Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tor for openSUSE:Factory checked in at 2026-06-02 16:08:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tor (Old)
 and /work/SRC/openSUSE:Factory/.tor.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tor" Tue Jun 2 16:08:41 2026 rev:134 rq:1356643 version:0.4.9.9 Changes: -------- --- /work/SRC/openSUSE:Factory/tor/tor.changes 2026-05-08 16:48:33.441111533 +0200 +++ /work/SRC/openSUSE:Factory/.tor.new.1937/tor.changes 2026-06-02 16:10:28.242175318 +0200 
@@ -1,0 +2,61 @@ +Tue Jun 2 06:15:12 UTC 2026 - Bernhard Wiedemann <[email protected]> + +- Update to 0.4.9.9 + * Major bugfixes (compression, security): + - Fix a compression bomb bypass where an attacker could concatenate + many gzip or zlib sub-streams, each just under the per-stream + detection threshold, to avoid the compression bomb check entirely. + TROVE-2026-022. Fixes bug 41275; bugfix on 0.3.1.1-alpha. + - Fix an infinite loop when decompressing a truncated zlib/gzip + stream with done=1. A truncated stream never reaches Z_STREAM_END, + causing zlib to return Z_BUF_ERROR with no input remaining, which + buf_add_compress() mistook for a full output buffer and retried + forever. Fixed by returning TOR_COMPRESS_ERROR in that case so the + caller can abort cleanly. TROVE-2026-021. Fixes bug 41274; bugfix + on 0.2.6.1-alpha. + * Major bugfixes (conflux, security): + - Fix a NULL write after free when sending a CONFLUX_SWITCH cell + fails. The return value of relay_send_command_from_edge() was + ignored, so a send failure (which calls circuit_mark_for_close() + and removes the leg via cfx_del_leg()) would go undetected, + causing the caller to write to the now-freed current leg and + resulting in a crash. TROVE-2026-017. Fixes bug 41263; bugfix + on 0.4.8.1-alpha. + * Major bugfixes (security, TROVE-2026-019): + - Avoid out-of-bounds read/write when parsing a consensus or + detached signature with unexpected signature digest type. Impact + is minor for most Tor roles, but potentially major for directory + authorities. Fixes bug 41267; bugfix on 0.2.8.2-alpha. + * Major bugfixes (client stability, TROVE-2026-013, TROVE-2026-015): + - Protect against a client-side assert that can happen if a + malicious onion service gets the client to load its carefully + crafted onion descriptor. Fixes bugs 41259 and 41261; bugfix + on 0.3.1.1-alpha. 
+ * Major bugfixes (code safety): + - Avoid a dangerous situation in router_find_exact_exit_enclave() + where we could have reached an assert if bridges or relays claim + an IP address of 0.0.0.0. Fixes bug 41276; bugfix on 0.4.5.1-alpha. + * Major bugfixes (conflux, shutdown): + - Fix a use-after-free in the shutdown path when freeing conflux + circuits. cfx_add_leg() shares stream list pointers across legs + without NULLing the old leg, so circuit_free_all() would free the + lists via one leg and then access freed memory via another. TROVE- + 2026-016. Fixes bug 41262; bugfix on 0.4.8.1-alpha. + * Major bugfixes (DNSPort, TROVE-2026-018): + - Fix a client-side crash that would happen if we decide to stop + reading on a RESOLVE request that came from the DNSPort or + controller. This crash could happen naturally under heavy load and + with poor luck, but since 0.4.7.2-alpha it could be induced by the + exit relay via a flow control request. Fixes bug 41265; bugfix + on 0.2.0.1-alpha. + * Major bugfixes (memory safety, TROVE-2026-014): + - Avoid a heap-use-after-free mistake that can happen in the conflux + subsystem, and which can be induced at either the client or the + exit relay. Fixes bug 41260; bugfix on 0.4.8.1-alpha. + * Major bugfixes (onion services, TROVE-2026-020): + - Avoid a possible divide by zero crash on onion services that have + the proof-of-work (PoW) defense enabled. This bug could be hit by + extreme bad luck or maybe by the help of an attacker crafting just + the right circumstances. Fixes bug 41270; bugfix on 0.4.8.1-alpha. 
+ +------------------------------------------------------------------- Old: ---- tor-0.4.9.8.tar.gz tor-0.4.9.8.tar.gz.sha256sum tor-0.4.9.8.tar.gz.sha256sum.asc New: ---- tor-0.4.9.9.tar.gz tor-0.4.9.9.tar.gz.sha256sum tor-0.4.9.9.tar.gz.sha256sum.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tor.spec ++++++ --- /var/tmp/diff_new_pack.rgewCM/_old 2026-06-02 16:10:29.262217620 +0200 +++ /var/tmp/diff_new_pack.rgewCM/_new 2026-06-02 16:10:29.266217786 +0200 @@ -21,7 +21,7 @@ %define torgroup %{name} %define home_dir %{_localstatedir}/lib/empty Name: tor -Version: 0.4.9.8 +Version: 0.4.9.9 Release: 0 Summary: Anonymizing overlay network for TCP (The onion router) License: BSD-3-Clause ++++++ tor-0.4.9.8.tar.gz -> tor-0.4.9.9.tar.gz ++++++ /work/SRC/openSUSE:Factory/tor/tor-0.4.9.8.tar.gz /work/SRC/openSUSE:Factory/.tor.new.1937/tor-0.4.9.9.tar.gz differ: char 13, line 1 ++++++ tor-0.4.9.8.tar.gz.sha256sum -> tor-0.4.9.9.tar.gz.sha256sum ++++++ --- /work/SRC/openSUSE:Factory/tor/tor-0.4.9.8.tar.gz.sha256sum 2026-05-08 16:48:33.425110869 +0200 +++ /work/SRC/openSUSE:Factory/.tor.new.1937/tor-0.4.9.9.tar.gz.sha256sum 2026-06-02 16:10:27.998165198 +0200 @@ -1 +1 @@ -ac1f394e2dd2ab0877d27d928fd0d9e86662fe3ca6afdffb9fd9b6f0f96d05de tor-0.4.9.8.tar.gz +bd75ba7fd68f607c7806fcf70156a300aa926e9ad69a5e56a8e6414f5227e833 tor-0.4.9.9.tar.gz ++++++ tor.keyring ++++++ --- /var/tmp/diff_new_pack.rgewCM/_old 2026-06-02 16:10:29.402223427 +0200 +++ /var/tmp/diff_new_pack.rgewCM/_new 2026-06-02 16:10:29.414223924 +0200 
@@ -1,45 +1,45 @@ -----BEGIN PGP PUBLIC KEY BLOCK----- -xjMEXegH3RYJKwYBBAHaRw8BAQdA1IMvjZzYALGBFe/ARHNSXuQjccz0HgOHBHRq -v8Pb4j/NH0FsZXhhbmRlciBGw6Zyw7h5IDxhaGZAMHg5MC5kaz7CmQQTFggAQQIb +mDMEXegH3RYJKwYBBAHaRw8BAQdA1IMvjZzYALGBFe/ARHNSXuQjccz0HgOHBHRq +v8Pb4j+0H0FsZXhhbmRlciBGw6Zyw7h5IDxhaGZAMHg5MC5kaz6ImQQTFggAQQIb AwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBBwbwAep9geqgVLAQL6n sYCxSRkhBQJd6GooAhkBAAoJEL6nsYCxSRkhdqEA/0skJeGZkqRmlHPXqTFZMvbh As2kY9Lm5LBGesjgQCspAPwJZagtqC5252zPFMlaIUu2hxcUeA+HwdLqnnl6Wjvs -Ac0kQWxleGFuZGVyIEbDpnLDuHkgPGFoZkBib3JuaGFjay5vcmc+wpYEExYIAD4W +AbQmQWxleGFuZGVyIEbDpnLDuHkgPGFoZkB0b3Jwcm9qZWN0Lm9yZz6IlgQTFggA +PgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBBwbwAep9geqgVLAQL6nsYCx +SRkhBQJnj6uOBQkRLHGtAAoJEL6nsYCxSRkh8cMBAPI/GstI1YUoG23hRWuPUEFE +z2savHaNf7yVi4pTf9EGAQCY+YEy2aDM3MzbpZyZF+Psy7NwdroQg20AxvmurIoA +ArQkQWxleGFuZGVyIEbDpnLDuHkgPGFoZkBib3JuaGFjay5vcmc+iJYEExYIAD4W IQQcG8AHqfYHqoFSwEC+p7GAsUkZIQUCXegKdwIbAwUJCWYBgAULCQgHAgYVCgkI CwIEFgIDAQIeAQIXgAAKCRC+p7GAsUkZIRfkAP997/8J1lf3D7PiY21tPnB8d+5S -CXI/qI8mEfhaDZY+SAD/cfCblmB8CYzashZAbFM/6dwwNrNR7VBrzYyaRPhpkALN -IEFsZXhhbmRlciBGw6Zyw7h5IDxhaGZAZnNmZS5vcmc+wpYEExYIAD4WIQQcG8AH +CXI/qI8mEfhaDZY+SAD/cfCblmB8CYzashZAbFM/6dwwNrNR7VBrzYyaRPhpkAK0 +IEFsZXhhbmRlciBGw6Zyw7h5IDxhaGZAZnNmZS5vcmc+iJYEExYIAD4WIQQcG8AH qfYHqoFSwEC+p7GAsUkZIQUCXegKbwIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgID AQIeAQIXgAAKCRC+p7GAsUkZIdxtAQDuraf/2l/6BGDEAERL63OsjyN692MMur3P -KRy4kWdQzwEAod6V12Y5X3yjraPkbsiGC5QsXraAAz7ihSkIcJs0NgHNIEFsZXhh -bmRlciBGw6Zyw7h5IDxhaGZAaXJjNi5uZXQ+wpYEExYIAD4WIQQcG8AHqfYHqoFS -wEC+p7GAsUkZIQUCXegKVgIbAwUJCWYBgAULCQgHAgYVCgkICwIEFgIDAQIeAQIX -gAAKCRC+p7GAsUkZITd5AQDgi5qd1zBzUO9qzk8inT1xPxUjWoj7dj4hh7gFErut -vwD+JAxYHXrM0Kwg1F7nkf8XBfICTtx8do2QDNFO2nZvJgDNIUFsZXhhbmRlciBG -w6Zyw7h5IDxhaGZAaXJzc2kub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex -gLFJGSEFAl3oCmMCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ -vqexgLFJGSG+PAD7BECXB/S+eUWz118sqaiyrBtr/2msq89p7FNMswoOIlQBAMgO 
-1j8A5xW+hW8YOfiklahZh2TUHRVrcNhrE4R6PgELzSZBbGV4YW5kZXIgRsOmcsO4 -eSA8YWhmQHRvcnByb2plY3Qub3JnPsKWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex -gLFJGSEFAl3oCoICGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ -vqexgLFJGSHOawEAts5tDnzSOw9O7xtKBujA06UKlyJMxxD3ARjPqm9BBV4A/jHu -wYvNLPJdVl1PPgYnmCJ1u7L5epfdagZRsHqQ5PkEzjMEXegMBBYJKwYBBAHaRw8B -AQdAQvnurKGUaemX/DTpmpSE5NtGyfxLWgW9WSvZbbbR+DPCeAQYFggAIBYhBBwb +KRy4kWdQzwEAod6V12Y5X3yjraPkbsiGC5QsXraAAz7ihSkIcJs0NgG0IUFsZXhh +bmRlciBGw6Zyw7h5IDxhaGZAaXJzc2kub3JnPoiWBBMWCAA+FiEEHBvAB6n2B6qB +UsBAvqexgLFJGSEFAl3oCmMCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC +F4AACgkQvqexgLFJGSG+PAD7BECXB/S+eUWz118sqaiyrBtr/2msq89p7FNMswoO +IlQBAMgO1j8A5xW+hW8YOfiklahZh2TUHRVrcNhrE4R6PgELtCBBbGV4YW5kZXIg +RsOmcsO4eSA8YWhmQGlyYzYubmV0PoiWBBMWCAA+FiEEHBvAB6n2B6qBUsBAvqex +gLFJGSEFAl3oClYCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +vqexgLFJGSE3eQEA4Iuandcwc1Dvas5PIp09cT8VI1qI+3Y+IYe4BRK7rb8A/iQM +WB16zNCsINRe55H/FwXyAk7cfHaNkAzRTtp2byYAuDMEXegMBBYJKwYBBAHaRw8B +AQdAQvnurKGUaemX/DTpmpSE5NtGyfxLWgW9WSvZbbbR+DOIeAQYFggAIBYhBBwb wAep9geqgVLAQL6nsYCxSRkhBQJd6AwEAhsgAAoJEL6nsYCxSRkhLj4BAOMBgQBj h8SJEOM6RqWT5SXb8HiDfdZqvgr8nCtffEewAP93G3tS+owZ3m4bTzkeBzTvay/7 -eq23AcJprL+sedUTBs44BF3oC/ASCisGAQQBl1UBBQEBB0C1S8DIQiC+5dfHix3b -eFUzD3Lrq5+5UYGkmp6lh+OaPwMBCAfCeAQYFggAIBYhBBwbwAep9geqgVLAQL6n +eq23AcJprL+sedUTBrg4BF3oC/ASCisGAQQBl1UBBQEBB0C1S8DIQiC+5dfHix3b +eFUzD3Lrq5+5UYGkmp6lh+OaPwMBCAeIeAQYFggAIBYhBBwbwAep9geqgVLAQL6n sYCxSRkhBQJd6AvwAhsMAAoJEL6nsYCxSRkhDJQBAJse48bTxe81zjXKuMt66QKa RnBaDsY1EGaYk4Vyb6rxAQCtmsYhDHtiE2D2oFav+UULbeqdJyIOhPEPa31Rn4N5 -D84zBF3oC7wWCSsGAQQB2kcPAQEHQPdFLwvik9OFJ008OgdtSfe4LNlTuybXT4Pu -CuMuUgqcwsAvBBgWCAAgFiEEHBvAB6n2B6qBUsBAvqexgLFJGSEFAl3oC7wCGwIA -gQkQvqexgLFJGSF2IAQZFggAHRYhBFFBAkVNCofbB2eh675qBTHBipF5BQJd6Au8 -AAoJEL5qBTHBipF5qtoBAPTP2KTGDGl2OvDdwEzZ0uN7+VyiRPEGLUizwkyALsN7 -AQCInRWmKA4jrQzMgn5sC4yCKKW46/TA8PGX3kHZnYnNBfIXAP9ajF1eZVWy1BFl -ayUm3Z7tUF9w7qWTL0u+EZD1Nlnw9wD/dUZYPCNEPhsk/Bdrh+v6sBryagleM4Vc -6SM3xZaaxQI= -=GZkh 
+D7gzBF3oC7wWCSsGAQQB2kcPAQEHQPdFLwvik9OFJ008OgdtSfe4LNlTuybXT4Pu +CuMuUgqciO8EGBYIACAWIQQcG8AHqfYHqoFSwEC+p7GAsUkZIQUCXegLvAIbAgCB +CRC+p7GAsUkZIXYgBBkWCAAdFiEEUUECRU0Kh9sHZ6HrvmoFMcGKkXkFAl3oC7wA +CgkQvmoFMcGKkXmq2gEA9M/YpMYMaXY68N3ATNnS43v5XKJE8QYtSLPCTIAuw3sB +AIidFaYoDiOtDMyCfmwLjIIopbjr9MDw8ZfeQdmdic0F8hcA/1qMXV5lVbLUEWVr +JSbdnu1QX3DupZMvS74RkPU2WfD3AP91Rlg8I0Q+GyT8F2uH6/qwGvJqCV4zhVzp +IzfFlprFAg== +=G1TI -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PUBLIC KEY BLOCK-----
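Review bot: In the tor.changes hunk, the "conflux, shutdown" item wraps its advisory identifier across two lines ("TROVE-" at the end of one line and "2026-016." at the start of the next), so a search of the changes file for TROVE-2026-016 will not match. Rewrap that item so the identifier stays on one line, as the other TROVE references in the entry do. The entry also identifies the security fixes only by TROVE number and upstream bug number; if CVE or Bugzilla references exist for them, add them so the update can be tracked.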
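Review bot: The tor.keyring hunk (@@ -1,45 +1,45 @@) rewrites most lines of the first armored key block, and the tor.changes entry in this same commit does not mention a keyring update. The keyring is what the tor-0.4.9.9.tar.gz.sha256sum.asc signature is verified against, so a keyring change that arrives together with a new tarball and a new checksum file should get its own changelog line saying where the new keyring was obtained and confirming that the signing key fingerprints are unchanged. The armored diff itself cannot be checked by eye.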
