openSUSE 16 Security Update : tor (openSUSE-SU-2026:20589-1)

medium Nessus Plugin ID 309139

Synopsis

The remote openSUSE host is missing a security update.

Description

The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2026:20589-1 advisory.

Changes in tor:

- update to 0.4.8.23:
  * Fix a memory compare using the wrong length. This could lead to a remote crash when using the conflux subsystem (TROVE-2026-004, boo#1262302)
  * Fix a series of defense in depth security issues found across the codebase
  * Regenerate fallback directories generated on March 25, 2026.
  * Update the geoip files to match the IPFire Location Database, as retrieved on 2026/03/25.
- includes changes from 0.4.8.22:
  * Avoid an out-of-bounds read error that could occur with V1-formatted EXTEND cells (TROVE-2025-016, boo#1262301)
  * Allow old clients to fetch the consensus even if they use version 0 of the SENDME protocol
  * Do not check for compression bombs for buffers smaller than 5MB (increased from 64 KB)
  * Improvements to directory server statistics

- update to 0.4.8.21:
  * This release is a continuation of the previous one and addresses additional Conflux-related issues identified through further testing and feedback from relay operators. We strongly recommend upgrading as soon as possible.
  * Major bugfixes (conflux, exit):
    - When dequeuing out-of-order conflux cells, the circuit could be closed in between two dequeues, which could lead to a mishandling of a NULL pointer. Fixes bug 41162.
  * Add -mbranch-protection=standard for arm64.
  * Regenerate fallback directories generated on November
  * Update the geoip files to match the IPFire Location Database, as retrieved on 2025/11/17.
  * Fix a bug causing the initial tor process to hang instead of exiting with RunAsDaemon, when pluggable transports are used.

- 0.4.8.20
  * Add a new hardening compiler flag -fcf-protection=full
  * Fix the root cause of some conflux fragile asserts
  * Fix a series of conflux edge cases

- 0.4.8.19
  * Fix some clients not being able to connect to LibreSSL relays
  * Improve stream flow control performance

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected tor package.

See Also

https://bugzilla.suse.com/1262301

https://bugzilla.suse.com/1262302

Plugin Details

Severity: Medium

ID: 309139

File Name: openSUSE-2026-20589-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 4/22/2026

Updated: 4/22/2026

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:tor, cpe:/o:novell:opensuse:16.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/20/2026

Vulnerability Publication Date: 4/20/2026