Your message dated Mon, 21 Jun 2021 19:02:13 +0000
with message-id <e1lvpbv-000ejz...@fasolo.debian.org>
and subject line Bug#990000: fixed in tor 0.3.5.15-1
has caused the Debian Bug report #990000,
regarding tor: CVE-2021-34548 CVE-2021-34549 CVE-2021-34550
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
990000: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990000
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: tor
Version: 0.4.5.8-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
CVE-2021-34548[0], CVE-2021-34549[1] and CVE-2021-34550[2].
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-34548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34548
[1] https://security-tracker.debian.org/tracker/CVE-2021-34549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34549
[2] https://security-tracker.debian.org/tracker/CVE-2021-34550
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34550
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: tor
Source-Version: 0.3.5.15-1
Done: Peter Palfrader <wea...@debian.org>
We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 990...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Palfrader <wea...@debian.org> (supplier of updated tor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 18 Jun 2021 10:27:26 +0200
Source: tor
Architecture: source
Version: 0.3.5.15-1
Distribution: buster-security
Urgency: medium
Maintainer: Peter Palfrader <wea...@debian.org>
Changed-By: Peter Palfrader <wea...@debian.org>
Closes: 990000
Changes:
tor (0.3.5.15-1) buster-security; urgency=medium
 .
   * New upstream version, fixing several (security) issues (closes: #990000).
     For a full list see the upstream changelog. It includes:
     - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
       half-closed streams. Previously, clients failed to validate which
       hop sent these cells: this would allow a relay on a circuit to end
       a stream that wasn't actually built with it.
       Bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-003
       and CVE-2021-34548.
     - Detect more failure conditions from the OpenSSL RNG code.
       Previously, we would detect errors from a missing RNG
       implementation, but not failures from the RNG code itself.
       Fortunately, it appears those failures do not happen in practice
       when Tor is using OpenSSL's default RNG implementation.
       Bugfix on 0.2.8.1-alpha. This issue is also tracked as
       TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
     - Resist a hashtable-based CPU denial-of-service attack against
       relays. Previously we used a naive unkeyed hash function to look
       up circuits in a circuitmux object. An attacker could exploit this
       to construct circuits with chosen circuit IDs, to create
       collisions and make the hash table inefficient. Now we use a
       SipHash construction here instead. Bugfix on
       0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
       CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
     - Fix an out-of-bounds memory access in v3 onion service descriptor
       parsing. An attacker could exploit this bug by crafting an onion
       service descriptor that would crash any client that tried to visit
       it. Bugfix on 0.3.0.1-alpha. This issue is also
       tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
       Glazunov from Google's Project Zero.
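The keyed-hash mitigation from the circuitmux item above, as an added example that is not Tor's code: a SipHash-2-4 implementation used as a bucket function next to the unkeyed modulo it replaces. The bucket functions, the 1024-bucket table size and the per-process secret key are assumptions for illustration; the self-test uses the two published SipHash test vectors.

```c
#include <stdint.h>
#include <stddef.h>

/* SipHash-2-4 (Aumasson & Bernstein), 64-bit output; added example, not Tor's code. */
#define ROTL(x, b) (uint64_t)(((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2;                    \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0;                    \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)

static uint64_t u8to64_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

uint64_t siphash24(const uint8_t *in, size_t len, const uint8_t key[16]) {
    uint64_t k0 = u8to64_le(key), k1 = u8to64_le(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    const uint8_t *end = in + (len & ~(size_t)7);
    for (; in != end; in += 8) {           /* two compression rounds per 8-byte block */
        uint64_t m = u8to64_le(in);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    uint64_t b = (uint64_t)len << 56;      /* final block: tail bytes plus length byte */
    for (size_t i = 0; i < (len & 7); i++) b |= (uint64_t)in[i] << (8 * i);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;                            /* four finalization rounds */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Unkeyed bucket choice (the weak pattern): the mapping is public, so any
 * party choosing circuit IDs can predict which ones share a bucket. */
size_t bucket_unkeyed(uint32_t circ_id, size_t nbuckets) { return circ_id % nbuckets; }

/* Keyed bucket choice: the 16-byte key is secret and per-process (assumed to
 * come from the OS RNG at startup), so bucket placement cannot be predicted. */
size_t bucket_keyed(uint32_t circ_id, size_t nbuckets, const uint8_t key[16]) {
    uint8_t id[4] = { (uint8_t)circ_id, (uint8_t)(circ_id >> 8),
                      (uint8_t)(circ_id >> 16), (uint8_t)(circ_id >> 24) };
    return (size_t)(siphash24(id, sizeof id, key) % nbuckets);
}

/* Returns 1 if both published test vectors (key 00..0f) match, else 0. */
int siphash24_selftest(void) {
    uint8_t key[16], msg[15];
    for (int i = 0; i < 16; i++) { key[i] = (uint8_t)i; if (i < 15) msg[i] = (uint8_t)i; }
    return siphash24(msg, 0, key) == 0x726fdb47dd0e0e31ULL &&
           siphash24(msg, 15, key) == 0xa129ca6149be45e5ULL;
}
```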
--- End Message ---