| 2017-08-15 01:47:50 |
Simon Déziel |
bug |
|
|
added bug |
| 2017-08-15 05:21:27 |
Simon Déziel |
attachment added |
|
lp1710753-17.10.debdiff https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1710753/+attachment/4932463/+files/lp1710753-17.10.debdiff |
|
| 2017-08-15 05:21:57 |
Simon Déziel |
attachment added |
|
lp1710753-16.04.debdiff https://bugs.launchpad.net/ubuntu/+source/tor/+bug/1710753/+attachment/4932464/+files/lp1710753-16.04.debdiff |
|
| 2017-08-15 08:20:35 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
| 2017-08-15 08:20:41 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2017-08-21 15:50:53 |
Launchpad Janitor |
tor (Ubuntu): status |
New |
Confirmed |
|
| 2017-08-24 15:11:37 |
Stéphane Graber |
nominated for series |
|
Ubuntu Zesty |
|
| 2017-08-24 15:11:37 |
Stéphane Graber |
bug task added |
|
tor (Ubuntu Zesty) |
|
| 2017-08-24 15:11:37 |
Stéphane Graber |
nominated for series |
|
Ubuntu Xenial |
|
| 2017-08-24 15:11:37 |
Stéphane Graber |
bug task added |
|
tor (Ubuntu Xenial) |
|
| 2017-08-24 15:11:44 |
Stéphane Graber |
tor (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2017-08-24 15:11:50 |
Stéphane Graber |
tor (Ubuntu Xenial): status |
New |
Triaged |
|
| 2017-08-24 15:11:52 |
Stéphane Graber |
tor (Ubuntu Zesty): status |
New |
Triaged |
|
| 2017-08-24 15:11:54 |
Stéphane Graber |
tor (Ubuntu Xenial): importance |
Undecided |
Medium |
|
| 2017-08-24 15:11:58 |
Stéphane Graber |
tor (Ubuntu Zesty): importance |
Undecided |
Medium |
|
| 2017-08-24 15:12:03 |
Stéphane Graber |
tor (Ubuntu Xenial): assignee |
|
Simon Déziel (sdeziel) |
|
| 2017-08-24 15:12:09 |
Stéphane Graber |
tor (Ubuntu Zesty): assignee |
|
Simon Déziel (sdeziel) |
|
| 2017-08-24 15:14:47 |
Stéphane Graber |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2017-08-24 15:14:59 |
Stéphane Graber |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2017-08-24 15:52:41 |
Stéphane Graber |
tor (Ubuntu Zesty): status |
Triaged |
Fix Committed |
|
| 2017-08-24 15:52:43 |
Stéphane Graber |
bug |
|
|
added subscriber SRU Verification |
| 2017-08-24 15:52:48 |
Stéphane Graber |
tags |
patch |
patch verification-needed verification-needed-zesty |
|
| 2017-08-25 01:15:25 |
Simon Déziel |
description |
Currently, Zesty ships with Tor 0.2.9.10 but the latest point release is 0.2.9.11 [1]. Xenial is shipping 0.2.7.6 while the 0.2.7 branch reached its end of life on August 1st 2017 [2].
Since Tor is a security sensitive package, tracking upstream point releases for that LTS branch would keep Ubuntu users safe.
1: https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?id=tor-0.2.9.11
2: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases |
[Impact]
Currently, Zesty ships with Tor 0.2.9.10 but the latest point release is 0.2.9.11 [1]. Xenial is shipping 0.2.7.6 while the 0.2.7 branch reached its end of life on August 1st 2017 [2].
Since Tor is a security sensitive package, tracking upstream point releases for that LTS branch would keep Ubuntu users safe.
[1] https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?id=tor-0.2.9.11
[2] https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases
[Test Case]
1) Setup Tor:
$ sudo apt-get install tor
2) Check that you can use the Tor network:
$ torsocks wget -qO - ifconfig.me/ip
192.0.2.1
3) Check that the IP returned by ifconfig.me/ip is NOT the one
that is assigned by you ISP.
4) If you got a different IP it means your wget used the Tor network successfully
5) Repeat with the -proposed package
[Regression Potential]
Regression risk should be low since it's a backport from Debian Stretch that was released in June 2017.
On top of that, 2 changes were cherry picked from 0.3.0.10-1 and 0.3.0.4-rc-1 to use DAC_READ_SEARCH
instead of DAC_OVERRIDE in the Apparmor profile and the systemd units. The full DAC_OVERRIDE capability
turned out to be unnecessary.
If the capability change turns out to cause problem, Tor should either stop functionning (refuse to initialize)
or be unable to offer some features (like hidden services). Such regression should be visible through Apparmor
denial logs. Since it's a privilege reduction change, the user's security shouldn't be compromised.
[Other Info]
It's also easy to test the hidden service feature using the local SSH daemon. Here's how to do so:
1) Expose your SSH daemon via hidden service:
$ cat << EOF >> /etc/tor/torrc
HiddenServiceDir /var/lib/tor/hidden_service_sshd/
HiddenServicePort 22 127.0.0.1:22
EOF
2) Restart Tor:
$ sudo service tor restart
3) Connect to your local hidden service by looping through the Tor network:
$ torsocks nc $(cat /var/lib/tor/hidden_service_sshd/hostname) 22 <<< quit
SSH-2.0-OpenSSH_7.4p1
Protocol mismatch.
4) The above version string and protocol mismatch are proof that you were able to connect through Tor.
You can further prove that by checking your ssh logs:
$ journalctl -o cat -u ssh | tail -n1
Bad protocol version identification 'quit' from 127.0.0.1 port 39960 |
|
| 2017-08-25 01:21:11 |
Simon Déziel |
tags |
patch verification-needed verification-needed-zesty |
patch verification-done-zesty verification-needed |
|
| 2017-09-04 15:34:22 |
Launchpad Janitor |
tor (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
| 2017-09-04 15:34:26 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2017-09-07 17:34:50 |
Stéphane Graber |
tor (Ubuntu Xenial): status |
Triaged |
Fix Committed |
|
| 2017-09-07 17:34:52 |
Stéphane Graber |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2017-09-07 17:34:55 |
Stéphane Graber |
tags |
patch verification-done-zesty verification-needed |
patch verification-done-zesty verification-needed verification-needed-xenial |
|
| 2017-09-07 22:38:13 |
Simon Déziel |
tags |
patch verification-done-zesty verification-needed verification-needed-xenial |
patch verification-done verification-done-xenial verification-done-zesty |
|
| 2017-09-18 14:34:20 |
Launchpad Janitor |
tor (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
