Security update for tor SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0712-1 Final 1 1 2015-04-06T21:06:21Z current 2015-04-06T21:06:21Z 2015-04-06T21:06:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tor Tor was updated to 0.2.4.27 to fix two security issues that could be used by an attacker to crash hidden services, or crash clients visiting hidden services. Hidden services should upgrade as soon as possible. The following security issues were fixed: * A malicious client could trigger an assertion failure and halt a hidden service. (CVE-2015-2928) * A client could crash with an assertion failure when parsing a malformed hidden service descriptor. (CVE-2015-2929) This release also backports a simple improvement to make hidden services a bit less vulnerable to denial-of-service attacks: * Introduction points no longer allow multiple INTRODUCE1 cells to arrive on the same circuit. This should make it more expensive for attackers to overwhelm hidden services with introductions. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-04/msg00019.html E-Mail link for openSUSE-SU-2015:0712-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings tor-0.2.4.27-5.30.1 The Hidden Service (HS) server implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors. CVE-2015-2928 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-04/msg00019.html https://www.suse.com/security/cve/CVE-2015-2928.html CVE-2015-2928 https://bugzilla.suse.com/926097 SUSE Bug 926097 The Hidden Service (HS) client implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote servers to cause a denial of service (assertion failure and application exit) via a malformed HS descriptor. CVE-2015-2929 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-04/msg00019.html https://www.suse.com/security/cve/CVE-2015-2929.html CVE-2015-2929 https://bugzilla.suse.com/926097 SUSE Bug 926097