Debian DSA-2993-1 Critical: Tor Information Leak Security Advisory
debian
July 31, 2014
Several issues have been discovered in Tor, a connection-based low-latency anonymous communication system, resulting in information leaks
Summary
o Relay-early cells could be used by colluding relays on the network to
tag user circuits and so deploy traffic confirmation attacks
[CVE-2014-5117]. The updated version emits a warning and drops the
circuit upon receiving inbound relay-early cells, preventing this
specific kind of attack. Please consult the following advisory for
more details about this issue:
https://blog.torproject.org/tor-security-advisory-relay-early-traffic-confirmation-attack/
o A bug in the bounds-checking in the 32-bit curve25519-donna
implementation could cause incorrect results on 32-bit
implementations when certain malformed inputs were used along with a
small class of private ntor keys. This flaw does not currently
appear to allow an attacker to learn private keys or impersonate a
Tor server, but it could provide a means to distinguish 32-bit Tor
implementations from 64-bit Tor implementations.
The following additional security-related improvements have been
implemented:
o As...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: tor
CVE ID: CVE-2014-5117
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!