Requesting Tor packages SRU micro version update exception

Marc Deslauriers marc.deslauriers at canonical.com
Wed Jul 29 11:41:36 UTC 2015 

Hi Chuck,

On 2015-07-17 05:56 PM, Chuck Peters wrote:
> 
> I am requesting "SRU micro version update exception" for Tor packages.  Tor packages with security fixes appear to be maintained upstream at TorProject.org and Debian.  Most of the time I think the Debian packages will resolve the Ubuntu security issues.  However because of the timing of the release cycles of Debian and Ubuntu, backporting a TorProject.org package could occasionally be used to resolve the issue.  
> 
> Justification:
> It appears that Tor never receives any security updates, or at least it hasn't since 2012.
> http://people.canonical.com/~ubuntu-security/cve/pkg/tor.html
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tor
> http://packages.ubuntu.com/search?keywords=tor&searchon=names&suite=all&section=all
> https://packages.debian.org/search?keywords=tor&searchon=names&suite=all&section=all
> 
> According to the Security Team wiki [1] the "MOTU Swat team is responsible for helping to coordinate community supported updates in Ubuntu".  Six days ago I emailed all members of the MOTU Swat team (one team members email bounced) about the issue and no one replied.  
> 
> The primary reason the Tor network exists is provide people a way to improve their "privacy and security on the Internet." [2]
> 
> Thanks,
> Chuck
> 
> PS.  
> The number of CVE issues for each of the supported Ubuntu releases.
> 
> Precise: 14
> Trusty: 5
> Utopic: 4
> Vivid: 4
> 
> Instructions on installing the TorProject.org packages: https://www.torproject.org/docs/debian.html.en
> 
> Debian squeeze-lts is understaffed to maintain all of the security issues, and it has been updated with tor 0.2.4.27-1~deb6u1.
> 
> I backported the unmodified Debian packages and uploaded them to my PPA. https://launchpad.net/~cp/+archive/ubuntu/bug-fixes/
> 
> 1. https://wiki.ubuntu.com/SecurityTeam
> 2. https://www.torproject.org/about/overview.html.en
> 

Due to the nature of Tor, I believe the risk exposed by using Tor packages that
are insecure and don't contain the latest improvements far surpasses the risk of
possibly introducing regressions by updating to a latest version.

For that reason, a bug +1 from me.

I will add Tor to the wiki page containing the list of micro-release exceptions.

Thanks!

Marc.

More information about the technical-board mailing list