Your message dated Tue, 10 Feb 2009 00:02:16 +0000
with message-id <e1lwg4u-00073u...@ries.debian.org>
and subject line Bug#514580: fixed in tor 0.2.1.12-alpha-1
has caused the Debian Bug report #514580,
regarding directory mirrors can temporarily DoS clients
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
514580: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514580
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tor
Version: 0.2.0.33-1
Severity: serious

There is a denial of service attack that directory mirrors can cause in
Tor client versions 0.2.0.8 up to and including 0.2.0.33.

(directory mirrors are not especially trusted or trustworthy)

Fixed in 0.2.0.34.



--- End Message ---
--- Begin Message ---
Source: tor
Source-Version: 0.2.1.12-alpha-1

We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive:

tor-dbg_0.2.1.12-alpha-1_i386.deb
  to pool/main/t/tor/tor-dbg_0.2.1.12-alpha-1_i386.deb
tor-geoipdb_0.2.1.12-alpha-1_all.deb
  to pool/main/t/tor/tor-geoipdb_0.2.1.12-alpha-1_all.deb
tor_0.2.1.12-alpha-1.diff.gz
  to pool/main/t/tor/tor_0.2.1.12-alpha-1.diff.gz
tor_0.2.1.12-alpha-1.dsc
  to pool/main/t/tor/tor_0.2.1.12-alpha-1.dsc
tor_0.2.1.12-alpha-1_i386.deb
  to pool/main/t/tor/tor_0.2.1.12-alpha-1_i386.deb
tor_0.2.1.12-alpha.orig.tar.gz
  to pool/main/t/tor/tor_0.2.1.12-alpha.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 514...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Palfrader <wea...@debian.org> (supplier of updated tor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 10 Feb 2009 00:19:53 +0100
Source: tor
Binary: tor tor-dbg tor-geoipdb
Architecture: source all i386
Version: 0.2.1.12-alpha-1
Distribution: experimental
Urgency: low
Maintainer: Peter Palfrader <wea...@debian.org>
Changed-By: Peter Palfrader <wea...@debian.org>
Description: 
 tor        - anonymizing overlay network for TCP
 tor-dbg    - debugging symbols for Tor
 tor-geoipdb - geoIP database for Tor
Closes: 514579 514580
Changes: 
 tor (0.2.1.12-alpha-1) experimental; urgency=low
 .
   * New upstream version, fixing several security relevant bugs:
      - Avoid a potential crash on exit nodes when processing malformed
        input.  Remote DoS opportunity (closes: #514579).
      - Fix a temporary DoS vulnerability that could be performed by
        a directory mirror (closes: #514580).
   * patches/06_add_compile_time_defaults: Only set the User option in
     the config if we run as root.  Do not set it when run as debian-tor
     as Tor then always insists on changing users which will fail.  (If
     we run as any other user we don't set our debian defaults anyway.)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkmQwlQACgkQz/ccs6+kS9297wCeO37o7hQyqmb/pbmtOqETsD7o
6cIAnjIoyUX/Q1zvXDIdaTgpivJpZjV6
=kjbs
-----END PGP SIGNATURE-----



--- End Message ---
