Upstream has filed a bug report and patches for an RFE to disable the use of RDRAND as the only source of entropy for Tor. Patches are attached to the bug but they are not yet merged and fully tested.
I'm noting this here as a bug of interest for future releases as this seems like it could be a desirable _enhancement_ but am not filing it as a security flaw.
which has references like this:
"FreeBSD Developer Summit: Security Working Group, /dev/random" https://wiki.freebsd.org/201309DevSummit/Security
"Surreptitiously Tampering with Computer Chips" https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
"How does the NSA break SSL? ... Weak random number generators" http://blog.cryptographyengineering.com/2013/12/how-does-nsa-break-ssl.html
Oh, and the patch:
Upstream have fixed this in the 0.2.4.x branch. I have just updated the rawhide package to 0.2.4.21 so this can be considered fixed for rawhide.
nickm commented in the upstream bug report that he is "leaving open for possible 0.2.3 backport". AFAICT this has not happened yet. Since this only affects users that set a non-default option (HardwareAccel 1) in their configuration, I am happy to wait until upstream backport this fix.
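As an added example (not part of this bug thread and not the Tor project's own code), here is a shell check that tells whether a host matches the two conditions the comments above describe: HardwareAccel 1 set in torrc, and a Tor older than 0.2.4.21, the first version this thread reports as carrying the fix. The function names, the sample torrc and the version strings are constructed for illustration; the assumption that a repeated torrc option is resolved by its last occurrence is also mine.

```shell
#!/bin/sh
# Added example, not from the bug thread or the Tor project. Flags a host as
# exposed when torrc sets HardwareAccel 1 (the non-default option the thread
# names) and the running Tor predates the fix. The threshold version is the
# one the thread reports as fixed; everything else here is an assumption.

FIXED_VERSION="0.2.4.21"

# torrc_hwaccel_enabled <torrc>
# Returns 0 if the file sets HardwareAccel to 1. Comments and blank lines are
# ignored, the option name is matched case-insensitively, and the last
# occurrence wins (assumption about Tor's parser, stated in the lead-in).
torrc_hwaccel_enabled() {
    awk 'BEGIN { v = "0" }
         { sub(/#.*/, "") }                       # strip trailing comments
         tolower($1) == "hardwareaccel" { v = $2 } # last occurrence wins
         END { exit (v == "1") ? 0 : 1 }' "$1"
}

# tor_version_lt <a> <b>
# Returns 0 when dotted version a sorts strictly before b, comparing each
# numeric component. A non-numeric suffix such as "-rc" or "-alpha" is
# dropped, so "0.2.4.21-rc" counts as 0.2.4.21; tighten this if you need
# pre-releases of the fixed version to be treated as unfixed.
tor_version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0   # missing component counts as 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1                              # equal versions are not "less than"
    }'
}

# tor_rdrand_exposed <torrc> <tor-version>
# Returns 0 only when both conditions hold: HardwareAccel 1 and a pre-fix Tor.
# Every 0.2.3.x release sorts before 0.2.4.21, matching the comment above that
# the fix has not been backported to 0.2.3 yet.
tor_rdrand_exposed() {
    torrc_hwaccel_enabled "$1" && tor_version_lt "$2" "$FIXED_VERSION"
}

# Constructed sample torrc (not taken from any real deployment). The commented
# HardwareAccel line must not count; the lower-case live one must.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## constructed sample torrc for the check above
SocksPort 9050
# HardwareAccel 1
hardwareaccel 1
EOF

for ver in "0.2.3.25" "0.2.4.20-rc" "0.2.4.21" "0.2.4.22"; do
    if tor_rdrand_exposed "$sample" "$ver"; then
        echo "Tor $ver with this torrc: EXPOSED (HardwareAccel 1, pre-fix Tor)"
    else
        echo "Tor $ver with this torrc: not exposed"
    fi
done
rm -f "$sample"
```

On a live host, point the check at the real configuration and the installed version, for example `tor_rdrand_exposed /etc/tor/torrc "$(tor --version | awk 'NR==1 {print $3}')"`; `tor --version` prints a line of the form "Tor version X.Y.Z.W." and the trailing dot is harmless to the comparison.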
0.2.4.22 has now been pushed to all fedora and epel branches.