This update for tor fixes the following issues:
- Update to 0.4.9.9
  * Major bugfixes (compression, security):
    - Fix a compression bomb bypass where an attacker could concatenate
      many gzip or zlib sub-streams, each just under the per-stream
      detection threshold, to avoid the compression bomb check entirely.
      TROVE-2026-022. Fixes bug 41275; bugfix on 0.3.1.1-alpha.
    - Fix an infinite loop when decompressing a truncated zlib/gzip stream
      with done=1. A truncated stream never reaches Z_STREAM_END, causing
      zlib to return Z_BUF_ERROR with no input remaining, which
      buf_add_compress() mistook for a full output buffer and retried
      forever. Fixed by returning TOR_COMPRESS_ERROR in that case so the
      caller can abort cleanly. TROVE-2026-021. Fixes bug 41274; bugfix
      on 0.2.6.1-alpha.
  * Major bugfixes (conflux, security):
    - Fix a NULL write after free when sending a CONFLUX_SWITCH cell
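
The two compression fixes above, shown as an added Python sketch that is not tor's code or part of the advisory: output is counted across all concatenated members, and a decompressor that makes no progress with no input left is treated as a truncated stream instead of being retried. The names `safe_decompress` and `DecompressError` and the values `MIN_CHECK`, `MAX_RATIO` and `CHUNK` are assumptions chosen for illustration.

```python
import zlib

# Assumed policy values for this sketch; they are not taken from the tor source.
MIN_CHECK = 64 * 1024   # do not judge the ratio before this much output
MAX_RATIO = 25          # allowed output bytes per input byte
CHUNK = 16 * 1024       # output produced per decompress() call


class DecompressError(Exception):
    """Input rejected: truncated, malformed, or expanding too much."""


def safe_decompress(data: bytes, cumulative: bool = True) -> bytes:
    """Inflate a complete buffer of one or more concatenated gzip/zlib members.

    cumulative=False reproduces the weak accounting (counter reset for every
    member); cumulative=True counts output across all members.
    """
    total_in, out, counted = len(data), bytearray(), 0
    while data:
        d = zlib.decompressobj(zlib.MAX_WBITS | 32)  # auto-detect gzip or zlib
        if not cumulative:
            counted = 0  # the flaw: each member starts below the threshold again
        while not d.eof:
            try:
                chunk = d.decompress(data, CHUNK)
            except zlib.error as exc:
                raise DecompressError(f"malformed stream: {exc}") from exc
            out += chunk
            counted += len(chunk)
            if counted > MIN_CHECK and counted > MAX_RATIO * total_in:
                raise DecompressError("compression bomb suspected")
            data = d.unconsumed_tail
            if not chunk and not data and not d.eof:
                # zlib made no progress, has no input left and never reached
                # end-of-stream: the input is truncated. Retrying cannot help.
                raise DecompressError("truncated stream")
        data = d.unused_data  # bytes after this member: the next member, if any
    return bytes(out)
```

The ratio here is measured against the length of the whole input buffer, which assumes the complete input is available; a streaming decoder would compare against the bytes consumed so far.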
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP7:
zypper in -t patch openSUSE-2026-188=1
- openSUSE Backports SLE-15-SP7 (aarch64 ppc64le s390x x86_64):
tor-0.4.9.9-bp157.2.12.1