From 499bdd81a7f653aa4176e1983804c04dd13d4ea1 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 1 Mar 2018 16:41:48 -0500 Subject: [PATCH] Draft changelog for 0.3.2.10 --- ChangeLog | 60 +++++++++++++++++++++++++++++----------- changes/bug25249 | 3 -- changes/bug25249.2 | 3 -- changes/trove-2018-001.1 | 6 ---- changes/trove-2018-004 | 8 ------ 5 files changed, 44 insertions(+), 36 deletions(-) delete mode 100644 changes/bug25249 delete mode 100644 changes/bug25249.2 delete mode 100644 changes/trove-2018-001.1 delete mode 100644 changes/trove-2018-004 diff --git a/ChangeLog b/ChangeLog index dcae057a2..0320151a6 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,7 +3,37 @@ Changes in version 0.3.2.10 - 2018-03-?? backports a number of bugfixes, including important fixes for security issues. - BLURB HERE. + It includes an important security fix for a remote crash attack + against directory authorities, tracked as TROVE-2018-001. + + Additionally, it backports a fix for a bug whose severity we have + upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely + triggered in order to crash relays with a use-after-free pattern. As + such, we are now tracking that bug as TROVE-2018-002 and + CVE-2018-0491, and backporting it to earlier releases. This bug + affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version + 0.3.3.1-alpha. + + This release also backports our new system for improved resistance to + denial-of-service attacks against relays. + + This release also fixes several minor bugs and annoyances from + earlier releases. + + All directory authorities should upgrade to one of the versions + released today. All relays not already running Tor 0.3.3.2-alpha or + later should upgrade to this release. + + o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha): + - Fix a protocol-list handling bug that could be used to remotely crash + directory authorities with a null-pointer exception. Fixes bug 25074; + bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and + CVE-2018-0490. + + o Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha): + - Avoid adding the same channel twice in the KIST scheduler pending + list, which could lead to remote denial-of-service use-after-free + attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha. o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha): - Give relays some defenses against the recent network overload. We 
@@ -75,6 +105,14 @@ Changes in version 0.3.2.10 - 2018-03-?? making decisions about how to handle the incoming connection. Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera". + o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha): + - Fix a possible crash on malformed consensus. If a consensus had + contained an unparseable protocol line, it could have made clients + and relays crash with a null-pointer exception. To exploit this + issue, however, an attacker would need to be able to subvert the + directory authority system. Fixes bug 25251; bugfix on + 0.2.9.4-alpha. Also tracked as TROVE-2018-004. + o Minor bugfix (directory authority, backport from 0.3.3.2-alpha): - Directory authorities, when refusing a descriptor from a rejected relay, now explicitly tell the relay (in its logs) to set a valid @@ -86,17 +124,6 @@ Changes in version 0.3.2.10 - 2018-03-?? around the issue at https://github.com/rust-lang/rust/issues/46797. Fixes bug 24652; bugfix on 0.3.1.1-alpha. - - [[[[ OMIT - o Minor bugfixes (DoS mitigation): - - Add extra safety checks when refilling the circuit creation bucket to - ensure we never set a value that is above the allowed burst. Fixes - bug 25202; bugfix on 0.3.3.2-alpha. - - Make sure we don't modify consensus parameters if we aren't a public - relay when a new consensus arrives. Fixes bug 25223; bugfix on - 0.3.3.2-alpha. - OMIT]]]] - o Minor bugfixes (onion services, backport from 0.3.3.2-alpha): - Remove a BUG() statement when a client fetches an onion descriptor that has a lower revision counter than the one in its cache. This 
@@ -118,10 +145,11 @@ Changes in version 0.3.2.10 - 2018-03-?? limit (which can happen sometimes on some versions of OSX). Fixes bug 21074; bugfix on 0.0.9pre5. - o Minor bugfixes (scheduler, KIST, backport from 0.3.3.2-alpha): - - Avoid adding the same channel twice in the KIST scheduler pending - list, which would waste CPU cycles. Fixes bug 24700; bugfix - on 0.3.2.1-alpha. + o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha): + - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on + 0.2.9.4-alpha. + - Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249; + bugfix on 0.2.9.4-alpha. o Minor bugfixes (testing, backport from 0.3.3.1-alpha): - Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug diff --git a/changes/bug25249 b/changes/bug25249 deleted file mode 100644 index b4153eeae..000000000 --- a/changes/bug25249 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (spec conformance): - - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on - 0.2.9.4-alpha. diff --git a/changes/bug25249.2 b/changes/bug25249.2 deleted file mode 100644 index 9058c1107..000000000 --- a/changes/bug25249.2 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (spec conformance): - - Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249; - bugfix on 0.2.9.4-alpha. diff --git a/changes/trove-2018-001.1 b/changes/trove-2018-001.1 deleted file mode 100644 index f0ee92f40..000000000 --- a/changes/trove-2018-001.1 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (denial-of-service, directory authority): - - Fix a protocol-list handling bug that could be used to remotely crash - directory authorities with a null-pointer exception. Fixes bug 25074; - bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001. - - diff --git a/changes/trove-2018-004 b/changes/trove-2018-004 deleted file mode 100644 index 37e0a89b0..000000000 --- a/changes/trove-2018-004 +++ /dev/null 
@@ -1,8 +0,0 @@ - o Minor bugfixes (denial-of-service): - - Fix a possible crash on malformed consensus. If a consensus had - contained an unparseable protocol line, it could have made clients - and relays crash with a null-pointer exception. To exploit this - issue, however, an attacker would need to be able to subvert the - directory-authority system. Fixes bug 25251; bugfix on - 0.2.9.4-alpha. Also tracked as TROVE-2018-004. -
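Review bot: In the ChangeLog hunk at @@ -3,7 +3,37 @@, the new "Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha)" entry for bug 24700 carries no tracking identifiers, although the blurb added in the same hunk says the bug is now tracked as TROVE-2018-002 and CVE-2018-0491. The TROVE-2018-001 entry directly above it ends with "Also tracked as TROVE-2018-001 and CVE-2018-0490."; suggest closing the 24700 entry the same way, so that a reader searching the changelog by CVE or TROVE number reaches the entry itself and not only the blurb. For the same reason the blurb could name CVE-2018-0490 next to TROVE-2018-001, since it already gives both identifiers for the second issue.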
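Review bot: In the ChangeLog hunk at @@ -75,6 +105,14 @@, the TROVE-2018-004 entry is written in the past perfect ("If a consensus had contained an unparseable protocol line, it could have made clients and relays crash"), which reads as a report of something that happened and not as a description of the condition being fixed. Suggest "If a consensus contained an unparseable protocol line, clients and relays could crash". Also, "null-pointer exception" is imprecise for a crash in C code; "null-pointer dereference" would be more accurate, here and in the TROVE-2018-001 entry added in the first hunk.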
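Review bot: In the ChangeLog hunk at @@ -86,17 +124,6 @@, the "[[[[ OMIT ... OMIT]]]]" block for bugs 25202 and 25223 is deleted without any explanation in the commit message, whose subject is only "Draft changelog for 0.3.2.10". Both entries are marked "bugfix on 0.3.3.2-alpha" and this release lists the denial-of-service mitigation as a backport from 0.3.3.2-alpha, so dropping them is reasonable only if the backported code already contains both fixes and no 0.3.2.x release ever shipped the bugs. Please confirm that, and add a line to the commit message saying so, since the circuit-creation bucket burst check and the consensus-parameter check for non-public relays are part of the defense this release advertises.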
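Review bot: In the ChangeLog hunk at @@ -118,10 +145,11 @@, the new "Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha)" section has two bullets that differ only in the rejected value and both end with "Fixes part of bug 25249; bugfix on 0.2.9.4-alpha." Suggest merging them into one bullet, for example: Forbid "-0" and UINT32_MAX as protocol versions. Fixes parts of bug 25249; bugfix on 0.2.9.4-alpha. It would also help readers to say in that bullet that this is the protocol-version parsing touched by the TROVE-2018-001 and TROVE-2018-004 entries, if that is the case, since all three are marked bugfix on 0.2.9.4-alpha.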