Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7295 to the following vulnerability:

Name: CVE-2013-7295
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7295
Assigned: 20140117
Reference: https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors.

NOTE: while EPEL5 ships a vulnerable version of tor, Red Hat Enterprise Linux 5 ships with 0.9.8e and is thus unaffected.

tor-0.2.4.25-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
All active branches of Fedora and EPEL now have tor 0.2.4.25 and are thus no longer affected by this bug.