Security: Multiple problems in Tor
Name: Multiple problems in Tor
ID: 200904-11
Distribution: Gentoo
Platforms: not specified
Date: Sat, 11 April 2009, 13:03
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0939
Applications: Tor
Original message
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200904-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Tor: Multiple vulnerabilities
Date: April 08, 2009
Bugs: #250018, #256078, #258833
ID: 200904-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========

Multiple vulnerabilities in Tor might allow for heap corruption, Denial of Service, escalation of privileges and information disclosure.
Background
==========

Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service.
Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  net-misc/tor            < 0.2.0.34                    >= 0.2.0.34
Description
===========
* Theo de Raadt reported that the application does not properly drop privileges to the primary groups of the user specified via the "User" configuration option (CVE-2008-5397).
* rovv reported that the "ClientDNSRejectInternalAddresses" configuration option is not always enforced (CVE-2008-5398).
* Ilja van Sprundel reported a heap-corruption vulnerability that might be remotely triggerable on some platforms (CVE-2009-0414).
* It has been reported that incomplete IPv4 addresses are treated as valid, violating the specification (CVE-2009-0939).
* Three unspecified vulnerabilities have also been reported (CVE-2009-0936, CVE-2009-0937, CVE-2009-0938).
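The CVE-2009-0939 item is an input-validation defect: a dotted-quad parser that accepts incomplete addresses such as "10.0.0". Classic BSD-style parsers such as inet_aton() deliberately accept the "a.b.c", "a.b" and "a" forms and widen the last part, so a strict parser has to be written or chosen on purpose. The following is an added example, not Tor's code, of a parser that accepts only four complete decimal octets in 0..255 with no leading zeros and no trailing characters; the function names `parse_ipv4_strict` and `ipv4_equals` and the sample inputs are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Strict dotted-quad parser: exactly four decimal octets, each 0..255,
 * no leading zeros beyond a lone "0", nothing before or after.
 * On success the address is stored in host byte order. */
bool parse_ipv4_strict(const char *s, uint32_t *out)
{
    uint32_t addr = 0;
    int octets = 0;

    if (s == NULL || *s == '\0')
        return false;

    for (;;) {
        unsigned value = 0;
        int digits = 0;

        /* Every octet must begin with a digit ("1..2.3.4", "1.2.3." fail here). */
        if (*s < '0' || *s > '9')
            return false;

        while (*s >= '0' && *s <= '9') {
            if (digits == 1 && value == 0)
                return false;           /* leading zero, e.g. "01" */
            value = value * 10 + (unsigned)(*s - '0');
            if (value > 255)
                return false;           /* octet out of range */
            s++;
            digits++;
        }

        addr = (addr << 8) | value;
        octets++;

        if (*s == '\0')
            break;
        if (*s != '.' || octets == 4)
            return false;               /* trailing garbage or a fifth octet */
        s++;
    }

    if (octets != 4)
        return false;                   /* incomplete address such as "10.0.0" */

    if (out != NULL)
        *out = addr;
    return true;
}

/* Parses s and compares the result with an expected host-order value. */
bool ipv4_equals(const char *s, uint32_t expected)
{
    uint32_t addr;
    return parse_ipv4_strict(s, &addr) && addr == expected;
}

int main(void)
{
    /* Constructed sample inputs covering the accepted and rejected forms. */
    const char *samples[] = {
        "10.0.0.1", "10.0.0", "10.0.0.", "1.2.3.4.5",
        "256.1.1.1", "01.2.3.4", "0.0.0.0"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t addr = 0;
        bool ok = parse_ipv4_strict(samples[i], &addr);
        printf("%-12s %s\n", samples[i], ok ? "valid" : "rejected");
    }
    return 0;
}
```

The parser walks the string once and fails closed at the first byte that does not fit the grammar; the final `octets != 4` check is the one that turns the leniency the advisory describes into a rejection.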
Impact
======

A local attacker could escalate privileges by leveraging unintended supplementary group memberships of the Tor process. A remote attacker could exploit these vulnerabilities to cause a heap corruption with unknown impact and attack vectors, to cause a Denial of Service via CPU consumption or daemon crash, and to weaken anonymity provided by the service.
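The local escalation path rests on one missing step in the privilege drop for the "User" option (CVE-2008-5397): calling setuid() without first resetting the supplementary group list leaves the process holding root's groups. The following is an added example, not Tor's code, of a privilege drop in the order that actually sheds privilege, followed by post-condition checks a daemon can run on itself. `drop_to_user`, `verify_groups_for_user`, `groups_subset_of`, the `MAX_GROUPS` bound of 256, the default target user "nobody" and the sample gid arrays are assumptions made for this illustration; the calls are plain POSIX/glibc (`getpwnam`, `initgroups`, `getgrouplist`, `getgroups`, `setgid`, `setuid`).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 256   /* assumed upper bound for this example */

/* True when every gid in `actual` also appears in `allowed`.
 * Pure helper, so it can be checked without root. */
bool groups_subset_of(const gid_t *actual, int nactual,
                      const gid_t *allowed, int nallowed)
{
    for (int i = 0; i < nactual; i++) {
        bool found = false;
        for (int j = 0; j < nallowed; j++) {
            if (actual[i] == allowed[j]) {
                found = true;
                break;
            }
        }
        if (!found)
            return false;
    }
    return true;
}

/* Constructed samples: a process that dropped cleanly, and one that kept
 * gid 0 as a supplementary group after setuid(). */
const gid_t sample_allowed[] = { 1000, 27 };
const gid_t sample_clean[]   = { 1000, 27 };
const gid_t sample_leaky[]   = { 1000, 27, 0 };

/* After the drop, the process may hold only groups that `user` belongs to.
 * Returns 0 if so, -1 otherwise. */
int verify_groups_for_user(const char *user, gid_t primary)
{
    gid_t expected[MAX_GROUPS];
    int nexpected = MAX_GROUPS;
    gid_t actual[MAX_GROUPS];
    int nactual;

    if (getgrouplist(user, primary, expected, &nexpected) < 0)
        return -1;                      /* user has more groups than the buffer holds */
    nactual = getgroups(MAX_GROUPS, actual);
    if (nactual < 0)
        return -1;
    return groups_subset_of(actual, nactual, expected, nexpected) ? 0 : -1;
}

/* Drop from root to `user`: supplementary groups first (the step the
 * advisory says was missing), then primary gid, then uid; then verify that
 * root cannot be regained and no stray groups survived. Must run as root. */
int drop_to_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    char name[128];
    uid_t uid;
    gid_t gid;

    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    /* Copy out of getpwnam's static buffer before touching the group db. */
    uid = pw->pw_uid;
    gid = pw->pw_gid;
    snprintf(name, sizeof name, "%s", pw->pw_name);

    /* Without this call, setuid() leaves root's supplementary groups
     * (for instance one that can read private keys) attached to the process. */
    if (initgroups(name, gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Post-conditions: the drop must be irreversible and complete. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;                      /* still able to become root */
    }
    if (verify_groups_for_user(name, gid) != 0) {
        errno = EPERM;
        return -1;                      /* unexpected supplementary groups */
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";   /* assumed target user */
    if (drop_to_user(user) != 0) {
        perror("drop_to_user");
        return 1;
    }
    printf("now running as uid %u with verified groups\n", (unsigned)getuid());
    return 0;
}
```

The two post-condition checks are the part worth keeping in any daemon: a `setuid(0)` that succeeds after the drop, or a `getgroups()` list containing a gid the target user does not own, is exactly the state this advisory describes, and refusing to start in that state is cheaper than discovering it later.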
Workaround
==========

There is no known workaround at this time.
Resolution
==========

All Tor users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/tor-0.2.0.34"
References
==========

  [ 1 ] CVE-2008-5397
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397
  [ 2 ] CVE-2008-5398
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5398
  [ 3 ] CVE-2009-0414
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0414
  [ 4 ] CVE-2009-0936
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0936
  [ 5 ] CVE-2009-0937
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0937
  [ 6 ] CVE-2009-0938
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0938
  [ 7 ] CVE-2009-0939
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0939
Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200904-11.xml
Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org; alternatively, you may file a bug at http://bugs.gentoo.org.
License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (GNU/Linux)

iQIcBAABAgAGBQJJ3SnbAAoJECaaHo/OfoM5JsEQAKfszxbAf0LD6gLCbj70h4EB
oeMO+uoA9+ezrZ2yie+E1XqhzKwPPTgFpRoqVqk/mpYp9sSRVWPc6zh+lRvRY2YI
XLcCBdmWRYbnw93d9BnOHC/3t6yNTMyoXERoWc67S6mvBMudlJ+1uB7/QkZ1xE0R
sxdJR99PZLffL6obpr5lTFlDdWwsPfhwqhDMgsvtxq50wDBuC0gj91+yAQCqyl4H
W1R5o/ESJSSKuY8SbXsnz0EABtg9MbdUg1XtszfJwOwyf/y7gU/s/gzyyyhd53m8
dvJJ+pgqXoP2DqYGs2f2zzi6G6KxAr7SOnwjrvOLBTx0PhxCR9+NJv0EDr2puRDq
9wzWyxYh6PGRbRkDpIo4JpAG+pA5BZubzFrtcR/RTIzzqtkuT2xbfZ49ggh70AXR
2qc1oy2TLJM7/71FpZtIU//r0c6sL1LubDcJVR7v4MPw0rv70XJumSxd6+BP05Hn
VXSPaUgLAqZxZna0p76ghDygBy4b/uVXgvB5so46sft4nfjjgTRt+Qwd8FZHbrLQ
Cy+/HIUuQZqDaBjEm+ssmOFVJGdwmMv3B9tvl1m9AIz6HQu4cxEIr8WUoGnlIjty
DYfGLcG20meeNvWfUsmGwbtkq2nKuLkxYrZ9amzr5rpy+v9weklIz++1BRsLx0Yi
CaJhHKUYfA6J68XW5aND
=pArj
-----END PGP SIGNATURE-----
Posted to the Full-Disclosure mailing list. Charter: http://lists.grok.org.uk/full-disclosure-charter.html. Hosted and sponsored by Secunia - http://secunia.com/