On Mon, 2012-08-13 at 18:01 +0200, Peter Palfrader wrote:
> | Changes in version 0.2.2.38 - 2012-08-12
> |   Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
> |   fixes a remotely triggerable crash bug; and fixes a timing attack that
> |   could in theory leak path information.
> |
> |   o Security fixes:
> |     - Avoid read-from-freed-memory and double-free bugs that could occur
> |       when a DNS request fails while launching it. Fixes bug 6480;
> |       bugfix on 0.2.0.1-alpha.
> |     - Avoid an uninitialized memory read when reading a vote or consensus
> |       document that has an unrecognized flavor name. This read could
> |       lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
> |     - Try to leak less information about what relays a client is
> |       choosing to a side-channel attacker. Previously, a Tor client would
> |       stop iterating through the list of available relays as soon as it
> |       had chosen one, thus finishing a little earlier when it picked
> |       a router earlier in the list. If an attacker can recover this
> |       timing information (nontrivial but not proven to be impossible),
> |       they could learn some coarse-grained information about which relays
> |       a client was picking (middle nodes in particular are likelier to
> |       be affected than exits). The timing attack might be mitigated by
> |       other factors (see bug 6537 for some discussion), but it's best
> |       not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
>
> [ https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes ]
>
>
> I would like to package this new version as 0.2.2.38-1, and upload it to
> squeeze so that we can get these issues fixed in Debian.

Apologies for not spotting earlier that there wasn't one attached, but
please could we have a debdiff against the package currently in p-u?

Regards,

Adam
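The relay-selection timing issue described in the quoted release notes (bug 6537), as an added example that is not part of the original thread and is not Tor's own code: a weighted pick that stops at the chosen entry next to one that always walks the whole list. The function names, the `steps` counter and the sample weights are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: bandwidth weights of four hypothetical relays (total 100). */
static const uint64_t SAMPLE_BW[4] = {10, 20, 30, 40};

/* "Before" shape: returns as soon as the running sum passes rand_bw, so the
 * number of iterations (and the run time) depends on which index is chosen. */
int choose_early_exit(const uint64_t *bw, size_t n, uint64_t rand_bw, size_t *steps)
{
    uint64_t sum = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        sum += bw[i];
        if (sum > rand_bw)
            return (int)i;
    }
    return -1;
}

/* "After" shape: always visits every entry and records the first index whose
 * running sum passes rand_bw with mask arithmetic instead of an early return.
 * The iteration count no longer depends on the choice; whether the compiled
 * code is fully branch-free still depends on the compiler. */
int choose_full_scan(const uint64_t *bw, size_t n, uint64_t rand_bw, size_t *steps)
{
    uint64_t sum = 0;
    int chosen = -1, found = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        sum += bw[i];
        int take = (int)(sum > rand_bw) & (found ^ 1); /* 1 only on the first hit */
        chosen = (chosen & ~(-take)) | ((int)i & -take);
        found |= take;
    }
    return chosen;
}

int main(void)
{
    size_t a, b;
    for (uint64_t r = 5; r < 100; r += 45) { /* r = 5, 50, 95 */
        int e = choose_early_exit(SAMPLE_BW, 4, r, &a);
        int f = choose_full_scan(SAMPLE_BW, 4, r, &b);
        printf("rand=%llu early: idx=%d steps=%zu  full: idx=%d steps=%zu\n",
               (unsigned long long)r, e, a, f, b);
    }
    return 0;
}
```

Both functions return the same index for the same input; only the first one's step count varies with the pick.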