| Bug ID | 1191231 |
|---|---|
| Summary | VUL-1: CVE-2021-39246: tor: allows a correlation attack excessive verbose logging |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.3 |
| Hardware | Other |
| URL | https://smash.suse.de/issue/310844/ |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | bwiedemann@suse.com |
| Reporter | gabriele.sonnu@suse.com |
| QA Contact | security-team@suse.de |
| Found By | Security Response Team |
| Blocker | --- |
Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. If --log or --verbose is used, exact timestamps of these onion-service visits are logged locally, and an attacker might be able to compare them to timestamp data collected by the destination server (or collected by a rogue site within the Tor network). References: https://sick.codes/sick-2021-111 https://www.privacyaffairs.com/cve-2021-39246-tor-vulnerability https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-111.md Upstream patch: https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/434 https://gitlab.torproject.org/tpo/core/tor/-/commit/80c404c4b79f3bcba3fc4585d4c62a62a04f3ed9 References: https://bugzilla.redhat.com/show_bug.cgi?id=2008652 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39246 https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-111.md http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39246 https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/434 https://sick.codes/sick-2021-111 https://gitlab.torproject.org/tpo/core/tor/-/commit/80c404c4b79f3bcba3fc4585d4c62a62a04f3ed9 https://www.privacyaffairs.com/cve-2021-39246-tor-vulnerability