Bug 8325

Summary: tor new security issue CVE-2012-5573
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/528437/
Whiteboard: has_procedure mga2-32-OK mga2-64-OK
Source RPM: tor-0.2.2.39-2.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-12-07 16:50:04 CET 
OpenSuSE has issued an advisory today (December 7):
http://lists.opensuse.org/opensuse-updates/2012-12/msg00018.html

Cauldron is not affected as it was fixed upstream in 0.2.3.25.

Patched package uploaded for Mageia 2.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated tor package fixes security vulnerability:

Denial of Service vulnerability in Tor before 0.2.3.25, due to an error when
handling SENDME cells and can be exploited to cause excessive consumption of
memory resources within an entry node (SA51329, CVE-2012-5573).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5573
https://secunia.com/advisories/51329/
https://trac.torproject.org/projects/tor/ticket/6252
http://lists.opensuse.org/opensuse-updates/2012-12/msg00018.html
========================

Updated packages in core/updates_testing:
========================
tor-0.2.2.39-2.1.mga2

from tor-0.2.2.39-2.1.mga2.src.rpm
Comment 1 claire robinson 2012-12-07 18:01:37 CET 
No PoC.

Testing using the procedure here: https://bugs.mageia.org/show_bug.cgi?id=3953#c4

mga2 64 complete

Whiteboard: (none) => has_procedure mga2-64-OK

Comment 2 claire robinson 2012-12-07 18:11:34 CET 
mga2 32 complete

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Whiteboard: has_procedure mga2-64-OK => has_procedure mga2-32-OK mga2-64-OK

claire robinson 2012-12-07 18:12:35 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

David Walser 2012-12-07 19:37:35 CET

URL: (none) => http://lwn.net/Vulnerabilities/528437/

Comment 3 Thomas Backlund 2012-12-07 22:44:33 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0356

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED