Bug 8325 - tor new security issue CVE-2012-5573
: tor new security issue CVE-2012-5573
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/528437/
: has_procedure mga2-32-OK mga2-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-12-07 16:50 CET by David Walser
Modified: 2012-12-07 22:44 CET (History)
2 users (show)

See Also:
Source RPM: tor-0.2.2.39-2.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-12-07 16:50:04 CET
OpenSuSE has issued an advisory today (December 7):
http://lists.opensuse.org/opensuse-updates/2012-12/msg00018.html

Cauldron is not affected as it was fixed upstream in 0.2.3.25.

Patched package uploaded for Mageia 2.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated tor package fixes security vulnerability:

Denial of Service vulnerability in Tor before 0.2.3.25, due to an error when
handling SENDME cells and can be exploited to cause excessive consumption of
memory resources within an entry node (SA51329, CVE-2012-5573).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5573
https://secunia.com/advisories/51329/
https://trac.torproject.org/projects/tor/ticket/6252
http://lists.opensuse.org/opensuse-updates/2012-12/msg00018.html
========================

Updated packages in core/updates_testing:
========================
tor-0.2.2.39-2.1.mga2

from tor-0.2.2.39-2.1.mga2.src.rpm
Comment 1 claire robinson 2012-12-07 18:01:37 CET
No PoC.

Testing using the procedure here: https://bugs.mageia.org/show_bug.cgi?id=3953#c4

mga2 64 complete
Comment 2 claire robinson 2012-12-07 18:11:34 CET
mga2 32 complete

Validating

Advisory & srpm in comment 0

Could sysadmin please push from core/updates_testing to core/updates

Thanks!
Comment 3 Thomas Backlund 2012-12-07 22:44:33 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0356

Note You need to log in before you can comment on or make changes to this bug.