openSUSE-SU-2023:0361-1: moderate: Security update for tor
openSUSE Security Update: Security update for tor
_______________________________
Announcement ID: openSUSE-SU-2023:0361-1
Rating: moderate
References: #1216873
Affected Products:
openSUSE Backports SLE-15-SP4
openSUSE Backports SLE-15-SP5
_______________________________
An update that contains security fixes can now be installed.
Description:
This update for tor fixes the following issues:
- tor 0.4.8.8:
  * Mitigate an issue when Tor compiled with OpenSSL can crash during
    handshake with a remote relay. (TROVE-2023-004, boo#1216873)
  * Regenerate fallback directories generated on November 03, 2023.
  * Update the geoip files to match the IPFire Location Database, as
    retrieved on 2023/11/03
  * directory authority: Look at the network parameter "maxunmeasuredbw"
    with the correct spelling
  * vanguards addon support: Count the conflux linked cell as valid when
    it is successfully processed. This will quiet a spurious warn in the
    vanguards addon
- tor 0.4.8.7:
  * Fix an issue that prevented us from pre-building more conflux sets
    after existing sets had been used
- tor 0.4.8.6:
  * onion service: Fix a reliability issue where services were expiring
    their introduction points every consensus update. This caused
    connectivity issues for clients caching the old descriptor and intro
    points
  * Log the input and output buffer sizes when we detect a potential
    compression bomb
  * Disable multiple BUG warnings of a missing relay identity key when
    starting an instance of Tor compiled without relay support
  * When reporting a pseudo-networkstatus as a bridge authority, or
    answering "ns/purpose/*" controller requests, include accurate
    published-on dates from our list of router descriptors
  * Use less frightening language and lower the log-level of our run-time
    ABI compatibility check message in our Zstd compression subsystem
- tor 0.4.8.5:
  * bugfixes creating log BUG stacktrace
- tor 0.4.8.4:
  * Extend DoS protection to partially opened channels and known relays
  * Dynamic Proof-Of-Work protocol to thwart flooding DoS attacks against
    hidden services. Disabled by default, enable via "HiddenServicePoW" in
    torrc
  * Implement conflux traffic splitting
  * Directory authorities and relays now interact properly with directory
    authorities if they change addresses
- tor 0.4.7.14:
  * bugfix affecting vanguards (onion service), and minor fixes
- Enable support for scrypt()
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP5:
    zypper in -t patch openSUSE-2023-361=1
- openSUSE Backports SLE-15-SP4:
    zypper in -t patch openSUSE-2023-361=1
Package List:
- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):
    tor-0.4.8.8-bp155.2.3.1
    tor-debuginfo-0.4.8.8-bp155.2.3.1
    tor-debugsource-0.4.8.8-bp155.2.3.1
- openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):
    tor-0.4.8.8-bp154.2.15.1
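To confirm a host actually received the fixed build after patching, the installed tor version-release can be compared with the Package List above. The script below is an added example, not part of the original advisory; the product labels SP4/SP5, the function names and the use of GNU `sort -V` as an approximation of RPM version ordering are assumptions.

```shell
#!/bin/sh
# Fixed tor builds, copied from the Package List of this advisory.
fixed_build_for() {
    case "$1" in
        SP5) echo "0.4.8.8-bp155.2.3.1" ;;
        SP4) echo "0.4.8.8-bp154.2.15.1" ;;
        *)   return 1 ;;
    esac
}

# tor_build_status PRODUCT VERSION-RELEASE
# Prints: patched | outdated | not-installed | unknown-product
# Assumption: GNU `sort -V` stands in for RPM's own version comparison.
# It orders numeric fields numerically (2.9.1 sorts before 2.15.1),
# which a plain string comparison would get wrong.
tor_build_status() {
    fixed=$(fixed_build_for "$1") || { echo "unknown-product"; return 2; }
    [ -n "$2" ] || { echo "not-installed"; return 3; }
    lowest=$(printf '%s\n%s\n' "$fixed" "$2" | sort -V | head -n 1)
    if [ "$lowest" = "$fixed" ]; then
        echo "patched"
    else
        echo "outdated"
        return 1
    fi
}

# Query the live system only when a product is named, e.g.:
#   sh check-tor.sh SP5
if [ "$#" -ge 1 ]; then
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' tor 2>/dev/null) || installed=""
    tor_build_status "$1" "$installed"
fi
```

The exit status is 0 only for a patched build, so the script can gate a compliance check or a configuration-management run.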
References:
https://bugzilla.suse.com/1216873
A tor security update has been released for SUSE Linux Enterprise 15 SP4 and SP5.