openSUSE Leap 16.0 tor Moderate Security Update 2026-20889-1

June 3, 2026
Update for openSUSE Leap 16.0 addressing multiple moderate-severity security flaws in tor.
An update that solves various issues can now be installed.

Description

This update for tor fixes the following issues:

Changes in tor:

- Update to 0.4.9.9
  * Major bugfixes (compression, security):
    - Fix a compression bomb bypass where an attacker could concatenate many gzip or zlib sub-streams, each just under the per-stream detection threshold, to avoid the compression bomb check entirely. TROVE-2026-022. Fixes bug 41275; bugfix on 0.3.1.1-alpha.
    - Fix an infinite loop when decompressing a truncated zlib/gzip stream with done=1. A truncated stream never reaches Z_STREAM_END, causing zlib to return Z_BUF_ERROR with no input remaining, which buf_add_compress() mistook for a full output buffer and retried forever. Fixed by returning TOR_COMPRESS_ERROR in that case so the caller can abort cleanly. TROVE-2026-021. Fixes bug 41274; bugfix on 0.2.6.1-alpha.
  * Major bugfixes (conflux, security):
    - Fix a NULL write after free when sending a CONFLUX_SWITCH cell fails. The return value...

Package List

- openSUSE Leap 16.0:
  tor-0.4.9.9-bp160.1.1

Announcement ID: openSUSE-SU-2026:20889-1
Rating: moderate
Affected Products: openSUSE Leap 16.0
