Backport changelog entries

6 files changed, 37 insertions, 27 deletions

diff --git a/ChangeLog b/ChangeLog
index 2575857470..82d3bb9fc1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,39 @@ Changes in version 0.4.4.9 - 2021-06-1?
   June 15. This is therefore the last release in its series. Everybody
   still running 0.4.4.x should plan to upgrade to 0.4.5.x or later.
 
+  o Major bugfixes (security, backport from 0.4.6.5):
+    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
+      half-closed streams. Previously, clients failed to validate which
+      hop sent these cells: this would allow a relay on a circuit to end
+      a stream that wasn't actually built with it. Fixes bug 40389;
+      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
+      003 and CVE-2021-34548.
+
+  o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
+    - Detect more failure conditions from the OpenSSL RNG code.
+      Previously, we would detect errors from a missing RNG
+      implementation, but not failures from the RNG code itself.
+      Fortunately, it appears those failures do not happen in practice
+      when Tor is using OpenSSL's default RNG implementation. Fixes bug
+      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
+
+  o Major bugfixes (security, denial of service, backport from 0.4.6.5):
+    - Resist a hashtable-based CPU denial-of-service attack against
+      relays. Previously we used a naive unkeyed hash function to look
+      up circuits in a circuitmux object. An attacker could exploit this
+      to construct circuits with chosen circuit IDs, to create
+      collisions and make the hash table inefficient. Now we use a
+      SipHash construction here instead. Fixes bug 40391; bugfix on
+      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
+      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
+    - Fix an out-of-bounds memory access in v3 onion service descriptor
+      parsing. An attacker could exploit this bug by crafting an onion
+      service descriptor that would crash any client that tried to visit
+      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
+      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
+      Glazunov from Google's Project Zero.
+
   o Minor features (compatibility, backport from 0.4.6.4-rc):
     - Remove an assertion function related to TLS renegotiation. It was
       used nowhere outside the unit tests, and it was breaking
@@ -15,6 +48,10 @@ Changes in version 0.4.4.9 - 2021-06-1?
     - Regenerate the list of fallback directories to contain a new set
       of 200 relays. Closes ticket 40265.
 
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database, as
+      retrieved on 2021/06/10.
+
   o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
     - Fix a non-fatal BUG() message due to a too-early free of a string,
       when listing a client connection from the DoS defenses subsystem.
diff --git a/changes/bug40391 b/changes/bug40391
deleted file mode 100644
index e3c186275f..0000000000
--- a/changes/bug40391
+++ /dev/null
@@ -1,9 +0,0 @@
-  o Major bugfixes (security):
-    - Resist a hashtable-based CPU denial-of-service attack against
-      relays. Previously we used a naive unkeyed hash function to look up
-      circuits in a circuitmux object. An attacker could exploit this to
-      construct circuits with chosen circuit IDs in order to try to create
-      collisions and make the hash table inefficient.  Now we use a SipHash
-      construction for this hash table instead. Fixes bug 40391; bugfix on
-      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005.
-      Reported by Jann Horn from Google's Project Zero.
diff --git a/changes/bug40392 b/changes/bug40392
deleted file mode 100644
index 4dffa50bb2..0000000000
--- a/changes/bug40392
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Major bugfixes (security, denial of service, onion services):
-  - Fix an out-of-bounds memory access in v3 descriptor parsing. Fixes bug
-    40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as
-    TROVE-2021-006. Reported by Sergei Glazunov from Google's Project Zero.
\ No newline at end of file
diff --git a/changes/geoip-2021-06-10 b/changes/geoip-2021-06-10
deleted file mode 100644
index 2b798012c8..0000000000
--- a/changes/geoip-2021-06-10
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database,
-      as retrieved on 2021/06/10.
diff --git a/changes/ticket40389 b/changes/ticket40389
deleted file mode 100644
index 7dcf65b32e..0000000000
--- a/changes/ticket40389
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Major bugfixes (relay, TROVE):
-    - Don't allow entry or middle relays to spoof RELAY_END or RELAY_RESOLVED
-      cell on half-closed streams. Fixes bug 40389; bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket40390 b/changes/ticket40390
deleted file mode 100644
index b56fa4d9da..0000000000
--- a/changes/ticket40390
+++ /dev/null
@@ -1,8 +0,0 @@
-  o Major bugfixes (security, defense-in-depth):
-    - Detect a wider variety of failure conditions from the OpenSSL RNG
-      code. Previously, we would detect errors from a missing RNG
-      implementation, but not failures from the RNG code itself.
-      Fortunately, it appears those failures do not happen in practice
-      when Tor is using OpenSSL's default RNG implementation.
-      Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
-      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.