ubuntu/+source/tor:applied/debian/jessie

Last commit made on 2018-06-23
Get this branch:
git clone -b applied/debian/jessie https://git.launchpad.net/ubuntu/+source/tor
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
applied/debian/jessie
Repository:
lp:ubuntu/+source/tor

Recent commits

e05e198... by Peter Palfrader on 2017-12-02

Import patches-applied version 0.2.5.16-1 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: 24853856e8d41526e3ef1fbe1931b64e0f14fed2
Unapplied parent: f2121464c71882756af9f31d219a98ebc137de8d

New changelog entries:
  * New upstream version, including among others:
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.

f212146... by Peter Palfrader on 2017-12-02

Import patches-unapplied version 0.2.5.16-1 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: c6fbb4dbf0c3cc4963de87905dd7722a350a5159

New changelog entries:
  * New upstream version, including among others:
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.

2485385... by Peter Palfrader on 2017-11-20

Import patches-applied version 0.2.5.15-1 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: 673ed06427b3d9c6f2df47e19eac88cca46a1670
Unapplied parent: c6fbb4dbf0c3cc4963de87905dd7722a350a5159

New changelog entries:
  * New upstream version:
    - update directory authority set

c6fbb4d... by Peter Palfrader on 2017-11-20

Import patches-unapplied version 0.2.5.15-1 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 6a1909227ff74817dc3189b6ce0d95336c2339a3

New changelog entries:
  * New upstream version:
    - update directory authority set

673ed06... by Peter Palfrader on 2017-06-08

Import patches-applied version 0.2.5.14-1 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: e9d0cd71a87e652b860c2fe06e6887a4f1b9d4bf
Unapplied parent: 6a1909227ff74817dc3189b6ce0d95336c2339a3

New changelog entries:
  * New upstream version, fixing a hidden service related Denial of
    Service bug:
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha. (closes: #864424)
  * The previous release, 0.2.5.13, already incorporates the changes made in
    Debian's updates of the 0.2.5.12 version. Therefore, drop
    - debian/patches/tor-bug-20384-TROVE-2016-10-001
    - debian/patches/tor-bug-21018-TROVE-2016-12-002-CVE-2016-1254
    - debian/patches/update-authority-set

6a19092... by Peter Palfrader on 2017-06-08

Import patches-unapplied version 0.2.5.14-1 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 56d06e506b32ee5200ef3df12c437b1150a5ffd0

New changelog entries:
  * New upstream version, fixing a hidden service related Denial of
    Service bug:
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha. (closes: #864424)
  * The previous release, 0.2.5.13, already incorporates the changes made in
    Debian's updates of the 0.2.5.12 version. Therefore, drop
    - debian/patches/tor-bug-20384-TROVE-2016-10-001
    - debian/patches/tor-bug-21018-TROVE-2016-12-002-CVE-2016-1254
    - debian/patches/update-authority-set

e9d0cd7... by Peter Palfrader on 2016-12-19

Import patches-applied version 0.2.5.12-4 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: 9b0a5e8105226522b24c851215aa1392896b551c
Unapplied parent: 56d06e506b32ee5200ef3df12c437b1150a5ffd0

New changelog entries:
  * Fix for an issue (Tor#21018) where Tor clients could crash when
    attempting to visit a hostile hidden service.
    [TROVE-2016-12-002,CVE-2016-1254]
  * Fix a remote denial of service bug, torbug#20384, TROVE-2016-001.

56d06e5... by Peter Palfrader on 2016-12-19

Import patches-unapplied version 0.2.5.12-4 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 45279599e376bdb726eb2de558ac812c1e38fabe

New changelog entries:
  * Fix for an issue (Tor#21018) where Tor clients could crash when
    attempting to visit a hostile hidden service.
    [TROVE-2016-12-002,CVE-2016-1254]
  * Fix a remote denial of service bug, torbug#20384, TROVE-2016-001.

9b0a5e8... by Peter Palfrader on 2016-08-30

Import patches-applied version 0.2.5.12-2 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: e52574db2302b577a888b1f34808b6ed61725f77
Unapplied parent: 45279599e376bdb726eb2de558ac812c1e38fabe

New changelog entries:
  * Update the set of authority directory servers to the one from
    Tor 0.2.8.7, released in August 2016. This updates the key
    for dannenberg, replaces the Tonga bridge authority with Bifroest,
    and drops urras.

4527959... by Peter Palfrader on 2016-08-30

Import patches-unapplied version 0.2.5.12-2 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: faaeee7d42858886198452a3bf540229aa7a32bc

New changelog entries:
  * Update the set of authority directory servers to the one from
    Tor 0.2.8.7, released in August 2016. This updates the key
    for dannenberg, replaces the Tonga bridge authority with Bifroest,
    and drops urras.