[arch-security] [ASA-201504-7] tor: multiple issues
chris.rebischke at gmail.com
Tue Apr 7 05:54:44 UTC 2015
Arch Linux Security Advisory ASA-201504-7
=========================================
Severity: high
Date    : 2015-04-07
CVE-ID  : CVE-2015-2928 CVE-2015-2929
Package : tor
Type    : multiple issues
Remote  : yes
Link    : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package tor before version 0.2.5.12-1 is vulnerable to
multiple issues.
Resolution
==========
Upgrade to 0.2.5.12-1
# pacman -Syu "tor>=0.2.5.12-1"
The problem has been fixed upstream in version 0.2.5.12.
Workaround
==========
None.
Description
===========
CVE-2015-2928
"disgleirio" discovered that a malicious client could trigger an
assertion failure in a Tor instance providing a hidden service,
thus rendering the service inaccessible.
CVE-2015-2929
"DonnchaC" discovered that Tor clients would crash with an
assertion failure upon parsing specially crafted hidden service
descriptors.
Impact
======
An attacker could crash a Tor client or could make a Tor service
inaccessible.
References
==========
https://trac.torproject.org/projects/tor/ticket/15600
https://trac.torproject.org/projects/tor/ticket/15601
http://seclists.org/oss-sec/2015/q2/56