Forward port debian 0.2.0.26-rc-1 to trunk

svn:r14933
Peter Palfrader 2008-06-04 08:39:02 +00:00
parent 00405468aa
commit 81429fdc34
4 changed files with 105 additions and 0 deletions

23
debian/changelog vendored

@ -4,6 +4,29 @@ tor (0.2.1.0-unreleased-1) XXperimental; urgency=low
-- Peter Palfrader <weasel@debian.org> Wed, 19 Mar 2008 20:09:25 +0100
tor (0.2.0.26-rc-1) experimental; urgency=critical
* New upstream version.
* Conflict with old libssls.
* On upgrading from versions prior to, including, 0.1.2.19-2, or
from versions later than 0.2.0 and prior to 0.2.0.26-rc do the
following, and if we are a server (we have a /var/lib/tor/keys
directory)
- move /var/lib/tor/keys/secret_onion_key out of the way.
- move /var/lib/tor/keys/secret_onion_key.old out of the way.
- move /var/lib/tor/keys/secret_id_key out of the way if it was
created on or after 2006-09-17, which is the day the bad
libssl was uploaded to Debian unstable.
* Add a NEWS file explaining this change.
-- Peter Palfrader <weasel@debian.org> Tue, 13 May 2008 16:11:21 +0200
tor (0.2.0.24-rc-1) experimental; urgency=low
* New upstream version.
-- Peter Palfrader <weasel@debian.org> Wed, 23 Apr 2008 02:25:22 +0200
tor (0.2.0.23-rc-1) experimental; urgency=low
* New upstream version.
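
Review bot: The upgrade condition in the 0.2.0.26-rc-1 entry says "versions prior to, including, 0.1.2.19-2", but the postinst in this commit tests `dpkg --compare-versions "$2" lt 0.1.2.19-2`, which does not match 0.1.2.19-2 itself. Either change the test to `le` or drop "including" from this entry, so the changelog describes what the script actually does for an upgrade from exactly 0.1.2.19-2.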

1
debian/control vendored

@ -8,6 +8,7 @@ Standards-Version: 3.7.2
Package: tor
Architecture: any
Depends: ${shlibs:Depends}, adduser, tsocks
Conflicts: libssl0.9.8 (<< 0.9.8g-9)
Recommends: privoxy | polipo (>= 1), socat, logrotate
Suggests: mixmaster, mixminion, anon-proxy
Description: anonymizing overlay network for TCP
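
Review bot: The bound in `Conflicts: libssl0.9.8 (<< 0.9.8g-9)` is not explained anywhere in the commit; the changelog only says "Conflict with old libssls". Suggest stating in the changelog entry that this bound relates to CVE-2008-0166 and why 0.9.8g-9 is the cutoff, so the relationship can be revisited or dropped later with confidence.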

16
debian/tor.NEWS vendored Normal file

@ -0,0 +1,16 @@
tor (0.2.0.26-rc-1) experimental; urgency=critical
* weak cryptographic keys
It has been discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.
See Debian Security Advisory number 1571 (DSA-1571) for more information:
http://lists.debian.org/debian-security-announce/2008/msg00152.html
If you run a Tor server using this package please see
/var/lib/tor/keys/moved-away-by-tor-package/README.REALLY
-- Peter Palfrader <weasel@debian.org> Tue, 13 May 2008 12:49:05 +0200
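
Review bot: The NEWS entry does not say what the package does on upgrade; it only sends server operators to /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY, a file the postinst writes only when `move_away_keys` is set. Suggest adding a sentence here that the onion keys, and the identity key if it falls in the affected timeframe, are moved away on upgrade and that Tor will generate new ones, so an operator reading NEWS alone learns that the server's identity may have changed.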

65
debian/tor.postinst vendored

@ -51,6 +51,71 @@ find /var/log/tor \( \( ! -user debian-tor \) -o \( ! -group adm \) \) -print0 |
find /var/log/tor -type d -print0 | xargs -0 --no-run-if-empty chmod 02750
find /var/log/tor -type f -print0 | xargs -0 --no-run-if-empty chmod 00640
move_away_keys=0
if [ "$1" = "configure" ] &&
[ -e /var/lib/tor/keys ] &&
[ ! -z "$2" ]; then
if dpkg --compare-versions "$2" lt 0.1.2.19-2; then
move_away_keys=1
elif dpkg --compare-versions "$2" gt 0.2.0 &&
dpkg --compare-versions "$2" lt 0.2.0.26-rc; then
move_away_keys=1
fi
fi
if [ "$move_away_keys" = "1" ]; then
echo "Retiring possibly compromised keys. See /usr/share/doc/tor/NEWS.Debian.gz"
echo "and /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY for"
echo "further information."
if ! [ -d /var/lib/tor/keys/moved-away-by-tor-package ]; then
mkdir /var/lib/tor/keys/moved-away-by-tor-package
cat > /var/lib/tor/keys/moved-away-by-tor-package/README.REALLY << EOF
It has been discovered that the random number generator in Debian's
openssl package is predictable. This is caused by an incorrect
Debian-specific change to the openssl package (CVE-2008-0166). As a
result, cryptographic key material may be guessable.
See Debian Security Advisory number 1571 (DSA-1571) for more information:
http://lists.debian.org/debian-security-announce/2008/msg00152.html
The Debian package for Tor has moved away the onion keys upon package
upgrade, and it will have moved away your identity key if it was created
in the affected timeframe. There is no sure way to automatically tell
if your key was created with an affected openssl library, so this move
is done unconditionally.
If you have restarted Tor since this change (and the package probably
did that for you already unless you configured your system differently)
then the Tor daemon already created new keys for itself and in all
likelyhood is already working just fine with new keys.
If you are absolutely certain that your identity key was created with
a non-affected version of openssl and for some reason you have to retain
the old identity, then you can move back the copy of secret_id_key to
/var/lib/tor/keys. Do not move back the onion keys, they were created
only recently since they are temporary keys with a lifetime of only a few
days anyway.
Sincerely,
Peter Palfrader, Tue, 13 May 2008 13:32:23 +0200
EOF
fi
for f in secret_onion_key secret_onion_key.old; do
if [ -e /var/lib/tor/keys/"$f" ]; then
mv -v /var/lib/tor/keys/"$f" /var/lib/tor/keys/moved-away-by-tor-package/"$f"
fi
done
if [ -e /var/lib/tor/keys/secret_id_key ]; then
id_mtime=`/usr/bin/stat -c %Y /var/lib/tor/keys/secret_id_key`
sept=`date -d '2006-09-10' +%s`
if [ "$id_mtime" -gt "$sept" ] ; then
mv -v /var/lib/tor/keys/secret_id_key /var/lib/tor/keys/moved-away-by-tor-package/secret_id_key
fi
fi
fi
#DEBHELPER#
exit 0
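
Review bot: The identity-key cutoff `date -d '2006-09-10'` does not match the changelog entry in this commit, which gives 2006-09-17 as the first affected day. If the extra week is a deliberate safety margin, add a comment next to the `sept=` assignment saying so; otherwise align the two dates. The test also uses `stat -c %Y`, which is modification time rather than creation time, so the README.REALLY wording "if it was created in the affected timeframe" describes something slightly different from what is checked. Two smaller points: the here-document delimiter is unquoted (`<< EOF`), so the README body is subject to shell expansion and `<< 'EOF'` would keep it literal, and `mv` will overwrite a file of the same name already in moved-away-by-tor-package if this branch runs a second time.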