ASA-201707-8 generated external raw

[ASA-201707-8] tor: session hijacking
Arch Linux Security Advisory ASA-201707-8 ========================================= Severity: Medium Date : 2017-07-11 CVE-ID : CVE-2017-0377 Package : tor Type : session hijacking Remote : Yes Link : Summary ======= The package <a href="/package/tor">tor</a> before version is vulnerable to session hijacking. Resolution ========== Upgrade to # pacman -Syu "tor>=" The problem has been fixed upstream in version Workaround ========== None. Description =========== A security issue has been found in <a href="/package/tor">Tor</a> <=, which could make it easier to eavesdrop on <a href="/package/tor">Tor</a> users' traffic. When choosing which guard to use for a circuit, <a href="/package/tor">Tor</a> avoids using a node that is in the same family that the exit node it selected, but this check was accidentally removed in 0.3.0. Impact ====== An attacker might be able to eavesdrop on <a href="/package/tor">Tor</a> users' traffic by getting in a position to analyze both the incoming and outgoing traffic of a circuit. References ==========