[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[SECURITY] [DSA-2136-1] New tor packages fix potential code execution

Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2136-1                  security@xxxxxxxxxx
http://www.debian.org/security/                         Raphael Geissert
December 21, 2010                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : tor
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2010-1676

Willem Pinckaers discovered that Tor, a tool to enable online anonymity,
does not correctly handle all data read from the network.  By supplying
specially crafted packets a remote attacker can cause Tor to overflow its
heap, crashing the process. Arbitrary code execution has not been
confirmed but there is a potential risk.

In the stable distribution (lenny), this update also includes an update of
the IP address for the Tor directory authority gabelmoo and addresses
a weakness in the package's postinst maintainer script.

For the stable distribution (lenny) this problem has been fixed in

For the testing distribution (squeeze) and the unstable distribution (sid),
this problem has been fixed in version

We recommend that you upgrade your tor packages.

Upgrade instructions
- --------------------

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
Version: GnuPG v1.4.10 (GNU/Linux)