Hello community,
here is the log from the commit of package tor.3099 for openSUSE:12.3:Update checked in at 2014-11-05 10:51:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/tor.3099 (Old)
and /work/SRC/openSUSE:12.3:Update/.tor.3099.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tor.3099"
Changes:
--------
New Changes file:
--- /dev/null 2014-10-24 22:03:51.036034256 +0200
+++ /work/SRC/openSUSE:12.3:Update/.tor.3099.new/tor.changes 2014-11-05 10:51:33.000000000 +0100
@@ -0,0 +1,2000 @@
+-------------------------------------------------------------------
+Thu Oct 23 20:35:26 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.25 [boo#902476]
+ Disables SSL3 in response to the recent "POODLE" attack (even
+ though POODLE does not affect Tor).
+ It also works around a crash bug caused by some operating systems'
+ response to the "POODLE" attack (which does affect Tor).
+ - Disable support for SSLv3.
+ - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+ 1.0.1j, built with the 'no-ssl3' configuration option.
+
+-------------------------------------------------------------------
+Wed Sep 24 17:52:08 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.24 [bnc#898268]
+ Fixes a bug that affects consistency and speed when connecting to
+ hidden services, and it updates the location of one of the
+ directory authorities.
+- Major bugfixes:
+ * Clients now send the correct address for their chosen rendezvous
+ point when trying to access a hidden service.
+- Directory authority changes:
+ * Change IP address for gabelmoo (v3 directory authority).
+- Minor features (geoip):
+ * Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
+ Country database.
+- disable build with experimental feature bufferevents [bnc#897113]
+
+-------------------------------------------------------------------
+Wed Jul 30 22:52:17 UTC 2014 - andreas.stieger@gmx.de
+
+- Tor 0.2.4.23 [bnc#889688] [CVE-2014-5117]
+ Slows down the risk from guard rotation and backports several
+ important fixes from the Tor 0.2.5 alpha release series.
+- Major features:
+ - Clients now look at the "usecreatefast" consensus parameter to
+ decide whether to use CREATE_FAST or CREATE cells for the first hop
+ of their circuit. This approach can improve security on connections
+ where Tor's circuit handshake is stronger than the available TLS
+ connection security levels, but the tradeoff is more computational
+ load on guard relays.
+ - Make the number of entry guards configurable via a new
+ NumEntryGuards consensus parameter, and the number of directory
+ guards configurable via a new NumDirectoryGuards consensus
+ parameter.
+- Major bugfixes:
+ - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
+ implementation that caused incorrect results on 32-bit
+ implementations when certain malformed inputs were used along with
+ a small class of private ntor keys.
+- Minor bugfixes:
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell.
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays.
+ - Avoid an illegal read from stack when initializing the TLS module
+ using a version of OpenSSL without all of the ciphers used by the
+ v2 link handshake.
+
+-------------------------------------------------------------------
+Mon May 19 22:06:52 UTC 2014 - andreas.stieger@gmx.de
+
+- tor 0.2.4.22 [bnc#878486]
+ Tor was updated to the recommended version of the 0.2.4.x series.
+- major features in 0.2.4.x:
+ - improved client resilience
+ - support better link encryption with forward secrecy
+ - new NTor circuit handshake
+ - change relay queue for circuit create requests from size-based
+ limit to time-based limit
+ - many bug fixes and minor features
+- changes contained in 0.2.4.22:
+ Backports numerous high-priority fixes. These include blocking
+ all authority signing keys that may have been affected by the
+ OpenSSL "heartbleed" bug, choosing a far more secure set of TLS
+ ciphersuites by default, closing a couple of memory leaks that
+ could be used to run a target relay out of RAM.
+ - Major features (security)
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
+ - Major bugfixes (security, OOM):
+ - Fix a memory leak that could occur if a microdescriptor parse
+ fails during the tokenizing step.
+ - Major bugfixes (TLS cipher selection):
+ - The relay ciphersuite list is now generated automatically based
+ on uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy.
+ - Relays now trust themselves to have a better view than clients
+ of which TLS ciphersuites are better than others.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28.
+- includes changes from 0.2.4.21:
+ Further improves security against potential adversaries who find
+ breaking 1024-bit crypto doable, and backports several stability
+ and robustness patches from the 0.2.5 branch.
+ - Major features (client security):
+ - When we choose a path for a 3-hop circuit, make sure it contains
+ at least one relay that supports the NTor circuit extension
+ handshake. Otherwise, there is a chance that we're building
+ a circuit that's worth attacking by an adversary who finds
+ breaking 1024-bit crypto doable, and that chance changes the game
+ theory.
+ - Major bugfixes:
+ - Do not treat streams that fail with reason
+ END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
+ since it could also indicate an ENETUNREACH connection error
+- includes changes from 0.2.4.20:
+ - Do not allow OpenSSL engines to replace the PRNG, even when
+ HardwareAccel is set.
+ - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
+ address.
+ - Avoid launching spurious extra circuits when a stream is pending.
+- packaging changes:
+ - remove init script shadowing systemd unit
+ - general cleanup
+ - Add tor-fw-helper for UPnP port forwarding; not used by default
+ - fix logrotate on systemd-only setups without init scripts,
+ work tor-0.2.2.37-logrotate.patch to tor-0.2.4.x-logrotate.patch
+ - verify source tarball signature
+
+-------------------------------------------------------------------
+Mon Jan 20 20:55:12 UTC 2014 - andreas.stieger@gmx.de
+
+- fixes potentially poor random number generation for users who
+ 1) use OpenSSL 1.0.0 or later,
+ 2) set "HardwareAccel 1" in their torrc file,
+ 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors
+ and
+ 4) have no state file in their DataDirectory (as would happen on
+ first start).
+ Users who generated relay or hidden service identity keys in such
+ a situation should discard them and generate new ones.
+ No 2 is not the default configuration for openSUSE.
+ [bnc#859421] [CVE-2013-7295]
+- added patches:
+ * tor-0.2.3.x-CVE-2013-7295.patch
+
+-------------------------------------------------------------------
+Tue Nov 27 21:46:02 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.3.25, the first stable release in the 0.2.3 branch
+ + significantly reduced directory overhead (via microdescriptors)
+ + enormous crypto performance improvements for fast relays on new
+ enough hardware
+ + new v3 TLS handshake protocol that can better resist
+ fingerprinting
+ + support for protocol obfuscation plugins (pluggable transports)
+ + better scalability for hidden services
+ + IPv6 support for bridges
+ + performance improvements
+ + new "stream isolation" design to isolate different applications
+ on different circuits
+ + many stability, security, and privacy fixes
+ + Complete list of changes enumerated in:
+ https://lists.torproject.org/pipermail/tor-talk/2012-November/026554.html
+ https://gitweb.torproject.org/tor.git/blob/267c0e5aa14deeb2ca0d7997b4ef5a5c2...
+ + Tear down the circuit when receiving an unexpected SENDME cell.
+ [bnc#791374] CVE-2012-5573
+- build using --enable-bufferevents provided by Libevent 2.0.13
+
+-------------------------------------------------------------------
+Tue Nov 20 09:07:23 UTC 2012 - dimstar@opensuse.org
+
+- Fix useradd invocation: -o is useless without -u and newer
+ versions of pwdutils/shadowutils fail on this now.
+
+-------------------------------------------------------------------
+Sat Sep 15 14:08:49 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.39 [bnc#780620]
+ Changes in version 0.2.2.39 - 2012-09-11
+ Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
+ assertions.
+
+ o Security fixes:
+ - Fix an assertion failure in tor_timegm() that could be triggered
+ by a badly formatted directory object.
+ CVE-2012-4922
+ - Do not crash when comparing an address with port value 0 to an
+ address policy. This bug could have been used to cause a remote
+ assertion failure by or against directory authorities, or to
+ allow some applications to crash clients.
+ CVE-2012-4419
+
+-------------------------------------------------------------------
+Mon Aug 20 19:11:57 UTC 2012 - andreas.stieger@gmx.de
+
+- update to 0.2.2.38 [bnc#776642]
+ Changes in version 0.2.2.38 - 2012-08-12
+ Tor 0.2.2.38 fixes a rare race condition that can crash exit relays;
+ fixes a remotely triggerable crash bug; and fixes a timing attack that
+ could in theory leak path information.
+ o Security fixes:
+ - Avoid read-from-freed-memory and double-free bugs that could occur
+ when a DNS request fails while launching it.
++++ 1803 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.tor.3099.new/tor.changes
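Review bot: the May 19 2014 entry (tor 0.2.4.22) does not record what happened to tor-0.2.3.x-CVE-2013-7295.patch, which the Jan 20 2014 entry lists under "added patches". The package now carries only tor-0.2.4.x-logrotate.patch, and the 0.2.4.20 item "Do not allow OpenSSL engines to replace the PRNG, even when HardwareAccel is set" reads like the upstream form of that fix, so the "packaging changes" list should state that the CVE-2013-7295 patch was dropped because the fix is included upstream. Without that line, someone auditing the changelog cannot tell whether the fix for [bnc#859421] is still applied.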
New:
----
tor-0.2.4.25.tar.gz
tor-0.2.4.25.tar.gz.asc
tor-0.2.4.x-logrotate.patch
tor.changes
tor.keyring
tor.service
tor.spec
tor.tmpfiles
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tor.spec ++++++
#
# spec file for package tor
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%bcond_with bufferevents
%define with_systemd 0%{?suse_version} > 1140
%define with_upnp 0%{?suse_version} >= 1220
%define toruser %{name}
%define torgroup %{name}
%define home_dir %{_localstatedir}/lib/empty
Name: tor
Version: 0.2.4.25
Release: 0
Summary: Anonymizing overlay network for TCP (The onion router)
License: BSD-3-Clause
Group: Productivity/Networking/Security
Url: https://www.torproject.org/
Source0: https://www.torproject.org/dist/%{name}-%{version}.tar.gz
Source1: https://www.torproject.org/dist/%{name}-%{version}.tar.gz.asc
# https://www.torproject.org/docs/signing-keys.html.en
Source2: tor.keyring
Source3: tor.service
Source4: tor.tmpfiles
Patch0: tor-0.2.4.x-logrotate.patch
%if %{with_upnp}
BuildRequires: libminiupnpc-devel
%endif
BuildRequires: openssl-devel
BuildRequires: pwdutils
Requires: logrotate
PreReq(post): %fillup_prereq
BuildRoot: %{_tmppath}/%{name}-%{version}-build
#
%if %{with bufferevents}
BuildRequires: pkgconfig(libevent) >= 2.0.13
%endif # with bufferevents
%if %{?suse_version} > 1210
BuildRequires: pkgconfig(libevent)
%else
BuildRequires: libevent-devel
%endif
%if 0%{?with_systemd}
BuildRequires: pkgconfig(systemd)
%{?systemd_requires}
%endif
#
%description
Tor is a connection-based low-latency anonymous communication system.
This package provides the "tor" program, which serves as both a client and
a relay node. Scripts will automatically create a "%{toruser}" user and
a "%{torgroup}" group, and set tor up to run as a daemon when the system
is rebooted.
Applications connect to the local Tor proxy using the SOCKS
protocol. The tor client chooses a path through a set of relays, in
which each relay knows its predecessor and successor, but no
others. Traffic flowing down the circuit is unwrapped by a symmetric
key at each relay, which reveals the downstream relay.
Warnings: Tor does no protocol cleaning. That means there is a danger
that application protocols and associated programs can be induced to
reveal information about the initiator. Tor depends on Privoxy or
similar protocol cleaners to solve this problem. This is alpha code,
and is even more likely than released code to have anonymity-spoiling
bugs. The present network is small -- this further reduces the
strength of the anonymity provided. Tor is not presently suitable
for high-stakes anonymity.
%prep
%setup -q
%patch0 -p1
%build
%configure \
--with-tor-user=%{toruser} \
--with-tor-group=%{torgroup} \
%if %{with_upnp}
--enable-upnp \
%endif
%if %{with bufferevents}
--enable-bufferevents \
%endif
--docdir=%{_docdir}/%{name}
make %{?_smp_mflags}
%install
make DESTDIR=%{buildroot} install %{?_smp_mflags}
# missing dirs
install -d -m 700 \
%{buildroot}%{_localstatedir}/lib/%{name} \
%{buildroot}%{_localstatedir}/tmp/%{name}
install -d -m 755 \
%{buildroot}%{_localstatedir}/run/%{name} \
%{buildroot}%{_localstatedir}/log/%{name} \
%{buildroot}/%{_sbindir}
%if 0%{?with_systemd}
install -m 644 -D %{SOURCE3} %{buildroot}/%{_unitdir}/%{name}.service
install -d -m 0755 %{buildroot}%{_libexecdir}/tmpfiles.d/
install -m 0644 %{SOURCE4} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
ln -s -f service %{buildroot}%{_sbindir}/rc%{name}
%else
# init script
install -D -m 755 contrib/suse/tor.sh %{buildroot}/%{_initddir}/%{name}
ln -s -f ../..%{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
%endif
# control script
install -p -m 755 contrib/torctl %{buildroot}/%{_bindir}
# sample config file
install -p -m 644 src/config/torrc.sample %{buildroot}/%{_sysconfdir}/%{name}/torrc.sample
# logrotate conf
sed -i -e "s|_tor|tor|g" contrib/tor.logrotate
install -D -m 644 contrib/tor.logrotate %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}
%pre
getent group %{torgroup} >/dev/null || groupadd -r %{torgroup}
getent passwd %{toruser} >/dev/null || useradd -r -g %{torgroup} -d %{home_dir} -s /sbin/false -c "User to ru %{name}" %{toruser}
%if 0%{?with_systemd}
%service_add_pre tor.service
%endif
%post
%if 0%{?with_systemd}
%fillup_only
%service_add_post tor.service
systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/tor.conf
%else
%fillup_and_insserv tor
%endif
%preun
%if 0%{?with_systemd}
%service_del_preun tor.service
%else
%stop_on_removal tor
%endif
%postun
%if 0%{?with_systemd}
%service_del_postun tor.service
%else
%insserv_cleanup
%restart_on_update tor
%endif
%files
%defattr(-,root,root)
%doc LICENSE README ChangeLog doc/HACKING doc/*.html
%doc %{_mandir}/man*/*
%{_bindir}/%{name}
%{_bindir}/%{name}ctl
%{_bindir}/%{name}ify
%{_bindir}/%{name}-gencert
%{_bindir}/%{name}-resolve
%if %{with_upnp}
%{_bindir}/%{name}-fw-helper
%endif
%dir %{_datadir}/%{name}
%{_datadir}/%{name}/geoip*
%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name}
%dir %attr(0755,root,%{torgroup}) %{_sysconfdir}/%{name}
%config(noreplace) %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/*
%attr(0700,%{toruser},%{torgroup}) %dir %{_localstatedir}/lib/%{name}
%ghost %attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/run/%{name}
%attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/log/%{name}
%if 0%{?with_systemd}
%{_unitdir}/%{name}.service
%{_libexecdir}/tmpfiles.d/%{name}.conf
%else
%config %{_initddir}/%{name}
%endif
%{_sbindir}/rc%{name}
%changelog
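Review bot: %prep runs only `%setup -q` and `%patch0 -p1`, so nothing in this spec checks Source1 (the .tar.gz.asc) against Source2 (tor.keyring), although the changelog lists "verify source tarball signature". If the check is meant to happen during the build, add an explicit verification step before %setup together with the BuildRequires it needs; if it is done by tooling outside the spec, a comment next to Source2 saying so would make that clear. Separately, `%if %{?suse_version} > 1210` lacks the leading 0 used in the with_systemd and with_upnp definitions and turns into an invalid expression when suse_version is undefined, so it should read `%if 0%{?suse_version} > 1210`; and the useradd comment in %pre reads "User to ru %{name}", which looks like a typo for "run".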
++++++ tor-0.2.4.x-logrotate.patch ++++++
From: Andreas Stieger