New Stable Releases: Tor, and

by dgoulet | August 16, 2021


We have a new stable release today. If you build Tor from source, you can download the source code for the latest stable release on the download page. Packages should be available within the next several weeks, with a new Tor Browser later this week.

The ChangeLog for follows below. For the changelogs for other releases, see the announcement email. These releases backport stability fixes from later Tor releases, and a security issue classified as HIGH per our policy.

Tor fixes several bugs from earlier versions of Tor, including one that could lead to a denial-of-service attack. Everyone running an earlier version, whether as a client, a relay, or an onion service, should upgrade to Tor,, or

Changes in version - 2021-08-16

  • Major bugfixes (cryptography, security):
    • Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence.
  • Minor feature (fallbackdir):
    • Regenerate fallback directories list. Close ticket 40447
  • Minor features (geoip data):
    • Update the geoip files to match the IPFire Location Database, as retrieved on 2021/08/12.
  • Minor bugfix (crypto):
    • Disable the unused batch verification feature of ed25519-donna. Fixes bug 40078; bugfix on Found by Henry de Valence.
  • Minor bugfixes (onion service):
    • Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address. Fixes bug 40421; bugfix on
  • Minor bugfixes (relay):
    • Reduce the compression level for data streaming from HIGH to LOW in order to reduce CPU load on the directory relays. Fixes bug 40301; bugfix on
  • Minor bugfixes (timekeeping):
    • Calculate the time of day correctly on systems where the time_t type includes leap seconds. (This is not the case on most operating systems, but on those where it occurs, our tor_timegm function did not correctly invert the system's gmtime function, which could result in assertion failures when calculating voting schedules.) Fixes bug 40383; bugfix on


Please note that the comment area below has been archived.

August 17, 2021


I hope this time around the actually upgrades to for all (the last few releases of 0.4.6.* have not been updated other than as experimental despite them being stable!).

As was noted on the newer versions were held off due to Debian 11 Bullseye freeze, but now that it has been released that should not be any blocking issue for upgrading to 0.4.6.

September 18, 2021


Zero ed_pubkey lets an attacker force the relay to hold open a new TLS connection for _some_ extend request.


/* Fill in ed_pubkey if it was not provided and we can infer it from
* our networkstatus */
if (ed25519_public_key_is_zero(&ec->ed_pubkey)) {
const node_t *node = node_get_by_id((const char*)ec->node_id);
const ed25519_public_key_t *node_ed_id = NULL;
if (node &&
node_supports_ed25519_link_authentication(node, 1) &&
(node_ed_id = node_get_ed25519_id(node))) {
ed25519_pubkey_copy(&ec->ed_pubkey, node_ed_id);

ed_pubkey is optional if no node information.


/* The Ed25519 key has to match too */
if (!channel_remote_identity_matches(chan, rsa_id_digest, ed_id)) {

ed_pubkey is not optional for channel reuse.