Debian Security Advisory
DLA-17-1 tor -- LTS security update
- Date Reported: 31 Jul 2014
- Affected Packages: tor
- Vulnerable: Yes
- Security database references: No other external database security references currently available.
- More information:
The Tor version previously in Debian squeeze, 0.2.2.39, is no longer supported by upstream.
This update brings the currently stable version of Tor, 0.2.4.23, to Debian squeeze.
Changes include the use of stronger cryptographic primitives, always clearing bignums before freeing them to avoid leaving key material in memory, mitigating several linkability vectors (for example, by disabling client-side DNS caches), blacklisting authority signing keys potentially compromised due to Heartbleed, updating the list of directory authorities, and much more.
We recommend that you upgrade your tor packages.
For Debian 6 Squeeze, these issues have been fixed in tor version 0.2.4.23-1~deb6u1.