FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

security/tor -- SOCKS4(a) inversion bug

Affected packages
tor < 0.4.7.13

Details

VuXML ID 847f16e5-9406-11ed-a925-3065ec8fd3ec
Discovery 2023-01-12
Entry 2023-01-14

The Tor Project reports:

TROVE-2022-002: The SafeSocks option for SOCKS4(a) is inverted leading to SOCKS4 going through

This is a report from hackerone:
We have classified this as medium considering that tor was not defending in-depth for dangerous SOCKS requests and so any user relying on SafeSocks 1 to make sure they don't link DNS leak and their Tor traffic wasn't safe after all for SOCKS4(a). Tor Browser doesn't use SafeSocks 1 and SOCKS4 so at least the likely vast majority of users are not affected.
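
The distinction SafeSocks depends on, as an added example (not part of the Tor Project report and not tor's source code): a SOCKS4 request carries only an IP address, so the application has already resolved the name locally, while a SOCKS4a request carries the hostname for remote resolution. The `inverted_allows` function is a model of the behaviour the advisory describes, assuming the SOCKS4/SOCKS4a test was swapped; all function names and sample requests are constructed for illustration.

```python
import ipaddress
import struct

def parse_socks4(req: bytes):
    """Parse a SOCKS4 or SOCKS4a request; return (variant, host, port)."""
    if len(req) < 9 or req[0] != 4:
        raise ValueError("not a SOCKS4 request")
    port = struct.unpack("!H", req[2:4])[0]
    ip = req[4:8]
    userid_end = req.find(b"\x00", 8)          # USERID is NUL-terminated
    if userid_end == -1:
        raise ValueError("unterminated USERID")
    # SOCKS4a marks "hostname follows" with DSTIP 0.0.0.x, x != 0.
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
        host_end = req.find(b"\x00", userid_end + 1)
        if host_end in (-1, userid_end + 1):
            raise ValueError("missing or unterminated hostname")
        return "socks4a", req[userid_end + 1:host_end].decode("ascii"), port
    return "socks4", str(ipaddress.IPv4Address(ip)), port

def safesocks_allows(variant: str, safe_socks: bool) -> bool:
    """Intended policy: SafeSocks 1 rejects requests that carry only an IP."""
    return not (safe_socks and variant == "socks4")

def inverted_allows(variant: str, safe_socks: bool) -> bool:
    """Assumed model of the bug: the test is swapped, so SOCKS4 goes through."""
    return not (safe_socks and variant == "socks4a")

def decide(req: bytes, safe_socks: bool, policy) -> tuple:
    """Return (variant, host, allowed) for one request under a policy."""
    variant, host, _port = parse_socks4(req)
    return variant, host, policy(variant, safe_socks)

# Constructed sample requests (not captured traffic).
SOCKS4_REQ = (b"\x04\x01" + struct.pack("!H", 80)
              + bytes([192, 0, 2, 10]) + b"user\x00")
SOCKS4A_REQ = (b"\x04\x01" + struct.pack("!H", 443)
               + b"\x00\x00\x00\x01" + b"user\x00" + b"example.com\x00")

if __name__ == "__main__":
    for name, policy in (("intended", safesocks_allows),
                         ("inverted", inverted_allows)):
        for req in (SOCKS4_REQ, SOCKS4A_REQ):
            print(name, decide(req, True, policy))
```

With SafeSocks set to 1, the intended policy rejects the IP-only request and accepts the hostname request; the inverted model does the opposite, which is the exposure the report describes for users who relied on that setting.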

References

URL https://gitlab.torproject.org/tpo/core/tor/-/issues/40730
URL https://hackerone.com/bugs?subject=torproject&report_id=1784589