Greetings,
We just released tor stable 0.4.9.9 as a security release.
Here is the announcement:
https://forum.torproject.org/t/security-release-0-4-9-9/21664
The ChangeLog is below.
Cheers!
David
Changes in version 0.4.9.9 - 2026-06-01
  This is a security release with several major bugfixes for issues that were
  reported in the past weeks. We strongly recommend upgrading as soon as
  possible.

  o Major bugfixes (compression, security):
    - Fix a compression bomb bypass where an attacker could concatenate
      many gzip or zlib sub-streams, each just under the per-stream
      detection threshold, to avoid the compression bomb check entirely.
      TROVE-2026-022. Fixes bug 41275; bugfix on 0.3.1.1-alpha.
    - Fix an infinite loop when decompressing a truncated zlib/gzip
      stream with done=1. A truncated stream never reaches Z_STREAM_END,
      causing zlib to return Z_BUF_ERROR with no input remaining, which
      buf_add_compress() mistook for a full output buffer and retried
      forever. Fixed by returning TOR_COMPRESS_ERROR in that case so the
      caller can abort cleanly. TROVE-2026-021. Fixes bug 41274; bugfix
      on 0.2.6.1-alpha.

  o Major bugfixes (conflux, security):
    - Fix a NULL write after free when sending a CONFLUX_SWITCH cell
      fails. The return value of relay_send_command_from_edge() was
      ignored, so a send failure (which calls circuit_mark_for_close()
      and removes the leg via cfx_del_leg()) would go undetected,
      causing the caller to write to the now-freed current leg and
      resulting in a crash. TROVE-2026-017. Fixes bug 41263; bugfix
      on 0.4.8.1-alpha.

  o Major bugfixes (security, TROVE-2026-019):
    - Avoid out-of-bounds read/write when parsing a consensus or
      detached signature with unexpected signature digest type. Impact
      is minor for most Tor roles, but potentially major for directory
      authorities. Fixes bug 41267; bugfix on 0.2.8.2-alpha.

  o Major bugfixes (client stability, TROVE-2026-013, TROVE-2026-015):
    - Protect against a client-side assert that can happen if a
      malicious onion service gets the client to load its carefully
      crafted onion descriptor. Fixes bugs 41259 and 41261; bugfix
      on 0.3.1.1-alpha.

  o Major bugfixes (code safety):
    - Avoid a dangerous situation in router_find_exact_exit_enclave()
      where we could have reached an assert if bridges or relays claim
      an IP address of 0.0.0.0. Fixes bug 41276; bugfix on 0.4.5.1-alpha.

  o Major bugfixes (conflux, shutdown):
    - Fix a use-after-free in the shutdown path when freeing conflux
      circuits. cfx_add_leg() shares stream list pointers across legs
      without NULLing the old leg, so circuit_free_all() would free the
      lists via one leg and then access freed memory via another.
      TROVE-2026-016. Fixes bug 41262; bugfix on 0.4.8.1-alpha.

  o Major bugfixes (DNSPort, TROVE-2026-018):
    - Fix a client-side crash that would happen if we decide to stop
      reading on a RESOLVE request that came from the DNSPort or
      controller. This crash could happen naturally under heavy load and
      with poor luck, but since 0.4.7.2-alpha it could be induced by the
      exit relay via a flow control request. Fixes bug 41265; bugfix
      on 0.2.0.1-alpha.

  o Major bugfixes (memory safety, TROVE-2026-014):
    - Avoid a heap-use-after-free mistake that can happen in the conflux
      subsystem, and which can be induced at either the client or the
      exit relay. Fixes bug 41260; bugfix on 0.4.8.1-alpha.

  o Major bugfixes (onion services, TROVE-2026-020):
    - Avoid a possible divide by zero crash on onion services that have
      the proof-of-work (PoW) defense enabled. This bug could be hit by
      extreme bad luck or maybe by the help of an attacker crafting just
      the right circumstances. Fixes bug 41270; bugfix on 0.4.8.1-alpha.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on June 01, 2026.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2026/06/01.

  o Minor bugfixes (circuit handshake):
    - Fix an edge case where relays would allow a CGO-style circuit hop
      to be established without congestion control parameters, meaning
      there is no way to refill the sendme windows. Fixes bug 41271;
      bugfix on 0.4.9.3-alpha.

  o Minor bugfixes (cpuworker threads):
    - We have a defense-in-depth step to wipe local memory after
      processing each create cell in a cpuworker thread, but we were
      accidentally only wiping part of what we wanted to cover. Fixes
      bug 41269; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (relay stability):
    - Make relays survive having the consensus parameter
      "onion_queue_wait_cutoff" set to a nonsensical 0 seconds. Fixes
      bug 41266; bugfix on 0.4.7.11.
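As an added illustration of the two compression entries above (this is not tor's own code and is not part of the announcement): a Python guard around zlib that keeps cumulative input/output totals across concatenated sub-streams, so the per-stream bypass described for TROVE-2026-022 is caught, and that reports a stream whose input runs out before end-of-stream as an error instead of retrying, the failure mode behind TROVE-2026-021. The thresholds, names and sample inputs are constructed for the demo and are not tor's constants.

```python
import zlib

# Constructed demo thresholds, not tor's own constants.
CHECK_AFTER = 4096  # no ratio verdict until this much output has been produced
MAX_RATIO = 50      # output/input ratio above which the data is treated as a bomb
class CompressionBomb(Exception): pass
class TruncatedStream(Exception): pass

def is_bomb(size_in: int, size_out: int) -> bool:
    # Withhold judgement on small outputs, then compare the inflation ratio.
    return size_out >= CHECK_AFTER and size_out // max(size_in, 1) > MAX_RATIO

def safe_decompress(data: bytes, per_stream: bool = False) -> bytes:
    """Inflate one or more concatenated zlib streams behind a bomb guard.
    per_stream=True models the flawed accounting (counters restart at every
    sub-stream, so many streams each below CHECK_AFTER are never judged);
    per_stream=False keeps cumulative totals across sub-streams, the fix."""
    out = bytearray()
    in_total = out_total = 0
    remaining = data
    while remaining:
        d = zlib.decompressobj()
        chunk = d.decompress(remaining)
        if not d.eof:
            # Input ran out before end-of-stream: report it, do not retry it.
            raise TruncatedStream("input exhausted before end of stream")
        used = len(remaining) - len(d.unused_data)
        if per_stream:
            in_total, out_total = used, len(chunk)
        else:
            in_total, out_total = in_total + used, out_total + len(chunk)
        if is_bomb(in_total, out_total):
            raise CompressionBomb(f"{in_total} bytes in, {out_total} bytes out")
        out += chunk
        remaining = d.unused_data  # bytes belonging to the next sub-stream
    return bytes(out)

def outcome(data: bytes, per_stream: bool = False) -> str:
    try:
        safe_decompress(data, per_stream)
    except CompressionBomb:
        return "bomb"
    except TruncatedStream:
        return "truncated"
    return "ok"

# Constructed inputs: ten tiny streams that each inflate to only 2000 bytes
# (below CHECK_AFTER on their own), and one stream cut off before its end.
SUB_STREAM = zlib.compress(b"\0" * 2000)
CONCATENATED = SUB_STREAM * 10
TRUNCATED = zlib.compress(b"x" * 5000)[:-8]
```

With per-stream accounting the ten-stream input inflates to 20000 bytes unchallenged; with cumulative accounting it is rejected after the third sub-stream, while ordinary data of the same output size still passes.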
tor-announce mailing list