Tor: Information disclosure — GLSA 200508-16

A flaw in Tor leads to the disclosure of information and the loss of anonymity, integrity and confidentiality.

Affected Packages

net-misc/tor on all architectures
Affected versions < 0.1.0.14
Unaffected versions >= 0.1.0.14

Background

Tor is an implementation of second generation Onion Routing, a connection-oriented anonymizing communication service.

Description

The Diffie-Hellman implementation of Tor fails to verify the cryptographic strength of keys which are used during handshakes.

Impact

By setting up a malicious Tor server and enticing users to use this server as first hop, a remote attacker could read and modify all traffic of the user.

Workaround

There is no known workaround at this time.

Resolution

All Tor users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/tor-0.1.0.14"

References

Release Date
August 25, 2005

Latest Revision
August 25, 2005: 01

Severity
low

Exploitable
remote

Bugzilla entries