Two new versions of the Tor anonymity software were released on Tuesday, with fixes for two security issues that can be exploited to crash hidden services and clients visiting them.
The first one allows “a malicious client to trigger an assertion failure and halt a hidden service”; the second one can “cause a client to crash with an assertion failure when parsing a malformed hidden service descriptor,” as described by Roger Dingledine, Tor Project Leader and one of the original developers of the software.
These latest versions – 0.2.5.12 and 0.2.6.7 – also sport improvements that lessen hidden services’ vulnerability to DoS attacks.
Neither of these issues is a danger to users’ anonymity, but they could inconvenience users, so the Tor Browser team is still debating whether these fixes require the immediate release of a new Tor Browser update.
If they decide not to, the fixes will be implemented in the next stable release, which is due to be out next week.
In the meantime, Dingledine advises hidden services to upgrade as soon as possible, and clients to do it as soon as the packages for their systems become available.
Needless to say, it’s best to download the updates from the Tor Project’s official site.