Main Vulnerability Database SB2014102219

SB2014102219 - Fedora EPEL 5 update for tor

Published: October 22, 2014 Updated: April 24, 2025

Security Bulletin ID SB2014102219

Severity

Low

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cryptographic issues (CVE-ID: CVE-2013-7295)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge platforms, does not properly generate random numbers for (1) relay identity keys and (2) hidden-service identity keys, which might make it easier for remote attackers to bypass cryptographic protection mechanisms via unspecified vectors.

2) Input validation error (CVE-ID: CVE-2012-2249)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Tor before 0.2.3.23-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a renegotiation attempt that occurs after the initiation of the V3 link protocol.

3) Input validation error (CVE-ID: CVE-2012-2250)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Tor before 0.2.3.24-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) by performing link protocol negotiation incorrectly.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2014-3570