[tor-packagers] New Tor *security* releases: 0.3.5.15, 0.4.4.9, 0.4.5.9, 0.4.6.5

Nick Mathewson nickm at torproject.org
Mon Jun 14 15:15:06 UTC 2021


Hello!

There are new security releases today.  These releases fix four security
issues discovered by Jann Horn and Sergei Glazunov at Google's Project Zero.

You can find these releases in the usual place at
https://dist.torproject.org.  Make sure (as usual) to check the signatures:
my key is available at
key.cgi?fingerprint=2133BC600AB133E1D826D173FE43009C4607B1FB

Also of note:
   * The 0.4.6.5 release is the first stable release in its series.
   * Tomorrow is end-of-life for the 0.4.4.x series; there will be no more
0.4.4.x releases after today.

For information about how long each series will be supported, see
https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/CoreTorReleases
.

The security issues are as follows.  My recommendation is that nobody
should freak out, but everybody should upgrade.

  o Major bugfixes (security):
    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cells on
      half-closed streams. Previously, clients failed to validate which
      hop sent these cells: this would allow a relay on a circuit to end
      a stream that wasn't actually built with it. Fixes bug 40389;
      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
      003 and CVE-2021-34548.

  o Major bugfixes (security, defense-in-depth):
    - Detect more failure conditions from the OpenSSL RNG code.
      Previously, we would detect errors from a missing RNG
      implementation, but not failures from the RNG code itself.
      Fortunately, it appears those failures do not happen in practice
      when Tor is using OpenSSL's default RNG implementation. Fixes bug
      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.

  o Major bugfixes (security, denial of service):
    - Resist a hashtable-based CPU denial-of-service attack against
      relays. Previously we used a naive unkeyed hash function to look
      up circuits in a circuitmux object. An attacker could exploit this
      to construct circuits with chosen circuit IDs, to create
      collisions and make the hash table inefficient. Now we use a
      SipHash construction here instead. Fixes bug 40391; bugfix on
      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
    - Fix an out-of-bounds memory access in v3 onion service descriptor
      parsing. An attacker could exploit this bug by crafting an onion
      service descriptor that would crash any client that tried to visit
      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
      Glazunov from Google's Project Zero.

For complete ChangeLogs for each release, see:

https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.5.15
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.4.9
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.5.9
https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.4.6.5

For the ReleaseNotes for the 0.4.6.x series as a whole, see:

https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.4.6.5

I'll send out announcements after the download page has updated.


best wishes,
-- 
Nick
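The circuitmux fix (bug 40391) is easiest to see with a small demonstration. The following is an added example, not Tor's own code: a toy unkeyed lookup (circuit ID modulo the table size) stands in for the naive hash the entry describes, beside a SipHash-2-4 keyed lookup of the kind the fix switched to. The attacker picks circuit IDs that are all congruent modulo the table size; against the unkeyed table every ID lands in one chain, while under the keyed hash the same IDs spread out. The table size, the attacker's ID pattern and the demo key are constructed for the example; a real relay draws its SipHash key from its CSPRNG so an attacker cannot precompute collisions.

```c
/* Added example: hash-flooding against an unkeyed circuit-ID table versus
 * a SipHash-keyed one.  Not Tor's code; constants are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NBUCKETS     256u   /* toy table size (assumption for the demo) */
#define N_ATTACK_IDS 64u    /* attacker-chosen circuit IDs to insert   */

static uint64_t load64_le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do {                                                  \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);      \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                           \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                           \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);      \
} while (0)

/* SipHash-2-4 (Aumasson & Bernstein): 128-bit key, 64-bit output. */
uint64_t siphash24(const uint8_t *in, size_t inlen, const uint8_t key[16]) {
    uint64_t k0 = load64_le(key), k1 = load64_le(key + 8);
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0;
    uint64_t v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0;
    uint64_t v3 = 0x7465646279746573ULL ^ k1;
    const uint8_t *end = in + (inlen - (inlen % 8));
    uint64_t b = (uint64_t)inlen << 56;   /* length byte goes in the top */

    for (; in != end; in += 8) {          /* full 8-byte blocks */
        uint64_t m = load64_le(in);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (size_t i = 0; i < inlen % 8; i++) /* trailing bytes, little-endian */
        b |= (uint64_t)in[i] << (8 * i);

    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;                           /* finalization */
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Checks the implementation against the published SipHash-2-4 vectors
 * (key 00..0f; empty message and the 15-byte message 00..0e). */
int siphash_selfcheck(void) {
    uint8_t key[16], msg[15];
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)i;
    for (int i = 0; i < 15; i++) msg[i] = (uint8_t)i;
    return siphash24(msg, 0, key) == 0x726fdb47dd0e0e31ULL &&
           siphash24(msg, 15, key) == 0xa129ca6149be45e5ULL;
}

/* Unkeyed lookup: the bucket is a function of the attacker-chosen ID only. */
unsigned naive_bucket(uint32_t circ_id) {
    return circ_id % NBUCKETS;
}

/* Keyed lookup: the bucket also depends on a key the attacker never sees. */
unsigned keyed_bucket(uint32_t circ_id, const uint8_t key[16]) {
    uint8_t id_bytes[4];
    for (int i = 0; i < 4; i++) id_bytes[i] = (uint8_t)(circ_id >> (8 * i));
    return (unsigned)(siphash24(id_bytes, sizeof id_bytes, key) % NBUCKETS);
}

/* Attacker's ID pattern: every ID is congruent modulo NBUCKETS, which is
 * exactly the collision set for the unkeyed table. */
uint32_t attacker_circ_id(unsigned i) {
    return 0x1234u + (uint32_t)i * NBUCKETS;
}

/* Inserts the attacker's IDs into a table of chain counters and returns the
 * longest chain.  keyed == 0 uses naive_bucket, otherwise keyed_bucket. */
unsigned max_chain_length(int keyed, const uint8_t key[16]) {
    unsigned counts[NBUCKETS] = {0}, worst = 0;
    for (unsigned i = 0; i < N_ATTACK_IDS; i++) {
        uint32_t id = attacker_circ_id(i);
        unsigned b = keyed ? keyed_bucket(id, key) : naive_bucket(id);
        if (++counts[b] > worst) worst = counts[b];
    }
    return worst;
}

/* Constructed key so the demo is reproducible; a relay must draw this from
 * its CSPRNG at startup. */
const uint8_t demo_key[16] = { 0x3a, 0x9f, 0x11, 0xc4, 0x58, 0xe2, 0x07, 0x6d,
                               0xb1, 0x2c, 0x90, 0xf5, 0x4e, 0x83, 0x67, 0x1b };

int main(void) {
    printf("siphash self-check: %s\n", siphash_selfcheck() ? "ok" : "FAIL");
    printf("unkeyed hash, longest chain: %u of %u\n",
           max_chain_length(0, demo_key), N_ATTACK_IDS);
    printf("SipHash,      longest chain: %u of %u\n",
           max_chain_length(1, demo_key), N_ATTACK_IDS);
    return 0;
}
```

With the unkeyed lookup all 64 attacker IDs share one chain, so each lookup degrades to a linear scan the attacker can lengthen at will; with the keyed lookup the same IDs are spread over the table and the attacker would have to find the relay's key to reconstruct a collision set.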