tor onion services: remote assertion failure


Debian Bug report logs - #864424
tor onion services: remote assertion failure


Package: tor; Maintainer for tor is Peter Palfrader <weasel@debian.org>; Source for tor is src:tor (PTS, buildd, popcon).

Reported by: Peter Palfrader <weasel@debian.org>

Date: Thu, 8 Jun 2017 13:21:01 UTC

Severity: serious

Tags: security

Found in version tor/0.2.2.1-alpha-1

Fixed in versions 0.2.9.11-1~deb9u1, tor/0.2.9.11-1, tor/0.3.0.8-1, tor/0.2.5.14-1

Done: Peter Palfrader <weasel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org:
Bug#864424; Package tor. (Thu, 08 Jun 2017 13:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org. (Thu, 08 Jun 2017 13:21:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tor onion services: remote assertion failure
Date: Thu, 8 Jun 2017 13:16:27 +0000
Package: tor
Version: 0.2.2.1-alpha-1
Severity: serious
Tags: security

There is a remotely triggerable assertion failure in Tor onion services.

This is a DoS issue for any tor instance providing an onion service.
Tor in all of Debian's suites is affected.

It's tracked as TROVE-2017-005, https://bugs.torproject.org/22494, CVE-2017-0376.


[Additionally, Tor in experimental is affected by TROVE-2017-004,
 https://bugs.torproject.org/22493 CVE-2017-0375.]
-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/



Reply sent to Peter Palfrader <weasel@debian.org>:
You have taken responsibility. (Thu, 08 Jun 2017 18:39:03 GMT) (full text, mbox, link).


Notification sent to Peter Palfrader <weasel@debian.org>:
Bug acknowledged by developer. (Thu, 08 Jun 2017 18:39:03 GMT) (full text, mbox, link).


Message #10 received at 864424-close@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>
To: 864424-close@bugs.debian.org
Subject: Bug#864424: fixed in tor 0.2.9.11-1
Date: Thu, 08 Jun 2017 18:35:00 +0000
Source: tor
Source-Version: 0.2.9.11-1

We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Palfrader <weasel@debian.org> (supplier of updated tor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Jun 2017 18:48:46 +0200
Source: tor
Binary: tor tor-dbg tor-geoipdb
Architecture: source
Version: 0.2.9.11-1
Distribution: unstable
Urgency: high
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description:
 tor        - anonymizing overlay network for TCP
 tor-dbg    - debugging symbols for Tor
 tor-geoipdb - GeoIP database for Tor
Closes: 864424
Changes:
 tor (0.2.9.11-1) unstable; urgency=high
 .
   * New upstream version.
     - Fix a remotely triggerable assertion failure caused by receiving a
       BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
       22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
       on 0.2.2.1-alpha.  (closes: #864424)




Reply sent to Peter Palfrader <weasel@debian.org>:
You have taken responsibility. (Thu, 08 Jun 2017 21:09:06 GMT) (full text, mbox, link).


Notification sent to Peter Palfrader <weasel@debian.org>:
Bug acknowledged by developer. (Thu, 08 Jun 2017 21:09:06 GMT) (full text, mbox, link).


Message #15 received at 864424-close@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>
To: 864424-close@bugs.debian.org
Subject: Bug#864424: fixed in tor 0.3.0.8-1
Date: Thu, 08 Jun 2017 21:08:29 +0000
Source: tor
Source-Version: 0.3.0.8-1

We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Palfrader <weasel@debian.org> (supplier of updated tor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Jun 2017 21:42:54 +0200
Source: tor
Binary: tor tor-dbg tor-geoipdb
Architecture: source
Version: 0.3.0.8-1
Distribution: experimental
Urgency: medium
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description:
 tor        - anonymizing overlay network for TCP
 tor-dbg    - debugging symbols for Tor
 tor-geoipdb - GeoIP database for Tor
Closes: 864424
Changes:
 tor (0.3.0.8-1) experimental; urgency=medium
 .
   * New upstream version.
     - Fix a remotely triggerable assertion failure when a hidden service
       handles a malformed BEGIN cell. Fixes bug 22493, tracked as
       TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
     - Fix a remotely triggerable assertion failure caused by receiving a
       BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
       22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
       on 0.2.2.1-alpha.  (closes: #864424)




Marked as fixed in versions 0.2.9.11-1~deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 10 Jun 2017 04:30:02 GMT) (full text, mbox, link).


Reply sent to Peter Palfrader <weasel@debian.org>:
You have taken responsibility. (Sat, 24 Jun 2017 21:21:23 GMT) (full text, mbox, link).


Notification sent to Peter Palfrader <weasel@debian.org>:
Bug acknowledged by developer. (Sat, 24 Jun 2017 21:21:23 GMT) (full text, mbox, link).


Message #22 received at 864424-close@bugs.debian.org (full text, mbox, reply):

From: Peter Palfrader <weasel@debian.org>
To: 864424-close@bugs.debian.org
Subject: Bug#864424: fixed in tor 0.2.5.14-1
Date: Sat, 24 Jun 2017 21:19:19 +0000
Source: tor
Source-Version: 0.2.5.14-1

We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864424@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Palfrader <weasel@debian.org> (supplier of updated tor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 08 Jun 2017 20:19:22 +0200
Source: tor
Binary: tor tor-dbg tor-geoipdb
Architecture: source all
Version: 0.2.5.14-1
Distribution: jessie-security
Urgency: medium
Maintainer: Peter Palfrader <weasel@debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description:
 tor        - anonymizing overlay network for TCP
 tor-dbg    - debugging symbols for Tor
 tor-geoipdb - GeoIP database for Tor
Closes: 864424
Changes:
 tor (0.2.5.14-1) jessie-security; urgency=medium
 .
   * New upstream version, fixing a hidden service related Denial of
     Service bug:
     - Fix a remotely triggerable assertion failure caused by receiving a
       BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
       22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
       on 0.2.2.1-alpha.  (closes: #864424)
   * The previous release, 0.2.5.13, already incorporates the changes made in
     Debian's updates of the 0.2.5.12 version.  Therefore, drop
     - debian/patches/tor-bug-20384-TROVE-2016-10-001
     - debian/patches/tor-bug-21018-TROVE-2016-12-002-CVE-2016-1254
     - debian/patches/update-authority-set




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 23 Jul 2017 07:27:36 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:02:58 2019; Machine Name: buxtehude
