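Tor, the free software for anonymous communication, updated to 0.2.8.9, fixing a security issue in earlier versions that allowed remote attacks on Tor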

2016/10/19
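Tor (The Onion Router) is free software for anonymous communication. Tor is an implementation of second-generation onion routing; through Tor, users can communicate anonymously on the Internet.
Tor is used to defend against the traffic filtering and sniffing analysis that are widespread on the Internet. Tor communicates over an overlay network made up of "onion routers", and can provide anonymous outbound connections and anonymous hidden services.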

Tor 0.2.8.9 is released, with important fixes

Tor 0.2.8.9 backports a fix for a security hole in previous versions of Tor that would allow a remote attacker to crash a Tor client, hidden service, relay, or authority. All Tor users should upgrade to this version, or to 0.2.9.4-alpha. Patches will be released for older versions of Tor.
You can download the source from the Tor website. Packages should be available over the next week or so.
Below is a list of changes since 0.2.8.8.

Changes in version 0.2.8.9 - 2016-10-17

  • Major features (security fixes, also in 0.2.9.4-alpha):
    • Prevent a class of security bugs caused by treating the contents of a buffer chunk as if they were a NUL-terminated string. At least one such bug seems to be present in all currently used versions of Tor, and would allow an attacker to remotely crash most Tor instances, especially those compiled with extra compiler hardening. With this defense in place, such bugs can't crash Tor, though we should still fix them as they occur. Closes ticket 20384 (TROVE-2016-10-001).
  • Minor features (geoip):
    • Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 Country database.
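
An added C sketch (not Tor's code, and not taken from the release notes) of the bug class named in the security-fix entry above: a length-delimited buffer chunk read with a string function, next to a bounded search. The `chunk_t` type, the function names and the trailing NUL sentinel used as the containment measure are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical chunk layout for illustration; not Tor's actual structure. */
typedef struct {
    size_t capacity;  /* usable bytes in data[] */
    size_t datalen;   /* bytes of data[] that hold received input */
    char  *data;      /* capacity + 1 bytes; the last one is a NUL sentinel */
} chunk_t;

chunk_t *chunk_new(size_t capacity) {
    chunk_t *c = malloc(sizeof(*c));
    if (!c) return NULL;
    c->data = malloc(capacity + 1);
    if (!c->data) { free(c); return NULL; }
    memset(c->data, 'X', capacity);   /* simulate stale, non-NUL heap bytes */
    c->data[capacity] = '\0';         /* sentinel: string functions stop here */
    c->capacity = capacity;
    c->datalen = 0;
    return c;
}

int chunk_append(chunk_t *c, const char *src, size_t n) {
    if (n > c->capacity - c->datalen) return -1;  /* would overflow the chunk */
    memcpy(c->data + c->datalen, src, n);
    c->datalen += n;
    return 0;
}

/* Bug class: treats the chunk as a C string. Without the sentinel this reads
 * past the allocation; with it the read is contained but the length is wrong. */
size_t chunk_len_as_string(const chunk_t *c) {
    return strlen(c->data);
}

/* Correct: search only the datalen bytes that were actually received. */
long chunk_find_byte(const chunk_t *c, char ch) {
    const char *p = memchr(c->data, ch, c->datalen);
    return p ? (long)(p - c->data) : -1;
}

void chunk_free(chunk_t *c) { if (c) { free(c->data); free(c); } }
```

With the sentinel in place the string-style read stays inside the allocation but still reports stale bytes as data, which is why the call site itself still needs the bounded form.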
