Hello!
I'm working on these releases today, and intend to publish them in about 24 hours from now.
---------- Forwarded message --------- From: Nick Mathewson nickm@torproject.org Date: Mon, Mar 8, 2021 at 10:55 AM Subject: Upcoming releases to fix denial-of-service issues in Tor To: tor-packagers@lists.torproject.org
Hello!
Early next week -- around Tuesday -- we plan to put out new Tor releases to fix a pair of denial-of-service issues that we have found. We are tracking these issues as "High" and "Medium" severity respectively under our security policy at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPoli... . We are tracking these issues as TROVE-2021-001 and TROVE-2021-002 at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE . All currently supported Tor versions are affected.
The impact of these issues is that a remote attacker participating in the directory protocol can cause a denial of service attack against Tor instances. Once the new versions are released, we will recommend that all relays and authorities should upgrade. The impact is worst for directory authorities: we have already distributed patches to the authority operators and encouraged them to upgrade.
To the best of our knowledge these vulnerabilities are not being exploited in the wild.
We'll be releasing more information about these issues after the fixes are available.
best wishes, -- Nick