[arch-security] [ASA-201504-7] tor: multiple issues
Arch Linux Security Advisory ASA-201504-7
=========================================

Severity: high
Date    : 2015-04-07
CVE-ID  : CVE-2015-2928 CVE-2015-2929
Package : tor
Type    : multiple issues
Remote  : yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package tor before version 0.2.5.12-1 is vulnerable against multiple issues.

Resolution
==========

Upgrade to 0.2.5.12-1

# pacman -Syu "tor>=0.2.5.12-1"

The problem has been fixed upstream in version 0.2.5.12.

Workaround
==========

None.

Description
===========

CVE-2015-2928
"disgleirio" discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible.

CVE-2015-2929
"DonnchaC" discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors.

Impact
======

An attacker could crash a Tor client or could make a Tor service inaccessible.

References
==========

https://trac.torproject.org/projects/tor/ticket/15600
https://trac.torproject.org/projects/tor/ticket/15601
http://seclists.org/oss-sec/2015/q2/56
participants (1)
-
chris.rebischke@gmail.com