
Tor is out

Tor fixes a major security vulnerability caused by a bug in
Debian's OpenSSL packages. All users running any 0.2.0.x version should
upgrade, whether they're running Debian or not. We will follow up with
a security advisory shortly.


Changes in version - 2008-05-13
  o Major security fixes:
    - Use new V3 directory authority keys on the tor26, gabelmoo, and
      moria1 V3 directory authorities. The old keys were generated with
      a vulnerable version of Debian's OpenSSL package, and must be
      considered compromised. Other authorities' keys were not generated
      with an affected version of OpenSSL.

  o Major bugfixes:
    - List authority signatures as "unrecognized" based on DirServer
      lines, not on cert cache. Bugfix on 0.2.0.x.

  o Minor features:
    - Add a new V3AuthUseLegacyKey option to make it easier for
      authorities to change their identity keys if they have to.
