public inbox for development@lists.ipfire.org
From: "Peter Müller" <peter.mueller@ipfire.org>
To: "IPFire: Development" <development@lists.ipfire.org>
Subject: [PATCH] Tor: Update to 0.4.8.18
Date: Sun, 28 Sep 2025 22:29:00 +0000
Message-ID: <0237a183-8232-45dd-8d19-a778ab26d974@ipfire.org>

Changes in version 0.4.8.18 - 2025-09-16
  This is a minor release with a major onion service directory cache (HSDir)
  bug fix. A series of minor bugfixes as well. As always, we strongly recommend
  to upgrade as soon as possible.

  o Major bugfixes (onion service directory cache):
    - Preserve the download counter of an onion service descriptor
      across descriptor uploads, so that recently updated descriptors
      don't get pruned if there is memory pressure soon after update.
      Additionally, create a separate torrc option MaxHSDirCacheBytes
      that defaults to the former 20% of MaxMemInQueues threshold, but
      can be controlled by relay operators under DoS. Also enforce this
      threshold during HSDir uploads. Fixes bug 41006; bugfix
      on 0.4.8.14.

  o Minor feature (padding, logging):
    - Reduce the amount of messages being logged related to channel
      padding timeout when log level is "notice".

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on September 16, 2025.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2025/09/16.

  o Minor bugfix (conflux):
    - Remove the pending nonce if we realize that the nonce of the
      unlinked circuit is not tracked anymore. Should avoid the non
      fatal assert triggered with a control port circuit event. Fixes
      bug 41037; bugfix on 0.4.8.15.

  o Minor bugfixes (circuit handling):
    - Prevent circuit_mark_for_close() from being called twice on the
      same circuit. Second fix attempt. Fixes bug 41106; bugfix
      on 0.4.8.17.

  o Minor bugfixes (threads):
    - Make thread control POSIX compliant. Fixes bug 41109; bugfix
      on 0.4.8.17-dev.

Changes in version 0.4.8.17 - 2025-06-30
  This is a minor release providing a series of minor features especially in the realm
  of TLS. It also brings a new set of recommended and required sub protocols.
  And finally, few minor bugfixes, nothing major. As always, we strongly
  recommend you upgrade as soon as possible.

  o Minor features (security, TLS):
    - When we are running with OpenSSL 3.5.0 or later, support using the
      ML-KEM768 for post-quantum key agreement. Closes ticket 41041.

  o Minor feature (client, TLS):
    - Set the TLS 1.3 cipher list instead of falling back on the
      default value.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on June 30, 2025.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2025/06/30.

  o Minor features (hsdesc POW):
    - Tolerate multiple PoW schemes in onion service descriptors, for
      future extensibility. Implements torspec ticket 272.

  o Minor features (performance TLS):
    - When running with OpenSSL 3.0.0 or later, support using
      X25519 for TLS key agreement. (This should slightly improve
      performance for TLS session establishment.)

  o Minor features (portability):
    - Fix warnings when compiling with GCC 15. Closes ticket 41079.

  o Minor features (recommended protocols):
    - Directory authorities now vote to recommend that clients support
      certain protocols beyond those that are required. These include
      improved support for connecting to relays on IPv6, NtorV3, and
      congestion control. Part of ticket 40836.

  o Minor features (required protocols):
    - Directory authorities now vote to require clients to support the
      authenticated SENDME feature, which was introduced in
      0.4.1.1-alpha. Part of ticket 40836.
    - Directory authorities now vote to require relays to support
      certain protocols, all of which have been implemented since
      0.4.7.4-alpha or earlier. These include improved support for
      connecting to relays on IPv6, NtorV3, running as a rate-limited
      introduction point, authenticated SENDMEs, and congestion control.
      Part of ticket 40836.

  o Minor bugfix (conflux):
    - Avoid a non fatal assert when describing a conflux circuit on the
      control port after being prepped to be freed. Fixes bug 41037;
      bugfix on 0.4.8.15.

  o Minor bugfixes (circuit handling):
    - Prevent circuit_mark_for_close() from being called twice on the
      same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev.

  o Minor bugfixes (compiler warnings):
    - Make sure the two bitfields in the half-closed edge struct are
      unsigned, as we're using them for boolean values and assign 1 to
      them. Fixes bug 40911; bugfix on 0.4.7.2-alpha.

  o Minor bugfixes (threads, memory):
    - Improvements in cleanup of resources used by threads. Fixes bug
      40991; bugfix on 0.4.8.13-dev.
    - Rework start and exit of worker threads.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 lfs/tor | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/tor b/lfs/tor
index 0d57f5fed..af16cc982 100644
--- a/lfs/tor
+++ b/lfs/tor
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = Anonymizing overlay network for TCP (The onion router)
 
-VER        = 0.4.8.16
+VER        = 0.4.8.18
 
 THISAPP    = tor-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = tor
-PAK_VER    = 89
+PAK_VER    = 90
 
 DEPS       = libseccomp
 
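Review bot: DEPS stays at libseccomp only, while the pasted changelogs list reworked worker thread start and exit, thread resource cleanup, and a POSIX thread-control fix, and the commit message does not say what was tested. Please add a short line on what was exercised (client, relay, onion service) and whether the build was run with Tor's seccomp sandbox enabled. The PAK_VER bump from 89 to 90 itself looks right for a single package update.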
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = fdaf3d124d3e1b11589a5219033c8d37d3e6c8986ff60e930d2bf80532dd6be4c7ee1634bd0806bd283a9954e4478f3be7b9b61abd13e3274fef3b8373df1b00
+$(DL_FILE)_BLAKE2 = 8a2ff369d3b29557a4bb3018dcc5c17b04e459626d23a44bed2968c938a4073ff85c88f734b8f732273197cbb173b70906b4f553db7a432cfbefad73329f6349
 
 install : $(TARGET)
 
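Review bot: The new $(DL_FILE)_BLAKE2 value only pins whatever tarball sits at DL_FROM = $(URL_IPFIRE), and the commit message does not say how that tarball was checked against upstream before it was uploaded there. Please state in the message that tor-0.4.8.18.tar.gz was verified against the Tor Project's signed checksum file (or its detached signature) before the BLAKE2 hash was computed, so the hash is traceable to the upstream release rather than to the mirror copy alone.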
-- 
2.51.0

