CVE-2020-10592: 
NixOS vulnerability analysis and mitigation

Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 contains a vulnerability (CVE-2020-10592, also known as TROVE-2020-002) that affects all released Tor instances since 0.2.1.5-alpha. The vulnerability was discovered by OSS-Fuzz and disclosed in March 2020 (Tor Project).

The vulnerability allows attackers to cause Tor instances to consume excessive CPU resources, disrupting operations for several seconds or minutes. The attack could be launched by any attacker against a relay, or by a directory cache against any connected client. The severity is rated as HIGH with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) (NVD).

The attacker could launch this attack repeatedly, causing service disruption and potentially creating timing patterns that could aid in traffic analysis. This affects the availability of Tor services and could potentially compromise user anonymity through traffic analysis (Tor Project).

The vulnerability has been fixed in Tor versions 0.3.5.10, 0.4.1.9, 0.4.2.7, and 0.4.3.3-alpha. Users are advised to upgrade to these or later versions. For Gentoo users, the recommendation is to upgrade to tor-0.4.1.9 or tor-0.4.2.7 depending on their version track (Gentoo Security).