SUSE Package Hub - openSUSE-2020-1970

Update Info

openSUSE-2020-1970

Security update for tor

Type: security

Severity: important

Issued: 2020-11-19

Description:

This update for tor fixes the following issues:

Updating tor to a newer version in the respective codestream.

- tor 0.3.5.12:
  * Check channels+circuits on relays more thoroughly (TROVE-2020-005, boo#1178741)
  * Not affected by out-of-bound memory access (CVE-2020-15572, boo#1173979)
  * Fix DoS defenses on bridges with a pluggable transport
  * CVE-2020-10592: CPU consumption DoS and timing patterns (boo#1167013)
  * CVE-2020-10593: circuit padding memory leak (boo#1167014) 

- tor 0.4.4.6
  * Check channels+circuits on relays more thoroughly (TROVE-2020-005, boo#1178741)
  * Fix a crash due to an out-of-bound memory access (CVE-2020-15572, boo#1173979)
  * Fix logrotate to not fail when tor is stopped (boo#1164275)

References

CVE: CVE-2020-15572
CVE: CVE-2020-10593
CVE: CVE-2020-10592
Bugzilla: 1178741 VUL-0: tor: ed25519 identity not checked when competing a channel (TROVE-2020-005)
Bugzilla: 1173979 VUL-0: CVE-2020-15572: tor: out-of-bound memory access when built with NSS support
Bugzilla: 1167014 VUL-0: CVE-2020-10593: tor: circuit padding memory leak (TROVE-2020-004)
Bugzilla: 1167013 VUL-0: CVE-2020-10592: tor: CPU consumption DoS and timing patterns (TROVE-2020-002)
Bugzilla: 1164275 logrotate.service fails to start (in relation to tor.service)

Packages

tor-0.4.4.6-bp152.2.3.1