CVE-2006-3418

Description

Tor before 0.1.1.20 does not validate that a server descriptor's fingerprint line matches its identity key, which allows remote attackers to spoof the fingerprint line, which might be trusted by users or other applications.

How to fix CVE-2006-3418

To remediate CVE-2006-3418, upgrade the affected package to a fixed version below.

• Debian/tor—upgrade to 0.1.1.20-1 or later

Is CVE-2006-3418 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 0.1.1.20-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2006-3418