--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Just like #882228 for stretch, I would like to update tor in jessie
to the maintenance update released by upstream.
In particular, the update of the directory authority set is relevant.
Please let me know if I may upload my 0.2.5.15 packages.
A debdiff (where I removed the large geoipdb diff) is attached.
Cheers,
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
diff -Nru tor-0.2.5.14/ChangeLog tor-0.2.5.15/ChangeLog
--- tor-0.2.5.14/ChangeLog 2017-06-08 15:46:39.000000000 +0200
+++ tor-0.2.5.15/ChangeLog 2017-10-25 14:06:39.000000000 +0200
@@ -1,3 +1,48 @@
+Changes in version 0.2.5.15 - 2017-10-25
+ Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
+ series. It also adds a new directory authority, Bastet.
+
+ Note: the Tor 0.2.5 series will no longer be supported after 1 May
+ 2018. If you need a release with long-term support, please upgrade to
+ the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
+
+ o Directory authority changes:
+ - Add "Bastet" as a ninth directory authority to the default list.
+ Closes ticket 23910.
+ - The directory authority "Longclaw" has changed its IP address.
+ Closes ticket 23592.
+
+ o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
+ - Avoid an assertion failure bug affecting our implementation of
+ inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
+ handling of "0xx" differs from what we had expected. Fixes bug
+ 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (defensive programming, undefined behavior, backport from
0.3.1.4-alpha):
+ - Fix a memset() off the end of an array when packing cells. This
+ bug should be harmless in practice, since the corrupted bytes are
+ still in the same structure, and are always padding bytes,
+ ignored, or immediately overwritten, depending on compiler
+ behavior. Nevertheless, because the memset()'s purpose is to make
+ sure that any other cell-handling bugs can't expose bytes to the
+ network, we need to fix it. Fixes bug 22737; bugfix on
+ 0.2.4.11-alpha. Fixes CID 1401591.
+
+ o Build features (backport from 0.3.1.5-alpha):
+ - Tor's repository now includes a Travis Continuous Integration (CI)
+ configuration file (.travis.yml). This is meant to help new
+ developers and contributors who fork Tor to a Github repository be
+ better able to test their changes, and understand what we expect
+ to pass. To use this new build feature, you must fork Tor to your
+ Github account, then go into the "Integrations" menu in the
+ repository settings for your fork and enable Travis, then push
+ your changes. Closes ticket 22636.
+
+
Changes in version 0.2.5.14 - 2017-06-08
Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to
remotely crash a hidden service with an assertion failure. Anyone
diff -Nru tor-0.2.5.14/ReleaseNotes tor-0.2.5.15/ReleaseNotes
--- tor-0.2.5.14/ReleaseNotes 2017-06-08 15:46:45.000000000 +0200
+++ tor-0.2.5.15/ReleaseNotes 2017-10-25 14:06:44.000000000 +0200
@@ -2,6 +2,50 @@
of Tor. If you want to see more detailed descriptions of the changes in
each development snapshot, see the ChangeLog file.
+Changes in version 0.2.5.15 - 2017-10-25
+ Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
+ series. It also adds a new directory authority, Bastet.
+
+ Note: the Tor 0.2.5 series will no longer be supported after 1 May
+ 2018. If you need a release with long-term support, please upgrade to
+ the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
+
+ o Directory authority changes:
+ - Add "Bastet" as a ninth directory authority to the default list.
+ Closes ticket 23910.
+ - The directory authority "Longclaw" has changed its IP address.
+ Closes ticket 23592.
+
+ o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
+ - Avoid an assertion failure bug affecting our implementation of
+ inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
+ handling of "0xx" differs from what we had expected. Fixes bug
+ 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (defensive programming, undefined behavior, backport from
0.3.1.4-alpha):
+ - Fix a memset() off the end of an array when packing cells. This
+ bug should be harmless in practice, since the corrupted bytes are
+ still in the same structure, and are always padding bytes,
+ ignored, or immediately overwritten, depending on compiler
+ behavior. Nevertheless, because the memset()'s purpose is to make
+ sure that any other cell-handling bugs can't expose bytes to the
+ network, we need to fix it. Fixes bug 22737; bugfix on
+ 0.2.4.11-alpha. Fixes CID 1401591.
+
+ o Build features (backport from 0.3.1.5-alpha):
+ - Tor's repository now includes a Travis Continuous Integration (CI)
+ configuration file (.travis.yml). This is meant to help new
+ developers and contributors who fork Tor to a Github repository be
+ better able to test their changes, and understand what we expect
+ to pass. To use this new build feature, you must fork Tor to your
+ Github account, then go into the "Integrations" menu in the
+ repository settings for your fork and enable Travis, then push
+ your changes. Closes ticket 22636.
+
Changes in version 0.2.5.14 - 2017-06-08
Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to
diff -Nru tor-0.2.5.14/configure tor-0.2.5.15/configure
--- tor-0.2.5.14/configure 2017-06-08 15:48:36.000000000 +0200
+++ tor-0.2.5.15/configure 2017-10-24 15:14:16.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for tor 0.2.5.14.
+# Generated by GNU Autoconf 2.69 for tor 0.2.5.15.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -577,8 +577,8 @@
# Identity of this package.
PACKAGE_NAME='tor'
PACKAGE_TARNAME='tor'
-PACKAGE_VERSION='0.2.5.14'
-PACKAGE_STRING='tor 0.2.5.14'
+PACKAGE_VERSION='0.2.5.15'
+PACKAGE_STRING='tor 0.2.5.15'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1374,7 +1374,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures tor 0.2.5.14 to adapt to many kinds of systems.
+\`configure' configures tor 0.2.5.15 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1444,7 +1444,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of tor 0.2.5.14:";;
+ short | recursive ) echo "Configuration of tor 0.2.5.15:";;
esac
cat <<\_ACEOF
@@ -1593,7 +1593,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-tor configure 0.2.5.14
+tor configure 0.2.5.15
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2298,7 +2298,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by tor $as_me 0.2.5.14, which was
+It was created by tor $as_me 0.2.5.15, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3163,7 +3163,7 @@
# Define the identity of the package.
PACKAGE='tor'
- VERSION='0.2.5.14'
+ VERSION='0.2.5.15'
cat >>confdefs.h <<_ACEOF
@@ -13221,7 +13221,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by tor $as_me 0.2.5.14, which was
+This file was extended by tor $as_me 0.2.5.15, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -13287,7 +13287,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //;
s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-tor config.status 0.2.5.14
+tor config.status 0.2.5.15
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -Nru tor-0.2.5.14/configure.ac tor-0.2.5.15/configure.ac
--- tor-0.2.5.14/configure.ac 2017-06-08 15:29:49.000000000 +0200
+++ tor-0.2.5.15/configure.ac 2017-10-24 15:10:42.000000000 +0200
@@ -3,7 +3,7 @@
dnl Copyright (c) 2007-2013, The Tor Project, Inc.
dnl See LICENSE for licensing information
-AC_INIT([tor],[0.2.5.14])
+AC_INIT([tor],[0.2.5.15])
AC_CONFIG_SRCDIR([src/or/main.c])
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE
diff -Nru tor-0.2.5.14/contrib/win32build/tor-mingw.nsi.in
tor-0.2.5.15/contrib/win32build/tor-mingw.nsi.in
--- tor-0.2.5.14/contrib/win32build/tor-mingw.nsi.in 2017-06-08
15:29:49.000000000 +0200
+++ tor-0.2.5.15/contrib/win32build/tor-mingw.nsi.in 2017-10-24
15:10:42.000000000 +0200
@@ -8,7 +8,7 @@
!include "LogicLib.nsh"
!include "FileFunc.nsh"
!insertmacro GetParameters
-!define VERSION "0.2.5.14"
+!define VERSION "0.2.5.15"
!define INSTALLER "tor-${VERSION}-win32.exe"
!define WEBSITE "https://www.torproject.org/"
!define LICENSE "LICENSE"
diff -Nru tor-0.2.5.14/debian/changelog tor-0.2.5.15/debian/changelog
--- tor-0.2.5.14/debian/changelog 2017-11-20 17:40:51.000000000 +0100
+++ tor-0.2.5.15/debian/changelog 2017-11-20 17:40:51.000000000 +0100
@@ -1,3 +1,10 @@
+tor (0.2.5.15-1) jessie; urgency=medium
+
+ * New upstream version:
+ - update directory authority set
+
+ -- Peter Palfrader <wea...@debian.org> Mon, 20 Nov 2017 17:04:17 +0100
+
tor (0.2.5.14-1) jessie-security; urgency=medium
* New upstream version, fixing a hidden service related Denial of
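Review bot: the new debian/changelog entry lists only "update directory authority set", but the upstream ChangeLog in this same debdiff also carries the memset() fix when packing cells (bug 22737) and the inet_pton(AF_INET6) assertion fix tracked as TROVE-2017-007. Suggest adding one bullet per backported fix under "New upstream version", so the stable-update record shows everything that changes for jessie users, even where a fix is described as harmless in practice or specific to OpenBSD.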
diff -Nru tor-0.2.5.14/debian/micro-revision.i
tor-0.2.5.15/debian/micro-revision.i
--- tor-0.2.5.14/debian/micro-revision.i 2017-11-20 17:40:51.000000000
+0100
+++ tor-0.2.5.15/debian/micro-revision.i 2017-11-20 17:40:51.000000000
+0100
@@ -1 +1 @@
-"4c928d615a084648"
+"aeff6ea06eeee57f"
diff -Nru tor-0.2.5.14/src/common/compat.c tor-0.2.5.15/src/common/compat.c
--- tor-0.2.5.14/src/common/compat.c 2017-03-05 01:44:18.000000000 +0100
+++ tor-0.2.5.15/src/common/compat.c 2017-07-05 19:43:31.000000000 +0200
@@ -2332,8 +2332,12 @@
char *next;
ssize_t len;
long r = strtol(src, &next, 16);
- tor_assert(next != NULL);
- tor_assert(next != src);
+ if (next == NULL || next == src) {
+ /* The 'next == src' error case can happen on versions of openbsd
+ * where treats "0xfoo" as an error, rather than as "0" followed by
+ * "xfoo". */
+ return 0;
+ }
len = *next == '\0' ? eow - src : next - src;
if (len > 4)
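Review bot: the added comment in the new "if (next == NULL || next == src)" block reads "on versions of openbsd where treats "0xfoo" as an error", which is missing its subject. It should name the function, for example "where strtol() treats "0xfoo" as an error". Since two tor_assert() calls become a plain "return 0", the comment could also state that 0 is the parse-failure result here, which is what the new test_pton6_bad() cases in src/test/test_addr.c rely on.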
diff -Nru tor-0.2.5.14/src/config/geoip tor-0.2.5.15/src/config/geoip
--- tor-0.2.5.14/src/config/geoip 2017-05-08 14:08:01.000000000 +0200
+++ tor-0.2.5.15/src/config/geoip 2017-10-05 17:03:35.000000000 +0200
[cut]
diff -Nru tor-0.2.5.14/src/config/geoip6 tor-0.2.5.15/src/config/geoip6
--- tor-0.2.5.14/src/config/geoip6 2017-05-08 14:08:01.000000000 +0200
+++ tor-0.2.5.15/src/config/geoip6 2017-10-05 17:03:35.000000000 +0200
[cut]
diff -Nru tor-0.2.5.14/src/or/config.c tor-0.2.5.15/src/or/config.c
--- tor-0.2.5.14/src/or/config.c 2017-03-05 01:44:19.000000000 +0100
+++ tor-0.2.5.15/src/or/config.c 2017-10-23 15:03:58.000000000 +0200
@@ -872,7 +872,10 @@
"154.35.175.225:80 CF6D 0AAF B385 BE71 B8E1 11FC 5CFF 4B47 9237 33BC",
"longclaw orport=443 "
"v3ident=23D15D965BC35114467363C165C4F724B64B4F66 "
- "199.254.238.52:80 74A9 1064 6BCE EFBC D2E8 74FC 1DC9 9743 0F96 8145",
+ "199.58.81.140:80 74A9 1064 6BCE EFBC D2E8 74FC 1DC9 9743 0F96 8145",
+ "bastet orport=443 "
+ "v3ident=27102BC123E7AF1D4741AE047E160C91ADC76B21 "
+ "204.13.164.118:80 24E2 F139 121D 4394 C54B 5BCC 368B 3B41 1857 C413",
NULL
};
for (i=0; authorities[i]; i++) {
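Review bot: the added "bastet" entry puts a new v3ident and identity fingerprint into the default authority list, and nothing in the hunk lets a reader check those values. Before upload, compare the three added string lines byte for byte against the upstream 0.2.5.15 source and the ticket cited in the ChangeLog (23910), because a typo in either hex string would not be caught at build time. The longclaw line changes only the address and keeps the v3ident and fingerprint, which matches the ChangeLog entry for ticket 23592.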
diff -Nru tor-0.2.5.14/src/or/connection_or.c
tor-0.2.5.15/src/or/connection_or.c
--- tor-0.2.5.14/src/or/connection_or.c 2017-03-05 01:44:19.000000000 +0100
+++ tor-0.2.5.15/src/or/connection_or.c 2017-06-27 17:04:44.000000000 +0200
@@ -427,9 +427,11 @@
set_uint32(dest, htonl(src->circ_id));
dest += 4;
} else {
+ /* Clear the last two bytes of dest, in case we can accidentally
+ * send them to the network somehow. */
+ memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2);
set_uint16(dest, htons(src->circ_id));
dest += 2;
- memset(dest+CELL_MAX_NETWORK_SIZE-2, 0, 2); /*make sure it's clear */
}
set_uint8(dest, src->command);
memcpy(dest+1, src->payload, CELL_PAYLOAD_SIZE);
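Review bot: the relocated memset() in the else branch is only correct while dest still points at the start of the output buffer, and the new comment explains why the bytes are cleared but not why the call must come before "dest += 2". The removed line ran after the increment, so the same expression landed two bytes further on, which is the write off the end that the ChangeLog describes. Suggest extending the comment to say the memset must stay ahead of the pointer advance, so a later cleanup does not move it back.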
diff -Nru tor-0.2.5.14/src/or/or_sha1.i tor-0.2.5.15/src/or/or_sha1.i
--- tor-0.2.5.14/src/or/or_sha1.i 2017-06-08 15:48:47.000000000 +0200
+++ tor-0.2.5.15/src/or/or_sha1.i 2017-10-24 15:22:02.000000000 +0200
@@ -11,11 +11,11 @@
"a82a548f2c4b3ccc43e3c103ece17d0c80b177f0 src/or/circuitstats.c\n"
"0141da9f2ba23098d5990718db74ec69c859ee5d src/or/circuituse.c\n"
"a8a3d65652c8065781af4b59f58bfe9f115e5e5f src/or/command.c\n"
-"2cc49a7b07cb8b04c8ee9655aca6ab72ca2cdc3a src/or/config.c\n"
+"b6521bea17011694b9b4b84887f9fa1a86e734e0 src/or/config.c\n"
"c086c476b2eb3f7402af9a0cce916698e3f3ddca src/or/confparse.c\n"
"9c0f1c773f6ee700f3b411a2c819a5b8fdbfa0a6 src/or/connection.c\n"
"df931abd1e409feed69061eb507ea6b8eaef9d6b src/or/connection_edge.c\n"
-"bf4a024b61b2f3d4c326348ce9b28f3b935225d1 src/or/connection_or.c\n"
+"192d13d0cd386ec2165e5c02362cb87b9f19d68f src/or/connection_or.c\n"
"2f9f1710090afa3b1220f518ccf7e4aed54e2e30 src/or/control.c\n"
"65592635d55623efafe87cad9eb8eeb770edbaa2 src/or/cpuworker.c\n"
"f08745f29b0d0fa4fdf5a111be45502e9468c6b1 src/or/directory.c\n"
diff -Nru tor-0.2.5.14/src/test/test_addr.c tor-0.2.5.15/src/test/test_addr.c
--- tor-0.2.5.14/src/test/test_addr.c 2017-03-05 01:44:19.000000000 +0100
+++ tor-0.2.5.15/src/test/test_addr.c 2017-07-05 19:43:31.000000000 +0200
@@ -349,6 +349,15 @@
test_pton6_bad("1.2.3.4");
test_pton6_bad(":1.2.3.4");
test_pton6_bad(".2.3.4");
+ /* Regression tests for 22789. */
+ test_pton6_bad("0xfoo");
+ test_pton6_bad("0x88");
+ test_pton6_bad("0xyxxy");
+ test_pton6_bad("0XFOO");
+ test_pton6_bad("0X88");
+ test_pton6_bad("0XYXXY");
+ test_pton6_bad("0x");
+ test_pton6_bad("0X");
/* test internal checking */
test_external_ip("fbff:ffff::2:7", 0);
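Review bot: every added test_pton6_bad() case puts the "0x" or "0X" prefix at the very start of the string, so the regression tests for 22789 exercise only the first group of the address. If the parser reaches the same strtol() call for later groups, consider adding a case with the prefix after a colon, so the new "next == src" return path is covered mid-address as well.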
diff -Nru tor-0.2.5.14/src/win32/orconfig.h tor-0.2.5.15/src/win32/orconfig.h
--- tor-0.2.5.14/src/win32/orconfig.h 2017-06-08 15:29:49.000000000 +0200
+++ tor-0.2.5.15/src/win32/orconfig.h 2017-10-24 15:10:42.000000000 +0200
@@ -241,7 +241,7 @@
#define USING_TWOS_COMPLEMENT
/* Version number of package */
-#define VERSION "0.2.5.14"
+#define VERSION "0.2.5.15"
--- End Message ---