Arti 1.2.4 is released: onion services development, security fixes

by gabi | June 5, 2024

Arti is our ongoing project to create a next-generation Tor client in Rust. Now we're announcing the latest release, Arti 1.2.4.

This release continues development on onion services, and on the planned RPC system, which will allow Arti to be managed and controlled programmatically.

We have restored the faravahar directory authority, which has a new location and keys.

We have also fixed two medium-severity security issues, tracked as TROVE-2024-005 and TROVE-2024-006, respectively, and a number of other, smaller bugs.

The issues

TROVE-2024-005 affects hidden service circuits using non-default vanguard configurations (where the vanguard mode is set to 'disabled' or 'full'), causing hidden service circuits to be built from circuit stubs that are incompatible with the circuit target, and to have an incorrect length. This bug is also tracked as issue #1424.

TROVE-2024-006 affects hidden services and clients using non-default vanguard configurations, where the vanguard mode is set to 'disabled', or that have the vanguards feature compiled out. In some circumstances, this bug can lead to building hidden service circuits that contain the same relay in multiple positions. This bug is also tracked as issue #1425.

Both issues can make users of this code more vulnerable to traffic analysis when running or accessing onion services.

Who is affected

If you use arti to connect to onion services, or to run onion services, and you are using Arti 1.2.3 or earlier, you should upgrade.

For full details on what we've done, and for information about many smaller and less visible changes as well, please see the CHANGELOG.

For more information on using Arti, see our top-level README, and the documentation for the arti binary.

Thanks to everybody who's contributed to this release, including Alexander Færøy, Gaba, Jim Newsome, juga, and pinkforest!

Also, our deep thanks to Zcash Community Grants and our [other sponsors] for funding the development of Arti!


This is a companion discussion topic for the original entry at https://blog.torproject.org/arti_1_2_4_released
1 Like