Tor security advisory: clients will route traffic

The short version:
  Upgrade to

  A malicious entry node (the first Tor server in your path) can
  route traffic through your Tor client as though you're a server. It can
  only route traffic to other Tor servers though -- it can't induce any
  "exit" connections.

Versions affected:
  All versions of Tor in the 0.1.0.x series earlier than
  All versions of Tor in the 0.1.1.x series earlier than
  The experimental snapshot

  Upgrade to at least Tor If you absolutely must stay with
  the 0.1.0.x series, I've put a patched tarball for the old 0.1.0.x
  series at:

More details:

There is a bug in older versions of Tor that allows a hostile Tor server
to crash your Tor process, or route traffic through your client to the
Tor network as though it were a server. To exploit this bug, an attacker
needs to be, or to compromise, the first Tor server in one of your circuits.
(Other Tor servers on your path can't do it.)

This is a client-only bug; servers are not affected.

If you didn't upgrade when we released and said "you should
upgrade"... you should upgrade.

We'll write a more detailed advisory in a little while, after more people
have upgraded.
