
Upgrade tor on Snowflake bridge for TROVE-2021-001 and TROVE-2021-002 (2021-03-16)

Upcoming releases next week to fix denial-of-service bugs in Tor

Early next week -- around Tuesday -- we plan to put out new Tor releases to fix a pair of denial-of-service issues that we have found. We are tracking these issues as "High" and "Medium" severity respectively under our security policy at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy

The impact of these issues is that a remote attacker participating in the directory protocol can cause a denial of service attack against Tor instances. Once the new versions are released, we will recommend that all relays and authorities should upgrade. The impact is worst for directory authorities: we have already distributed patches to the authority operators and encouraged them to upgrade.

To the best of our knowledge these vulnerabilities are not being exploited in the wild.

We'll be releasing more information about these issues after the fixes are available.

Edited by David Fifield