Tor Releases Updates to Address DoS Vulnerability
New corrective releases of the Tor software toolkit (versions 0.3.5.11, 0.4.2.8, 0.4.3.6, and 4.4.2-alpha) have been announced. Tor is widely used to enable anonymous networking. These new versions fix a vulnerability (CVE-2020-15572) caused by accessing memory outside the bounds of an allocated buffer. This vulnerability could allow a remote attacker to crash the Tor process. The issue only affects builds that use the NSS library (by default, Tor is built with OpenSSL; using NSS requires the --enable-nss flag).
End of Support for Onion Services Protocol Version 2
Additionally, a plan has been announced to end support for version 2 of the onion services protocol (previously known as hidden services). A year and a half ago, with the release of 0.3.2.9, version 3 of the onion services protocol was introduced. Version 3 features 56-character addresses, stronger protection against data leaks via directory servers, a modular and extensible structure, and the use of the SHA3, ed25519, and curve25519 algorithms in place of SHA1, DH, and RSA-1024.
Version 2 of the protocol was developed about 15 years ago and, because it relies on outdated algorithms, is no longer considered secure. With the end of support for the older branches, all current Tor relays now support version 3 of the protocol, which is the default for newly created onion services.
- September 15, 2020: Tor will begin warning operators and clients about the deprecation of version 2 of the protocol.
- July 15, 2021: Support for version 2 will be removed from the codebase.
- October 15, 2021: A new stable release of Tor will be published without support for the old protocol.
This gives owners of older onion services 16 months to migrate to the new protocol version.
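An operator planning the migration first needs to know which of their published addresses are still version 2. The example below is added here and is not code from the Tor project; it derives a version-3 address from an ed25519 public key using the layout documented in Tor's rend-spec-v3 (base32 of PUBKEY | CHECKSUM | VERSION, checksum = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]) and classifies an address as v2 (16 base32 characters), v3 (56 characters with a valid checksum and version byte), or invalid. The 32-byte sample key is a constructed placeholder, not a real service key.

```python
import base64
import hashlib

# Constants from the Tor v3 onion address specification (rend-spec-v3).
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
B32_V2_LEN = 16   # v2: base32 of the 80-bit truncated SHA1 of an RSA-1024 key
B32_V3_LEN = 56   # v3: base32 of 32-byte pubkey + 2-byte checksum + 1-byte version


def v3_checksum(pubkey: bytes, version: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" | PUBKEY | VERSION)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]


def v3_onion_address(pubkey: bytes) -> str:
    """Build a version-3 .onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey, ONION_V3_VERSION) + ONION_V3_VERSION
    # 35 bytes encode to exactly 56 base32 characters, no padding needed.
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion_address(address: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for a .onion address.

    A v3 result means the address decoded to 35 bytes, carries version byte 3
    and its embedded checksum matches the public key, so a typo or a corrupted
    address is reported as invalid rather than silently accepted.
    """
    name = address.strip().lower()
    if name.endswith(".onion"):
        name = name[: -len(".onion")]
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:  # binascii.Error (bad digit / padding) is a ValueError
        return "invalid"
    if len(name) == B32_V2_LEN and len(raw) == 10:
        return "v2"
    if len(name) == B32_V3_LEN and len(raw) == 35:
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        if version == ONION_V3_VERSION and checksum == v3_checksum(pubkey, version):
            return "v3"
    return "invalid"


# Constructed sample key (NOT a real ed25519 key); a real one comes from the
# service's hs_ed25519_public_key file, after the 32-byte header.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_V3 = v3_onion_address(SAMPLE_PUBKEY)


def migration_report(addresses: list[str]) -> dict[str, list[str]]:
    """Group an operator's address inventory by protocol version."""
    report: dict[str, list[str]] = {"v2": [], "v3": [], "invalid": []}
    for addr in addresses:
        report[classify_onion_address(addr)].append(addr)
    return report


if __name__ == "__main__":
    # "abcdefghijklmnop.onion" is a constructed v2-shaped address, not a real service.
    inventory = [SAMPLE_V3, "abcdefghijklmnop.onion", "not-an-onion"]
    for version, addrs in migration_report(inventory).items():
        print(f"{version}: {addrs}")
```

Every valid v3 address ends in the character `d`, because the trailing five bits of the encoded data are the low bits of the version byte 0x03; the classifier does not rely on that shortcut but verifies the checksum, which is what a migration checklist should do before accepting an address as already migrated.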