"Tor does not verify a node's uptime and bandwidth advertisements, which allows
remote attackers who operate a low resource node to make false claims of greater
resources, which places the node into use for many circuits and compromises the
anonymity of traffic sources and destinations."
All <= 0.1.1.26 versions reportedly affected. Upstream statement:
Closing: I believe this is a design issue and relatively well documented:
"Feb 25 16:16:02.628 [notice] Tor v0.1.1.xx. This is experimental software. Do
not rely on it for strong anonymity."