Arti is our ongoing project to create a next-generation Tor client in Rust. Now we're announcing the latest release, Arti 1.2.4.
This release continues development on onion services, and on the planned RPC system, which will allow Arti to be managed and controlled programmatically.
We have restored the faravahar
directory authority, which has a new
location and keys.
We have also fixed two medium-severity security issues, tracked as TROVE-2024-005 and TROVE-2024-006, respectively, and a number of other, smaller bugs.
TROVE-2024-005 affects hidden service circuits using non-default vanguard configurations (where the vanguard mode is set to 'disabled' or 'full'), causing hidden service circuits to be built from circuit stubs that are incompatible with the circuit target, and to have an incorrect length. This bug is also tracked as issue #1424.
TROVE-2024-006 affects hidden services and clients using non-default vanguard
configurations, where the vanguard mode is set to 'disabled', or that have the
vanguards
feature compiled out. In some circumstances, this bug can lead to
building hidden service circuits that contain the same relay in multiple
positions.
This bug is also tracked as issue #1425.
Both issues can make users of this code more vulnerable to traffic analysis when running or accessing onion services.
If you use arti to connect to onion services, or to run onion services, and you are using Arti 1.2.3 or earlier, you should upgrade.
For full details on what we've done, and for information about many smaller and less visible changes as well, please see the CHANGELOG.
For more information on using Arti, see our top-level README, and the
documentation for the arti
binary.
Thanks to everybody who's contributed to this release, including Alexander Færøy, Gaba, Jim Newsome, juga, and pinkforest!
Also, our deep thanks to Zcash Community Grants and our other sponsors for funding the development of Arti!