[tor-commits] [tor/release-0.2.2] forward-port the 0.2.1.31 release notes
arma at torproject.org
arma at torproject.org
Thu Oct 27 23:52:31 UTC 2011
commit c4eae752f0d157ce1f0f820b4491ca33be86a2ba
Author: Roger Dingledine <arma at torproject.org>
Date: Wed Oct 26 20:22:13 2011 -0400
forward-port the 0.2.1.31 release notes
---
ChangeLog | 109 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ReleaseNotes | 109 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 218 insertions(+), 0 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 2c20536..db59365 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -112,6 +112,115 @@ Changes in version 0.2.2.34 - 2011-10-26
- Update to the October 4 2011 Maxmind GeoLite Country database.
+Changes in version 0.2.1.31 - 2011-10-26
+ Tor 0.2.1.31 backports important security and privacy fixes for
+ oldstable. This release is intended only for package maintainers and
+ others who cannot use the 0.2.2 stable series. All others should be
+ using Tor 0.2.2.x or newer.
+
+ o Security fixes (also included in 0.2.2.x):
+ - Replace all potentially sensitive memory comparison operations
+ with versions whose runtime does not depend on the data being
+ compared. This will help resist a class of attacks where an
+ adversary can use variations in timing information to learn
+ sensitive data. Fix for one case of bug 3122. (Safe memcmp
+ implementation by Robert Ransom based partially on code by DJB.)
+ - Fix an assert in parsing router descriptors containing IPv6
+ addresses. This one took down the directory authorities when
+ somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
+
+ o Privacy/anonymity fixes (also included in 0.2.2.x):
+ - Clients and bridges no longer send TLS certificate chains on
+ outgoing OR connections. Previously, each client or bridge
+ would use the same cert chain for all outgoing OR connections
+ for up to 24 hours, which allowed any relay that the client or
+ bridge contacted to determine which entry guards it is using.
+ Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by frosty_un.
+ - If a relay receives a CREATE_FAST cell on a TLS connection, it
+ no longer considers that connection as suitable for satisfying a
+ circuit EXTEND request. Now relays can protect clients from the
+ CVE-2011-2768 issue even if the clients haven't upgraded yet.
+ - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
+ that they initiated. Relays could distinguish incoming bridge
+ connections from client connections, creating another avenue for
+ enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
+ Found by "frosty_un".
+ - When receiving a hidden service descriptor, check that it is for
+ the hidden service we wanted. Previously, Tor would store any
+ hidden service descriptors that a directory gave it, whether it
+ wanted them or not. This wouldn't have let an attacker impersonate
+ a hidden service, but it did let directories pre-seed a client
+ with descriptors that it didn't want. Bugfix on 0.0.6.
+ - Avoid linkability based on cached hidden service descriptors: forget
+ all hidden service descriptors cached as a client when processing a
+ SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
+ - Make the bridge directory authority refuse to answer directory
+ requests for "all" descriptors. It used to include bridge
+ descriptors in its answer, which was a major information leak.
+ Found by "piebeer". Bugfix on 0.2.0.3-alpha.
+ - Don't attach new streams to old rendezvous circuits after SIGNAL
+ NEWNYM. Previously, we would keep using an existing rendezvous
+ circuit if it remained open (i.e. if it were kept open by a
+ long-lived stream, or if a new stream were attached to it before
+ Tor could notice that it was old and no longer in use). Bugfix on
+ 0.1.1.15-rc; fixes bug 3375.
+
+ o Minor bugfixes (also included in 0.2.2.x):
+ - When we restart our relay, we might get a successful connection
+ from the outside before we've started our reachability tests,
+ triggering a warning: "ORPort found reachable, but I have no
+ routerinfo yet. Failing to inform controller of success." This
+ bug was harmless unless Tor is running under a controller
+ like Vidalia, in which case the controller would never get a
+ REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
+ fixes bug 1172.
+ - Build correctly on OSX with zlib 1.2.4 and higher with all warnings
+ enabled. Fixes bug 1526.
+ - Remove undocumented option "-F" from tor-resolve: it hasn't done
+ anything since 0.2.1.16-rc.
+ - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
+ None of the cases where we did this before were wrong, but by making
+ this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
+ - Fix a rare crash bug that could occur when a client was configured
+ with a large number of bridges. Fixes bug 2629; bugfix on
+ 0.2.1.2-alpha. Bugfix by trac user "shitlei".
+ - Correct the warning displayed when a rendezvous descriptor exceeds
+ the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
+ John Brooks.
+ - Fix an uncommon assertion failure when running with DNSPort under
+ heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
+ - When warning about missing zlib development packages during compile,
+ give the correct package names. Bugfix on 0.2.0.1-alpha.
+ - Require that introduction point keys and onion keys have public
+ exponent 65537. Bugfix on 0.2.0.10-alpha.
+ - Do not crash when our configuration file becomes unreadable, for
+ example due to a permissions change, between when we start up
+ and when a controller calls SAVECONF. Fixes bug 3135; bugfix
+ on 0.0.9pre6.
+ - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
+ Fixes bug 3208.
+ - Always NUL-terminate the sun_path field of a sockaddr_un before
+ passing it to the kernel. (Not a security issue: kernels are
+ smart enough to reject bad sockaddr_uns.) Found by Coverity;
+ CID #428. Bugfix on Tor 0.2.0.3-alpha.
+ - Don't stack-allocate the list of supplementary GIDs when we're
+ about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+ could take up to 256K, which is way too much stack. Found by
+ Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
+
+ o Minor bugfixes (only in 0.2.1.x):
+ - Resume using micro-version numbers in 0.2.1.x: our Debian packages
+ rely on them. Bugfix on 0.2.1.30.
+ - Use git revisions instead of svn revisions when generating our
+ micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402.
+
+ o Minor features (also included in 0.2.2.x):
+ - Adjust the expiration time on our SSL session certificates to
+ better match SSL certs seen in the wild. Resolves ticket 4014.
+ - Allow nameservers with IPv6 address. Resolves bug 2574.
+ - Update to the October 4 2011 Maxmind GeoLite Country database.
+
+
Changes in version 0.2.2.33 - 2011-09-13
Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's
TLS handshake that makes relays and bridges that run this new version
diff --git a/ReleaseNotes b/ReleaseNotes
index 8e3a60b..1fec570 100644
--- a/ReleaseNotes
+++ b/ReleaseNotes
@@ -117,6 +117,115 @@ Changes in version 0.2.2.34 - 2011-10-26
- Update to the October 4 2011 Maxmind GeoLite Country database.
+Changes in version 0.2.1.31 - 2011-10-26
+ Tor 0.2.1.31 backports important security and privacy fixes for
+ oldstable. This release is intended only for package maintainers and
+ others who cannot use the 0.2.2 stable series. All others should be
+ using Tor 0.2.2.x or newer.
+
+ o Security fixes (also included in 0.2.2.x):
+ - Replace all potentially sensitive memory comparison operations
+ with versions whose runtime does not depend on the data being
+ compared. This will help resist a class of attacks where an
+ adversary can use variations in timing information to learn
+ sensitive data. Fix for one case of bug 3122. (Safe memcmp
+ implementation by Robert Ransom based partially on code by DJB.)
+ - Fix an assert in parsing router descriptors containing IPv6
+ addresses. This one took down the directory authorities when
+ somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
+
+ o Privacy/anonymity fixes (also included in 0.2.2.x):
+ - Clients and bridges no longer send TLS certificate chains on
+ outgoing OR connections. Previously, each client or bridge
+ would use the same cert chain for all outgoing OR connections
+ for up to 24 hours, which allowed any relay that the client or
+ bridge contacted to determine which entry guards it is using.
+ Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by frosty_un.
+ - If a relay receives a CREATE_FAST cell on a TLS connection, it
+ no longer considers that connection as suitable for satisfying a
+ circuit EXTEND request. Now relays can protect clients from the
+ CVE-2011-2768 issue even if the clients haven't upgraded yet.
+ - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
+ that they initiated. Relays could distinguish incoming bridge
+ connections from client connections, creating another avenue for
+ enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
+ Found by "frosty_un".
+ - When receiving a hidden service descriptor, check that it is for
+ the hidden service we wanted. Previously, Tor would store any
+ hidden service descriptors that a directory gave it, whether it
+ wanted them or not. This wouldn't have let an attacker impersonate
+ a hidden service, but it did let directories pre-seed a client
+ with descriptors that it didn't want. Bugfix on 0.0.6.
+ - Avoid linkability based on cached hidden service descriptors: forget
+ all hidden service descriptors cached as a client when processing a
+ SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
+ - Make the bridge directory authority refuse to answer directory
+ requests for "all" descriptors. It used to include bridge
+ descriptors in its answer, which was a major information leak.
+ Found by "piebeer". Bugfix on 0.2.0.3-alpha.
+ - Don't attach new streams to old rendezvous circuits after SIGNAL
+ NEWNYM. Previously, we would keep using an existing rendezvous
+ circuit if it remained open (i.e. if it were kept open by a
+ long-lived stream, or if a new stream were attached to it before
+ Tor could notice that it was old and no longer in use). Bugfix on
+ 0.1.1.15-rc; fixes bug 3375.
+
+ o Minor bugfixes (also included in 0.2.2.x):
+ - When we restart our relay, we might get a successful connection
+ from the outside before we've started our reachability tests,
+ triggering a warning: "ORPort found reachable, but I have no
+ routerinfo yet. Failing to inform controller of success." This
+ bug was harmless unless Tor is running under a controller
+ like Vidalia, in which case the controller would never get a
+ REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
+ fixes bug 1172.
+ - Build correctly on OSX with zlib 1.2.4 and higher with all warnings
+ enabled. Fixes bug 1526.
+ - Remove undocumented option "-F" from tor-resolve: it hasn't done
+ anything since 0.2.1.16-rc.
+ - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
+ None of the cases where we did this before were wrong, but by making
+ this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
+ - Fix a rare crash bug that could occur when a client was configured
+ with a large number of bridges. Fixes bug 2629; bugfix on
+ 0.2.1.2-alpha. Bugfix by trac user "shitlei".
+ - Correct the warning displayed when a rendezvous descriptor exceeds
+ the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
+ John Brooks.
+ - Fix an uncommon assertion failure when running with DNSPort under
+ heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
+ - When warning about missing zlib development packages during compile,
+ give the correct package names. Bugfix on 0.2.0.1-alpha.
+ - Require that introduction point keys and onion keys have public
+ exponent 65537. Bugfix on 0.2.0.10-alpha.
+ - Do not crash when our configuration file becomes unreadable, for
+ example due to a permissions change, between when we start up
+ and when a controller calls SAVECONF. Fixes bug 3135; bugfix
+ on 0.0.9pre6.
+ - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
+ Fixes bug 3208.
+ - Always NUL-terminate the sun_path field of a sockaddr_un before
+ passing it to the kernel. (Not a security issue: kernels are
+ smart enough to reject bad sockaddr_uns.) Found by Coverity;
+ CID #428. Bugfix on Tor 0.2.0.3-alpha.
+ - Don't stack-allocate the list of supplementary GIDs when we're
+ about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+ could take up to 256K, which is way too much stack. Found by
+ Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
+
+ o Minor bugfixes (only in 0.2.1.x):
+ - Resume using micro-version numbers in 0.2.1.x: our Debian packages
+ rely on them. Bugfix on 0.2.1.30.
+ - Use git revisions instead of svn revisions when generating our
+ micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402.
+
+ o Minor features (also included in 0.2.2.x):
+ - Adjust the expiration time on our SSL session certificates to
+ better match SSL certs seen in the wild. Resolves ticket 4014.
+ - Allow nameservers with IPv6 address. Resolves bug 2574.
+ - Update to the October 4 2011 Maxmind GeoLite Country database.
+
+
Changes in version 0.2.2.33 - 2011-09-13
Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's
TLS handshake that makes relays and bridges that run this new version
More information about the tor-commits
mailing list