Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5398 to the following vulnerability:

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5398
http://blog.torproject.org/blog/tor-0.2.0.32-released
http://www.securityfocus.com/bid/32648
http://secunia.com/advisories/33025
http://xforce.iss.net/xforce/xfdb/47102

Patch from ravv:
Backport of R17135 against 0-2-0: https://svn.torproject.org/cgi-bin/viewcvs.cgi?rev=17342&view=rev
Original R17135: https://svn.torproject.org/cgi-bin/viewcvs.cgi?rev=17135&view=rev
This issue affects all versions of the tor package, as shipped with Fedora releases of 8, 9 and 10. Please upgrade to latest upstream packages or apply the above patch.
CVE description missing in the comment #0: Tor before 0.2.0.32 does not properly process the ClientDNSRejectInternalAddresses configuration option in situations where an exit relay issues a policy-based refusal of a stream, which allows remote exit relays to have an unknown impact by mapping an internal IP address to the destination hostname of a refused stream.
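The CVE text above describes a client that applied its internal-address filter to ordinary DNS answers but not to the address an exit attaches when it refuses a stream, so a malicious exit could still plant an internal address in the client's hostname cache. The following Python is an added illustration of the defensive rule, not Tor's own code: it applies the same reject-internal check regardless of whether the hostname-to-address mapping came from a resolve reply or from a refusal, and only mappings that pass are cached. The address ranges, the `resolved`/`refused` source labels, and the sample messages are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed list of ranges that a client should never accept as the
# address of a remote hostname. This is an assumption for the example,
# not Tor's own internal-address table.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# A message is (hostname, address, source); source is "resolved" for a
# normal resolve reply or "refused" for an address attached to a
# policy-based stream refusal (constructed labels for this example).
Message = Tuple[str, str, str]


def is_internal_address(addr: str) -> bool:
    """True if addr is unparsable or lies in one of INTERNAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # unparsable answers are treated as unsafe
    # Membership checks across IP versions simply return False.
    return any(ip in net for net in INTERNAL_NETWORKS)


def accept_mapping(hostname: str, addr: str, source: str,
                   reject_internal: bool = True) -> bool:
    """Decide whether hostname -> addr may enter the client cache.

    The point of the fix described on the page is that this decision
    must not depend on `source`: a refusal carrying an address is
    subject to exactly the same internal-address check as a resolve.
    """
    if not reject_internal:
        return True
    return not is_internal_address(addr)


def build_address_cache(messages: List[Message],
                        reject_internal: bool = True) -> Dict[str, str]:
    """Apply accept_mapping to every message and return the accepted cache."""
    cache: Dict[str, str] = {}
    for hostname, addr, source in messages:
        if accept_mapping(hostname, addr, source, reject_internal):
            cache[hostname] = addr
    return cache


# Constructed sample traffic: two ordinary replies and two refusals,
# one of each carrying an internal address.
SAMPLE_MESSAGES: List[Message] = [
    ("example.com", "93.184.216.34", "resolved"),
    ("intranet.example", "10.0.0.5", "resolved"),
    ("refused.example", "192.168.1.1", "refused"),
    ("ok.example", "2001:db8::10", "refused"),
]

if __name__ == "__main__":
    for reject in (True, False):
        print(f"reject_internal={reject}:",
              build_address_cache(SAMPLE_MESSAGES, reject_internal=reject))
```

With the check enabled, both internal mappings are dropped, including the one that arrived with a refusal; with it disabled (the behaviour the CVE text warns about for the refusal path), `refused.example` is cached as `192.168.1.1`.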
All current Fedora versions are already updated to upstream version 0.2.0.23:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-10954
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10989
https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10991