pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/net/tor tor: update to 0.4.5.7.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/4a65214ae627
branches:  trunk
changeset: 448850:4a65214ae627
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Tue Mar 16 16:25:21 2021 +0000

description:
tor: update to 0.4.5.7.

  Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
  versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a few
  smaller bugs in earlier releases.

  o Major bugfixes (security, denial of service):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Minor bugfixes (directory authority):
    - Now that exit relays don't allow exit connections to directory
      authority DirPorts (to prevent network reentry), disable
      authorities' reachability self test on the DirPort. Fixes bug
      40287; bugfix on 0.4.5.5-rc.

  o Minor bugfixes (documentation):
    - Fix a formatting error in the documentation for
      VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (Linux, relay):
    - Fix a bug in determining total available system memory that would
      have been triggered if the format of Linux's /proc/meminfo file
      had ever changed to include "MemTotal:" in the middle of a line.
      Fixes bug 40315; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (metrics port):
    - Fix a BUG() warning on the MetricsPort for an internal missing
      handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (onion service):
    - Remove a harmless BUG() warning when reloading tor configured with
      onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (portability):
    - Fix a non-portable usage of "==" with "test" in the configure
      script. Fixes bug 40298; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay):
    - Remove a spammy log notice falsely claiming that the IPv4/v6
      address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha.
    - Do not query the address cache early in the boot process when
      deciding if a relay needs to fetch early directory information
      from an authority. This bug resulted in a relay falsely believing
      it didn't have an address and thus triggering an authority fetch
      at each boot. Related to our fix for 40300.

  o Removed features (mallinfo deprecated):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.
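The /proc/meminfo entry above (bug 40315) is about anchoring the "MemTotal:" key to the start of a line rather than matching it anywhere in the file. The following added example (not code from Tor or from this pkgsrc commit) shows both lookups over a constructed meminfo buffer whose third line deliberately carries "MemTotal:" mid-line; the naive strstr() version picks up the bogus value, the line-anchored version does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of a /proc/meminfo-style buffer (not real system
 * output).  The third line deliberately contains "MemTotal:" in the
 * middle of a line, the layout change the changelog entry guards against. */
static const char SAMPLE_MEMINFO[] =
    "MemFree:         1234567 kB\n"
    "Buffers:          111111 kB\n"
    "VmallocTotal: MemTotal:   99 kB\n"
    "MemTotal:        8000000 kB\n";

/* Naive lookup: first occurrence of the key anywhere in the buffer.
 * Returns the value in kB, or 0 if the key is absent. */
uint64_t meminfo_naive(const char *buf, const char *key)
{
  const char *p = strstr(buf, key);
  if (!p)
    return 0;
  return strtoull(p + strlen(key), NULL, 10); /* skips leading blanks */
}

/* Line-anchored lookup: the key must begin a line (offset 0 or right after
 * a '\n'), so a stray "MemTotal:" inside another line is ignored. */
uint64_t meminfo_anchored(const char *buf, const char *key)
{
  size_t keylen = strlen(key);
  const char *line = buf;
  while (*line) {
    const char *eol = strchr(line, '\n');
    size_t len = eol ? (size_t)(eol - line) : strlen(line);
    if (len > keylen && memcmp(line, key, keylen) == 0)
      return strtoull(line + keylen, NULL, 10);
    if (!eol)
      break;
    line = eol + 1;
  }
  return 0;
}

int main(void)
{
  printf("naive    MemTotal = %llu kB\n",
         (unsigned long long)meminfo_naive(SAMPLE_MEMINFO, "MemTotal:"));
  printf("anchored MemTotal = %llu kB\n",
         (unsigned long long)meminfo_anchored(SAMPLE_MEMINFO, "MemTotal:"));
  return 0;
}
```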

diffstat:

 net/tor/Makefile                |   5 ++---
 net/tor/distinfo                |  11 +++++------
 net/tor/patches/patch-configure |  15 ---------------
 3 files changed, 7 insertions(+), 24 deletions(-)

diffs (48 lines):

diff -r bd9f534772e4 -r 4a65214ae627 net/tor/Makefile
--- a/net/tor/Makefile  Tue Mar 16 08:20:18 2021 +0000
+++ b/net/tor/Makefile  Tue Mar 16 16:25:21 2021 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.162 2021/02/20 09:08:58 wiz Exp $
+# $NetBSD: Makefile,v 1.163 2021/03/16 16:25:21 wiz Exp $
 
-DISTNAME=      tor-0.4.5.6
-PKGREVISION=   2
+DISTNAME=      tor-0.4.5.7
 CATEGORIES=    net security
 MASTER_SITES=  https://dist.torproject.org/
 
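Review bot: Dropping PKGREVISION alongside the DISTNAME bump is the correct pkgsrc convention, since a new upstream version restarts the package revision at zero; the hunk needs no further change.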
diff -r bd9f534772e4 -r 4a65214ae627 net/tor/distinfo
--- a/net/tor/distinfo  Tue Mar 16 08:20:18 2021 +0000
+++ b/net/tor/distinfo  Tue Mar 16 16:25:21 2021 +0000
@@ -1,7 +1,6 @@
-$NetBSD: distinfo,v 1.112 2021/02/15 19:01:31 wiz Exp $
+$NetBSD: distinfo,v 1.113 2021/03/16 16:25:21 wiz Exp $
 
-SHA1 (tor-0.4.5.6.tar.gz) = 4bcb5cbe8aeb857615b2c9107de6980e4b416d81
-RMD160 (tor-0.4.5.6.tar.gz) = 5c76b6154e2156241b195ce743d8085e1dabfc81
-SHA512 (tor-0.4.5.6.tar.gz) = 3759657a997f4aabdfef6ad3f5da16085a1dd3353015db8283a21fcb1d658ca390bc3c36387a89c99baf2069c6e1d392a1fef4b3eba24ee1f2b408acbc103f9d
-Size (tor-0.4.5.6.tar.gz) = 7926711 bytes
-SHA1 (patch-configure) = 59d0245fc0c21f4dedf62df396100a899361611c
+SHA1 (tor-0.4.5.7.tar.gz) = 902bab16c39e8f54b97502d6dc04e6b484894bcd
+RMD160 (tor-0.4.5.7.tar.gz) = ec6375b290c6bed7a1acff002aed061d0965e191
+SHA512 (tor-0.4.5.7.tar.gz) = 1ca0e35eff5b344ee416de4cb958d7f04d4e5e9f2efff524576b1fc3c2882dbc068d35f25670e7efe5fcb51308b165393b1078fc46585ec6d40052daa0628a05
+Size (tor-0.4.5.7.tar.gz) = 7816158 bytes
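Review bot: The removed `SHA1 (patch-configure)` line matches the deletion of net/tor/patches/patch-configure in the same changeset, so distinfo stays consistent with the patches directory; the three new tarball digests and the size are the only fetch-time integrity check pkgsrc performs, so they should be confirmed against the upstream release signature for tor-0.4.5.7.tar.gz before the commit lands.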
diff -r bd9f534772e4 -r 4a65214ae627 net/tor/patches/patch-configure
--- a/net/tor/patches/patch-configure   Tue Mar 16 08:20:18 2021 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-$NetBSD: patch-configure,v 1.3 2021/02/15 19:01:31 wiz Exp $
-
-Fix unportable test(1) operator.
-
---- configure.orig     2021-02-15 15:47:45.000000000 +0000
-+++ configure
-@@ -10385,7 +10385,7 @@ else
- 
-    # This is a kludge to figure out whether compilation failed, or whether
-    # running the program failed.
--   if test "$ac_retval" == "1"; then
-+   if test "$ac_retval" = "1"; then
-       openssl_ver_mismatch=inconclusive
-    else
-       openssl_ver_mismatch=yes
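Review bot: Deleting patch-configure is justified by the 0.4.5.7 changelog entry for bug 40298 (non-portable `==` with `test` in the configure script), which makes this local `if test "$ac_retval" = "1"` fix redundant; a quick grep for `==` in the unpacked 0.4.5.7 configure would confirm that the upstream fix covers this same site before the patch is dropped.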


