funsec mailing list archives
FWD: Tor security advisory: clients will route traffic
From: "Fergie" <fergdawg () netzero net>
Date: Tue, 29 Aug 2006 15:05:17 GMT
Via the or-announce mailing list.

[snip]

The short version: Upgrade to 0.1.1.23.

Impact: A malicious entry node (the first Tor server in your path) can route traffic through your Tor client as though you're a server. It can only route traffic to other Tor servers though -- it can't induce any "exit" connections.

Versions affected:
All versions of Tor in the 0.1.0.x series earlier than 0.1.0.18.
All versions of Tor in the 0.1.1.x series earlier than 0.1.1.23.
The experimental snapshot 0.1.2.1-alpha-cvs.

Solution: Upgrade to at least Tor 0.1.1.23. If you absolutely must stay with the 0.1.0.x series, I've put a patched tarball for the old 0.1.0.x series at:
http://tor.eff.org/dist/tor-0.1.0.18.tar.gz
http://tor.eff.org/dist/tor-0.1.0.18.tar.gz.asc

More details: There is a bug in older versions of Tor that allows a hostile Tor server to crash your Tor process, or route traffic through your client to the Tor network as though it were a server. To exploit this bug, an attacker needs to be or compromise the first Tor server in one of your circuits. (Other Tor servers on your path can't do it.) This is a client-only bug; servers are not affected.

If you didn't upgrade when we released 0.1.1.23 and said "you should upgrade"... you should upgrade.

We'll write a more detailed advisory in a little while, after more people have upgraded.

--Roger

[snip]

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
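The "Versions affected" ranges in the forwarded advisory, turned into a fleet check that a practitioner could run over an inventory of reported Tor versions. This is an added example, not Tor project code and not part of the original post: the host/version inventory is constructed sample data, the version-string shape (`a.b.c.d[-tag]`) is assumed from the versions the advisory names, and 0.1.2.x builds later than the named `0.1.2.1-alpha-cvs` snapshot are reported as "unknown" because the advisory does not say anything about them (an assumption, not advisory text).

```python
import re
from typing import List, Optional, Tuple

# Added example, not Tor project code. It encodes the "Versions affected"
# list from the advisory above; the inventory below is constructed sample data.

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.-]+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int, int], str]:
    """Split a Tor version such as '0.1.2.1-alpha-cvs' into
    ((0, 1, 2, 1), 'alpha-cvs'); a plain release gets an empty tag."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tor version string: {text!r}")
    a, b, c, d, tag = m.groups()
    return (int(a), int(b), int(c), int(d)), (tag or "")


def is_affected(text: str) -> Optional[bool]:
    """True if the advisory lists the version as vulnerable, False if it is
    at or past the fix for its series, None if the advisory does not cover it."""
    (major, minor, micro, patch), tag = parse_version(text)
    series = (major, minor, micro)
    if series == (0, 1, 0):
        return patch < 18            # 0.1.0.18 is the patched tarball
    if series == (0, 1, 1):
        return patch < 23            # 0.1.1.23 carries the fix
    if series == (0, 1, 2):
        # The advisory names only the 0.1.2.1-alpha-cvs snapshot. Anything at
        # or before it is flagged; later 0.1.2.x builds are not covered by the
        # text, so they are reported as unknown (assumption, not advisory text).
        if patch < 1 or (patch == 1 and tag.startswith("alpha")):
            return True
        return None
    return None                      # 0.0.x, 0.2.x and later: not listed


# Constructed inventory of (hostname, reported version); not real hosts.
INVENTORY: List[Tuple[str, str]] = [
    ("client-a", "0.1.1.22"),
    ("client-b", "0.1.1.23"),
    ("client-c", "0.1.0.17"),
    ("client-d", "0.1.0.18"),
    ("client-e", "0.1.2.1-alpha-cvs"),
    ("client-f", "0.1.2.2-alpha"),
    ("client-g", "not-a-version"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) per host; verdict is one of
    'upgrade', 'ok', 'unknown' or 'unparseable'."""
    out = []
    for host, ver in inventory:
        try:
            flag = is_affected(ver)
        except ValueError:
            out.append((host, ver, "unparseable"))
            continue
        verdict = "upgrade" if flag else ("ok" if flag is False else "unknown")
        out.append((host, ver, verdict))
    return out


if __name__ == "__main__":
    for host, ver, verdict in triage(INVENTORY):
        print(f"{host:10} {ver:20} {verdict}")
```

Unparseable strings and versions outside the listed series are kept distinct from "ok" on purpose: a scanner that silently treats "could not tell" as "patched" is how affected clients stay in a fleet.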