Tor 0.3.5.16, 0.4.5.10 and 0.4.6.7 releases: free software for anonymous communications

Version 0.4.6.7 – 2021-08-16

• Major bugfixes (cryptography, security):
  • Resolve an assertion failure caused by a behavior mismatch between our batch-signature verification code and our single-signature verification code. This assertion failure could be triggered remotely, leading to a denial of service attack. We fix this issue by disabling batch verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de Valence.
• Minor feature (fallbackdir):
  • Regenerate fallback directories list. Close ticket 40447.

• Minor features (geoip data):
  • Update the geoip files to match the IPFire Location Database, as retrieved on 2021/08/12.
• Minor bugfix (crypto):
  • Disable the unused batch verification feature of ed25519-donna. Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
• Minor bugfixes (onion service):
  • Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address) for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha.
• Minor bugfixes (relay):
  • Reduce the compression level for data streaming from HIGH to LOW in order to reduce CPU load on the directory relays. Fixes bug 40301; bugfix on 0.3.5.1-alpha.
• Minor bugfixes (timekeeping):
  • Calculate the time of day correctly on systems where the time_t type includes leap seconds. (This is not the case on most operating systems, but on those where it occurs, our tor_timegm function did not correctly invert the system’s gmtime function, which could result in assertion failures when calculating voting schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.

Download