Your message dated Sun, 26 Jul 2009 12:28:32 +0200
with message-id <20090726102832.gf6...@dinghy.sail.spinnaker.de>
and subject line Re: Bug#537323: Perhaps a critical mistake in the example for 
chaining with Tor?
has caused the Debian Bug report #537323,
regarding Perhaps a critical mistake in the example for chaining with Tor?
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
537323: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=537323
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: privoxy
Version: 3.0.13-1
Justification: user security hole
Severity: grave
Tags: security

Hi.

Since the last release or so, the config template gives this as an example for chaining privoxy with Tor:
#      To chain Privoxy and Tor, both running on the same system,
#      you would use something like:
#
#        forward-socks5   /               127.0.0.1:9050 .

AFAIK, it was always the case, that with socks5, DNS resolution happened locally and not via the proxy (which was the reason one should use socks4a).
Has this changed?

As this change could render Tor useless... and I found no docs whether the above has changed in the meantime... I've marked this bug as security critical.
Feel free to close, if I'm wrong :-)


Thanks,
Chris.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages privoxy depends on:
ii  adduser                3.110             add and remove users and groups
ii  libc6                  2.9-20            GNU C Library: Shared libraries
ii  libpcre3               7.8-2             Perl 5 Compatible Regular Expressi
ii  logrotate              3.7.7-3           Log rotation utility
ii  lsb-base               3.2-22            Linux Standard Base 3.2 init scrip
ii  perl                   5.10.0-24         Larry Wall's Practical Extraction
ii  zlib1g                 1:1.2.3.3.dfsg-14 compression library - runtime

Versions of packages privoxy recommends:
ii  doc-base               0.9.3             utilities to manage online documen

privoxy suggests no packages.

-- no debconf information


--- End Message ---
--- Begin Message ---
Christoph Anton Mitterer wrote on Friday, 17 July 2009:

> Package: privoxy
> Version: 3.0.13-1
> Justification: user security hole
> Severity: grave
> Tags: security

> Since the last release or so, the config template gives this as an  
> example for chaining privoxy with Tor:
> #      To chain Privoxy and Tor, both running on the same system,
> #      you would use something like:
> #
> #        forward-socks5   /               127.0.0.1:9050 .
>
> AFAIK, it was always the case, that with socks5, DNS resolution happened 
> locally and not via the proxy (which was the reason one should use 
> socks4a).
> Has this changed?

According to the privoxy documentation this problem only occurs with
socks4, while socks4a and socks5 tunnel DNS:

| 7.5.2. forward-socks4, forward-socks4a and forward-socks5
| [...]
| The difference between forward-socks4 and forward-socks4a  is that in
| the SOCKS 4A protocol, the DNS resolution of the target hostname
| happens on the SOCKS server, while in SOCKS 4 it happens locally. 
|
| With forward-socks5 the DNS resolution will happen on the remote
| server as well. 

A short test on my local machine shows that this works as documented
using wget, while I noticed some trouble with Firefox when ShowIP is
enabled (so switch off ShowIP to be really invisible!).
Except for this, only socks4a does local DNS requests.

> As this change could render Tor useless... and I found no docs whether
> the above has changed in the meantime... I've marked this bug as security
> critical.
> Feel free to close, if I'm wrong :-)

As far as I can see you are wrong, so I do so.

Bye

        Roland


--- End Message ---
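
The wire-level difference behind the documentation quoted above, as an added example that is not part of the thread or of Privoxy's code: it builds one CONNECT request per protocol variant and reports whether the hostname itself is sent to the SOCKS server or only an already-resolved IP address. Function names and sample targets are constructed for illustration; the SOCKS5 layout follows RFC 1928, and the SOCKS4 user id is assumed empty.

```python
import ipaddress
import struct

# Builders for constructed sample requests (CONNECT only, empty SOCKS4 user id).
def build_socks4(ip, port):
    return struct.pack(">BBH", 4, 1, port) + ipaddress.IPv4Address(ip).packed + b"\x00"

def build_socks4a(host, port):
    # DSTIP 0.0.0.x (x != 0) signals that a hostname follows the user id.
    return struct.pack(">BBH", 4, 1, port) + b"\x00\x00\x00\x01\x00" + host.encode() + b"\x00"

def build_socks5(host, port):
    # ATYP 0x03: length-prefixed domain name (RFC 1928).
    name = host.encode()
    return bytes([5, 1, 0, 3, len(name)]) + name + struct.pack(">H", port)

def classify(req):
    """Return (protocol, resolver, target, port) for one SOCKS request.

    resolver is "proxy" when the hostname itself is on the wire and "client"
    when only an IP address is, i.e. any lookup happened before the proxy.
    """
    if req[0] == 4:
        (port,) = struct.unpack(">H", req[2:4])
        ip, fields = req[4:8], req[8:].split(b"\x00")
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            return ("socks4a", "proxy", fields[1].decode(), port)
        return ("socks4", "client", str(ipaddress.IPv4Address(ip)), port)
    if req[0] == 5:
        atyp = req[3]
        if atyp == 3:
            end = 5 + req[4]
            (port,) = struct.unpack(">H", req[end:end + 2])
            return ("socks5", "proxy", req[5:end].decode(), port)
        if atyp in (1, 4):
            end = 4 + (4 if atyp == 1 else 16)
            (port,) = struct.unpack(">H", req[end:end + 2])
            return ("socks5", "client", str(ipaddress.ip_address(req[4:end])), port)
    raise ValueError("not a SOCKS4/4a/5 request")

if __name__ == "__main__":
    for sample in (build_socks4("192.0.2.10", 80),
                   build_socks4a("example.org", 80),
                   build_socks5("example.org", 443)):
        print(classify(sample))
```

Plain SOCKS4 has no field for a name, so the client must resolve it first; SOCKS5 can carry either form, which is why the address type in the request is the thing to check.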
