Bug 27977

Summary: tor security vulnerability CVE-2020-8516
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: mageia
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-8516
Whiteboard:
Source RPM: tor-0.3.5.12-1.mga8.src.rpm CVE: CVE-2020-8516
Status comment:

Description Zombie Ryushu 2020-12-29 12:18:05 CET 
** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information. NOTE: The network team of Tor claims this is an intended behavior and not a vulnerability.
Zombie Ryushu 2020-12-29 12:18:13 CET

CVE: (none) => CVE-2020-8516

Comment 1 Nicolas Lécureuil 2020-12-29 12:25:16 CET 
I think we can close this bugreport as in fact this is "done by design" by tor team.

https://lists.torproject.org/pipermail/tor-dev/2020-February/014147.html
https://security-tracker.debian.org/tracker/CVE-2020-8516

CC: (none) => mageia

Comment 2 David Walser 2020-12-29 17:18:20 CET 
Also our version isn't affected.

Status: NEW => RESOLVED
Resolution: (none) => INVALID