Bug 776586 (CVE-2021-28089, CVE-2021-28090, TROVE-2021-001, TROVE-2021-002)

Description Sam James 2021-03-16 00:08:20 UTC

"Hello!

I'm working on these releases today, and intend to publish them in
about 24 hours from now.

---------- Forwarded message ---------
From: Nick Mathewson <nickm at torproject.org>
Date: Mon, Mar 8, 2021 at 10:55 AM
Subject: Upcoming releases to fix denial-of-service issues in Tor
To: <tor-packagers at lists.torproject.org>


Hello!

Early next week -- around Tuesday -- we plan to put out new Tor
releases to fix a pair of denial-of-service issues that we have found.
  We are tracking these issues as "High" and "Medium" severity
respectively under our security policy at
https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPolicy
.  We are tracking these issues as TROVE-2021-001 and TROVE-2021-002
at https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
.  All currently supported Tor versions are affected.

The impact of these issues is that a remote attacker participating in
the directory protocol can cause a denial of service attack against
Tor instances. Once the new versions are released, we will recommend
that all relays and authorities should upgrade.  The impact is worst
for directory authorities: we have already distributed patches to the
authority operators and encouraged them to upgrade.

To the best of our knowledge these vulnerabilities are not being
exploited in the wild.

We'll be releasing more information about these issues after the fixes
are available.

best wishes,
--
Nick"