Hi, all!
There is a new version of OpenSSL out today, with a security advisory that affects Tor. The vulnerability is CVE-2021-3449, as described on https://www.openssl.org/news/secadv/20210325.txt . It affects OpenSSL versions 1.1.1 through 1.1.1j. OpenSSL 1.1.1k is the first version with a fix.
I haven't tested this bug, but I believe that it would allow an adversary to remotely crash Tor relays and authorities. It won't have any effect on Tor clients.
I suggest that everybody should upgrade to the latest OpenSSL when it becomes available on their platform.
best wishes,
tor-relays@lists.torproject.org