Bug 1102127 - tor: security update
Summary: tor: security update
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1102132 1102134 1102136
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-05-28 14:26 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:17 UTC (History)
6 users (show)

Fixed In Version: tor 0.2.4.22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-03 14:32:24 UTC


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2014-05-28 14:26:33 UTC
Fedora (and EPEL) ship a bit outdated version of tor packages.
In fact, upstream is no longer maintaining tor version 0.2.3.x, and discourages its use [1].

More on this, 0.2.3.x lacks a fix for CVE-2014-0160 (Heartbleed).

0.2.4.x ChangeLog: https://gitweb.torproject.org/tor.git?a=blob_plain;hb=release-0.2.4;f=ReleaseNotes

[1]: https://bugzilla.novell.com/show_bug.cgi?id=878486#c0

Comment 1 Vasyl Kaigorodov 2014-05-28 14:28:52 UTC
Created tor tracking bugs for this issue:

Affects: fedora-all [bug 1102132]
Affects: epel-all [bug 1102136]

Comment 2 Vasyl Kaigorodov 2014-05-28 14:28:55 UTC
Created tor-arm tracking bugs for this issue:

Affects: fedora-all [bug 1102134]

Comment 3 Vincent Danen 2014-05-28 19:41:32 UTC
(In reply to Vasyl Kaigorodov from comment #2)
> Created tor-arm tracking bugs for this issue:
> 
> Affects: fedora-all [bug 1102134]

tor-arm is not the same thing as tor, so it would not be vulnerable to this.  It's a monitor for tor, not tor itself.

Comment 4 Jamie Nguyen 2014-05-31 07:57:28 UTC
The link given in the bugzilla is a comment from OpenSUSE packager that
hasn't cited any sources.

I am not aware of any official message from upstream that 0.2.3.25 is
deprecated. The Tor network still has many nodes running 0.2.3.25 and
they have not been removed from the Tor directory list.

There are no known vulnerabilities in Tor related to Heartbleed,
other than the fact that some nodes ave been blacklisted that *may* have
had their private key compromised. The Heartbleed related patches add blacklist logic (client-side) to ignore nodes with keys that may have been compromised. There are 9 keys in this blacklist. These patches have been backported to the 0.2.3 branch and I imagine there will be a 0.2.3.26 release at some point.

Our options are:

 1) Update to 0.2.4.22 on all branches
 2) Remain at 0.2.3.25 but use the backported patches
 3) Do nothing and wait for 0.2.3.26 release

I'm tempted to update to 0.2.4.22 on all branches. I expect the 0.2.3.x
branch will be deprecated by upstream long before RHEL 6 is EOL, or even
before End of Production 1 Phase, so it may be inevitable that we will
need to update Tor beyond 0.2.3.x branch.

On the other hand, the Fedora packager side of me wants to adhere to
packaging policy and avoid major version bumps. This is why I haven't updated to 0.2.4.22 on all branches as yet. Were it not for our update policy, I would have updated already.

Co-maintainer Paul Wouters is discussing with upstream to ask best action to take. I'm awaiting Paul's response.

Comment 5 Jamie Nguyen 2014-05-31 08:04:32 UTC
Also, my assessment above may not be correct. Paul or upstream do not necessarily share the same view. I'm happy to be overridden by a Proven Packager in the meantime (all that is needed is a merge from f21 to all branches). I understand that this package is very sensitive, so that's why I'm getting advice from Paul and upstream before doing anything.

Comment 6 Sam Kottler 2014-05-31 08:10:49 UTC
(In reply to Jamie Nguyen from comment #4)
> The link given in the bugzilla is a comment from OpenSUSE packager that
> hasn't cited any sources.
> 
> I am not aware of any official message from upstream that 0.2.3.25 is
> deprecated. The Tor network still has many nodes running 0.2.3.25 and
> they have not been removed from the Tor directory list.
> 
> There are no known vulnerabilities in Tor related to Heartbleed,
> other than the fact that some nodes ave been blacklisted that *may* have
> had their private key compromised. The Heartbleed related patches add
> blacklist logic (client-side) to ignore nodes with keys that may have been
> compromised. There are 9 keys in this blacklist. These patches have been
> backported to the 0.2.3 branch and I imagine there will be a 0.2.3.26
> release at some point.
> 
> Our options are:
> 
>  1) Update to 0.2.4.22 on all branches

This is really the only good option IMO, despite the fact that lots of people are uncomfortable with it because of the way packaging guidelines work. Tor doesn't really provide an ABI which is consumed by other projects throughout the distro so I wouldn't worry too much about breaking ABI. 

>  2) Remain at 0.2.3.25 but use the backported patches

There's really no way to viably do this. 0.2.3.x was released almost two years ago at this point so there'd be a number of patches which would need backport. Seems like a lot of work for no gain over the first option.

>  3) Do nothing and wait for 0.2.3.26 release

Is there actually going to be a 0.2.3.26 release?

> 
> I'm tempted to update to 0.2.4.22 on all branches. I expect the 0.2.3.x
> branch will be deprecated by upstream long before RHEL 6 is EOL, or even
> before End of Production 1 Phase, so it may be inevitable that we will
> need to update Tor beyond 0.2.3.x branch.
> 
> On the other hand, the Fedora packager side of me wants to adhere to
> packaging policy and avoid major version bumps. This is why I haven't
> updated to 0.2.4.22 on all branches as yet. Were it not for our update
> policy, I would have updated already.
> 
> Co-maintainer Paul Wouters is discussing with upstream to ask best action to
> take. I'm awaiting Paul's response.

Comment 7 Fedora Update System 2014-06-27 02:29:29 UTC
tor-0.2.4.22-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-06-27 02:29:54 UTC
tor-0.2.4.22-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-06-27 15:27:50 UTC
tor-0.2.4.22-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.