-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0860
                            tor security update
                               7 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tor
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-2929 CVE-2015-2928 

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3216

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running tor check for an updated version of the software for their 
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3216-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
April 06, 2015                         http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2015-2928 CVE-2015-2929

Several vulnerabilities have been discovered in Tor, a connection-based
low-latency anonymous communication system:

CVE-2015-2928

    "disgleirio" discovered that a malicious client could trigger an
    assertion failure in a Tor instance providing a hidden service,
    thus rendering the service inaccessible.

CVE-2015-2929

    "DonnchaC" discovered that Tor clients would crash with an
    assertion failure upon parsing specially crafted hidden service
    descriptors.

Introduction points would accept multiple INTRODUCE1 cells on one
circuit, making it inexpensive for an attacker to overload a hidden
service with introductions. Introduction points now no longer allow
multiple cells of that type on the same circuit.

For the stable distribution (wheezy), these problems have been fixed in
version 0.2.4.27-1.

For the unstable distribution (sid), these problems have been fixed in
version 0.2.5.12-1.

For the experimental distribution, these problems have been
fixed in version 0.2.6.7-1.

We recommend that you upgrade your tor packages.
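
One way to check whether an installed tor package is already at or past the fixed versions named above, added here as an example and not part of the Debian or AusCERT advisory: it reimplements the Debian version-ordering rules (Policy section 5.6.12, the same ordering dpkg --compare-versions applies) in Python, reads the installed version from dpkg-query when the tool is available, and otherwise falls back to a constructed sample of dpkg -s output. The suite-to-version table is taken from the advisory text; the sample output, the function names and the default suite are assumptions.

```python
"""Compare an installed Debian tor package against the versions DSA-3216-1
names as fixed. Version ordering follows Debian Policy 5.6.12 (the dpkg
algorithm); the dpkg output below is a constructed sample, not real data."""

import subprocess
import sys

# Fixed versions as stated in the advisory (suite -> first fixed version).
FIXED_VERSIONS = {
    "wheezy": "0.2.4.27-1",
    "sid": "0.2.5.12-1",
    "experimental": "0.2.6.7-1",
}


def _order(c: str) -> int:
    """Weight of one non-digit character: '~' sorts before everything,
    including end of string; letters sort before other punctuation."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare upstream or revision fragments as alternating runs of
    non-digits (weighted lexical order) and digits (numeric order)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros; longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split [epoch:]upstream[-revision]; missing epoch is 0, missing revision is "0"."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as a sorts before, equal to, or after b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_dpkg_status(text: str):
    """Extract the Version: field from `dpkg -s tor` style output."""
    for line in text.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


def is_fixed(installed: str, suite: str) -> bool:
    """True when the installed version is at or above the advisory's fix for suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


# Constructed sample of `dpkg -s tor` output; not taken from any real host.
SAMPLE_DPKG_STATUS = "Package: tor\nStatus: install ok installed\nVersion: 0.2.4.26-1\n"


def installed_tor_version() -> str:
    """Query dpkg on the local host; fall back to the constructed sample."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "tor"],
                             capture_output=True, text=True, check=True).stdout
        return out.strip()
    except (OSError, subprocess.CalledProcessError):
        return parse_dpkg_status(SAMPLE_DPKG_STATUS)


if __name__ == "__main__":
    suite = sys.argv[1] if len(sys.argv) > 1 else "wheezy"  # assumed default
    version = installed_tor_version()
    state = "fixed" if is_fixed(version, suite) else "VULNERABLE"
    print(f"tor {version} against {suite} fix {FIXED_VERSIONS[suite]}: {state}")
```

On a Debian host, `dpkg --compare-versions 0.2.4.26-1 lt 0.2.4.27-1` answers the same question directly; the reimplementation is useful when auditing package inventories collected from hosts that are not at hand, and its handling of `~` (pre-release suffixes sort below the release) and of `+deb7u1` style security revisions is what makes a naive string or float comparison wrong.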

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----