Mageia alert MGASA-2012-0276 (tor)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2012-0276: tor-0.2.2.39-1.mga1 (1/core), tor-0.2.2.39-2.mga2 (2/core)
Date:  Sun, 30 Sep 2012 20:54:49 +0200
Message-ID:  <20120930185449.GA18947@valstar.mageia.org>

MGASA-2012-0276

Date: September 30th, 2012
Affected releases: 1, 2

Description:
Updated tor package fixes security vulnerabilities:

Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by reading this chain and then determining the set of entry guards that the client or bridge had selected (CVE-2011-2768).

Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE and CREATE_FAST values in the Command field of a cell within an OR connection that it initiated, which allows remote relays to enumerate bridges by using these values (CVE-2011-2769).

Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might allow remote attackers to cause a denial of service (daemon crash) via vectors related to failed DNS requests (CVE-2012-3517).

The networkstatus_parse_vote_from_string function in routerparse.c in Tor before 0.2.2.38 does not properly handle an invalid flavor name, which allows remote attackers to cause a denial of service (out-of-bounds read and daemon crash) via a crafted (1) vote document or (2) consensus document (CVE-2012-3518).

routerlist.c in Tor before 0.2.2.38 uses a different amount of time for relay-list iteration depending on which relay is chosen, which might allow remote attackers to obtain sensitive information about relay selection via a timing side-channel attack (CVE-2012-3519).

The compare_tor_addr_to_addr_policy function in or/policies.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a zero-valued port field that is not properly handled during policy comparison (CVE-2012-4419).

Tor before 0.2.2.39, when waiting for a client to renegotiate, allowed it to add bytes to the input buffer, allowing a crash to be caused remotely (tor-5934, tor-6007).
Updated Packages:
Mageia 1: tor-0.2.2.39-1.mga1
Mageia 2: tor-0.2.2.39-2.mga2

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4419
https://blog.torproject.org/blog/tor-02234-released-secur...
https://trac.torproject.org/projects/tor/ticket/5934
https://trac.torproject.org/projects/tor/ticket/6007
https://blog.torproject.org/blog/new-bundles-security-rel...
http://www.debian.org/security/2011/dsa-2331
http://lists.opensuse.org/opensuse-updates/2012-08/msg000...
http://www.debian.org/security/2012/dsa-2548
https://bugs.mageia.org/show_bug.cgi?id=5351
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-...



Copyright © 2013, Eklektix, Inc.