August 29, 2006, 8:36 pm
The short version:
Upgrade to 0.1.1.23.
A malicious entry node (the first Tor server in your path) can
route traffic through your Tor client as though you're a server. It can
only route traffic to other Tor servers though -- it can't induce any
All versions of Tor in the 0.1.0.x series earlier than 0.1.0.18.
All versions of Tor in the 0.1.1.x series earlier than 0.1.1.23.
The experimental snapshot 0.1.2.1-alpha-cvs.
Upgrade to at least Tor 0.1.1.23. If you absolutely must stay with
the 0.1.0.x series, I've put a patched tarball for the old 0.1.0.x
There is a bug in older versions of Tor that allows a hostile Tor server
to crash your Tor process, or route traffic through your client to the
Tor network as though it were a server. To exploit this bug, an attacker
needs to be or compromise the first Tor server in one of your circuits.
(Other Tor servers on your path can't do it.)
This is a client-only bug; servers are not affected.
If you didn't upgrade when we released 0.1.1.23 and said "you should
upgrade"... you should upgrade.
We'll write a more detailed advisory in a little while, after more people
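
An added example, not part of the original post or the Tor project's code: a Python check that classifies reported Tor version strings against the affected ranges listed above. The hostnames and sample strings are constructed, and versions outside the listed ranges are reported as "not listed" rather than assumed safe.

```python
import re

# Affected ranges exactly as listed in the advisory above.
# series (a, b, c) -> first patch level that is no longer listed as affected
AFFECTED_SERIES = {(0, 1, 0): 18, (0, 1, 1): 23}
# The advisory names one snapshot explicitly; match it by its full string.
AFFECTED_SNAPSHOTS = {"0.1.2.1-alpha-cvs"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(-[A-Za-z0-9-]+)?")

def parse_version(text):
    """Return ((a, b, c, d), normalized string) for the first version in text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tor version found in {text!r}")
    nums = tuple(int(g) for g in m.group(1, 2, 3, 4))
    return nums, ".".join(map(str, nums)) + (m.group(5) or "")

def is_affected(text):
    """True if the version falls in a range the advisory lists as affected."""
    nums, normalized = parse_version(text)
    if normalized in AFFECTED_SNAPSHOTS:
        return True
    first_fixed = AFFECTED_SERIES.get(nums[:3])
    return first_fixed is not None and nums[3] < first_fixed

def triage(inventory):
    """Map host -> 'affected' / 'not listed' / 'unparseable'."""
    report = {}
    for host, reported in inventory.items():
        try:
            report[host] = "affected" if is_affected(reported) else "not listed"
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory (hostnames and strings made up for this example).
SAMPLE = {
    "client-a": "Tor version 0.1.0.17.",
    "client-b": "0.1.1.22",
    "client-c": "Tor version 0.1.1.23.",
    "client-d": "0.1.2.1-alpha-cvs",
    "client-e": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```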