From 59c522b964024dd4bf616989966223f0b6165220 Mon Sep 17 00:00:00 2001 From: David Goulet Date: Mon, 16 Aug 2021 11:53:34 -0400 Subject: changelog: Update with security fix stanza Signed-off-by: David Goulet --- ChangeLog | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index f4e7006ecc..aa7cfcacc7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,17 @@ Changes in version 0.3.5.16 - 2021-08-16 - This version fixes several bugs from earlier versions. + This version fixes several bugs from earlier versions of Tor, including one + that could lead to a denial-of-service attack. Everyone running an earlier + version, whether as a client, a relay, or an onion service, should upgrade + to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between + our batch-signature verification code and our single-signature + verification code. This assertion failure could be triggered + remotely, leading to a denial of service attack. We fix this issue + by disabling batch verification. Fixes bug 40078; bugfix on + 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and + CVE-2021-38385. Found by Henry de Valence. o Minor feature (fallbackdir): - Regenerate fallback directories list. Close ticket 40447. -- cgit v1.2.3-54-g00ecf
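Review bot: In the new "Major bugfixes (cryptography, security)" entry, the mitigation is stated only as "We fix this issue by disabling batch verification", with no indication of whether that is a permanent change or a stopgap until the batch and single-signature paths agree. A short clause saying which it is would help operators and downstream packagers reading the ChangeLog. Separately, the intro paragraph writes "denial-of-service attack" while the entry writes "denial of service attack"; use the same spelling in both. The entry is otherwise well cross-referenced (bug 40078, TROVE-2021-007, CVE-2021-38385, and the "bugfix on 0.2.6.1-alpha" origin), and the upgrade targets 0.3.5.16, 0.4.5.10 and 0.4.6.7 are listed in the intro for every affected role.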