CVE-2017-8822
Description
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-8822
Vendor advisory: security@debian.org — https://bugs.torproject.org/24333
Vendor advisory: security@debian.org — https://bugs.torproject.org/21534
Vendor advisory: security@debian.org — https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
Vendor advisory: arch — https://security.archlinux.org/ASA-201712-10
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| arch | | fixed | 0.3.1.9-1 |
| debian | 8.0 | affected | |
| debian | 9.0 | affected | |
| debian | bookworm | fixed | 0.3.1.9-1 |
| debian | bullseye | fixed | 0.3.1.9-1 |
| debian | forky | fixed | 0.3.1.9-1 |
| debian | sid | fixed | 0.3.1.9-1 |
| debian | trixie | fixed | 0.3.1.9-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| tor_project | tor | < 0.2.5.16 | 0.2.5.16 |
References
- https://security.archlinux.org/ASA-201712-10
- https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
- https://bugs.torproject.org/21534
- https://bugs.torproject.org/24333
- https://www.debian.org/security/2017/dsa-4054
- https://security-tracker.debian.org/tracker/CVE-2017-8822
CWEs
CWE-417