Dear relay operators,
Today (2023-11-03) the Network Team has released new Tor versions 0.4.7.16 and 0.4.8.8[1]. These updates contains a fix to a remote crash bug (TROVE 2023 004). It is highly recommended that all relay operators upgrade to the new versions as soon as possible to maintain the network stability and security.
For those running their Tor relay using the Tor Debian repository, expect the new deb package to be available soon.
The patches prevents the issue from causing a crash in Tor. However, it will make Tor more noisy when the bug is triggered, including logging information about the remote peer that is the source or destination of the circuit in the path. Such information is important for our developers to diagnose the specific invariant within Tor's TLS logic that does not hold.
Eventually, a new version of Tor will need to be released in the future that will remove the verbose logging of this issue.
Please note that this bug is specific to Tor relays and does not impact Tor clients or Tor powered apps (Tor Browser, Orbot, OnionShare).
Thank you, Gus
[1] https://forum.torproject.org/t/security-release-0-4-7-16-and-0-4-8-8/10064