CVS commit: pkgsrc/net/tor

["Thomas Klausner" <wiz%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   wiz
Date:           Mon Jun 14 17:46:43 UTC 2021

Modified Files:
        pkgsrc/net/tor: Makefile distinfo

Log Message:
tor: update to 0.4.5.9.

Changes in version 0.4.5.9 - 2021-06-14
  Tor 0.4.5.9 fixes several security issues, including a
  denial-of-service attack against onion service clients, and another
  denial-of-service attack against relays. Everybody should upgrade to
  one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.

  o Major bugfixes (security, backport from 0.4.6.5):
    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
      half-closed streams. Previously, clients failed to validate which
      hop sent these cells: this would allow a relay on a circuit to end
      a stream that wasn't actually built with it. Fixes bug 40389;
      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
      003 and CVE-2021-34548.

  o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
    - Detect more failure conditions from the OpenSSL RNG code.
      Previously, we would detect errors from a missing RNG
      implementation, but not failures from the RNG code itself.
      Fortunately, it appears those failures do not happen in practice
      when Tor is using OpenSSL's default RNG implementation. Fixes bug
      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.

  o Major bugfixes (security, denial of service, backport from 0.4.6.5):
    - Resist a hashtable-based CPU denial-of-service attack against
      relays. Previously we used a naive unkeyed hash function to look
      up circuits in a circuitmux object. An attacker could exploit this
      to construct circuits with chosen circuit IDs, to create
      collisions and make the hash table inefficient. Now we use a
      SipHash construction here instead. Fixes bug 40391; bugfix on
      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
    - Fix an out-of-bounds memory access in v3 onion service descriptor
      parsing. An attacker could exploit this bug by crafting an onion
      service descriptor that would crash any client that tried to visit
      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
      Glazunov from Google's Project Zero.

  o Minor features (compatibility, backport from 0.4.6.4-rc):
    - Remove an assertion function related to TLS renegotiation. It was
      used nowhere outside the unit tests, and it was breaking
      compilation with recent alpha releases of OpenSSL 3.0.0. Closes
      ticket 40399.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2021/06/10.

  o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc):
    - Allow the control command SAVECONF to succeed when the seccomp
      sandbox is enabled, and make SAVECONF keep only one backup file to
      simplify implementation. Previously SAVECONF allowed a large
      number of backup files, which made it incompatible with the
      sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by
      Daniel Pinto.

  o Minor bugfixes (metrics port, backport from 0.4.6.4-rc):
    - Fix a bug that made tor try to re-bind() on an already open
      MetricsPort every 60 seconds. Fixes bug 40370; bugfix
      on 0.4.5.1-alpha.


To generate a diff of this commit:
cvs rdiff -u -r1.168 -r1.169 pkgsrc/net/tor/Makefile
cvs rdiff -u -r1.114 -r1.115 pkgsrc/net/tor/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/tor/Makefile
diff -u pkgsrc/net/tor/Makefile:1.168 pkgsrc/net/tor/Makefile:1.169
--- pkgsrc/net/tor/Makefile:1.168       Sat Jun 12 10:01:29 2021
+++ pkgsrc/net/tor/Makefile     Mon Jun 14 17:46:43 2021
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.168 2021/06/12 10:01:29 wiz Exp $
+# $NetBSD: Makefile,v 1.169 2021/06/14 17:46:43 wiz Exp $
 
-DISTNAME=      tor-0.4.5.8
-PKGREVISION=   1
+DISTNAME=      tor-0.4.5.9
 CATEGORIES=    net security
 MASTER_SITES=  https://dist.torproject.org/
 

Index: pkgsrc/net/tor/distinfo
diff -u pkgsrc/net/tor/distinfo:1.114 pkgsrc/net/tor/distinfo:1.115
--- pkgsrc/net/tor/distinfo:1.114       Sun May 23 11:14:01 2021
+++ pkgsrc/net/tor/distinfo     Mon Jun 14 17:46:43 2021
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.114 2021/05/23 11:14:01 wiz Exp $
+$NetBSD: distinfo,v 1.115 2021/06/14 17:46:43 wiz Exp $
 
-SHA1 (tor-0.4.5.8.tar.gz) = 6f5e1169fc9e223c94ea4c287fefe8d1797ca9d7
-RMD160 (tor-0.4.5.8.tar.gz) = 1379dcf11b8c5733d21d76e1c621c63bc6ecbfa1
-SHA512 (tor-0.4.5.8.tar.gz) = f5cb32f5d0fc333aa1607370e290e6be85230896bd26e00072a68db4b32293d5dd38cccb57e92941fbe6ac17fb4207c38d11e3095ede289c3a6ebbd64ed70119
-Size (tor-0.4.5.8.tar.gz) = 7826458 bytes
+SHA1 (tor-0.4.5.9.tar.gz) = adbfefa54a23c6e7418561bd042442ee6fc50bfc
+RMD160 (tor-0.4.5.9.tar.gz) = c3933bbd8ceec45813ae736ad72b65d7935a76b2
+SHA512 (tor-0.4.5.9.tar.gz) = b3c3b5cce30c881fb1e705ec6183513f625ddb9d076671b9cd6299e81a410bc12f59a30677636371c336e397211432f0831bdcb2105c9aed8dcb608eae54e2b2
+Size (tor-0.4.5.9.tar.gz) = 7840294 bytes