Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: freeze-exception
Please unblock package tor.

This is a new upstream release, a new release candidate for Tor's 0.2.3.x tree. It fixes a couple of security issues:

- Avoid read-from-freed-memory and double-free bugs that could occur when a DNS request fails while launching it. Fixes bug 6480.
- Avoid an uninitialized memory read when reading a vote or consensus document that has an unrecognized flavor name. This read could lead to a remote crash bug. Fixes bug 6530.
- Try to leak less information about what relays a client is choosing to a side-channel attacker.

The full upstream changelog is at [1].

In total, this new upstream release consists of 33 commits, only 10 of which touch actual code. The rest is documentation, infrastructure and RPM-packaging updates. The changes appear to be reasonable. I can provide the diffs on request.

In addition to the upstream changes, the debian package has been improved slightly:

- Added a suggests for tor-arm,
- Updated and improved the long description of the binary packages,
- Updated the Vcs-Git URL to use https (we like crypto).

Diff of the debian directory is attached.

I think this version is strictly better than 0.2.3.19-rc-1 currently in testing, so I would appreciate if we could ship 0.2.3.20-rc-1 instead.

unblock tor/0.2.3.20-rc-1

Thanks for your consideration,
weasel

1. https://gitweb.torproject.org/tor.git/blob/24d7a06f04d701c4dd263b911906cb1e97672e99:/ChangeLog
diff --git a/debian/changelog b/debian/changelog index 9350c12..1a53919 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,19 @@ +tor (0.2.3.20-rc-1) unstable; urgency=low + + * New upstream version, including a couple security fixes: + - Avoid read-from-freed-memory and double-free bugs that could occur + when a DNS request fails while launching it. Fixes bug 6480. + - Avoid an uninitialized memory read when reading a vote or consensus + document that has an unrecognized flavor name. This read could + lead to a remote crash bug. Fixes bug 6530. + - Try to leak less information about what relays a client is + choosing to a side-channel attacker. + * Suggest the tor-arm controller. + * Improve long descriptions with Roger's help. + * Use https:// instead of git:// for the Vcs-Git URL. + + -- Peter Palfrader <wea...@debian.org> Tue, 07 Aug 2012 23:13:18 +0200 + tor (0.2.3.19-rc-1) unstable; urgency=low * New upstream version. diff --git a/debian/control b/debian/control index 76cce8e..503dd66 100644 --- a/debian/control +++ b/debian/control @@ -5,7 +5,7 @@ Maintainer: Peter Palfrader <wea...@debian.org> Build-Depends: debhelper (>= 5), libssl-dev, dpatch, zlib1g-dev, libevent-dev (>= 1.1), binutils (>= 2.14.90.0.7), hardening-includes, asciidoc (>= 8.2), docbook-xml, docbook-xsl, xmlto, dh-apparmor Standards-Version: 3.8.1 Homepage: https://www.torproject.org/ -Vcs-Git: git://git.torproject.org/debian/tor.git +Vcs-Git: https://git.torproject.org/debian/tor.git Vcs-Browser: https://gitweb.torproject.org/debian/tor.git Package: tor 
@@ -13,43 +13,37 @@ Architecture: any Depends: ${shlibs:Depends}, adduser, ${misc:Depends}, lsb-base Conflicts: libssl0.9.8 (<< 0.9.8g-9) Recommends: logrotate, tor-geoipdb, torsocks -Suggests: mixmaster, xul-ext-torbutton, socat, tor-arm, polipo (>= 1) | privoxy, apparmor-utils +Suggests: mixmaster, xul-ext-torbutton, socat, tor-arm, polipo (>= 1) | privoxy, apparmor-utils, tor-arm Description: anonymizing overlay network for TCP - Tor is a connection-based low-latency anonymous communication system which - addresses many flaws in the original onion routing design. + Tor is a connection-based low-latency anonymous communication system. . - In brief, Onion Routing is a connection-oriented anonymizing communication - service. Users choose a source-routed path through a set of nodes, and - negotiate a "virtual circuit" through the network, in which each node - knows its predecessor and successor, but no others. Traffic flowing down - the circuit is unwrapped by a symmetric key at each node, which reveals - the downstream node. + Clients choose a source-routed path through a set of relays, and + negotiate a "virtual circuit" through the network, in which each relay + knows its predecessor and successor, but no others. Traffic flowing + down the circuit is decrypted at each relay, which reveals the + downstream relay. . - Basically Tor provides a distributed network of servers ("onion - routers"). Users bounce their tcp streams (web traffic, ftp, ssh, etc) - around the routers, and recipients, observers, and even the routers - themselves have difficulty tracking the source of the stream. + Basically, Tor provides a distributed network of relays. Users bounce + their TCP streams (web traffic, ftp, ssh, etc) around the relays, and + recipients, observers, and even the relays themselves have difficulty + learning which users connected to which destinations. . - Note that Tor does no protocol cleaning. 
That means there is a danger that - application protocols and associated programs can be induced to reveal - information about the initiator. Tor depends on Privoxy and similar protocol - cleaners to solve this problem. + This package enables only a Tor client by default, but it can also be + configured as a relay and/or a hidden service easily. . Client applications can use the Tor network by connecting to the local - onion proxy. If the application itself does not come with socks support - you can use a socks client such as tsocks. Some web browsers like mozilla - and web proxies like privoxy come with socks support, so you don't need an - extra socks client if you want to use Tor with them. + socks proxy interface provided by your Tor instance. If the application + itself does not come with socks support, you can use a socks client + such as torsocks. . - This package enables only the onion proxy by default, but it can be configured - as a relay (server) node. - . - Remember that this is development code -- don't rely on the current Tor - network if you really need strong anonymity. - . - The latest information can be found at https://www.torproject.org/, or on the - mailing lists, archived at https://lists.torproject.org/pipermail/tor-talk/ or - https://lists.torproject.org/pipermail/tor-announce/. + Note that Tor does no protocol cleaning on application traffic. There + is a danger that application protocols and associated programs can be + induced to reveal information about the user. Tor depends on Torbutton + and similar protocol cleaners to solve this problem. For best + protection when web surfing, the Tor Project recommends that you use + the Tor Browser Bundle, a standalone tarball that includes static + builds of Tor, Torbutton, and a modified Firefox that is patched to fix + a variety of privacy bugs. Package: tor-dbg Architecture: any 
@@ -66,11 +60,15 @@ Package: tor-geoipdb Architecture: all Priority: extra Depends: tor (>= ${source:Version}), ${misc:Depends} -Description: geoIP database for Tor - This package provides a geoIP database for Tor, i.e. it maps IPv4 addresses +Description: GeoIP database for Tor + This package provides a GeoIP database for Tor, i.e. it maps IPv4 addresses to countries. . - Bridges (special Tor relays that aren't listed in the main Tor directory) use - this information to report which countries they get access from. This allows - the Tor network operators to learn if certain countries started blocking - access to bridges. + Bridge relays (special Tor relays that aren't listed in the main Tor + directory) use this information to report which countries they see + connections from. These statistics enable the Tor network operators to + learn when certain countries start blocking access to bridges. + . + Clients can also use this to learn what country each relay is in, so + Tor controllers like arm or Vidalia can use it, or if they want to + configure path selection preferences.
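Review bot: the Suggests change in the debian/control hunk at @@ -13,43 +13,37 @@ lists tor-arm twice. The removed line already contained `tor-arm` between `socat` and `polipo (>= 1) | privoxy`, and the added line keeps that entry and appends a second `, tor-arm` after `apparmor-utils`. Drop the trailing duplicate; the changelog entry "Suggest the tor-arm controller" then also overstates the change, since tor-arm was already suggested before this upload.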
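Review bot: the last added paragraph of the tor-geoipdb description in the hunk at @@ -66,11 +60,15 @@ does not parse: "Clients can also use this to learn what country each relay is in, so Tor controllers like arm or Vidalia can use it, or if they want to configure path selection preferences." The "or if they want" clause has no subject that fits. Suggested wording: "Clients can also use this to learn what country each relay is in, so that Tor controllers like arm or Vidalia can display it, or so that users can configure path selection preferences."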