[ubuntu/trusty-security] tor 0.2.4.27-1ubuntu0.1 (Accepted)

Eduardo dos Santos Barretto eduardo.barretto at canonical.com
Mon Nov 26 17:15:22 UTC 2018


tor (0.2.4.27-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS (client crash) via a crafted hidden service
    descriptor.
    - debian/patches/CVE-2016-1254.patch: Fix parsing bug with unrecognized
      token at EOS.
    - CVE-2016-1254
  * SECURITY UPDATE: DoS (crash) via crafted data.
    - debian/patches/CVE-2016-8860.patch: Protect against NUL-terminated
      inputs.
    - CVE-2016-8860
  * SECURITY UPDATE: DoS (assertion failure and daemon exit) via a BEGIN_DIR
    rendezvous circuit.
    - debian/patches/CVE-2017-0376.patch: Fix assertion failure.
    - CVE-2017-0376
  * SECURITY UPDATE: Replay-cache protection mechanism is ineffective for v2
    onion services.
    - debian/patches/CVE-2017-8819.patch: Fix length of replaycache-checked
      data.
    - CVE-2017-8819
  * SECURITY UPDATE: DoS (application hang) via a crafted PEM input.
    - debian/patches/CVE-2017-8821.patch: Avoid asking for passphrase on
      junky PEM input.
    - CVE-2017-8821
  * SECURITY UPDATE: Relays, that have incompletely downloaded
    descriptors, can pick themselves in a circuit path, leading to a
    degradation of anonymity
    - debian/patches/CVE-2017-8822.patch: Use local descriptor object to
      exclude self in path selection.
    - CVE-2017-8822

Date: 2018-11-26 16:04:17.183114+00:00
Changed-By: Eduardo dos Santos Barretto <eduardo.barretto at canonical.com>
https://launchpad.net/ubuntu/+source/tor/0.2.4.27-1ubuntu0.1
-------------- next part --------------
Sorry, changesfile not available.


More information about the Trusty-changes mailing list