author | David Goulet <dgoulet@torproject.org> | 2021-08-16 16:43:14 -0400 |
---|---|---|
committer | David Goulet <dgoulet@torproject.org> | 2021-08-16 16:43:14 -0400 |
commit | 03a709ead1368e3033fdf9933243945e46a65f0b (patch) | |
tree | f1f2a3366aa9b41097031f367d91e235dfc83af8 /ChangeLog | |
parent | 50e32a54d1c05e6d34b60de5d082812c4bc7ca59 (diff) | |
download | tor-03a709ead1368e3033fdf9933243945e46a65f0b.tar.gz tor-03a709ead1368e3033fdf9933243945e46a65f0b.zip |
Forward merge the latest ChangeLog/ReleaseNotes
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 127 |
1 files changed, 127 insertions, 0 deletions
@@ -1,3 +1,130 @@ +Changes in version 0.4.6.7 - 2021-08-16 + This version fixes several bugs from earlier versions of Tor, + including one that could lead to a denial-of-service attack. Everyone + running an earlier version, whether as a client, a relay, or an onion + service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between + our batch-signature verification code and our single-signature + verification code. This assertion failure could be triggered + remotely, leading to a denial of service attack. We fix this issue + by disabling batch verification. Fixes bug 40078; bugfix on + 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and + CVE-2021-38385. Found by Henry de Valence. + + o Minor feature (fallbackdir): + - Regenerate fallback directories list. Close ticket 40447. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/08/12. + + o Minor bugfix (crypto): + - Disable the unused batch verification feature of ed25519-donna. + Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry + de Valence. + + o Minor bugfixes (onion service): + - Send back the extended SOCKS error 0xF6 (Onion Service Invalid + Address) for a v2 onion address. Fixes bug 40421; bugfix + on 0.4.6.2-alpha. + + o Minor bugfixes (relay): + - Reduce the compression level for data streaming from HIGH to LOW + in order to reduce CPU load on the directory relays. Fixes bug + 40301; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (timekeeping): + - Calculate the time of day correctly on systems where the time_t + type includes leap seconds. (This is not the case on most + operating systems, but on those where it occurs, our tor_timegm + function did not correctly invert the system's gmtime function, + which could result in assertion failures when calculating voting + schedules.) 
Fixes bug 40383; bugfix on 0.2.0.3-alpha. + + +Changes in version 0.4.5.10 - 2021-08-16 + This version fixes several bugs from earlier versions of Tor, + including one that could lead to a denial-of-service attack. Everyone + running an earlier version, whether as a client, a relay, or an onion + service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between + our batch-signature verification code and our single-signature + verification code. This assertion failure could be triggered + remotely, leading to a denial of service attack. We fix this issue + by disabling batch verification. Fixes bug 40078; bugfix on + 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and + CVE-2021-38385. Found by Henry de Valence. + + o Minor feature (fallbackdir): + - Regenerate fallback directories list. Close ticket 40447. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/08/12. + + o Minor features (testing): + - Enable the deterministic RNG for unit tests that covers the + address set bloomfilter-based API's. Fixes bug 40419; bugfix + on 0.3.3.2-alpha. + + o Minor bugfix (crypto, backport from 0.4.6.7): + - Disable the unused batch verification feature of ed25519-donna. + Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry + de Valence. + + o Minor bugfixes (relay, backport from 0.4.6.7): + - Reduce the compression level for data streaming from HIGH to LOW. + Fixes bug 40301; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (timekeeping, backport from 0.4.6.7): + - Calculate the time of day correctly on systems where the time_t + type includes leap seconds. 
(This is not the case on most + operating systems, but on those where it occurs, our tor_timegm + function did not correctly invert the system's gmtime function, + which could result in assertion failures when calculating voting + schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha. + + o Minor bugfixes (warnings, portability, backport from 0.4.6.6): + - Suppress a strict-prototype warning when building with some + versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha. + + +Changes in version 0.3.5.16 - 2021-08-16 + This version fixes several bugs from earlier versions of Tor, + including one that could lead to a denial-of-service attack. Everyone + running an earlier version, whether as a client, a relay, or an onion + service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between + our batch-signature verification code and our single-signature + verification code. This assertion failure could be triggered + remotely, leading to a denial of service attack. We fix this issue + by disabling batch verification. Fixes bug 40078; bugfix on + 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and + CVE-2021-38385. Found by Henry de Valence. + + o Minor feature (fallbackdir): + - Regenerate fallback directories list. Close ticket 40447. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/08/12. + + o Minor bugfix (crypto, backport from 0.4.6.7): + - Disable the unused batch verification feature of ed25519-donna. + Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry + de Valence. + + o Minor bugfixes (relay, backport from 0.4.6.7): + - Reduce the compression level for data streaming from HIGH to LOW. + Fixes bug 40301; bugfix on 0.3.5.1-alpha. 
+ + Changes in version 0.4.6.6 - 2021-06-30 Tor 0.4.6.6 makes several small fixes on 0.4.6.5, including one that allows Tor to build correctly on older versions of GCC. You should |
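Review bot: In each of the three new release sections (0.4.6.7, 0.4.5.10, 0.3.5.16), bug 40078 is listed twice: once under "Major bugfixes (cryptography, security)" as the fix for the remotely triggerable assertion failure, and again under "Minor bugfix (crypto)" as "Disable the unused batch verification feature of ed25519-donna", both ending "Fixes bug 40078; bugfix on 0.2.6.1-alpha". The major entry already states that the fix is disabling batch verification, so someone auditing the release can read these as two separate changes; consider folding the minor entry into the major one, or having it refer back to TROVE-2021-007. Two smaller points: in the 0.4.5.10 section the "Minor features (testing)" item is worded as a fix ("Fixes bug 40419; bugfix on 0.3.3.2-alpha") and "API's" should be "APIs"; and the timekeeping fix (bug 40383, bugfix on 0.2.0.3-alpha) is listed for 0.4.6.7 and 0.4.5.10 but not for 0.3.5.16, which is worth confirming as intentional.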