Mailinglist Archive: opensuse-updates (86 mails)

openSUSE-SU-2014:0719-1: moderate: update for tor
openSUSE Security Update: update for tor

Announcement ID: openSUSE-SU-2014:0719-1
Rating: moderate
References: #878486
Cross-References: CVE-2014-0160
Affected Products:
openSUSE 13.1
openSUSE 12.3

An update that fixes one vulnerability is now available.


- tor [bnc#878486] Tor was updated to the recommended version of
  the 0.2.4.x series.
- major features in 0.2.4.x:
  - improved client resilience
  - support better link encryption with forward secrecy
  - new NTor circuit handshake
  - change relay queue for circuit create requests from size-based limit
    to time-based limit
  - many bug fixes and minor features
- changes contained in Backports numerous high-priority fixes.
  These include blocking all authority signing keys that may have been
  affected by the OpenSSL "heartbleed" bug, choosing a far more secure set
  of TLS ciphersuites by default, closing a couple of memory leaks that
  could be used to run a target relay out of RAM.
  - Major features (security)
    - Block authority signing keys that were used on authorities
      vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
  - Major bugfixes (security, OOM):
    - Fix a memory leak that could occur if a microdescriptor parse fails
      during the tokenizing step.
  - Major bugfixes (TLS cipher selection):
    - The relay ciphersuite list is now generated automatically based
      on uniform criteria, and includes all OpenSSL ciphersuites with
      acceptable strength and forward secrecy.
    - Relays now trust themselves to have a better view than clients
      of which TLS ciphersuites are better than others.
    - Clients now try to advertise the same list of ciphersuites as
      Firefox 28.
- includes changes from Further improves security against
  potential adversaries who find breaking 1024-bit crypto doable, and
  backports several stability and robustness patches from the 0.2.5 branch.
  - Major features (client security):
    - When we choose a path for a 3-hop circuit, make sure it contains at
      least one relay that supports the NTor circuit extension handshake.
      Otherwise, there is a chance that we're building a circuit that's
      worth attacking by an adversary who finds breaking 1024-bit crypto
      doable, and that chance changes the game theory.
  - Major bugfixes:
    - Do not treat streams that fail with reason
      END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
      since it could also indicate an ENETUNREACH connection error
- includes changes from
  - Do not allow OpenSSL engines to replace the PRNG, even when
    HardwareAccel is set.
  - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
  - Avoid launching spurious extra circuits when a stream is pending.
- packaging changes:
  - remove init script shadowing systemd unit
  - general cleanup
  - Add tor-fw-helper for UPnP port forwarding; not used by default
  - fix logrotate on systemd-only setups without init scripts, work
    tor- to tor-0.2.4.x-logrotate.patch
  - verify source tarball signature

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-398

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-398

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (i586 x86_64):


- openSUSE 12.3 (i586 x86_64):


