| Summary: | net-vpn/tor: Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify rendezvous node correctly (CVE-2020-8516) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | filip ambroz <filip.ambroz> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | ||
| Severity: | minor | CC: | blueness, filip.ambroz |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.hackerfactor.com/blog/index.php?/archives/868-Deanonymizing-Tor-Circuits.html | ||
| Whiteboard: | B4 [upstream] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
filip ambroz
2020-02-02 22:16:23 UTC
(In reply to filip ambroz from comment #0) > The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not > verify that a rendezvous node is known before attempting to connect to it, > which might make it easier for remote attackers to discover circuit > information. Upstream is skeptical of this bug. Nick Mathewson redirected me to the following bug: https://trac.torproject.org/projects/tor/ticket/33129 At this point, I'll just follow what upstream does and report back here. (In reply to Anthony Basile from comment #1) > (In reply to filip ambroz from comment #0) > > The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not > > verify that a rendezvous node is known before attempting to connect to it, > > which might make it easier for remote attackers to discover circuit > > information. > > Upstream is skeptical of this bug. Nick Mathewson redirected me to the > following bug: https://trac.torproject.org/projects/tor/ticket/33129 > > At this point, I'll just follow what upstream does and report back here. Also take a look at the following thread on tor-dev@ https://lists.torproject.org/pipermail/tor-dev/2020-February/014146.html Thank you very much, very informative! Closing the bug as invalid. |
