CVE-2019-8955

Name
CVE-2019-8955
Description
In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://trac.torproject.org/projects/tor/ticket/29168
Vendor Advisory https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312
Third Party Advisory http://www.securityfocus.com/bid/107136
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00013.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:torproject:tor:0.3.4.5:rc:*:*:*:*:*:* tor == None == 0.3.4.5
cpe:2.3:a:torproject:tor:0.3.4.6:rc:*:*:*:*:*:* tor == None == 0.3.4.6
cpe:2.3:a:torproject:tor:0.3.5.4:alpha:*:*:*:*:*:* tor == None == 0.3.5.4
cpe:2.3:a:torproject:tor:0.3.5.5:alpha:*:*:*:*:*:* tor == None == 0.3.5.5
cpe:2.3:a:torproject:tor:0.3.4.1:alpha:*:*:*:*:*:* tor == None == 0.3.4.1
cpe:2.3:a:torproject:tor:0.3.4.2:alpha:*:*:*:*:*:* tor == None == 0.3.4.2
cpe:2.3:a:torproject:tor:0.3.5.0:alpha-dev:*:*:*:*:*:* tor == None == 0.3.5.0
cpe:2.3:a:torproject:tor:0.3.5.1:alpha:*:*:*:*:*:* tor == None == 0.3.5.1
cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:* tor >= None < 0.3.3.12
cpe:2.3:a:torproject:tor:0.3.4.0:alpha-dev:*:*:*:*:*:* tor == None == 0.3.4.0
cpe:2.3:a:torproject:tor:0.3.4.7:rc:*:*:*:*:*:* tor == None == 0.3.4.7
cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:* tor >= 0.3.4.8 < 0.3.4.11
cpe:2.3:a:torproject:tor:0.3.5.6:rc:*:*:*:*:*:* tor == None == 0.3.5.6
cpe:2.3:a:torproject:tor:0.3.5.7:*:*:*:*:*:*:* tor == None == 0.3.5.7
cpe:2.3:a:torproject:tor:0.4.0.1:alpha:*:*:*:*:*:* tor == None == 0.4.0.1
cpe:2.3:a:torproject:tor:0.3.4.3:alpha:*:*:*:*:*:* tor == None == 0.3.4.3
cpe:2.3:a:torproject:tor:0.3.4.4:rc:*:*:*:*:*:* tor == None == 0.3.4.4
cpe:2.3:a:torproject:tor:0.3.5.2:alpha:*:*:*:*:*:* tor == None == 0.3.5.2
cpe:2.3:a:torproject:tor:0.3.5.3:alpha:*:*:*:*:*:* tor == None == 0.3.5.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
tor edge-community 0.3.5.8-r0 None fixed
tor edge-community 0.3.2.10-r0 None possibly vulnerable
tor edge-community 0.3.0.8-r0 None possibly vulnerable
tor 3.22-community 0.3.5.8-r0 None fixed
tor 3.22-community 0.3.2.10-r0 None possibly vulnerable
tor 3.22-community 0.3.0.8-r0 None possibly vulnerable
tor 3.21-community 0.3.5.8-r0 None fixed
tor 3.20-community 0.3.5.8-r0 None fixed
tor 3.19-community 0.3.5.8-r0 None fixed
tor 3.18-community 0.3.5.8-r0 None fixed
tor 3.17-community 0.3.5.8-r0 None fixed