Security critical Tor- released

by phobos | May 13, 2008

Tor- replaces several V3 directory authority keys affected by a recent Debian OpenSSL bug.

This is a security-critical release.

Everybody running any version in the 0.2.0.x series should upgrade, whether
they are running Debian or not. Also, all servers running any version of Tor
whose keys were generated by Debian, Ubuntu, or any derived distribution may
have to replace their identity keys. See our security advisory for full details. As always, you can find Tor on the downloads page.

Changes in version - 2008-05-13
Major security fixes:

  • Use new V3 directory authority keys on the tor26, gabelmoo, and moria1 V3 directory authorities. The old keys were generated with a vulnerable version of Debian's OpenSSL package, and must be considered compromised. Other authorities' keys were not generated with an affected version of OpenSSL.

Major bugfixes:

  • List authority signatures as "unrecognized" based on DirServer lines, not on cert cache. Bugfix on 0.2.0.x.

Minor features:

  • Add a new V3AuthUseLegacyKey option to make it easier for authorities to change their identity keys if they have to.


Please note that the comment area below has been archived.

May 19, 2008


Hello, my name is Gustavo. I have downloaded the Tor software but I can't start using it because I don't have the authentication password required. Please, if you can, tell me what the authentication password is about and how I can get it?
Thanks a lot ... Gustavo

August 11, 2009


Hi!!! I am currently new to Tor. I had it working but Vidalia is currently asking for a password.