[tor-packagers] Upcoming releases to fix denial-of-service issues in Tor
Nick Mathewson
nickm at torproject.org
Mon Mar 8 15:55:29 UTC 2021
Hello!
Early next week -- around Tuesday -- we plan to put out new Tor
releases to fix a pair of denial-of-service issues that we have found.
We are tracking these issues as "High" and "Medium" severity
respectively under our security policy at
https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy
. We are tracking these issues as TROVE-2021-001 and TROVE-2021-002
at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
. All currently supported Tor versions are affected.
The impact of these issues is that a remote attacker participating in
the directory protocol can cause a denial of service attack against
Tor instances. Once the new versions are released, we will recommend
that all relays and authorities should upgrade. The impact is worst
for directory authorities: we have already distributed patches to the
authority operators and encouraged them to upgrade.
To the best of our knowledge these vulnerabilities are not being
exploited in the wild.
We'll be releasing more information about these issues after the fixes
are available.
best wishes,
--
Nick
More information about the tor-packagers
mailing list