In association with heise online

17 January 2011, 12:04

Tor project releases update to close critical hole


The developers of the Tor (The Onion Routing project) anonymisation solution have released version 0.2.1.29 to close a hole that can be remotely exploited. According to the developers, the problem is caused by a heap overflow. Version 0.2.1.28, which was released in late December, had already fixed another heap overflow in Tor. This flaw could be exploited to remotely crash Tor and the developers didn't rule out that it could also have been exploited to inject and execute arbitrary code.

In addition, the new version 0.2.1.29 fixes a potential Denial of Service (DoS) vulnerability in connection with the zlib compression library. Furthermore, keys that are no longer in use will be overwritten with zeros before their memory areas are made available. This is to prevent attackers who have escalated their privileges from accessing the keys. The flaws were also fixed in the unstable version 0.2.2.21-alpha. The developers also corrected numerous further issues that previously impacted program stability.
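The key-wiping measure described above can be shown with a small added example; this is not code from Tor. A toy fixed-slot pool (hypothetical names `slot_alloc`, `slot_release`, `residue`) stands in for the heap so that released memory can be inspected safely, and the key bytes are constructed sample data.

```c
#include <stdio.h>
#include <string.h>
#define KEY_LEN 32
#define SLOTS 4

/* Toy pool standing in for the heap (assumption made for this example). */
static unsigned char pool[SLOTS][KEY_LEN];
static int in_use[SLOTS];

static unsigned char *slot_alloc(void) {
    for (int i = 0; i < SLOTS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

/* Hand the slot back; with wipe set, zero it first. The volatile pointer
 * keeps the compiler from discarding the stores as dead writes. */
static void slot_release(unsigned char *p, int wipe) {
    if (wipe) {
        volatile unsigned char *v = p;
        for (size_t n = 0; n < KEY_LEN; n++) v[n] = 0;
    }
    for (int i = 0; i < SLOTS; i++)
        if (pool[i] == p) in_use[i] = 0;
}

/* Count non-zero bytes still readable in slots that are currently free. */
static size_t residue(void) {
    size_t n = 0;
    for (int i = 0; i < SLOTS; i++)
        for (int j = 0; j < KEY_LEN && !in_use[i]; j++)
            n += pool[i][j] != 0;
    return n;
}

/* Store a constructed key, release it, and report what is left behind. */
size_t demo(int wipe) {
    memset(pool, 0, sizeof pool);
    memset(in_use, 0, sizeof in_use);
    unsigned char *key = slot_alloc();
    for (int j = 0; j < KEY_LEN; j++) key[j] = (unsigned char)(j + 1);
    slot_release(key, wipe);
    return residue();
}

int main(void) {
    printf("left in freed memory without wipe: %zu bytes\n", demo(0));
    printf("left in freed memory with wipe:    %zu bytes\n", demo(1));
    return 0;
}
```

A plain `memset` immediately before `free` may be removed by an optimising compiler as a dead store, which is why the wipe goes through a volatile pointer here.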

Tor 0.2.1.29 is available to download in source code form. Precompiled versions are available for Windows, Mac OS X and Linux, also in combination with Vidalia, the cross-platform graphical controller for Tor. Linux distributors will probably offer updated packages in the near future.

Distributed as free software, Tor is licensed under a BSD license – the bundle also includes the GPL-licensed Vidalia and Polipo.

(crve)

Permalink: http://h-online.com/-1170454
 

