diff --git a/ChangeLog b/ChangeLog index e279919d2..a80b39c53 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,127 @@ +Changes in version 0.2.5.13 - 2017-03-?? + Tor 0.2.5.13 backports a number of security fixes from later Tor + releases. Anybody running Tor 0.2.5.13 or earlier should upgrade to + this release, if for some reason they cannot upgrade to a later + release series. + + Note that support for Tor 0.2.5.x is ending next year: we will not issue + any fixes for the Tor 0.2.5.x series after 1 August 2018. If you need + a Tor release series with longer-term support, we recommend Tor 0.2.9.x. + + o Directory authority changes (backport from 0.2.8.5-rc): + - Urras is no longer a directory authority. Closes ticket 19271. + + o Directory authority changes (backport from 0.2.9.2-alpha): + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Directory authority key updates (backport from 0.2.8.1-alpha): + - Update the V3 identity key for the dannenberg directory authority: + it was changed on 18 November 2015. Closes task 17906. Patch + by "teor". + + o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha): + - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on + a client authorized hidden service. Fixes bug 15823; bugfix + on 0.2.1.6-alpha. + + o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". + + o Minor features (bug-resistance, backport from 0.2.8.2-alpha): + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. + + o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha): + - Check for failures from crypto_early_init, and refuse to continue. + A previous typo meant that we could keep going with an + uninitialized crypto library, and would have OpenSSL initialize + its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced + when implementing ticket 4900. Patch by "teor". + + o Major bugfixes (security, correctness, backport from 0.2.7.4-rc): + - Fix an error that could cause us to read 4 bytes before the + beginning of an openssl string. This bug could be used to cause + Tor to crash on systems with unusual malloc implementations, or + systems with unusual hardening installed. Fixes bug 17404; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (guard selection, backport from 0.2.7.6): + - Actually look at the Guard flag when selecting a new directory + guard. When we implemented the directory guard design, we + accidentally started treating all relays as if they have the Guard + flag during guard selection, leading to weaker anonymity and worse + performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered + by Mohsen Imani. + + o Minor bugfixes (compilation, backport from 0.2.7.6) + - Fix a compilation warning with Clang 3.6: Do not check the + presence of an address which can never be NULL. Fixes bug 17781. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor features (security, memory erasure, backport from 0.2.8.1-alpha): + - Make memwipe() do nothing when passed a NULL pointer or buffer of + zero size. Check size argument to memwipe() for underflow. Fixes + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", + patch by "teor". + + o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha): + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. Fixes bug 18162; + bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. + Reported by Guido Vranken. + + o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha): + - Stop a crash that could occur when a client running with DNSPort + received a query with multiple address types, and the first + address type was not supported. Found and fixed by Scott Dial. + Fixes bug 18710; bugfix on 0.2.5.4-alpha. + + o Major features (security fixes, backport from 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Major bugfixes (parsing, security, backport from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Major bugfixes (key management, backport from 0.2.8.3-alpha): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (parsing, also in 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor versions. + This bug is harmless, except when Tor has been built with + --enable-expensive-hardening, which would turn it into a crash; + or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with + -ftrapv by default. + Part of TROVE-2017-001. Fixes bug 21278; bugfix on + 0.0.8pre1. Found by OSS-Fuzz. + + + Changes in version 0.2.5.12 - 2015-04-06 Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that could be used by an attacker to crash hidden services, or crash clients diff --git a/changes/19271 b/changes/19271 deleted file mode 100644 index dc06ead99..000000000 --- a/changes/19271 +++ /dev/null @@ -1,2 +0,0 @@ - o Directory authority changes: - - Urras is no longer a directory authority. Closes ticket 19271. diff --git a/changes/bifroest b/changes/bifroest deleted file mode 100644 index 41af658ed..000000000 --- a/changes/bifroest +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority changes (also in 0.2.8.7): - - The "Tonga" bridge authority has been retired; the new bridge - authority is "Bifroest". Closes tickets 19728 and 19690. diff --git a/changes/bug15515 b/changes/bug15515 deleted file mode 100644 index dda7c2fcd..000000000 --- a/changes/bug15515 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (DoS-resistance): - - Make it harder for attackers to overwhelm hidden services with - introductions, by blocking multiple introduction requests on the - same circuit. Resolves ticket #15515. diff --git a/changes/bug15600 b/changes/bug15600 deleted file mode 100644 index ee1d6cfe1..000000000 --- a/changes/bug15600 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (security, hidden service): - - Fix an issue that would allow a malicious client to trigger - an assertion failure and halt a hidden service. Fixes - bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy". - diff --git a/changes/bug15601 b/changes/bug15601 deleted file mode 100644 index 2cc880af7..000000000 --- a/changes/bug15601 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (security, hidden service): - - Fix a bug that could cause a client to crash with an assertion - failure when parsing a malformed hidden service descriptor. - Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnCha". diff --git a/changes/bug15823 b/changes/bug15823 deleted file mode 100644 index 987de5d9a..000000000 --- a/changes/bug15823 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (hidden service): - - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells - on a client authorized hidden service. Fixes bug 15823; bugfix - on 0.2.1.6-alpha. diff --git a/changes/bug16248 b/changes/bug16248 deleted file mode 100644 index 399b7093c..000000000 --- a/changes/bug16248 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (dns proxy mode, crash): - - Avoid crashing when running as a DNS proxy. Closes bug 16248; bugfix on - 0.2.0.1-alpha. Patch from 'cypherpunks'. - - o Minor features (bug-resistance): - - Make Tor survive errors involving connections without a corresponding - event object. Previously we'd fail with an assertion; now we produce a - log message. Related to bug 16248. diff --git a/changes/bug16360-failed-crypto-early-init b/changes/bug16360-failed-crypto-early-init deleted file mode 100644 index 21972bce5..000000000 --- a/changes/bug16360-failed-crypto-early-init +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (crypto error-handling): - - If crypto_early_init fails, a typo in a return value from tor_init - means that tor_main continues running, rather than returning - an error value. - Fixes bug 16360; bugfix on d3fb846d8c98 in 0.2.5.2-alpha, - introduced when implementing #4900. - Patch by "teor". diff --git a/changes/bug17404 b/changes/bug17404 deleted file mode 100644 index d524f6662..000000000 --- a/changes/bug17404 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (security, correctness): - - Fix a programming error that could cause us to read 4 bytes before - the beginning of an openssl string. This could be used to provoke - a crash on systems with an unusual malloc implementation, or - systems with unsual hardening installed. Fixes bug 17404; bugfix - on 0.2.3.6-alpha. diff --git a/changes/bug17772 b/changes/bug17772 deleted file mode 100644 index 54d457c60..000000000 --- a/changes/bug17772 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (guard selection): - - Actually look at the Guard flag when selecting a new directory - guard. When we implemented the directory guard design, we - accidentally started treating all relays as if they have the Guard - flag during guard selection, leading to weaker anonymity and worse - performance. Fixes bug 17222; bugfix on 0.2.4.8-alpha. Discovered - by Mohsen Imani. diff --git a/changes/bug17781 b/changes/bug17781 deleted file mode 100644 index 01ed231b0..000000000 --- a/changes/bug17781 +++ /dev/null @@ -1,3 +0,0 @@ - o Compilation fixes: - - Fix a compilation warning with Clang 3.6: Do not check the - presence of an address which can never be NULL. Fixes bug 17781. diff --git a/changes/bug17906 b/changes/bug17906 deleted file mode 100644 index fff76d1c5..000000000 --- a/changes/bug17906 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (authorities): - - Update the V3 identity key for dannenberg, it was changed on - 18 November 2015. - Closes task #17906. Patch by "teor". diff --git a/changes/bug18089 b/changes/bug18089 deleted file mode 100644 index c1fb342f7..000000000 --- a/changes/bug18089 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor fixes (security): - - Make memwipe() do nothing when passed a NULL pointer - or zero size. Check size argument to memwipe() for underflow. - Closes bug #18089. Reported by "gk", patch by "teor". - Bugfix on 0.2.3.25 and 0.2.4.6-alpha (#7352), - commit 49dd5ef3 on 7 Nov 2012. diff --git a/changes/bug18162 b/changes/bug18162 deleted file mode 100644 index 0844d6f62..000000000 --- a/changes/bug18162 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (security, pointers): - - - Avoid a difficult-to-trigger heap corruption attack when extending - a smartlist to contain over 16GB of pointers. Fixes bug #18162; - bugfix on Tor 0.1.1.11-alpha, which fixed a related bug - incompletely. Reported by Guido Vranken. - diff --git a/changes/bug18710 b/changes/bug18710 deleted file mode 100644 index 269395563..000000000 --- a/changes/bug18710 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (DNS proxy): - - Stop a crash that could occur when a client running with DNSPort - received a query with multiple address types, where the first - address type was not supported. Found and fixed by Scott Dial. - Fixes bug 18710; bugfix on 0.2.5.4-alpha. - diff --git a/changes/bug20384 b/changes/bug20384 deleted file mode 100644 index 591015ad9..000000000 --- a/changes/bug20384 +++ /dev/null @@ -1,10 +0,0 @@ - o Major features (security fixes): - - Prevent a class of security bugs caused by treating the contents - of a buffer chunk as if they were a NUL-terminated string. At - least one such bug seems to be present in all currently used - versions of Tor, and would allow an attacker to remotely crash - most Tor instances, especially those compiled with extra compiler - hardening. With this defense in place, such bugs can't crash Tor, - though we should still fix them as they occur. Closes ticket - 20384 (TROVE-2016-10-001). - diff --git a/changes/bug21018 b/changes/bug21018 deleted file mode 100644 index 49a8b47a2..000000000 --- a/changes/bug21018 +++ /dev/null @@ -1,11 +0,0 @@ - o Major bugfixes (parsing, security): - - - Fix a bug in parsing that could cause clients to read a single - byte past the end of an allocated region. This bug could be - used to cause hardened clients (built with - --enable-expensive-hardening) to crash if they tried to visit - a hostile hidden service. Non-hardened clients are only - affected depending on the details of their platform's memory - allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by - using libFuzzer. Also tracked as TROVE-2016-12-002 and as - CVE-2016-1254. diff --git a/changes/geoip-april2015 b/changes/geoip-april2015 deleted file mode 100644 index 7db38ed79..000000000 --- a/changes/geoip-april2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-april2016 b/changes/geoip-april2016 deleted file mode 100644 index 4cd03e556..000000000 --- a/changes/geoip-april2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the April 5 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-august2016 b/changes/geoip-august2016 deleted file mode 100644 index 370ab64ca..000000000 --- a/changes/geoip-august2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-december2015 b/changes/geoip-december2015 deleted file mode 100644 index 597bcc92f..000000000 --- a/changes/geoip-december2015 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-december2016 b/changes/geoip-december2016 deleted file mode 100644 index 60754ea21..000000000 --- a/changes/geoip-december2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-february2016 b/changes/geoip-february2016 deleted file mode 100644 index 49a8041fa..000000000 --- a/changes/geoip-february2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the February 2 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-february2017 b/changes/geoip-february2017 deleted file mode 100644 index ec54b6122..000000000 --- a/changes/geoip-february2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-january2016 b/changes/geoip-january2016 deleted file mode 100644 index fe2d5c7dc..000000000 --- a/changes/geoip-january2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-january2017 b/changes/geoip-january2017 deleted file mode 100644 index de1a4cbe2..000000000 --- a/changes/geoip-january2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-july2015 b/changes/geoip-july2015 deleted file mode 100644 index 381c2df23..000000000 --- a/changes/geoip-july2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the July 8 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-july2016 b/changes/geoip-july2016 deleted file mode 100644 index d9963bd6a..000000000 --- a/changes/geoip-july2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-jun2016 b/changes/geoip-jun2016 deleted file mode 100644 index 8d308f6f7..000000000 --- a/changes/geoip-jun2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-june2015 b/changes/geoip-june2015 deleted file mode 100644 index 9d6cd3658..000000000 --- a/changes/geoip-june2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-march2016 b/changes/geoip-march2016 deleted file mode 100644 index d7b1bd42f..000000000 --- a/changes/geoip-march2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-may2016 b/changes/geoip-may2016 deleted file mode 100644 index 3fd42dce2..000000000 --- a/changes/geoip-may2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-november2016 b/changes/geoip-november2016 deleted file mode 100644 index 5190ed66f..000000000 --- a/changes/geoip-november2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-october2015 b/changes/geoip-october2015 deleted file mode 100644 index f20febec5..000000000 --- a/changes/geoip-october2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-october2016 b/changes/geoip-october2016 deleted file mode 100644 index fff9a1eeb..000000000 --- a/changes/geoip-october2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-september2015 b/changes/geoip-september2015 deleted file mode 100644 index a4f99efaa..000000000 --- a/changes/geoip-september2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-september2016 b/changes/geoip-september2016 deleted file mode 100644 index a14c7c699..000000000 --- a/changes/geoip-september2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip6-april2015 b/changes/geoip6-april2015 deleted file mode 100644 index 241c9119b..000000000 --- a/changes/geoip6-april2015 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features: - - Update geoip6 to the April 8 2015 Maxmind GeoLite2 Country database. diff --git a/changes/geoip6-june2015 b/changes/geoip6-june2015 deleted file mode 100644 index 527dbff53..000000000 --- a/changes/geoip6-june2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/rsa_init_bug b/changes/rsa_init_bug deleted file mode 100644 index 6b5fb4f2f..000000000 --- a/changes/rsa_init_bug +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (key management): - - If OpenSSL fails to generate an RSA key, do not retain a dangling pointer - to the previous (uninitialized) key value. The impact here should be - limited to a difficult-to-trigger crash, if OpenSSL is running an - engine that makes key generation failures possible, or if OpenSSL runs - out of memory. Fixes bug 19152; bugfix on 0.2.1.10-alpha. Found by - Yuan Jochen Kang, Suman Jana, and Baishakhi Ray. diff --git a/changes/trove-2017-001.2 b/changes/trove-2017-001.2 deleted file mode 100644 index 3ef073cf9..000000000 --- a/changes/trove-2017-001.2 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (parsing): - - Fix an integer underflow bug when comparing malformed Tor versions. - This bug is harmless, except when Tor has been built with - --enable-expensive-hardening, which would turn it into a crash; - or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with - -ftrapv by default. - Part of TROVE-2017-001. Fixes bug 21278; bugfix on - 0.0.8pre1. Found by OSS-Fuzz.