Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 8 Nov 2008 10:39:03 GMT
From:      bf <bf2006a@yahoo.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/128691: [PATCH]security/tor-devel: update to 0.2.1.7-alpha
Message-ID:  <200811081039.mA8Ad3Tb099481@www.freebsd.org>
Resent-Message-ID: <200811081040.mA8Ae2SX051225@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         128691
>Category:       ports
>Synopsis:       [PATCH]security/tor-devel: update to 0.2.1.7-alpha
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Nov 08 10:40:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     bf
>Release:        7-STABLE i386
>Organization:
-
>Environment:
>Description:
Update and remove references to the obselete "Group" torrc option in files/tor.in.

Some security fixes included; from the changelog:

"Changes in version 0.2.1.7-alpha - 2008-11-08
  o Security fixes:
    - The "ClientDNSRejectInternalAddresses" config option wasn't being
      consistently obeyed: if an exit relay refuses a stream because its
      exit policy doesn't allow it, we would remember what IP address
      the relay said the destination address resolves to, even if it's
      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
    - The "User" and "Group" config options did not clear the
      supplementary group entries for the Tor process. The "User" option
      is now more robust, and we now set the groups to the specified
      user's primary group. The "Group" option is now ignored. For more
      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.
    - Do not use or believe expired v3 authority certificates. Patch
      from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.

  o Minor features:
    - Now NodeFamily and MyFamily config options allow spaces in
      identity fingerprints, so it's easier to paste them in.
      Suggested by Lucky Green.
    - Implement the 0x20 hack to better resist DNS poisoning: set the
      case on outgoing DNS requests randomly, and reject responses that do
      not match the case correctly. This logic can be disabled with the
      ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
      of servers that do not reliably preserve case in replies. See
      "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
      for more info.
    - Preserve case in replies to DNSPort requests in order to support
      the 0x20 hack for resisting DNS poisoning attacks.

  o Hidden service performance improvements:
    - When the client launches an introduction circuit, retry with a
      new circuit after 30 seconds rather than 60 seconds.
    - Launch a second client-side introduction circuit in parallel
      after a delay of 15 seconds (based on work by Christian Wilms).
    - Hidden services start out building five intro circuits rather
      than three, and when the first three finish they publish a service
      descriptor using those. Now we publish our service descriptor much
      faster after restart.

  o Minor bugfixes:
    - Minor fix in the warning messages when you're having problems
      bootstrapping; also, be more forgiving of bootstrap problems when
      we're still making incremental progress on a given bootstrap phase.
    - When we're choosing an exit node for a circuit, and we have
      no pending streams, choose a good general exit rather than one that
      supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
    - Send a valid END cell back when a client tries to connect to a
      nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
      840. Patch from rovv.
    - If a broken client asks a non-exit router to connect somewhere,
      do not even do the DNS lookup before rejecting the connection.
      Fixes another case of bug 619. Patch from rovv.
    - Fix another case of assuming, when a specific exit is requested,
      that we know more than the user about what hosts it allows.
      Fixes another case of bug 752. Patch from rovv.
    - Check which hops rendezvous stream cells are associated with to
      prevent possible guess-the-streamid injection attacks from
      intermediate hops. Fixes another case of bug 446. Based on patch
      from rovv.
    - Avoid using a negative right-shift when comparing 32-bit
      addresses. Possible fix for bug 845 and bug 811.
    - Make the assert_circuit_ok() function work correctly on circuits that
      have already been marked for close.
    - Fix read-off-the-end-of-string error in unit tests when decoding
      introduction points.
    - Fix uninitialized size field for memory area allocation: may improve
      memory performance during directory parsing.
    - Treat duplicate certificate fetches as failures, so that we do
      not try to re-fetch an expired certificate over and over and over.
    - Do not say we're fetching a certificate when we'll in fact skip it
      because of a pending download."

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

diff -ruN tor-devel.orig/Makefile tor-devel/Makefile
--- tor-devel.orig/Makefile	2008-10-05 06:14:41.000000000 -0400
+++ tor-devel/Makefile	2008-11-08 04:57:01.973732591 -0500
@@ -2,11 +2,11 @@
 # Date created:				2005.10.20
 # Whom:					peter.thoenen@yahoo.com
 #
-# $FreeBSD: ports/security/tor-devel/Makefile,v 1.68 2008/10/05 10:14:41 miwi Exp $
+# $FreeBSD: ports/security/tor-devel/Makefile,v 1.67 2008/09/05 14:24:07 miwi Exp $
 #
 
 PORTNAME=	tor
-DISTVERSION=	0.2.1.6-alpha
+DISTVERSION=	0.2.1.7-alpha
 CATEGORIES=	security net ipv6
 MASTER_SITES=	http://www.torproject.org/dist/ \
 		http://tor.cypherpunks.at/dist/ \
diff -ruN tor-devel.orig/distinfo tor-devel/distinfo
--- tor-devel.orig/distinfo	2008-10-05 06:14:41.000000000 -0400
+++ tor-devel/distinfo	2008-11-08 04:57:01.973732591 -0500
@@ -1,3 +1,3 @@
-MD5 (tor-0.2.1.6-alpha.tar.gz) = db49c016e3ec55773687207dfe556662
-SHA256 (tor-0.2.1.6-alpha.tar.gz) = e51cbcfe85a05ca7c1b212da76e91e407fbadd911c6c1e3aa36d53424be1a435
-SIZE (tor-0.2.1.6-alpha.tar.gz) = 2295719
+MD5 (tor-0.2.1.7-alpha.tar.gz) = f4eeebb9d536317e4a5391cb03732947
+SHA256 (tor-0.2.1.7-alpha.tar.gz) = eefa9383f5bfc722458517c02f3b7446041f6f3a2cd82377484f4eb80a83cae5
+SIZE (tor-0.2.1.7-alpha.tar.gz) = 2302260
diff -ruN tor-devel.orig/files/tor.in tor-devel/files/tor.in
--- tor-devel.orig/files/tor.in	2008-03-20 19:31:05.000000000 -0400
+++ tor-devel/files/tor.in	2008-11-08 05:14:21.262484933 -0500
@@ -15,7 +15,6 @@
 # tor_conf (str):	Points to your tor conf file
 #			Default: %%PREFIX%%/etc/tor/torrc
 # tor_user (str):	Tor Daemon user. Default _tor
-# tor_group (str):	Tor Daemon group. Default _tor
 # tor_datadir (str):	Tor DataDir.  Defaults /var/db/tor
 # tor_logfile (str):	Tor Log File.  Defaults /var/log/tor
 #
@@ -30,7 +29,6 @@
 : ${tor_enable="NO"}
 : ${tor_conf="%%PREFIX%%/etc/tor/torrc"}
 : ${tor_user="_tor"}
-: ${tor_group="_tor"}
 : ${tor_pidfile="/var/run/tor/tor.pid"}
 : ${tor_logfile="/var/log/tor"}
 : ${tor_datadir="/var/db/tor"}
@@ -39,7 +37,7 @@
 required_dirs=${tor_datadir}
 pidfile=${tor_pidfile}
 command="%%PREFIX%%/bin/${name}"
-command_args="-f ${tor_conf} --PidFile ${tor_pidfile} --RunAsDaemon 1 --DataDirectory ${tor_datadir} --User ${tor_user} --Group ${tor_group} --Log notice\ file\ ${tor_logfile}"
+command_args="-f ${tor_conf} --PidFile ${tor_pidfile} --RunAsDaemon 1 --DataDirectory ${tor_datadir} --User ${tor_user} --Log notice\ file\ ${tor_logfile}"
 extra_commands="log"
 log_cmd="${name}_log"
 


>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200811081039.mA8Ad3Tb099481>