funsec mailing list archives

FWD: Tor security advisory: clients will route traffic


From: "Fergie" <fergdawg () netzero net>
Date: Tue, 29 Aug 2006 15:05:17 GMT

Via the or-announce mailing list.

[snip]

The short version:
  Upgrade to 0.1.1.23.

Impact:
  A malicious entry node (the first Tor server in your path) can
  route traffic through your Tor client as though you're a server. It can
  only route traffic to other Tor servers though -- it can't induce any
  "exit" connections.

Versions affected:
  All versions of Tor in the 0.1.0.x series earlier than 0.1.0.18.
  All versions of Tor in the 0.1.1.x series earlier than 0.1.1.23.
  The experimental snapshot 0.1.2.1-alpha-cvs.

Solution:
  Upgrade to at least Tor 0.1.1.23. If you absolutely must stay with
  the 0.1.0.x series, I've put a patched tarball for the old 0.1.0.x
  series at:
  http://tor.eff.org/dist/tor-0.1.0.18.tar.gz
  http://tor.eff.org/dist/tor-0.1.0.18.tar.gz.asc

More details:

There is a bug in older versions of Tor that allows a hostile Tor server
to crash your Tor process, or route traffic through your client to the
Tor network as though it were a server. To exploit this bug, an attacker
needs to be or compromise the first Tor server in one of your circuits.
(Other Tor servers on your path can't do it.)

This is a client-only bug; servers are not affected.

If you didn't upgrade when we released 0.1.1.23 and said "you should
upgrade"... you should upgrade.

We'll write a more detailed advisory in a little while, after more people
have upgraded.

--Roger

[snip]
--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
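As an added example, not part of the forwarded advisory or of the Tor project's own code, the Python below turns the "Versions affected" list above into a check that can be run over a constructed inventory of client version strings. The regular expression, the function names, the sample inventory and the decision to treat a tagged build at the fix number (such as an "-rc") as "earlier than" the plain release are my assumptions; the version ranges themselves are copied from the advisory.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Affected ranges transcribed from the advisory: for each (major, minor, micro)
# series, every patch level below the listed value is vulnerable.
AFFECTED_SERIES = {
    (0, 1, 0): 18,   # 0.1.0.x earlier than 0.1.0.18
    (0, 1, 1): 23,   # 0.1.1.x earlier than 0.1.1.23
}
# The advisory also names one experimental snapshot explicitly.
AFFECTED_SNAPSHOTS = {"0.1.2.1-alpha-cvs"}
RECOMMENDED = "0.1.1.23"


class TorVersion(NamedTuple):
    numbers: Tuple[int, ...]   # e.g. (0, 1, 1, 22)
    tag: str                   # e.g. "alpha-cvs", or "" for a plain release


# Optional "Tor " prefix, four dotted numbers, optional "-<tag>" (assumed format).
_VERSION_RE = re.compile(r"^(?:tor[ -])?(\d+(?:\.\d+){3})(?:-([a-z0-9.-]+))?$", re.I)


def parse_tor_version(text: str) -> Optional[TorVersion]:
    """Parse strings such as '0.1.1.22', 'Tor 0.1.0.17' or '0.1.2.1-alpha-cvs'.
    Returns None for anything that is not a four-part Tor version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return TorVersion(numbers, (m.group(2) or "").lower())


def is_affected(text: str) -> bool:
    """True when the version falls inside a range the advisory lists."""
    v = parse_tor_version(text)
    if v is None:
        return False   # unparseable: flag for manual inspection elsewhere
    plain = ".".join(str(n) for n in v.numbers)
    if plain + ("-" + v.tag if v.tag else "") in AFFECTED_SNAPSHOTS:
        return True
    series, patch = v.numbers[:3], v.numbers[3]
    if series not in AFFECTED_SERIES:
        return False   # series not named by the advisory
    fixed = AFFECTED_SERIES[series]
    if patch < fixed:
        return True
    # Assumption: a tagged build at the fix number (e.g. '0.1.1.23-rc') predates
    # the plain release and is therefore still "earlier than" it.
    return patch == fixed and v.tag != ""


def scan_inventory(lines: List[str]) -> List[Tuple[str, str]]:
    """Given 'hostname <version>' lines, return the (host, version) pairs that
    should be upgraded to RECOMMENDED. Blank lines and '#' comments are skipped."""
    needs_upgrade = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue   # no version reported for this host
        host, version = parts
        if is_affected(version):
            needs_upgrade.append((host, version))
    return needs_upgrade


# Constructed sample inventory; hosts and versions are made up for this example.
SAMPLE_INVENTORY = """\
# host        reported Tor version
client-a      0.1.1.22
client-b      0.1.1.23
client-c      0.1.0.17
client-d      Tor 0.1.0.18
client-e      0.1.2.1-alpha-cvs
client-f      not-a-version
""".splitlines()


if __name__ == "__main__":
    for host, version in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {version} is affected, upgrade to {RECOMMENDED}")
```

Running the block prints the three constructed hosts whose versions fall inside the advisory's ranges; unparseable strings are deliberately not reported as affected, so in a real inventory they should be listed separately rather than silently treated as patched.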


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.