The short version: Upgrade to 0.1.1.23.

Impact: A malicious entry node (the first Tor server in your path) can route traffic through your Tor client as though you're a server. It can only route traffic to other Tor servers though -- it can't induce any "exit" connections.

Versions affected:
  All versions of Tor in the 0.1.0.x series earlier than 0.1.0.18.
  All versions of Tor in the 0.1.1.x series earlier than 0.1.1.23.
  The experimental snapshot 0.1.2.1-alpha-cvs.

Solution: Upgrade to at least Tor 0.1.1.23. If you absolutely must stay with the 0.1.0.x series, I've put a patched tarball for the old 0.1.0.x series at:
  http://tor.eff.org/dist/tor-0.1.0.18.tar.gz
  http://tor.eff.org/dist/tor-0.1.0.18.tar.gz.asc

More details:

There is a bug in older versions of Tor that allows a hostile Tor server to crash your Tor process, or route traffic through your client to the Tor network as though it were a server. To exploit this bug, an attacker needs to be or compromise the first Tor server in one of your circuits. (Other Tor servers on your path can't do it.)

This is a client-only bug; servers are not affected.

If you didn't upgrade when we released 0.1.1.23 and said "you should upgrade"... you should upgrade.

We'll write a more detailed advisory in a little while, after more people have upgraded.

--Roger
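A version check derived from the affected ranges in the message above, added here as an example; it is not code from the Tor project or from the advisory. The three ranges are copied from the text. Two things are assumptions: that `tor --version` prints a banner of the form "Tor version 0.1.1.22." (the parser also accepts a bare version string), and that a tagged build carrying the fixed version number (for example "0.1.1.23-rc") predates the plain release and is therefore reported as affected. A series the advisory does not mention (0.0.9.x, or a 0.1.2 snapshot other than the one named) is reported as "not covered", not as safe.

```python
"""Check a Tor version string against the ranges given in the advisory.

Added example, not code from the Tor project or from the advisory.
The affected ranges are copied from the advisory text; the banner
format "Tor version 0.1.1.22." for `tor --version` is an assumption,
as is treating a pre-release tag on the fixed version number
(e.g. "0.1.1.23-rc") as earlier than, and so affected like, the release.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# From the advisory: series prefix -> first fixed version in that series.
FIXED_IN_SERIES = {
    (0, 1, 0): (0, 1, 0, 18),
    (0, 1, 1): (0, 1, 1, 23),
}
# Named snapshots the advisory lists as affected.
AFFECTED_SNAPSHOTS = {"0.1.2.1-alpha-cvs"}

# Four dotted numbers, optionally followed by a "-tag" such as -alpha-cvs.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_tor_version(text: str) -> Optional[Tuple[Tuple[int, int, int, int], str]]:
    """Return ((a, b, c, d), tag) for the first version found in text, else None.

    Accepts a bare "0.1.2.1-alpha-cvs" as well as the assumed banner
    "Tor version 0.1.1.22." (the trailing period is not part of the version).
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    numbers = tuple(int(g) for g in m.groups()[:4])
    tag = m.group(5) or ""
    return numbers, tag


def classify(text: str) -> str:
    """Classify a version as "affected", "fixed" or "not covered".

    "not covered" means the advisory says nothing about that series; it is
    not a statement that the version is safe.
    """
    parsed = parse_tor_version(text)
    if parsed is None:
        raise ValueError(f"no Tor version found in {text!r}")
    numbers, tag = parsed
    canonical = ".".join(str(n) for n in numbers) + (f"-{tag}" if tag else "")
    if canonical in AFFECTED_SNAPSHOTS:
        return "affected"
    fixed = FIXED_IN_SERIES.get(numbers[:3])
    if fixed is None:
        return "not covered"
    if numbers < fixed:
        return "affected"
    if numbers == fixed and tag:
        # Assumption: a tagged build of the fixed number (e.g. -rc) predates
        # the release, so treat it as still vulnerable.
        return "affected"
    return "fixed"


def installed_tor_version() -> Optional[str]:
    """Return the first line of `tor --version` if tor is on PATH, else None."""
    tor = shutil.which("tor")
    if tor is None:
        return None
    out = subprocess.run([tor, "--version"], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()[0] if out.stdout else None


if __name__ == "__main__":
    banner = installed_tor_version()
    if banner is None:
        # Constructed sample banner, used only when tor is not installed.
        banner = "Tor version 0.1.1.22."
    print(f"{banner.strip()} -> {classify(banner)}")
```

If you take the patched 0.1.0.18 tarball instead of moving to 0.1.1.23, the `.asc` file next to it is a detached signature; check it with `gpg --verify tor-0.1.0.18.tar.gz.asc tor-0.1.0.18.tar.gz` against the release key before building.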