Bug 557798 (CVE-2010-0383, CVE-2010-0385)

Summary: CVE-2010-0383, CVE-2010-0385: tor multiple vulnerabilities in versions prior to 0.2.1.22
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Version: unspecified
CC: extras-orphan, pwouters, rh-bugzilla
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-05-31 03:12:54 UTC
Bug Depends On: 671263

Description Vincent Danen 2010-01-22 16:06:20 UTC
An updated version of tor (0.2.1.22) is available that updates identity keys for two breached directory authorities [1].  Two of the seven directory authorities for Tor were compromised, leading to migrated servers that require new identity keys.  Upstream has recommended that all Tor users upgrade to the latest version in response to this security breach of their servers.

This would affect Fedora 11, 12, rawhide, and EPEL5.  Packages for Fedora with this new version are currently in testing, but not for EPEL5.

[1] http://archives.seul.org/or/talk/Jan-2010/msg00161.html

Comment 1 Vincent Danen 2010-01-22 16:08:42 UTC
I don't know how easy or difficult it might be to change the current packages in testing from a bugfix update to a security update.  Is it possible to change that and note this bug as fixed by them?

Also, EPEL5 is currently at tor-0.2.1.19-3.el5 so would require an update.

Comment 2 Enrico Scholz 2010-01-22 16:58:50 UTC
Is it really a security issue? I interpret [1] from #c0:

--
* Does this mean someone could have matched users up to their
destinations?

No. By design, Tor requires a majority of directory authorities (four
in this case) to generate a consensus; and like other relays in the
Tor network, directory authorities don't know enough to match a user
and traffic or destination.
--

so that there is no impact on security/privacy.  There is "only" a lowered functionality (old clients won't accept these two directory authorities anymore due to the renewed keys).

Upstream marks this update as a 'major bugfix' instead of 'security' in its ChangeLog too.

Comment 3 Vincent Danen 2010-01-22 18:06:31 UTC
Fair enough.  I guess we can leave this as a bugfix then (although I think it would be good if EPEL5 were updated as upstream is urging all users to upgrade).

Thanks for looking into it further.

Comment 4 Vincent Danen 2010-01-25 20:58:04 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0383 to
the following vulnerability:

Name: CVE-2010-0383
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0383
Assigned: 20100125
Reference: MLIST:[or-announce] 20100121 Tor 0.2.1.22 is released (security fix)
Reference: URL: http://archives.seul.org/or/announce/Jan-2010/msg00000.html
Reference: MLIST:[or-talk] 20100120 Re: Tor Project infrastructure updates in response to security breach
Reference: URL: http://archives.seul.org/or/talk/Jan-2010/msg00165.html
Reference: MLIST:[or-talk] 20100120 Tor 0.2.2.7-alpha is out
Reference: URL: http://archives.seul.org/or/talk/Jan-2010/msg00162.html
Reference: MLIST:[or-talk] 20100120 Tor Project infrastructure updates in response to security breach
Reference: URL: http://archives.seul.org/or/talk/Jan-2010/msg00161.html
Reference: BID:37901
Reference: URL: http://www.securityfocus.com/bid/37901
Reference: SECUNIA:38198
Reference: URL: http://secunia.com/advisories/38198

Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses deprecated
identity keys for certain directory authorities, which makes it easier
for man-in-the-middle attackers to compromise the anonymity of traffic
sources and destinations.


Not sure if the updates have been pushed yet, but now that there is a CVE name, we may want to just call this security and note the CVE names.

Comment 5 Vincent Danen 2010-01-25 21:02:42 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0385 to
the following vulnerability:

Name: CVE-2010-0385
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0385
Assigned: 20100125
Reference: MLIST:[or-announce] 20100121 Tor 0.2.1.22 is released (security fix)
Reference: URL: http://archives.seul.org/or/announce/Jan-2010/msg00000.html
Reference: MLIST:[or-talk] 20100120 Tor 0.2.2.7-alpha is out
Reference: URL: http://archives.seul.org/or/talk/Jan-2010/msg00162.html
Reference: BID:37901
Reference: URL: http://www.securityfocus.com/bid/37901
Reference: OSVDB:61865
Reference: URL: http://www.osvdb.org/61865
Reference: SECUNIA:38198
Reference: URL: http://secunia.com/advisories/38198

Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when
functioning as a bridge directory authority, allows remote attackers
to obtain sensitive information about bridge identities and bridge
descriptors via a dbg-stability.txt directory query.

Comment 6 Vincent Danen 2011-01-20 21:52:28 UTC
Created tor tracking bugs for this issue

Affects: epel-5 [bug 671263]

Comment 7 Paul Wouters 2013-05-31 03:12:54 UTC
Fixed a long time ago.