|Summary:||CVE-2011-0015 CVE-2011-0016 CVE-2011-0427 CVE-2011-0490 CVE-2011-0491 CVE-2011-0492 CVE-2011-0493 tor: multiple security flaws fixed in 0.2.1.29|
|Product:||[Other] Security Response||Reporter:||Vincent Danen <vdanen>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Version:||unspecified||CC:||casmls, cassmodiah, lmacken, michael, pwouters, rcvalle, rh-bugzilla, tremble, wnefal+redhatbugzilla|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2013-05-31 03:13:59 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||671263|
Description Vincent Danen 2011-01-20 21:42:21 UTC
Tor 0.2.1.29 fixes a number of security flaws, as noted below: http://blog.torproject.org/blog/tor-02129-released-security-patches https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog The specifics of the CVEs are as follows: * Name: CVE-2011-0015 * Reference: https://trac.torproject.org/projects/tor/ticket/2324 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properly check the amount of compression in zlib-compressed data, which allows remote attackers to cause a denial of service via a large compression factor. * Name: CVE-2011-0016 * Reference: https://trac.torproject.org/projects/tor/ticket/2384 * Reference: https://trac.torproject.org/projects/tor/ticket/2385 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properly manage key data in memory, which might allow local users to obtain sensitive information by leveraging the ability to read memory that was previously used by a different process. * Name: CVE-2011-0427 Heap-based buffer overflow in Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. * Name: CVE-2011-0490 * Reference: https://trac.torproject.org/projects/tor/ticket/2190 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha makes calls to Libevent within Libevent log handlers, which might allow remote attackers to cause a denial of service (daemon crash) via vectors that trigger certain log messages. * Name: CVE-2011-0491 * Reference: https://trac.torproject.org/projects/tor/ticket/2324 The tor_realloc function in Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not validate a certain size value during memory allocation, which might allow remote attackers to cause a denial of service (daemon crash) via unspecified vectors, related to "underflow errors." * Name: CVE-2011-0492 * Reference: https://trac.torproject.org/projects/tor/ticket/2326 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote attackers to cause a denial of service (assertion failure and daemon exit) via blobs that trigger a certain file size, as demonstrated by the cached-descriptors.new file. * Name: CVE-2011-0493 * Reference: https://trac.torproject.org/projects/tor/ticket/2352 Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha might allow remote attackers to cause a denial of service (assertion failure and daemon exit) via vectors related to malformed router caches and improper handling of integer values.
Comment 1 Vincent Danen 2011-01-20 21:50:48 UTC
Fedora currently has 0.2.1.29 in testing, so once those have hit stable, Fedora is taken care of. EPEL5 has quite an old version of tor (0.2.1.19) and is vulnerable to these flaws.
Comment 2 Vincent Danen 2011-01-20 21:52:03 UTC
Created tor tracking bugs for this issue Affects: epel-5 [bug 671263]
Comment 3 Christoph A. 2011-05-04 13:50:38 UTC
F13 and F14 still doesn't contain 0.2.1.29. What is blocking 0.2.1.29? http://koji.fedoraproject.org/koji/buildinfo?buildID=214444 http://koji.fedoraproject.org/koji/buildinfo?buildID=214443 there also 0.2.1.30 packages: http://koji.fedoraproject.org/koji/buildinfo?buildID=234269 http://koji.fedoraproject.org/koji/buildinfo?buildID=234271
Comment 4 Vincent Danen 2011-05-16 22:22:56 UTC
Please see bug #705192; we need to update to 0.2.1.30. Thanks.
Comment 5 Paul Wouters 2013-05-31 03:13:59 UTC
fixed long time ago