- Dec 10, 2023
-
-
Peter Palfrader authored
-
Peter Palfrader authored
* debian-ci: pristine-tar moved to gitlab (from gitolite)
-
Peter Palfrader authored
-
Peter Palfrader authored
* debian-merge:
  New upstream version: 0.4.8.10
  version: Bump version to 0.4.8.10
  release: ChangeLog and ReleaseNotes for 0.4.8.10
  fallbackdir: Update list generated on December 08, 2023
  Update geoip files to match ipfire location db, 2023/12/08.
  Bug 40897: Changes file
  Bug 40897 Bug Bounty: Double the number of max conflux circs
  Bug 40897: Add more checks to free paths
  Bug 40897: Move safety check to proper location and give it error handling.
  update changes file with correct introduced version
  version: Bump version to 0.4.8.9-dev
  add change file
  fix bridge transport statistics
-
Peter Palfrader authored
-
Peter Palfrader authored
Tor 0.4.8.10
# gpg: Signature made Fri Dec 8 20:12:04 2023 CET
# gpg: using RSA key B74417EDDF22AC9F9E90F49142E86A2A11F48D36
# gpg: please do a --check-trustdb
# gpg: Good signature from "David Goulet <dgoulet@ev0ke.net>" [unknown]
# gpg: aka "David Goulet <dgoulet@riseup.net>" [unknown]
# gpg: aka "David Goulet <dgoulet@torproject.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B744 17ED DF22 AC9F 9E90 F491 42E8 6A2A 11F4 8D36
* tag 'tor-0.4.8.10':
  version: Bump version to 0.4.8.10
  release: ChangeLog and ReleaseNotes for 0.4.8.10
  fallbackdir: Update list generated on December 08, 2023
  Update geoip files to match ipfire location db, 2023/12/08.
  Bug 40897: Changes file
  Bug 40897 Bug Bounty: Double the number of max conflux circs
  Bug 40897: Add more checks to free paths
  Bug 40897: Move safety check to proper location and give it error handling.
  update changes file with correct introduced version
  version: Bump version to 0.4.8.9-dev
  add change file
  fix bridge transport statistics
-
- Dec 08, 2023
-
-
David Goulet authored
-
-
-
David Goulet authored
-
-
-
David Goulet authored
-
David Goulet authored
-
- Dec 07, 2023
-
-
Alexander Færøy authored
-
Alexander Færøy authored
-
Mike Perry authored
-
Mike Perry authored
We strongly suspect that bug 40897 was caused by a custom Tor client that tried to use more than the default number of conflux circuits, for either performance or traffic analysis defense gains, or both. This entity hit a safety check on the exit side, which caused a UAF. Our "belt and suspenders" snapped off, and hit us in the face... again... Since there are good reasons to try more than 2 conflux legs, and research has found some traffic analysis benefits with as many as 5, we're going to raise and parameterize this limit as a form of bug bounty for finding this UAF, so that this entity can try out a little more confluxing. This should also make it easier for researchers to try things like gathering traces with larger amounts of confluxing than normal, to measure real-world traffic analysis impacts of conflux. Shine on, you yoloing anonymous diamond. Let us know if you find out anything interesting!
-
Mike Perry authored
Similar double-frees would be caught earlier by these, so long as the pointers remain nulled out.
-
Mike Perry authored
-
- Dec 06, 2023
-
-
trinity-1686a authored
-
- Nov 10, 2023
-
-
Peter Palfrader authored
* debian-merge:
  New upstream version: 0.4.8.9
  version: Bump version to 0.4.8.9
  release: ChangeLog and ReleaseNotes for 0.4.8.9
  fallbackdir: Update list generated on November 09, 2023
  Update geoip files to match ipfire location db, 2023/11/09.
  hs: Always check if the hs_ident is available when processing a cell
  hs: Fix assert in hs_metrics_update_by_ident()
  version: Bump version to 0.4.8.8-dev
  version: Bump version to 0.4.7.16-dev
  release: ChangeLog and ReleaseNotes for 0.4.8.8
  Update geoip files to match ipfire location db, 2023/11/03.
  fallbackdir: Update list generated on November 03, 2023
  version: Bump version to 0.4.7.16
  fallbackdir: Update list generated on November 03, 2023
  Update geoip files to match ipfire location db, 2023/11/03.
  Bug 40876 changes file
  Bug 40876: Extra logging
  Bug 40876: Don't reduce primary list for temporary restrictions
-
Peter Palfrader authored
-
Peter Palfrader authored
Tor 0.4.8.9
# gpg: Signature made Thu Nov 9 16:09:19 2023 CET
# gpg: using RSA key B74417EDDF22AC9F9E90F49142E86A2A11F48D36
# gpg: please do a --check-trustdb
# gpg: Good signature from "David Goulet <dgoulet@ev0ke.net>" [unknown]
# gpg: aka "David Goulet <dgoulet@riseup.net>" [unknown]
# gpg: aka "David Goulet <dgoulet@torproject.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B744 17ED DF22 AC9F 9E90 F491 42E8 6A2A 11F4 8D36
* tag 'tor-0.4.8.9':
  version: Bump version to 0.4.8.9
  release: ChangeLog and ReleaseNotes for 0.4.8.9
  fallbackdir: Update list generated on November 09, 2023
  Update geoip files to match ipfire location db, 2023/11/09.
  hs: Always check if the hs_ident is available when processing a cell
  hs: Fix assert in hs_metrics_update_by_ident()
  version: Bump version to 0.4.8.8-dev
  version: Bump version to 0.4.7.16-dev
  release: ChangeLog and ReleaseNotes for 0.4.8.8
  Update geoip files to match ipfire location db, 2023/11/03.
  fallbackdir: Update list generated on November 03, 2023
  version: Bump version to 0.4.7.16
  fallbackdir: Update list generated on November 03, 2023
  Update geoip files to match ipfire location db, 2023/11/03.
  Bug 40876 changes file
  Bug 40876: Extra logging
  Bug 40876: Don't reduce primary list for temporary restrictions
-
- Nov 09, 2023
-
-
-
David Goulet authored
-
-
-
David Goulet authored
-
-
-
David Goulet authored
-
David Goulet authored
-
David Goulet authored
-
David Goulet authored
-
- Nov 08, 2023
-
-
David Goulet authored
Signed-off-by: David Goulet <dgoulet@torproject.org>
-
- Nov 07, 2023
-
-
David Goulet authored
The hs_metrics_failed_rdv() macro could pass a NULL value for the identity key when a building circuit would end up in a failure path *before* the "hs_ident" was able to be set, which led to this assert.

This was introduced in 0.4.8.1-alpha with the addition of rendezvous circuit failure metrics for the MetricsPort.

This fixes TROVE-2023-006, whose severity is considered high.

Signed-off-by: David Goulet <dgoulet@torproject.org>
-
- Nov 05, 2023
-
-
Peter Palfrader authored
* debian-merge:
  New upstream version: 0.4.8.8
  version: Bump version to 0.4.8.8
  Sync geoip and fallbackdir from maint 048 before release
  Fix TROVE-2023-004: Remote crash when compiled against OpenSSL
  Changes file for bug 40878
  Bug 40878: Count a valid conflux linked cell as valid data
  configure: Bump version to 0.4.8.8-dev
  Fix the spelling of maxunmeasur(e)dbw.
  version: Bump version to 0.4.8.7-dev
-
Peter Palfrader authored
-
Peter Palfrader authored
Tor 0.4.8.8
# gpg: Signature made Sat Nov 4 17:26:54 2023 CET
# gpg: using RSA key B74417EDDF22AC9F9E90F49142E86A2A11F48D36
# gpg: please do a --check-trustdb
# gpg: Good signature from "David Goulet <dgoulet@ev0ke.net>" [unknown]
# gpg: aka "David Goulet <dgoulet@riseup.net>" [unknown]
# gpg: aka "David Goulet <dgoulet@torproject.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: B744 17ED DF22 AC9F 9E90 F491 42E8 6A2A 11F4 8D36
* tag 'tor-0.4.8.8':
  version: Bump version to 0.4.8.8
  Sync geoip and fallbackdir from maint 048 before release
  Fix TROVE-2023-004: Remote crash when compiled against OpenSSL
  Changes file for bug 40878
  Bug 40878: Count a valid conflux linked cell as valid data
  configure: Bump version to 0.4.8.8-dev
  Fix the spelling of maxunmeasur(e)dbw.
  version: Bump version to 0.4.8.7-dev
-