[tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)

intrigeri intrigeri at boum.org
Fri Dec 16 19:48:35 UTC 2011


Hi,

Roger Dingledine wrote (16 Dec 2011 18:19:10 GMT) :
> Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
> buffers code. Absolutely everybody should upgrade.

> the attacker would need to either open a SOCKS connection to
> Tor's SocksPort (usually restricted to localhost), or target a Tor
> instance configured to make its connections through a SOCKS proxy

My understanding of the flaw makes me think users of Tails 0.9 are not
at risk: an attacker who is able to connect to Tor's SocksPort in
Tails is likely to be in a position to run arbitrary code already; and
Tails does not configure Tor to use another SOCKS proxy.

Please correct me if needed.

Cheers,
--
  intrigeri <intrigeri at boum.org>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
  | We're dreaming of something else.
  | Something more clandestine, something happier.
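
Added example, not part of the original message and not Tor or Tails project code: a small torrc audit for the two exposure conditions quoted above (a SOCKS listener reachable from beyond localhost, or Tor set to connect through a SOCKS proxy). It assumes the 0.2.2-series option names SocksPort, SocksListenAddress, Socks4Proxy and Socks5Proxy; `audit_torrc` and the sample configuration are constructed for illustration.

```python
import ipaddress

PROXY_OPTS = {"socks4proxy", "socks5proxy"}
LISTEN_OPTS = {"socksport", "sockslistenaddress"}

def _is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # a name we cannot prove is local: treat as exposed

def _host_of(value):
    # "127.0.0.1:9050" -> "127.0.0.1", "[::1]:9050" -> "[::1]", "9050" -> None
    if value.startswith("[") and "]" in value:
        return value[: value.index("]") + 1]
    if ":" in value:
        return value.rsplit(":", 1)[0]
    return None if value.isdigit() or value == "auto" else value

def audit_torrc(text):
    """Return (line number, finding, line) for each exposure condition met."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].split()[0] if len(parts) > 1 else ""
        if key in PROXY_OPTS:
            findings.append((n, "outbound-socks-proxy", line))
        elif key in LISTEN_OPTS:
            host = _host_of(value)
            if host is not None and not _is_loopback(host):
                findings.append((n, "non-local-socks-listener", line))
    return findings

# Constructed sample torrc, not a real configuration.
SAMPLE = """\
# example only
SocksPort 9050
SocksListenAddress 192.168.1.10:9050
Socks5Proxy 10.0.0.5:1080
"""

if __name__ == "__main__":
    for lineno, finding, line in audit_torrc(SAMPLE):
        print(f"line {lineno}: {finding}: {line}")
```

An empty result means neither condition is configured in the file checked; it says nothing about firewall rules or other processes on the host.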

