| Summary: | <net-misc/tor-0.2.1.30: "policy_summarize()" Directory Authority Denial of Service Vulnerability (CVE-2011-1924) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | blueness, chiiph |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Paweł Hajdan, Jr. (RETIRED)
2011-03-21 14:27:21 UTC

Maintainers, is it OK to stabilize net-misc/tor-0.2.1.30? To speed up the process, feel free to CC arches and add the STABLEREQ keyword yourself (and change the status whiteboard from "stable?" to "stable").

Yes, it is ready for stabilization.

Sorry, still getting used to new bugzilla ... added arches.

ppc/ppc64 stable

amd64 ok

Looks also good here on x86.

amd64 done, thanks Agostino

x86 stable. Thanks Andreas.

arm/sparc stable

Thanks, everyone. GLSA Vote: Yes. Vulnerable versions (tor-0.2.1.29 and tor-0.2.1.29-r1) removed from tree.

GLSA vote: NO

Vote: yes, added to existing GLSA.

CVE-2011-1924 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1924): Buffer overflow in the policy_summarize function in or/policies.c in Tor before 0.2.1.30 allows remote attackers to cause a denial of service (directory authority crash) via a crafted policy that triggers creation of a long port list.

no clue why bsd is in cc

This issue was resolved and addressed in GLSA 201110-13 at http://security.gentoo.org/glsa/glsa-201110-13.xml by GLSA coordinator Tim Sammut (underling).