Red Hat Bugzilla – Bug 230927
CVE-2007-1103: tor information disclosure
Last modified: 2007-11-30 17:11:58 EST
"Tor does not verify a node's uptime and bandwidth advertisements, which allows
remote attackers who operate a low resource node to make false claims of greater
resources, which places the node into use for many circuits and compromises the
anonymity of traffic sources and destinations."
All <= 0.1.1.26 versions reportedly affected. Upstream statement:
Closing: I believe this is a design issue and relatively well documented:
"Feb 25 16:16:02.628 [notice] Tor v0.1.1.xx. This is experimental software. Do
not rely on it for strong anonymity."