Arti 1.2.4 is released: onion services development, security fixes

Arti is our ongoing project to create a next-generation Tor client in
Rust. Now we’re announcing the latest release, Arti 1.2.4.

This release continues development on onion services, and on the
planned RPC system, which will allow Arti to be managed and controlled
programmatically.

We have restored the faravahar directory authority, which has a new
location and keys.

We have also fixed two medium-severity security issues, tracked as
TROVE-2024-005 and TROVE-2024-006, and a number of other,
smaller bugs.

The issues

TROVE-2024-005 affects hidden service circuits using non-default vanguard
configurations (where the vanguard mode is set to ‘disabled’ or ‘full’), causing
hidden service circuits to be built from circuit stubs that are incompatible
with the circuit target, and to have an incorrect length.
This bug is also tracked as issue #1424.

TROVE-2024-006 affects hidden services and clients using non-default vanguard
configurations, where the vanguard mode is set to ‘disabled’, or that have the
vanguards feature compiled out. In some circumstances, this bug can lead to
building hidden service circuits that contain the same relay in multiple
positions.
This bug is also tracked as issue #1425.

Both issues can make users of this code more vulnerable to traffic analysis when
running or accessing onion services.

Who is affected

If you use Arti to connect to onion services, or to run onion services, and you
are using Arti 1.2.3 or earlier, you should upgrade.

For full details on what we’ve done, and for information about
many smaller and less visible changes as well,
please see the CHANGELOG.

For more information on using Arti, see our top-level README, and the
documentation for the arti binary.

Thanks to everybody who’s contributed to this release, including
Alexander Færøy, Gaba, Jim Newsome, juga, and pinkforest!

Also, our deep thanks to Zcash Community Grants and our other sponsors
for funding the development of Arti!
