Change logs for tor source package in Impish

  • tor (0.4.5.9-1) unstable; urgency=medium
    
      * New upstream version, fixing several (security) issues (closes: #990000).
        For a full list see the upstream changelog.  It includes:
        - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
          half-closed streams. Previously, clients failed to validate which
          hop sent these cells: this would allow a relay on a circuit to end
          a stream that wasn't actually built with it.
          Bugfix on 0.3.5.1-alpha. This issue is also tracked as
          TROVE-2021-003 and CVE-2021-34548.
        - Detect more failure conditions from the OpenSSL RNG code.
          Previously, we would detect errors from a missing RNG
          implementation, but not failures from the RNG code itself.
          Fortunately, it appears those failures do not happen in practice
          when Tor is using OpenSSL's default RNG implementation.
          Bugfix on 0.2.8.1-alpha. This issue is also tracked as
          TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
        - Resist a hashtable-based CPU denial-of-service attack against
          relays. Previously we used a naive unkeyed hash function to look
          up circuits in a circuitmux object. An attacker could exploit this
          to construct circuits with chosen circuit IDs, to create
          collisions and make the hash table inefficient. Now we use a
          SipHash construction here instead. Bugfix on
          0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
          CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
        - Fix an out-of-bounds memory access in v3 onion service descriptor
          parsing. An attacker could exploit this bug by crafting an onion
          service descriptor that would crash any client that tried to visit
          it. Bugfix on 0.3.0.1-alpha. This issue is also
          tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
          Glazunov from Google's Project Zero.
    
     -- Peter Palfrader <email address hidden>  Fri, 18 Jun 2021 11:06:56 +0200
  • tor (0.4.5.8-1) unstable; urgency=medium
    
      * New upstream version.
    
     -- Peter Palfrader <email address hidden>  Wed, 19 May 2021 08:51:43 +0200
  • tor (0.4.5.7-1) unstable; urgency=high
    
      * New upstream version, fixes two security issues:
        - Disable the dump_desc() function.
          (TROVE-2021-001 and CVE-2021-28089).
        - Fix a bug in appending detached signatures.
          (TROVE-2021-002 and CVE-2021-28090)
    
     -- Peter Palfrader <email address hidden>  Tue, 16 Mar 2021 15:01:09 +0100
  • tor (0.4.5.6-1) unstable; urgency=medium
    
      * New upstream version.
    
     -- Peter Palfrader <email address hidden>  Tue, 16 Feb 2021 08:43:47 +0100