Tor 1.2.16 - Security hole

Tor 1.2.16 - Security hole

Peter Thoenen-2
I hate to call Rui out in public but he is the maintainer here and very
non-responsive to private emails about this.

Tor 1.1.x has BEEN DEPRECATED from before the time 4.1 STABLE was
released (you were notified of this also Rui) and all versions earlier
than 1.2.15 suffer a remote code exploitation which has been proven in
the wild already with technical details to be released to the public in
two weeks per the developers.  The developers announced all users should
update immediately yet still not seeing this port updated in stable when
I csup.  Can you (Rui) update this port finally as it would count as a
security update or are you just going to hang out and continue to be a
subpar maintainer?  If you don't want to maintain your own port then let
me know and I or somebody else can do it but this is ridiculous.  You
missed the last couple stable releases and when informed of it you were
like "what the f*ck do I care ... OBSD isn't about the latest and
greatest.  Compile it yourself".  Well now we have a serious remote code
issue and a deprecated non-supported (in the current tor directory
services) package in OBSD ... is this a big enough issue to get you to care?

NOTE: I am pretty indifferent if it is fixed in CURRENT.  This is a
remote code exploit and I am pretty sure security patches are merged
into stable's ports tree considering I see updates to it at least weekly.

Sorry to be an ass Rui but with maintenance comes responsibility.

-Peter

Re: Tor 1.2.16 - Security hole

Peter Valchev-2
On 8/8/07, Peter Thoenen <[hidden email]> wrote:
> I hate to call Rui out in public but he is the maintainer here and very
> non-responsive to private emails about this.
>
> Tor 1.1.x has BEEN DEPRECATED from before the time 4.1 STABLE was
> released (you were notified of this also Rui) and all versions earlier

Can you share where you are getting this from?

http://tor.eff.org/download.html.en
"The latest stable release is 0.1.2.16, and the latest development
release is 0.2.0.4-alpha."

We normally follow -stable ports and not alpha code snapshots from
projects' development branches so I am afraid I see nothing improper
here!

Additionally:
2007-08-01: Tor 0.2.0.4-alpha fixes a critical security vulnerability
for most users, specifically those running Vidalia, TorK, etc.
Everybody should upgrade.
2007-08-01: Tor 0.1.2.16 fixes a critical security vulnerability for
most users, specifically those running Vidalia, TorK, etc. Everybody
should upgrade.

I'm sorry but the bug affected BOTH stable AND the snapshot so you are
on drugs that it would have helped. And you are an asshole for calling
out Rui in the manner that you did!

> than 1.2.15 suffer a remote code exploitation which has been proven in
> the wild already with technical details to be released to the public in
> two weeks per the developers.  The developers announced all users should
> update immediately yet still not seeing this port updated in stable when

The port has been updated in -current immediately after this happened
and this is where development happens. This is a volunteer project and
-stable is not with priority.

Re: Tor 1.2.16 - Security hole

Will Maier
In reply to this post by Peter Thoenen-2
On Wed, Aug 08, 2007 at 11:47:56AM -0400, Peter Thoenen wrote:
> I hate to call Rui out in public but he is the maintainer here and
> very non-responsive to private emails about this.

A fix (up to 0.1.2.16) was committed to -current yesterday; it was
MFCed this morning.

http://www.openbsd.org/cgi-bin/cvsweb/ports/net/tor/Makefile?rev=1.30&content-type=text/x-cvsweb-markup

The rest of your post is rude. If a maintainer isn't being
responsive, a (non-rude) note to ports@ should be sufficient. A
screed will rarely make things happen any sooner; patches tend to
help things along.

--

o--------------------------{ Will Maier }--------------------------o
| web:.......http://www.lfod.us/ | [hidden email] |
*------------------[ BSD Unix: Live Free or Die ]------------------*
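
The fix Will Maier describes is a bump of the port to 0.1.2.16, the version the thread names as fixed. As an added example, not code from the thread, from the tor project or from the OpenBSD ports tree, the POSIX sh below checks whether an installed tor package, named the way pkg_info(1) prints it, is at or above that version. The sample pkg_info lines are constructed, the 0.1.2.16 threshold is taken from the thread, and the function names, the treatment of pre-release suffixes and the assumption that the package stem contains no hyphen are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread or from the OpenBSD ports tree.
# Checks whether an installed tor package (named the way pkg_info(1) prints
# it, e.g. "tor-0.1.2.16") is at or above the version the thread names as
# fixed. Plain POSIX sh; nothing beyond printf/echo/read is used.

FIXED_TOR=0.1.2.16   # version named as fixed in the thread

# version_ge A B: succeed (return 0) when dotted version A >= B.
# Components are compared numerically, left to right; a missing component
# counts as 0; a non-numeric suffix on a component ("4-alpha", "16p0") is
# dropped, so a pre-release compares equal to its release (a simplifying
# assumption made for this example).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}                     # head component of each
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac  # advance A
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac  # advance B
        ai=${ai%%[!0-9]*} bi=${bi%%[!0-9]*}         # keep leading digits only
        ai=${ai:-0} bi=${bi:-0}
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0   # every component equal
}

# pkg_version PKGNAME: the version part of a package name such as
# "tor-0.1.2.16". Assumes the stem carries no hyphen, which holds for tor.
pkg_version() {
    printf '%s\n' "${1#*-}"
}

# tor_needs_update PKGNAME: succeed when PKGNAME is older than $FIXED_TOR.
tor_needs_update() {
    ! version_ge "$(pkg_version "$1")" "$FIXED_TOR"
}

# audit_tor: read pkg_info(1)-style lines on stdin, report every tor-*
# package, and fail if any of them is below $FIXED_TOR.
audit_tor() {
    rc=0
    while read -r pkg _; do
        case $pkg in tor-*) ;; *) continue ;; esac
        if tor_needs_update "$pkg"; then
            echo "VULNERABLE: $pkg (fixed in tor-$FIXED_TOR)"
            rc=1
        else
            echo "ok: $pkg"
        fi
    done
    return $rc
}

# Constructed sample of pkg_info output (not captured from any real system).
# On an OpenBSD box you would run:  pkg_info | audit_tor
SAMPLE_PKG_INFO='tor-0.1.2.15        anonymity service using onion routing
vim-7.1.56          vi clone, many additional features'

if printf '%s\n' "$SAMPLE_PKG_INFO" | audit_tor; then
    echo "all tor packages at or above $FIXED_TOR"
else
    echo "update tor before relying on it"
fi
```

The check only tells you whether the package version has reached the fixed release; it does not inspect the binary, so a locally rebuilt port with a stale PLIST name would still be reported by its package name.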

Re: Tor 1.2.16 - Security hole

Nikns Siankin
In reply to this post by Peter Thoenen-2
On Wed, Aug 08, 2007 at 11:47:56AM -0400, Peter Thoenen wrote:

>I hate to call Rui out in public but he is the maintainer here and very
>non-responsive to private emails about this.
>
>Tor 1.1.x has BEEN DEPRECATED from before the time 4.1 STABLE was
>released (you were notified of this also Rui) and all versions earlier
>than 1.2.15 suffer a remote code exploitation which has been proven in
>the wild already with technical details to be released to the public in
>two weeks per the developers.  The developers announced all users should
>update immediately yet still not seeing this port updated in stable when
>I csup.  Can you (Rui) update this port finally as it would count as a
>security update or are you just going to hang out and continue to be a
>subpar maintainer?  If you don't want to maintain your own port then let
>me know and I or somebody else can do it but this is ridiculous.  You
>missed the last couple stable releases and when informed of it you were
>like "what the f*ck do I care ... OBSD isn't about the latest and
>greatest.  Compile it yourself".  Well now we have a serious remote code
>issue and a deprecated non-supported (in the current tor directory
>services) package in OBSD ... is this a big enough issue to get you to care?
>NOTE: I am pretty indifferent if it is fixed in CURRENT.  This is a
>remote code exploit and I am pretty sure security patches are merged
>into stable's ports tree considering I see updates to it at least weekly.

I agree with you on this -current/-stable thingy. This ports tree
soft locking shit *how we care about -stable users* is bullshit,
when outdated/security vulnerable stuff is even in -current and
it takes ages to backport and make packages of needed security updates...
I see there no logic, since developers are on -current anyway and they
don't care about stable users really...


>Sorry to be an ass Rui but with maintenance comes responsibility.

Can't agree on this, since Rui has been very responsive when I sent him
the secunia link about the flaw. He is not an ignorant one ;]
And the tor update has been committed in the 4.1 branch too. However
there are other ports which aren't updated.

>
>-Peter
>

Re: Tor 1.2.16 - Security hole

Theo de Raadt
> I agree with you on this -current/-stable thingy. This ports tree
> soft locking shit *how we care about -stable users* is bullshit,
> when outdated/security vulnerable stuff is even in -current and
> it takes ages to backport and make packages of needed security updates...
> I see there no logic, since developers are on -current anyway and they
> don't care about stable users really...

There are likely going to be some changes soon as to how -stable is
treated.  However, I think you will not like the changes.  Many people
are quite overworked, unable to proceed forward because they are being
pecked to death by whiny users, and are quite sick and tired of these
people who whine.

The solution will likely comprise some set of:

        promise less, give less, and listen less.

Re: Tor 1.2.16 - Security hole

Nikolay Sturm-2
In reply to this post by Peter Thoenen-2
* Peter Thoenen [2007-08-08]:
> Tor 1.1.x has BEEN DEPRECIATED from before the time 4.1 STABLE was

Tor 1.2 only came out around the release of 4.1 and no update was marked
a security update, so there was no reason to update the -stable ports.
We have our policies and we do have them for a good reason.

> two week per the developers.  The developers announced all users
> should update immediately yet still not seeing this port updated in
> stable when I csup.

So what? Where does the OpenBSD project guarantee you security updates
or any service whatsoever within any fixed timeframe? -current was
updated within a week and 4.1-stable shortly thereafter. 4.0 will have
to wait a little longer.

> Can you (Rui) update this port finally as it would count as a security
> update or you just going to hang out and continue to be a subpar
> maintainer.

How about you smart ass send diffs instead of being a subpar user?  And
btw, we have a process for dealing with unresponsive maintainers.  It's
documented in the archives, but that of course, would mean a little work
on your side finding out...

> If you don't want to maintain your own port then let me know and I or
> somebody else can do it but this is ridiculous.  You

Since 4.1 the tor port was updated within days of the release of a new
version. Get your facts straight.

> Sorry to be an ass Rui but with maintenance comes responsibility.

You have a responsibility as well, Mr. Consumer, care to take it on?

Nikolay

Re: Tor 1.2.16 - Security hole

Nikns Siankin
In reply to this post by Theo de Raadt
On Wed, Aug 08, 2007 at 11:29:25AM -0600, Theo de Raadt wrote:

>> I agree with you on this -current/-stable thingy. This ports tree
>> soft locking shit *how we care about -stable users* is bullshit,
>> when outdated/security vulnerable stuff is even in -current and
>> it takes ages to backport and make packages of needed security updates...
>> I see there no logic, since developers are on -current anyway and they
>> don't care about stable users really...
>
>There are likely going to be some changes soon as to how -stable is
>treated.  However, I think you will not like the changes.  Many people
>are quite overworked, unable to proceed forward because they are being
>pecked to death by whiny users, and are quite sick and tired of these
>people who whine.
>
>The solution will likely comprise some set of:
>
> promise less, give less, and listen less.

The future is now.

Re: Tor 1.2.16 - Security hole

Rui Reis-2
In reply to this post by Peter Thoenen-2
On Wed, Aug 08, 2007 at 11:47:56AM -0400, Peter Thoenen wrote:
> I hate to call Rui out in public but he is the maintainer here and very
> non responsive to private emails about this.

you are kidding, right?

I answered your first email and told you how OpenBSD works.

As nikolay@ said "Tor 1.2 only came out around the release of 4.1 and no
update was marked a security update, so there was no reason to update the
-stable ports."

I didn't answer your second nonsense email, that's true. Why? Because
you don't know what you are talking about!

Cheers,
rui


> Tor 1.1.x has BEEN DEPRECATED from before the time 4.1 STABLE was
> released (you were notified of this also Rui) and all versions earlier
> than 1.2.15 suffer a remote code exploitation which has been proven in
> the wild already with technical details to be released to the public in
> two weeks per the developers.  The developers announced all users should
> update immediately yet still not seeing this port updated in stable when
> I csup.  Can you (Rui) update this port finally as it would count as a
> security update or are you just going to hang out and continue to be a
> subpar maintainer?  If you don't want to maintain your own port then let
> me know and I or somebody else can do it but this is ridiculous.  You
> missed the last couple stable releases and when informed of it you were
> like "what the f*ck do I care ... OBSD isn't about the latest and
> greatest.  Compile it yourself".  Well now we have a serious remote code
> issue and a deprecated non-supported (in the current tor directory
> services) package in OBSD ... is this a big enough issue to get you to care?
>
> NOTE: I am pretty indifferent if it is fixed in CURRENT.  This is a
> remote code exploit and I am pretty sure security patches are merged
> into stable's ports tree considering I see updates to it at least weekly.
>
> Sorry to be an ass Rui but with maintenance comes responsibility.
>
> -Peter

Tor 1.2.16 - Security hole

Julian Frede
In reply to this post by Peter Thoenen-2
I am sorry to get my hands dirty with a thread like that but I just can't
help myself.

The only thing I thought of when reading Peter's post was:

Why the hell didn't he send a patch to the maintainer?



-Julian
--
Lubarsky's Law of Cybernetic Entomology:
        There's always one more bug.

Re: Tor 1.2.16 - Security hole

Jacob Yocom-Piatt-2
Julian Frede wrote:
> I am sorry to get my hands dirty with a thread like that but I just can't
> help myself.
>
> The only thing I thought of when reading Peter's post was:
>
> Why the hell didn't he send a patch to the maintainer?
>
>  

because he's busy sucking on a bag of dicks.

>
> -Julian
>  
