From Mageia wiki

MGASA-2012-0276

Date: September 30th, 2012
Affected releases: 1, 2


Description:
Updated tor package fixes security vulnerabilities:

Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS
certificate chain as part of an outgoing OR connection, which allows
remote relays to bypass intended anonymity properties by reading this
chain and then determining the set of entry guards that the client or
bridge had selected (CVE-2011-2768).

Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE and
CREATE_FAST values in the Command field of a cell within an OR connection
that it initiated, which allows remote relays to enumerate bridges by
using these values (CVE-2011-2769).

Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might allow
remote attackers to cause a denial of service (daemon crash) via vectors
related to failed DNS requests (CVE-2012-3517).

The networkstatus_parse_vote_from_string function in routerparse.c in Tor
before 0.2.2.38 does not properly handle an invalid flavor name, which
allows remote attackers to cause a denial of service (out-of-bounds read
and daemon crash) via a crafted (1) vote document or (2) consensus
document (CVE-2012-3518).

routerlist.c in Tor before 0.2.2.38 uses a different amount of time for
relay-list iteration depending on which relay is chosen, which might
allow remote attackers to obtain sensitive information about relay
selection via a timing side-channel attack (CVE-2012-3519).
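
The timing pattern behind CVE-2012-3519, as an added illustration (not Tor's routerlist.c code or its patch): a weighted pick that stops at the chosen entry, next to one that always walks the whole list. The function names, the step counter and the sample weights are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample weights (not real relay data); they sum to 100. */
static const uint64_t SAMPLE_BW[4] = {10, 20, 30, 40};

/* Pattern of the flaw: stops at the chosen entry, so the number of
 * iterations (*steps) is chosen index + 1 and reveals the result. */
size_t choose_early_exit(const uint64_t *bw, size_t n, uint64_t r, size_t *steps)
{
    uint64_t acc = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        acc += bw[i];
        if (acc > r)
            return i;
    }
    return n - 1;
}

/* Same result, but every entry is always visited; the first crossing of
 * the threshold is recorded with a mask rather than a break. */
size_t choose_full_scan(const uint64_t *bw, size_t n, uint64_t r, size_t *steps)
{
    uint64_t acc = 0;
    size_t chosen = n - 1, found = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        acc += bw[i];
        size_t crossed = (size_t)(acc > r);
        size_t mask = (size_t)0 - (crossed & (found ^ 1)); /* all ones once */
        chosen = (chosen & ~mask) | (i & mask);
        found |= crossed;
    }
    return chosen;
}

int main(void)
{
    for (uint64_t r = 5; r < 100; r += 30) {   /* r = 5, 35, 65, 95 */
        size_t a, b;
        size_t x = choose_early_exit(SAMPLE_BW, 4, r, &a);
        size_t y = choose_full_scan(SAMPLE_BW, 4, r, &b);
        printf("r=%2u early: idx=%zu steps=%zu | full: idx=%zu steps=%zu\n",
               (unsigned)r, x, a, y, b);
    }
    return 0;
}
```

The full-scan variant only fixes the iteration count; whether the compiled comparison is branch-free still depends on the compiler and target.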

The compare_tor_addr_to_addr_policy function in or/policies.c in Tor
before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote attackers
to cause a denial of service (assertion failure and daemon exit) via a
zero-valued port field that is not properly handled during policy
comparison (CVE-2012-4419).

Tor before 0.2.2.39, when waiting for a client to renegotiate, allowed
the client to add bytes to the input buffer, which allowed a crash to be
caused remotely (tor-5934, tor-6007).


Updated Packages:
Mageia 1:
tor-0.2.2.39-1.mga1

Mageia 2:
tor-0.2.2.39-2.mga2


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2768
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2769
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4419
https://blog.torproject.org/blog/tor-02234-released-security-patches
https://trac.torproject.org/projects/tor/ticket/5934
https://trac.torproject.org/projects/tor/ticket/6007
https://blog.torproject.org/blog/new-bundles-security-release
http://www.debian.org/security/2011/dsa-2331
http://lists.opensuse.org/opensuse-updates/2012-08/msg00048.html
http://www.debian.org/security/2012/dsa-2548
https://bugs.mageia.org/show_bug.cgi?id=5351