Mailinglist Archive: opensuse-updates (86 mails)

openSUSE-SU-2014:0719-1: moderate: update for tor
openSUSE Security Update: update for tor
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:0719-1
Rating: moderate
References: #878486
Cross-References: CVE-2014-0160
Affected Products:
openSUSE 13.1
openSUSE 12.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:


- tor 0.2.4.22 [bnc#878486]: Tor was updated to the recommended release of
the 0.2.4.x series.
- major features in 0.2.4.x:
- improved client resilience
- support better link encryption with forward secrecy
- new NTor circuit handshake
- change relay queue for circuit create requests from size-based limit
to time-based limit
- many bug fixes and minor features
- changes contained in 0.2.4.22: Backports numerous high-priority fixes.
These include blocking all authority signing keys that may have been
affected by the OpenSSL "heartbleed" bug, choosing a far more secure set
of TLS ciphersuites by default, and closing a couple of memory leaks that
could be used to run a target relay out of RAM. Note that this update
changes only the tor package (see the Package List below); the system's
OpenSSL library is patched by a separate openssl update.
- Major features (security):
- Block authority signing keys that were used on authorities
vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
- Major bugfixes (security, OOM):
- Fix a memory leak that could occur if a microdescriptor parse fails
during the tokenizing step.
- Major bugfixes (TLS cipher selection):
- The relay ciphersuite list is now generated automatically based
on uniform criteria, and includes all OpenSSL ciphersuites with
acceptable strength and forward secrecy.
- Relays now trust themselves to have a better view than clients
of which TLS ciphersuites are better than others.
- Clients now try to advertise the same list of ciphersuites as
Firefox 28.
- includes changes from 0.2.4.21: Further improves security against
potential adversaries who find breaking 1024-bit crypto doable, and
backports several stability and robustness patches from the 0.2.5 branch.
- Major features (client security):
- When we choose a path for a 3-hop circuit, make sure it contains at
least one relay that supports the NTor circuit extension handshake.
Otherwise, there is a chance that we're building a circuit that's
worth attacking by an adversary who finds breaking 1024-bit crypto
doable, and that chance changes the game theory.
- Major bugfixes:
- Do not treat streams that fail with reason
END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
since it could also indicate an ENETUNREACH connection error.
- includes changes from 0.2.4.20:
- Do not allow OpenSSL engines to replace the PRNG, even when
HardwareAccel is set.
- Fix assertion failure when AutomapHostsOnResolve yields an IPv6
address.
- Avoid launching spurious extra circuits when a stream is pending.
- packaging changes:
- remove init script shadowing systemd unit
- general cleanup
- Add tor-fw-helper for UPnP port forwarding; not used by default
- fix logrotate on systemd-only setups without init scripts; rework
tor-0.2.2.37-logrotate.patch into tor-0.2.4.x-logrotate.patch
- verify source tarball signature


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-398

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-398

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.1 (i586 x86_64):

tor-0.2.4.22-5.8.1
tor-debuginfo-0.2.4.22-5.8.1
tor-debugsource-0.2.4.22-5.8.1

- openSUSE 12.3 (i586 x86_64):

tor-0.2.4.22-2.8.1
tor-debuginfo-0.2.4.22-2.8.1
tor-debugsource-0.2.4.22-2.8.1
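The following script is an added verification aid, not part of the advisory or of the openSUSE tooling. It takes a line as printed by "rpm -q tor" and the openSUSE product version and reports whether the installed build is at or above the fixed build listed in the Package List above. Assumptions: the version comparison treats every dotted field of the version-release string as a plain integer (true for the builds in this advisory, but it does not implement rpm's full algorithm with epochs or alphabetic segments), "rpm -q" prints name-version-release with an optional trailing ".arch", and the live mode reads VERSION_ID from /etc/os-release. The sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Fixed tor builds from the advisory's Package List.
FIXED_13_1="0.2.4.22-5.8.1"
FIXED_12_3="0.2.4.22-2.8.1"

# vercmp A B: prints -1, 0 or 1 comparing two RPM version-release strings
# ("X.Y.Z-R.S.T") field by field as integers. The "-" between version and
# release is treated as just another separator, and missing trailing fields
# count as 0. ASSUMPTION: all fields are numeric (holds for this advisory).
vercmp() {
  a=$(printf '%s' "$1" | tr '-' '.')
  b=$(printf '%s' "$2" | tr '-' '.')
  awk -v a="$a" -v b="$b" 'BEGIN {
    na = split(a, x, ".")
    nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) { print "-1"; exit }
      if (p > q) { print "1"; exit }
    }
    print "0"
  }'
}

# tor_is_fixed NVR PRODUCT
#   NVR     - a line as printed by "rpm -q tor", e.g. tor-0.2.4.21-5.7.1.x86_64
#             (constructed sample; the trailing ".arch" is optional)
#   PRODUCT - "13.1" or "12.3"
# Returns 0 if the installed build is at or above the fixed build, 1 if it is
# older (i.e. still affected), 2 for an unsupported product.
tor_is_fixed() {
  nvr=$1
  product=$2
  case $product in
    13.1) fixed=$FIXED_13_1 ;;
    12.3) fixed=$FIXED_12_3 ;;
    *) echo "tor_is_fixed: unsupported product '$product'" >&2; return 2 ;;
  esac
  vr=${nvr#tor-}                 # strip the package name
  case ${vr##*.} in
    *[!0-9]*) vr=${vr%.*} ;;     # drop a trailing ".arch" (x86_64, i586, ...)
  esac
  [ "$(vercmp "$vr" "$fixed")" -ge 0 ]
}

# Live check of the local system (assumes rpm and /etc/os-release are present):
#   sh check-tor.sh --live
if [ "${1:-}" = "--live" ]; then
  . /etc/os-release              # provides VERSION_ID, e.g. 13.1
  installed=$(rpm -q tor) || { echo "tor is not installed"; exit 0; }
  if tor_is_fixed "$installed" "$VERSION_ID"; then
    echo "$installed: fixed (>= tor-$fixed for openSUSE $VERSION_ID)"
  else
    echo "$installed: still affected; run: zypper in -t patch openSUSE-2014-398"
    exit 1
  fi
fi
```

Without "--live" the script only defines the functions, so it can be sourced from other tooling; the exit status of the live mode (1 when the installed build is older than the fixed one) makes it usable from a fleet-wide inventory job.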


References:

http://support.novell.com/security/cve/CVE-2014-0160.html
https://bugzilla.novell.com/878486

