Tor security advisory: clients will route traffic
Roger Dingledine
arma at mit.edu
Tue Aug 29 09:29:39 UTC 2006
The short version:
Upgrade to 0.1.1.23.
Impact:
A malicious entry node (the first Tor server in your path) can
route traffic through your Tor client as though you're a server. It can
only route traffic to other Tor servers though -- it can't induce any
"exit" connections.
Versions affected:
All versions of Tor in the 0.1.0.x series earlier than 0.1.0.18.
All versions of Tor in the 0.1.1.x series earlier than 0.1.1.23.
The experimental snapshot 0.1.2.1-alpha-cvs.
Solution:
Upgrade to at least Tor 0.1.1.23. If you absolutely must stay with
the 0.1.0.x series, I've put a patched tarball for the old 0.1.0.x
series at:
http://tor.eff.org/dist/tor-0.1.0.18.tar.gz
http://tor.eff.org/dist/tor-0.1.0.18.tar.gz.asc
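As an added illustration, not part of Roger's advisory, here are the affected-version rules above turned into a check that can be run over an inventory of client version strings. The version-string format (four numbers plus an optional "-tag" suffix), the conservative treatment of a tagged pre-release of the fix version, and the sample inventory are assumptions, not advisory text.

```python
import re

# Fix versions and the one affected snapshot, as listed in this advisory.
FIXED = {(0, 1, 0): (0, 1, 0, 18), (0, 1, 1): (0, 1, 1, 23)}
AFFECTED_SNAPSHOT = "0.1.2.1-alpha-cvs"

# Accepts "0.1.1.22" or "0.1.2.1-alpha-cvs"; the suffix handling is an
# assumption about how Tor formats pre-release versions.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9.-]+))?$")

def parse_version(text):
    """Return ((major, minor, micro, patch), tag) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    return tuple(int(g) for g in m.groups()[:4]), (m.group(5) or "")

def classify(text):
    """'affected', 'fixed', 'not-listed' (series the advisory does not
    name) or 'unparseable'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    nums, tag = parsed
    if text.strip() == AFFECTED_SNAPSHOT:
        return "affected"
    fixed = FIXED.get(nums[:3])
    if fixed is None:
        return "not-listed"
    if nums < fixed:
        return "affected"
    # A tagged pre-release of the fix version itself is treated conservatively
    # as affected; that is an assumption, not something the advisory states.
    if nums == fixed and tag:
        return "affected"
    return "fixed"

def triage(lines):
    """From 'host version' lines, return hosts that need the upgrade
    (unparseable versions are included so they get a manual look)."""
    needs_upgrade = []
    for line in lines:
        host, _, version = line.strip().partition(" ")
        if classify(version) in ("affected", "unparseable"):
            needs_upgrade.append(host)
    return needs_upgrade

# Constructed sample inventory; hostnames are placeholders.
SAMPLE = ["clientA 0.1.0.17", "clientB 0.1.1.23", "clientC 0.1.2.1-alpha-cvs",
          "clientD 0.1.1.22", "clientE garbage"]
```

Running triage(SAMPLE) flags clientA, clientC, clientD and clientE; only clientB, already on 0.1.1.23, is left alone.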
More details:
There is a bug in older versions of Tor that allows a hostile Tor server
to crash your Tor process, or route traffic through your client to the
Tor network as though it were a server. To exploit this bug, an attacker
needs to be or compromise the first Tor server in one of your circuits.
(Other Tor servers on your path can't do it.)
This is a client-only bug; servers are not affected.
If you didn't upgrade when we released 0.1.1.23 and said "you should
upgrade"... you should upgrade.
We'll write a more detailed advisory in a little while, after more people
have upgraded.
--Roger