Greetings!
There's a new stable Tor release today, 0.4.6.6. It changes very
little since 0.4.6.5: the only significant change is that we merged
the fix for the issue that was preventing builds with older versions
of GCC.
As usual, you can find the release at https://dist.torproject.org/ .
If you are already shipping Tor 0.4.6.5, there is no reason to upgrade
to 0.4.6.6. If you have had problems compiling 0.4.6.5, this release
should fix them for you.
Here's the changelog:
Changes in version 0.4.6.6 - 2021-06-30
  Tor 0.4.6.6 makes several small fixes on 0.4.6.5, including one that
  allows Tor to build correctly on older versions of GCC. You should
  upgrade to this version if you were having trouble building Tor
  0.4.6.5; otherwise, there is probably no need.

  o Minor bugfixes (compilation):
    - Fix a compilation error when trying to build Tor with a compiler
      that does not support const variables in static initializers.
      Fixes bug 40410; bugfix on 0.4.6.5.
    - Suppress a strict-prototype warning when building with some
      versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing):
    - Enable the deterministic RNG for unit tests that cover the
      address set bloomfilter-based APIs. Fixes bug 40419; bugfix
      on 0.3.3.2-alpha.
Official announcement to follow after the website has updated.
Best wishes,
--
Nick
These versions of GCC have a bug where they don't accept non-literal
constants in static initializers. This leads to the following
warning:
src/feature/dirclient/dirclient.c: In function ‘dir_client_decompress_response_body’:
./src/lib/log/ratelim.h:55:27: error: initializer element is not constant
If you're running into this issue, you can fix it with the attached
patch, which will also go into the next 0.4.6.x release.
References:
https://gitlab.torproject.org/tpo/core/tor/-/issues/40410
https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/398/commits#not…
--
Nick
Hello!
There are new security releases today. These releases fix four security
issues discovered by Jann Horn and Sergei Glazunov at Google's Project Zero.
You can find these releases in the usual place at
https://dist.torproject.org. Make sure (as usual) to check the signatures:
my key is available at
key.cgi?fingerprint=2133BC600AB133E1D826D173FE43009C4607B1FB
Also of note:
* The 0.4.6.5 release is the first stable release in its series.
* Tomorrow is end-of-life for the 0.4.4.x series; there will be no more
0.4.4.x releases after today.
For information about how long each series will be supported, see
https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/CoreTorRele…
.
The security issues are as follows. My recommendation is that nobody
should freak out, but everybody should upgrade.
  o Major bugfixes (security):
    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
      half-closed streams. Previously, clients failed to validate which
      hop sent these cells: this would allow a relay on a circuit to end
      a stream that wasn't actually built with it. Fixes bug 40389;
      bugfix on 0.3.5.1-alpha. This issue is also tracked as
      TROVE-2021-003 and CVE-2021-34548.

  o Major bugfixes (security, defense-in-depth):
    - Detect more failure conditions from the OpenSSL RNG code.
      Previously, we would detect errors from a missing RNG
      implementation, but not failures from the RNG code itself.
      Fortunately, it appears those failures do not happen in practice
      when Tor is using OpenSSL's default RNG implementation. Fixes bug
      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.

  o Major bugfixes (security, denial of service):
    - Resist a hashtable-based CPU denial-of-service attack against
      relays. Previously we used a naive unkeyed hash function to look
      up circuits in a circuitmux object. An attacker could exploit this
      to construct circuits with chosen circuit IDs, to create
      collisions and make the hash table inefficient. Now we use a
      SipHash construction here instead. Fixes bug 40391; bugfix on
      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
    - Fix an out-of-bounds memory access in v3 onion service descriptor
      parsing. An attacker could exploit this bug by crafting an onion
      service descriptor that would crash any client that tried to visit
      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
      Glazunov from Google's Project Zero.
For complete ChangeLogs for each release, see:
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.15
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.4.9
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.5.9
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.6.5
For the ReleaseNotes for the 0.4.6.x series as a whole, see:
https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.6.5
I'll send out announcements after the download page has updated.
best wishes,
--
Nick
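
The TROVE-2021-005 entry in the message above replaces an unkeyed hash with a SipHash construction; the following added example (not code from Tor or from the announcement) shows why a keyed hash keeps bucket chains short when the inserted IDs are chosen to collide. The unkeyed function, the sample IDs and the fixed demo key are constructed for illustration; in real use the key is a per-process random secret.

```c
#include <stdint.h>
#include <stdio.h>

#define ROTL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL(v1, 13); v1 ^= v0; v0 = ROTL(v0, 32); \
    v2 += v3; v3 = ROTL(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL(v1, 17); v1 ^= v2; v2 = ROTL(v2, 32); } while (0)
#define NBUCKETS 256u

/* SipHash-2-4 of in[0..len) under the 128-bit key (k0, k1). */
uint64_t siphash24(uint64_t k0, uint64_t k1, const uint8_t *in, size_t len) {
    uint64_t v0 = k0 ^ 0x736f6d6570736575ULL, v1 = k1 ^ 0x646f72616e646f6dULL;
    uint64_t v2 = k0 ^ 0x6c7967656e657261ULL, v3 = k1 ^ 0x7465646279746573ULL;
    uint64_t m, last = (uint64_t)len << 56;
    size_t i = 0, j;
    for (; i + 8 <= len; i += 8) {          /* full little-endian 64-bit words */
        for (m = 0, j = 0; j < 8; j++) m |= (uint64_t)in[i + j] << (8 * j);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (j = 0; i < len; i++, j++) last |= (uint64_t)in[i] << (8 * j);
    v3 ^= last; SIPROUND; SIPROUND; v0 ^= last;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Constructed stand-in for an unkeyed hash; not Tor's former function. */
unsigned unkeyed_bucket(uint32_t circ_id) { return (circ_id * 31u) % NBUCKETS; }
unsigned keyed_bucket(uint32_t circ_id, uint64_t k0, uint64_t k1) {
    return (unsigned)(siphash24(k0, k1, (const uint8_t *)&circ_id, 4) % NBUCKETS);
}

/* Longest bucket chain after inserting n IDs that are all congruent mod NBUCKETS. */
unsigned longest_chain(unsigned n, int keyed, uint64_t k0, uint64_t k1) {
    unsigned counts[NBUCKETS] = {0}, longest = 0, i, b;
    for (i = 0; i < n; i++) {
        uint32_t id = 7u + i * NBUCKETS;    /* constructed sample IDs */
        b = keyed ? keyed_bucket(id, k0, k1) : unkeyed_bucket(id);
        if (++counts[b] > longest) longest = counts[b];
    }
    return longest;
}

int main(void) {
    uint64_t k0 = 0x0706050403020100ULL, k1 = 0x0f0e0d0c0b0a0908ULL; /* demo key */
    printf("unkeyed: %u  keyed: %u\n", longest_chain(1024, 0, k0, k1),
           longest_chain(1024, 1, k0, k1));
    return 0;
}
```

With the unkeyed function every sample ID lands in the same bucket, so each lookup walks the full chain; under the keyed hash the same IDs spread across the table because the bucket depends on a secret the sender does not know.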
Hello!
In around two weeks – likely on the 14th or 15th – we plan to put out new
stable Tor releases to fix issues in all currently released versions of
Tor. There are three issues that will be fixed, with severity levels
between "Medium" and "High" according to our classification system. The
most severe issue, by our reckoning, is a denial-of-service issue affecting
onion service clients. We'll share more details after people have time to
patch.
Our security policy:
https://gitlab.torproject.org/legacy/trac/-/wikis/org/teams/NetworkTeam/Sec…
Our registry of vulnerabilities:
https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
The new releases will be 0.3.5.15, 0.4.4.9, 0.4.5.9, 0.4.6.5. The issues
to be fixed are TROVE-2021-003 through TROVE-2021-006. When these releases
are out, we will recommend that everybody upgrade, including clients _and_
relays.
Note that Tor 0.4.4.x reaches its end-of-life on 15 June: this will be the
last 0.4.4.x release.
best wishes,
--
Nick