Debian Security Advisory

DLA-187-1 tor -- LTS security update

Date Reported:
07 Apr 2015
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2015-2928, CVE-2015-2929.
More information:

Several hidden service related denial-of-service issues have been discovered in Tor, a connection-based low-latency anonymous communication system.

disgleirio discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible. [CVE-2015-2928]

DonnchaC discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors. [CVE-2015-2929]

Introduction points would accept multiple INTRODUCE1 cells on one circuit, making it inexpensive for an attacker to overload a hidden service with introductions. Introduction points no longer allow multiple such cells on the same circuit.