Mailinglist Archive: opensuse-updates (48 mails)

< Previous Next >
openSUSE-SU-2014:0975-1: moderate: update for tor
openSUSE Security Update: update for tor
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:0975-1
Rating: moderate
References: #889688
Cross-References: CVE-2014-5117
Affected Products:
openSUSE 13.1
openSUSE 12.3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

- Tor 0.2.4.23 [bnc#889688] [CVE-2014-5117] Slows down the risk from guard
rotation and backports several important fixes from the Tor 0.2.5 alpha
release series.
- Major features:
- Clients now look at the "usecreatefast" consensus parameter to decide
whether to use CREATE_FAST or CREATE cells for the first hop
of their circuit. This approach can improve security on connections
where Tor's circuit handshake is stronger than the available TLS
connection security levels, but the tradeoff is more computational
load on guard relays.
- Make the number of entry guards configurable via a new NumEntryGuards
consensus parameter, and the number of directory guards configurable
via a new NumDirectoryGuards consensus parameter.
- Major bugfixes:
- Fix a bug in the bounds-checking in the 32-bit curve25519-donna
implementation that caused incorrect results on 32-bit implementations
when certain malformed inputs were used along with a small class of
private ntor keys.
- Minor bugfixes:
- Warn and drop the circuit if we receive an inbound 'relay early' cell.
- Correct a confusing error message when trying to extend a circuit via
the control protocol but we don't know a descriptor or microdescriptor
for one of the specified relays.
- Avoid an illegal read from stack when initializing the TLS module
using a version of OpenSSL without all of the ciphers used by the v2
link handshake.


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-492

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-492

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.1 (i586 x86_64):

tor-0.2.4.23-5.12.1
tor-debuginfo-0.2.4.23-5.12.1
tor-debugsource-0.2.4.23-5.12.1

- openSUSE 12.3 (i586 x86_64):

tor-0.2.4.23-2.12.1
tor-debuginfo-0.2.4.23-2.12.1
tor-debugsource-0.2.4.23-2.12.1


References:

http://support.novell.com/security/cve/CVE-2014-5117.html
https://bugzilla.novell.com/889688


< Previous Next >
This Thread
  • No further messages