The developers of the Tor (The Onion Routing project) anonymisation solution have released version 0.2.1.29 to close a hole that can be remotely exploited. According to the developers, the problem is caused by a heap overflow. Version 0.2.1.28, which was released in late December, had already fixed another heap overflow in Tor. This flaw could be exploited to remotely crash Tor and the developers didn't rule out that it could also have been exploited to inject and execute arbitrary code.
In addition, the new version 0.2.1.29 fixes a potential Denial of Service (DoS) vulnerability in connection with the zlib compression library. Furthermore, keys that are no longer in use will be overwritten with zeros before their memory areas are made available. This is to prevent attackers who have escalated their privileges from accessing the keys. The flaws were also fixed in the unstable version 0.2.2.21-alpha. The developers also corrected numerous further issues that previously impacted program stability.
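
The key-zeroing measure described above, sketched as an added example (this is not Tor's code; `session_key_t`, `secure_wipe` and the other names are hypothetical, and the key material is a constructed sample). It shows the detail that matters in practice: the wipe has to survive compiler optimisation and has to happen before `free()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical key container; names are illustrative, not Tor's. */
typedef struct {
    unsigned char *bytes;
    size_t len;
} session_key_t;

/* A plain memset() right before free() is a dead store that the optimizer
 * may remove; mainstream compilers do not elide stores through a volatile pointer. */
static void secure_wipe(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

static int session_key_init(session_key_t *k, const unsigned char *src, size_t len)
{
    k->len = 0;
    k->bytes = malloc(len);
    if (k->bytes == NULL) return -1;
    memcpy(k->bytes, src, len);
    k->len = len;
    return 0;
}

/* Wipe, then free, then clear the handle. Returns the number of bytes wiped;
 * a second call on the same handle is a no-op and returns 0. */
static size_t session_key_release(session_key_t *k)
{
    size_t wiped = k->bytes ? k->len : 0;
    if (k->bytes) {
        secure_wipe(k->bytes, k->len);
        free(k->bytes);
    }
    k->bytes = NULL;
    k->len = 0;
    return wiped;
}

int main(void)
{
    const unsigned char demo[16] = "constructed-key"; /* constructed sample */
    session_key_t k;
    if (session_key_init(&k, demo, sizeof demo) != 0) return 1;
    printf("wiped %zu bytes\n", session_key_release(&k));
    return 0;
}
```

Where the platform provides `explicit_bzero()` or C11 Annex K `memset_s()`, those can replace the hand-written loop.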

The link for this article located at H Security is no longer available.