UbuntuUpdates.org

Package "tor"

Name: tor

Description:

anonymizing overlay network for TCP

Latest version: 0.2.4.27-1ubuntu0.1
Release: trusty (14.04)
Level: security
Repository: universe
Homepage: https://www.torproject.org/


Other versions of "tor" in Trusty

Repository   Area       Version
base         universe   0.2.4.20-1
updates      universe   0.2.4.27-1ubuntu0.1
PPA: Tor                0.3.4.9-1~trusty+1



Changelog

Version: 0.2.4.27-1ubuntu0.1 2018-11-26 18:07:07 UTC

  tor (0.2.4.27-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS (client crash) via a crafted hidden service
    descriptor.
    - debian/patches/CVE-2016-1254.patch: Fix parsing bug with unrecognized
      token at EOS.
    - CVE-2016-1254
  * SECURITY UPDATE: DoS (crash) via crafted data.
    - debian/patches/CVE-2016-8860.patch: Protect against NUL-terminated
      inputs.
    - CVE-2016-8860
  * SECURITY UPDATE: DoS (assertion failure and daemon exit) via a BEGIN_DIR
    rendezvous circuit.
    - debian/patches/CVE-2017-0376.patch: Fix assertion failure.
    - CVE-2017-0376
  * SECURITY UPDATE: Replay-cache protection mechanism is ineffective for v2
    onion services.
    - debian/patches/CVE-2017-8819.patch: Fix length of replaycache-checked
      data.
    - CVE-2017-8819
  * SECURITY UPDATE: DoS (application hang) via a crafted PEM input.
    - debian/patches/CVE-2017-8821.patch: Avoid asking for passphrase on
      junky PEM input.
    - CVE-2017-8821
  * SECURITY UPDATE: Relays, that have incompletely downloaded
    descriptors, can pick themselves in a circuit path, leading to a
    degradation of anonymity
    - debian/patches/CVE-2017-8822.patch: Use local descriptor object to
      exclude self in path selection.
    - CVE-2017-8822

 -- Eduardo Barretto <email address hidden> Fri, 23 Nov 2018 14:25:06 -0200

CVE-2016-1254 Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor.
CVE-2016-8860 Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL termination, but the
CVE-2017-0376 The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the connection_edge_process_relay_
CVE-2017-8819 In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, the replay-cache
CVE-2017-8821 In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can
CVE-2017-8822 In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that hav

Version: 0.2.4.27-1build0.14.04.1 2015-07-29 14:06:47 UTC

  tor (0.2.4.27-1build0.14.04.1) trusty-security; urgency=medium

  * Synced from Debian as a security update



