openSUSE Security Update : tor (openSUSE-2015-300)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

Tor was updated to 0.2.4.27 to fix two security issues that could be
used by an attacker to crash hidden services, or crash clients
visiting hidden services. Hidden services should upgrade as soon as
possible.

The following security issues were fixed :

- A malicious client could trigger an assertion failure
and halt a hidden service. (CVE-2015-2928)

- A client could crash with an assertion failure when
parsing a malformed hidden service descriptor.
(CVE-2015-2929)

This release also backports a simple improvement to make hidden
services a bit less vulnerable to denial-of-service attacks :

- Introduction points no longer allow multiple INTRODUCE1
cells to arrive on the same circuit. This should make it
more expensive for attackers to overwhelm hidden
services with introductions.

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=926097

Solution :

Update the affected tor packages.

Risk factor :

Medium

Family: SuSE Local Security Checks

Nessus Plugin ID: 82754

Bugtraq ID:

CVE ID: CVE-2015-2928, CVE-2015-2929
