Executive Summary
Summary

| Field | Value |
|---|---|
| Title | tor security update |

Information

| Field | Value | Field | Value |
|---|---|---|---|
| Name | DSA-2993 | First vendor publication | 2014-07-31 |
| Vendor | Debian | Last vendor modification | 2014-07-31 |
| Severity (vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
CVSS vector: N/A (no CVSS v3 vector has been assigned to this advisory)

| Metric | Value | Metric | Value |
|---|---|---|---|
| Overall CVSS score | NA | | |
| Base score | NA | Environmental score | NA |
| Impact subscore | NA | Temporal score | NA |
| Exploitability subscore | NA | | |
Security-Database Scoring CVSS v2
CVSS vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

| Metric | Value | Metric | Value |
|---|---|---|---|
| CVSS base score | 5.8 | Attack range | Network |
| CVSS impact score | 4.9 | Attack complexity | Medium |
| CVSS exploit score | 8.6 | Authentication | None required |
Detail
Several issues have been discovered in Tor, a connection-based low-latency anonymous communication system, resulting in information leaks.

- Relay-early cells could be used by colluding relays on the network to tag user circuits and so deploy traffic confirmation attacks [CVE-2014-5117]. The updated version emits a warning and drops the circuit upon receiving inbound relay-early cells, preventing this specific kind of attack. Please consult the following advisory for more details about this issue: https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

- A bug in the bounds-checking in the 32-bit curve25519-donna implementation could cause incorrect results on 32-bit implementations when certain malformed inputs were used along with a small class of private ntor keys. This flaw does not currently appear to allow an attacker to learn private keys or impersonate a Tor server, but it could provide a means to distinguish 32-bit Tor implementations from 64-bit Tor implementations.

The following additional security-related improvements have been implemented:

- As a client, the new version will effectively stop using CREATE_FAST cells. While this adds computational load on the network, this approach can improve security on connections where Tor's circuit handshake is stronger than the available TLS connection security levels.

- Prepare clients to use fewer entry guards by honoring the consensus parameters. The following article provides some background: https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters

For the stable distribution (wheezy), these problems have been fixed in version 0.2.4.23-1~deb7u1.

For the testing distribution (jessie) and the unstable distribution (sid), these problems have been fixed in version 0.2.4.23-1.

For the experimental distribution, these problems have been fixed in version 0.2.5.6-alpha-1.

We recommend that you upgrade your tor packages.
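The relay-early fix is a one-line policy change at the client, and it is easiest to see as code. The Python below is an added example, not code from Tor or from the Debian advisory: it models a client's view of one circuit as a stream of cell command values and contrasts the two behaviours the advisory describes, a pre-0.2.4.23 client that accepts RELAY_EARLY cells arriving from the network and a fixed client that logs a warning and tears the circuit down at the first one. The command values (RELAY = 3, RELAY_EARLY = 9) and the cap of 8 outbound RELAY_EARLY cells per circuit are from tor-spec; the tagged cell sequence, the `Circuit` class and the function names are constructed for this illustration, and the model simplifies by counting no further cells once the client has closed the circuit.

```python
"""Client-side handling of inbound RELAY_EARLY cells (added example, not Tor code)."""
from dataclasses import dataclass, field

# Cell command values from tor-spec. RELAY_EARLY exists so relays can bound
# how far a circuit is extended; a client only ever emits it outbound, so an
# inbound RELAY_EARLY is, at best, a relay misbehaving.
RELAY = 3
RELAY_EARLY = 9

# tor-spec caps the number of RELAY_EARLY cells a client may send per circuit.
MAX_RELAY_EARLY_OUTBOUND = 8


@dataclass
class Circuit:
    circ_id: int
    is_open: bool = True
    relay_early_sent: int = 0
    log: list = field(default_factory=list)


def send_extend(circ):
    """Client wraps an EXTEND in RELAY_EARLY; returns the command used, or None
    once the per-circuit cap is exhausted (a well-behaved client stops here)."""
    if not circ.is_open or circ.relay_early_sent >= MAX_RELAY_EARLY_OUTBOUND:
        return None
    circ.relay_early_sent += 1
    return RELAY_EARLY


def receive_inbound(circ, command, drop_inbound_relay_early=True):
    """Handle one cell arriving at the client on this circuit.

    Returns True if the cell is accepted, False if the circuit is (now) closed.
    With drop_inbound_relay_early=True this is the 0.2.4.23 behaviour: warn
    and destroy the circuit on the first inbound RELAY_EARLY cell."""
    if not circ.is_open:
        return False
    if command == RELAY_EARLY and drop_inbound_relay_early:
        circ.log.append(
            f"[warn] circ {circ.circ_id}: received inbound RELAY_EARLY cell; "
            "closing circuit (possible traffic confirmation attempt)"
        )
        circ.is_open = False
        return False
    return True


def process_inbound(circ, commands, drop_inbound_relay_early=True):
    """Feed a stream of inbound cells; return how many were accepted before
    the circuit closed (all of them if it never closed)."""
    accepted = 0
    for cmd in commands:
        if not receive_inbound(circ, cmd, drop_inbound_relay_early):
            break
        accepted += 1
    return accepted


def observed_signal(commands, accepted):
    """The command byte of each cell is not onion-encrypted, so a colluding
    guard can read the RELAY / RELAY_EARLY pattern of every cell that was
    actually delivered on the circuit. Returns that pattern as R/E symbols."""
    return ["E" if cmd == RELAY_EARLY else "R" for cmd in commands[:accepted]]


# Constructed example of a far-end relay "tagging" a circuit by choosing the
# command type of each cell it sends back toward the client.
TAGGED_STREAM = [RELAY, RELAY_EARLY, RELAY_EARLY, RELAY, RELAY_EARLY, RELAY, RELAY, RELAY_EARLY]


if __name__ == "__main__":
    old = Circuit(circ_id=1)
    n_old = process_inbound(old, TAGGED_STREAM, drop_inbound_relay_early=False)
    print("pre-fix client accepted", n_old, "cells; guard sees", "".join(observed_signal(TAGGED_STREAM, n_old)))
    new = Circuit(circ_id=2)
    n_new = process_inbound(new, TAGGED_STREAM)
    print("fixed client accepted", n_new, "cell(s); guard sees", "".join(observed_signal(TAGGED_STREAM, n_new)))
    print(new.log[0])
```

The pre-fix client lets the whole eight-cell pattern through, so the guard end of the collusion reads the full tag; the fixed client kills the circuit on the first RELAY_EARLY, leaving the attacker with the single fact that a circuit was destroyed rather than a multi-cell channel. The same check is the one a relay operator can look for in a client's logs after upgrading: the warning fires only on inbound RELAY_EARLY cells, never on the client's own outbound ones, which remain capped at eight.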
Original Source
URL: http://www.debian.org/security/2014/dsa-2993
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:26058

| Field | Value | Field | Value |
|---|---|---|---|
| Oval ID | oval:org.mitre.oval:def:26058 | | |
| Title | DSA-2993-1 -- tor - security update | | |
| Description | Several issues have been discovered in Tor, a connection-based low-latency anonymous communication system, resulting in information leaks. | | |
| Family | unix | Class | patch |
| Reference(s) | DSA-2993-1, CVE-2014-5117 | Version | 5 |
| Platform(s) | Debian GNU/Linux 7, Debian GNU/kFreeBSD 7 | Product(s) | tor |
Nessus® Vulnerability Scanner
| Date | Name | File | Type |
|---|---|---|---|
| 2014-08-15 | The remote Fedora host is missing a security update. | fedora_2014-9073.nasl | ACT_GATHER_INFO |
| 2014-08-15 | The remote Fedora host is missing a security update. | fedora_2014-9082.nasl | ACT_GATHER_INFO |
| 2014-08-12 | The remote openSUSE host is missing a security update. | openSUSE-2014-492.nasl | ACT_GATHER_INFO |
| 2014-08-07 | The remote Mandriva Linux host is missing a security update. | mandriva_MDVSA-2014-150.nasl | ACT_GATHER_INFO |
| 2014-08-01 | The remote Debian host is missing a security-related update. | debian_DSA-2993.nasl | ACT_GATHER_INFO |
| 2014-07-31 | The remote FreeBSD host is missing one or more security-related updates. | freebsd_pkg_31c09848182911e4bf0460a44c524f57.nasl | ACT_GATHER_INFO |
Alert History
Revision timestamps:

- 2014-08-04 21:29:26
- 2014-08-02 13:24:24
- 2014-07-31 21:28:29
- 2014-07-31 13:22:06