From 1b0322bb4da8f0e36995ec3671000650abfa3549 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 17 Mar 2020 15:37:45 -0400 Subject: fold in changelog and blurb for trove-2020-002 --- ChangeLog | 40 ++++++++++++++++++++++++++++++++-------- 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 116684cb1a..e572a0aee6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,22 +1,40 @@ Changes in version 0.4.1.9 - 2020-03-?? - Blurb. + Tor 0.4.1.9 backports important fixes from later Tor releases, + including a fix for TROVE-2020-002, a major denial-of-service + vulnerability that affected all released Tor instances since + 0.2.1.5-alpha. Using this vulnerability, an attacker could cause Tor + instances to consume a huge amount of CPU, disrupting their operations + for several seconds or minutes. This attack could be launched by + anybody against a relay, or by a directory cache against any client + that had connected to it. The attacker could launch this attack as + much as they wanted, thereby disrupting service or creating patterns + that could aid in traffic analysis. This issue was found by OSS-Fuzz, + and is also tracked as CVE-2020-10592. + + We do not have reason to believe that this attack is currently being + exploited in the wild, but nonetheless we advise everyone to upgrade + as soon as packages are available. + + o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha): + - Fix a denial-of-service bug that could be used by anyone to + consume a bunch of CPU on any Tor relay or authority, or by + directories to consume a bunch of CPU on clients or hidden + services. Because of the potential for CPU consumption to + introduce observable timing patterns, we are treating this as a + high-severity security issue. Fixes bug 33119; bugfix on + 0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue + as TROVE-2020-002 and CVE-2020-10592. o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha): - Avoid a remotely triggered memory leak in the case that a circuit padding machine is somehow negotiated twice on the same circuit. Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls. - This is also tracked as TROVE-2020-004. + This is also tracked as TROVE-2020-004 and CVE-2020-10593. o Minor bugfixes (bridges, backport from 0.4.3.1-alpha): - Lowercase the configured value of BridgeDistribution before adding it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha. - o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha): - - Fix an assertion failure that could result from a corrupted - ADD_ONION control port command. Found by Saibato. Fixes bug 33137; - bugfix on 0.3.3.1-alpha. This issue is also tracked - as TROVE-2020-003. - o Minor bugfixes (logging, backport from 0.4.3.2-alpha): - If we encounter a bug when flushing a buffer to a TLS connection, only log the bug once per invocation of the Tor process. @@ -24,6 +42,12 @@ Changes in version 0.4.1.9 - 2020-03-?? us to run out of disk space. Fixes bug 33093; bugfix on 0.3.2.2-alpha. + o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha): + - Fix an assertion failure that could result from a corrupted + ADD_ONION control port command. Found by Saibato. Fixes bug 33137; + bugfix on 0.3.3.1-alpha. This issue is also tracked + as TROVE-2020-003. + o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha): - Fix a syntax warning given by newer versions of Rust that was creating problems for our continuous integration. Fixes bug 33212; -- cgit v1.2.3-54-g00ecf