[tor-talk] Upcoming security releases

Nick Mathewson nickm at torproject.org
Tue Jun 1 18:16:07 UTC 2021


Hello!

In around two weeks – likely on the 14th or 15th – we plan to put out new
stable Tor releases to fix issues in all currently released versions of
Tor. There are three issues that will be fixed, with severity levels
between "Medium" and "High" according to our classification system.  The
most severe issue, by our reckoning, is a denial-of-service issue affecting
onion service clients.  We'll share more details after people have time to
patch.  To the best of our knowledge, these vulnerabilities are not being
exploited in the wild.

Our security policy:
   https://gitlab.torproject.org/legacy/trac/-/wikis/org/teams/NetworkTeam/SecurityPolicy
Our registry of vulnerabilities:
   https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE

The new releases will be 0.3.5.15, 0.4.4.9, 0.4.5.9, 0.4.6.5.  The issues
to be fixed are TROVE-2021-003 through TROVE-2021-006. When these releases
are out, we will recommend that everybody upgrade, including clients _and_
relays.

Note that Tor 0.4.4.x reaches its end-of-life on 15 June: this will be the
last 0.4.4.x release.

best wishes,
-- 
Nick

