Greetings!
Sorry for the short notice but we had to act fast on this one. Either today or tomorrow, we'll release 0.4.7.8 with an important security fix. This is tracked with TROVE-2022-001[0] and at the moment considered "High" severity.
We won't disclose just yet the nature of the issue but we believe it can easily be exploited remotely for all tor network components (service, client, relay, authority) hence the choice of severity.
Once the new version is released, we will recommend everyone on the 0.4.7.x series to upgrade immediately including Tor Browser.
It is unknown if this vulnerability is being exploited in the wild but we know it is being triggered (intentionally or not) on the network at the moment.
We'll be releasing more information about this issue after the release.
Thank you all for your precious work and help!
David
[0] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
On 16 Jun (08:52:23), David Goulet wrote:
> Greetings!
Hi again!
We've just uploaded the tarballs a few minutes ago. I will do an official announcement on our Forum soon but wanted to give you a heads up.
https://dist.torproject.org/tor-0.4.7.8.tar.gz
https://dist.torproject.org/tor-0.4.7.8.tar.gz.sha256sum
https://dist.torproject.org/tor-0.4.7.8.tar.gz.sha256sum.asc
The TROVE-2022-001 is also tracked by CVE-2022-33903 (the update and public release will be done once our packages are out and the network is upgrading).
Thanks a lot everyone!
David
> Sorry for the short notice but we had to act fast on this one. Either today or tomorrow, we'll release 0.4.7.8 with an important security fix. This is tracked with TROVE-2022-001[0] and at the moment considered "High" severity.
> We won't disclose just yet the nature of the issue but we believe it can easily be exploited remotely for all tor network components (service, client, relay, authority) hence the choice of severity.
> Once the new version is released, we will recommend everyone on the 0.4.7.x series to upgrade immediately including Tor Browser.
> It is unknown if this vulnerability is being exploited in the wild but we know it is being triggered (intentionally or not) on the network at the moment.
> We'll be releasing more information about this issue after the release.
> Thank you all for your precious work and help!
> David
> [0] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
-- 1FbDnuinhS6KgiGbh7w4iFsvBkngasH4o7C0U5HxYdk=
tor-packagers mailing list tor-packagers@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-packagers
On 17/06/22, David Goulet wrote:
> On 16 Jun (08:52:23), David Goulet wrote:
>> Greetings!
> Hi again!
> We've just uploaded the tarballs a few minutes ago. I will do an official announcement on our Forum soon but wanted to give you a heads up.
> https://dist.torproject.org/tor-0.4.7.8.tar.gz
> https://dist.torproject.org/tor-0.4.7.8.tar.gz.sha256sum
> https://dist.torproject.org/tor-0.4.7.8.tar.gz.sha256sum.asc
> The TROVE-2022-001 is also tracked by CVE-2022-33903 (the update and public release will be done once our packages are out and the network is upgrading).
Thank you for the update. I already built and released the RPMs for the same.
Folks can do `dnf update tor` on their relays & bridges now and get 0.4.7.8 :)
kushal