[tor-packagers] New Tor *security* releases: 0.3.5.16, 0.4.5.10, 0.4.6.7
David Goulet
dgoulet at torproject.org
Mon Aug 16 20:26:27 UTC 2021
Greetings,
There are new security releases today.
You can find these releases in the usual place at https://dist.torproject.org.
Make sure (as usual) to check the signatures: my key is available at
key.cgi?fingerprint=2133BC600AB133E1D826D173FE43009C4607B1FB
The security issue is as follows:
  o Major bugfixes (cryptography, security):
    - Resolve an assertion failure caused by a behavior mismatch between
      our batch-signature verification code and our single-signature
      verification code. This assertion failure could be triggered
      remotely, leading to a denial of service attack. We fix this issue
      by disabling batch verification. Fixes bug 40078; bugfix on
      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
      CVE-2021-38385. Found by Henry de Valence.
For complete ChangeLog for each release, see:
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.16
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.5.10
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.6.7
For the ReleaseNotes for the 0.4.6.x series as a whole, see:
https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.6.7
Cheers!
David
--
lMYBijO9FpmEGKJmZQ6s/yKCHF60TEF+oFM4trwRvVk=
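The signature check requested in the announcement above, as an added example that is not part of the original message or Tor Project code: it accepts a release only when the signature validates and its primary-key fingerprint equals the one quoted in the message, instead of accepting any key that happens to be in the local keyring. It assumes GnuPG 2.x status output, a detached signature file, and an already imported key; the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint quoted in the announcement.
PINNED_FPR=2133BC600AB133E1D826D173FE43009C4607B1FB

# Read `gpg --status-fd` output on stdin. Succeed only if there is exactly
# one VALIDSIG line, its primary-key fingerprint is the pinned one, and no
# bad/expired/revoked status accompanies it. Fails closed on empty input.
signer_is_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            n++
            # Field 3 is the key that made the signature (may be a subkey);
            # the last field is the primary key fingerprint.
            if (toupper($NF) == toupper(want)) ok++
        }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" ||
        $2 == "REVKEYSIG" { bad = 1 }
        END { exit !(n == 1 && ok == 1 && !bad) }
    '
}

# usage: verify_release FILE FILE.asc   (file names are the caller's choice)
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        signer_is_pinned "$PINNED_FPR"
}

# Constructed status output: valid signature made by the pinned primary key.
SAMPLE_PINNED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FE43009C4607B1FB Constructed Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2021-08-16 1629145587 0 4 0 1 10 00 $PINNED_FPR"

# Constructed status output: cryptographically valid, but from another key
# in the keyring. A plain `gpg --verify` exit code would accept this.
OTHER_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_OTHER="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Other Key
[GNUPG:] VALIDSIG $OTHER_FPR 2021-08-16 1629145587 0 4 0 1 10 00 $OTHER_FPR"
```
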