[tor-packagers] Upcoming security release of tor

David Goulet dgoulet at torproject.org
Fri Jun 17 14:42:52 UTC 2022


On 16 Jun (08:52:23), David Goulet wrote:
> Greetings!

Hi again!

We've just uploaded the tarballs a few minutes ago. I will do an official
announcement on our Forum soon but wanted to give you a heads up.

https://dist.torproject.org/tor-0.4.7.8.tar.gz
https://dist.torproject.org/tor-0.4.7.8.tar.gz.sha256sum
https://dist.torproject.org/tor-0.4.7.8.tar.gz.sha256sum.asc

The TROVE-2022-001 is also tracked by CVE-2022-33903 (the update and public
release will be done once our packages are out and the network is upgrading).

Thanks a lot everyone!
David

> 
> Sorry for the short notice but we had to act fast on this one. Either today or
> tomorrow, we'll release 0.4.7.8 with an important security fix. This is
> tracked with TROVE-2022-001[0] and at the moment considered "High" severity.
> 
> We won't disclose just yet the nature of the issue but we believe it can
> easily be exploited remotely for all tor network components (service, client,
> relay, authority) hence the choice of severity.
> 
> Once the new version is released, we will recommend everyone on the 0.4.7.x
> series to upgrade immediately including Tor Browser.
> 
> It is unknown if this vulnerability is being exploited in the wild but we know
> it is being triggered (intentionally or not) on the network at the moment.
> 
> We'll be releasing more information about this issue after the release.
> 
> Thank you all for your precious work and help!
> David
> 
> [0] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
> 
> -- 
> 1FbDnuinhS6KgiGbh7w4iFsvBkngasH4o7C0U5HxYdk=





-- 
2T22ifd4rhYVbSbjDNppIEIrp1Iz0lnUkfbKzkbn8s4=