[oss-security] 20150406 CVE Request: tor: new upstream releases (0.2.6.7, 0.2.5.12 and 0.2.4.27) fixing security issues

https://trac.torproject.org/projects/tor/ticket/15600

The remote host is affected by the vulnerability described in GLSA-201507-02 (Tor: Denial of Service)

    Tor does not handle data correctly when specifically crafted data is       sent, and also fails to properly verify a descriptor provided by a hidden       service directory.
  Impact :

    A remote attacker could cause a Denial of Service condition in both a       Tor client or a Tor server.
  Workaround :

    There is no known workaround at this time.

Updated tor packages fix security vulnerabilities :

disgleirio discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible (CVE-2015-2928).

DonnchaC discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors (CVE-2015-2929).

Introduction points would accept multiple INTRODUCE1 cells on one circuit, making it inexpensive for an attacker to overload a hidden service with introductions. Introduction points now no longer allow multiple cells of that type on the same circuit.

The tor package has been updated to version 0.2.4.27, fixing these issues.

Update to upstream release 0.2.5.12. Update to upstream release 0.2.5.11.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to upstream release 0.2.5.12.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Tor was updated to 0.2.4.27 to fix two security issues that could be used by an attacker to crash hidden services, or crash clients visiting hidden services. Hidden services should upgrade as soon as possible. 

The following security issues were fixed :

  - A malicious client could trigger an assertion failure     and halt a hidden service. (CVE-2015-2928)

  - A client could crash with an assertion failure when     parsing a malformed hidden service descriptor.
    (CVE-2015-2929)

This release also backports a simple improvement to make hidden services a bit less vulnerable to denial-of-service attacks :

  - Introduction points no longer allow multiple INTRODUCE1     cells to arrive on the same circuit. This should make it     more expensive for attackers to overwhelm hidden     services with introductions.

Several vulnerabilities have been discovered in Tor, a connection-based low-latency anonymous communication system :

  - CVE-2015-2928     'disgleirio' discovered that a malicious client could     trigger an assertion failure in a Tor instance providing     a hidden service, thus rendering the service     inaccessible.

  - CVE-2015-2929     'DonnchaC' discovered that Tor clients would crash with     an assertion failure upon parsing specially crafted     hidden service descriptors.

Introduction points would accept multiple INTRODUCE1 cells on one circuit, making it inexpensive for an attacker to overload a hidden service with introductions. Introduction points now no longer allow multiple cells of that type on the same circuit.

Several hidden service related denial of service issues have been discovered in Tor, a connection-based low-latency anonymous communication system.

o 'disgleirio' discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible. [CVE-2015-2928]

o 'DonnchaC' discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors.
[CVE-2015-2929]

o Introduction points would accept multiple INTRODUCE1 cells on one circuit, making it inexpensive for an attacker to overload a hidden service with introductions. Introduction points no longer allow multiple such cells on the same circuit.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
84556	GLSA-201507-02 : Tor: Denial of Service	Nessus	Gentoo Local Security Checks	medium
83097	Mandriva Linux Security Advisory : tor (MDVSA-2015:205)	Nessus	Mandriva Local Security Checks	medium
82969	Fedora 22 : tor-0.2.5.12-1.fc22 (2015-5890)	Nessus	Fedora Local Security Checks	medium
82883	Fedora 20 : tor-0.2.5.12-1.fc20 (2015-5732)	Nessus	Fedora Local Security Checks	medium
82882	Fedora 21 : tor-0.2.5.12-1.fc21 (2015-5729)	Nessus	Fedora Local Security Checks	medium
82754	openSUSE Security Update : tor (openSUSE-2015-300)	Nessus	SuSE Local Security Checks	medium
82624	Debian DSA-3216-1 : tor - security update	Nessus	Debian Local Security Checks	medium
82594	Debian DLA-187-1 : tor security update	Nessus	Debian Local Security Checks	medium

CVE-2015-2928

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium