Detections
Analytics

Debian DSA-2331-1 : tor - several vulnerabilities

medium Nessus Plugin ID 56670

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

It has been discovered by 'frosty_un' that a design flaw in Tor, an online privacy tool, allows malicious relay servers to learn certain information that they should not be able to learn. Specifically, a relay that a user connects to directly could learn which other relays that user is connected to directly. In combination with other attacks, this issue can lead to deanonymizing the user. The Common Vulnerabilities and Exposures project has assigned CVE-2011-2768 to this issue.

In addition to fixing the above mentioned issues, the updates to oldstable and stable fix a number of less critical issues (CVE-2011-2769 ). Please see the posting from the Tor blog for more information.

Solution

Upgrade the tor packages.

For the oldstable distribution (lenny), this problem has been fixed in version 0.2.1.31-1~lenny+1. Due to technical limitations in the Debian archive scripts, the update cannot be released synchronously with the packages for stable. It will be released shortly.

For the stable distribution (squeeze), this problem has been fixed in version 0.2.1.31-1.

See Also

https://security-tracker.debian.org/tracker/CVE-2011-2768

https://security-tracker.debian.org/tracker/CVE-2011-2769

https://blog.torproject.org/tor-02234-released-security-patches

https://packages.debian.org/source/squeeze/tor

https://www.debian.org/security/2011/dsa-2331

Plugin Details

Severity: Medium

ID: 56670

File Name: debian_DSA-2331.nasl

Version: 1.12

Type: local

Agent: unix

Published: 10/31/2011

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.7

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:tor, cpe:/o:debian:debian_linux:5.0, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 10/28/2011

Reference Information

CVE: CVE-2011-2768, CVE-2011-2769

DSA: 2331