[tor-talk] [tor-announce] Tor is released (security patches)

intrigeri intrigeri at boum.org
Fri Dec 16 19:48:35 UTC 2011


Roger Dingledine wrote (16 Dec 2011 18:19:10 GMT) :
> Tor fixes a critical heap-overflow security issue in Tor's
> buffers code. Absolutely everybody should upgrade.

> the attacker would need to either open a SOCKS connection to
> Tor's SocksPort (usually restricted to localhost), or target a Tor
> instance configured to make its connections through a SOCKS proxy

My understanding of the flaw makes me think users of Tails 0.9 are not
at risk: an attacker who is able to connect to the Tor's SocksPort in
Tails is likely to be in a position to run arbitrary code already; and
Tails does not configure Tor to use another SOCKS proxy.

Please correct me if needed.

  intrigeri <intrigeri at boum.org>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
  | We're dreaming of something else.
  | Something more clandestine, something happier.

More information about the tor-talk mailing list