Greetings, We just release tor stable 0.4.9.9 as a security release. Here is the announcement: https://forum.torproject.org/t/security-release-0-4-9-9/21664 The ChangeLog is below. Cheers! David Changes in version 0.4.9.9 - 2026-06-01 This is a security release fixing several major bugfixes that were reported in the past weeks. We strongly recommend upgrading as soon as possible. o Major bugfixes (compression, security): - Fix a compression bomb bypass where an attacker could concatenate many gzip or zlib sub-streams, each just under the per-stream detection threshold, to avoid the compression bomb check entirely. TROVE-2026-022. Fixes bug 41275; bugfix on 0.3.1.1-alpha. - Fix an infinite loop when decompressing a truncated zlib/gzip stream with done=1. A truncated stream never reaches Z_STREAM_END, causing zlib to return Z_BUF_ERROR with no input remaining, which buf_add_compress() mistook for a full output buffer and retried forever. Fixed by returning TOR_COMPRESS_ERROR in that case so the caller can abort cleanly. TROVE-2026-021. Fixes bug 41274; bugfix on 0.2.6.1-alpha. o Major bugfixes (conflux, security): - Fix a NULL write after free when sending a CONFLUX_SWITCH cell fails. The return value of relay_send_command_from_edge() was ignored, so a send failure (which calls circuit_mark_for_close() and removes the leg via cfx_del_leg()) would go undetected, causing the caller to write to the now-freed current leg and resulting in a crash. TROVE-2026-017. Fixes bug 41263; bugfix on 0.4.8.1-alpha. o Major bugfixes (security, TROVE-2026-019): - Avoid out-of-bounds read/write when parsing a consensus or detached signature with unexpected signature digest type. Impact is minor for most Tor roles, but potentially major for directory authorities. Fixes bug 41267; bugfix on 0.2.8.2-alpha. o Major bugfixes (client stability, TROVE-2026-013, TROVE-2026-015): - Protect against a client-side assert that can happen if a malicious onion service gets the client to load its carefully crafted onion descriptor. Fixes bugs 41259 and 41261; bugfix on 0.3.1.1-alpha. o Major bugfixes (code safety): - Avoid a dangerous situation in router_find_exact_exit_enclave() where we could have reached an assert if bridges or relays claim an IP address of 0.0.0.0. Fixes bug 41276; bugfix on 0.4.5.1-alpha. o Major bugfixes (conflux, shutdown): - Fix a use-after-free in the shutdown path when freeing conflux circuits. cfx_add_leg() shares stream list pointers across legs without NULLing the old leg, so circuit_free_all() would free the lists via one leg and then access freed memory via another. TROVE- 2026-016. Fixes bug 41262; bugfix on 0.4.8.1-alpha. o Major bugfixes (DNSPort, TROVE-2026-018): - Fix a client-side crash that would happen if we decide to stop reading on a RESOLVE request that came from the DNSPort or controller. This crash could happen naturally under heavy load and with poor luck, but since 0.4.7.2-alpha it could be induced by the exit relay via a flow control request. Fixes bug 41265; bugfix on 0.2.0.1-alpha. o Major bugfixes (memory safety, TROVE-2026-014): - Avoid a heap-use-after-free mistake that can happen in the conflux subsystem, and which can be induced at either the client or the exit relay. Fixes bug 41260; bugfix on 0.4.8.1-alpha. o Major bugfixes (onion services, TROVE-2026-020): - Avoid a possible divide by zero crash on onion services that have the proof-of-work (PoW) defense enabled. This bug could be hit by extreme bad luck or maybe by the help of an attacker crafting just the right circumstances. Fixes bug 41270; bugfix on 0.4.8.1-alpha. o Minor features (fallbackdir): - Regenerate fallback directories generated on June 01, 2026. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2026/06/01. o Minor bugfixes (circuit handshake): - Fix an edge case where relays would allow a CGO-style circuit hop to be established without congestion control parameters, meaning there is no way to refill the sendme windows. Fixes bug 41271; bugfix on 0.4.9.3-alpha. o Minor bugfixes (cpuworker threads): - We have a defense-in-depth step to wipe local memory after processing each create cell in a cpuworker thread, but we were accidentally only wiping part of what we wanted to cover. Fixes bug 41269; bugfix on 0.2.4.8-alpha. o Minor bugfixes (relay stability): - Make relays survive having the consensus parameter "onion_queue_wait_cutoff" set to a nonsensical 0 seconds. Fixes bug 41266; bugfix on 0.4.7.11. -- z3EGJZTCc4CNkGk96W4TnFLWd94EBFpKaXz1LzyUsRs=