Vulnerability CVE-2017-16541: Information
Description
Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP address via vectors involving a crafted web site that leverages file:// mishandling in Firefox, aka TorMoil. NOTE: Tails is unaffected.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| firefox | sisyphus | 62.0.3-alt1 | 125.0.2-alt1 | ALT-PU-2018-2423-1 | 214118 | Fixed |
| firefox | p10 | 62.0.3-alt1 | 118.0.2-alt0.p10.1 | ALT-PU-2018-2423-1 | 214118 | Fixed |
| firefox | p9 | 62.0.3-alt1 | 105.0.1-alt0.c9.1 | ALT-PU-2018-2423-1 | 214118 | Fixed |
| firefox | p8 | 62.0.3-alt0.M80P.1 | 68.0.1-alt0.M80P.1 | ALT-PU-2018-2479-1 | 214248 | Fixed |
| firefox | c10f1 | 62.0.3-alt1 | 112.0.2-alt0.p10.1 | ALT-PU-2018-2423-1 | 214118 | Fixed |
| firefox | c9f2 | 62.0.3-alt1 | 105.0.1-alt0.c9.1 | ALT-PU-2018-2423-1 | 214118 | Fixed |
| firefox | c7 | 60.6.1-alt0.M70C.1 | 60.8.0-alt0.M70C.1 | ALT-PU-2019-1726-1 | 218597 | Fixed |
| firefox-esr | sisyphus | 60.2.0-alt1 | 115.10.0-alt1 | ALT-PU-2018-2304-1 | 212803 | Fixed |
| firefox-esr | p10 | 60.2.0-alt1 | 115.10.0-alt1 | ALT-PU-2018-2304-1 | 212803 | Fixed |
| firefox-esr | p9 | 60.2.0-alt1 | 102.11.0-alt0.c9.1 | ALT-PU-2018-2304-1 | 212803 | Fixed |
| firefox-esr | p8 | 60.2.0-alt0.M80P.1 | 68.4.1-alt0.M80P.1 | ALT-PU-2018-2343-1 | 212912 | Fixed |
| firefox-esr | c10f1 | 60.2.0-alt1 | 115.9.1-alt0.c10.1 | ALT-PU-2018-2304-1 | 212803 | Fixed |
| firefox-esr | c9f2 | 60.2.0-alt1 | 102.12.0-alt0.c9.1 | ALT-PU-2018-2304-1 | 212803 | Fixed |
| thunderbird | sisyphus | 60.3.0-alt1 | 115.9.0-alt1 | ALT-PU-2018-2669-1 | 210777 | Fixed |
| thunderbird | p10 | 60.3.0-alt1 | 115.9.0-alt1 | ALT-PU-2018-2669-1 | 210777 | Fixed |
| thunderbird | p9 | 60.3.0-alt1 | 102.11.0-alt0.c9.1 | ALT-PU-2018-2669-1 | 210777 | Fixed |
| thunderbird | p8 | 60.7.2-alt0.M80P.1 | 60.8.0-alt0.M80P.1 | ALT-PU-2019-2196-1 | 216874 | Fixed |
| thunderbird | c10f1 | 60.3.0-alt1 | 115.9.0-alt0.c10.1 | ALT-PU-2018-2669-1 | 210777 | Fixed |
| thunderbird | c9f2 | 60.3.0-alt1 | 102.11.0-alt0.c9.1 | ALT-PU-2018-2669-1 | 210777 | Fixed |
| thunderbird | c7 | 60.8.0-alt0.M70C.1 | 60.8.0-alt0.M70C.1 | ALT-PU-2019-2345-1 | 234994 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
|---|---|
| https://www.wearesegment.com/research/tormoil-torbrowser-unspecified-critical-security-vulnerability/ |
|
| https://www.bleepingcomputer.com/news/security/tormoil-vulnerability-leaks-real-ip-address-from-tor-browser-users/ |
|
| https://trac.torproject.org/projects/tor/ticket/24052 |
|
| https://bugzilla.mozilla.org/show_bug.cgi?id=1412081 |
|
| https://blog.torproject.org/tor-browser-709-released |
|
| 101665 |
|
| 1041610 |
|
| RHSA-2018:2693 |
|
| RHSA-2018:2692 |
|
| GLSA-201810-01 |
|
| DSA-4327 |
|
| RHSA-2018:3403 |
|
| RHSA-2018:3458 |
|
| [debian-lts-announce] 20181112 [SECURITY] [DLA 1575-1] thunderbird security update |
|
| GLSA-201811-13 |
|