[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)
From: Robert Ransom <rransom.8774@xxxxxxxxx>
Date: Sat, 17 Dec 2011 02:08:36 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 16 Dec 2011 21:08:48 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=IvgUlmRJt/I++HrKscrLN0ZPk33hT4I+lKy8k67OgK0=; b=nhWRbvPnV8TczfYlsmi4aFdJdattxOxbiM7gR/qJmfgJIasHMqCoCVqGXc1GfoAKPA zmFxWjHe7+mlXVzMwHWPxyJwpD8Jg0SoE6TOYJf8xFx7io2gs+bZjY0ke+gIYR3bey5S en/amj3HgXeY3w4ErsVAdXaRzvfzG2Dv2H5oM=
In-reply-to: <85obv8xppo.fsf@xxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20111216181910.GU5308@xxxxxxxxxxxxxx> <85obv8xppo.fsf@xxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

On 2011-12-16, intrigeri <intrigeri@xxxxxxxx> wrote:
> Hi,
>
> Roger Dingledine wrote (16 Dec 2011 18:19:10 GMT) :
>> Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
>> buffers code. Absolutely everybody should upgrade.
>
>> the attacker would need to either open a SOCKS connection to
>> Tor's SocksPort (usually restricted to localhost), or target a Tor
>> instance configured to make its connections through a SOCKS proxy
>
> My understanding of the flaw makes me think users of Tails 0.9 are not
> at risk: an attacker who is able to connect to the Tor's SocksPort in
> Tails is likely to be in a position to run arbitrary code already; and
> Tails does not configure Tor to use another SOCKS proxy.
>
> Please correct me if needed.

Your understanding is correct.


Robert Ransom
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)
  - From: intrigeri

Prev by Author: Re: [tor-talk] variable speed limits on ports ...
Next by Author: Re: [tor-talk] On verifying security of Tor Routers idea
Previous by thread: Re: [tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)
Next by thread: [tor-talk] what to do with Captcha?
Index(es):
- Author
- Thread