[Bug 76094] Tor 0.1.1.26 fixes HttpProxyAuthenticator privacy flaw

2006-12-17 Thread Roger Dingledine
Public bug reported: Binary package hint: tor We found a big bug and put out a new bugfix release: http://archives.seul.org/or/announce/Dec-2006/msg0.html There's also a link to a patch for the 0.1.0.x Tor tree, if you're still maintaining whichever Ubuntu it is that ships 0.1.0.16-2. ** A

[Bug 58605] Upstream reports security flaw: clients will relay traffic

2006-09-02 Thread Roger Dingledine
Public bug reported: http://archives.seul.org/or/announce/Aug-2006/msg1.html We've provided a 0.1.0.18 tarball that should be a safe replacement for your 0.1.0.16, if you can't upgrade to the 0.1.1.x tree. ** Affects: tor (Ubuntu) Importance: Untriaged Status: Unconfirmed ** V

[Bug 328442] [NEW] Tor 0.1.2.x abandoned by upstream

2009-02-12 Thread Roger Dingledine
*** This bug is a security vulnerability *** Public security bug reported: Binary package hint: tor I am the Tor project leader (aka the upstream). In Sept-Oct 2007 there was a thread on ubuntu-devel and ubuntu-motu with the subject "Tor Packages", wherein mako suggested that Ubuntu drop the To

[Bug 328442] Re: Tor 0.1.2.x abandoned by upstream

2009-02-12 Thread Roger Dingledine
Intrepid and jaunty should move to 0.2.0.34. The current intrepid version (0.2.0.31) is not good enough. In particular, 0.2.0.31 has a bug where Tor fails to drop privileges correctly. (Tor 0.1.2.x has this bug too.) I just had a look over the changelogs, and I think there are no config options

[Bug 328442] Re: Tor 0.1.2.x abandoned by upstream

2009-02-13 Thread Roger Dingledine
http://packages.ubuntu.com/jaunty/tor indicates that jaunty now has 0.2.0.34. Does that mean we're ready for the next step? :) -- Tor 0.1.2.x abandoned by upstream https://bugs.launchpad.net/bugs/328442 You received this bug notification because you are a member of Ubuntu Bugs, which is subscribe

[Bug 328442] Re: Tor 0.1.2.x abandoned by upstream

2009-02-13 Thread Roger Dingledine
I believe that 0.2.0.34 is better in all ways than 0.1.2.19. (Hard to say for sure, of course, but as far as we can tell...) There were some new bugs introduced in 0.2.0.x, but those got ironed out between 0.2.0.30 and 0.2.0.34. Whereas there are known serious bugs in 0.1.2.19 that are not fixed

[Bug 328442] Re: Tor 0.1.2.x abandoned by upstream

2009-02-13 Thread Roger Dingledine
See the initial summary above, and the links, e.g. http://www.mailinglistarchive.com/ubuntu-de...@lists.ubuntu.com/msg24404.html The Tor 0.1.2.x release (0.1.2.13) came out in April 2007. We've backported things to it for well over a year now, and it's time to let it go. As for the bugs fixed in

[Bug 328442] Re: Tor 0.1.2.x abandoned by upstream, update to 0.2.0.34

2009-02-16 Thread Roger Dingledine
For whoever is working on the packages, there are hardy and intrepid 0.2.0.34 debs available here: https://wiki.torproject.org/noreply/TheOnionRouter/TorOnDebian built by the Debian maintainer. You may or may not find them useful. :) ** Summary changed: - Tor 0.1.2.x abandoned by upstream, updat

[Bug 328442] Re: Tor 0.1.2.x abandoned by upstream, update to 0.2.0.34

2009-04-16 Thread Roger Dingledine
Ok. So the current status as I understand it is that Ubuntu would rather ship known-vulnerable (and in the Intrepid case, known-remote-root-vulnerable!) versions of Tor rather than use the Ubuntu debs that we provide. Sounds like the correct solution is to a) take it out of Jaunty (as Martin said

[Bug 328442] Re: Tor 0.1.2.x abandoned by upstream, update to 0.2.0.34

2009-03-02 Thread Roger Dingledine
I should mention that we've been holding back on the detailed security advisory for bugs fixed in 0.2.0.33 and 0.2.0.34, until Ubuntu and the *BSDs have had time to upgrade. I think the BSDs have upgraded now, so we're just waiting on Ubuntu. At some point we're going to have to release the advi

[Bug 328442] Re: Tor 0.1.2.x abandoned by upstream, update to 0.2.0.34

2009-03-03 Thread Roger Dingledine
Ok. Should we take Tor out of Jaunty, then?