Tor security advisory: clients will route traffic

The short version:
  Upgrade to 0.1.1.23.

Impact:
  A malicious entry node (the first Tor server in your path) can
  route traffic through your Tor client as though you're a server. It can
  only route traffic to other Tor servers though -- it can't induce any
  "exit" connections.

Versions affected:
  All versions of Tor in the 0.1.0.x series earlier than 0.1.0.18.
  All versions of Tor in the 0.1.1.x series earlier than 0.1.1.23.
  The experimental snapshot 0.1.2.1-alpha-cvs.
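
As an added example (not part of Roger's advisory or the Tor code base), a small Python checker that applies the affected-version list above to an inventory of Tor client versions; the inventory line format and hostnames are constructed, and versions the advisory does not mention are reported as unlisted rather than assumed safe.

```python
import re

# Affected ranges as stated in the advisory: everything in a series below
# the first fixed release. Constructed lookup table, not Tor project code.
FIRST_FIXED = {(0, 1, 0): (0, 1, 0, 18), (0, 1, 1): (0, 1, 1, 23)}
AFFECTED_SNAPSHOT = "0.1.2.1-alpha-cvs"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.-]+))?")


def parse_version(text):
    """Split '0.1.1.22' or '0.1.2.1-alpha-cvs' into (numeric tuple, tag)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tor version: {text!r}")
    return tuple(int(x) for x in m.group(1, 2, 3, 4)), m.group(5)


def is_affected(text):
    """True/False for versions the advisory covers, None for anything it
    does not list (old 0.0.x builds, other 0.1.2.x snapshots)."""
    nums, _tag = parse_version(text)
    if text.strip() == AFFECTED_SNAPSHOT:
        return True
    fixed = FIRST_FIXED.get(nums[:3])
    if fixed is None:
        return None
    # Pre-release tags are ignored: only the numeric part is compared.
    return nums < fixed


def audit(inventory):
    """inventory: iterable of 'host version' lines (constructed format).
    Returns {host: 'affected' | 'ok' | 'unlisted'}."""
    verdict = {True: "affected", False: "ok", None: "unlisted"}
    report = {}
    for line in inventory:
        host, version = line.split()
        report[host] = verdict[is_affected(version)]
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["client-a 0.1.1.22", "client-b 0.1.1.23",
              "client-c 0.1.0.17", "client-d 0.1.2.1-alpha-cvs",
              "client-e 0.0.9.10"]
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```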

Solution:
  Upgrade to at least Tor 0.1.1.23. If you absolutely must stay with
  the 0.1.0.x series, I've put a patched tarball for the old 0.1.0.x
  series at:
  http://tor.eff.org/dist/tor-0.1.0.18.tar.gz
  http://tor.eff.org/dist/tor-0.1.0.18.tar.gz.asc

More details:

There is a bug in older versions of Tor that allows a hostile Tor server
to crash your Tor process, or route traffic through your client to the
Tor network as though it were a server. To exploit this bug, an attacker
needs to be or compromise the first Tor server in one of your circuits.
(Other Tor servers on your path can't do it.)

This is a client-only bug; servers are not affected.

If you didn't upgrade when we released 0.1.1.23 and said "you should
upgrade"... you should upgrade.

We'll write a more detailed advisory in a little while, after more people
have upgraded.

--Roger
