openSUSE Security Update : tor (openSUSE-SU-2014:0719-1) (Heartbleed)

High Nessus Plugin ID 75376


The remote openSUSE host is missing a security update.


- tor [bnc#878486] Tor was updated to the recommended version of the 0.2.4.x series.

- major features in 0.2.4.x :

- improved client resilience

- support better link encryption with forward secrecy

- new NTor circuit handshake

- change relay queue for circuit create requests from size-based limit to time-based limit

- many bug fixes and minor features

- changes contained in Backports numerous high-priority fixes. These include blocking all authority signing keys that may have been affected by the OpenSSL 'heartbleed' bug, choosing a far more secure set of TLS ciphersuites by default, closing a couple of memory leaks that could be used to run a target relay out of RAM.

- Major features (security)

- Block authority signing keys that were used on authorities vulnerable to the 'heartbleed' bug in OpenSSL (CVE-2014-0160).

- Major bugfixes (security, OOM) :

- Fix a memory leak that could occur if a microdescriptor parse fails during the tokenizing step.

- Major bugfixes (TLS cipher selection) :

- The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and forward secrecy.

- Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others.

- Clients now try to advertise the same list of ciphersuites as Firefox 28.

- includes changes from Further improves security against potential adversaries who find breaking 1024-bit crypto doable, and backports several stability and robustness patches from the 0.2.5 branch.

- Major features (client security) :

- When we choose a path for a 3-hop circuit, make sure it contains at least one relay that supports the NTor circuit extension handshake. Otherwise, there is a chance that we're building a circuit that's worth attacking by an adversary who finds breaking 1024-bit crypto doable, and that chance changes the game theory.

- Major bugfixes :

- Do not treat streams that fail with reason END_STREAM_REASON_INTERNAL as indicating a definite circuit failure, since it could also indicate an ENETUNREACH connection error

- includes changes from :

- Do not allow OpenSSL engines to replace the PRNG, even when HardwareAccel is set.

- Fix assertion failure when AutomapHostsOnResolve yields an IPv6 address.

- Avoid launching spurious extra circuits when a stream is pending.

- packaging changes :

- remove init script shadowing systemd unit

- general cleanup

- Add tor-fw-helper for UPnP port forwarding; not used by default

- fix logrotate on systemd-only setups without init scripts, work tor- to tor-0.2.4.x-logrotate.patch

- verify source tarball signature


Update the affected tor packages.

See Also

Plugin Details

Severity: High

ID: 75376

File Name: openSUSE-2014-398.nasl

Version: $Revision: 1.3 $

Type: local

Agent: unix

Published: 2014/06/13

Modified: 2015/10/22

Dependencies: 12634

Risk Information

Risk Factor: High


Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:tor, p-cpe:/a:novell:opensuse:tor-debuginfo, p-cpe:/a:novell:opensuse:tor-debugsource, cpe:/o:novell:opensuse:12.3, cpe:/o:novell:opensuse:13.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2014/05/20

Exploitable With

Core Impact

Reference Information

CVE: CVE-2014-0160