Summary: | <net-misc/tor-0.2.4.23: potential for traffic-confirmation attacks (CVE-2014-5117) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | CC: | blueness |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | B3 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-07-31 09:46:15 UTC
It should be ready. I've been testing it for about 1 day.

@arches, please stabilize
=net-misc/tor-0.2.4.23
KEYWORDS="amd64 arm ppc ppc64 sparc x86"

I'll do arm, ppc and ppc64 in a minute.

Stable on arm, ppc and ppc64 with a run test + network.

CVE-2014-5117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5117):
Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an inbound RELAY_EARLY cell is received by a client, which makes it easier for remote attackers to conduct traffic-confirmation attacks by using the pattern of RELAY and RELAY_EARLY cells as a means of communicating information about hidden service names.

amd64 stable

x86 stable

sparc stable

Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

GLSA Vote: No

GLSA Vote: No

Maintainer(s), Thank you for cleanup!

Closing noglsa