openSUSE Security Update: update for tor ______________________________________________________________________________ Announcement ID: openSUSE-SU-2014:0143-1 Rating: moderate References: #859421 Cross-References: CVE-2013-7295 Affected Products: openSUSE 13.1 openSUSE 12.3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: - fixes potentially poor random number generation for users who 1) use OpenSSL 1.0.0 or later, 2) set "HardwareAccel 1" in their torrc file, 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors and 4) have no state file in their DataDirectory (as would happen on first start). Users who generated relay or hidden service identity keys in such a situation should discard them and generate new ones. No 2 is not the default configuration for openSUSE. [bnc#859421] [CVE-2013-7295] - added patches: * tor-0.2.3.x-CVE-2013-7295.patch Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.1: zypper in -t patch openSUSE-2014-86 - openSUSE 12.3: zypper in -t patch openSUSE-2014-86 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.1 (i586 x86_64): tor-0.2.3.25-5.4.1 tor-debuginfo-0.2.3.25-5.4.1 tor-debugsource-0.2.3.25-5.4.1 - openSUSE 12.3 (i586 x86_64): tor-0.2.3.25-2.4.1 tor-debuginfo-0.2.3.25-2.4.1 tor-debugsource-0.2.3.25-2.4.1 References: http://support.novell.com/security/cve/CVE-2013-7295.html https://bugzilla.novell.com/859421