Bug 1494860 - tor-0.2.9.10-1.el7.x86_64 is unsecure and out of date
Summary: tor-0.2.9.10-1.el7.x86_64 is unsecure and out of date
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: tor
Version: epel7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jamie Nguyen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-23 18:06 UTC by Ludovic Hirlimann [:Paul-muadib]
Modified: 2017-10-16 17:19 UTC (History)
6 users (show)

(edit)
Clone Of:
: 1527018 (view as bug list)
(edit)
Last Closed: 2017-10-10 19:28:57 UTC


Attachments (Terms of Use)

Description Ludovic Hirlimann [:Paul-muadib] 2017-09-23 18:06:54 UTC
I run a TOR relay on my centos box and it's reported as "might" contain security
a risk for the user.

https://atlas.torproject.org/#details/383EBB4A99479DF9CD8BE5724E09B964F098E1BD

Steps to Reproduce: 
Install and configure a TOR relay using the rpm.

Comment 1 Fedora Update System 2017-09-29 14:15:18 UTC
tor-0.2.9.12-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-abe6f98ebf

Comment 2 Fedora Update System 2017-09-29 17:51:15 UTC
tor-0.2.9.12-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-e4d447e97c

Comment 3 Fedora Update System 2017-09-29 18:11:46 UTC
tor-0.2.9.12-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-03b487b716

Comment 4 Fedora Update System 2017-09-29 18:47:11 UTC
tor-0.2.9.12-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cf3746f1f6

Comment 5 Fedora Update System 2017-09-29 19:03:24 UTC
tor-0.2.9.12-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-238961d86d

Comment 6 Fedora Update System 2017-10-01 23:48:20 UTC
tor-0.2.9.12-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-e4d447e97c

Comment 7 Fedora Update System 2017-10-01 23:49:18 UTC
tor-0.2.9.12-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-abe6f98ebf

Comment 8 Fedora Update System 2017-10-01 23:54:44 UTC
tor-0.2.9.12-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cf3746f1f6

Comment 9 Fedora Update System 2017-10-02 00:55:19 UTC
tor-0.2.9.12-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-238961d86d

Comment 10 Fedora Update System 2017-10-02 00:56:07 UTC
tor-0.2.9.12-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-03b487b716

Comment 11 Ludovic Hirlimann [:Paul-muadib] 2017-10-02 00:57:50 UTC
I've left a comment on bodhi. I still see that version as not good from the TOR network.

Comment 12 Marcel Haerry 2017-10-02 03:56:49 UTC
I do not see a warning on your atlas site, where is it visible?

The release 0.2.9.12 is the latest Tor LTS release (https://lists.torproject.org/pipermail/tor-announce/2017-September/000139.html), this is according to Tor's Wiki Page and verified with Tor staff: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases Also it fixes all outstanding CVEs, so I would be suprised if Tor would flag their latest LTS release as being not good.

I'm ready to bring newer (non-LTS) versions to Fedora, however first I'd like to sort out #1495063 before moving on. Pushing the latest LTS release to all the repositories was the most non-intrusive action to do, while still fixing all security issues.

Comment 13 Ludovic Hirlimann [:Paul-muadib] 2017-10-02 04:03:04 UTC
(In reply to Marcel Haerry from comment #12)
> I do not see a warning on your atlas site, where is it visible?
> 

It's not showing anymore, it was under property and had a big red button. (maybe some cache issue on atlas. Thanks. i'll update bodhi.

Comment 14 Fedora Update System 2017-10-05 06:36:19 UTC
tor-0.3.1.7-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b2c714515b

Comment 15 Fedora Update System 2017-10-05 06:55:54 UTC
tor-0.3.1.7-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-1179268a20

Comment 16 Fedora Update System 2017-10-06 03:26:28 UTC
tor-0.3.1.7-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-1179268a20

Comment 17 Fedora Update System 2017-10-06 04:29:01 UTC
tor-0.3.1.7-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b2c714515b

Comment 18 Ludovic Hirlimann [:Paul-muadib] 2017-10-06 14:38:43 UTC
No 0.3 builds for CentOS

Comment 19 Marcel Haerry 2017-10-07 13:25:25 UTC
I still need to verify whether we can bring the 0.3 builds into EPEL according to EPEL's update policy. AND 0.2.9.12 is the latest release of Tor's LTS branch. So it has all the fixes and is supported for quite a while.

Are there any features you are missing with 0.2.9.12 (except for not being latest) that you like to have in EPEL?

Comment 20 Ludovic Hirlimann [:Paul-muadib] 2017-10-07 20:50:36 UTC
(In reply to Marcel Haerry from comment #19)
 
> Are there any features you are missing with 0.2.9.12 (except for not being
> latest) that you like to have in EPEL?

Not that I can think of.

Comment 21 Fedora Update System 2017-10-10 19:28:57 UTC
tor-0.3.1.7-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2017-10-11 01:53:51 UTC
tor-0.2.9.12-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2017-10-13 17:21:30 UTC
tor-0.3.1.7-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2017-10-16 16:49:15 UTC
tor-0.2.9.12-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2017-10-16 17:19:18 UTC
tor-0.2.9.12-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.