
[tor-announce] [RELEASE] Security release - Tor stable version 0.4.9.11

Greetings,

We just released 0.4.9.11 as a security release. The announcement is here:
https://forum.torproject.org/t/security-release-0-4-9-11/21786

As noted in the announcement, 0.4.9.10 went under the radar because we had to
quickly plan for another release after it, and so we didn't do an official
announcement for it until today.

Here is the ChangeLog:

Changes in version 0.4.9.11 - 2026-06-25
  Security release follows in quick succession after the previous one due to
  additional high-priority security issues including one concerning onion
  services (#41297). We strongly recommend upgrading as soon as possible.

  o Major bugfixes (onion services):
    - Prevent a race condition where in just the right circumstances a
      rendezvous point could man-in-the-middle (impersonate) the onion
      service that the client was trying to reach. Fixes bug 41297;
      bugfix on 0.3.5.3-alpha.

  o Major bugfixes (client):
    - Clients no longer assert and exit if an onion service encodes an
      all-zero public key for one of its introduction points. Fixes bug
      41295; bugfix on 0.3.2.1-alpha.

  o Major bugfixes (directory authorities):
    - Stop allowing 0 as a port in exit policy lines. We had put in some
      secondary checks to make sure exit policy ports weren't out of the
      expected range, but one of those checks accidentally allowed us to
      parse the port "0" as equivalent to the port range "1-0", which
      triggered an assert when generating a networkstatus vote (on v3
      directory authorities) or a networkstatus document (on the bridge
      authority). Fixes bug 41292; bugfix on 0.1.2.5-alpha.

  o Major bugfixes (security, conflux):
    - Fix a use-after-free (and potential double free) of a conflux
      object when a recovery leg revives a conflux set whose last linked
      leg has already been closed. A malicious exit could use this to
      crash a client. TROVE-2026-026. Fixes bug 41306; bugfix
      on 0.4.8.1-alpha.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on June 25, 2026.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2026/06/25.

Changes in version 0.4.9.10 - 2026-06-23
  Another release with an important security fix and major bugfixes. We
  strongly recommend upgrading as soon as possible.

  o Major bugfixes (conflux, security, TROVE):
    - Reject a CONFLUX_LINK cell that arrives on a circuit which already
      has attached streams. A malicious client could send a
      RELAY_COMMAND_BEGIN before the CONFLUX_LINK on the same circuit,
      attaching an exit stream that would later end up orphaned, leaving a
      dangling circuit back-pointer and a use-after-free (UAF) when the
      circuit is freed. TROVE-2026-025. Fixes bug 41258; bugfix
      on 0.4.8.1-alpha.

  o Major bugfixes (client):
    - Resume warning about unsafe socks protocols (socks4 or
      socks5-not-hostname) when SafeSocks is not set. Also resume
      warning every time when TestSocks is set. Fixes bug 41290; bugfix
      on 0.2.2.18-alpha and 0.2.4.11-alpha.

  o Major bugfixes (clients):
    - Make clients more consistently expire entry guards 48 to 60 days
      after they are first used. Previously, we would sometimes expire
      entry guards after this intended range, but sometimes we would
      wait up to 120 days. Fixes bug 41280; bugfix on 0.3.0.1-alpha.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on June 23, 2026.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2026/06/23.

  o Minor bugfixes (code security):
    - Add a defensive check in port_parse_ports_relay() to make it
      clearer to static analysis tools that there is no security
      problem. Fixes bug 41278; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (client-side onion service):
    - Stop leaking memory in the case where the client fetches a well-
      formed onion descriptor but it turns out to not match the onion
      address we intended to fetch. Fixes bug 41264; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (directory authorities):
    - Correctly omit "package" lines from the consensus. In proposal 301
      we tried to make a new consensus method that never generates
      "package" lines, but we got the logic wrong. Fixes bug 41293;
      bugfix on 0.4.9.1-alpha.

  o Minor bugfixes (relay):
    - Avoid a mistaken BUG() warning and backtrace if a client sends an
      INTRODUCE1 cell using the legacy format from v2 onion services.
      This error case was already handled correctly, but there's no need
      to warn and backtrace. Fixes bug 41299; bugfix on 0.4.6.1-alpha.


Cheers!
David
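The directory-authority fix above (bug 41292) is about an exit-policy port check that let "0" through by treating it as the inverted range "1-0". As an added illustration, not Tor's own exit-policy parser or port_parse_ports_relay(), here is a small port-spec validator that rejects both forms outright: every endpoint must be a real port in 1..65535 and a range must not be inverted. The function names and the sample specs are constructed for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse one decimal port from s[0..len). Rejects empty input, non-digits,
 * values above 65535 and, importantly, port 0, which is never usable in a
 * policy line. Returns 0 on success and fills *out. */
static int parse_one_port(const char *s, size_t len, uint16_t *out) {
    unsigned long v = 0;
    if (len == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)s[i])) return -1;
        v = v * 10 + (unsigned long)(s[i] - '0');
        if (v > 65535) return -1;            /* overflow of the port space */
    }
    if (v == 0) return -1;                   /* "0" is rejected, not remapped */
    *out = (uint16_t)v;
    return 0;
}

/* Parse an exit-policy port spec: "*", "N", or "N-M". Returns 0 and sets
 * lo/hi on success, -1 on any malformed, zero, or inverted spec. */
int parse_port_range(const char *spec, uint16_t *lo, uint16_t *hi) {
    if (!spec || !lo || !hi) return -1;
    if (strcmp(spec, "*") == 0) { *lo = 1; *hi = 65535; return 0; }
    const char *dash = strchr(spec, '-');
    if (!dash) {
        if (parse_one_port(spec, strlen(spec), lo) < 0) return -1;
        *hi = *lo;
        return 0;
    }
    /* Both ends must be valid ports, and lo <= hi: "1-0" fails the second
     * endpoint check (port 0) and "8-7" fails the inversion check. */
    if (parse_one_port(spec, (size_t)(dash - spec), lo) < 0) return -1;
    if (parse_one_port(dash + 1, strlen(dash + 1), hi) < 0) return -1;
    if (*lo > *hi) return -1;
    return 0;
}

/* Convenience wrapper: 1 if the spec would be accepted, 0 otherwise. */
int port_spec_accepted(const char *spec) {
    uint16_t lo, hi;
    return parse_port_range(spec, &lo, &hi) == 0;
}

int main(void) {
    const char *samples[] = { "80", "1-1024", "*", "0", "1-0", "8-7", "65536", "4a" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-8s -> %s\n", samples[i], port_spec_accepted(samples[i]) ? "accept" : "reject");
    return 0;
}
```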
