[tor-commits] [tor/release-0.4.3] fold in changelog and blurb for trove-2020-002

nickm at torproject.org nickm at torproject.org
Wed Mar 18 13:34:40 UTC 2020 

commit 2d47cb984d0f882e9347f8e7ebcac5723c94337e
Author: Nick Mathewson <nickm at torproject.org>
Date:   Tue Mar 17 15:37:34 2020 -0400

    fold in changelog and blurb for trove-2020-002
---
 ChangeLog           | 40 ++++++++++++++++++++++++++++++++--------
 changes/ticket33119 |  8 --------
 2 files changed, 32 insertions(+), 16 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 9c8fecfef..98c3d01ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,11 +1,35 @@
 Changes in version 0.4.3.3-alpha - 2020-03-??
-  blurb here.
+  Tor 0.4.3.3-alpha fixes several bugs in previous releases, including
+  TROVE-2020-002, a major denial-of-service vulnerability that affected
+  all released Tor instances since 0.2.1.5-alpha. Using this
+  vulnerability, an attacker could cause Tor instances to consume a huge
+  amount of CPU, disrupting their operations for several seconds or
+  minutes. This attack could be launched by anybody against a relay, or
+  by a directory cache against any client that had connected to it. The
+  attacker could launch this attack as much as they wanted, thereby
+  disrupting service or creating patterns that could aid in traffic
+  analysis. This issue was found by OSS-Fuzz, and is also tracked
+  as CVE-2020-10592.
+
+  We do not have reason to believe that this attack is currently being
+  exploited in the wild, but nonetheless we advise everyone to upgrade
+  as soon as packages are available.
+
+  o Major bugfixes (security, denial-of-service):
+    - Fix a denial-of-service bug that could be used by anyone to
+      consume a bunch of CPU on any Tor relay or authority, or by
+      directories to consume a bunch of CPU on clients or hidden
+      services. Because of the potential for CPU consumption to
+      introduce observable timing patterns, we are treating this as a
+      high-severity security issue. Fixes bug 33119; bugfix on
+      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
+      as TROVE-2020-002 and CVE-2020-10592.
 
   o Major bugfixes (circuit padding, memory leak):
     - Avoid a remotely triggered memory leak in the case that a circuit
       padding machine is somehow negotiated twice on the same circuit.
       Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
-      This is also tracked as TROVE-2020-004.
+      This is also tracked as TROVE-2020-004 and CVE-2020-10593.
 
   o Major bugfixes (directory authority):
     - Directory authorities will now send a 503 (not enough bandwidth)
@@ -44,18 +68,18 @@ Changes in version 0.4.3.3-alpha - 2020-03-??
     - Remove the buggy and unused mirroring job. Fixes bug 33213; bugfix
       on 0.3.2.2-alpha.
 
-  o Minor bugfixes (onion services v3):
-    - Fix an assertion failure that could result from a corrupted
-      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
-      bugfix on 0.3.3.1-alpha. This issue is also tracked
-      as TROVE-2020-003.
-
   o Minor bugfixes (onion service v3, client):
     - Remove a BUG() warning that would cause a stack trace if an onion
       service descriptor was freed while we were waiting for a
       rendezvous circuit to complete. Fixes bug 28992; bugfix
       on 0.3.2.1-alpha.
 
+  o Minor bugfixes (onion services v3):
+    - Fix an assertion failure that could result from a corrupted
+      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
+      bugfix on 0.3.3.1-alpha. This issue is also tracked
+      as TROVE-2020-003.
+
   o Documentation (manpage):
     - Alphabetize the Server and Directory server sections of the tor
       manpage. Also split Statistics options into their own section of
diff --git a/changes/ticket33119 b/changes/ticket33119
deleted file mode 100644
index 11c20bc7a..000000000
--- a/changes/ticket33119
+++ /dev/null
@@ -1,8 +0,0 @@
-  o Major bugfixes (security, denial-of-service):
-    - Fix a denial-of-service bug that could be used by anyone to consume a
-      bunch of CPU on any Tor relay or authority, or by directories to
-      consume a bunch of CPU on clients or hidden services. Because
-      of the potential for CPU consumption to introduce observable
-      timing patterns, we are treating this as a high-severity security
-      issue.  Fixes bug 33119; bugfix on 0.2.1.5-alpha. We are also tracking
-      this issue as TROVE-2020-002.

More information about the tor-commits mailing list