corrective releases of the Tor toolkit (0.3.5.11, 0.4.2.8, 0.4.3.6 and 4.4.2-alpha) used to run the Tor anonymous network. Fixed in new versions (CVE-2020-15572) caused by accessing a memory area outside the bounds of the allocated buffer. The vulnerability allows a remote attacker to cause the tor process to crash. The problem only appears when building with the NSS library (by default, Tor is built with OpenSSL, and using NSS requires the --enable-nss flag).
Additionally a plan to end support for the second version of the onion services protocol (formerly called hidden services). A year and a half ago, in release 0.3.2.9, users were the third version of the protocol for onion services, notable for the transition to 56-character addresses, more reliable protection against data leaks through directory servers, an extensible modular structure and the use of SHA3, ed25519 and curve25519 algorithms instead of SHA1, DH and RSA-1024.
The second version of the protocol was developed about 15 years ago and, due to the use of outdated algorithms, cannot be considered safe in modern conditions. Given the expiration of support for old branches, at present, any current Tor gateway supports the third version of the protocol, which is offered by default when creating new onion services.
On September 15, 2020, Tor will begin to warn operators and customers about the deprecation of the second version of the protocol. On July 15, 2021, support for the second version of the protocol will be removed from the codebase, and on October 15, 2021, a new stable release of Tor will be released without support for the old protocol. Thus, the owners of old onion services have 16 months to switch to a new version of the protocol, which requires the generation of a new 56-character address for the service.
Source: opennet.ru