CVS commit: pkgsrc/net/tor

["Leonardo Taccari" <leot%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   leot
Date:           Fri Jan 30 11:08:35 UTC 2026

Modified Files:
        pkgsrc/net/tor: Makefile distinfo

Log Message:
tor: Update to 0.4.8.22

Changes:
Changes in version 0.4.8.22 - 2026-01-28
  This is likely the very last release of the 0.4.8.x series. Three major
  bugfixes detailled below including two affecting directory servers (basically
  all relays). We strongly recommend upgrading as soon as possible.

  o Major bugfixes (security):
    - Avoid an out-of-bounds read error that could occur with
      V1-formatted cells. Fixes bug 41180; bugfix on 0.4.8.1-alpha. This
      is tracked as TROVE-2025-016.

  o Major bugfixes (directory servers):
    - Allow old clients to fetch the consensus even if they use version
      0 of the SENDME protocol. In mid 2025 we changed the required
      minimum version of the "FlowCtrl" protocol to 1, meaning directory
      caches hang up on clients that send a version 0 SENDME cell. Since
      old clients were no longer able to retrieve the consensus, they
      couldn't learn about this required minimum version -- meaning
      we've had many many old clients loading down directory servers for
      the past months. Fixes bug 41191; bugfix on 0.4.1.1-alpha.
    - Don't count networkstatus serves until they finish. When we
      started serving a consensus document but the client didn't receive
      all of it, we were still counting that as a success in our stats.
      This mistake, which can be triggered for example by obsolete
      clients or by DPI-based censorship, led to wildly inflated user
      counts because we estimate total users in the world based on
      successful consensus fetches. Fixes bug 41192; bugfix
      on 0.2.1.1-alpha.

  o Minor feature (testing, CI):
    - Bump the CI version of chutney to the current version as of
      2026-01-21 (3338f5c).

  o Minor features (debugging, compression):
    - Do not check for compression bombs for buffers smaller than 5MB
      (increased from 64 KB). Fixes ticket 40739; bugfix on 0.2.1.29.
    - Log the input and output buffer sizes when we detect a potential
      compression bomb. Diagnostic for ticket 40739.

  o Minor features (directory servers):
    - Track how many times directory servers begin serving networkstatus
      documents, so we can compare it to the number of times we finish
      serving them. Motivated by the fixes in ticket 41192.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on January 28, 2026.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2026/01/28.

  o Minor bugfixes (relay):
    - Downgrade log warn to info as the error condition is possible under
      normal circumstances. Fixes bug 40951; bugfix on 0.3.5.1-alpha.

  o Code simplification and refactoring:
    - Simplify SOCKS4a parsing to avoid the (false) appearance of
      integer underflows, and to make the logic more obvious. Fixes bug
      41190; bugfix on 0.3.5.1-alpha.


To generate a diff of this commit:
cvs rdiff -u -r1.194 -r1.195 pkgsrc/net/tor/Makefile
cvs rdiff -u -r1.138 -r1.139 pkgsrc/net/tor/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/tor/Makefile
diff -u pkgsrc/net/tor/Makefile:1.194 pkgsrc/net/tor/Makefile:1.195
--- pkgsrc/net/tor/Makefile:1.194       Mon Dec 15 09:12:54 2025
+++ pkgsrc/net/tor/Makefile     Fri Jan 30 11:08:35 2026
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.194 2025/12/15 09:12:54 adam Exp $
+# $NetBSD: Makefile,v 1.195 2026/01/30 11:08:35 leot Exp $
 
-DISTNAME=      tor-0.4.8.21
+DISTNAME=      tor-0.4.8.22
 CATEGORIES=    net security
 MASTER_SITES=  https://dist.torproject.org/
 

Index: pkgsrc/net/tor/distinfo
diff -u pkgsrc/net/tor/distinfo:1.138 pkgsrc/net/tor/distinfo:1.139
--- pkgsrc/net/tor/distinfo:1.138       Mon Dec 15 09:12:54 2025
+++ pkgsrc/net/tor/distinfo     Fri Jan 30 11:08:35 2026
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.138 2025/12/15 09:12:54 adam Exp $
+$NetBSD: distinfo,v 1.139 2026/01/30 11:08:35 leot Exp $
 
-BLAKE2s (tor-0.4.8.21.tar.gz) = 7431b71b5fcb785e0a7c00f3a77e5616e7a16b2a60db4740d27e66dead67aa2c
-SHA512 (tor-0.4.8.21.tar.gz) = 5ba774d1f9b2079bd393323d490edf6e1a6380f5a970f07f87e8cf14522eb994c7137a8c8a7ad551289db0ad9aa3ff0a46d8d55fdcdaea5042d68196cf9399b7
-Size (tor-0.4.8.21.tar.gz) = 10663112 bytes
+BLAKE2s (tor-0.4.8.22.tar.gz) = 4b6ccdafaece15afee6f93d21ce4a4b0d0129fce0237dd0b37a181a50fcb88ad
+SHA512 (tor-0.4.8.22.tar.gz) = c7c6bfc7a2c10d045903c3e60fcff076983949fdbdf884d3f8e3eb6dc01c3e8a75abdc6e8e8efe7ac409d77932e034551ff0f6309851edd75c1134f1828aa8b3
+Size (tor-0.4.8.22.tar.gz) = 10625231 bytes