Debian DLA-17-1 : tor: new upstream version

high Nessus Plugin ID 82154

Synopsis

The remote Debian host is missing a security update.

Description

The Tor version previously in Debian squeeze, 0.2.2.39, is no longer supported by upstream.

This update brings the currently stable version of Tor, 0.2.4.23, to Debian squeeze.

Changes include use of stronger cryptographic primitives, always clearing bignums before freeing them to avoid leaving key material in memory, mitigating several linkability vectors such as by disabling client-side DNS caches, blacklisting authority signing keys potentially compromised due to Heartbleed, updating the list of directory authorities, and much more.

We recommend that you upgrade your tor packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected tor, tor-dbg, and tor-geoipdb packages.

See Also

https://lists.debian.org/debian-lts-announce/2014/07/msg00015.html

https://packages.debian.org/source/squeeze-lts/tor

Plugin Details

Severity: High

ID: 82154

File Name: debian_DLA-17.nasl

Version: 1.4

Type: local

Agent: unix

Published: 3/26/2015

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:tor, p-cpe:/a:debian:debian_linux:tor-dbg, p-cpe:/a:debian:debian_linux:tor-geoipdb, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 7/31/2014