[tor-talk] [tor-announce] Tor 0.2.2.35 is released (security patches)

Robert Ransom rransom.8774 at gmail.com
Sat Dec 17 02:08:36 UTC 2011


On 2011-12-16, intrigeri <intrigeri at boum.org> wrote:
> Hi,
>
> Roger Dingledine wrote (16 Dec 2011 18:19:10 GMT) :
>> Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
>> buffers code. Absolutely everybody should upgrade.
>
>> the attacker would need to either open a SOCKS connection to
>> Tor's SocksPort (usually restricted to localhost), or target a Tor
>> instance configured to make its connections through a SOCKS proxy
>
> My understanding of the flaw makes me think users of Tails 0.9 are not
> at risk: an attacker who is able to connect to Tor's SocksPort in
> Tails is likely to be in a position to run arbitrary code already; and
> Tails does not configure Tor to use another SOCKS proxy.
>
> Please correct me if needed.

Your understanding is correct.


Robert Ransom

