Tor Bugs Let Remote Users Deny Service

SecurityTracker Alert ID: 1021708
SecurityTracker URL: http://securitytracker.com/id/1021708
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 12 2009
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 0.2.0.34

Description:
Several vulnerabilities were reported in Tor. A remote user can cause denial of service conditions.
A remote user can send specially crafted data to cause the target service to crash or enter an infinite loop.

Impact:
A remote user can cause the target service to crash or enter an infinite loop.

Solution:
The vendor has issued a fix (0.2.0.34).
The vendor's advisory is available at:
http://archives.seul.org/or/announce/Feb-2009/msg00000.html

Vendor URL: torproject.org/
Cause: State error
Underlying OS: Linux (Any), UNIX (Any)
Message History: None.

Source Message Contents

Date: Wed, 11 Feb 2009 20:32:10 -0500
Subject: Tor
http://archives.seul.org/or/announce/Feb-2009/msg00000.html
Changes in version 0.2.0.34 - 2009-02-08
  o Security fixes:
    - Fix an infinite-loop bug on handling corrupt votes under certain
      circumstances. Bugfix on 0.2.0.8-alpha.
    - Fix a temporary DoS vulnerability that could be performed by
      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
    - Avoid a potential crash on exit nodes when processing malformed
      input. Remote DoS opportunity. Bugfix on 0.2.0.33.
    - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
      Spec conformance issue. Bugfix on Tor 0.0.2pre27.