Bumped Tor version to 0.4.5.7 #5875
Conversation
zenmonkeykstop
requested review from
conorsch,
emkll,
kushaldas and
redshiftzero
as code owners
|
Marking WIP since we're seeing failures in CI: https://app.circleci.com/pipelines/github/freedomofpress/securedrop/2154/workflows/d7d16659-8006-4cdd-8a2a-65a36c02c5f1/jobs/52504 Based on @zenmonkeykstop's comments out of band, we suspect |
zenmonkeykstop
force-pushed
the
bump-tor-0.4.5.7
branch
from
c013c2b to
6c6ae65
Compare
There was a problem hiding this comment.
Approving these changes, along with freedomofpress/securedrop-apt-test#101, where packages of the referenced versions are submitted.
I'm going to hold off on merge here until we verify that CI passes using the new packages. Normally that's as simple as re-running the CI job, but due to ongoing quay.io problems, we may need to wait until tomorrow for a successful CI run.
|
Rerunning CI now that Quay is stable again, we should see all tests passing, including the latest version numbers here. |
Status
WIP
Description of Changes
Fixes #5873 .
Updates Tor package version downloaded from Tor Project repos from 0.4.5.6 to 0.4.5.7.
This update includes fixes for two DoS attacks, one directly against directory authorities, which does not affect SecureDrop , and one using compromised authorities to launch attacks against any Tor instances, including SecureDrop. Severity for the latter is rated High - it is being tracked as TROVE-2021- 001 in Tor's vulnerability listings and CVE-2021-28089 (pending) in general. There are no recorded cases of it affecting SecureDrop instances so far.
Testing
Deployment
Will be deployed independently to apt.freedom.press and picked up on next nightly update. Users wishing to apply it earlier can do so via
cron-apton Xenial andunattended-upgradeson Focal.