http://bugzilla.opensuse.org/show_bug.cgi?id=1207110

Bug ID: 1207110
Summary: VUL-0: tor: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through (TROVE-2022-002)
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.4
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: bwiedemann@suse.com
Reporter: Andreas.Stieger@gmx.de
QA Contact: security-team@suse.de
Found By: ---
Blocker: ---

It was discovered that tor before 0.4.5.16 / 0.4.7.13 had inverted logic for the SafeSocks option for SOCKS4 and SOCKS4a. This could lead tor client users who relied on the "SafeSocks 1" option to avoid DNS leaks to have unsafe Tor traffic. The incorrect implementation would let the unsafe SOCKS4 pass but not the safe SOCKS4a one.

References:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40730
https://gitlab.torproject.org/tpo/core/tor/-/commit/a282145b3634547ab84ccd95...
https://hackerone.com/bugs?subject=torproject&report_id=1784589
https://lists.torproject.org/pipermail/tor-announce/2023-January/000261.html
https://forum.torproject.net/t/stable-release-0-4-5-16-and-0-4-7-13/6216
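
The distinction the report turns on, as an added example that is not part of the original report and is not Tor's code: a SOCKS4 request carries an IP address the client already resolved, while a SOCKS4a request carries a hostname for the proxy to resolve, so a "SafeSocks 1" style check should refuse the former and admit the latter. The function names, the enum and the sample requests are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum socks4_kind { SOCKS4_INVALID = -1, SOCKS4_IP = 0, SOCKS4A_HOSTNAME = 1 };
/* Constructed sample requests: CONNECT, port 80, empty USERID. */
static const uint8_t REQ_SOCKS4[] = {4, 1, 0, 80, 192, 0, 2, 1, 0};
static const uint8_t REQ_SOCKS4A[] = {4, 1, 0, 80, 0, 0, 0, 1, 0, 'a', '.', 't', 'e', 's', 't', 0};

/* Request layout: VER=4, CMD, DSTPORT(2), DSTIP(4), USERID, NUL; SOCKS4a sets
 * DSTIP to 0.0.0.x (x != 0) and appends a NUL-terminated hostname. */
enum socks4_kind classify_socks4(const uint8_t *buf, size_t len)
{
    if (len < 9 || buf[0] != 4)
        return SOCKS4_INVALID;
    const uint8_t *user_end = memchr(buf + 8, 0, len - 8);
    if (!user_end)
        return SOCKS4_INVALID;           /* USERID not terminated */
    if (!(buf[4] == 0 && buf[5] == 0 && buf[6] == 0 && buf[7] != 0))
        return SOCKS4_IP;                /* client already resolved the name */
    const uint8_t *host = user_end + 1;
    size_t remaining = len - (size_t)(host - buf);
    if (remaining < 2 || host[0] == 0 || !memchr(host, 0, remaining))
        return SOCKS4_INVALID;           /* empty or unterminated hostname */
    return SOCKS4A_HOSTNAME;             /* resolution is left to the proxy */
}

/* Intended policy (hypothetical helper): 1 = accept, 0 = reject. */
int accept_intended(enum socks4_kind kind, int safe_socks)
{
    return kind != SOCKS4_INVALID && !(safe_socks && kind == SOCKS4_IP);
}

/* Inverted check as the report describes it, kept only for comparison. */
int accept_inverted(enum socks4_kind kind, int safe_socks)
{
    return kind != SOCKS4_INVALID && !(safe_socks && kind == SOCKS4A_HOSTNAME);
}

int main(void)
{
    enum socks4_kind k4 = classify_socks4(REQ_SOCKS4, sizeof REQ_SOCKS4);
    enum socks4_kind k4a = classify_socks4(REQ_SOCKS4A, sizeof REQ_SOCKS4A);
    printf("intended 4=%d 4a=%d\n", accept_intended(k4, 1), accept_intended(k4a, 1));
    printf("inverted 4=%d 4a=%d\n", accept_inverted(k4, 1), accept_inverted(k4a, 1));
    return 0;
}
```

A regression test for the fixed releases can assert the same pair of outcomes: the IP-only request is refused and the hostname request is accepted when the option is on.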