key rollover: tor
Dear WWW Team,
Another round of updates:
Tor is not in stable, but affected in Lenny.
Clients running 0.1.2.x are not affected. Tor nodes or hidden service
providers running any version, as well as everyone on 0.2.0.x are
Please see the vulnerability announcement on the Tor announce mailing
Upgrading to 0.1.2.19-3 (available in testing, unstable, backports.org,
and the usual noreply.org repository) or 0.2.0.26-rc-1 (available in
experimental and the usual noreply.org repository) is recommended.
If you run a relay these versions will force new server keys
(/var/lib/tor/keys/secret_*) being generated.
Should you run a Tor node without using the package's infrastructure
(debian-tor user, /var/lib/tor as DataDirectory etc.) you manually need
to remove bad keys. See the advisory link posted above.
If you are hidden service provider, and have created your key in
the affected timeframe with a bad libssl then please delete your hidden
service's private key. This will change your hidden service's host name
and may require reconfiguring your servers.
If you are running 0.2.0.x, an upgrade is highly recommended -- 3 of the
6 v3 authority servers have compromised keys. Old 0.2.0.x versions
will stop working in a week or two.