Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: freeze-exception

Please unblock package tor.

unblock tor/0.2.3.24-rc-1

Version 0.2.3.24-rc fixes two security issues over the version currently in
testing, 0.2.3.22-rc. These issues have been assigned CVE-2012-2249 and
CVE-2012-2250.

Debian changelogs:

| tor (0.2.3.24-rc-1) unstable; urgency=high
|
|   * New upstream version:
|     - Fix a group of remotely triggerable assertion failures related to
|       incorrect link protocol negotiation. Found, diagnosed, and fixed
|       by "some guy from France". Fix for CVE-2012-2250; bugfix on
|       0.2.3.6-alpha.
|     - Fix a denial of service attack by which any directory authority
|       could crash all the others, or by which a single v2 directory
|       authority could crash everybody downloading v2 directory
|       information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
|     - and more.
|
|  -- Peter Palfrader <wea...@debian.org>  Fri, 26 Oct 2012 09:15:09 +0200
|
| tor (0.2.3.23-rc-1) unstable; urgency=low
|
|   * New upstream version:
|     o Major bugfixes (security/privacy):
|       - Disable TLS session tickets. OpenSSL's implementation was giving
|         our TLS session keys the lifetime of our TLS context objects, when
|         perfect forward secrecy would want us to discard anything that
|         could decrypt a link connection as soon as the link connection
|         was closed. Fixes bug 7139; bugfix on all versions of Tor linked
|         against OpenSSL 1.0.0 or later. Found by Florent Daignière.
|       - Discard extraneous renegotiation attempts once the V3 link
|         protocol has been initiated. Failure to do so left us open to
|         a remotely triggerable assertion failure. Fixes CVE-2012-2249;
|         bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
|       - Fix a possible crash bug when checking for deactivated circuits
|         in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
|         bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
|     For other fixes please see the upstream changelog.
|
|  -- Peter Palfrader <wea...@debian.org>  Sat, 20 Oct 2012 22:27:04 +0200

Full upstream changelog at
https://gitweb.torproject.org/tor.git/blob/release-0.2.3:/ChangeLog

I can prepare full diffs on request.

Cheers,
weasel