Hi, whonix-gw apparently uses tor 0.2.8.10, the latest 0.2.8.x version being 0.2.8.12 (released 2016-12-19).
Why is it not updated? I guess there is very little risk in upgrading from 0.2.8.10 to 0.2.8.12. I'm using a default whonix-gw template with deb http://deb.whonix.org jessie main >From the tor 0.2.8.12 changelog: > o Major bugfixes (parsing, security, backported from 0.2.9.8): > - Fix a bug in parsing that could cause clients to read a single > byte past the end of an allocated region. This bug could be used > to cause hardened clients (built with --enable-expensive-hardening) > to crash if they tried to visit a hostile hidden service. Non- > hardened clients are only affected depending on the details of > their platform's memory allocator. Fixes bug 21018; bugfix on > 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- > 2016-12-002 and as CVE-2016-1254. https://deb.whonix.org/dists/jessie/main/binary-amd64/Packages: > > Package: tor > Version: 0.2.8.10-1~d80.jessie+1 > Architecture: amd64 > Maintainer: Peter Palfrader <wea...@debian.org> > Installed-Size: 3935 [...] > Priority: optional > Section: net > Filename: pool/main/t/tor/tor_0.2.8.10-1~d80.jessie+1_amd64.deb > Size: 1422520 > SHA256: b36f5e8fc4590f6fa8431e7114fb187ce9f892f406b9bc55cdf28ef611320f89 > SHA1: afb6720c65df114b772d02554f563fdbb385b7b7 > MD5sum: 7a9c9fd5616f51eec6420d3254273ee3 -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/6c79649b-0b96-1696-f94c-08203fdce167%40openmailbox.org. For more options, visit https://groups.google.com/d/optout.
signature.asc
Description: OpenPGP digital signature
