openSUSE Security Update : tor (openSUSE-SU-2014:0719-1) (Heartbleed)

high Nessus Plugin ID 75376

Synopsis

The remote openSUSE host is missing a security update.

Description

- tor 0.2.4.22 [bnc#878486] Tor was updated to the recommended version of the 0.2.4.x series.

- major features in 0.2.4.x :

- improved client resilience

- support better link encryption with forward secrecy

- new NTor circuit handshake

- change relay queue for circuit create requests from size-based limit to time-based limit

- many bug fixes and minor features

- changes contained in 0.2.4.22: Backports numerous high-priority fixes. These include blocking all authority signing keys that may have been affected by the OpenSSL 'heartbleed' bug, choosing a far more secure set of TLS ciphersuites by default, closing a couple of memory leaks that could be used to run a target relay out of RAM.

- Major features (security)

- Block authority signing keys that were used on authorities vulnerable to the 'heartbleed' bug in OpenSSL (CVE-2014-0160).

- Major bugfixes (security, OOM) :

- Fix a memory leak that could occur if a microdescriptor parse fails during the tokenizing step.

- Major bugfixes (TLS cipher selection) :

- The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and forward secrecy.

- Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others.

- Clients now try to advertise the same list of ciphersuites as Firefox 28.

- includes changes from 0.2.4.21: Further improves security against potential adversaries who find breaking 1024-bit crypto doable, and backports several stability and robustness patches from the 0.2.5 branch.

- Major features (client security) :

- When we choose a path for a 3-hop circuit, make sure it contains at least one relay that supports the NTor circuit extension handshake. Otherwise, there is a chance that we're building a circuit that's worth attacking by an adversary who finds breaking 1024-bit crypto doable, and that chance changes the game theory.

- Major bugfixes :

- Do not treat streams that fail with reason END_STREAM_REASON_INTERNAL as indicating a definite circuit failure, since it could also indicate an ENETUNREACH connection error

- includes changes from 0.2.4.20 :

- Do not allow OpenSSL engines to replace the PRNG, even when HardwareAccel is set.

- Fix assertion failure when AutomapHostsOnResolve yields an IPv6 address.

- Avoid launching spurious extra circuits when a stream is pending.

- packaging changes :

- remove init script shadowing systemd unit

- general cleanup

- Add tor-fw-helper for UPnP port forwarding; not used by default

- fix logrotate on systemd-only setups without init scripts, work tor-0.2.2.37-logrotate.patch to tor-0.2.4.x-logrotate.patch

- verify source tarball signature

Solution

Update the affected tor packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=878486

https://lists.opensuse.org/opensuse-updates/2014-05/msg00079.html

Plugin Details

Severity: High

ID: 75376

File Name: openSUSE-2014-398.nasl

Version: 1.8

Type: local

Agent: unix

Published: 6/13/2014

Updated: 5/5/2022

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.1

CVSS v2

Risk Factor: High

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability Information

CPE: cpe:/o:novell:opensuse:12.3, p-cpe:/a:novell:opensuse:tor, p-cpe:/a:novell:opensuse:tor-debugsource, cpe:/o:novell:opensuse:13.1, p-cpe:/a:novell:opensuse:tor-debuginfo

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/20/2014

Vulnerability Publication Date: 4/7/2014

CISA Known Exploited Vulnerability Due Dates: 5/25/2022

Exploitable With

Core Impact

Reference Information

CVE: CVE-2014-0160