---------- Forwarded message --------- From: Nick Mathewson nickm@torproject.org Date: Wed, Feb 20, 2019 at 12:29 PM Subject: Upcoming stable releases to fix a medium-severity security issue To: tor-talk@lists.torproject.org

Hi!

I'm planning to put out new Tor source releases some time Thursday or Friday. They will be versions 0.3.3.12, 0.3.4.11, 0.3.5.8, and 0.4.0.2-alpha.

These versions will, among the usual array of bugfixes, fix a medium-severity security issue: a remote denial-of-service attack vector against relays and clients running version 0.3.2.1-alpha and later. While we don't currently know an exploit for the issue, we hope that all affected relays will upgrade. The issue is traced as TROVE-2019-001, Tor bug #29168, and CVE-2019-8955.

One more reminder: the 0.3.3.x series was scheduled to reach end-of-life as of February 22. We've extended that to February 28, but after that date, there will be no more security updates for the 0.3.3.x series. If you need a version that will receive long-term support, we recommend that you stick with 0.3.5.x, which will be supported until 2022.

best wishes,