CVE-2017-8822
Published: 3 December 2017
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.
From the Ubuntu security team
It was discovered that Tor could make itself part of a circuit path resulting in degraded anonymity.
Priority
Low
CVSS 3 base score: 3.7
Status
| Package | Release | Status |
|---|---|---|
|
tor Launchpad, Ubuntu, Debian |
artful |
Released
(0.3.0.13-0ubuntu1~17.10.2)
|
| bionic |
Not vulnerable
(0.3.1.9-1)
|
|
| cosmic |
Not vulnerable
(0.3.1.9-1)
|
|
| precise |
Does not exist
|
|
| trusty |
Released
(0.2.4.27-1ubuntu0.1)
|
|
| upstream |
Released
(0.2.9.14-1, 0.3.1.9-1)
|
|
| xenial |
Released
(0.2.9.14-1ubuntu1~16.04.2)
|
|
| zesty |
Ignored
(reached end-of-life)
|