
[SECURITY] [DSA-2136-1] New tor packages fix potential code execution
From: Raphael Geissert <geissert () debian org>
Date: Tue, 21 Dec 2010 18:24:55 -0600

------------------------------------------------------------------------
Debian Security Advisory DSA-2136-1                  security () debian org
http://www.debian.org/security/                         Raphael Geissert
December 21, 2010                     http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : tor
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2010-1676

Willem Pinckaers discovered that Tor, a tool to enable online anonymity,
does not correctly handle all data read from the network.  By supplying
specially crafted packets a remote attacker can cause Tor to overflow its
heap, crashing the process. Arbitrary code execution has not been
confirmed but there is a potential risk.

In the stable distribution (lenny), this update also includes an update of
the IP address for the Tor directory authority gabelmoo and addresses
a weakness in the package's postinst maintainer script.

For the stable distribution (lenny) this problem has been fixed in

For the testing distribution (squeeze) and the unstable distribution (sid),
this problem has been fixed in version

We recommend that you upgrade your tor packages.

Upgrade instructions
--------------------

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce () lists debian org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>