From peter.thoenen@yahoo.com  Wed Aug 15 02:44:33 2007
Return-Path: <peter.thoenen@yahoo.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id D4B2C16A420
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 15 Aug 2007 02:44:33 +0000 (UTC)
	(envelope-from peter.thoenen@yahoo.com)
Received: from smtp108.plus.mail.mud.yahoo.com (smtp108.plus.mail.mud.yahoo.com [68.142.206.241])
	by mx1.freebsd.org (Postfix) with SMTP id 98B3A13C4A5
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 15 Aug 2007 02:44:33 +0000 (UTC)
	(envelope-from peter.thoenen@yahoo.com)
Received: (qmail 54765 invoked from network); 15 Aug 2007 02:17:52 -0000
Received: from unknown (HELO ?10.0.114.22?) (eol1@67.154.216.196 with plain)
  by smtp108.plus.mail.mud.yahoo.com with SMTP; 15 Aug 2007 02:17:51 -0000
Message-Id: <46C26245.7030204@yahoo.com>
Date: Tue, 14 Aug 2007 22:17:41 -0400
From: Peter Thoenen <peter.thoenen@yahoo.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [UPDATE] security/tor-devel

>Number:         115534
>Category:       ports
>Synopsis:       security/tor-devel
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    itetcu
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 15 02:50:01 GMT 2007
>Closed-Date:    Tue Sep 25 12:49:50 GMT 2007
>Last-Modified:  Tue Sep 25 13:00:06 GMT 2007
>Originator:     Peter Thoenen
>Release:        FreeBSD 7.0-CURRENT i386
>Organization:
>Environment:
>Description:
        Update to latest release.  Suggest all users upgrade as there is
a remote code exploit in versions less than 2.0.4.

--------------000601080403070204020408
Content-Type: text/plain;
 name="tor-devel.diff.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="tor-devel.diff.txt"

diff -ruN tor-devel.orig/Makefile tor-devel/Makefile
--- tor-devel.orig/Makefile     Tue Aug 14 21:43:32 2007
+++ tor-devel/Makefile  Tue Aug 14 21:43:37 2007
@@ -6,7 +6,7 @@
 #

 PORTNAME=      tor
-DISTVERSION=   0.2.0.2-alpha
+DISTVERSION=   0.2.0.4-alpha
 CATEGORIES=    security net
 MASTER_SITES=  http://tor.eff.org/dist/ \
                http://mirror.onionland.org/dist/
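
Review bot: the DISTVERSION line moves to 0.2.0.4-alpha, but the PR description gives the fixed boundary as "versions less than 2.0.4", which drops the leading 0. and the -alpha suffix. The commit log and the VuXML range should name 0.2.0.4-alpha in full so the affected range can be matched against the port's version string.
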
diff -ruN tor-devel.orig/distinfo tor-devel/distinfo
--- tor-devel.orig/distinfo     Tue Aug 14 21:43:32 2007
+++ tor-devel/distinfo  Tue Aug 14 21:57:24 2007
@@ -1,3 +1,3 @@
-MD5 (tor-0.2.0.2-alpha.tar.gz) = 201c472a7e145e7a509755f691e95d3a
-SHA256 (tor-0.2.0.2-alpha.tar.gz) = 478de3c1d5b16e3c8170b141dee0b7e0d53cdacf39ea1085375e8f0a73825e11
-SIZE (tor-0.2.0.2-alpha.tar.gz) = 1285290
+MD5 (tor-0.2.0.4-alpha.tar.gz) = a8b6aae081d76fa40eb3d155cbe3a555
+SHA256 (tor-0.2.0.4-alpha.tar.gz) = 263167e8b4ccc33eff602553af269870ec14ea500025c47f87c7826748c972bb
+SIZE (tor-0.2.0.4-alpha.tar.gz) = 1381893
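
Review bot: the new MD5, SHA256 and SIZE lines are what the fetch is checked against, and the MASTER_SITES in the Makefile are both plain http URLs. Before commit, fetch tor-0.2.0.4-alpha.tar.gz, check it against upstream's detached signature, and regenerate this file with make makesum rather than taking the values from the mail as-is.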

--------------000601080403070204020408--
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: itetcu 
State-Changed-When: Wed Aug 15 09:03:16 UTC 2007 
State-Changed-Why:  
Could you also submit a VuXML entry for it?

http://www.freebsd.org/cgi/query-pr.cgi?pr=115534 
Responsible-Changed-From-To: freebsd-ports-bugs->itetcu 
Responsible-Changed-By: itetcu 
Responsible-Changed-When: Thu Aug 16 10:06:58 UTC 2007 
Responsible-Changed-Why:  
I'll take it. 

State-Changed-From-To: feedback->open 
State-Changed-By: itetcu 
State-Changed-When: Thu Aug 16 10:07:14 UTC 2007 
State-Changed-Why:  
VuXML entry received on private. 


From: bf <bf2006a@yahoo.com>
To: bug-followup@FreeBSD.org, peter.thoenen@yahoo.com
Cc:  
Subject: Re: ports/115534: security/tor-devel
Date: Mon, 20 Aug 2007 20:11:17 -0700 (PDT)

 Since this hasn't seemed to have been put through yet,
 you should probably consider a subsequent update
 (described at
 http://archives.seul.org/or/talk/Aug-2007/msg00187.html
 ):
 
 diff -ru tor-devel.orig/Makefile tor-devel/Makefile
 --- tor-devel.orig/Makefile	Sat Aug 18 18:04:34 2007
 +++ tor-devel/Makefile	Mon Aug 20 22:10:12 2007
 @@ -6,7 +6,7 @@
  #
  
  PORTNAME=	tor
 -DISTVERSION=	0.2.0.2-alpha
 +DISTVERSION=	0.2.0.5-alpha
  CATEGORIES=	security net
  MASTER_SITES=	http://tor.eff.org/dist/ \
  		http://mirror.onionland.org/dist/
 diff -ru tor-devel.orig/distinfo tor-devel/distinfo
 --- tor-devel.orig/distinfo	Sat Aug 18 18:04:34 2007
 +++ tor-devel/distinfo	Mon Aug 20 22:11:59 2007
 @@ -1,3 +1,3 @@
 -MD5 (tor-0.2.0.2-alpha.tar.gz) =
 201c472a7e145e7a509755f691e95d3a
 -SHA256 (tor-0.2.0.2-alpha.tar.gz) =
 478de3c1d5b16e3c8170b141dee0b7e0d53cdacf39ea1085375e8f0a73825e11
 -SIZE (tor-0.2.0.2-alpha.tar.gz) = 1285290
 +MD5 (tor-0.2.0.5-alpha.tar.gz) =
 18f074108569007f2631a6da221906cd
 +SHA256 (tor-0.2.0.5-alpha.tar.gz) =
 564b6c7c3946b00990e3e636614c5168a8bb8f66467a3335c83c53fc46ae49d3
 +SIZE (tor-0.2.0.5-alpha.tar.gz) = 1391817
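
Review bot: the MD5 and SHA256 lines in this hunk have been wrapped by the mail client, so each hash sits on its own line with no leading -, + or space, and the line counts no longer match the @@ -1,3 +1,3 @@ header; patch will reject or misapply it. Resend the diff as an attachment, or have the committer regenerate distinfo with make makesum after bumping DISTVERSION.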
 
 
 
        

From: Peter Thoenen <peter.thoenen@yahoo.com>
To: bug-followup@FreeBSD.org
Cc: bf <bf2006a@yahoo.com>
Subject: Re: ports/115534: security/tor-devel
Date: Mon, 20 Aug 2007 23:20:47 -0400

 Ja was going to wait till it was approved as didn't want to rewrite the
 vuxml entry and am on the road.
 
 Committer: bf's update to my update is approved :)

From: bf <bf2006a@yahoo.com>
To: bug-followup@FreeBSD.org, peter.thoenen@yahoo.com, fk@fabiankeil.de
Cc:  
Subject: Re: ports/115534: security/tor-devel
Date: Mon, 27 Aug 2007 07:11:46 -0700 (PDT)

 ... or (!)
 
 (details at:
 
 http://archives.seul.org/or/talk/Aug-2007/msg00215.html
 
 Looks like we could add a few more mirrors from:
 
 http://tor.eff.org/mirrors.html.en 
 
 and the vidalia port maintainer should look into the
 new version which corrects a security problem ):
 
 diff -ruN tor-devel.orig/Makefile tor-devel/Makefile
 --- tor-devel.orig/Makefile     Sat Aug 18 18:04:34
 2007
 +++ tor-devel/Makefile  Mon Aug 27 09:33:04 2007
 @@ -6,7 +6,7 @@
  #
  
  PORTNAME=      tor
 -DISTVERSION=   0.2.0.2-alpha
 +DISTVERSION=   0.2.0.6-alpha
  CATEGORIES=    security net
  MASTER_SITES=  http://tor.eff.org/dist/ \
                 http://mirror.onionland.org/dist/
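
Review bot: MASTER_SITES appears in this hunk only as unchanged context, still listing the same two sites, although the message proposes adding mirrors from the mirrors page. Either add the new entries to this hunk or leave them for a separate PR, so the security update is not held up by an unrelated change.
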
 diff -ruN tor-devel.orig/distinfo tor-devel/distinfo
 --- tor-devel.orig/distinfo     Sat Aug 18 18:04:34
 2007
 +++ tor-devel/distinfo  Mon Aug 27 09:33:04 2007
 @@ -1,3 +1,3 @@
 -MD5 (tor-0.2.0.2-alpha.tar.gz) =
 201c472a7e145e7a509755f691e95d3a
 -SHA256 (tor-0.2.0.2-alpha.tar.gz) =
 478de3c1d5b16e3c8170b141dee0b7e0d53cdacf39ea1085375e8f0a73825e11
 -SIZE (tor-0.2.0.2-alpha.tar.gz) = 1285290
 +MD5 (tor-0.2.0.6-alpha.tar.gz) =
 7ab2a5a744cb50beb9167f0340f7d7d8
 +SHA256 (tor-0.2.0.6-alpha.tar.gz) =
 f3df9f7427abd551de9075072c0b71c624906aa1f407ae970796e4f98127c6da
 +SIZE (tor-0.2.0.6-alpha.tar.gz) = 1398468
 
 
 
        

From: Peter Thoenen <peter.thoenen@yahoo.com>
To: bug-followup@FreeBSD.org
Cc: bf <bf2006a@yahoo.com>,  fk@fabiankeil.de
Subject: Re: ports/115534: security/tor-devel
Date: Mon, 27 Aug 2007 12:56:49 -0400

 Approved again by me (maintainer) if the committer would ever get around
 to it .. nothing like having a port with a remote hole in it.

From: bf <bf2006a@yahoo.com>
To: bug-followup@FreeBSD.org, peter.thoenen@yahoo.com, itetcu@FreeBSD.org,
  nivo+kw+ports.bfa274@is-root.com
Cc:  
Subject: Re: ports/115534: security/tor-devel
Date: Sat, 22 Sep 2007 00:27:57 -0700 (PDT)

 Due to the recent (and long-overdue) libevent update,
 and another update to tor-devel ("makes bridges work
 again, makes bridge authorities work for the first
 time, fixes two huge performance flaws in hidden
 services, and fixes a variety of minor issues"), the
 patch to upgrade tor-devel should now be (provided
 Peter gives his approval):
 
 diff -ruN tor-devel.orig/Makefile tor-devel/Makefile
 --- tor-devel.orig/Makefile     Sat Sep 22 01:48:05
 2007
 +++ tor-devel/Makefile  Sat Sep 22 03:05:26 2007
 @@ -2,12 +2,12 @@
  # Date created:                               
 2005.10.20
  # Whom:                                       
 peter.thoenen@yahoo.com
  #
 -# $FreeBSD: ports/security/tor-devel/Makefile,v 1.45
 2007/09/21 20:21:29 mnag Exp $
 +# $FreeBSD$
  #
  
  PORTNAME=      tor
 -DISTVERSION=   0.2.0.2-alpha
 -PORTREVISION=  1
 +DISTVERSION=   0.2.0.7-alpha
 +PORTREVISION=  0
  CATEGORIES=    security net
  MASTER_SITES=  http://tor.eff.org/dist/ \
                 http://mirror.onionland.org/dist/
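
Review bot: the added "PORTREVISION=  0" line should be dropped rather than set. When DISTVERSION is bumped the PORTREVISION line is removed from the Makefile, and an explicit 0 is redundant; the committed revision's "+1 -2" for the Makefile is consistent with that. The "# $FreeBSD: ...$" and comment lines at the top are also wrapped by the mailer, so this hunk will not apply as quoted and needs to be resent as an attachment.
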
 diff -ruN tor-devel.orig/distinfo tor-devel/distinfo
 --- tor-devel.orig/distinfo     Sat Sep 22 01:48:05
 2007
 +++ tor-devel/distinfo  Sat Sep 22 02:40:24 2007
 @@ -1,3 +1,3 @@
 -MD5 (tor-0.2.0.2-alpha.tar.gz) =
 201c472a7e145e7a509755f691e95d3a
 -SHA256 (tor-0.2.0.2-alpha.tar.gz) =
 478de3c1d5b16e3c8170b141dee0b7e0d53cdacf39ea1085375e8f0a73825e11
 -SIZE (tor-0.2.0.2-alpha.tar.gz) = 1285290
 +MD5 (tor-0.2.0.7-alpha.tar.gz) =
 3ff9adcfcfc61293020b3816ff564a98
 +SHA256 (tor-0.2.0.7-alpha.tar.gz) =
 7e84c2bcd9eebd55b8d853ee3aad5a95071fa050a19e7649cec191802298104b
 +SIZE (tor-0.2.0.7-alpha.tar.gz) = 1399183
 
 
 Those of you building this port with recent ports
 trees should be aware of the
 net/libevent-->"net/libevnet" blunder (see PR
 ports/116534) which could break the build.  And
 speaking of long overdue, it has now been over a month
 since this PR was filed, and a month-and-a-half since
 the security problem was announced.  I realize that
 many committers have been busy with the 7.0 bughunt,
 xorg 7.3, gnome 2.20, etc. -- not to mention real life
 -- but on the other hand, many other minor updates to
 the ports tree have come and gone since this issue was
 raised, and still there has been no resolution of this
 problem. (And, as far as I can tell, no requests for
 additional information or other explanations to
 justify inaction.)  This PR deals with a known remote
 security hole in a port that exists to provide
 security and privacy, and deserves prompt attention.
 
 bf
 
 
 
 
 

From: bf <bf2006a@yahoo.com>
To: bug-followup@FreeBSD.org, peter.thoenen@yahoo.com, itetcu@FreeBSD.org,
  nivo+kw+ports.bfa274@is-root.com
Cc:  
Subject: Re: ports/115534: security/tor-devel
Date: Sun, 23 Sep 2007 17:09:11 -0700 (PDT)

 Ignore what I wrote about libevent being misplaced: it
 was a mistake on my part, using a partially-synched
 ports tree on a late night...
 
 bf
 
 

From: Peter Thoenen <peter.thoenen@yahoo.com>
To: bf <bf2006a@yahoo.com>
Cc: bug-followup@FreeBSD.org,  itetcu@FreeBSD.org, 
 nivo+kw+ports.bfa274@is-root.com
Subject: Re: ports/115534: security/tor-devel
Date: Mon, 24 Sep 2007 09:20:25 -0400

 I approve this one also
State-Changed-From-To: open->closed 
State-Changed-By: edwin 
State-Changed-When: Tue Sep 25 12:49:46 UTC 2007 
State-Changed-Why:  
Committed, thanks! 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/115534: commit references a PR
Date: Tue, 25 Sep 2007 12:50:25 +0000 (UTC)

 edwin       2007-09-25 12:50:18 UTC
 
   FreeBSD ports repository
 
   Modified files:
     security/tor-devel   Makefile distinfo 
   Log:
   [UPDATE] security/tor-devel
   
           Update to latest release. Suggest all users upgrade as there
           is a remote code exploit in versions less than 2.0.7
   
   PR:             ports/115534
   Submitted by:   Peter Thoenen <peter.thoenen@yahoo.com>
   
   Revision  Changes    Path
   1.46      +1 -2      ports/security/tor-devel/Makefile
   1.32      +3 -3      ports/security/tor-devel/distinfo
 
>Unformatted:
 
