You are here
Home > Preporuke > Ranjivost programskog paketa tor

Ranjivost programskog paketa tor

  • Detalji os-a: LMV
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LMV

Hash: SHA1


Mandriva Linux Security Advisory MDVSA-2014:123

Package : tor
Date : June 11, 2014
Affected: Business Server 1.0

Problem Description:

Updated tor packages fix multiple vulnerabilities:

Tor before, when OpenSSL 1.x is used in conjunction with
a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge
platforms, does not properly generate random numbers for relay identity
keys and hidden-service identity keys, which might make it easier
for remote attackers to bypass cryptographic protection mechanisms
via unspecified vectors (CVE-2013-7295).

Update to version solves these major and security problems:

– Block authority signing keys that were used on authorities vulnerable
to the heartbleed bug in OpenSSL (CVE-2014-0160).

– Fix a memory leak that could occur if a microdescriptor parse fails
during the tokenizing step.

– The relay ciphersuite list is now generated automatically based on
uniform criteria, and includes all OpenSSL ciphersuites with acceptable
strength and forward secrecy.

– Relays now trust themselves to have a better view than clients of
which TLS ciphersuites are better than others.

– Clients now try to advertise the same list of ciphersuites as
Firefox 28.

For other changes see the upstream change log


Updated Packages:

Mandriva Business Server 1/X86_64:
77035fd2ff3c6df5effbaf9ee78bdaf4 mbs1/x86_64/tor-
cccaec1a8425ebfce0bb7d8057d38d6e mbs1/SRPMS/tor-

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver 0x22458A98

You can view other update advisories for Mandriva Linux at:

If you want to report vulnerabilities, please contact


Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
Version: GnuPG v1.4.12 (GNU/Linux)


To unsubscribe, send a email to
with this subject : unsubscribe security-announce
Want to buy your Pack or Services from Mandriva?
Go to

AutorTomislav Protega
Cert idNCERT-REF-2014-06-0007-ADV
CveCVE-2013-7295 CVE-2014-0160
ID izvornikaMDVSA-2014:123
More in Preporuke
Ranjivost programskog paketa chkrootkit

Otkrivena je ranjivost u chkrootkit skripti koja lokalnom napadaču omogućava kreiranje izvršne datoteke unutar direktorija "/tmp" koju će pokretati korisnik...