An updated version of tor (0.2.1.22) is available that updates identity keys for two breached directory authorities [1]. Two of the seven directory authorities for Tor were compromised, leading to migrated servers that require new identity keys. Upstream has recommended that all Tor users upgrade to the latest version in response to this security breach of their servers. This would affect Fedora 11, 12, rawhide, and EPEL5. Packages for Fedora with this new version are currently in testing, but not for EPEL5.

[1] http://archives.seul.org/or/talk/Jan-2010/msg00161.html
I don't know how easy or difficult it might be to change the current packages in testing from a bugfix update to a security update. Is it possible to change that and note this bug as fixed by them? Also, EPEL5 is currently at tor-0.2.1.19-3.el5 so would require an update.
Is it really a security issue? I interpret [1] from #c0:

--
* Does this mean someone could have matched users up to their destinations?
No. By design, Tor requires a majority of directory authorities (four in this case) to generate a consensus; and like other relays in the Tor network, directory authorities don't know enough to match a user and traffic or destination.
--

so that there is no impact on security/privacy. There is "only" a lowered functionality (old clients won't accept these two directory authorities anymore due to the renewed keys). Upstream marks this update as a 'major bugfix' instead of 'security' in its ChangeLog too.
Fair enough. I guess we can leave this as a bugfix then (although I think it would be good if EPEL5 were updated as upstream is urging all users to upgrade). Thanks for looking into it further.
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0383 to the following vulnerability:

Name: CVE-2010-0383
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0383
Assigned: 20100125
Reference: MLIST:[or-announce] 20100121 Tor 0.2.1.22 is released (security fix)
Reference: URL: http://archives.seul.org/or/announce/Jan-2010/msg00000.html
Reference: MLIST:[or-talk] 20100120 Re: Tor Project infrastructure updates in response to security breach
Reference: URL: http://archives.seul.org/or/talk/Jan-2010/msg00165.html
Reference: MLIST:[or-talk] 20100120 Tor 0.2.2.7-alpha is out
Reference: URL: http://archives.seul.org/or/talk/Jan-2010/msg00162.html
Reference: MLIST:[or-talk] 20100120 Tor Project infrastructure updates in response to security breach
Reference: URL: http://archives.seul.org/or/talk/Jan-2010/msg00161.html
Reference: BID:37901
Reference: URL: http://www.securityfocus.com/bid/37901
Reference: SECUNIA:38198
Reference: URL: http://secunia.com/advisories/38198

Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses deprecated identity keys for certain directory authorities, which makes it easier for man-in-the-middle attackers to compromise the anonymity of traffic sources and destinations.

Not sure if the updates have been pushed yet, but now that there is a CVE name, we may want to just call this security and note the CVE names.
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0385 to the following vulnerability:

Name: CVE-2010-0385
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0385
Assigned: 20100125
Reference: MLIST:[or-announce] 20100121 Tor 0.2.1.22 is released (security fix)
Reference: URL: http://archives.seul.org/or/announce/Jan-2010/msg00000.html
Reference: MLIST:[or-talk] 20100120 Tor 0.2.2.7-alpha is out
Reference: URL: http://archives.seul.org/or/talk/Jan-2010/msg00162.html
Reference: BID:37901
Reference: URL: http://www.securityfocus.com/bid/37901
Reference: OSVDB:61865
Reference: URL: http://www.osvdb.org/61865
Reference: SECUNIA:38198
Reference: URL: http://secunia.com/advisories/38198

Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when functioning as a bridge directory authority, allows remote attackers to obtain sensitive information about bridge identities and bridge descriptors via a dbg-stability.txt directory query.
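
Added example, not part of the bug report and not Tor or Fedora code: a check of a Tor version string (or an RPM name such as tor-0.2.1.19-3.el5) against the affected ranges that the CVE-2010-0383 and CVE-2010-0385 descriptions above both give. The function names and the host inventory are hypothetical, and treating release series later than 0.2.2.x as fixed is an assumption.

```python
import re

# Fixed releases named in the CVE-2010-0383 and CVE-2010-0385 descriptions.
FIXED_STABLE = (0, 2, 1, 22)   # "Tor before 0.2.1.22"
FIXED_ALPHA = (0, 2, 2, 7)     # "0.2.2.x before 0.2.2.7-alpha"

# Four dotted numbers, optionally prefixed by the RPM package name "tor-".
# Whatever follows ("-alpha", "-3.el5") is ignored: the first fixed 0.2.2.x
# release is itself an alpha, so the status tag never changes the verdict.
_VERSION_RE = re.compile(r"^(?:tor-)?(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_tor_version(text):
    """Return the numeric part of a Tor version as a 4-tuple of ints."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError("not a four-part Tor version: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version falls in the ranges the two CVE entries give."""
    version = parse_tor_version(text)
    if version[:3] == (0, 2, 2):
        return version < FIXED_ALPHA
    # Older series compare below 0.2.1.22; later series (assumed fixed,
    # since they postdate the key rotation) compare above it.
    return version < FIXED_STABLE


def affected_hosts(inventory):
    """Given {host: version string}, return the sorted affected host names."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory; only the EPEL5 package name comes from this report.
SAMPLE_INVENTORY = {
    "relay-a": "tor-0.2.1.19-3.el5",
    "relay-b": "0.2.1.22",
    "bridge-c": "0.2.2.6-alpha",
    "bridge-d": "0.2.2.7-alpha",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("%s needs the tor update (%s)" % (host, SAMPLE_INVENTORY[host]))
```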
Created tor tracking bugs for this issue

Affects: epel-5 [bug 671263]
Fixed a long time ago.