First published: Mon Mar 05 2018
An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority protocol-list subprotocol implementation allows remote attackers to cause a denial of service (NULL pointer dereference and directory-authority crash) via a misformatted relay descriptor that is mishandled during voting.
Credit: security@debian.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/tor | 0.3.5.16-1 0.3.5.16-1+deb10u1 0.4.5.16-1 0.4.7.13-1 0.4.8.7-1 | |
Torproject Tor | <=0.2.9.14 | |
Torproject Tor | >=0.3.1.7 <=0.3.1.9 | |
Torproject Tor | =0.3.1.1-alpha | |
Torproject Tor | =0.3.1.2-alpha | |
Torproject Tor | =0.3.1.3-alpha | |
Torproject Tor | =0.3.1.4-alpha | |
Torproject Tor | =0.3.1.5-alpha | |
Torproject Tor | =0.3.1.6-rc | |
Torproject Tor | =0.3.2.1-alpha | |
Torproject Tor | =0.3.2.2-alpha | |
Torproject Tor | =0.3.2.3-alpha | |
Torproject Tor | =0.3.2.4-alpha | |
Torproject Tor | =0.3.2.5-alpha | |
Torproject Tor | =0.3.2.6-alpha | |
Torproject Tor | =0.3.2.7-rc | |
Torproject Tor | =0.3.2.8-rc | |
Torproject Tor | =0.3.2.9 | |
Debian Debian Linux | =9.0 | |
CVE-2018-0490 is a vulnerability in Tor's directory-authority protocol-list subprotocol implementation that allows remote attackers to cause a denial of service via a misformatted relay descriptor, resulting in a NULL pointer dereference and directory-authority crash.
The severity of CVE-2018-0490 is high, with a CVSS score of 7.5.
CVE-2018-0490 can cause a denial of service, leading to a crash of the Tor directory authority.
To fix CVE-2018-0490, it is recommended to update Tor to version 0.3.5.16-1 or later.
You can find more information about CVE-2018-0490 in the Tor Project's ticket and blog post, as well as the Git commit related to the vulnerability.