[tor-announce] New stable security release: Tor 0.4.6.7

Alexander Færøy ahf at torproject.org
Mon Aug 16 20:58:16 UTC 2021


Hello, everyone!

Source code for Tor 0.4.6.7 is now available; you can download the
source code from the download page at
https://www.torproject.org/download/tor/. Packages should be available
within the next several weeks, with a new Tor Browser later this week.

Changes in version 0.4.6.7 - 2021-08-16
  This version fixes several bugs from earlier versions of Tor, including one
  that could lead to a denial-of-service attack. Everyone running an earlier
  version, whether as a client, a relay, or an onion service, should upgrade
  to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.

  o Major bugfixes (cryptography, security):
    - Resolve an assertion failure caused by a behavior mismatch between our
      batch-signature verification code and our single-signature verification
      code. This assertion failure could be triggered remotely, leading to a
      denial of service attack. We fix this issue by disabling batch
      verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is
      also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de
      Valence.

  o Minor feature (fallbackdir):
    - Regenerate fallback directories list. Closes ticket 40447.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database,
      as retrieved on 2021/08/12.

  o Minor bugfix (crypto):
    - Disable the unused batch verification feature of ed25519-donna. Fixes
      bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.

  o Minor bugfixes (onion service):
    - Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address)
      for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha.

  o Minor bugfixes (relay):
    - Reduce the compression level for data streaming from HIGH to LOW in
      order to reduce CPU load on the directory relays. Fixes bug 40301;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (timekeeping):
    - Calculate the time of day correctly on systems where the time_t
      type includes leap seconds. (This is not the case on most
      operating systems, but on those where it occurs, our tor_timegm
      function did not correctly invert the system's gmtime function,
      which could result in assertion failures when calculating
      voting schedules.)  Fixes bug 40383; bugfix on 0.2.0.3-alpha.

-- 
Alexander Færøy
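
An added example, not part of the original announcement and not Tor project code: a version audit for CVE-2021-38385 that compares each host against the fixed release of its own series, since a plain "newer than 0.3.5.16" test would wrongly pass 0.4.5.9. It assumes "bugfix on 0.2.6.1-alpha" marks the first affected version; the status labels and the sample inventory are constructed, and series newer than 0.4.6 are reported as not covered because the announcement does not list them.

```python
import re

# Values taken from the announcement above.
INTRODUCED = (0, 2, 6, 1)  # "bugfix on 0.2.6.1-alpha"
FIXED = {(0, 3, 5): 16, (0, 4, 5): 10, (0, 4, 6): 7}
NEWEST_SERIES = max(FIXED)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9-]+)?")


def parse_tor_version(text):
    """Extract (major, minor, micro, patch) from a bare version string or
    from `tor --version` style output such as 'Tor version 0.4.5.9.'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tor version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(text):
    """Return (status, upgrade_target) for CVE-2021-38385."""
    v = parse_tor_version(text)
    series, patch = v[:3], v[3]
    if v < INTRODUCED:
        return "predates-bug", None
    if series > NEWEST_SERIES:
        return "not-covered", None  # the announcement says nothing about it
    if series in FIXED:
        if patch >= FIXED[series]:
            return "fixed", None
        return "vulnerable", "%d.%d.%d.%d" % (series + (FIXED[series],))
    # Affected series with no fixed release of its own: point at the next
    # listed series above it.
    nxt = min(s for s in FIXED if s > series)
    return "vulnerable", "%d.%d.%d.%d" % (nxt + (FIXED[nxt],))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "relay-a": "Tor version 0.4.5.9.",
    "relay-b": "Tor version 0.3.5.16.",
    "onion-c": "0.4.4.9",
    "client-d": "0.4.6.2-alpha",
}

if __name__ == "__main__":
    for host, raw in SAMPLE_INVENTORY.items():
        status, target = classify(raw)
        print(f"{host:10} {raw:24} {status:12} {target or '-'}")
```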

