author: David Goulet <dgoulet@torproject.org> 2021-08-16 11:53:49 -0400
committer: David Goulet <dgoulet@torproject.org> 2021-08-16 11:53:49 -0400
commit: 35f0833900c7902179430849734d26b4560a1f9f
tree: 00d362836685ed520b97c1e8189695648438da48 /ChangeLog
parent: 80d33e10aa5b4537c7dbc051b3b4e7ae3570aa12
changelog: Update with security fix stanza
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 14
1 files changed, 13 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 82631e2673..157aa5fad9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,17 @@
Changes in version 0.4.5.10 - 2021-08-16
- This version fixes several bugs from earlier versions.
+ This version fixes several bugs from earlier versions of Tor, including one
+ that could lead to a denial-of-service attack. Everyone running an earlier
+ version, whether as a client, a relay, or an onion service, should upgrade
+ to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
+
+ o Major bugfixes (cryptography, security):
+ - Resolve an assertion failure caused by a behavior mismatch between
+ our batch-signature verification code and our single-signature
+ verification code. This assertion failure could be triggered
+ remotely, leading to a denial of service attack. We fix this issue
+ by disabling batch verification. Fixes bug 40078; bugfix on
+ 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
+ CVE-2021-38385. Found by Henry de Valence.
o Minor feature (fallbackdir):
- Regenerate fallback directories list. Close ticket 40447.
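Review bot: The new "Major bugfixes (cryptography, security)" entry says "We fix this issue by disabling batch verification" but does not say which signatures or which code path the batch verification covered, or whether operators should expect any visible change from it being turned off. A relay or onion service operator reading only the ChangeLog cannot tell what behavior changed beyond the crash being gone. Consider adding a short clause naming the affected verification path and stating whether the change is permanent. As a style point, the summary paragraph writes "denial-of-service attack" while the stanza writes "denial of service attack"; pick one spelling so a search of the ChangeLog finds both. The upgrade guidance listing 0.3.5.16, 0.4.5.10 and 0.4.6.7 together with the "bugfix on 0.2.6.1-alpha" marker is useful, because it lets readers see that every release since that alpha is affected.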