Justin Conover wrote:
> Not sure if this should be in bugzilla or where.

Yeah, bugzilla is generally the best place for this sort of thing. For security problems, it's also worth checking the fedora-security module in CVS to see if the problem is known. In this case it is:

http://cvs.fedora.redhat.com/viewcvs/fedora-security/audit/fc7?root=fedora&view=markup

The line:

    CVE-2007-4174 VULNERABLE (tor, fixed 0.1.2.16)

indicates that the version in the repository is known to be vulnerable and that the issue was fixed in upstream release 0.1.2.16.

I also checked in the F7 update manager, Bodhi, and I see that tor-0.1.2.16-1.fc7 was submitted on 2007-08-02. For some reason the update is marked as pending still (as are 0.1.2.14 and 0.1.2.15). Something seems amiss there.

You can find the updated packages in the F7 build system (though they are unsigned, FYI):

http://koji.fedoraproject.org/koji/buildinfo?buildID=12656

I'll ask on fedora-maintainers if there's a reason for the tor updates not being pushed for weeks and weeks.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Between two evils, I always pick the one I never tried before.
    -- Mae West
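The check described in the message above, as an added example that is not part of the original post or of any Fedora tooling: it parses audit lines of the one shape quoted there and reports packages whose installed version is older than the listed fix. The function names, the installed version `0.1.2.13`, and the simplified dotted-version ordering (not rpm's own comparison) are assumptions made for illustration.

```python
import re

# Matches only the audit-line shape quoted in the message:
#   CVE-2007-4174 VULNERABLE (tor, fixed 0.1.2.16)
AUDIT_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+VULNERABLE\s+"
    r"\((?P<pkg>[^,\s]+),\s*fixed\s+(?P<fixed>[^\s)]+)\)$"
)

def version_key(version):
    """Order dotted versions numerically, so 0.1.2.9 sorts before 0.1.2.16.
    Simplification: this is not rpm's version comparison algorithm."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in version.split("."))

def parse_audit(text):
    """Return one dict (cve, pkg, fixed) per recognised audit line."""
    entries = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def still_exposed(audit_text, installed):
    """Return (cve, pkg, installed, fixed) where installed is older than the fix."""
    findings = []
    for e in parse_audit(audit_text):
        have = installed.get(e["pkg"])
        if have is not None and version_key(have) < version_key(e["fixed"]):
            findings.append((e["cve"], e["pkg"], have, e["fixed"]))
    return findings

# The audit line is the one quoted in the message.
SAMPLE_AUDIT = "CVE-2007-4174 VULNERABLE (tor, fixed 0.1.2.16)\n"
# Constructed: the message does not state the version in the repository.
SAMPLE_INSTALLED = {"tor": "0.1.2.13"}

if __name__ == "__main__":
    for cve, pkg, have, fixed in still_exposed(SAMPLE_AUDIT, SAMPLE_INSTALLED):
        print(f"{pkg} {have} is affected by {cve}; fixed in {fixed}")
```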