tor 0.2.4.27-1ubuntu0.1 source package in Ubuntu
Changelog
tor (0.2.4.27-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS (client crash) via a crafted hidden service descriptor.
    - debian/patches/CVE-2016-1254.patch: Fix parsing bug with unrecognized token at EOS.
    - CVE-2016-1254
  * SECURITY UPDATE: DoS (crash) via crafted data.
    - debian/patches/CVE-2016-8860.patch: Protect against NUL-terminated inputs.
    - CVE-2016-8860
  * SECURITY UPDATE: DoS (assertion failure and daemon exit) via a BEGIN_DIR rendezvous circuit.
    - debian/patches/CVE-2017-0376.patch: Fix assertion failure.
    - CVE-2017-0376
  * SECURITY UPDATE: Replay-cache protection mechanism is ineffective for v2 onion services.
    - debian/patches/CVE-2017-8819.patch: Fix length of replaycache-checked data.
    - CVE-2017-8819
  * SECURITY UPDATE: DoS (application hang) via a crafted PEM input.
    - debian/patches/CVE-2017-8821.patch: Avoid asking for passphrase on junky PEM input.
    - CVE-2017-8821
  * SECURITY UPDATE: Relays, that have incompletely downloaded descriptors, can pick themselves in a circuit path, leading to a degradation of anonymity
    - debian/patches/CVE-2017-8822.patch: Use local descriptor object to exclude self in path selection.
    - CVE-2017-8822

 -- Eduardo Barretto <email address hidden>  Fri, 23 Nov 2018 14:25:06 -0200
Upload details
- Uploaded by: Eduardo Barretto
- Uploaded to: Trusty
- Original maintainer: Ubuntu Developers
- Architectures: any all
- Section: net
- Urgency: Medium Urgency
Publishing
Series | Published | Component | Section |
---|---|---|---|
Trusty | updates | universe | net |
Trusty | security | universe | net |
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
tor_0.2.4.27.orig.tar.gz | 3.0 MiB | ea1dddb4ae5fb11fecdf2639669dda6a4b960da4e3dc89ecb3d4250aee6e4871 |
tor_0.2.4.27-1ubuntu0.1.diff.gz | 39.3 KiB | edcf09b69cd36b736dc7538fd447a0c7839ce54ab88a291d73a39b79c7b2d240 |
tor_0.2.4.27-1ubuntu0.1.dsc | 2.1 KiB | bfb626a2cb025223c4b2ed4236831e05e9760b5d2d78d7dd5f1b4d06e5a13ba7 |
Binary packages built by this source
- tor: anonymizing overlay network for TCP
Tor is a connection-based low-latency anonymous communication system.
.
Clients choose a source-routed path through a set of relays, and
negotiate a "virtual circuit" through the network, in which each relay
knows its predecessor and successor, but no others. Traffic flowing
down the circuit is decrypted at each relay, which reveals the
downstream relay.
.
Basically, Tor provides a distributed network of relays. Users bounce
their TCP streams (web traffic, ftp, ssh, etc) around the relays, and
recipients, observers, and even the relays themselves have difficulty
learning which users connected to which destinations.
.
This package enables only a Tor client by default, but it can also be
configured as a relay and/or a hidden service easily.
.
Client applications can use the Tor network by connecting to the local
socks proxy interface provided by your Tor instance. If the application
itself does not come with socks support, you can use a socks client
such as torsocks.
.
Note that Tor does no protocol cleaning on application traffic. There
is a danger that application protocols and associated programs can be
induced to reveal information about the user. Tor depends on Torbutton
and similar protocol cleaners to solve this problem. For best
protection when web surfing, the Tor Project recommends that you use
the Tor Browser Bundle, a standalone tarball that includes static
builds of Tor, Torbutton, and a modified Firefox that is patched to fix
a variety of privacy bugs.
- tor-dbg: debugging symbols for Tor
This package provides the debugging symbols for Tor, The Onion Router.
Those symbols allow your debugger to assign names to your backtraces, which
makes it somewhat easier to interpret core dumps.
- tor-dbgsym: debug symbols for package tor
- tor-geoipdb: GeoIP database for Tor
This package provides a GeoIP database for Tor, i.e. it maps IPv4 addresses
to countries.
.
Bridge relays (special Tor relays that aren't listed in the main Tor
directory) use this information to report which countries they see
connections from. These statistics enable the Tor network operators to
learn when certain countries start blocking access to bridges.
.
Clients can also use this to learn what country each relay is in, so
Tor controllers like arm or Vidalia can use it, or if they want to
configure path selection preferences.