[<prev] [next>] [<thread-prev] [month] [year] [list]
Date: Tue, 16 Dec 2008 21:31:38 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security <oss-security@...ts.openwall.com>
cc: coley@...re.org
Subject: Re: CVE Request - tor
======================================================
Name: CVE-2008-5397
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397
Reference: CONFIRM:http://blog.torproject.org/blog/tor-0.2.0.32-released
Reference: BID:32648
Reference: URL:http://www.securityfocus.com/bid/32648
Reference: SECUNIA:33025
Reference: URL:http://secunia.com/advisories/33025
Reference: XF:tor-user-privilege-escalation(47101)
Reference: URL:http://xforce.iss.net/xforce/xfdb/47101
Tor before 0.2.0.32 does not properly process the (1) User and (2)
Group configuration options, which might allow local users to gain
privileges by leveraging unintended supplementary group memberships of
the Tor process.
======================================================
Name: CVE-2008-5398
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5398
Reference: CONFIRM:http://blog.torproject.org/blog/tor-0.2.0.32-released
Reference: BID:32648
Reference: URL:http://www.securityfocus.com/bid/32648
Reference: SECUNIA:33025
Reference: URL:http://secunia.com/advisories/33025
Reference: XF:tor-clientdnsreject-security-bypass(47102)
Reference: URL:http://xforce.iss.net/xforce/xfdb/47102
Tor before 0.2.0.32 does not properly process the
ClientDNSRejectInternalAddresses configuration option in situations
where an exit relay issues a policy-based refusal of a stream, which
allows remote exit relays to have an unknown impact by mapping an
internal IP address to the destination hostname of a refused stream.
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ