Advisories » MGASA-2014-0256

Updated tor packages fix multiple vulnerabilities

Publication date: 06 Jun 2014
Modification date: 22 Jan 2022
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-0160

Description

Update to version 0.2.4.22 which solves these major and security problems:


   - Block authority signing keys that were used on authorities
     vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).

   - Fix a memory leak that could occur if a microdescriptor parse
     fails during the tokenizing step.

   - The relay ciphersuite list is now generated automatically based on
     uniform criteria, and includes all OpenSSL ciphersuites with
     acceptable strength and forward secrecy.

   - Relays now trust themselves to have a better view than clients of
     which TLS ciphersuites are better than others.

   - Clients now try to advertise the same list of ciphersuites as
     Firefox 28.


For other changes see the upstream change log
                

References

• https://gitweb.torproject.org/tor.git?a=blob_plain;hb=HEAD;f=ChangeLog
• https://bugs.mageia.org/show_bug.cgi?id=11922
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

SRPMS

4/core

• tor-0.2.4.22-1.mga4

3/core

• tor-0.2.4.22-1.mga3