Tor 0.2.0.26-rc is out

Roger Dingledine arma at mit.edu
Tue May 13 13:27:30 UTC 2008


Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug in
Debian's OpenSSL packages. All users running any 0.2.0.x version should
upgrade, whether they're running Debian or not. We will follow up with
a security advisory shortly.

https://www.torproject.org/download#Dev

Changes in version 0.2.0.26-rc - 2008-05-13
  o Major security fixes:
    - Use new V3 directory authority keys on the tor26, gabelmoo, and
      moria1 V3 directory authorities. The old keys were generated with
      a vulnerable version of Debian's OpenSSL package, and must be
      considered compromised. Other authorities' keys were not generated
      with an affected version of OpenSSL.

  o Major bugfixes:
    - List authority signatures as "unrecognized" based on DirServer
      lines, not on cert cache. Bugfix on 0.2.0.x.

  o Minor features:
    - Add a new V3AuthUseLegacyKey option to make it easier for
      authorities to change their identity keys if they have to.
