From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4cZfC46NM5z32cx for ; Sun, 28 Sep 2025 22:29:52 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4cZfC13h7zz2xQW for ; Sun, 28 Sep 2025 22:29:49 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4cZfC00jwKz3PC for ; Sun, 28 Sep 2025 22:29:47 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1759098588; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aOcdv9PxfSlGD/ut99AOy+PYkeHEOQrqu+pm/cuHB4A=; b=/ESa6iFIBv3zpBaeLIhUyTHq0YkxtJ1QCecztnHcNBtGHM0OS4oQ0rxbG0MwTIRXoEQ9by 1A9K9nMx2eOIHTDg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1759098588; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=aOcdv9PxfSlGD/ut99AOy+PYkeHEOQrqu+pm/cuHB4A=; b=gFJvG7phjcWlxnyKUBcPsp+D0svCVGUY0xw0reO9TvsWuAG/oKrsuxxLtS2jwqDJVjC36a nn7D9U7tbuXwK0ySCiuQBEYaUiMaihYaZA7Or0Uo8S/361+m2syvXgon41yJ8z5b62/4cO QHSiTf/n/pi6nBPF1IZJ79EzSGpgTNUaSTfxLoqvaVEctVgR47n8uMbPQ7bKU5+GrI4gKC C7M1l96hsvAHE3g9ihO5QCnyMY8kOnAdYbVopcMaryGLUv9ij3PahezqxmSAPvLfmOJIN1 F7oNCots4yWsW9fpl36N3jc4UBhShcELD9ScPBdXinKwFYlxkyc0+uPBZuiFGw== Message-ID: <0237a183-8232-45dd-8d19-a778ab26d974@ipfire.org> Date: Sun, 28 Sep 2025 22:29:00 +0000 Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 To: "IPFire: Development" From: =?UTF-8?Q?Peter_M=C3=BCller?= Subject: [PATCH] Tor: Update to 0.4.8.18 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes in version 0.4.8.18 - 2025-09-16 This is a minor release with a major onion service directory cache (HSDir) bug fix. A series of minor bugfixes as well. As always, we strongly recommend to upgrade as soon as possible. o Major bugfixes (onion service directory cache): - Preserve the download counter of an onion service descriptor across descriptor uploads, so that recently updated descriptors don't get pruned if there is memory pressure soon after update. Additionally, create a separate torrc option MaxHSDirCacheBytes that defaults to the former 20% of MaxMemInQueues threshold, but can be controlled by relay operators under DoS. Also enforce this theshold during HSDir uploads. Fixes bug 41006; bugfix on 0.4.8.14. o Minor feature (padding, logging): - Reduce the amount of messages being logged related to channel padding timeout when log level is "notice". o Minor features (fallbackdir): - Regenerate fallback directories generated on September 16, 2025. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/09/16. o Minor bugfix (conflux): - Remove the pending nonce if we realize that the nonce of the unlinked circuit is not tracked anymore. Should avoid the non fatal assert triggered with a control port circuit event. Fixes bug 41037; bugfix on 0.4.8.15. o Minor bugfixes (circuit handling): - Prevent circuit_mark_for_close() from being called twice on the same circuit. Second fix attempt Fixes bug 41106; bugfix on 0.4.8.17 o Minor bugfixes (threads): - Make thread control POSIX compliant. Fixes bug 41109; bugfix on 0.4.8.17-dev. Changes in version 0.4.8.17 - 2025-06-30 This is a minor providing a series of minor features especially in the realm of TLS. It also brings a new set of recommended and required sub protocols. And finally, few minor bugfixes, nothing major. As always, we strongly recommend you upgrade as soon as possible. o Minor features (security, TLS): - When we are running with OpenSSL 3.5.0 or later, support using the ML-KEM768 for post-quantum key agreement. Closes ticket 41041. o Minor feature (client, TLS): - Set the TLS 1.3 cipher list instead of falling back on the default value. o Minor features (fallbackdir): - Regenerate fallback directories generated on June 30, 2025. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2025/06/30. o Minor features (hsdesc POW): - Tolerate multiple PoW schemes in onion service descriptors, for future extensibility. Implements torspec ticket 272. o Minor features (performance TLS): - When running with with OpenSSL 3.0.0 or later, support using X25519 for TLS key agreement. (This should slightly improve performance for TLS session establishment.) o Minor features (portability): - Fix warnings when compiling with GCC 15. Closes ticket 41079. o Minor features (recommended protocols): - Directory authorities now vote to recommend that clients support certain protocols beyond those that are required. These include improved support for connecting to relays on IPv6, NtorV3, and congestion control. Part of ticket 40836. o Minor features (required protocols): - Directory authorities now vote to require clients to support the authenticated SENDME feature, which was introduced in 0.4.1.1-alpha. Part of ticket 40836. - Directory authorities now vote to require relays to support certain protocols, all of which have been implemented since 0.4.7.4-alpha or earlier. These include improved support for connecting to relays on IPv6, NtorV3, running as a rate-limited introduction point, authenticated SENDMEs, and congestion control. Part of ticket 40836. o Minor bugfix (conflux): - Avoid a non fatal assert when describing a conflux circuit on the control port after being prepped to be freed. Fixes bug 41037; bugfix on 0.4.8.15. o Minor bugfixes (circuit handling): - Prevent circuit_mark_for_close() from being called twice on the same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev. o Minor bugfixes (compiler warnings): - Make sure the two bitfields in the half-closed edge struct are unsigned, as we're using them for boolean values and assign 1 to them. Fixes bug 40911; bugfix on 0.4.7.2-alpha. o Minor bugfixes (threads, memory): - Improvements in cleanup of resources used by threads. Fixes bug 40991; bugfix on 0.4.8.13-dev. - Rework start and exit of worker threads. Signed-off-by: Peter Müller --- lfs/tor | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/tor b/lfs/tor index 0d57f5fed..af16cc982 100644 --- a/lfs/tor +++ b/lfs/tor @@ -26,7 +26,7 @@ include Config SUMMARY = Anonymizing overlay network for TCP (The onion router) -VER = 0.4.8.16 +VER = 0.4.8.18 THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 89 +PAK_VER = 90 DEPS = libseccomp @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = fdaf3d124d3e1b11589a5219033c8d37d3e6c8986ff60e930d2bf80532dd6be4c7ee1634bd0806bd283a9954e4478f3be7b9b61abd13e3274fef3b8373df1b00 +$(DL_FILE)_BLAKE2 = 8a2ff369d3b29557a4bb3018dcc5c17b04e459626d23a44bed2968c938a4073ff85c88f734b8f732273197cbb173b70906b4f553db7a432cfbefad73329f6349 install : $(TARGET) -- 2.51.0