgement sent to Luciano Bello <luciano@debian.org>: New Bug report received and forwarded. Copy sent to Peter Palfrader <weasel@debian.org>. (Fri, 21 Jul 2017 01:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: tor
Version: 0.2.9.11-1~deb9u1
Severity: important
Tags: security patch
Hi Peter,
I got this report[1]
aa-exec is not in /usr/sbin anymore, at least not in every arch [2].
Cheers, luciano
[1] https://twitter.com/pissquark/status/888142796414226432
[2] https://packages.debian.org/search?searchon=contents&keywords=bin%2Faa-exec&mode=path&suite=unstable&arch=any
Marked as found in versions tor/0.2.9.10-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Jul 2017 05:03:03 GMT)
Marked as found in versions tor/0.2.9.8-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Jul 2017 05:09:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Palfrader <weasel@debian.org>: Bug#869153; Package src:tor. (Fri, 21 Jul 2017 05:12:09 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Palfrader <weasel@debian.org>. (Fri, 21 Jul 2017 05:12:09 GMT)
Message #14 received at 869153@bugs.debian.org:
Hi
On Thu, Jul 20, 2017 at 09:12:31PM -0400, Luciano Bello wrote:
> Source: tor
> Version: 0.2.9.11-1~deb9u1
> Severity: important
> Tags: security patch
>
> Hi Peter,
> I got this report[1]
> aa-exec is not in /usr/sbin anymore, at least not in every arch [2].
Just as additional information. This should not affect default
installations of Stretch, as in those cases with systemd as init
system, the provided unit is used.
(But needs to be double-checked).
Regards,
Salvatore
Severity set to 'normal' from 'important'. Request was from Peter Palfrader <weasel@debian.org> to control@bugs.debian.org. (Fri, 21 Jul 2017 06:15:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Palfrader <weasel@debian.org>: Bug#869153; Package src:tor. (Mon, 24 Jul 2017 04:27:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Palfrader <weasel@debian.org>. (Mon, 24 Jul 2017 04:27:02 GMT)
Message #21 received at 869153@bugs.debian.org:
Control: retitle -1 tor: CVE-2017-11565: aa-exec is not longer in /usr/sbin and now apparmor is silently scraped
Hi
Someone requested a CVE for the issue in the init script. It got
assigned CVE-2017-11565. We do not need a DSA for it, but any fix can
still be done either via a point release or included in a
future tor DSA.
Regards,
Salvatore
Changed Bug title to 'tor: CVE-2017-11565: aa-exec is not longer in /usr/sbin and now apparmor is silently scraped' from 'aa-exec is not longer in /usr/sbin and now apparmor is silently scraped'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 869153-submit@bugs.debian.org. (Mon, 24 Jul 2017 04:27:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#869153; Package src:tor. (Mon, 24 Jul 2017 05:51:02 GMT)
Acknowledgement sent to Peter Palfrader <weasel@debian.org>: Extra info received and forwarded to list. (Mon, 24 Jul 2017 05:51:03 GMT)
Message #28 received at 869153@bugs.debian.org:
On Mon, 24 Jul 2017, Salvatore Bonaccorso wrote:
> Someone requested a CVE for the issue in the init script. It got
> assigned CVE-2017-11565. We do not need a DSA for it, but any fix can
> still be done either via a point release or included in a
> future tor DSA.
The more likely way forward is to disable apparmor support since it
breaks a number of use-cases. It's not clear what this does to that
CVE, but *shrugs*
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Palfrader <weasel@debian.org>: Bug#869153; Package src:tor. (Mon, 24 Jul 2017 07:03:02 GMT)
Acknowledgement sent to intrigeri <intrigeri@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Palfrader <weasel@debian.org>. (Mon, 24 Jul 2017 07:03:03 GMT)
Message #33 received at 869153@bugs.debian.org:
Peter Palfrader:
> The more likely way forward is to disable apparmor support since it
> breaks a number of use-cases.
:/
I've tried as hard as I could to avoid this, and to resolve breakage
in a timely manner when it was identified. FTR I'm happy to keep doing
that for the foreseeable future: I'll do this work for Tails anyway,
and I'd rather do it directly in Debian than maintaining a delta. Now,
the outcome of this work is not good enough and you prefer to drop
AppArmor support, well, so be it, that's obviously your call.
Cheers,
--
intrigeri
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#869153; Package src:tor. (Mon, 24 Jul 2017 07:09:05 GMT)
Acknowledgement sent to Peter Palfrader <weasel@debian.org>: Extra info received and forwarded to list. (Mon, 24 Jul 2017 07:09:05 GMT)
Message #43 received at 869153@bugs.debian.org:
On Mon, 24 Jul 2017, intrigeri wrote:
> Peter Palfrader:
> > The more likely way forward is to disable apparmor support since it
> > breaks a number of use-cases.
>
> :/
>
> I've tried as hard as I could to avoid this, and to resolve breakage
> in a timely manner when it was identified. FTR I'm happy to keep doing
> that for the foreseeable future: I'll do this work for Tails anyway,
> and I'd rather do it directly in Debian than maintaining a delta. Now,
> the outcome of this work is not good enough and you prefer to drop
> AppArmor support, well, so be it, that's obviously your call.
I'm considering it at least. We'll see. (I think there's at least one
issue that came up recently that isn't in the BTS yet. I'll file a bug
when I get around to it.)
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Palfrader <weasel@debian.org>: Bug#869153; Package src:tor. (Thu, 03 Aug 2017 13:27:03 GMT)
Acknowledgement sent to intrigeri <intrigeri@debian.org>: Extra info received and forwarded to list. Copy sent to Peter Palfrader <weasel@debian.org>. (Thu, 03 Aug 2017 13:27:03 GMT)
Message #48 received at 869153@bugs.debian.org:
Peter Palfrader:
> (I think there's at least one issue that came up recently that isn't
> in the BTS yet. I'll file a bug when I get around to it.)
Yes, please :)
Cheers,
--
intrigeri
Added tag(s) pending. Request was from Peter Palfrader <weasel@debian.org> to control@bugs.debian.org. (Sat, 19 Aug 2017 08:33:07 GMT)
Reply sent to Peter Palfrader <weasel@debian.org>: You have taken responsibility. (Sun, 20 Aug 2017 10:21:16 GMT)
Notification sent to Luciano Bello <luciano@debian.org>: Bug acknowledged by developer. (Sun, 20 Aug 2017 10:21:16 GMT)
Message #55 received at 869153-close@bugs.debian.org:
Source: tor
Source-Version: 0.3.1.5-alpha-2
We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 869153@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Palfrader <weasel@debian.org> (supplier of updated tor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 19 Aug 2017 10:21:30 +0200
Source: tor
Binary: tor tor-geoipdb
Architecture: source
Version: 0.3.1.5-alpha-2
Distribution: experimental
Urgency: medium
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description:
tor - anonymizing overlay network for TCP
tor-geoipdb - GeoIP database for Tor
Closes: 867342 869153
Changes:
tor (0.3.1.5-alpha-2) experimental; urgency=medium
.
* apparmor: use Pix instead of PUx for obfs4proxy, giving us
better confinement of the child process while actually working
with systemd's NoNewPrivileges. (closes: #867342)
* Do not rely on aa-exec and aa-enabled being in /usr/sbin in the
SysV init script. This change enables apparmor confinement
on some system-V systems again. (closes: #869153)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 23 Oct 2017 07:28:41 GMT)
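The failure mode discussed in this bug, as an added example that is not part of the bug log and is not the tor package's init script: a start-up wrapper that tests one fixed path for aa-exec, beside one that searches several directories and reports a miss, plus a post-start check of the label a process actually runs under. The function names, the profile name `example_profile` and the temporary directory tree are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added illustration; not the Debian tor init script. The profile name and
# function names are placeholders. $1 is a filesystem root ("" on a live host).
PROFILE=example_profile

# Fragile: one fixed location decides whether confinement is applied. If the
# helper lives elsewhere, the wrapper is empty and nothing is reported.
wrapper_fixed_path() {
    if [ -x "$1/usr/sbin/aa-exec" ]; then
        echo "$1/usr/sbin/aa-exec -p $PROFILE --"
    fi
}

# Sturdier: search the usual directories and tell the caller when the helper
# is missing, so the skip is never silent.
wrapper_search() {
    for aa_dir in usr/sbin usr/bin sbin bin; do
        if [ -x "$1/$aa_dir/aa-exec" ]; then
            echo "$1/$aa_dir/aa-exec -p $PROFILE --"
            return 0
        fi
    done
    echo "aa-exec not found: daemon would start without AppArmor" >&2
    return 1
}

# Post-start check: classify the label the kernel reports for a process.
# On a live system the argument is /proc/<pid>/attr/current.
confinement_state() {
    aa_label=$(cat "$1" 2>/dev/null) || { echo unknown; return 0; }
    case $aa_label in
        unconfined)    echo unconfined ;;
        *"(enforce)")  echo enforced ;;
        *"(complain)") echo complain ;;
        *)             echo unknown ;;
    esac
}

# Constructed sample tree: aa-exec exists only under usr/bin.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin"
printf '#!/bin/sh\n' > "$demo_root/usr/bin/aa-exec"
chmod +x "$demo_root/usr/bin/aa-exec"
echo unconfined > "$demo_root/attr_current"
echo "fixed path wrapper: '$(wrapper_fixed_path "$demo_root")'"
echo "searched wrapper:   '$(wrapper_search "$demo_root")'"
echo "process state:      $(confinement_state "$demo_root/attr_current")"
```

Checking the running daemon's label after start catches the silent skip regardless of how the wrapper was chosen.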