Greetings,
There are new security releases today.
You can find these releases in the usual place at https://dist.torproject.org. Make sure (as usual) to check the signatures: my key is available at key.cgi?fingerprint=2133BC600AB133E1D826D173FE43009C4607B1FB
The security issue is as follows:
  o Major bugfixes (cryptography, security):
    - Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence.
For the complete ChangeLog for each release, see:
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.16
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.5.10
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.6.7
For the ReleaseNotes for the 0.4.6.x series as a whole, see:
https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.6.7
Cheers!
David
tor-packagers@lists.torproject.org
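
One way to do the signature check the message asks for, pinned to the fingerprint it quotes (an added example, not part of the original announcement and not Tor's own tooling). The function names, the file arguments and the sample status lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Pin the release-signing fingerprint instead of trusting "Good signature" text,
# which gpg prints for ANY key that happens to be in the local keyring.

# Fingerprint exactly as quoted in the announcement.
EXPECTED_FPR="2133BC600AB133E1D826D173FE43009C4607B1FB"

# Constructed sample of gpg --status-fd output (not captured from a real run).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FE43009C4607B1FB Constructed Signer
[GNUPG:] VALIDSIG 2133BC600AB133E1D826D173FE43009C4607B1FB 2021-08-16 1629100000 0 4 0 1 10 00 2133BC600AB133E1D826D173FE43009C4607B1FB'

# status_has_pinned_sig STATUS_TEXT FPR
# Succeeds only if a VALIDSIG status line names FPR either as the signing key
# (field 3) or as the primary key (last field, covers signing subkeys).
# Only the machine-readable [GNUPG:] lines are parsed, so a user ID that
# merely contains the fingerprint string cannot satisfy the check.
status_has_pinned_sig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want))
                ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# verify_release FILE SIG
# FILE and SIG are whatever release file and detached signature were
# downloaded; their names are supplied by the caller, not assumed here.
verify_release() {
    _status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    status_has_pinned_sig "$_status" "$EXPECTED_FPR"
}

# Usage (after importing the signer's key):
#   verify_release <release-file> <signature-file> && echo "signature OK"
```
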