tor - security update

2015-04-0700:00:00

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

60.1%

JSON

Several hidden service related denial-of-service issues have been
discovered in Tor, a connection-based low-latency anonymous
communication system.

disgleirio discovered that a malicious client could trigger an
assertion failure in a Tor instance providing a hidden service, thus
rendering the service inaccessible.
[CVE-2015-2928]

DonnchaC discovered that Tor clients would crash with an assertion
failure upon parsing specially crafted hidden service descriptors.
[CVE-2015-2929]

Introduction points would accept multiple INTRODUCE1 cells on one
circuit, making it inexpensive for an attacker to overload a hidden
service with introductions. Introduction points no longer allow
multiple such cells on the same circuit.

CPENameOperatorVersion
toreq0.2.1.29-1
toreq0.2.1.30-1
toreq0.2.1.31-1
toreq0.2.1.31-1~lenny+1
toreq0.2.1.32-1
toreq0.2.2.1-alpha-1
toreq0.2.2.10-alpha-1
toreq0.2.2.10-alpha-2
toreq0.2.2.11-alpha-1
toreq0.2.2.12-alpha-1

Name	Operator	Version
tor	eq	0.2.1.29-1
tor	eq	0.2.1.30-1
tor	eq	0.2.1.31-1
tor	eq	0.2.1.31-1~lenny+1
tor	eq	0.2.1.32-1
tor	eq	0.2.2.1-alpha-1
tor	eq	0.2.2.10-alpha-1
tor	eq	0.2.2.10-alpha-2
tor	eq	0.2.2.11-alpha-1
tor	eq	0.2.2.12-alpha-1