[Full-disclosure] [ GLSA 200508-16 ] Tor: Information disclosure

From: Sune Kloppenborg Jeppesen (jaervosz_at_gentoo.org)
Date: 08/25/05

    To: gentoo-announce@gentoo.org
    Date: Thu, 25 Aug 2005 07:14:03 +0200

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 200508-16
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      Severity: Low
         Title: Tor: Information disclosure
          Date: August 25, 2005
          Bugs: #102245
            ID: 200508-16

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A flaw in Tor leads to the disclosure of information and the loss of
    anonymity, integrity and confidentiality.

    Background
    ==========

    Tor is an implementation of second generation Onion Routing, a
    connection-oriented anonymizing communication service.

    Affected packages
    =================

        -------------------------------------------------------------------
         Package / Vulnerable / Unaffected
        -------------------------------------------------------------------
      1 net-misc/tor < 0.1.0.14 >= 0.1.0.14

    Description
    ===========

    The Diffie-Hellman implementation of Tor fails to verify the
    cryptographic strength of keys which are used during handshakes.

    Impact
    ======

    By setting up a malicious Tor server and enticing users to use this
    server as first hop, a remote attacker could read and modify all
    traffic of the user.
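As an added illustration, not part of the advisory or of Tor's own code: a minimal Diffie-Hellman exchange over the 1024-bit MODP group (RFC 2409 group 2, generator 2) that Tor's circuit handshake used, together with the peer-value check whose absence the Description and Impact sections describe. The modulus transcription and the function names are assumptions of this example; the check itself (reject anything outside [2, p-2]) does not depend on the exact digits.

```python
import secrets

# 1024-bit MODP group from RFC 2409 (Oakley group 2), generator 2.
# Transcribed here as an assumption of this example, not from the advisory.
P_HEX = ("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
         "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
         "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
         "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF")
P = int(P_HEX, 16)
G = 2


def dh_keypair():
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_public_value_ok(y):
    """The missing strength check: accept only values in [2, p-2].

    With a safe prime p the only small subgroups are {1} and {1, p-1}, so
    a peer value of 0, 1 or p-1 (or anything out of range) forces a shared
    secret the sender already knows. Rejecting those closes the hole."""
    return 2 <= y <= P - 2


def dh_shared_secret(x, y, check=True):
    """Compute y^x mod p. With check=True (the fixed behaviour) a
    degenerate peer value is refused before any key is derived."""
    if check and not dh_public_value_ok(y):
        raise ValueError("degenerate Diffie-Hellman public value")
    return pow(y, x, P)


def demo():
    """Honest exchange agrees; an unchecked value of 1 yields secret 1
    whatever the private exponent, which is why the check matters."""
    x, gx = dh_keypair()
    y, gy = dh_keypair()
    assert dh_shared_secret(x, gy) == dh_shared_secret(y, gx)
    return dh_shared_secret(x, 1, check=False)


if __name__ == "__main__":
    print("unchecked secret with peer value 1:", demo())
```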

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All Tor users should upgrade to the latest version:

        # emerge --sync
        # emerge --ask --oneshot --verbose ">=net-misc/tor-0.1.0.14"

    References
    ==========

      [ 1 ] CAN-2005-2643
            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2643
      [ 2 ] Tor Security Announcement
            http://archives.seul.org/or/announce/Aug-2005/msg00002.html

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

      http://security.gentoo.org/glsa/glsa-200508-16.xml

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    http://bugs.gentoo.org.

    License
    =======

    Copyright 2005 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    http://creativecommons.org/licenses/by-sa/2.0

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/