Headline
CVE-2022-33903
Tor 0.4.7.x before 0.4.7.8 allows a denial of service via the wedging of RTT estimation.
Name
CVE-2022-33903
Source
CVE
Vulnerable and fixed packages
The table below lists information on source packages.

Source Package | Release                       | Version            | Status
tor (PTS)      | buster, buster (security)     | 0.3.5.16-1         | fixed
               | bullseye (security), bullseye | 0.4.5.10-1~deb11u1 | fixed
               | bookworm, sid                 | 0.4.7.8-1          | fixed
The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
tor     | source | stretch    | (not affected) |         |        |
tor     | source | buster     | (not affected) |         |        |
tor     | source | bullseye   | (not affected) |         |        |
tor     | source | (unstable) | 0.4.7.8-1      |         |        |
Notes
[bullseye] - tor <not-affected> (Only affects 0.4.7.x)
[buster] - tor <not-affected> (Only affects 0.4.7.x)
[stretch] - tor <not-affected> (Only affects 0.4.7.x)
https://bugzilla.redhat.com/show_bug.cgi?id=2099227
https://gitlab.torproject.org/tpo/core/tor/-/issues/40626
https://lists.torproject.org/pipermail/tor-announce/2022-June/000242.html
https://github.com/torproject/tor/commit/b0496d40197dd5b4fb7b694c1410082d4e34dda6 (tor-0.4.7.8)
Related news
Gentoo Linux Security Advisory 202305-11 - Multiple vulnerabilities have been found in Tor, the worst of which could result in denial of service. Versions less than 0.4.7.13 are affected.