[tor-commits] [tor/release-0.4.1] fold in changelog and blurb for trove-2020-002

[nickm at torproject.org]

commit 1b0322bb4da8f0e36995ec3671000650abfa3549
Author: Nick Mathewson <nickm at torproject.org>
Date:   Tue Mar 17 15:37:45 2020 -0400

    fold in changelog and blurb for trove-2020-002
---
 ChangeLog | 40 ++++++++++++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 8 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 116684cb1..e572a0aee 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,22 +1,40 @@
 Changes in version 0.4.1.9 - 2020-03-??
-  Blurb.
+  Tor 0.4.1.9 backports important fixes from later Tor releases,
+  including a fix for TROVE-2020-002, a major denial-of-service
+  vulnerability that affected all released Tor instances since
+  0.2.1.5-alpha. Using this vulnerability, an attacker could cause Tor
+  instances to consume a huge amount of CPU, disrupting their operations
+  for several seconds or minutes. This attack could be launched by
+  anybody against a relay, or by a directory cache against any client
+  that had connected to it. The attacker could launch this attack as
+  much as they wanted, thereby disrupting service or creating patterns
+  that could aid in traffic analysis. This issue was found by OSS-Fuzz,
+  and is also tracked as CVE-2020-10592.
+
+  We do not have reason to believe that this attack is currently being
+  exploited in the wild, but nonetheless we advise everyone to upgrade
+  as soon as packages are available.
+
+  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
+    - Fix a denial-of-service bug that could be used by anyone to
+      consume a bunch of CPU on any Tor relay or authority, or by
+      directories to consume a bunch of CPU on clients or hidden
+      services. Because of the potential for CPU consumption to
+      introduce observable timing patterns, we are treating this as a
+      high-severity security issue. Fixes bug 33119; bugfix on
+      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
+      as TROVE-2020-002 and CVE-2020-10592.
 
   o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
     - Avoid a remotely triggered memory leak in the case that a circuit
       padding machine is somehow negotiated twice on the same circuit.
       Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
-      This is also tracked as TROVE-2020-004.
+      This is also tracked as TROVE-2020-004 and CVE-2020-10593.
 
   o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
     - Lowercase the configured value of BridgeDistribution before adding
       it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.
 
-  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
-    - Fix an assertion failure that could result from a corrupted
-      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
-      bugfix on 0.3.3.1-alpha. This issue is also tracked
-      as TROVE-2020-003.
-
   o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
     - If we encounter a bug when flushing a buffer to a TLS connection,
       only log the bug once per invocation of the Tor process.
@@ -24,6 +42,12 @@ Changes in version 0.4.1.9 - 2020-03-??
       us to run out of disk space. Fixes bug 33093; bugfix
       on 0.3.2.2-alpha.
 
+  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
+    - Fix an assertion failure that could result from a corrupted
+      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
+      bugfix on 0.3.3.1-alpha. This issue is also tracked
+      as TROVE-2020-003.
+
   o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
     - Fix a syntax warning given by newer versions of Rust that was
       creating problems for our continuous integration. Fixes bug 33212;