We have released updates to Arti today, to resolve a pair of security issues related to circuit construction for onion services.UOz免费翻墙网
These vulnerabilities affect the crate tor-circmgr 0.18.0, released along with Arti version 1.2.2. They are fixed in tor-circmgr 0.18.1. (Fixes will also appear in Arti version 1.2.4, to be released on our regular schedule at the start of June.)UOz免费翻墙网
Who is affected
If you use arti to connect to onion services, or to run onion services, and you are using Arti 1.2.2 or tor-circmgr 0.18.0, you should upgrade.UOz免费翻墙网
(In Arti 1.2.1 and earlier, vanguards were still an experimental feature, or absent, so those versions are classified as "not affected", but downgrading to these versions will not improve your security.)UOz免费翻墙网
Upgrade instructions
If you installed Arti via cargo install, use this command to update:UOz免费翻墙网
cargo install --locked --features=full arti
# or whatever --features you used before
If you obtained Arti as source code from git, fetch the tag arti-v1.2.3 and rebuild, with cargo build --locked --release --features=full -p arti.UOz免费翻墙网
The issues
Both issues affect circuit construction when vanguards are enabled, and affect the length.UOz免费翻墙网
First, when building anonymizing circuits to or from an onion service with 'lite' vanguards (the default) enabled, the circuit manager code would build the circuits with one hop too few. This makes users of this code more vulnerable to some kinds of traffic analysis when they run or visit onion services. This bug is tracked as issue #1409, and as TROVE-2024-003. Its severity is "high".UOz免费翻墙网
Second, when 'full' vanguards are enabled, some circuits are supposed to be built with an extra hop to minimize the linkability of the guard nodes. In some circumstances, the circuit manager would build circuits with one hop too few, making it easier for an adversary to discover the L2 and L3 guards of the affected clients and services. This issue is tracked as issue #1400, and as TROVE-2024-004. Its severity is "medium".UOz免费翻墙网
