
[tor-announce] [SECURITY RELEASE] Tor stable 0.4.8.23 and 0.4.9.6



Greetings,

We just released 0.4.8.23 and 0.4.9.6 today. Here is the announcement:
https://forum.torproject.org/t/security-release-0-4-8-23-and-0-4-9-6/21386

Please upgrade as soon as possible if you are running a relay.

Change log:

Changes in version 0.4.8.23 - 2026-03-25
  This is a security release fixing major bugs that could possibly lead to
  remote crashes of relays. We strongly recommend upgrading as soon as possible.

  o Major bugfix (security, conflux):
    - Fix a memory compare using the wrong length. This could lead to a
      remote crash when using the conflux subsystem. TROVE-2026-004.
      Fixes bug 41232; bugfix on 0.4.8.1-alpha.

  o Minor bugfixes (security):
    - Fix a series of defense in depth security issues found across the
      codebase. Fixes bug 41228; bugfix on 0.3.5.1-alpha.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on March 25, 2026.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2026/03/25.

Changes in version 0.4.9.6 - 2026-03-25
  This is a security release fixing major bugs that could possibly lead to
  remote crashes of relays. We strongly recommend upgrading as soon as possible.

  o Major bugfix (security):
    - Fix a stack overflow of 11 bytes on malicious CREATED2. This led
      to a remote crash. TROVE-2026-003. Reported-by: Anas Cherni of
      Calif.io. Fixes bug 41231; bugfix on 0.4.9.1-alpha.

  o Major bugfix (security, conflux):
    - Fix a memory compare using the wrong length. This could lead to a
      remote crash when using the conflux subsystem. TROVE-2026-004.
      Fixes bug 41232; bugfix on 0.4.8.1-alpha.

  o Minor bugfixes (security):
    - Fix a series of defense in depth security issues found across the
      codebase. Fixes bug 41228; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (portability):
    - (Hopefully) fix our polyval implementation on big-endian
      platforms. Fixes bug 41215; bugfix on 0.4.9.3-alpha.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on March 25, 2026.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2026/03/25.

Cheers!
David

-- 
7Cse8G921+pZrNTPQ6t2z5h5ZO83kH17z68vTK0aSQM=
