[or-cvs] r14600: Bump version and update authority keys affected by Debian Op (in tor/branches/tor-0_2_0-patches: . contrib src/or src/win32)

nickm at seul.org nickm at seul.org
Tue May 13 12:42:27 UTC 2008 

Author: nickm
Date: 2008-05-13 08:42:25 -0400 (Tue, 13 May 2008)
New Revision: 14600

Modified:
   tor/branches/tor-0_2_0-patches/
   tor/branches/tor-0_2_0-patches/ChangeLog
   tor/branches/tor-0_2_0-patches/configure.in
   tor/branches/tor-0_2_0-patches/contrib/tor-mingw.nsi.in
   tor/branches/tor-0_2_0-patches/src/or/config.c
   tor/branches/tor-0_2_0-patches/src/win32/orconfig.h
Log:
 r19723 at catbus:  nickm | 2008-05-13 08:41:40 -0400
 Bump version and update authority keys affected by Debian OpenSSL bug (See CVE-2008-0166 or http://lists.debian.org/debian-security-announce/2008/msg00152.html )



Property changes on: tor/branches/tor-0_2_0-patches
___________________________________________________________________
 svk:merge ticket from /tor/020 [r19723] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/branches/tor-0_2_0-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_2_0-patches/ChangeLog	2008-05-13 05:00:09 UTC (rev 14599)
+++ tor/branches/tor-0_2_0-patches/ChangeLog	2008-05-13 12:42:25 UTC (rev 14600)
@@ -1,7 +1,18 @@
-Changes in version 0.2.0.26-rc - 2008-05-??
+Changes in version 0.2.0.26-rc - 2008-05-13
+  Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug
+  in Debian's OpenSSL packages.  All users running any 0.2.0.x version
+  should upgrade, whether they're running Debian or not.
+
+  o Major security fixes:
+    - Use new V3 directory authority keys on the Tor26, Gabelmoo, and
+      Moria1 V3 directory authorities.  The old keys were generated with
+      a vulnerable version of Debian's OpenSSL package, and must be
+      considered compromised.  Other authorities' keys were not
+      generated with an affected version of OpenSSL.
+
   o Major bugfixes:
     - List authority signatures as "unrecognized" based on DirServer lines,
-      not on cert cache.
+      not on cert cache.  Bugfix on 0.2.0.x.
 
   o Minor features:
     - Add a new V3AuthUseLegacyKey option to make it easier for authorities

Modified: tor/branches/tor-0_2_0-patches/configure.in
===================================================================
--- tor/branches/tor-0_2_0-patches/configure.in	2008-05-13 05:00:09 UTC (rev 14599)
+++ tor/branches/tor-0_2_0-patches/configure.in	2008-05-13 12:42:25 UTC (rev 14600)
@@ -5,7 +5,7 @@
 dnl See LICENSE for licensing information
 
 AC_INIT
-AM_INIT_AUTOMAKE(tor, 0.2.0.25-rc-dev)
+AM_INIT_AUTOMAKE(tor, 0.2.0.26-rc)
 AM_CONFIG_HEADER(orconfig.h)
 
 AC_CANONICAL_HOST

Modified: tor/branches/tor-0_2_0-patches/contrib/tor-mingw.nsi.in
===================================================================
--- tor/branches/tor-0_2_0-patches/contrib/tor-mingw.nsi.in	2008-05-13 05:00:09 UTC (rev 14599)
+++ tor/branches/tor-0_2_0-patches/contrib/tor-mingw.nsi.in	2008-05-13 12:42:25 UTC (rev 14600)
@@ -9,7 +9,7 @@
 !include "FileFunc.nsh"
 !insertmacro GetParameters
   
-!define VERSION "0.2.0.25-rc-dev"
+!define VERSION "0.2.0.26-rc"
 !define INSTALLER "tor-${VERSION}-win32.exe"
 !define WEBSITE "https://www.torproject.org/"
 !define LICENSE "LICENSE"

Modified: tor/branches/tor-0_2_0-patches/src/or/config.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/or/config.c	2008-05-13 05:00:09 UTC (rev 14599)
+++ tor/branches/tor-0_2_0-patches/src/or/config.c	2008-05-13 12:42:25 UTC (rev 14600)
@@ -823,11 +823,11 @@
 {
   int i;
   const char *dirservers[] = {
-    "moria1 v1 orport=9001 v3ident=5420FD8EA46BD4290F1D07A1883C9D85ECC486C4 "
+    "moria1 v1 orport=9001 v3ident=E2A2AF570166665D738736D0DD58169CC61D8A8B "
       "128.31.0.34:9031 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441",
     "moria2 v1 orport=9002 128.31.0.34:9032 "
       "719B E45D E224 B607 C537 07D0 E214 3E2D 423E 74CF",
-    "tor26 v1 orport=443 v3ident=A9AC67E64B200BBF2FA26DF194AC0469E2A948C6 "
+    "tor26 v1 orport=443 v3ident=14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 "
       "86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D",
     "lefkada orport=443 "
       "140.247.60.64:80 38D4 F5FC F7B1 0232 28B8 95EA 56ED E7D5 CCDC AF32",
@@ -838,7 +838,7 @@
     "ides orport=9090 no-v2 v3ident=27B6B5996C426270A5C95488AA5BCEB6BCC86956 "
       "216.224.124.114:9030 F397 038A DC51 3361 35E7 B80B D99C A384 4360 292B",
     "gabelmoo orport=443 no-v2 "
-      "v3ident=EAA879B5C75032E462CB018630D2D0DF46EBA606 "
+      "v3ident=81349FC1F2DBA2C2C11B45CB9706637D480AB913 "
       "88.198.7.215:80 6833 3D07 61BC F397 A587 A0C0 B963 E4A9 E99E C4D3",
     "dannenberg orport=443 no-v2 "
       "v3ident=585769C78764D58426B8B52B6651A5A71137189A "

Modified: tor/branches/tor-0_2_0-patches/src/win32/orconfig.h
===================================================================
--- tor/branches/tor-0_2_0-patches/src/win32/orconfig.h	2008-05-13 05:00:09 UTC (rev 14599)
+++ tor/branches/tor-0_2_0-patches/src/win32/orconfig.h	2008-05-13 12:42:25 UTC (rev 14600)
@@ -227,6 +227,6 @@
 #define USING_TWOS_COMPLEMENT
 
 /* Version number of package */
-#define VERSION "0.2.0.25-rc-dev"
+#define VERSION "0.2.0.26-rc"

More information about the tor-commits mailing list