TROVE-2017-009: Replay-cache ineffective for v2 onion services
- severity: medium
- Whonix impact: replay attack against v2 hidden services. Was already possible without this regression.

TROVE-2017-010: Remote DoS attack against directory authorities
- severity: medium
- Whonix impact: directory authorities only

TROVE-2017-011: An attacker can make Tor ask for a password
- severity: high
- Whonix impact: none (tor daemons not affected)

TROVE-2017-012: Relays can pick themselves in a circuit path
- severity: medium
- Whonix impact: relays only; dangerous if running relay & onion on same tor (not recommended)

TROVE-2017-013: Use-after-free in onion service v2
- severity: high
- Whonix impact: v2 hidden services; difficult to trigger remotely

- upgrade to new onions (v3 hidden services) when 0.3.2.x is stable.
- do not run a mixed tor instance:
  - client + relay (due to permanent entry guards)
  - client + hidden service
  - relay + hidden service

@torjunkie and I have been running 0.3.1.x from torproject repo for some time now (1 month+) without any issues. No experience with recent 0.2.9.x versions.
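
Added example, not part of the original post: a small torrc audit that reports which of the mixed-role combinations listed above a configuration enables. The sample configurations, paths and ports are constructed, and treating a missing `SocksPort` line as "client enabled" is an assumption based on Tor's default SOCKS listener.

```python
import itertools

# torrc options that open a client-side listener.
CLIENT_PORTS = ("socksport", "transport", "dnsport", "natdport", "httptunnelport")
ROLE_ORDER = ("client", "relay", "hidden service")


def parse_torrc(text):
    """Return (option, value) pairs; option names are case-insensitive."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: ignores quoting
        if line:
            parts = line.split(None, 1)
            pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs


def roles(text):
    """Return the set of roles a torrc enables."""
    opts = parse_torrc(text)

    def enabled(name):  # a port option is on unless its first token is "0"
        return any(v and v.split()[0] != "0" for k, v in opts if k == name)

    found = set()
    if enabled("orport"):
        found.add("relay")
    if any(k == "hiddenservicedir" for k, _ in opts):
        found.add("hidden service")
    # Assumption: an absent SocksPort means Tor's default SOCKS listener is on.
    socks_absent = not any(k == "socksport" for k, _ in opts)
    if socks_absent or any(enabled(p) for p in CLIENT_PORTS):
        found.add("client")
    return found


def mixed_pairs(text):
    """List the role combinations the post advises against."""
    present = [r for r in ROLE_ORDER if r in roles(text)]
    return [f"{a} + {b}" for a, b in itertools.combinations(present, 2)]


# Constructed sample configurations (paths and ports are placeholders).
RELAY_ONLY = "SocksPort 0\nORPort 9001\n"
RELAY_AND_ONION = RELAY_ONLY + "HiddenServiceDir /var/lib/tor/example_hs/\n"
ONION_DEFAULT_SOCKS = "HiddenServiceDir /var/lib/tor/example_hs/  # no SocksPort line\n"

if __name__ == "__main__":
    for name in ("RELAY_ONLY", "RELAY_AND_ONION", "ONION_DEFAULT_SOCKS"):
        print(name, mixed_pairs(globals()[name]))
```

The check reads a single file's text and does not follow `%include` lines or command-line overrides.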