Description: Tor 0.2.2.x before, when functioning as a directory mirror, does not prevent logging of the client IP address upon detection of erroneous client behavior, which might make it easier for local users to discover the identities of clients in opportunistic circumstances by reading log files.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: low

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| tor (PTS) | stretch | 0.2.9.16-1 | fixed |
| | stretch (security) | | |
| | buster, buster (security) | | |
| | bullseye (security), bullseye | 0.4.5.10-1~deb11u1 | fixed |
| | bookworm, sid | 0.4.6.8-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tor | source | lenny | (not affected) | | | |
| tor | source | (unstable) | (not affected) | | | |


- tor <not-affected> (only affects versions 0.2.2.x)
[lenny] - tor <not-affected> (only affects versions 0.2.2.x)
does not appear to be a real vulnerability?

