Greetings,
There are new security releases today.
You can find these releases in the usual place at https://dist.torproject.org.
Make sure (as usual) to check the signatures: my key is available at
key.cgi?fingerprint=2133BC600AB133E1D826D173FE43009C4607B1FB
The security issue is as follows:
o Major bugfixes (cryptography, security):
- Resolve an assertion failure caused by a behavior mismatch between
our batch-signature verification code and our single-signature
verification code. This assertion failure could be triggered
remotely, leading to a denial of service attack. We fix this issue
by disabling batch verification. Fixes bug 40078; bugfix on
0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
CVE-2021-38385. Found by Henry de Valence.
For the complete ChangeLog for each release, see:
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.16
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.5.10
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.6.7
For the ReleaseNotes for the 0.4.6.x series as a whole, see:
https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.6.7
Cheers!
David
--
lMYBijO9FpmEGKJmZQ6s/yKCHF60TEF+oFM4trwRvVk=
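
The message above asks readers to check the release signatures against a specific key. As an added example (not part of the original message and not Tor Project tooling), the following shell functions accept a release only when GnuPG reports a valid signature made by the key whose fingerprint is given above, rather than by any key that happens to be in the local keyring. The function names, the file arguments and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint taken from the announcement above.
EXPECTED_FPR=2133BC600AB133E1D826D173FE43009C4607B1FB

# Reads GnuPG machine-readable status lines (gpg --status-fd) on stdin.
# Succeeds only if a VALIDSIG line names EXPECTED_FPR as the signing key or
# as the primary key, and no failure status is present. Treating an expired
# or revoked key as a failure is a policy choice made for this example.
status_ok() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the signing key fingerprint; the last field is the
            # primary key fingerprint when GnuPG provides it.
            if (toupper($3) == want || toupper($NF) == want) good = 1
            else bad = 1   # cryptographically valid, but from another key
        }
        END { exit !(good && !bad) }
    '
}

# Usage: verify_release SIGNATURE_FILE RELEASE_FILE
# The expected key must already be imported into the local keyring.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_ok
}

# Constructed status output: signature by the expected key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FE43009C4607B1FB Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 2133BC600AB133E1D826D173FE43009C4607B1FB 2021-08-16 1629100000 0 4 0 1 10 00 2133BC600AB133E1D826D173FE43009C4607B1FB'

# Constructed status output: a good signature, but from an unrelated key.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000001 Constructed Other <other@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000001 2021-08-16 1629100000 0 4 0 1 10 00 0000000000000000000000000000000000000001'

# Constructed status output: the expected key, but the data does not match.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG FE43009C4607B1FB Constructed Signer <signer@example.invalid>'
```

A plain "Good signature" message is not enough on its own: the second sample is a good signature too, and it is rejected because the fingerprint differs.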
Greetings everyone!
Before going further, I'm David, part of the Tor network team and I'll be
replacing Nick on these announcements for the foreseeable future! Now onto the
announcement.
We have very recently fixed an important security issue and we are thus
quickly rolling out new stable releases on August 16th, that is, in 5 days.
As per our security policy [0], this issue is considered "HIGH" causing a
remote crash on possibly all tor instances (client, service, relay). We will
share more details after the release.
The new releases will be 0.3.5.16, 0.4.5.10 and 0.4.6.7. We are tracking this
issue as TROVE-2021-007 which is listed in our registry here[1].
Cheers!
David
[0] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPol…
[1] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
--
6R0521l0PHqj/fg0IVJdNhe4W/n1xY+FxzKcOkn37rQ=