Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-187-1 tor

Debian Security Advisory

DLA-187-1 tor -- LTS security update

Date Reported:

07 Apr 2015

Affected Packages:

tor

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-2928, CVE-2015-2929.

More information:

Several hidden service related denial-of-service issues have been discovered in Tor, a connection-based low-latency anonymous communication system.

disgleirio discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible. [CVE-2015-2928]

DonnchaC discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors. [CVE-2015-2929]

Introduction points would accept multiple INTRODUCE1 cells on one circuit, making it inexpensive for an attacker to overload a hidden service with introductions. Introduction points no longer allow multiple such cells on the same circuit.