[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Upcoming releases next week to fix denial-of-service bugs in Tor

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Upcoming releases next week to fix denial-of-service bugs in Tor
From: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Mon, 8 Mar 2021 10:54:44 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 08 Mar 2021 10:55:39 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

Hello!

Early next week -- around Tuesday -- we plan to put out new Tor
releases to fix a pair of denial-of-service issues that we have found.
  We are tracking these issues as "High" and "Medium" severity
respectively under our security policy at
https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy
.  We are tracking these issues as TROVE-2021-001 and TROVE-2021-002
at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
.  All currently supported Tor versions are affected.

The impact of these issues is that a remote attacker participating in
the directory protocol can cause a denial of service attack against
Tor instances. Once the new versions are released, we will recommend
that all relays and authorities should upgrade.  The impact is worst
for directory authorities: we have already distributed patches to the
authority operators and encouraged them to upgrade.

To the best of our knowledge these vulnerabilities are not being
supported in the wild.

We'll be releasing more information about these issues after the fixes
are available.

best wishes,
-- 
Nick
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Upcoming releases next week to fix denial-of-service bugs in Tor
  - From: Nick Mathewson

Prev by Author: [tor-talk] Tor 0.4.6.1-alpha is released
Next by Author: [tor-talk] Onion available does not appear in http version
Next by thread: Re: [tor-talk] Upcoming releases next week to fix denial-of-service bugs in Tor
Index(es):
- Author
- Thread