author | David Goulet <dgoulet@torproject.org> | 2021-08-16 11:54:01 -0400 |
---|---|---|
committer | David Goulet <dgoulet@torproject.org> | 2021-08-16 11:54:01 -0400 |
commit | fde7ffb13f974dca75546188ee38fd762277a850 (patch) | |
tree | cf815d90a52c744f426b6d39bebf80bdc62a23f8 /ChangeLog | |
parent | 1f76b3cce7c8aaaf08ae1a35799b5b366c7dfaf4 (diff) | |
changelog: Update with security fix stanza
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 14 |
1 files changed, 13 insertions, 1 deletions
@@ -1,5 +1,17 @@ Changes in version 0.4.6.7 - 2021-08-16 - This version fixes several bugs from earlier versions. + This version fixes several bugs from earlier versions of Tor, including one + that could lead to a denial-of-service attack. Everyone running an earlier + version, whether as a client, a relay, or an onion service, should upgrade + to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between + our batch-signature verification code and our single-signature + verification code. This assertion failure could be triggered + remotely, leading to a denial of service attack. We fix this issue + by disabling batch verification. Fixes bug 40078; bugfix on + 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and + CVE-2021-38385. Found by Henry de Valence. o Minor feature (fallbackdir): - Regenerate fallback directories list. Close ticket 40447. |
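Review bot: In the new "Major bugfixes (cryptography, security)" entry, "denial of service attack" is unhyphenated, while the introductory paragraph added in the same hunk writes "denial-of-service attack"; use the hyphenated form in both places. The entry also gives the fix as "disabling batch verification" without saying whether that is a permanent change or a stopgap. A short clause on that would tell operators reading the ChangeLog what behaviour they get after upgrading to 0.3.5.16, 0.4.5.10, or 0.4.6.7.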