Tor project releases update to close critical hole
The developers of the Tor (The Onion Routing project) anonymisation solution have released version 0.2.1.29 to close a hole that can be remotely exploited. According to the developers, the problem is caused by a heap overflow. Version 0.2.1.28, which was released in late December, had already fixed another heap overflow in Tor. That flaw could be exploited to remotely crash Tor, and the developers did not rule out that it could also have been exploited to inject and execute arbitrary code.
In addition, the new version 0.2.1.29 fixes a potential Denial of Service (DoS) vulnerability in connection with the zlib compression library. Furthermore, keys that are no longer in use are now overwritten with zeros before their memory is released. This is to prevent attackers who have escalated their privileges from accessing the keys. The flaws were also fixed in the unstable version 0.2.2.21-alpha. The developers also corrected numerous further issues that previously impacted program stability.
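A wipe-before-free routine in the spirit of the key-zeroing fix described above, as an added example that is not taken from Tor's code base; secret_key_t, secure_memzero, secret_key_free and demo_wipe_clears_key are hypothetical names. It also covers a caveat the article does not mention: a plain memset() immediately before free() is a dead store the optimiser may remove, so the wipe is written through a volatile pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical key holder; Tor's real structures are not on the page. */
typedef struct {
    uint8_t key[32];  /* constructed sample: a 256-bit secret */
    size_t key_len;
} secret_key_t;

/* Wipe the optimiser cannot drop: a plain memset() right before free() is a
 * dead store the compiler may remove; stores through a volatile pointer
 * must be emitted. (memset_s/explicit_bzero do the same where available.) */
static void secure_memzero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Zero the secret before the allocation goes back to the heap, so whoever
 * reads that memory later (a bug, or a process that gained privileges)
 * finds only zeros. */
static void secret_key_free(secret_key_t *k)
{
    if (k == NULL) return;
    secure_memzero(k, sizeof(*k));
    free(k);
}

/* Returns 1 if every byte of buf is zero. */
static int is_all_zero(const uint8_t *buf, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= buf[i];
    return acc == 0;
}

/* Check: fill a key, wipe it in place, report whether every byte is zero. */
int demo_wipe_clears_key(void)
{
    secret_key_t *k = malloc(sizeof(*k));
    if (k == NULL) return 0;
    memset(k->key, 0xAB, sizeof(k->key)); /* constructed key material */
    k->key_len = sizeof(k->key);
    secure_memzero(k, sizeof(*k));
    int cleared = is_all_zero((const uint8_t *)k, sizeof(*k));
    secret_key_free(k);                   /* wipes again (no-op) and frees */
    return cleared;
}
```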
Tor 0.2.1.29 is available to download in source code form. Readily compiled versions are available for Windows, Mac OS X and Linux, also in combination with Vidalia, the cross-platform graphical controller for Tor. Linux distributors will probably offer updated packages in the near future.