[SECURITY] [DLA 187-1] tor security update

2015-04-06T22:07:56
ID DEBIAN:DLA-187-1:CA35B
Type debian
Reporter Debian
Modified 2015-04-06T22:07:56

Description

Package : tor Version : 0.2.4.27-1~deb6u1 CVE ID : CVE-2015-2928 CVE-2015-2929

Several hidden service related denial-of-service issues have been discovered in Tor, a connection-based low-latency anonymous communication system.

o "disgleirio" discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible. [CVE-2015-2928]

o "DonnchaC" discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors. [CVE-2015-2929]

o Introduction points would accept multiple INTRODUCE1 cells on one circuit, making it inexpensive for an attacker to overload a hidden service with introductions. Introduction points no longer allow multiple such cells on the same circuit.