[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1WuicH-0004Ix-0A@titan.mandriva.com>
Date: Wed, 11 Jun 2014 15:31:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:123 ] tor
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2014:123
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : tor
Date : June 11, 2014
Affected: Business Server 1.0
_______________________________________________________________________
Problem Description:
Updated tor packages fix multiple vulnerabilities:
Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with
a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge
platforms, does not properly generate random numbers for relay identity
keys and hidden-service identity keys, which might make it easier
for remote attackers to bypass cryptographic protection mechanisms
via unspecified vectors (CVE-2013-7295).
Update to version 0.2.4.22 solves these major and security problems:
- Block authority signing keys that were used on authorities vulnerable
to the heartbleed bug in OpenSSL (CVE-2014-0160).
- Fix a memory leak that could occur if a microdescriptor parse fails
during the tokenizing step.
- The relay ciphersuite list is now generated automatically based on
uniform criteria, and includes all OpenSSL ciphersuites with acceptable
strength and forward secrecy.
- Relays now trust themselves to have a better view than clients of
which TLS ciphersuites are better than others.
- Clients now try to advertise the same list of ciphersuites as
Firefox 28.
For other changes see the upstream change log
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7295
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://advisories.mageia.org/MGASA-2014-0059.html
http://advisories.mageia.org/MGASA-2014-0256.html
_______________________________________________________________________
Updated Packages:
Mandriva Business Server 1/X86_64:
77035fd2ff3c6df5effbaf9ee78bdaf4 mbs1/x86_64/tor-0.2.4.22-1.mbs1.x86_64.rpm
cccaec1a8425ebfce0bb7d8057d38d6e mbs1/SRPMS/tor-0.2.4.22-1.mbs1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/en/support/security/advisories/
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFTmDAPmqjQ0CJFipgRAqq4AJ9ZIEn/fqUynENotuSA2kTLnKwpJgCgkh59
ssWQCdn4l3H2KyxX+IQBsxw=
=fSis
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists