[tor-announce] Tor stable release 0.4.7.8 - Security Fix

David Goulet dgoulet at torproject.org
Fri Jun 17 19:53:36 UTC 2022


Hello everyone!

We have released tor 0.4.7.8 earlier today, a new stable version for the
0.4.7.x series containing an important High severity security fix. The
affected tor versions are only those of the 0.4.7.x series, that is, from
tor-0.4.7.1-alpha to tor-0.4.7.7.

https://forum.torproject.net/t/stable-release-0-4-7-8/3679

As stated in the announcement (link above), we strongly recommend that
everyone upgrades to 0.4.7.8. Packages are being updated and released for OS
distributions so keep an eye out! Our beloved packagers are hard at work!

Also, I will repeat it here: the security issue is categorized as a Denial of
Service, so it does not affect the security of the host machine running "tor".
Nevertheless, again, we strongly encourage you to upgrade.

Here is the ChangeLog for this version:

Changes in version 0.4.7.8 - 2022-06-17
  This version contains several bugfixes, including a High severity security
  issue categorized as a Denial of Service. Everyone running an earlier version
  should upgrade to this version.

  o Major bugfixes (congestion control, TROVE-2022-001):
    - Fix a scenario where RTT estimation can become wedged, seriously
      degrading congestion control performance on all circuits. This
      impacts clients, onion services, and relays, and can be triggered
      remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes
      bug 40626; bugfix on 0.4.7.5-alpha.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on June 17, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2022/06/17.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Allow the rseq system call in the sandbox. This solves a crash
      issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
      40601; bugfix on 0.3.5.11.

  o Minor bugfixes (logging):
    - Demote a harmless warn log message about finding a second hop
      from warn level to info level, if we do not have enough
      descriptors yet. Leave it at notice level for other cases. Fixes
      bug 40603; bugfix on 0.4.7.1-alpha.
    - Demote a notice log message about "Unexpected path length" to info
      level. These cases seem to happen arbitrarily, and we likely will
      never find all of them before the switch to arti. Fixes bug 40612;
      bugfix on 0.4.7.5-alpha.

  o Minor bugfixes (relay, logging):
    - Demote a harmless XOFF log message from notice level to info
      level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.

Cheers!
David

-- 
2T22ifd4rhYVbSbjDNppIEIrp1Iz0lnUkfbKzkbn8s4=
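For operators who want to check whether a given tor build falls inside the affected range stated above (tor-0.4.7.1-alpha through tor-0.4.7.7, fixed in 0.4.7.8), here is a small version-check script. It is an added example, not code from the Tor Project or from this announcement. It assumes tor's usual version format (four numeric components, an optional -alpha or -rc tag, and an optional -dev suffix for the development tree after a tag) and, as a conservative assumption of this script, treats any -dev tree before the 0.4.7.8 tag as affected.

```python
import re
import subprocess

# Affected range as stated in the announcement.
AFFECTED_FIRST = "0.4.7.1-alpha"
FIXED = "0.4.7.8"

# Pre-release tags sort before the final release of the same number.
_PRE_ORDER = {"alpha": 0, "rc": 1}
_FINAL = 2

_VERSION_RE = re.compile(r"^(?:tor[- ])?(\d+(?:\.\d+)*)(?:-(alpha|rc))?(-dev)?")


def parse_version(text):
    """Turn a tor version string such as '0.4.7.7', 'tor-0.4.7.1-alpha' or
    '0.4.7.7-dev' into a tuple that compares in release order:
    (major, minor, micro, patch, pre_rank, dev)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised tor version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    # Pad to tor's four numeric components so tuples compare position-wise.
    nums = nums + (0,) * (4 - len(nums))
    pre_rank = _PRE_ORDER.get(m.group(2), _FINAL)
    # Assumption: a -dev tree sits after its tag and before the next release,
    # so it is counted as affected until the fixed tag.
    dev = 1 if m.group(3) else 0
    return nums + (pre_rank, dev)


def is_affected(version):
    """True if AFFECTED_FIRST <= version < FIXED."""
    v = parse_version(version)
    return parse_version(AFFECTED_FIRST) <= v < parse_version(FIXED)


def version_from_tor_output(output):
    """Extract the version from the first line of `tor --version`, which looks
    like 'Tor version 0.4.7.8.' (note the trailing period, which is not part
    of the version). Returns None if no version line is found."""
    m = re.search(r"Tor version (\d+(?:\.\d+)*(?:-[a-z]+)*)", output)
    return m.group(1) if m else None


def check_local_tor():
    """Run the locally installed tor binary and report whether it is affected.
    Returns (version, affected) or (None, None) if tor is not installed."""
    try:
        out = subprocess.run(["tor", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None, None
    version = version_from_tor_output(out)
    if version is None:
        return None, None
    return version, is_affected(version)


if __name__ == "__main__":
    version, affected = check_local_tor()
    if version is None:
        print("tor not found in PATH or version not recognised")
    elif affected:
        print(f"tor {version} is in the affected range; upgrade to {FIXED}")
    else:
        print(f"tor {version} is not in the affected range")
```

Run it on a host with tor in PATH and it reports whether the installed build is in the affected range; the parsing functions can also be fed version strings collected from a fleet inventory.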