openSUSE Security Update : tor (openSUSE-SU-2014:0719-1) (Heartbleed)
Severity: High | Nessus Plugin ID: 75376

Synopsis
The remote openSUSE host is missing a security update.
Description
- tor 0.2.4.22 [bnc#878486]: Tor was updated to the recommended version of the 0.2.4.x series.
  - Major features in 0.2.4.x:
    - improved client resilience
    - better link encryption with forward secrecy
    - new NTor circuit handshake
    - relay queue for circuit create requests changed from a size-based limit to a time-based limit
    - many bug fixes and minor features
  - Changes contained in 0.2.4.22: backports numerous high-priority fixes. These include blocking all authority signing keys that may have been affected by the OpenSSL 'heartbleed' bug, choosing a far more secure set of TLS ciphersuites by default, and closing a couple of memory leaks that could be used to run a target relay out of RAM.
    - Major features (security):
      - Block authority signing keys that were used on authorities vulnerable to the 'heartbleed' bug in OpenSSL (CVE-2014-0160).
    - Major bugfixes (security, OOM):
      - Fix a memory leak that could occur if a microdescriptor parse fails during the tokenizing step.
    - Major bugfixes (TLS cipher selection):
      - The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and forward secrecy.
      - Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others.
      - Clients now try to advertise the same list of ciphersuites as Firefox 28.
  - Includes changes from 0.2.4.21: further improves security against potential adversaries who find breaking 1024-bit crypto doable, and backports several stability and robustness patches from the 0.2.5 branch.
    - Major features (client security):
      - When we choose a path for a 3-hop circuit, make sure it contains at least one relay that supports the NTor circuit extension handshake. Otherwise, there is a chance that we're building a circuit that's worth attacking by an adversary who finds breaking 1024-bit crypto doable, and that chance changes the game theory.
    - Major bugfixes:
      - Do not treat streams that fail with reason END_STREAM_REASON_INTERNAL as indicating a definite circuit failure, since it could also indicate an ENETUNREACH connection error.
  - Includes changes from 0.2.4.20:
    - Do not allow OpenSSL engines to replace the PRNG, even when HardwareAccel is set.
    - Fix an assertion failure when AutomapHostsOnResolve yields an IPv6 address.
    - Avoid launching spurious extra circuits when a stream is pending.
- Packaging changes:
  - remove the init script that shadowed the systemd unit
  - general cleanup
  - add tor-fw-helper for UPnP port forwarding; not used by default
  - fix logrotate on systemd-only setups without init scripts; rework tor-0.2.2.37-logrotate.patch into tor-0.2.4.x-logrotate.patch
  - verify the source tarball signature
Solution
Update the affected tor packages.