[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)
From: intrigeri <intrigeri@xxxxxxxx>
Date: Fri, 16 Dec 2011 20:48:35 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 16 Dec 2011 14:49:13 -0500
In-reply-to: <20111216181910.GU5308@xxxxxxxxxxxxxx> (Roger Dingledine's message of "Fri, 16 Dec 2011 13:19:10 -0500")
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20111216181910.GU5308@xxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Roundcube Webmail/0.5.1

Hi,

Roger Dingledine wrote (16 Dec 2011 18:19:10 GMT) :
> Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
> buffers code. Absolutely everybody should upgrade.

> the attacker would need to either open a SOCKS connection to
> Tor's SocksPort (usually restricted to localhost), or target a Tor
> instance configured to make its connections through a SOCKS proxy

My understanding of the flaw makes me think users of Tails 0.9 are not
at risk: an attacker who is able to connect to the Tor's SocksPort in
Tails is likely to be in a position to run arbitrary code already; and
Tails does not configure Tor to use another SOCKS proxy.

Please correct me if needed.

Cheers,
--
  intrigeri <intrigeri@xxxxxxxx>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
  | We're dreaming of something else.
  | Something more clandestine, something happier.
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)
  - From: Robert Ransom

Prev by Author: Re: [tor-talk] Did we decide about bad exits ? Where does bittorrent fall ?
Next by Author: Re: [tor-talk] janusvm still safe?
Previous by thread: Re: [tor-talk] Tor experiments with IPv6
Next by thread: Re: [tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)
Index(es):
- Author
- Thread