Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201707-8 ======================================== Severity: Medium Date : 2017-07-11 CVE-ID : CVE-2017-0377 Package : tor Type : session hijacking Remote : Yes Link : https://security.archlinux.org/AVG-336 Summary ====== The package tor before version 0.3.0.9-1 is vulnerable to session hijacking. Resolution ========= Upgrade to 0.3.0.9-1. # pacman -Syu "tor>=0.3.0.9-1" The problem has been fixed upstream in version 0.3.0.9. Workaround ========= None. Description ========== A security issue has been found in Tor <= 0.3.0.8, which could make it easier to eavesdrop on Tor users' traffic. When choosing which guard to use for a circuit, Tor avoids using a node that is in the same family that the exit node it selected, but this check was accidentally removed in 0.3.0. Impact ===== An attacker might be able to eavesdrop on Tor users' traffic by getting in a position to analyze both the incoming and outgoing traffic of a circuit. References ========= https://blog.torproject.org/tor-0309-released-security-update-clients/ https://gitlab.torproject.org/legacy/trac/-/issues/22753 https://github.com/torproject/tor/commit/665baf5ed5c6186d973c46cdea165c0548027350 https://security.archlinux.org/CVE-2017-0377