This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.
The remote Mandriva Linux host is missing a security update.
Updated tor packages fix multiple vulnerabilities :
Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a
certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge
platforms, does not properly generate random numbers for relay
identity keys and hidden-service identity keys, which might make it
easier for remote attackers to bypass cryptographic protection
mechanisms via unspecified vectors (CVE-2013-7295).
The update to version 0.2.4.22 solves these major and security problems :
- Block authority signing keys that were used on
authorities vulnerable to the Heartbleed bug in OpenSSL
- Fix a memory leak that could occur if a microdescriptor
parse fails during the tokenizing step.
- The relay ciphersuite list is now generated
automatically based on uniform criteria, and includes
all OpenSSL ciphersuites with acceptable strength and
- Relays now trust themselves to have a better view than
clients of which TLS ciphersuites are better than
- Clients now try to advertise the same list of
ciphersuites as Firefox 28.
For other changes see the upstream change log
Update the affected tor package.
Risk factor : High / CVSS Base Score : 9.4
CVSS Temporal Score : 7.4
Public Exploit Available : true