-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 18 Jun 2021 10:27:26 +0200
Source: tor
Binary: tor tor-dbgsym
Architecture: mipsel
Version: 0.3.5.15-1
Distribution: buster-security
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-manda-04) <buildd_mips64el-mipsel-manda-04@buildd.debian.org>
Changed-By: Peter Palfrader <weasel@debian.org>
Description:
 tor        - anonymizing overlay network for TCP
Closes: 990000
Changes:
 tor (0.3.5.15-1) buster-security; urgency=medium
 .
   * New upstream version, fixing several (security) issues (closes: #990000).
     For a full list see the upstream changelog.  It includes:
     - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
       half-closed streams. Previously, clients failed to validate which
       hop sent these cells: this would allow a relay on a circuit to end
       a stream that wasn't actually built with it.
       Bugfix on 0.3.5.1-alpha. This issue is also tracked as
       TROVE-2021-003 and CVE-2021-34548.
     - Detect more failure conditions from the OpenSSL RNG code.
       Previously, we would detect errors from a missing RNG
       implementation, but not failures from the RNG code itself.
       Fortunately, it appears those failures do not happen in practice
       when Tor is using OpenSSL's default RNG implementation.
       Bugfix on 0.2.8.1-alpha. This issue is also tracked as
       TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
     - Resist a hashtable-based CPU denial-of-service attack against
       relays. Previously we used a naive unkeyed hash function to look
       up circuits in a circuitmux object. An attacker could exploit this
       to construct circuits with chosen circuit IDs, to create
       collisions and make the hash table inefficient. Now we use a
       SipHash construction here instead. Bugfix on
       0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
       CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
     - Fix an out-of-bounds memory access in v3 onion service descriptor
       parsing. An attacker could exploit this bug by crafting an onion
       service descriptor that would crash any client that tried to visit
       it. Bugfix on 0.3.0.1-alpha. This issue is also
       tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
       Glazunov from Google's Project Zero.
Checksums-Sha1:
 e2b87c9748cec5d333fe8619a15835835f949ade 4285200 tor-dbgsym_0.3.5.15-1_mipsel.deb
 6a2e5e077c58eb6fc318aa613a7cff27bce4d0d7 6775 tor_0.3.5.15-1_mipsel-buildd.buildinfo
 5729240df0b5797162753daf5ac535370d6d3323 1760344 tor_0.3.5.15-1_mipsel.deb
Checksums-Sha256:
 2aa01ee4e152c25aee29bfba1b286c5dd161c3df0343f18be2fc517bb66e812c 4285200 tor-dbgsym_0.3.5.15-1_mipsel.deb
 0427ab0d1c994f43e65f1c3f966dc38439eead1d5f09fccedc6490a5ffa2d5f2 6775 tor_0.3.5.15-1_mipsel-buildd.buildinfo
 737031ab4c99fae0111f7ec3d1cf43de5d1b4410766bc8ea2e73084814104735 1760344 tor_0.3.5.15-1_mipsel.deb
Files:
 0d105df63cc90ee1e8b060417ca28c38 4285200 debug optional tor-dbgsym_0.3.5.15-1_mipsel.deb
 56b68b6d6dd3da2437a70719f76dc312 6775 net optional tor_0.3.5.15-1_mipsel-buildd.buildinfo
 ecdd7e8dc3c1f54850d7b2ced6f1a219 1760344 net optional tor_0.3.5.15-1_mipsel.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----