Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family), which might allow remote attackers to defeat intended anonymity properties by leveraging the existence of large families.

Upstream bug:
https://trac.torproject.org/projects/tor/ticket/22753

Upstream patch:
https://github.com/torproject/tor/commit/665baf5ed5c6186d973c46cdea165c0548027350

References:
https://blog.torproject.org/blog/tor-0309-released-security-update-clients
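A simplified model of the check described above, added here as an illustration; it is not Tor's code and not part of the bug report. The relay names and helper functions are hypothetical, family membership is modelled as a mutual declaration between two relays, and Tor's other path restrictions (such as same-subnet checks) are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Relay:
    name: str
    declared_family: frozenset = frozenset()  # names this relay lists as family

def same_family(a: Relay, b: Relay) -> bool:
    # A relay is trivially in its own family; otherwise both must list each other.
    if a.name == b.name:
        return True
    return b.name in a.declared_family and a.name in b.declared_family

def guards_exit_only(candidates, exit_relay):
    # Behaviour described in the advisory: only the exit relay itself is excluded.
    return [g.name for g in candidates if g.name != exit_relay.name]

def guards_family_aware(candidates, exit_relay):
    # Intended behaviour: exclude every relay in the exit's family.
    return [g.name for g in candidates if not same_family(g, exit_relay)]

def build_sample():
    # Constructed sample relays (hypothetical names, not real network data).
    fam = {"famA", "famB", "famC"}
    relays = [Relay(n, frozenset(fam - {n})) for n in sorted(fam)]
    relays.append(Relay("solo"))
    relays.append(Relay("oneway", frozenset({"famA"})))  # claim not reciprocated
    return relays

if __name__ == "__main__":
    relays = build_sample()
    exit_relay = relays[0]  # famA is the chosen exit
    print("exit-only   :", guards_exit_only(relays, exit_relay))
    print("family-aware:", guards_family_aware(relays, exit_relay))
```

With the exit-only check, the other members of the exit's family remain eligible as guards, so one operator can end up on both ends of a circuit; the family-aware check removes them.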
Created tor tracking bugs for this issue:

Affects: epel-all [bug 1467728]
Affects: fedora-all [bug 1467729]
Only 0.3.0.x or 0.3.1.x versions were affected by this CVE. Neither Fedora nor EPEL currently ships a version > 0.2.9.10, which means nobody was affected and this could be closed.