openSUSE Security Update: Security update for tor
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0361-1
Rating:             moderate
References:         #1216873 
Affected Products:
                    openSUSE Backports SLE-15-SP4
                    openSUSE Backports SLE-15-SP5
______________________________________________________________________________

   An update that contains security fixes can now be installed.

Description:

   This update for tor fixes the following issues:

   - tor 0.4.8.8:

     * Mitigate an issue when Tor compiled with OpenSSL can crash during
       handshake with a remote relay. (TROVE-2023-004, boo#1216873)
     * Regenerate fallback directories generated on November 03, 2023.
     * Update the geoip files to match the IPFire Location Database, as
       retrieved on 2023/11/03
     * directory authority: Look at the network parameter "maxunmeasuredbw"
       with the correct spelling
     * vanguards addon support: Count the conflux linked cell as valid when
       it is successfully processed. This will quiet a spurious warn in the
       vanguards addon

   - tor 0.4.8.7:

     * Fix an issue that prevented us from pre-building more conflux sets
       after existing sets had been used

   - tor 0.4.8.6:

     * onion service: Fix a reliability issue where services were expiring
       their introduction points every consensus update. This caused
       connectivity issues for clients caching the old descriptor and intro
       points
     * Log the input and output buffer sizes when we detect a potential
       compression bomb
     * Disable multiple BUG warnings of a missing relay identity key when
       starting an instance of Tor compiled without relay support
     * When reporting a pseudo-networkstatus as a bridge authority, or
       answering "ns/purpose/*" controller requests, include accurate
       published-on dates from our list of router descriptors
     * Use less frightening language and lower the log-level of our run-time
       ABI compatibility check message in our Zstd compression subsystem

   - tor 0.4.8.5:

     * bugfixes creating log BUG stacktrace

   - tor 0.4.8.4:

     * Extend DoS protection to partially opened channels and known relays
     * Dynamic Proof-Of-Work protocol to thwart flooding DoS attacks against
       hidden services. Disabled by default, enable via "HiddenServicePoW" in
       torrc
     * Implement conflux traffic splitting
     * Directory authorities and relays now interact properly with directory
       authorities if they change addresses

   - tor 0.4.7.14:

     *  bugfix affecting vanguards (onion service), and minor fixes

   - Enable support for scrypt()


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP5:

      zypper in -t patch openSUSE-2023-361=1

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2023-361=1



Package List:

   - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

      tor-0.4.8.8-bp155.2.3.1
      tor-debuginfo-0.4.8.8-bp155.2.3.1
      tor-debugsource-0.4.8.8-bp155.2.3.1

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

      tor-0.4.8.8-bp154.2.15.1


References:

   https://bugzilla.suse.com/1216873

openSUSE: 2023:0361-1 moderate: tor

November 10, 2023
An update that contains security fixes can now be installed

Description

This update for tor fixes the following issues: - tor 0.4.8.8: * Mitigate an issue when Tor compiled with OpenSSL can crash during handshake with a remote relay. (TROVE-2023-004, boo#1216873) * Regenerate fallback directories generated on November 03, 2023. * Update the geoip files to match the IPFire Location Database, as retrieved on 2023/11/03 * directory authority: Look at the network parameter "maxunmeasuredbw" with the correct spelling * vanguards addon support: Count the conflux linked cell as valid when it is successfully processed. This will quiet a spurious warn in the vanguards addon - tor 0.4.8.7: * Fix an issue that prevented us from pre-building more conflux sets after existing sets had been used - tor 0.4.8.6: * onion service: Fix a reliability issue where services were expiring their introduction points every consensus update. This caused connectivity issues for cli...

Read the Full Advisory

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-361=1 - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2023-361=1


Package List

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): tor-0.4.8.8-bp155.2.3.1 tor-debuginfo-0.4.8.8-bp155.2.3.1 tor-debugsource-0.4.8.8-bp155.2.3.1 - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64): tor-0.4.8.8-bp154.2.15.1


References

https://bugzilla.suse.com/1216873


Severity
Announcement ID: openSUSE-SU-2023:0361-1
Rating: moderate
Affected Products: openSUSE Backports SLE-15-SP4 openSUSE Backports SLE-15-SP5 .

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved