Debian Security Advisory

DSA-3741-1 tor -- security update

Date Reported:
20 Dec 2016
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 848847.
In Mitre's CVE dictionary: CVE-2016-1254.
More information:

It was discovered that Tor, a connection-based low-latency anonymous communication system, may read one byte past a buffer when parsing hidden service descriptors. This issue may enable a hostile hidden service to crash Tor clients depending on hardening options and malloc implementation.

For the stable distribution (jessie), this problem has been fixed in version

For the testing (stretch) and unstable (sid) distributions, this problem has been fixed in version

We recommend that you upgrade your tor packages.