[tor-packagers] Upcoming security release of tor

David Goulet dgoulet at torproject.org
Fri Jun 17 14:42:52 UTC 2022

On 16 Jun (08:52:23), David Goulet wrote:
> Greetings!

Hi again!

We've just uploaded the tarballs few minutes ago. I will do an official
announcement on our Forum soon but wanted to give you a heads up.


The TROVE-2022-001 is also tracked by CVE-2022-33903 (the update and public
release will be done once our packages are out and the network is upgrading).

Thanks a lot everyone!

> Sorry for the short notice but we had to act fast on this one. Either today or
> tomorrow, we'll release with an important security fix. This is
> tracked with TROVE-2022-001[0] and at the moment considered "High" severity.
> We won't disclose just yet the nature of the issue but we believe it can
> easily be exploited remotely for all tor network components (service, client,
> relay, authority) hence the choice of severity.
> Once the new version is released, we will recommend everyone on the 0.4.7.x
> series to upgrade immediately including Tor Browser.
> It is unknown if this vulnerability is being exploited in the wild but we know
> it is being triggered (intentionally or not) on the network at the moment.
> We'll be releasing more information about this issue after the release.
> Thank you all for your precious work and help!
> David
> [0] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
> -- 
> 1FbDnuinhS6KgiGbh7w4iFsvBkngasH4o7C0U5HxYdk=

> _______________________________________________
> tor-packagers mailing list
> tor-packagers at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-packagers

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-packagers/attachments/20220617/a50a54a0/attachment.sig>

More information about the tor-packagers mailing list