<div dir="ltr"><p>Hello, everyone!</p>
Source code for Tor 0.3.5.15, 0.4.4.9, and 0.4.5.9 is now available; since these are older release series, you can download the source code at <a href="https://dist.torproject.org/">https://dist.torproject.org/</a> . Packages should be available within the next several weeks, with a new Tor Browser around the end of the week.<p>This release fixes several security vulnerabilities, described in the changelogs. We are also releasing security fixes for the other supported release series; I'll describe them in a separate email. I recommend that everybody upgrade to 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5 as soon as binaries are available (or right now, if you build from source).</p><p>Below is the changelog for 0.4.5.9. You can find the changelogs for the other releases at: <br></p><div><a href="https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.15" target="_blank">https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.15</a></div><div><div><a href="https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.4.9" target="_blank">https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.4.9</a></div><div><br></div><div>Changes in version 0.4.5.9 - 2021-06-14<br> Tor 0.4.5.9 fixes several security issues, including a<br> denial-of-service attack against onion service clients, and another<br> denial-of-service attack against relays. Everybody should upgrade to<br> one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.<br><br> o Major bugfixes (security, backport from 0.4.6.5):<br> - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on<br> half-closed streams. Previously, clients failed to validate which<br> hop sent these cells: this would allow a relay on a circuit to end<br> a stream that wasn't actually built with it. 
Fixes bug 40389;<br> bugfix on 0.3.5.1-alpha. This issue is also tracked as<br> TROVE-2021-003 and CVE-2021-34548.<br><br> o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):<br> - Detect more failure conditions from the OpenSSL RNG code.<br> Previously, we would detect errors from a missing RNG<br> implementation, but not failures from the RNG code itself.<br> Fortunately, it appears those failures do not happen in practice<br> when Tor is using OpenSSL's default RNG implementation. Fixes bug<br> 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as<br> TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.<br><br> o Major bugfixes (security, denial of service, backport from 0.4.6.5):<br> - Resist a hashtable-based CPU denial-of-service attack against<br> relays. Previously we used a naive unkeyed hash function to look<br> up circuits in a circuitmux object. An attacker could exploit this<br> to construct circuits with chosen circuit IDs, to create<br> collisions and make the hash table inefficient. Now we use a<br> SipHash construction here instead. Fixes bug 40391; bugfix on<br> 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and<br> CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.<br> - Fix an out-of-bounds memory access in v3 onion service descriptor<br> parsing. An attacker could exploit this bug by crafting an onion<br> service descriptor that would crash any client that tried to visit<br> it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also<br> tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei<br> Glazunov from Google's Project Zero.<br><br> o Minor features (compatibility, backport from 0.4.6.4-rc):<br> - Remove an assertion function related to TLS renegotiation. It was<br> used nowhere outside the unit tests, and it was breaking<br> compilation with recent alpha releases of OpenSSL 3.0.0. 
Closes<br> ticket 40399.<br><br> o Minor features (geoip data):<br> - Update the geoip files to match the IPFire Location Database, as<br> retrieved on 2021/06/10.<br><br> o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc):<br> - Allow the control command SAVECONF to succeed when the seccomp<br> sandbox is enabled, and make SAVECONF keep only one backup file to<br> simplify implementation. Previously SAVECONF allowed a large<br> number of backup files, which made it incompatible with the<br> sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by<br> Daniel Pinto.<br><br> o Minor bugfixes (metrics port, backport from 0.4.6.4-rc):<br> - Fix a bug that made tor try to re-bind() on an already open<br> MetricsPort every 60 seconds. Fixes bug 40370; bugfix<br> on 0.4.5.1-alpha.<br><br></div></div></div>