Please upgrade Xenial/Zesty to use the latest LTS point release of Tor (0.2.9)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tor (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Medium
|
Simon Déziel | ||
Zesty |
Fix Released
|
Medium
|
Simon Déziel |
Bug Description
[Impact]
Currently, Zesty ships with Tor 0.2.9.10 but the latest point release is 0.2.9.11 [1]. Xenial is shipping 0.2.7.6 while the 0.2.7 branch reached its end of life on August 1st 2017 [2].
Since Tor is a security sensitive package, tracking upstream point releases for that LTS branch would keep Ubuntu users safe.
[1] https:/
[2] https:/
[Test Case]
1) Setup Tor:
$ sudo apt-get install tor
2) Check that you can use the Tor network:
$ torsocks wget -qO - ifconfig.me/ip
192.0.2.1
3) Check that the IP returned by ifconfig.me/ip is NOT the one
that is assigned by you ISP.
4) If you got a different IP it means your wget used the Tor network successfully
5) Repeat with the -proposed package
[Regression Potential]
Regression risk should be low since it's a backport from Debian Stretch that was released in June 2017.
On top of that, 2 changes were cherry picked from 0.3.0.10-1 and 0.3.0.4-rc-1 to use DAC_READ_SEARCH
instead of DAC_OVERRIDE in the Apparmor profile and the systemd units. The full DAC_OVERRIDE capability
turned out to be unnecessary.
If the capability change turns out to cause problem, Tor should either stop functionning (refuse to initialize)
or be unable to offer some features (like hidden services). Such regression should be visible through Apparmor
denial logs. Since it's a privilege reduction change, the user's security shouldn't be compromised.
[Other Info]
It's also easy to test the hidden service feature using the local SSH daemon. Here's how to do so:
1) Expose your SSH daemon via hidden service:
$ cat << EOF >> /etc/tor/torrc
HiddenServiceDir /var/lib/
HiddenServicePort 22 127.0.0.1:22
EOF
2) Restart Tor:
$ sudo service tor restart
3) Connect to your local hidden service by looping through the Tor network:
$ torsocks nc $(cat /var/lib/
SSH-2.0-
Protocol mismatch.
4) The above version string and protocol mismatch are proof that you were able to connect through Tor.
You can further prove that by checking your ssh logs:
$ journalctl -o cat -u ssh | tail -n1
Bad protocol version identification 'quit' from 127.0.0.1 port 39960
Changed in tor (Ubuntu): | |
status: | Confirmed → Fix Released |
Changed in tor (Ubuntu Xenial): | |
status: | New → Triaged |
Changed in tor (Ubuntu Zesty): | |
status: | New → Triaged |
Changed in tor (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in tor (Ubuntu Zesty): | |
importance: | Undecided → Medium |
Changed in tor (Ubuntu Xenial): | |
assignee: | nobody → Simon Déziel (sdeziel) |
Changed in tor (Ubuntu Zesty): | |
assignee: | nobody → Simon Déziel (sdeziel) |
description: | updated |
Here is Zesty's debdiff