Also of note: * The 0.4.6.5 release is the first stable release in its series. * Tomorrow is end-of-life for the 0.4.4.x series; there will be no more 0.4.4.x releases after today. For information about how long each series will be supported, see https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/CoreTorReleases . The security issues are as follows. My recommendation is that nobody should freak out, but everybody should upgrade. o Major bugfixes (security): - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on half-closed streams. Previously, clients failed to validate which hop sent these cells: this would allow a relay on a circuit to end a stream that wasn't actually built with it. Fixes bug 40389; bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- 003 and CVE-2021-34548. o Major bugfixes (security, defense-in-depth): - Detect more failure conditions from the OpenSSL RNG code. Previously, we would detect errors from a missing RNG implementation, but not failures from the RNG code itself. Fortunately, it appears those failures do not happen in practice when Tor is using OpenSSL's default RNG implementation. Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. o Major bugfixes (security, denial of service): - Resist a hashtable-based CPU denial-of-service attack against relays. Previously we used a naive unkeyed hash function to look up circuits in a circuitmux object. An attacker could exploit this to construct circuits with chosen circuit IDs, to create collisions and make the hash table inefficient. Now we use a SipHash construction here instead. Fixes bug 40391; bugfix on 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. - Fix an out-of-bounds memory access in v3 onion service descriptor parsing. An attacker could exploit this bug by crafting an onion service descriptor that would crash any client that tried to visit it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei Glazunov from Google's Project Zero.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d57a3b5a9229c29102731cfc5f2686219eb4c7a4 commit d57a3b5a9229c29102731cfc5f2686219eb4c7a4 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-06-14 16:10:50 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-06-14 16:11:23 +0000 net-vpn/tor: add 0.4.6.5 Bug: https://bugs.gentoo.org/795969 Signed-off-by: Sam James <sam@gentoo.org> net-vpn/tor/Manifest | 2 + net-vpn/tor/tor-0.4.6.5.ebuild | 108 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 110 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1a62358eb0bef0702ce8174ff1c724871446f9b commit f1a62358eb0bef0702ce8174ff1c724871446f9b Author: Sam James <sam@gentoo.org> AuthorDate: 2021-06-14 16:10:46 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-06-14 16:11:22 +0000 net-vpn/tor: add 0.4.5.9 Bug: https://bugs.gentoo.org/795969 Signed-off-by: Sam James <sam@gentoo.org> net-vpn/tor/Manifest | 2 + net-vpn/tor/tor-0.4.5.9.ebuild | 95 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 97 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b50e42bbe4e5b043d81f39bb81363d207f9f727 commit 0b50e42bbe4e5b043d81f39bb81363d207f9f727 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-06-14 16:10:42 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-06-14 16:11:21 +0000 net-vpn/tor: add 0.4.4.9 Bug: https://bugs.gentoo.org/795969 Signed-off-by: Sam James <sam@gentoo.org> net-vpn/tor/Manifest | 2 + net-vpn/tor/tor-0.4.4.9.ebuild | 109 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 111 insertions(+)
arm64 done
arm done
ppc done
ppc64 done
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please vote.
Unable to check for sanity: > no match for package: net-vpn/tor-0.4.5.9
This issue was resolved and addressed in GLSA 202107-25 at https://security.gentoo.org/glsa/202107-25 by GLSA coordinator John Helmert III (ajak).
Reopening for cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ece19340e455a495fe963602e5d458089947d34 commit 0ece19340e455a495fe963602e5d458089947d34 Author: John Helmert III <ajak@gentoo.org> AuthorDate: 2021-07-25 20:52:39 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2021-07-26 03:12:47 +0000 net-vpn/tor: drop 0.4.5.7-r1 Bug: https://bugs.gentoo.org/795969 Signed-off-by: John Helmert III <ajak@gentoo.org> net-vpn/tor/Manifest | 2 - net-vpn/tor/tor-0.4.5.7-r1.ebuild | 109 -------------------------------------- 2 files changed, 111 deletions(-)
All done!