final entries for 0.4.2.8 changelog

ChangeLog

@@ -1,7 +1,22 @@
-Changes in version 0.4.2.8 - 2020-07-??
+Changes in version 0.4.2.8 - 2020-07-09
   Tor 0.4.2.8 backports various fixes from later releases, including
   several that affect usability and portability.
 
+  This release also fixes TROVE-2020-001, a medium-severity denial of
+  service vulnerability affecting all versions of Tor when compiled with
+  the NSS encryption library. (This is not the default configuration.)
+  Using this vulnerability, an attacker could cause an affected Tor
+  instance to crash remotely. This issue is also tracked as CVE-2020-
+  15572. Anybody running a version of Tor built with the NSS library
+  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
+  or later.
+
+  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
+    - Fix a crash due to an out-of-bound memory access when Tor is
+      compiled with NSS support. Fixes bug 33119; bugfix on
+      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
+      and CVE-2020-15572.
+
   o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc):
     - Fix a bug that was preventing DoS defenses from running on bridges
       with a pluggable transport. Previously, the DoS subsystem was not
@@ -27,6 +42,10 @@ Changes in version 0.4.2.8 - 2020-07-??
       that are failing on Appveyor because of mismatched OpenSSL
       libraries. Part of ticket 33643.
 
+  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
+    - Use the correct 64-bit printf format when compiling with MINGW on
+      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.
+
   o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha):
     - Warn if the ContactInfo field is not set, and tell the relay
       operator that not having a ContactInfo field set might cause their
@@ -47,6 +66,10 @@ Changes in version 0.4.2.8 - 2020-07-??
     - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
       on 0.4.0.3-alpha.
 
+  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
+    - Fix a compiler warning on platforms with 32-bit time_t values.
+      Fixes bug 40028; bugfix on 0.3.2.8-rc.
+
   o Minor bugfixes (controller protocol, backport from 0.4.3.2-alpha):
     - When receiving "ACTIVE" or "DORMANT" signals on the control port,
       report them as SIGNAL events. Previously we would log a bug

changes/bug33119

@@ -1,4 +0,0 @@
-  o Major bugfixes (NSS):
-    - Fix out-of-bound memory access in `tor_tls_cert_matches_key()` when Tor is
-      compiled with NSS support. Fixes bug 33119; bugfix on 0.3.5.1-alpha. This
-      issue is also tracked as TROVE-2020-001.

changes/bug40028

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compiler warnings):
-    - Fix a compiler warning on platforms with 32-bit time_t values.
-      Fixes bug 40028; bugfix on 0.3.2.8-rc.

changes/ticket40026

@@ -1,3 +0,0 @@
-  o Minor bugfix (CI, Windows):
-    - Don't use stdio 64 bit printf format when compiling with MINGW on
-      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.