tor-packagers

tor-packagers@lists.torproject.org

August 2021

1 participants
2 discussions

New Tor *security* releases: 0.3.5.16, 0.4.5.10, 0.4.6.7
by David Goulet 16 Aug '21

16 Aug '21

Greetings, There are new security releases today. You can find these releases in the usual place at https://dist.torproject.org. Make sure (as usual) to check the signatures: my key is available at key.cgi?fingerprint=2133BC600AB133E1D826D173FE43009C4607B1FB Security issue is as follow: o Major bugfixes (cryptography, security): - Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence. For complete ChangeLog for each release, see: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.16 https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.5.10 https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.6.7 For the ReleaseNotes for the 0.4.6.x series as a whole, see: https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.6.7 Cheers! David -- lMYBijO9FpmEGKJmZQ6s/yKCHF60TEF+oFM4trwRvVk=

1 0

Upcoming security releases on August 16th, 2021
by David Goulet 11 Aug '21

11 Aug '21

Greetings everyone! Before going further, I'm David, part of the Tor network team and I'll be replacing Nick on these announcements for the foreseeable future! Now onto the announcement. We have very recently fixed an important security issue and we are thus quickly rolling out new stable releases on August 16th that is in 5 days. As per our security policy [0], this issue is considered "HIGH" causing a remote crash on possibly all tor instances (client, service, relay). We will share more details after the release. The new releases will be 0.3.5.16, 0.4.5.10 and 0.4.6.7. We are tracking this issue as TROVE-2021-007 which is listed in our registry here[1]. Cheers! David [0] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/SecurityPol… [1] https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE -- 6R0521l0PHqj/fg0IVJdNhe4W/n1xY+FxzKcOkn37rQ=

1 0