Roger Dingledine | 4 Aug 03:47

Tor 0.1.1.23 is released -- you should upgrade

Tor 0.1.1.23 fixes more bugs in server reachability testing, a few more
crash bugs, and an important client-side bug.

Both clients and servers are strongly encouraged to upgrade.

http://tor.eff.org/download.html

Changes in version 0.1.1.23 - 2006-07-30
  o Major bugfixes:
    - Fast Tor servers, especially exit nodes, were triggering asserts
      due to a bug in handling the list of pending DNS resolves. Some
      bugs still remain here; we're hunting them.
    - Entry guards could crash clients by sending unexpected input.
    - More fixes on reachability testing: if you find yourself reachable,
      then don't ever make any client requests (so you stop predicting
      circuits), then hup or have your clock jump, then later your IP
      changes, you won't think circuits are working, so you won't try to
      test reachability, so you won't publish.

  o Minor bugfixes:
    - Avoid a crash if the controller does a resetconf firewallports
      and then a setconf fascistfirewall=1.
    - Avoid an integer underflow when the dir authority decides whether
      a router is stable: we might wrongly label it stable, and compute
      a slightly wrong median stability, when a descriptor is published
      later than now.
    - Fix a place where we might trigger an assert if we can't build our
      own server descriptor yet.


Roger Dingledine | 29 Aug 11:29

Tor security advisory: clients will route traffic

The short version:
  Upgrade to 0.1.1.23.

Impact:
  A malicious entry node (the first Tor server in your path) can
  route traffic through your Tor client as though you're a server. It can
  only route traffic to other Tor servers though -- it can't induce any
  "exit" connections.

Versions affected:
  All versions of Tor in the 0.1.0.x series earlier than 0.1.0.18.
  All versions of Tor in the 0.1.1.x series earlier than 0.1.1.23.
  The experimental snapshot 0.1.2.1-alpha-cvs.

Solution:
  Upgrade to at least Tor 0.1.1.23. If you absolutely must stay with
  the 0.1.0.x series, I've put a patched tarball for the old 0.1.0.x
  series at:
  http://tor.eff.org/dist/tor-0.1.0.18.tar.gz
  http://tor.eff.org/dist/tor-0.1.0.18.tar.gz.asc

More details:

There is a bug in older versions of Tor that allows a hostile Tor server
to crash your Tor process, or route traffic through your client to the
Tor network as though it were a server. To exploit this bug, an attacker
needs to be or compromise the first Tor server in one of your circuits.
(Other Tor servers on your path can't do it.)

This is a client-only bug; servers are not affected.
