DSA 2548-1: tor security update
Posted on: 09/14/2012 01:45 PM

A tor security update has been released for Debian GNU/Linux

-------------------------------------------------------------------------
Debian Security Advisory DSA-2548-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
September 13, 2012 http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tor
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-3518 CVE-2012-3519 CVE-2012-4419

Several vulnerabilities have been discovered in Tor, an online privacy


Avoid an uninitialised memory read when reading a vote or consensus
document that has an unrecognized flavour name. This could lead to
a remote, resulting in denial of service.


Try to leak less information about what relays a client is choosing to
a side-channel attacker.


By providing specially crafted date strings to a victim tor instance,
an attacker can cause it to run into an assertion and shut down.

Additionally the update to stable includes the following fixes:
- When waiting for a client to renegotiate, don't allow it to add any
bytes to the input buffer. This fixes a potential DoS issue
[tor-5934, tor-6007].

For the stable distribution (squeeze), these problems have been fixed in

For the unstable distribution, these problems have been fixed in version

We recommend that you upgrade your tor packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/dsa_2548_1_tor_security_update.html)