[tor-commits] [tor/release-0.4.5] changelog: Update with security fix stanza

dgoulet at torproject.org dgoulet at torproject.org
Mon Aug 16 19:33:49 UTC 2021


commit 35f0833900c7902179430849734d26b4560a1f9f
Author: David Goulet <dgoulet at torproject.org>
Date:   Mon Aug 16 11:53:49 2021 -0400

    changelog: Update with security fix stanza
    
    Signed-off-by: David Goulet <dgoulet at torproject.org>
---
 ChangeLog    | 14 +++++++++++++-
 ReleaseNotes | 16 ++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 82631e2673..157aa5fad9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
 Changes in version 0.4.5.10 - 2021-08-16
-  This version fixes several bugs from earlier versions.
+  This version fixes several bugs from earlier versions of Tor, including one
+  that could lead to a denial-of-service attack. Everyone running an earlier
+  version, whether as a client, a relay, or an onion service, should upgrade
+  to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
+
+  o Major bugfixes (cryptography, security):
+    - Resolve an assertion failure caused by a behavior mismatch between
+      our batch-signature verification code and our single-signature
+      verification code. This assertion failure could be triggered
+      remotely, leading to a denial of service attack. We fix this issue
+      by disabling batch verification. Fixes bug 40078; bugfix on
+      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
+      CVE-2021-38385. Found by Henry de Valence.
 
   o Minor feature (fallbackdir):
     - Regenerate fallback directories list. Close ticket 40447.
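Review bot: The added stanza spells the same term two ways, "denial-of-service attack" in the introductory paragraph and "denial of service attack" in the "Major bugfixes (cryptography, security)" bullet; pick one form, preferably the hyphenated one, so a search of the ChangeLog for the term finds both. The bullet also states the fix as "disabling batch verification" without saying whether that is a permanent change or a stopgap. One clause on that would tell operators what to expect from later releases.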
diff --git a/ReleaseNotes b/ReleaseNotes
index c8b4a12cfa..a6e39c2362 100644
--- a/ReleaseNotes
+++ b/ReleaseNotes
@@ -2,8 +2,20 @@ This document summarizes new features and bugfixes in each stable
 release of Tor. If you want to see more detailed descriptions of the
 changes in each development snapshot, see the ChangeLog file.
 
-Changes in version 0.4.5.10 - 2021-08-13
-  This version fixes several bugs from earlier versions.
+Changes in version 0.4.5.10 - 2021-08-16
+  This version fixes several bugs from earlier versions of Tor, including one
+  that could lead to a denial-of-service attack. Everyone running an earlier
+  version, whether as a client, a relay, or an onion service, should upgrade
+  to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
+
+  o Major bugfixes (cryptography, security):
+    - Resolve an assertion failure caused by a behavior mismatch between our
+      batch-signature verification code and our single-signature verification
+      code. This assertion failure could be triggered remotely, leading to a
+      denial of service attack. We fix this issue by disabling batch
+      verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is
+      also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de
+      Valence.
 
   o Minor feature (fallbackdir):
     - Regenerate fallback directories list. Close ticket 40447.
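Review bot: The header line in this hunk changes the release date from 2021-08-13 to 2021-08-16, which the commit message ("Update with security fix stanza") does not mention; note the date correction in the message or split it out, so that someone tracing the history of the ReleaseNotes header can find it. The security bullet here is also wrapped at a different width than the identical text in ChangeLog, so the two stanzas are not line-for-line the same. Keeping them identical would make it easier to diff the two files and to forward-port the entry to the other release branches.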




