Debian Security Advisory
DLA-187-1 tor -- LTS security update
- Date Reported: 07 Apr 2015
- Affected Packages:
- Security database references: In Mitre's CVE dictionary: CVE-2015-2928, CVE-2015-2929.
- More information:
Several hidden service related denial-of-service issues have been discovered in Tor, a connection-based low-latency anonymous communication system.
disgleirio discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible. [CVE-2015-2928]
DonnchaC discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors. [CVE-2015-2929]
Introduction points would accept multiple INTRODUCE1 cells on one circuit, making it inexpensive for an attacker to overload a hidden service with introductions. Introduction points no longer allow multiple such cells on the same circuit.