[manjaro-security] [arch-security] [ASA-201707-8] tor: session hijacking
rgacogne at archlinux.org
Tue Jul 11 21:52:42 CEST 2017
Arch Linux Security Advisory ASA-201707-8
Date : 2017-07-11
CVE-ID : CVE-2017-0377
Package : tor
Type : session hijacking
Remote : Yes
Link : https://security.archlinux.org/AVG-336
The package tor before version 0.3.0.9-1 is vulnerable to session

Upgrade to 0.3.0.9-1.

# pacman -Syu "tor>=0.3.0.9-1"

The problem has been fixed upstream in version 0.3.0.9.

A security issue has been found in Tor <= 0.3.0.8, which could make it
easier to eavesdrop on Tor users' traffic. When choosing which guard to
use for a circuit, Tor avoids using a node that is in the same family
as the exit node it selected, but this check was accidentally removed
An attacker might be able to eavesdrop on Tor users' traffic by getting
in a position to analyze both the incoming and outgoing traffic of a
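
The guard/exit family check described in the advisory, shown as a simplified model. This is an added example, not Tor's code and not part of the original advisory; the `Relay` type, the function names and the relay names are assumptions, and the relay list is constructed.

```python
# Simplified model of the guard/exit family check described in the advisory.
# Not Tor's code: the Relay type, function names and relay names are
# assumptions made for this example, and all relay data is constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Relay:
    name: str
    is_guard: bool = False
    # Names of the relays this relay declares as its family.
    family: frozenset = field(default_factory=frozenset)


def same_family(a: Relay, b: Relay) -> bool:
    """Two relays share a family only if each one lists the other."""
    return a.name in b.family and b.name in a.family


def guard_candidates(relays, exit_relay, enforce_family_check=True):
    """Return the names of guards usable with exit_relay.

    enforce_family_check=False models the regression: relays in the
    exit's family are no longer excluded, so one operator can end up
    at both ends of a circuit.
    """
    out = []
    for r in relays:
        if not r.is_guard or r.name == exit_relay.name:
            continue
        if enforce_family_check and same_family(r, exit_relay):
            continue
        out.append(r.name)
    return sorted(out)


# Constructed sample: opA-guard and opA-exit are run by the same operator.
RELAYS = [
    Relay("opA-guard", is_guard=True, family=frozenset({"opA-exit"})),
    Relay("opA-exit", family=frozenset({"opA-guard"})),
    Relay("opB-guard", is_guard=True),
    # One-sided claim: opA-exit does not list it back, so it is not family.
    Relay("opC-guard", is_guard=True, family=frozenset({"opA-exit"})),
]
EXIT = RELAYS[1]

if __name__ == "__main__":
    print("check enforced:", guard_candidates(RELAYS, EXIT))
    print("check missing: ", guard_candidates(RELAYS, EXIT, False))
```
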