tor-packagers

tor-packagers@lists.torproject.org

March 2020

1 participants
2 discussions

New Tor releases: 0.3.5.10, 0.4.1.9, 0.4.2.7, and 0.4.3.3-alpha
by Nick Mathewson 18 Mar '20

18 Mar '20

Hello! New tor releases are tagged and signed, and available at https://dist.torproject.org/ . Please remember to check the signatures. Here are the changelog links: 0.3.5.10: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.10 0.4.1.9: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.1.9 0.4.2.7: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.2.7 0.4.3.3-alpha: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.3.3-alpha Note that these releases fix several vulnerabilities, including a remotely triggerable CPU DoS. Everybody running older versions should upgrade to one of these. For TROVE and CVE identifiers and more about the vulnerabilities, please see the ChangeLogs. I'll send official announcements after the website has updated.

1 0

Fwd: Upcoming Tor security releases to fix a denial-of-service issue
by Nick Mathewson 16 Mar '20

16 Mar '20

---------- Forwarded message --------- From: Nick Mathewson <nickm(a)torproject.org> Date: Mon, Mar 16, 2020 at 1:25 PM Subject: Upcoming Tor security releases to fix a denial-of-service issue To: <tor-talk(a)lists.torproject.org> Hello! Some time this week, we currently plan to put out a set of security updates for all supported versions of Tor. These releases will fix a pair of denial-of-service bugs: one that we are classifying at "low" severity, and one that we are classifying at "high" severity. Our recommendation will be for everybody, including relays and clients, to upgrade once packages are available for their platforms. Although these vulnerabilities are "only" denial-of-service issues, any denial-of-service attack against Tor could be leveraged by an attacker to aid in a traffic analysis attack. To the best of our knowledge, these vulnerabilities are not being exploited in the wild. Currently supported release series are 0.3.5, 0.4.1, 0.4.2, and 0.4.3 (alpha). If you have not yet upgraded to one of those, the time to do so is soon. For our policy and process for handing security issues, please see: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/Securit… best wishes, -- Nick

1 0