-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3216-1 security@xxxxxxxxxx http://www.debian.org/security/ Moritz Muehlenhoff April 06, 2015 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tor CVE ID : CVE-2015-2928 CVE-2015-2929 Several vulnerabilities have been discovered in Tor, a connection-based low-latency anonymous communication system: CVE-2015-2928 "disgleirio" discovered that a malicious client could trigger an assertion failure in a Tor instance providing a hidden service, thus rendering the service inaccessible. CVE-2015-2929 "DonnchaC" discovered that Tor clients would crash with an assertion failure upon parsing specially crafted hidden service descriptors. Introduction points would accept multiple INTRODUCE1 cells on one circuit, making it inexpensive for an attacker to overload a hidden service with introductions. Introduction points now no longer allow multiple cells of that type on the same circuit. For the stable distribution (wheezy), these problems have been fixed in version 0.2.4.27-1. For the unstable distribution (sid), these problems have been fixed in version 0.2.5.12-1. For the experimental distribution, these problems have been fixed in version 0.2.6.7-1. We recommend that you upgrade your tor packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVIvK4AAoJEBDCk7bDfE42k2QP/3NUAsX06900TgPdoWUut7r0 lq+E+rRzTXpbBxiSYQ4lKfeISdVo6/JJT/RfddTDbaSqo9G0ZHVchWvISmS7khM0 LPsSFjW2v8xtmRrET5S+DM8fwCzX0ShuALAm2IFnLvyqnx2LoEUStGA8hfB9rdDK T59swVONOEPnMpKxqIuQcFvDbw3X9tkYrHgYecB+hwYrGbH+BBs2Q3JfbMHw3GYt 3htUWP7V6t4XblbiNwIKnnriWGhOuTuDcT3ftju18Zo8UuGizearZeiYg27EkmVB pPsXcLxpWgmwgD9931+iOP8PhZeNfyRq99zpOc0RjWenDLfjwxr3X2U6Ev4ZC8v8 bg6hY7MqGhC5UWCGa81jbdd+NUCI4tAfthWUCB3iXNmIsmkCfMX18kd0NXOxnLGQ 6nDW4E0GxrPOIwtRQoKOZIPX5FHXkSzE4PUgM3oTzdyxMTcU0CSyKRKQ9v6PbY6s g+gBZ93crY1o7G0Kt22T9UK8UIk/sDzuuAyB+UwYxZDaauAgStd9UKvBYtpli4ec /mIvT/C6F5XAXOP+FfaEInS1F0Q8fhtTzCmDWL1lZXuNAbDtjJyFStCIm29vlLqv RYH7qwSqjxRtd0i1X3bJqJa6HOFE2/A+HaJW7ANlhSPH+1T+mDSfPtni4ZL/Gw/a 5Vl6jLJZ5hiJP7zF4N+Z =Q8yM -----END PGP SIGNATURE-----