openSUSE Security Update: Security update for tor
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2020:1970-1
Rating:             important
References:         #1164275 #1167013 #1167014 #1173979 #1178741 
                    
Cross-References:   CVE-2020-10592 CVE-2020-10593 CVE-2020-15572
                   
Affected Products:
                    SUSE Package Hub for SUSE Linux Enterprise 12
______________________________________________________________________________

   An update that solves three vulnerabilities and has two
   fixes is now available.

Description:

   This update for tor fixes the following issues:

   Updating tor to a newer version in the respective codestream.

   - tor 0.3.5.12:
     * Check channels+circuits on relays more thoroughly (TROVE-2020-005,
       boo#1178741)
     * Not affected by out-of-bound memory access (CVE-2020-15572,
       boo#1173979)
     * Fix DoS defenses on bridges with a pluggable transport
     * CVE-2020-10592: CPU consumption DoS and timing patterns (boo#1167013)
     * CVE-2020-10593: circuit padding memory leak (boo#1167014)

   - tor 0.4.4.6
     * Check channels+circuits on relays more thoroughly (TROVE-2020-005,
       boo#1178741)
     * Fix a crash due to an out-of-bound memory access (CVE-2020-15572,
       boo#1173979)
     * Fix logrotate to not fail when tor is stopped (boo#1164275)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2020-1970=1



Package List:

   - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 ppc64le s390x x86_64):

      tor-0.3.5.12-25.1


References:

   https://www.suse.com/security/cve/CVE-2020-10592.html
   https://www.suse.com/security/cve/CVE-2020-10593.html
   https://www.suse.com/security/cve/CVE-2020-15572.html
   https://bugzilla.suse.com/1164275
   https://bugzilla.suse.com/1167013
   https://bugzilla.suse.com/1167014
   https://bugzilla.suse.com/1173979
   https://bugzilla.suse.com/1178741
_______________________________________________
openSUSE Security Announce mailing list -- [email protected]
To unsubscribe, email [email protected]
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives: https://lists.opensuse.org/archives/list/[email protected]