Debian DSA-2148-1 : tor - several vulnerabilities

medium Nessus Plugin ID 51559

Synopsis

The remote Debian host is missing a security-related update.

Description

The developers of Tor, an anonymizing overlay network for TCP, found three security issues during a security audit: a heap overflow allowed the execution of arbitrary code (CVE-2011-0427), a denial of service vulnerability was found in the zlib compression handling, and some key memory was incorrectly zeroed out before being freed. The latter two issues do not yet have CVE identifiers assigned. The Debian Security Tracker will be updated once they are available:
https://security-tracker.debian.org/tracker/source-package/tor

Solution

Upgrade the tor packages.

For the stable distribution (lenny), this problem has been fixed in version 0.2.1.29-1~lenny+1.

See Also

https://security-tracker.debian.org/tracker/CVE-2011-0427

http://www.nessus.org/u?f1a39dcf

https://www.debian.org/security/2011/dsa-2148

Plugin Details

Severity: Medium

ID: 51559

File Name: debian_DSA-2148.nasl

Version: 1.13

Type: local

Agent: unix

Published: 1/18/2011

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:tor, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 1/17/2011

Reference Information

CVE: CVE-2011-0427

DSA: 2148