Security update for tor SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0474-1 Final 1 1 2021-03-25T11:07:12Z current 2021-03-25T11:07:12Z 2021-03-25T11:07:12Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tor This update for tor fixes the following issues: tor was updated to 0.4.5.7 * https://lists.torproject.org/pipermail/tor-announce/2021-March/000216.html * Fix 2 denial of service security issues (boo#1183726) + Disable the dump_desc() function that we used to dump unparseable information to disk (CVE-2021-28089) + Fix a bug in appending detached signatures to a pending consensus document that could be used to crash a directory authority (CVE-2021-28090) * Ship geoip files based on the IPFire Location Database This update was imported from the openSUSE:Leap:15.2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-474 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/D34QNXQE32JN77ED4VWLDVQOC4MRKET6/ E-Mail link for openSUSE-SU-2021:0474-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1183726 SUSE Bug 1183726 https://www.suse.com/security/cve/CVE-2021-28089/ SUSE CVE CVE-2021-28089 page https://www.suse.com/security/cve/CVE-2021-28090/ SUSE CVE CVE-2021-28090 page SUSE Package Hub 15 SP2 tor-0.4.5.7-bp152.2.9.1 tor-0.4.5.7-bp152.2.9.1 as a component of SUSE Package Hub 15 SP2 Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001. CVE-2021-28089 SUSE Package Hub 15 SP2:tor-0.4.5.7-bp152.2.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/D34QNXQE32JN77ED4VWLDVQOC4MRKET6/ https://www.suse.com/security/cve/CVE-2021-28089.html CVE-2021-28089 https://bugzilla.suse.com/1183726 SUSE Bug 1183726 https://bugzilla.suse.com/1184261 SUSE Bug 1184261 Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-002. CVE-2021-28090 SUSE Package Hub 15 SP2:tor-0.4.5.7-bp152.2.9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/D34QNXQE32JN77ED4VWLDVQOC4MRKET6/ https://www.suse.com/security/cve/CVE-2021-28090.html CVE-2021-28090 https://bugzilla.suse.com/1183726 SUSE Bug 1183726 https://bugzilla.suse.com/1184261 SUSE Bug 1184261