openSUSE Security Update: update for tor
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0719-1
Rating:             moderate
References:         #878486
Cross-References:   CVE-2014-0160
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   - tor 0.2.4.22 [bnc#878486]
     Tor was updated to the recommended version of the 0.2.4.x series.
     - major features in 0.2.4.x:
       - improved client resilience
       - support better link encryption with forward secrecy
       - new NTor circuit handshake
       - change relay queue for circuit create requests from a size-based
         limit to a time-based limit
       - many bug fixes and minor features
     - changes contained in 0.2.4.22:
       Backports numerous high-priority fixes. These include blocking all
       authority signing keys that may have been affected by the OpenSSL
       "heartbleed" bug, choosing a far more secure set of TLS ciphersuites
       by default, and closing a couple of memory leaks that could be used
       to run a target relay out of RAM.
       - Major features (security):
         - Block authority signing keys that were used on authorities
           vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
       - Major bugfixes (security, OOM):
         - Fix a memory leak that could occur if a microdescriptor parse
           fails during the tokenizing step.
       - Major bugfixes (TLS cipher selection):
         - The relay ciphersuite list is now generated automatically based
           on uniform criteria, and includes all OpenSSL ciphersuites with
           acceptable strength and forward secrecy.
         - Relays now trust themselves to have a better view than clients
           of which TLS ciphersuites are better than others.
         - Clients now try to advertise the same list of ciphersuites as
           Firefox 28.
     - includes changes from 0.2.4.21:
       Further improves security against potential adversaries who find
       breaking 1024-bit crypto doable, and backports several stability and
       robustness patches from the 0.2.5 branch.
       - Major features (client security):
         - When we choose a path for a 3-hop circuit, make sure it contains
           at least one relay that supports the NTor circuit extension
           handshake. Otherwise, there is a chance that we're building a
           circuit that's worth attacking by an adversary who finds breaking
           1024-bit crypto doable, and that chance changes the game theory.
       - Major bugfixes:
         - Do not treat streams that fail with reason
           END_STREAM_REASON_INTERNAL as indicating a definite circuit
           failure, since it could also indicate an ENETUNREACH connection
           error.
     - includes changes from 0.2.4.20:
       - Do not allow OpenSSL engines to replace the PRNG, even when
         HardwareAccel is set.
       - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
         address.
       - Avoid launching spurious extra circuits when a stream is pending.
   - packaging changes:
     - remove init script shadowing systemd unit
     - general cleanup
     - Add tor-fw-helper for UPnP port forwarding; not used by default
     - fix logrotate on systemd-only setups without init scripts; rework
       tor-0.2.2.37-logrotate.patch into tor-0.2.4.x-logrotate.patch
     - verify source tarball signature

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2014-398

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2014-398

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (i586 x86_64):

      tor-0.2.4.22-5.8.1
      tor-debuginfo-0.2.4.22-5.8.1
      tor-debugsource-0.2.4.22-5.8.1

   - openSUSE 12.3 (i586 x86_64):

      tor-0.2.4.22-2.8.1
      tor-debuginfo-0.2.4.22-2.8.1
      tor-debugsource-0.2.4.22-2.8.1

References:

   http://support.novell.com/security/cve/CVE-2014-0160.html
   https://bugzilla.novell.com/878486
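Verifying after "zypper patch" that the installed tor build is at or above the fixed package from the list above: the following is an added example, not part of the advisory or of openSUSE's tooling. It reimplements rpm's version ordering (a simplified rpmvercmp: numeric, alpha and "~" segments) and reads the output of `rpm -q --qf '%{VERSION}-%{RELEASE}\n' tor`; the sample output is constructed here.

```python
import re

# Fixed tor builds from advisory openSUSE-SU-2014:0719-1, keyed by product.
FIXED = {"openSUSE 13.1": "0.2.4.22-5.8.1", "openSUSE 12.3": "0.2.4.22-2.8.1"}

# rpm compares a version as runs of digits, runs of letters and the '~'
# marker; dots and dashes are only separators.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """Simplified reimplementation of librpm's rpmvercmp(): -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):            # '~' sorts before anything (pre-release)
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):     # numeric compare, leading zeros ignored
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alpha
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # Leftover segments: a trailing '~' makes the longer string older,
    # anything else makes it newer.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb)] if a_longer else sb[len(sa)]
    if rest == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1

def compare_evr(installed, fixed):
    """Compare 'VERSION-RELEASE' strings: version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def is_patched(product, rpm_output):
    """rpm_output: text printed by  rpm -q --qf '%{VERSION}-%{RELEASE}\\n' tor
    True when the installed tor is at or above this advisory's fixed build."""
    if product not in FIXED:
        raise ValueError("product not covered by openSUSE-SU-2014:0719-1")
    line = rpm_output.strip().splitlines()[0]
    if line.startswith("package tor is not installed"):
        return True                  # nothing to patch on this host
    return compare_evr(line, FIXED[product]) >= 0

SAMPLE = "0.2.4.21-5.7.1\n"          # constructed rpm -q output, not real
print("patched" if is_patched("openSUSE 13.1", SAMPLE) else "VULNERABLE")
```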