ubuntu/+source/tor:ubuntu/trusty-security

Last commit made on 2018-11-26
Get this branch:
git clone -b ubuntu/trusty-security https://git.launchpad.net/ubuntu/+source/tor
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/trusty-security
Repository:
lp:ubuntu/+source/tor

Recent commits

404090b... by Eduardo dos Santos Barretto on 2018-11-23

Import patches-unapplied version 0.2.4.27-1ubuntu0.1 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: ad608796bf2aedb2d8f07231a9e166d17f793ae8

New changelog entries:
  * SECURITY UPDATE: DoS (client crash) via a crafted hidden service
    descriptor.
    - debian/patches/CVE-2016-1254.patch: Fix parsing bug with unrecognized
      token at EOS.
    - CVE-2016-1254
  * SECURITY UPDATE: DoS (crash) via crafted data.
    - debian/patches/CVE-2016-8860.patch: Protect against NUL-terminated
      inputs.
    - CVE-2016-8860
  * SECURITY UPDATE: DoS (assertion failure and daemon exit) via a BEGIN_DIR
    rendezvous circuit.
    - debian/patches/CVE-2017-0376.patch: Fix assertion failure.
    - CVE-2017-0376
  * SECURITY UPDATE: Replay-cache protection mechanism is ineffective for v2
    onion services.
    - debian/patches/CVE-2017-8819.patch: Fix length of replaycache-checked
      data.
    - CVE-2017-8819
  * SECURITY UPDATE: DoS (application hang) via a crafted PEM input.
    - debian/patches/CVE-2017-8821.patch: Avoid asking for passphrase on
      junky PEM input.
    - CVE-2017-8821
  * SECURITY UPDATE: Relays, that have incompletely downloaded
    descriptors, can pick themselves in a circuit path, leading to a
    degradation of anonymity
    - debian/patches/CVE-2017-8822.patch: Use local descriptor object to
      exclude self in path selection.
    - CVE-2017-8822

ad60879... by Marc Deslauriers on 2015-07-29

Import patches-unapplied version 0.2.4.27-1build0.14.04.1 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 73b0a3a9a5c4ed9494ffffa7576f9988dbc431e7

New changelog entries:
  * Synced from Debian as a security update

73b0a3a... by Peter Palfrader on 2015-04-06

Import patches-unapplied version 0.2.4.27-1 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 85839522f5dc039e03a9697715636692555b5dd6

New changelog entries:
  * New upstream version, fixing hidden service related Denial of
    Service bugs:
    - Fix two remotely triggerable assertion failures (upstream bugs
      #15600 and #15601).
    - Disallow multiple INTRODUCE1 cells on the same circuit at introduction
      points, making overwhelming hidden services with introductions more
      expensive (upstream bug #15515).
  * New upstream version.
    + Fixes the following security relevant issues (copied from upstream
      changelog):
      - Fix an assertion failure that could occur under high DNS load.
        Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
        diagnosed and fixed by "cypherpunks".
      - Fix a bug that could lead to a relay crashing with an assertion
        failure if a buffer of exactly the wrong layout was passed to
        buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
        0.2.0.10-alpha. Patch from 'cypherpunks'.
      - Do not assert if the 'data' pointer on a buffer is advanced to the
        very end of the buffer; log a BUG message instead. Only assert if
        it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
      - Disable support for SSLv3. All versions of OpenSSL in use with Tor
        today support TLS 1.0 or later, so we can safely turn off support
        for this old (and insecure) protocol. Fixes bug 13426.
    + Updates the list of directory authorities and the geoIP database.

8583952... by Peter Palfrader on 2014-09-26

Import patches-unapplied version 0.2.4.24-1 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 126f451840d9107686cab06e2b13bd21b7794379

New changelog entries:
  * New upstream version, built for stable (re: #762587):
    - Use correct byte order when sending the address of the chosen rendezvous
      point to a hidden service. This bug meant that clients were leaking to
      the hidden service whether they were on a little-endian (common) or
      big-endian (rare) system.
    - Change IP address for the gabelmoo v3 directory authority.
    - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
      Country database.
  * New upstream version, built for wheezy:
    - Clients will no longer use CREATE_FAST cells for the first hop of their
      circuit. This approach can improve security on connections where Tor's
      circuit handshake is stronger than the available TLS connection security
      levels.
    - Prepare for lowering the number of used entry guards by honoring the
      NumDirectoryGuards consensus parameter.
    - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
      implementation.
    - Warn and drop the circuit if we receive an inbound 'relay early' cell.

126f451... by Peter Palfrader on 2014-06-23

Import patches-unapplied version 0.2.4.22-1~deb7u1 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 1a12af0d8b46e51c33699f256b4b640d55c35eac

New changelog entries:
  * Build for stable (re: #751977).
  * Revert upstream changes to the default torrc to match what 0.2.3.25-1
    from stable has (two minor changes in comments).

1a12af0... by Peter Palfrader on 2014-05-17

Import patches-unapplied version 0.2.4.22-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f69543a0ecc3b93d4ee14764b074cab3f0d37aeb

New changelog entries:
  * New upstream version.

f69543a... by Peter Palfrader on 2014-03-01

Import patches-unapplied version 0.2.4.21-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 83758ae1cb932fa90cf6cd3cf5caee0d4b8f335b

New changelog entries:
  * New upstream version.

83758ae... by Peter Palfrader on 2013-12-25

Import patches-unapplied version 0.2.4.20-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 14237c3bff19e229668462b7f87e1b733adf4fee

New changelog entries:
  * New upstream version.
    - Avoid a crash bug when starting with a corrupted microdescriptor cache
      file. Fixes bug 10406; bugfix on 0.2.2.6-alpha (closes: #732105).
  * init script: make /var/log/tor if it does not exist anymore
    (closes: #732572).

14237c3... by Peter Palfrader on 2013-12-12

Import patches-unapplied version 0.2.4.19-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4fb8bd23d9d4257a925e4602f4af67fd2612da9a

New changelog entries:
  * New upstream version.

4fb8bd2... by Peter Palfrader on 2013-11-17

Import patches-unapplied version 0.2.4.18-rc-1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 340529ec206fc30583cec7c992fd017c26284b33

New changelog entries:
  * New upstream version.
  * Re-add a few 'exit 1' statements on errors that got lost while
    updating the init script to fancy LSB style output (closes: #722153).
  * Mention the DisableDebuggerAttachment setting next to the ulimit -c
    line in /etc/default/tor (closes: #723801).