New stable Tor releases, with security fixes: 0.3.1.9, 0.3.0.13, 0.2.9.14, 0.2.8.17, 0.2.5.16
TROVE-2017-009: Replay-cache ineffective for v2 onion services
severity: medium
whonix impact: replay attack against v2 hidden services. was already possible without this regression.
TROVE-2017-010: Remote DoS attack against directory authorities
severity: medium
whonix impact: directory authorities only
TROVE-2017-011: An attacker can make Tor ask for a password
severity: high
whonix impact: none (tor daemons not affected)
TROVE-2017-012: Relays can pick themselves in a circuit path
severity: medium
whonix impact: relays only; dangerous if running relay & onion on same tor (not recommended)
TROVE-2017-013: Use-after-free in onion service v2
severity: high
whonix impact: v2 hidden services; difficult to trigger remotely
Takeaways:
- upgrade to new onions (v3 hidden services) when 0.3.2.x is stable.
- do not run mixed tor instance:
- client + relay (due to permanent entry guards)
- client + hidden service
- relay + hidden service
@torjunkie and I have been running 0.3.1.x from torproject repo for some time now (1 month+) without any issues. No experience with recent 0.2.9.x versions.