[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-28 Thread Seth Arnold 
Thanks Simon!

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-21 Thread Launchpad Bug Tracker 
This bug was fixed in the package tor - 0.3.0.13-0ubuntu1~17.10.1

---
tor (0.3.0.13-0ubuntu1~17.10.1) artful; urgency=medium

  [ Peter Palfrader ]
  * Change "AppArmorProfile=system_tor" to AppArmorProfile=-system_tor,
causing all errors while switching to the new apparmor profile to
be ignored.  This is not ideal, but for now it's probably the
best solution. Thanks to intrigeri; closes: #880490.

  [ Simon Deziel ]
  * New upstream version: 0.3.0.13 (LP: #1731698)
- Fix a denial of service bug where an attacker could use a
  malformed directory object to cause a Tor instance to pause while
  OpenSSL would try to read a passphrase from the terminal. (Tor
  instances run without a terminal, which is the case for most Tor
  packages, are not impacted.) Fixes bug 24246; bugfix on every
  version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
  Found by OSS-Fuzz as testcase 6360145429790720.
- Fix a denial of service issue where an attacker could crash a
  directory authority using a malformed router descriptor. Fixes bug
  24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
  and CVE-2017-8820.
- When checking for replays in the INTRODUCE1 cell data for a
  (legacy) onion service, correctly detect replays in the RSA-
  encrypted part of the cell. We were previously checking for
  replays on the entire cell, but those can be circumvented due to
  the malleability of Tor's legacy hybrid encryption. This fix helps
  prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
  0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
  and CVE-2017-8819.
- Fix a use-after-free error that could crash v2 Tor onion services
  when they failed to open circuits while expiring introduction
  points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
  also tracked as TROVE-2017-013 and CVE-2017-8823.
- When running as a relay, make sure that we never build a path
  through ourselves, even in the case where we have somehow lost the
  version of our descriptor appearing in the consensus. Fixes part
  of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
  as TROVE-2017-012 and CVE-2017-8822.
- When running as a relay, make sure that we never choose ourselves
  as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
  issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
  * New upstream version: 0.3.0.12
- Directory authority changes
  * New upstream version: 0.3.0.11
- Fix TROVE-2017-008: Stack disclosure in hidden services logs when
  SafeLogging disabled (CVE-2017-0380)
  * debian/rules: stop overriding micro-revision.i

tor (0.3.0.10-2) UNRELEASED; urgency=medium

  * apparmor: use Pix instead of PUx for obfs4proxy, giving us
better confinement of the child process while actually working
with systemd's NoNewPrivileges.  (closes: #867342)
  * Drop versioned dependency on binutils.  The version is already
newer in all supported Debian and Ubuntu trees, and binutils
is in the transitive dependency set of build-essential.
Patch by Helmut Grohne.  (closes: #873127)
  * Do not rely on aa-exec and aa-enabled being in /usr/sbin in the
SysV init script.  This change enables apparmor confinement
on some system-V systems again.  (closes: #869153)

 -- Simon Deziel   Sun, 14 Jan 2018 14:15:21 -0500

** Changed in: tor (Ubuntu Artful)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-21 Thread Launchpad Bug Tracker 
This bug was fixed in the package tor - 0.2.9.14-1ubuntu1~16.04.1

---
tor (0.2.9.14-1ubuntu1~16.04.1) xenial; urgency=medium

  [ Peter Palfrader ]
  * apparmor: use Pix instead of PUx for obfs4proxy, giving us
better confinement of the child process while actually working
with systemd's NoNewPrivileges.  (closes: #867342)
  * Do not rely on aa-exec and aa-enabled being in /usr/sbin in the
SysV init script.  This change enables apparmor confinement
on some system-V systems again.  (closes: #869153)
  * Update apparmor profile: replace CAP_DAC_OVERRIDE with
CAP_DAC_READ_SEARCH to match the systemd capability bounding set
changed with 0.3.0.4-rc-1.  This change will allow tor to start
again under apparmor if hidden services are configured.
Patch by intrigeri.  (closes: #862993)
  * Replace CAP_DAC_OVERRIDE with CAP_DAC_READ_SEARCH in systemd's service
capability bounding set.  Read access is sufficient for Tor (as root on
startup) to check its onion service directories (see #847598).
  * Change "AppArmorProfile=system_tor" to AppArmorProfile=-system_tor,
causing all errors while switching to the new apparmor profile to
be ignored.  This is not ideal, but for now it's probably the
best solution. Thanks to intrigeri; closes: #880490.

  [ Simon Deziel ]
  * Backport 0.2.9.14 to 16.04 (LP: #1731698)
  * debian/rules: stop overriding micro-revision.i
  * debian/control: drop build-conflicts
  * debian/control: Limit the seccomp build-dependency to [amd64 i386 x32 armel 
armhf]
  * Resync with Debian Stretch

tor (0.2.9.14-1) stretch-security; urgency=medium

  * New upstream version, including among others:
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
  making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
  0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
  identifying and finding a workaround to this bug and to Moritz,
  Arthur Edelstein, and Roger for helping to track it down and
  analyze it.
- Fix a denial of service bug where an attacker could use a
  malformed directory object to cause a Tor instance to pause while
  OpenSSL would try to read a passphrase from the terminal. (Tor
  instances run without a terminal, which is the case for most Tor
  packages, are not impacted.) Fixes bug 24246; bugfix on every
  version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
  Found by OSS-Fuzz as testcase 6360145429790720.
- Fix a denial of service issue where an attacker could crash a
  directory authority using a malformed router descriptor. Fixes bug
  24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
  and CVE-2017-8820.
- When checking for replays in the INTRODUCE1 cell data for a
  (legacy) onion service, correctly detect replays in the RSA-
  encrypted part of the cell. We were previously checking for
  replays on the entire cell, but those can be circumvented due to
  the malleability of Tor's legacy hybrid encryption. This fix helps
  prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
  0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
  and CVE-2017-8819.
- Fix a use-after-free error that could crash v2 Tor onion services
  when they failed to open circuits while expiring introduction
  points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
  also tracked as TROVE-2017-013 and CVE-2017-8823.
- When running as a relay, make sure that we never build a path
  through ourselves, even in the case where we have somehow lost the
  version of our descriptor appearing in the consensus. Fixes part
  of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
  as TROVE-2017-012 and CVE-2017-8822.

tor (0.2.9.13-1) stretch; urgency=medium

  * New upstream version:
- update directory authority set

tor (0.2.9.12-1) stretch-security; urgency=medium

  * New upstream version:
- CVE-2017-0380 (TROVE-2017-008): Stack disclosure in hidden services logs
  when SafeLogging disabled
- other maintenance and security related fixes, see upstream changelog.

 -- Simon Deziel   Sun, 14 Jan 2018 14:17:46 -0500

** Changed in: tor (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8819

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8820

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8821

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8822

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8823

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-17 Thread Simon Déziel 
Verified on artful:

$ dpkg -l tor tor-geoipdb | grep ^ii
ii  tor0.3.0.13-0ubuntu1~17.10.1 amd64anonymizing overlay 
network for TCP
ii  tor-geoipdb0.3.0.13-0ubuntu1~17.10.1 all  GeoIP database for Tor

$ torsocks wget -qO - https://ifconfig.co
51.15.53.83

** Tags removed: verification-needed verification-needed-artful
** Tags added: verification-done verification-done-artful

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-14 Thread Otus 
Sure, below are the steps I did. However, I do not have an artful system
to test on so I'll leave that to someone else.


$ dpkg -l | grep ' tor '
ii  tor0.2.9.14-1ubuntu1~16.04.1
   amd64anonymizing overlay network for TCP

$ torsocks wget -qO - https://ifconfig.co
65.19.167.xxx

$ wget -qO - https://ifconfig.co
88.193.200.xxx


I also checked that the old version warning disappeared from 
atlas.torproject.org regarding my relay and that traffic continued to be 
relayed for a few hours.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-14 Thread Simon Déziel 
@Otus, many thanks for verifying on Xenial.

The SRU verification process [1] now requires to provide a brief
description of how the bug fix was verified. Would you be so kind to do
it, please? I generally give the "dpkg -l | grep tor" output to confirm
the right package version was tested and mention that I successfully
went through the reproduction steps as outlined in the bug description.

If you get a chance to test on Artful that would be nice otherwise I'll
try to do it myself as time permits.

1: https://wiki.ubuntu.com/StableReleaseUpdates#Verification

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-14 Thread Otus 
Works here on xenial.

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-13 Thread Stéphane Graber 
Hello Simon, or anyone else affected,

Accepted tor into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/tor/0.2.9.14-1ubuntu1~16.04.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: tor (Ubuntu Xenial)
   Status: Triaged => Fix Committed

** Tags added: verification-needed verification-needed-xenial

** Changed in: tor (Ubuntu Artful)
   Status: Triaged => Fix Committed

** Tags added: verification-needed-artful

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-10 Thread Simon Déziel 
Thanks for the feedback, please find the 2 new debdiffs with your
suggestions applied.

** Patch removed: "tor-16.04-v2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+attachment/5008375/+files/tor-16.04-v2.debdiff

** Patch removed: "tor-17.04-v2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+attachment/5008376/+files/tor-17.04-v2.debdiff

** Patch removed: "tor-17.10-v2.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+attachment/5008377/+files/tor-17.10-v2.debdiff

** Patch removed: "tor-0.2.9.14-16.04.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+attachment/5036965/+files/tor-0.2.9.14-16.04.debdiff

** Patch removed: "tor-0.3.0.13-17.10.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+attachment/5036971/+files/tor-0.3.0.13-17.10.debdiff

** Patch added: "tor-0.2.9.14-16.04.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+attachment/5052902/+files/tor-0.2.9.14-16.04.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-10 Thread Simon Déziel 
** Patch added: "tor-0.3.0.13-17.10.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+attachment/5052903/+files/tor-0.3.0.13-17.10.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-08 Thread Stéphane Graber 
Simon: Any chance you can update the debdiffs to have changelogs which
include the previous upload?

Without that, some of the update tools will be a bit confused. That's
not an issue for the dev release, but for SRUs it's preferable to only
add to the changelog, not remove entries.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-08 Thread Stéphane Graber 
Also you appear to have missed running update-maintainer :)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-02-08 Thread Stéphane Graber 
Oh, I'm not subscribed to this bug, that's why I keep missing
notifications :)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-01-14 Thread Simon Déziel 
@Stéphane, here are the 2 new debdiffs.

** Patch added: "tor-0.3.0.13-17.10.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+attachment/5036971/+files/tor-0.3.0.13-17.10.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1731698] Re: [SRU] Tor 0.2.9.14 and 0.3.0.13

2018-01-14 Thread Simon Déziel 
** Patch added: "tor-0.2.9.14-16.04.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+attachment/5036965/+files/tor-0.2.9.14-16.04.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1731698

Title:
  [SRU] Tor 0.2.9.14 and 0.3.0.13

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1731698/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs