===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0860
                            tor security update
                               7 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tor
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2929 CVE-2015-2928

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3216

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running tor check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3216-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 06, 2015                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2015-2928 CVE-2015-2929

Several vulnerabilities have been discovered in Tor, a connection-based
low-latency anonymous communication system:

CVE-2015-2928

    "disgleirio" discovered that a malicious client could trigger an
    assertion failure in a Tor instance providing a hidden service, thus
    rendering the service inaccessible.

CVE-2015-2929

    "DonnchaC" discovered that Tor clients would crash with an assertion
    failure upon parsing specially crafted hidden service descriptors.

Introduction points would accept multiple INTRODUCE1 cells on one
circuit, making it inexpensive for an attacker to overload a hidden
service with introductions. Introduction points now no longer allow
multiple cells of that type on the same circuit.

For the stable distribution (wheezy), these problems have been fixed in
version 0.2.4.27-1.

For the unstable distribution (sid), these problems have been fixed in
version 0.2.5.12-1.

For the experimental distribution, these problems have been fixed in
version 0.2.6.7-1.

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================