[[!meta title="Tails 6.11"]]

[[!meta date="Thu, 09 Jan 2025 00:00:00 +0000"]]

[[!pagetemplate template="news.tmpl"]]

[[!tag announce]]

<h1 id="security">Critical security fixes</h1>

<div class="attack">

<p>The vulnerabilities described below were identified during an external
security audit by <a href="https://www.radicallyopensecurity.com/">Radically
Open Security</a> and disclosed responsibly to our team. We are not aware of
these attacks being used against Tails users until now.</p>

<p>These vulnerabilities can only be exploited by a powerful attacker who has
already exploited another vulnerability to take control of an application in
Tails.</p>

<p>If you want to be extra careful and used Tails a lot since January 9 without
upgrading, we recommend that you do a [[manual upgrade|upgrade/#manual]]
instead of an automatic upgrade.</p>

</div>

- Prevent an attacker from installing malicious software permanently. ([[!tails_ticket 20701]])

In Tails 6.10 or earlier, an attacker who has already taken control of an
application in Tails could then exploit a vulnerability in *Tails Upgrader*
to install a malicious upgrade and permanently take control of your Tails.

Doing a [[manual upgrade|upgrade/#manual]] would erase such malicious software.

- Prevent an attacker from monitoring online activity. ([[!tails_ticket 20709]] and [[!tails_ticket 20702]])

In Tails 6.10 or earlier, an attacker who has already taken control of an
application in Tails could then exploit vulnerabilities in other applications
that might lead to deanonymization or the monitoring of browsing activity:

In *Onion Circuits*, to get information about Tor circuits and close them.

In *Unsafe Browser*, to connect to the Internet without going through Tor.

In *Tor Browser*, to monitor your browsing activity.

In *Tor Connection*, to reconfigure or block your connection to the Tor network.

- Prevent an attacker from changing the Persistent Storage settings. ([[!tails_ticket 20710]])