Today, we release 0.4.7.8 fixing several issues including a High severity security issue only affecting the 0.4.7.x series. You can track this issue with TROVE-2022-001 and CVE-2021-38385.
Please note that at the moment, the full details of the security issue are not yet public as we are waiting on the OS distribution packages to be updated and the network to be on its upgrade path.
This security issue is not affecting the safety of the tor host system itself and is categorized as a Denial of Service thus affecting performance and possibly anonymity.
We STRONGLY recommend anyone on an earlier version to upgrade as soon as possible to tor 0.4.7.8 (this release). OS packages are on the way!
tor 0.4.7.8 is not yet available from deb.torproject.org - refer to Tor integration in Whonix - #19 by Patrick on how to check whether that has changed. Once available, I will upload it to deb.whonix.org.
from: the currently used “Versions are downloaded from deb.torproject.org, verified to work, and then migrated to deb.whonix.org”
to: “Use the Tor LTS version from the official Debian package repository: packages.debian.org.”
This is because while The Tor Project is working on Arti, no major new releases for the old C programming language based Tor package are to be expected.