Executive Summary
| Summary | |
|---|---|
| Title | tor security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-2331 | First vendor Publication | 2011-10-28 |
| Vendor | Debian | Last vendor Modification | 2011-10-28 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 5.8 | Attack Range | Network |
| Cvss Impact Score | 4.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| It has been discovered by "frosty_un" that a design flaw in Tor, an online privacy tool, allows malicious relay servers to learn certain information that they should not be able to learn. Specifically, a relay that a user connects to directly could learn which other relays that user is connected to directly. In combination with other attacks, this issue can lead to deanonymizing the user. The Common Vulnerabilities and Exposures project has assigned CVE-2011-2768 to this issue. In addition to fixing the above mentioned issues, the updates to oldstable and stable fix a number of less critical issues (CVE-2011-2769). Please see this posting from the Tor blog for more information: https://blog.torproject.org/blog/tor-02234-released-security-patches For the oldstable distribution (lenny), this problem has been fixed in version 0.2.1.31-1~lenny+1. Due to technical limitations in the Debian archive scripts, the update cannot be released synchronously with the packages for stable. It will be released shortly. For the stable distribution (squeeze), this problem has been fixed in version 0.2.1.31-1. For the unstable and testing distributions, this problem has been fixed in version 0.2.2.34-1. For the experimental distribution, this problem have has fixed in version 0.2.3.6-alpha-1. We recommend that you upgrade your tor packages. |
Original Source
| Url : http://www.debian.org/security/2011/dsa-2331 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-264 | Permissions, Privileges, and Access Controls |
| 50 % | CWE-200 | Information Exposure |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:14939 | |||
| Oval ID: | oval:org.mitre.oval:def:14939 | ||
| Title: | DSA-2331-1 tor -- several | ||
| Description: | It has been discovered by "frosty_un" that a design flaw in Tor, an online privacy tool, allows malicious relay servers to learn certain information that they should not be able to learn. Specifically, a relay that a user connects to directly could learn which other relays that user is connected to directly. In combination with other attacks, this issue can lead to deanonymizing the user. The Common Vulnerabilities and Exposures project has assigned CVE-2011-2768 to this issue. In addition to fixing the above mentioned issues, the updates to oldstable and stable fix a number of less critical issues. Please see this posting from the Tor blog for more information: https://blog.torproject.org/blog/tor-02234-released-security-patches | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-2331-1 CVE-2011-2768 CVE-2011-2769 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | tor |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-04-02 | Name : Fedora Update for tor FEDORA-2011-17248 File : nvt/gb_fedora_2011_17248_tor_fc16.nasl |
| 2012-03-19 | Name : Fedora Update for tor FEDORA-2011-15208 File : nvt/gb_fedora_2011_15208_tor_fc16.nasl |
| 2012-02-12 | Name : Gentoo Security Advisory GLSA 201201-12 (Tor) File : nvt/glsa_201201_12.nasl |
| 2012-02-11 | Name : Debian Security Advisory DSA 2331-1 (tor) File : nvt/deb_2331_1.nasl |
| 2011-11-08 | Name : Fedora Update for tor FEDORA-2011-15117 File : nvt/gb_fedora_2011_15117_tor_fc15.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 76630 | Tor TLS Certificate Reuse Direct DirPort Connection User Identification Weakness |
| 76629 | Tor TLS Certificate Reuse Outgoing OR Connection User Identification Weakness |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-04-20 | Name : The remote Mandriva Linux host is missing a security update. File : mandriva_MDVSA-2013-132.nasl - Type : ACT_GATHER_INFO |
| 2012-01-24 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201201-12.nasl - Type : ACT_GATHER_INFO |
| 2012-01-11 | Name : The remote Fedora host is missing a security update. File : fedora_2011-17248.nasl - Type : ACT_GATHER_INFO |
| 2011-11-14 | Name : The remote Fedora host is missing a security update. File : fedora_2011-15208.nasl - Type : ACT_GATHER_INFO |
| 2011-11-07 | Name : The remote Fedora host is missing a security update. File : fedora_2011-15117.nasl - Type : ACT_GATHER_INFO |
| 2011-10-31 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2331.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:30:31 |
|
