LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Little things that matter in language design

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

tor: multiple vulnerabilities

Package(s):tor CVE #(s):CVE-2008-5397 CVE-2008-5398 CVE-2009-0414 CVE-2009-0939 CVE-2009-0936 CVE-2009-0937 CVE-2009-0938
Created:April 9, 2009 Updated:April 15, 2009
Description: Tor has a number of vulnerabilities. From the Gentoo alert:

* Theo de Raadt reported that the application does not properly drop privileges to the primary groups of the user specified via the "User" configuration option (CVE-2008-5397).

* rovv reported that the "ClientDNSRejectInternalAddresses" configuration option is not always enforced (CVE-2008-5398).

* Ilja van Sprundel reported a heap-corruption vulnerability that might be remotely triggerable on some platforms (CVE-2009-0414).

* It has been reported that incomplete IPv4 addresses are treated as valid, violating the specification (CVE-2009-0939).

* Three unspecified vulnerabilities have also been reported (CVE-2009-0936, CVE-2009-0937, CVE-2009-0938).

Alerts:
Gentoo 200904-11 2009-04-08
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds