CVE-2017-8822
Published: 3 December 2017
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, relays (that have incompletely downloaded descriptors) can pick themselves in a circuit path, leading to a degradation of anonymity, aka TROVE-2017-012.
From the Ubuntu security team
It was discovered that Tor could make itself part of a circuit path resulting in degraded anonymity.
Priority
CVSS 3 base score: 3.7
Status
Package | Release | Status |
---|---|---|
tor Launchpad, Ubuntu, Debian |
artful |
Released
(0.3.0.13-0ubuntu1~17.10.2)
|
bionic |
Not vulnerable
(0.3.1.9-1)
|
|
cosmic |
Not vulnerable
(0.3.1.9-1)
|
|
precise |
Does not exist
|
|
trusty |
Released
(0.2.4.27-1ubuntu0.1)
|
|
upstream |
Released
(0.2.9.14-1, 0.3.1.9-1)
|
|
xenial |
Released
(0.2.9.14-1ubuntu1~16.04.2)
|
|
zesty |
Ignored
(reached end-of-life)
|