DSA-2136-1: New tor packages fix potential code execution
Posted on: 12/22/2010 03:00 PM

New tor packages are available for Debian GNU/Linux

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2136-1 security@debian.org
http://www.debian.org/security/ Raphael Geissert
December 21, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : tor
Vulnerability : buffer overflow
Problem type : remote
Debian-specific: no
CVE Id : CVE-2010-1676

Willem Pinckaers discovered that Tor, a tool to enable online anonymity,
does not correctly handle all data read from the network. By supplying
specially crafted packets a remote attacker can cause Tor to overflow its
heap, crashing the process. Arbitrary code execution has not been
confirmed but there is a potential risk.

In the stable distribution (lenny), this update also includes an update of
the IP address for the Tor directory authority gabelmoo and addresses
a weakness in the package's postinst maintainer script.

For the stable distribution (lenny) this problem has been fixed in

For the testing distribution (squeeze) and the unstable distribution (sid),
this problem has been fixed in version

We recommend that you upgrade your tor packages.

Upgrade instructions
- --------------------

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_2136_1_new_tor_packages_fix_potential_code_execution.html)