Your message dated Thu, 16 Aug 2012 21:36:14 +0100
with message-id <1345149374.24038.11.ca...@jacala.jungle.funky-badger.org>
and subject line Re: Bug#684760: unblock: tor/0.2.3.20-rc-1
has caused the Debian Bug report #684760,
regarding unblock: tor/0.2.3.20-rc-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
684760: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684760
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: freeze-exception

Please unblock package tor.

This is a new upstream release, a new release candidate for Tor's
0.2.3.x tree.

It fixes a couple security issues:
 - Avoid read-from-freed-memory and double-free bugs that could occur
   when a DNS request fails while launching it. Fixes bug 6480.
 - Avoid an uninitialized memory read when reading a vote or consensus
   document that has an unrecognized flavor name. This read could
   lead to a remote crash bug. Fixes bug 6530.
 - Try to leak less information about what relays a client is
   choosing to a side-channel attacker.

The full upstream changelog is at [1].  In total, this new upstream
release consists of 33 commits, only 10 of which touch actual code.  The
rest is documentation, infrastructure and RPM-packaging updates.  The
changes appear to be reasonable.  I can provide the diffs on request.


In addition to the upstream changes, the debian package has been
improved slightly:
 - Added a Suggests for tor-arm
 - Updated and improved the long description of the binary packages
 - Updated the Vcs-Git URL to use https (we like crypto).

Diff of the debian directory is attached.


I think this version is strictly better than 0.2.3.19-rc-1 currently in
testing, so I would appreciate it if we could ship 0.2.3.20-rc-1 instead.


unblock tor/0.2.3.20-rc-1


Thanks for your consideration,
weasel

1. https://gitweb.torproject.org/tor.git/blob/24d7a06f04d701c4dd263b911906cb1e97672e99:/ChangeLog
diff --git a/debian/changelog b/debian/changelog
index 9350c12..1a53919 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+tor (0.2.3.20-rc-1) unstable; urgency=low
+
+  * New upstream version, including a couple security fixes:
+    - Avoid read-from-freed-memory and double-free bugs that could occur
+      when a DNS request fails while launching it. Fixes bug 6480.
+    - Avoid an uninitialized memory read when reading a vote or consensus
+      document that has an unrecognized flavor name. This read could
+      lead to a remote crash bug. Fixes bug 6530.
+    - Try to leak less information about what relays a client is
+      choosing to a side-channel attacker.
+  * Suggest the tor-arm controller.
+  * Improve long descriptions with Roger's help.
+  * Use https:// instead of git:// for the Vcs-Git URL.
+
+ -- Peter Palfrader <wea...@debian.org>  Tue, 07 Aug 2012 23:13:18 +0200
+
 tor (0.2.3.19-rc-1) unstable; urgency=low
 
   * New upstream version.
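
Review bot: the changelog bullet `+  * Suggest the tor-arm controller.` does not match the debian/control hunk below, where tor-arm was already present in Suggests on the removed line and the new line only repeats it; either drop this bullet or reword it to describe what actually changed.
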
diff --git a/debian/control b/debian/control
index 76cce8e..503dd66 100644
--- a/debian/control
+++ b/debian/control
@@ -5,7 +5,7 @@ Maintainer: Peter Palfrader <wea...@debian.org>
 Build-Depends: debhelper (>= 5), libssl-dev, dpatch, zlib1g-dev, libevent-dev (>= 1.1), binutils (>= 2.14.90.0.7), hardening-includes, asciidoc (>= 8.2), docbook-xml, docbook-xsl, xmlto, dh-apparmor
 Standards-Version: 3.8.1
 Homepage: https://www.torproject.org/
-Vcs-Git: git://git.torproject.org/debian/tor.git
+Vcs-Git: https://git.torproject.org/debian/tor.git
 Vcs-Browser: https://gitweb.torproject.org/debian/tor.git
 
 Package: tor
@@ -13,43 +13,37 @@ Architecture: any
 Depends: ${shlibs:Depends}, adduser, ${misc:Depends}, lsb-base
 Conflicts: libssl0.9.8 (<< 0.9.8g-9)
 Recommends: logrotate, tor-geoipdb, torsocks
-Suggests: mixmaster, xul-ext-torbutton, socat, tor-arm, polipo (>= 1) | privoxy, apparmor-utils
+Suggests: mixmaster, xul-ext-torbutton, socat, tor-arm, polipo (>= 1) | privoxy, apparmor-utils, tor-arm
 Description: anonymizing overlay network for TCP
- Tor is a connection-based low-latency anonymous communication system which
- addresses many flaws in the original onion routing design.
+ Tor is a connection-based low-latency anonymous communication system.
  .
- In brief, Onion Routing is a connection-oriented anonymizing communication
- service. Users choose a source-routed path through a set of nodes, and
- negotiate a "virtual circuit" through the network, in which each node
- knows its predecessor and successor, but no others. Traffic flowing down
- the circuit is unwrapped by a symmetric key at each node, which reveals
- the downstream node.
+ Clients choose a source-routed path through a set of relays, and
+ negotiate a "virtual circuit" through the network, in which each relay
+ knows its predecessor and successor, but no others. Traffic flowing
+ down the circuit is decrypted at each relay, which reveals the
+ downstream relay.
  .
- Basically Tor provides a distributed network of servers ("onion
- routers"). Users bounce their tcp streams (web traffic, ftp, ssh, etc)
- around the routers, and recipients, observers, and even the routers
- themselves have difficulty tracking the source of the stream.
+ Basically, Tor provides a distributed network of relays. Users bounce
+ their TCP streams (web traffic, ftp, ssh, etc) around the relays, and
+ recipients, observers, and even the relays themselves have difficulty
+ learning which users connected to which destinations.
  .
- Note that Tor does no protocol cleaning.  That means there is a danger that
- application protocols and associated programs can be induced to reveal
- information about the initiator.  Tor depends on Privoxy and similar protocol
- cleaners to solve this problem.
+ This package enables only a Tor client by default, but it can also be
+ configured as a relay and/or a hidden service easily.
  .
  Client applications can use the Tor network by connecting to the local
- onion proxy.  If the application itself does not come with socks support
- you can use a socks client such as tsocks.  Some web browsers like mozilla
- and web proxies like privoxy come with socks support, so you don't need an
- extra socks client if you want to use Tor with them.
+ socks proxy interface provided by your Tor instance. If the application
+ itself does not come with socks support, you can use a socks client
+ such as torsocks.
  .
- This package enables only the onion proxy by default, but it can be configured
- as a relay (server) node.
- .
- Remember that this is development code -- don't rely on the current Tor
- network if you really need strong anonymity.
- .
- The latest information can be found at https://www.torproject.org/, or on the
- mailing lists, archived at https://lists.torproject.org/pipermail/tor-talk/ or
- https://lists.torproject.org/pipermail/tor-announce/.
+ Note that Tor does no protocol cleaning on application traffic. There
+ is a danger that application protocols and associated programs can be
+ induced to reveal information about the user. Tor depends on Torbutton
+ and similar protocol cleaners to solve this problem. For best
+ protection when web surfing, the Tor Project recommends that you use
+ the Tor Browser Bundle, a standalone tarball that includes static
+ builds of Tor, Torbutton, and a modified Firefox that is patched to fix
+ a variety of privacy bugs.
 
 Package: tor-dbg
 Architecture: any
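
Review bot: the new line `+Suggests: mixmaster, xul-ext-torbutton, socat, tor-arm, polipo (>= 1) | privoxy, apparmor-utils, tor-arm` lists tor-arm twice, since the removed line already contained it after socat; drop the trailing `, tor-arm` so the relation is not duplicated.
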
@@ -66,11 +60,15 @@ Package: tor-geoipdb
 Architecture: all
 Priority: extra
 Depends: tor (>= ${source:Version}), ${misc:Depends}
-Description: geoIP database for Tor
- This package provides a geoIP database for Tor, i.e. it maps IPv4 addresses
+Description: GeoIP database for Tor
+ This package provides a GeoIP database for Tor, i.e. it maps IPv4 addresses
  to countries.
  .
- Bridges (special Tor relays that aren't listed in the main Tor directory) use
- this information to report which countries they get access from.  This allows
- the Tor network operators to learn if certain countries started blocking
- access to bridges.
+ Bridge relays (special Tor relays that aren't listed in the main Tor
+ directory) use this information to report which countries they see
+ connections from.  These statistics enable the Tor network operators to
+ learn when certain countries start blocking access to bridges.
+ .
+ Clients can also use this to learn what country each relay is in, so
+ Tor controllers like arm or Vidalia can use it, or if they want to
+ configure path selection preferences.
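
Review bot: the closing paragraph `+ Clients can also use this to learn what country each relay is in, so` / `+ Tor controllers like arm or Vidalia can use it, or if they want to` / `+ configure path selection preferences.` is grammatically tangled ("so ... can use it, or if they want to ..."); suggest rewording along the lines of "Clients can also use this information to learn what country each relay is in, so that controllers like arm or Vidalia can display it, or to configure path selection preferences."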

--- End Message ---
--- Begin Message ---
On Mon, 2012-08-13 at 17:54 +0200, Peter Palfrader wrote:
> Please unblock package tor.
> 
> This is a new upstream release, a new release candidate for Tor's
> 0.2.3.x tree.

Unblocked; thanks.

Is there an approximate ETA for the final 0.2.3.20 release?

Regards,

Adam

--- End Message ---