openSUSE Security Update: Security update for tor ______________________________________________________________________________ Announcement ID: openSUSE-SU-2022:10023-1 Rating: important References: #1200672 Cross-References: CVE-2022-33903 Affected Products: openSUSE Backports SLE-15-SP3 openSUSE Backports SLE-15-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for tor fixes the following issues: tor was updated to 0.4.7.8: * Fix a scenario where RTT estimation can become wedged, seriously degrading congestion control performance on all circuits. This impacts clients, onion services, and relays, and can be triggered remotely by a malicious endpoint. (TROVE-2022-001, CVE-2022-33903, boo#1200672) * Regenerate fallback directories generated on June 17, 2022. * Update the geoip files to match the IPFire Location Database, as retrieved on 2022/06/17. * Allow the rseq system call in the sandbox * logging bug fixes Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2022-10023=1 - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-10023=1 Package List: - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): tor-0.4.7.8-bp154.2.3.1 tor-debuginfo-0.4.7.8-bp154.2.3.1 tor-debugsource-0.4.7.8-bp154.2.3.1 - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le x86_64): tor-0.4.7.8-bp153.2.15.1 References: https://www.suse.com/security/cve/CVE-2022-33903.html https://bugzilla.suse.com/1200672