Tor 0.2.0.26-rc replaces several V3 directory authority keys affected by a recent Debian OpenSSL bug. This is a security-critical release. Everybody running any version in the 0.2.0.x series should upgrade, whether they are running Debian or not. Also, all servers running any version of Tor whose keys were generated by Debian, Ubuntu, or any derived distribution may have to replace their identity keys. See our security advisory for full details. As always, you can find Tor 0.2.0.26-rc on the downloads page.
SUMMARY: This is a critical security announcement.
A bug in the Debian GNU/Linux distribution’s OpenSSL package was announced today. This bug would allow an attacker to figure out private keys generated by these buggy versions of the OpenSSL library. Thus, all private keys generated by affected versions of OpenSSL must be considered to be compromised.