[tor-talk] Upcoming Tor releases tomorrow, to fix Hidden Service remote DoS bugs
Nick Mathewson
nickm at freehaven.net
Thu Jun 8 15:24:17 UTC 2017
On Wed, Jun 7, 2017 at 11:15 AM, Nick Mathewson <nickm at freehaven.net> wrote:
> Hi, all!
>
> Tomorrow we'll be putting out new releases in all supported series
> (0.2.4 through 0.3.1) to fix two vulnerabilities that we have found in
> the hidden service code. These vulnerabilities allow an attacker to
> cause a hidden service to crash with an assertion failure. We believe
> that is the only impact. We are tracking these vulnerabilities as
> TROVE-2017-004 and TROVE-2017-005.
>
> For more information about how we handle security issues in Tor, see
> our draft policy at:
> https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/SecurityPolicy
These releases are now available from https://dist.torproject.org/ .
They are: 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, 0.2.9.11,
0.3.0.8, and 0.3.1.3-alpha.
It will take a while for the website download page to upgrade, since
the system that updates the website tends to get bogged down when
there are lots of builders running at once. I'll send out the regular
announcements once the download page is up-to-date, since it tends to
confuse people when I don't wait for that.
If you're running a hidden service, I recommend that you upgrade as
soon as a package is available for your system.
best wishes,
--
Nick
More information about the tor-talk
mailing list