oss-sec mailing list archives

Re: CVE Request - tor

From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 16 Dec 2008 21:31:38 -0500 (EST)


======================================================
Name: CVE-2008-5397
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5397
Reference: CONFIRM:http://blog.torproject.org/blog/tor-0.2.0.32-released
Reference: BID:32648
Reference: URL:http://www.securityfocus.com/bid/32648
Reference: SECUNIA:33025
Reference: URL:http://secunia.com/advisories/33025
Reference: XF:tor-user-privilege-escalation(47101)
Reference: URL:http://xforce.iss.net/xforce/xfdb/47101

Tor before 0.2.0.32 does not properly process the (1) User and (2)
Group configuration options, which might allow local users to gain
privileges by leveraging unintended supplementary group memberships of
the Tor process.


======================================================
Name: CVE-2008-5398
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5398
Reference: CONFIRM:http://blog.torproject.org/blog/tor-0.2.0.32-released
Reference: BID:32648
Reference: URL:http://www.securityfocus.com/bid/32648
Reference: SECUNIA:33025
Reference: URL:http://secunia.com/advisories/33025
Reference: XF:tor-clientdnsreject-security-bypass(47102)
Reference: URL:http://xforce.iss.net/xforce/xfdb/47102

Tor before 0.2.0.32 does not properly process the
ClientDNSRejectInternalAddresses configuration option in situations
where an exit relay issues a policy-based refusal of a stream, which
allows remote exit relays to have an unknown impact by mapping an
internal IP address to the destination hostname of a refused stream.

Current thread:

CVE Request - tor Jan Lieskovsky (Dec 08)
- Re: CVE Request - tor Steven M. Christey (Dec 16)