Date: Wed, 18 Mar 2020 16:43:49 +0000
From: "Thomas Klausner"
Subject: CVS commit: pkgsrc/net/tor
To: pkgsrc-changes@NetBSD.org
Reply-To: wiz@netbsd.org
Message-Id: <20200318164349.6254CFB27@cvs.NetBSD.org>

Module Name:	pkgsrc
Committed By:	wiz
Date:		Wed Mar 18 16:43:49 UTC 2020

Modified Files:
	pkgsrc/net/tor: Makefile distinfo

Log Message:
tor: update to 0.4.2.7.

Changes in version 0.4.2.7 - 2020-03-18
  This is the third stable release in the 0.4.2.x series. It backports
  numerous fixes from later releases, including a fix for TROVE-2020-002,
  a major denial-of-service vulnerability that affected all released Tor
  instances since 0.2.1.5-alpha. Using this vulnerability, an attacker
  could cause Tor instances to consume a huge amount of CPU, disrupting
  their operations for several seconds or minutes. This attack could be
  launched by anybody against a relay, or by a directory cache against
  any client that had connected to it. The attacker could launch this
  attack as much as they wanted, thereby disrupting service or creating
  patterns that could aid in traffic analysis. This issue was found by
  OSS-Fuzz, and is also tracked as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Major bugfixes (directory authority, backport from 0.4.3.3-alpha):
    - Directory authorities will now send a 503 (not enough bandwidth)
      code to clients when under bandwidth pressure. Known relays and
      other authorities will always be answered regardless of the
      bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.

  o Minor features (continuous integration, backport from 0.4.3.2-alpha):
    - Stop allowing failures on the Travis CI stem tests job. It looks
      like all the stem hangs we were seeing before are now fixed.
      Closes ticket 33075.

  o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
    - Lowercase the configured value of BridgeDistribution before
      adding it to the descriptor. Fixes bug 32753; bugfix on
      0.3.2.3-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix on
      0.3.2.2-alpha.

  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug
      33137; bugfix on 0.3.3.1-alpha. This issue is also tracked as
      TROVE-2020-003.

  o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug
      33212; bugfix on 0.3.5.1-alpha.

  o Testing (Travis CI, backport from 0.4.3.3-alpha):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - When a Travis chutney job fails, use chutney's new
      "diagnostics.sh" tool to produce detailed diagnostic output.
      Closes ticket 32792.

To generate a diff of this commit:
cvs rdiff -u -r1.151 -r1.152 pkgsrc/net/tor/Makefile
cvs rdiff -u -r1.105 -r1.106 pkgsrc/net/tor/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/tor/Makefile
diff -u pkgsrc/net/tor/Makefile:1.151 pkgsrc/net/tor/Makefile:1.152
--- pkgsrc/net/tor/Makefile:1.151	Thu Jan 30 21:02:49 2020
+++ pkgsrc/net/tor/Makefile	Wed Mar 18 16:43:49 2020
@@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.151 2020/01/30 21:02:49 leot Exp $ +# $NetBSD: Makefile,v 1.152 2020/03/18 16:43:49 wiz Exp $ -DISTNAME= tor-0.4.2.6 +DISTNAME= tor-0.4.2.7 CATEGORIES= net security MASTER_SITES= https://dist.torproject.org/
@@ -17,7 +17,7 @@ USE_TOOLS+= perl:test pkg-config # Work around this by using gmake, which is tiny compared to the # existing perl dependency, and unlikely to be needed on any given # system just for tor. -USE_TOOLS+= gmake +USE_TOOLS+= gmake bash:test GNU_CONFIGURE= yes CONFIGURE_ARGS+= --localstatedir=${VARBASE} CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFBASEDIR} Index: pkgsrc/net/tor/distinfo diff -u pkgsrc/net/tor/distinfo:1.105 pkgsrc/net/tor/distinfo:1.106 --- pkgsrc/net/tor/distinfo:1.105 Thu Jan 30 21:15:41 2020 +++ pkgsrc/net/tor/distinfo Wed Mar 18 16:43:49 2020 @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.105 2020/01/30 21:15:41 leot Exp $ +$NetBSD: distinfo,v 1.106 2020/03/18 16:43:49 wiz Exp $ SHA1 (digest-0.7.2.crate) = 5b9c88bbbd10db277eb81489d4fd98222c81f654 RMD160 (digest-0.7.2.crate) = e1754858a8cc3376e4b1faaa2ab950f5c5a9ff26 
@@ -20,10 +20,10 @@ SHA1 (rand_core-0.2.0-pre.0.crate) = 21e RMD160 (rand_core-0.2.0-pre.0.crate) = cbd3dc9ad06727ca36c296f4d33ec695e25b7bb9 SHA512 (rand_core-0.2.0-pre.0.crate) = b14f88e529fe99b7b9774fc8e1233b44192e253a8a27bfc4da1a7ae99104b6b697068bd19faab85df3427e557a5182892f81f481dd89e8eb6921ec390ca752e9 Size (rand_core-0.2.0-pre.0.crate) = 19211 bytes -SHA1 (tor-0.4.2.6.tar.gz) = 3ca9fcefa74b3d2e4a28aeda1339b5eb65078e54 -RMD160 (tor-0.4.2.6.tar.gz) = fdd9733bbd72e565935011f22ead211469cb2be3 -SHA512 (tor-0.4.2.6.tar.gz) = 0e757cd6f48ca3ed5737978e8f63f1f267d2223479bfc7a431b71a6912040a4a9bc63cc97a73356ff998e03123b0a6a4519486c41359d1ef1f0fe30aa1fa168f -Size (tor-0.4.2.6.tar.gz) = 7600081 bytes +SHA1 (tor-0.4.2.7.tar.gz) = a7a48e4199097b5198c86448b5871732fba2ac76 +RMD160 (tor-0.4.2.7.tar.gz) = 86d23f25cfec136a8b2abc0567fa2708f6078252 +SHA512 (tor-0.4.2.7.tar.gz) = a23c7eec8f399372227433c62c97278563a63e4cf03e475307915d395fb0b7efc461b4c8a077149e7b6df955ec26d52cd833dfe37fb650d23b3fcb1a4163d64d +Size (tor-0.4.2.7.tar.gz) = 7604875 bytes SHA1 (typenum-1.9.0.crate) = 76b18bc10204c28798cd32d10fd0df349d4cb5e4 RMD160 (typenum-1.9.0.crate) = 6468f8efe8e91edac71dfd4e28c46581a2f0d457 SHA512 (typenum-1.9.0.crate) = 8b72af1e370cf9d9308287baf4fc7c6096c4923d1c52fe0313c23c84077d74196aa4d997ecf195842d8242c871b0fd0da111f7914664be1841c97315e3ba6abb --_----------=_1584549829278930--
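Review bot: in the Makefile hunk at `@@ -17,7 +17,7 @@`, the new `bash:test` in `USE_TOOLS+= gmake bash:test` is undocumented: the comment block directly above it only justifies gmake, and the log message says nothing about the test suite needing bash. Add a line to that comment (or to the commit log) naming the test scripts that require bash, so a later updater can tell when the dependency can be dropped. Scoping it with `:test` is right, since it keeps bash out of the build and run-time dependencies of the package.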
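Review bot: in the distinfo hunk at `@@ -20,10 +20,10 @@`, the replaced `SHA1`, `RMD160`, `SHA512` and `Size` lines for `tor-0.4.2.7.tar.gz` are the only thing that pins the distfile pkgsrc fetches, so the log message should say the new SHA512 was checked against the Tor Project's signed release artifacts rather than just computed from whatever was downloaded from `MASTER_SITES`; of the four values, the SHA512 is the one that gives real integrity protection, and the Size line is a cheap sanity check alongside it. The crate entries around it (`rand_core-0.2.0-pre.0.crate`, `typenum-1.9.0.crate`) are unchanged context, consistent with only the upstream tarball having changed.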