fold in the next 0.2.2 changes
parent
43454a872e
commit
6c02f4d2e3
56
ChangeLog
|
@ -1,3 +1,59 @@
|
|||
Changes in version 0.2.2.36 - 2012-01-06
|
||||
o Major security workaround:
|
||||
- When building or running with any version of OpenSSL earlier
|
||||
than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
|
||||
versions had a bug (CVE-2011-4576) in which their block cipher
|
||||
padding included uninitialized data, potentially leaking sensitive
|
||||
information to any peer with whom they made a SSLv3 connection. Tor
|
||||
does not use SSL v3 by default, but a hostile client or server
|
||||
could force an SSLv3 connection in order to gain information that
|
||||
they shouldn't have been able to get. The best solution here is to
|
||||
upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
|
||||
or running with a non-upgraded OpenSSL, we should instead make
|
||||
sure that the bug can't happen by disabling SSLv3 entirely.
|
||||
|
||||
o Major bugfixes:
|
||||
- Provide correct replacements for the timeradd() and timersub()
|
||||
functions for platforms that lack them (for example, windows). The
|
||||
timersub() function is used when expiring circuits, timeradd() is
|
||||
currently unused. Patch written by Vektor, who also reported the
|
||||
bug. Thanks! Bugfix on 0.2.2.24-alpha/0.2.3.1-alpha, fixes bug 4778.
|
||||
|
||||
o Minor bugfixes:
|
||||
- When running with an older Linux kernel that erroneously responds
|
||||
to strange nmap behavior by having accept() return successfully
|
||||
with a zero-length socket, just close the connection. Previously,
|
||||
we would try harder to learn the remote address: but there was
|
||||
no such remote address to learn, and our method for trying to
|
||||
learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
|
||||
on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
|
||||
- Correctly spell "connect" in a log message when creating a
|
||||
controlsocket fails. Fixes bug 4803; bugfix on 0.2.2.26-beta and
|
||||
0.2.3.2-alpha.
|
||||
|
||||
o Minor features:
|
||||
- Directory servers now reject versions of Tor older than 0.2.1.30,
|
||||
and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
|
||||
(inclusive). These versions accounted for only a small fraction of
|
||||
the Tor network, and have numerous known security issues. Resolves
|
||||
issue 4788.
|
||||
- Update to the January 3 2012 Maxmind GeoLite Country database.
|
||||
|
||||
- Feature removal:
|
||||
- When sending or relaying a RELAY_EARLY cell, we used to convert
|
||||
it to a RELAY cell if the connection was using the v1 link
|
||||
protocol. This was a workaround for older versions of Tor, which
|
||||
didn't handle RELAY_EARLY cells properly. Now that all supported
|
||||
versions can handle RELAY_EARLY cells, and now that we're enforcing
|
||||
the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
|
||||
we're removing this workaround. Addresses bug 4786.
|
||||
|
||||
o Code simplifications and refactoring:
|
||||
- During configure, detect when we're building with clang version
|
||||
3.0 or lower and disable the -Wnormalized=id and -Woverride-init
|
||||
CFLAGS. clang doesn't support them yet.
|
||||
|
||||
|
||||
Changes in version 0.2.2.35 - 2011-12-16
|
||||
Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
|
||||
buffers code. Absolutely everybody should upgrade.
|
||||
|
|
|
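Review bot: the "- Feature removal:" heading in the new 0.2.2.36 block uses a "-" marker, while every other section heading in that block ("o Major security workaround:", "o Major bugfixes:", "o Minor features:") uses "o", so the RELAY_EARLY entry reads as a third item under "o Minor features:" instead of a section of its own. Suggest changing the marker to "o Feature removal:" so the section nests like the others. Separately, the 0.2.2.36 block goes straight from the version line to its first section, whereas the 0.2.2.35 entry directly below opens with a short summary paragraph; a one- or two-sentence summary that names the SSLv3 workaround for CVE-2011-4576 would keep the entries consistent and tell operators at a glance why this release matters.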
@ -1,8 +0,0 @@
|
|||
o Minor bugfixes:
|
||||
- When running with an older Linux kernel that erroneously responds
|
||||
to strange nmap behavior by having accept() return successfully
|
||||
with a zero-length socket, just close the connection. Previously,
|
||||
we would try harder to learn the remote address: but there was no
|
||||
such remote address to learn, and our method for trying to learn
|
||||
it was incorrect. Fixes bugs #1240, #4745, and #4747. Bugfix on
|
||||
0.1.0.3-rc. Reported and diagnosed by "r1eo".
|
|
@ -1,9 +0,0 @@
|
|||
- Feature removal:
|
||||
- When sending or relaying a RELAY_EARLY cell, we used to convert
|
||||
it to a RELAY cell if the connection was using the v1 link
|
||||
protocol. This was a workaround for older versions of Tor, which
|
||||
didn't handle RELAY_EARLY cells properly. Now that all supported
|
||||
versions can handle RELAY_EARLY cells, and now that we're
|
||||
enforcing the "no RELAY_EXTEND commands except in RELAY_EARLY
|
||||
cells" rule, we're removing this workaround. Addresses bug 4786.
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
o Minor features (directory server):
|
||||
- Directory servers now reject versions of Tor older than 0.2.1.30,
|
||||
and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
|
||||
(inclusive). These versions accounted for only a small fraction of
|
||||
the Tor network, and have numerous known security issues. Resolves
|
||||
issue #4788.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes:
|
||||
- Correctly spell "connect" in a log message when creating a controlsocket
|
||||
fails. Fixes bug 4803; bugfix on 0.2.2.26-beta/0.2.3.2-alpha.
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
o Major security workaround:
|
||||
- When building or running with any version of OpenSSL earlier
|
||||
than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
|
||||
a bug (CVE-2011-4576) in which their block cipher padding
|
||||
included uninitialized data, potentially leaking sensitive
|
||||
information to any peer with whom they made a SSLv3
|
||||
connection. Tor does not use SSL v3 by default, but a hostile
|
||||
client or server could force an SSLv3 connection in order to
|
||||
gain information that they shouldn't have been able to get. The
|
||||
best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
|
||||
later). But when building or running with a non-upgraded
|
||||
OpenSSL, we should instead make sure that the bug can't happen
|
||||
by disabling SSLv3 entirely.
|
|
@ -1,5 +0,0 @@
|
|||
o Code simplifications and refactoring:
|
||||
- During configure, detect when we're building with clang version 3.0 or
|
||||
lower and disable the -Wnormalized=id and -Woverride-init CFLAGS.
|
||||
clang doesn't support them yet.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Update to the January 3 2012 Maxmind GeoLite Country database.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
o Major bugfixes:
|
||||
- Provide correct replacements for the timeradd() and timersub() functions
|
||||
for platforms that lack them (for example, windows). The timersub()
|
||||
function is used when expiring circuits, timeradd() is currently unused.
|
||||
Patch written by Vektor, who also reported the bug. Thanks! Bugfix
|
||||
on 0.2.2.24-alpha/0.2.3.1-alpha, fixes bug 4778.
|
||||
|