Debian: DSA-2993-1: tor security update

    Date: 31 Jul 2014
    Category: Debian
    Posted By: LinuxSecurity Advisories
    Several issues have been discovered in Tor, a connection-based low-latency anonymous communication system, resulting in information leaks.
    
    -------------------------------------------------------------------------
    Debian Security Advisory DSA-2993-1
    http://www.debian.org/security/                           Peter Palfrader
    July 31, 2014                          http://www.debian.org/security/faq
    -------------------------------------------------------------------------
    
    Package        : tor
    CVE ID         : CVE-2014-5117
    
    Several issues have been discovered in Tor, a connection-based
    low-latency anonymous communication system, resulting in information
    leaks.
    
    o  Relay-early cells could be used by colluding relays on the network to
       tag user circuits and so deploy traffic confirmation attacks
       [CVE-2014-5117].  The updated version emits a warning and drops the
       circuit upon receiving inbound relay-early cells, preventing this
       specific kind of attack.  Please consult the following advisory for
       more details about this issue:
    
         https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack
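As an added illustration (not Tor's code and not part of the advisory), a small Python model of the two RELAY_EARLY rules: the client-side check this update introduces, which warns and closes the circuit on any inbound RELAY_EARLY cell, and the pre-existing tor-spec cap of 8 RELAY_EARLY cells per circuit on the relay side. The cell layout follows tor-spec for link protocol 4 (4-byte circuit id, 1-byte command, 509-byte payload); the class and function names and the sample cells are constructed for this example.

```python
import logging
import struct

CELL_LEN = 514         # link protocol >= 4: 4-byte circ_id, 1-byte command, 509-byte payload
CMD_RELAY = 3
CMD_RELAY_EARLY = 9
MAX_RELAY_EARLY = 8    # tor-spec cap on RELAY_EARLY cells a relay accepts per circuit
log = logging.getLogger("relay_early")

def parse_cell(raw):
    """Split a fixed-size cell into (circ_id, command, payload)."""
    if len(raw) != CELL_LEN:
        raise ValueError("bad cell length %d" % len(raw))
    circ_id, command = struct.unpack("!IB", raw[:5])
    return circ_id, command, raw[5:]

def build_cell(circ_id, command, payload=b""):
    """Construct a fixed-size cell; used only to make constructed sample traffic."""
    return struct.pack("!IB", circ_id, command) + payload.ljust(CELL_LEN - 5, b"\x00")

class OriginCircuit:
    """Client end of a circuit (hypothetical model). Clients send RELAY_EARLY for
    EXTEND but never legitimately receive it, so an inbound one closes the circuit."""
    def __init__(self, circ_id):
        self.circ_id, self.open = circ_id, True
    def handle_inbound(self, raw):
        circ_id, command, _ = parse_cell(raw)
        if command == CMD_RELAY_EARLY:
            log.warning("circ %d: inbound RELAY_EARLY cell, closing circuit", circ_id)
            self.open = False
            return "dropped"
        return "accepted"

class RelayCircuit:
    """Relay end (hypothetical model): outbound RELAY_EARLY is legitimate, but the
    relay stops forwarding the circuit once the per-circuit cap is exceeded."""
    def __init__(self):
        self.relay_early_seen, self.open = 0, True
    def handle_outbound(self, raw):
        circ_id, command, _ = parse_cell(raw)
        if command == CMD_RELAY_EARLY:
            self.relay_early_seen += 1
            if self.relay_early_seen > MAX_RELAY_EARLY:
                log.warning("circ %d: too many RELAY_EARLY cells, closing", circ_id)
                self.open = False
                return "dropped"
        return "accepted"
```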
    
    o  A bug in the bounds-checking in the 32-bit curve25519-donna
       implementation could cause incorrect results on 32-bit
       implementations when certain malformed inputs were used along with a
       small class of private ntor keys.  This flaw does not currently
       appear to allow an attacker to learn private keys or impersonate a
       Tor server, but it could provide a means to distinguish 32-bit Tor
       implementations from 64-bit Tor implementations.
    
    The following additional security-related improvements have been
    implemented:
    
    o  As a client, the new version will effectively stop using CREATE_FAST
       cells.  While this adds computational load on the network, this
       approach can improve security on connections where Tor's circuit
       handshake is stronger than the available TLS connection security
       levels.
    
    o  Prepare clients to use fewer entry guards by honoring the consensus
       parameters.  The following article provides some background:
    
         https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
    
    For the stable distribution (wheezy), these problems have been fixed in
    version 0.2.4.23-1~deb7u1.
    
    For the testing distribution (jessie) and the unstable distribution
    (sid), these problems have been fixed in version 0.2.4.23-1.
    
    For the experimental distribution, these problems have been fixed in
    version 0.2.5.6-alpha-1.
    
    We recommend that you upgrade your tor packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    
    