Debian Tor vulnerabilities
95 known vulnerabilities affecting debian/tor.
Total CVEs: 95
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 26, MEDIUM 42, LOW 23
Vulnerabilities
Page 2 of 5
CVE-2017-8820, HIGH, CVSS 7.5, fixed in tor 0.3.1.9-1 (bookworm), 2017
CVE-2017-8820 [HIGH] CVE-2017-8820: tor - In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9....
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, remote attackers can cause a denial of service (NULL pointer dereference and application crash) against directory authorities via a malformed descriptor, aka TROVE-2017-010.
Scope: local
bookworm: resolved (fixed in 0.3.1.9-1)
bullseye: reso
debian
CVE-2017-8819, HIGH, CVSS 7.5, fixed in tor 0.3.1.9-1 (bookworm), 2017
CVE-2017-8819 [HIGH] CVE-2017-8819: tor - In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9....
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, the replay-cache protection mechanism is ineffective for v2 onion services, aka TROVE-2017-009. An attacker can send many INTRODUCE2 cells to trigger this issue.
Scope: local
bookworm: resolved (fixed in 0.3.1.9-1)
bullseye: resolved (fixed
debian
CVE-2017-0380, MEDIUM, CVSS 5.9, fixed in tor 0.3.1.7-1 (bookworm), 2017
CVE-2017-0380 [MEDIUM] CVE-2017-0380: tor - The rend_service_intro_established function in or/rendservice.c in Tor before 0....
The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11, 0.3.1.x before 0.3.1.7, and 0.3.2.x before 0.3.2.1-alpha, when SafeLogging is disabled, allows attackers to obtain sensitive information by leveraging access to the log files of a hidden service, because uninitialized stack data is in
debian
CVE-2017-0377, LOW, CVSS 7.5, 2017
CVE-2017-0377 [HIGH] CVE-2017-0377: tor - Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the...
Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family), which might allow remote attackers to defeat intended anonymity properties by leveraging the existence of large families.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2017-0375, LOW, CVSS 7.5, 2017
CVE-2017-0375 [HIGH] CVE-2017-0375: tor - The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (ass...
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the relay_send_end_cell_from_edge_ function via a malformed BEGIN cell.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2017-8822, LOW, CVSS 3.7, fixed in tor 0.3.1.9-1 (bookworm), 2017
CVE-2017-8822 [LOW] CVE-2017-8822: tor - In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9....
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.
Scope: local
bookworm: resolved (fixed in 0.3.1.9-1)
bullseye: resolved (fixed in 0.3.1.9
debian
CVE-2016-1254, HIGH, CVSS 7.5, fixed in tor 0.2.9.8-2 (bookworm), 2016
CVE-2016-1254 [HIGH] CVE-2016-1254: tor - Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (c...
Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor.
Scope: local
bookworm: resolved (fixed in 0.2.9.8-2)
bullseye: resolved (fixed in 0.2.9.8-2)
forky: resolved (fixed in 0.2.9.8-2)
sid: resolved (fixed in 0.2.9.8-2)
trixie: resolved (fixed in 0.2.9.8-2)
debian
CVE-2016-8860, HIGH, CVSS 7.5, fixed in tor 0.2.8.9-1 (bookworm), 2016
CVE-2016-8860 [HIGH] CVE-2016-8860: tor - Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that ...
Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL termination, but the implementation of or/buffers.c did not ensure that NUL termination was present, which allows remote attackers to cause a denial of service (client, hidden service, relay, or authority crash) via crafted data.
Scope: local
boo
debian
CVE-2015-2929, HIGH, CVSS 7.5, fixed in tor 0.2.5.12-1 (bookworm), 2015
CVE-2015-2929 [HIGH] CVE-2015-2929: tor - The Hidden Service (HS) client implementation in Tor before 0.2.4.27, 0.2.5.x be...
The Hidden Service (HS) client implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote servers to cause a denial of service (assertion failure and application exit) via a malformed HS descriptor.
Scope: local
bookworm: resolved (fixed in 0.2.5.12-1)
bullseye: resolved (fixed in 0.2.5.12-1)
forky: resolved (fixed in 0.2.5.12
debian
CVE-2015-2928, HIGH, CVSS 7.5, fixed in tor 0.2.5.12-1 (bookworm), 2015
CVE-2015-2928 [HIGH] CVE-2015-2928: tor - The Hidden Service (HS) server implementation in Tor before 0.2.4.27, 0.2.5.x be...
The Hidden Service (HS) server implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 0.2.5.12-1)
bullseye: resolved (fixed in 0.2.5.12-1)
forky: resolved (fixed in 0.2.5.12-1)
sid:
debian
CVE-2015-2689, HIGH, CVSS 7.5, fixed in tor 0.2.5.11-1 (bookworm), 2015
CVE-2015-2689 [HIGH] CVE-2015-2689: tor - Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending...
Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending-connection resolve states during periods of high DNS load, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets.
Scope: local
bookworm: resolved (fixed in 0.2.5.11-1)
bullseye: resolved (fixed in 0.2.5.11-1)
forky: resolved (fixed
debian
CVE-2015-2688, HIGH, CVSS 7.5, fixed in tor 0.2.5.11-1 (bookworm), 2015
CVE-2015-2688 [HIGH] CVE-2015-2688: tor - buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly ...
buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle unexpected arrival times of buffers with invalid layouts, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via crafted packets.
Scope: local
bookworm: resolved (fixed in 0.2.5.11-1)
bullseye: resolved (fixed in 0.2.5.11-1)
forky: resolved (f
debian
CVE-2014-5117, MEDIUM, CVSS 5.8, fixed in tor 0.2.4.23-1 (bookworm), 2014
CVE-2014-5117 [MEDIUM] CVE-2014-5117: tor - Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an ...
Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an inbound RELAY_EARLY cell is received by a client, which makes it easier for remote attackers to conduct traffic-confirmation attacks by using the pattern of RELAY and RELAY_EARLY cells as a means of communicating information about hidden service names.
Scope: local
bookworm: resolved (fixed
debian
CVE-2013-7295, LOW, CVSS 4.0, fixed in tor 0.2.4.20-1 (bookworm), 2013
CVE-2013-7295 [MEDIUM] CVE-2013-7295: tor - Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain Hard...
Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors.
debian
CVE-2012-4922, MEDIUM, CVSS 5.0, fixed in tor 0.2.3.22-rc-1 (bookworm), 2012
CVE-2012-4922 [MEDIUM] CVE-2012-4922: tor - The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0.2.3.x bef...
The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.22-rc, does not properly validate time values, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed directory object, a different vulnerability than CVE-2012-4419.
Scope: local
bookworm: resolved (fixed in 0.2.3.22-rc-1)
bul
debian
CVE-2012-4419, MEDIUM, CVSS 5.0, fixed in tor 0.2.3.22-rc-1 (bookworm), 2012
CVE-2012-4419 [MEDIUM] CVE-2012-4419: tor - The compare_tor_addr_to_addr_policy function in or/policies.c in Tor before 0.2....
The compare_tor_addr_to_addr_policy function in or/policies.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a zero-valued port field that is not properly handled during policy comparison.
Scope: local
bookworm: resolved (fixed in 0.2.3.22-rc-1)
bullseye: resolved (fixe
debian
CVE-2012-3518, LOW, CVSS 5.0, fixed in tor 0.2.3.20-rc-1 (bookworm), 2012
CVE-2012-3518 [MEDIUM] CVE-2012-3518: tor - The networkstatus_parse_vote_from_string function in routerparse.c in Tor before...
The networkstatus_parse_vote_from_string function in routerparse.c in Tor before 0.2.2.38 does not properly handle an invalid flavor name, which allows remote attackers to cause a denial of service (out-of-bounds read and daemon crash) via a crafted (1) vote document or (2) consensus document.
Scope: local
bookworm: resolved (fixed in 0.2.3.20-rc-1)
bullseye: resolved (
debian
CVE-2012-2250, LOW, CVSS 5.0, fixed in tor 0.2.3.24-rc-1 (bookworm), 2012
CVE-2012-2250 [MEDIUM] CVE-2012-2250: tor - Tor before 0.2.3.24-rc allows remote attackers to cause a denial of service (ass...
Tor before 0.2.3.24-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) by performing link protocol negotiation incorrectly.
Scope: local
bookworm: resolved (fixed in 0.2.3.24-rc-1)
bullseye: resolved (fixed in 0.2.3.24-rc-1)
forky: resolved (fixed in 0.2.3.24-rc-1)
sid: resolved (fixed in 0.2.3.24-rc-1)
trixie: resolved (fixed in
debian
CVE-2012-3517, LOW, CVSS 5.0, fixed in tor 0.2.3.20-rc-1 (bookworm), 2012
CVE-2012-3517 [MEDIUM] CVE-2012-3517: tor - Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might allow remote ...
Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might allow remote attackers to cause a denial of service (daemon crash) via vectors related to failed DNS requests.
Scope: local
bookworm: resolved (fixed in 0.2.3.20-rc-1)
bullseye: resolved (fixed in 0.2.3.20-rc-1)
forky: resolved (fixed in 0.2.3.20-rc-1)
sid: resolved (fixed in 0.2.3.20-rc-1)
trixie: resol
debian
CVE-2012-3519, LOW, CVSS 5.0, fixed in tor 0.2.3.20-rc-1 (bookworm), 2012
CVE-2012-3519 [MEDIUM] CVE-2012-3519: tor - routerlist.c in Tor before 0.2.2.38 uses a different amount of time for relay-li...
routerlist.c in Tor before 0.2.2.38 uses a different amount of time for relay-list iteration depending on which relay is chosen, which might allow remote attackers to obtain sensitive information about relay selection via a timing side-channel attack.
Scope: local
bookworm: resolved (fixed in 0.2.3.20-rc-1)
bullseye: resolved (fixed in 0.2.3.20-rc-1)
forky: resolved (fi
debian