[Bug 1183726] New: VUL-0: CVE-2021-28089,CVE-2021-28090: tor: New releases (with security fixes): 0.3.5.14, 0.4.4.8, and 0.4.5.7

http://bugzilla.opensuse.org/show_bug.cgi?id=1183726

Bug ID: 1183726
Summary: VUL-0: CVE-2021-28089,CVE-2021-28090: tor: New releases (with security fixes): 0.3.5.14, 0.4.4.8, and 0.4.5.7
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: bwiedemann@suse.com
Reporter: rfrohl@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

We have a new stable release today. If you build Tor from source, you can download the source code for 0.4.5.7 on the download page. Packages should be available within the next several weeks, with a new Tor Browser coming next week.

Also today, Tor 0.3.5.14 (changelog) and Tor 0.4.4.8 (changelog) have also been released; you can find them (and source for older Tor releases) at https://dist.torproject.org.

--

Major bugfixes (security, denial of service):

- Disable the dump_desc() function that we used to dump unparseable information to disk. It was called incorrectly in several places, in a way that could lead to excessive CPU usage. Fixes bug 40286; bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-001 and CVE-2021-28089.

- Fix a bug in appending detached signatures to a pending consensus document that could be used to crash a directory authority. Fixes bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 and CVE-2021-28090.

--

https://blog.torproject.org/node/2009

--
You are receiving this mail because:
You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1183726
http://bugzilla.opensuse.org/show_bug.cgi?id=1183726#c1

--- Comment #1 from Robert Frohl <rfrohl@suse.com> ---
fixed in Factory, but still open for Leap

http://bugzilla.opensuse.org/show_bug.cgi?id=1183726
http://bugzilla.opensuse.org/show_bug.cgi?id=1183726#c6

--- Comment #6 from Bernhard Wiedemann <bwiedemann@suse.com> ---
*** Bug 1184261 has been marked as a duplicate of this bug. ***