Security update for tor SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0614-1 Final 1 1 2018-03-06T19:19:46Z current 2018-03-06T19:19:46Z 2018-03-06T19:19:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tor This update for tor to version 0.3.2.10 fixes security issues and bugs. The following vulnerabilities were fixed: - CVE-2018-0490: remote crash vulnerability against directory authorities (boo#1083845, TROVE-2018-001) - CVE-2018-0491: remote relay crash (boo#1083846, TROVE-2018-002) This new upstream stable version also contains a new system for improved resistance to DoS attacks against relays and various other bug fixes. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2018-223 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1083845 SUSE Bug 1083845 https://bugzilla.suse.com/1083846 SUSE Bug 1083846 https://www.suse.com/security/cve/CVE-2018-0490/ SUSE CVE CVE-2018-0490 page https://www.suse.com/security/cve/CVE-2018-0491/ SUSE CVE CVE-2018-0491 page SUSE Package Hub 12 tor-0.3.2.10-14.1 tor-0.3.2.10-14.1 as a component of SUSE Package Hub 12 An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority protocol-list subprotocol implementation allows remote attackers to cause a denial of service (NULL pointer dereference and directory-authority crash) via a misformatted relay descriptor that is mishandled during voting. CVE-2018-0490 SUSE Package Hub 12:tor-0.3.2.10-14.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-0490.html CVE-2018-0490 https://bugzilla.suse.com/1083845 SUSE Bug 1083845 A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. It allows remote attackers to cause a denial of service (relay crash) because the KIST implementation allows a channel to be added more than once in the pending list. CVE-2018-0491 SUSE Package Hub 12:tor-0.3.2.10-14.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-0491.html CVE-2018-0491 https://bugzilla.suse.com/1083846 SUSE Bug 1083846