New Stable Releases: Tor 0.3.5.16, 0.4.5.10 and 0.4.6.7

Greetings!

We have a new stable release today. If you build Tor from source, you can download the source code for the latest stable release on the download page. Packages should be available within the next several weeks, with a new Tor Browser later this week.

The ChangeLog for 0.4.6.7 follows below. For the changelogs for other releases, see the announcement email. These releases backport stability fixes from later Tor releases, and a security issue classified as HIGH per our policy.

Tor 0.4.6.7 fixes several bugs from earlier versions of Tor, including one that could lead to a denial-of-service attack. Everyone running an earlier version, whether as a client, a relay, or an onion service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.

Changes in version 0.4.6.7 - 2021-08-16

  • Major bugfixes (cryptography, security):
    • Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence.
  • Minor feature (fallbackdir):
    • Regenerate fallback directories list. Close ticket 40447
  • Minor features (geoip data):
    • Update the geoip files to match the IPFire Location Database, as retrieved on 2021/08/12.
  • Minor bugfix (crypto):
    • Disable the unused batch verification feature of ed25519-donna. Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
  • Minor bugfixes (onion service):
    • Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha.
  • Minor bugfixes (relay):
    • Reduce the compression level for data streaming from HIGH to LOW in order to reduce CPU load on the directory relays. Fixes bug 40301; bugfix on 0.3.5.1-alpha.
  • Minor bugfixes (timekeeping):
    • Calculate the time of day correctly on systems where the time_t type includes leap seconds. (This is not the case on most operating systems, but on those where it occurs, our tor_timegm function did not correctly invert the system's gmtime function, which could result in assertion failures when calculating voting schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.
Anonymous

August 17, 2021

Permalink

I hope this time around the deb.torproject.org actually upgrades to 0.4.6.7 for all (the last few releases of 0.4.6.* have not been updated other than as experimental despite them being stable!).

As was noted on gitlab.torproject.org/tpo/tpa/team/-/issues/40221#note_2745110 the newer versions were held off due to Debian 11 Bullseye freeze, but now that it has been released that should not be any blocking issue for upgrading to 0.4.6.

Join the discussion...

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the post moderator. Please do not comment as a way to receive support or report bugs on a post unrelated to a release. If you are looking for support, please see our support portal or ways to get in touch with us.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

6 + 8 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.