Bug 27977 - tor security vulnerability CVE-2020-8516
Summary: tor security vulnerability CVE-2020-8516
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-29 12:18 CET by Zombie Ryushu
Modified: 2020-12-29 17:18 CET (History)
1 user (show)

See Also:
Source RPM: tor-0.3.5.12-1.mga8.src.rpm
CVE: CVE-2020-8516
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Zombie Ryushu 2020-12-29 12:18:05 CET 
** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect to it, which might make it easier for remote attackers to discover circuit information. NOTE: The network team of Tor claims this is an intended behavior and not a vulnerability.
Zombie Ryushu 2020-12-29 12:18:13 CET

CVE: (none) => CVE-2020-8516

Comment 1 Nicolas Lécureuil 2020-12-29 12:25:16 CET 
I think we can close this bugreport as in fact this is "done by design" by tor team.

https://lists.torproject.org/pipermail/tor-dev/2020-February/014147.html
https://security-tracker.debian.org/tracker/CVE-2020-8516

CC: (none) => mageia

Comment 2 David Walser 2020-12-29 17:18:20 CET 
Also our version isn't affected.

Status: NEW => RESOLVED
Resolution: (none) => INVALID
Note You need to log in before you can comment on or make changes to this bug.