1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 2993-1] tor security update

    From Salvatore Bonaccorso@1:229/2 to All on Thu Jul 31 12:40:02 2014
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-2993-1 [email protected] http://www.debian.org/security/ Peter Palfrader
    July 31, 2014 http://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : tor
    CVE ID : CVE-2014-5117

    Several issues have been discovered in Tor, a connection-based
    low-latency anonymous communication system, resulting in information
    leaks.

    o Relay-early cells could be used by colluding relays on the network to
    tag user circuits and so deploy traffic confirmation attacks
    [CVE-2014-5117]. The updated version emits a warning and drops the
    circuit upon receiving inbound relay-early cells, preventing this
    specific kind of attack. Please consult the following advisory for
    more details about this issue:

    https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

    o A bug in the bounds-checking in the 32-bit curve25519-donna
    implementation could cause incorrect results on 32-bit
    implementations when certain malformed inputs were used along with a
    small class of private ntor keys. This flaw does not currently
    appear to allow an attacker to learn private keys or impersonate a
    Tor server, but it could provide a means to distinguish 32-bit Tor
    implementations from 64-bit Tor implementations.

    The following additional security-related improvements have been
    implemented:

    o As a client, the new version will effectively stop using CREATE_FAST
    cells. While this adds computational load on the network, this
    approach can improve security on connections where Tor's circuit
    handshake is stronger than the available TLS connection security
    levels.

    o Prepare clients to use fewer entry guards by honoring the consensus
    parameters. The following article provides some background:

    https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters

    For the stable distribution (wheezy), these problems have been fixed in
    version 0.2.4.23-1~deb7u1.

    For the testing distribution (jessie) and the unstable distribution
    (sid), these problems have been fixed in version 0.2.4.23-1.

    For the experimental distribution, these problems have been fixed in
    version 0.2.5.6-alpha-1.

    We recommend that you upgrade your tor packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1

    iQIcBAEBCgAGBQJT2ht+AAoJEAVMuPMTQ89EtFgP/3AWMfTTOxdZn046F/QemXPl zuDTBhfllKc2s0UXOV63/yjfqr0oa703a/EhWIwZttc9NTi03NY9iKEwNeB+HUCN b3hENNISFdVp5i11pmbExSTGhfmgBLMPXXJAKbj5Zz1wsUr4SKJpsI0caaBXOOYp mTOHy0iKvT8RnpBiR0v2pXcCAQEqPy/7j99npO8SDwlOIcG7bmePc+L6YsHT99gh shNxnnjQIqO45rVHkqVCJc7uEx5k3i3rq0nDQnTrbiZI4G2zOJi7XfteJlCzl0vc XUt/7cTQeKyIRnNhRE09BctSs+bygCOJXY94iBoOc3eTxGeMoLcORRGZ8R1Jae99 cj8cfT3rH/SP1uWON071I9awwhXaC0nwHtkejAiA6S51rZBaUnQqCFEHp/D3ku7V NZ8Iux1JYkuXFYyU/FgFouRpbyt3ApITgKFjCySZmH0Kcm7C78gUuHyXhgvQfhdw MG9DvNIMlRKNAOXlBA9ZUSNpz1YzHRrv0KpwPnlaKSMwvuuuzhfXqFUzbEFLjbkL pPx0goe/BAmdRDKD0to4JhnpzRh71HtZwIOwJWQpqQ/p2IN0s7C5hrfk+g+Bh5kl fQBUnE18ZJC9ytQlUkYUd0Isc6HfmSQn3C2KA8pDV5jXn4tCMe9u2kfsB10uAPiY K/PnpW3fw41iiJPdYDZI
    =+/Vb
    -----END PGP SIGNATURE-----


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: https://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)