[arch-security] [ASA-201707-8] tor: session hijacking
Arch Linux Security Advisory ASA-201707-8 ========================================= Severity: Medium Date : 2017-07-11 CVE-ID : CVE-2017-0377 Package : tor Type : session hijacking Remote : Yes Link : https://security.archlinux.org/AVG-336 Summary ======= The package tor before version 0.3.0.9-1 is vulnerable to session hijacking. Resolution ========== Upgrade to 0.3.0.9-1. # pacman -Syu "tor>=0.3.0.9-1" The problem has been fixed upstream in version 0.3.0.9. Workaround ========== None. Description =========== A security issue has been found in Tor <= 0.3.0.8, which could make it easier to eavesdrop on Tor users' traffic. When choosing which guard to use for a circuit, Tor avoids using a node that is in the same family that the exit node it selected, but this check was accidentally removed in 0.3.0. Impact ====== An attacker might be able to eavesdrop on Tor users' traffic by getting in a position to analyze both the incoming and outgoing traffic of a circuit. References ========== https://blog.torproject.org/blog/tor-0309-released-security-update-clients https://trac.torproject.org/projects/tor/ticket/22753 https://github.com/torproject/tor/commit/665baf5ed5c6186d973c46cdea165c05480... https://security.archlinux.org/CVE-2017-0377
participants (1)
-
Remi Gacogne