Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug in
Debian's OpenSSL packages. All users running any 0.2.0.x version should
upgrade, whether they're running Debian or not. We will follow up with
a security advisory shortly.

https://www.torproject.org/download#Dev

Changes in version 0.2.0.26-rc - 2008-05-13
  o Major security fixes:
    - Use new V3 directory authority keys on the tor26, gabelmoo, and
      moria1 V3 directory authorities. The old keys were generated with
      a vulnerable version of Debian's OpenSSL package, and must be
      considered compromised. Other authorities' keys were not generated
      with an affected version of OpenSSL.

  o Major bugfixes:
    - List authority signatures as "unrecognized" based on DirServer
      lines, not on cert cache. Bugfix on 0.2.0.x.

  o Minor features:
    - Add a new V3AuthUseLegacyKey option to make it easier for
      authorities to change their identity keys if they have to.