Executive Summary
| Summary | |
|---|---|
| Title | Security update for tor |
| Informations | |||
|---|---|---|---|
| Name | DSA-2148 | First vendor Publication | 2011-01-17 |
| Vendor | Debian | Last vendor Modification | 2011-01-17 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6.8 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| The developers of Tor, an anonymizing overlay network for TCP, found three security issues during a security audit. A heap overflow allowed the execution of arbitrary code (CVE-2011-0427), a denial of service vulnerability was found in the zlib compression handling and some key memory was incorrectly zeroed out before being freed. The latter two issues do not yet have CVE identifiers assigned. The Debian Security Tracker will be updated once they're available: http://security-tracker.debian.org/tracker/source-package/tor For the stable distribution (lenny), this problem has been fixed in version 0.2.1.29-1~lenny+1. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 0.2.1.29-1. For the experimental distribution, this problem has been fixed in version 0.2.2.21-alpha-1. We recommend that you upgrade your tor packages. |
Original Source
| Url : http://www.debian.org/security/2011/dsa-2148 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 33 % | CWE-399 | Resource Management Errors |
| 33 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
| 33 % | CWE-20 | Improper Input Validation |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:12522 | |||
| Oval ID: | oval:org.mitre.oval:def:12522 | ||
| Title: | DSA-2148-1 tor -- several | ||
| Description: | The developers of Tor, an anonymizing overlay network for TCP, found three security issues during a security audit. A heap overflow allowed the execution of arbitrary code, a denial of service vulnerability was found in the zlib compression handling and some key memory was incorrectly zeroed out before being freed. The latter two issues do not yet have CVE identifiers assigned | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2148-1 CVE-2011-0427 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | tor |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-02-12 | Name : Gentoo Security Advisory GLSA 201110-13 (Tor) File : nvt/glsa_201110_13.nasl |
| 2011-06-10 | Name : Fedora Update for tor FEDORA-2011-0650 File : nvt/gb_fedora_2011_0650_tor_fc13.nasl |
| 2011-06-10 | Name : Fedora Update for tor FEDORA-2011-7972 File : nvt/gb_fedora_2011_7972_tor_fc14.nasl |
| 2011-05-17 | Name : Fedora Update for tor FEDORA-2011-0642 File : nvt/gb_fedora_2011_0642_tor_fc14.nasl |
| 2011-03-07 | Name : Debian Security Advisory DSA 2148-1 (tor) File : nvt/deb_2148_1.nasl |
| 2011-01-24 | Name : FreeBSD Ports: tor File : nvt/freebsd_tor5.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 70525 | Tor Unspecified Remote Overflow DoS Tor is prone to an overflow condition. The program fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. This may allow a remote attacker to cause a denial of service, or possibly execute arbitrary code. |
| 70524 | Tor Key Data Management Local Memory Disclosure Tor contains a flaw that may lead to an unauthorized information disclosure. Â The issue is triggered when the program fails to properly manage key data in memory, which will disclose sensitive key information to a local attacker who reads memory that was previously used by a different process. |
| 70522 | Tor zlib Compression Factor Handling Remote DoS Tor contains a flaw that may allow a remote denial of service. The issue is triggered when the program fails to properly check the amount of compression in zlib-compressed data, allowing a remote attacker to use crafted compressed data to cause a denial of service. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2011-10-19 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201110-13.nasl - Type : ACT_GATHER_INFO |
| 2011-06-09 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0650.nasl - Type : ACT_GATHER_INFO |
| 2011-06-07 | Name : The remote Fedora host is missing a security update. File : fedora_2011-7972.nasl - Type : ACT_GATHER_INFO |
| 2011-05-16 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0642.nasl - Type : ACT_GATHER_INFO |
| 2011-01-18 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2148.nasl - Type : ACT_GATHER_INFO |
| 2011-01-18 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_38bdf10e229311e0bfa4001676740879.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:29:49 |
|
