Detections
Analytics
Debian DSA-3216-1 : tor - security update
high Nessus Plugin ID 82624
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Several vulnerabilities have been discovered in Tor, a connection-based low-latency anonymous communication system :- CVE-2015-2928 'disgleirio' discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible.
- CVE-2015-2929 'DonnchaC' discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors.
Introduction points would accept multiple INTRODUCE1 cells on one circuit, making it inexpensive for an attacker to overload a hidden service with introductions. Introduction points now no longer allow multiple cells of that type on the same circuit.
Solution
Upgrade the tor packages.For the stable distribution (wheezy), these problems have been fixed in version 0.2.4.27-1.
See Also
https://security-tracker.debian.org/tracker/CVE-2015-2928
https://security-tracker.debian.org/tracker/CVE-2015-2929
Plugin Details
Severity: High
ID: 82624
File Name: debian_DSA-3216.nasl
Version: 1.5
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 4/8/2015
Updated: 1/11/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS v3
Risk Factor: High
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:tor, cpe:/o:debian:debian_linux:7.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Patch Publication Date: 4/6/2015
Vulnerability Publication Date: 1/24/2020
Reference Information
CVE: CVE-2015-2928, CVE-2015-2929
DSA: 3216