Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Sep 2012 21:40:04 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: tor

Hi,
* Kurt Seifried <kseifried@...hat.com> [2012-09-12 19:01]:
> On 09/12/2012 06:34 AM, Nico Golde wrote:
> > Hi, from the tor release notes[0]: Changes in version 0.2.2.39 -
> > 2012-09-11 Tor 0.2.2.39 fixes two more opportunities for remotely
> > triggerable assertions.
> > 
> > o Security fixes: - Fix an assertion failure in tor_timegm() that
> > could be triggered by a badly formatted directory object. Bug found
> > by fuzzing with Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc. -
> > Do not crash when comparing an address with port value 0 to an 
> > address policy. This bug could have been used to cause a remote 
> > assertion failure by or against directory authorities, or to allow
> > some applications to crash clients. Fixes bug 6690; bugfix on
> > 0.2.1.10-alpha.
> > 
> > I have not seen CVE ids for these issues. Can you assign ids for
> > them?
> > 
> > [0]
> > https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes
> 
> Can you attach links to the code commits? thanks

I didn't have them when I sent this mail. Should be:
https://gitweb.torproject.org/tor.git/commitdiff/973c18bf0e84d14d8006a9ae97fde7f7fb97e404
https://gitweb.torproject.org/tor.git/commitdiff/62d96284f7e0f81c40d5df7e53dd7b4dfe7e56a5

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0xA0A0AAAA

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.