Begin an 0.2.5.13 changelog
To build this changelog, I've gone through the entries in release-0.2.5's changes subdirectory, and looked up the ChangeLog entry for each. I have not sorted them yet.
parent
a8a1e7e8da
commit
7b1762481b
124
ChangeLog
|
@ -1,3 +1,127 @@
|
||||||
|
Changes in version 0.2.5.13 - 2017-03-??
|
||||||
|
Tor 0.2.5.13 backports a number of security fixes from later Tor
|
||||||
|
releases. Anybody running Tor 0.2.5.13 or earlier should upgrade to
|
||||||
|
this release, if for some reason they cannot upgrade to a later
|
||||||
|
release series.
|
||||||
|
|
||||||
|
Note that support for Tor 0.2.5.x is ending next year: we will not issue
|
||||||
|
any fixes for the Tor 0.2.5.x series after 1 August 2018. If you need
|
||||||
|
a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
|
||||||
|
|
||||||
|
o Directory authority changes (backport from 0.2.8.5-rc):
|
||||||
|
- Urras is no longer a directory authority. Closes ticket 19271.
|
||||||
|
|
||||||
|
o Directory authority changes (backport from 0.2.9.2-alpha):
|
||||||
|
- The "Tonga" bridge authority has been retired; the new bridge
|
||||||
|
authority is "Bifroest". Closes tickets 19728 and 19690.
|
||||||
|
|
||||||
|
o Directory authority key updates (backport from 0.2.8.1-alpha):
|
||||||
|
- Update the V3 identity key for the dannenberg directory authority:
|
||||||
|
it was changed on 18 November 2015. Closes task 17906. Patch
|
||||||
|
by "teor".
|
||||||
|
|
||||||
|
o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
|
||||||
|
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
|
||||||
|
a client authorized hidden service. Fixes bug 15823; bugfix
|
||||||
|
on 0.2.1.6-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
|
||||||
|
- Avoid crashing when running as a DNS proxy. Fixes bug 16248;
|
||||||
|
bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
|
||||||
|
|
||||||
|
o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
|
||||||
|
- Make Tor survive errors involving connections without a
|
||||||
|
corresponding event object. Previously we'd fail with an
|
||||||
|
assertion; now we produce a log message. Related to bug 16248.
|
||||||
|
|
||||||
|
o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha):
|
||||||
|
- Check for failures from crypto_early_init, and refuse to continue.
|
||||||
|
A previous typo meant that we could keep going with an
|
||||||
|
uninitialized crypto library, and would have OpenSSL initialize
|
||||||
|
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
|
||||||
|
when implementing ticket 4900. Patch by "teor".
|
||||||
|
|
||||||
|
o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
|
||||||
|
- Fix an error that could cause us to read 4 bytes before the
|
||||||
|
beginning of an openssl string. This bug could be used to cause
|
||||||
|
Tor to crash on systems with unusual malloc implementations, or
|
||||||
|
systems with unusual hardening installed. Fixes bug 17404; bugfix
|
||||||
|
on 0.2.3.6-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (guard selection, backport from 0.2.7.6):
|
||||||
|
- Actually look at the Guard flag when selecting a new directory
|
||||||
|
guard. When we implemented the directory guard design, we
|
||||||
|
accidentally started treating all relays as if they have the Guard
|
||||||
|
flag during guard selection, leading to weaker anonymity and worse
|
||||||
|
performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
|
||||||
|
by Mohsen Imani.
|
||||||
|
|
||||||
|
o Minor bugfixes (compilation, backport from 0.2.7.6)
|
||||||
|
- Fix a compilation warning with Clang 3.6: Do not check the
|
||||||
|
presence of an address which can never be NULL. Fixes bug 17781.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
|
||||||
|
- Make memwipe() do nothing when passed a NULL pointer or buffer of
|
||||||
|
zero size. Check size argument to memwipe() for underflow. Fixes
|
||||||
|
bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
|
||||||
|
patch by "teor".
|
||||||
|
|
||||||
|
o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
|
||||||
|
- Avoid a difficult-to-trigger heap corruption attack when extending
|
||||||
|
a smartlist to contain over 16GB of pointers. Fixes bug 18162;
|
||||||
|
bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
|
||||||
|
Reported by Guido Vranken.
|
||||||
|
|
||||||
|
o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
|
||||||
|
- Stop a crash that could occur when a client running with DNSPort
|
||||||
|
received a query with multiple address types, and the first
|
||||||
|
address type was not supported. Found and fixed by Scott Dial.
|
||||||
|
Fixes bug 18710; bugfix on 0.2.5.4-alpha.
|
||||||
|
|
||||||
|
o Major features (security fixes, backport from 0.2.9.4-alpha):
|
||||||
|
- Prevent a class of security bugs caused by treating the contents
|
||||||
|
of a buffer chunk as if they were a NUL-terminated string. At
|
||||||
|
least one such bug seems to be present in all currently used
|
||||||
|
versions of Tor, and would allow an attacker to remotely crash
|
||||||
|
most Tor instances, especially those compiled with extra compiler
|
||||||
|
hardening. With this defense in place, such bugs can't crash Tor,
|
||||||
|
though we should still fix them as they occur. Closes ticket
|
||||||
|
20384 (TROVE-2016-10-001).
|
||||||
|
|
||||||
|
o Major bugfixes (parsing, security, backport from 0.2.9.8):
|
||||||
|
- Fix a bug in parsing that could cause clients to read a single
|
||||||
|
byte past the end of an allocated region. This bug could be used
|
||||||
|
to cause hardened clients (built with --enable-expensive-hardening)
|
||||||
|
to crash if they tried to visit a hostile hidden service. Non-
|
||||||
|
hardened clients are only affected depending on the details of
|
||||||
|
their platform's memory allocator. Fixes bug 21018; bugfix on
|
||||||
|
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
|
||||||
|
2016-12-002 and as CVE-2016-1254.
|
||||||
|
|
||||||
|
o Major bugfixes (key management, backport from 0.2.8.3-alpha):
|
||||||
|
- If OpenSSL fails to generate an RSA key, do not retain a dangling
|
||||||
|
pointer to the previous (uninitialized) key value. The impact here
|
||||||
|
should be limited to a difficult-to-trigger crash, if OpenSSL is
|
||||||
|
running an engine that makes key generation failures possible, or
|
||||||
|
if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
|
||||||
|
0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
|
||||||
|
Baishakhi Ray.
|
||||||
|
|
||||||
|
o Major bugfixes (parsing, also in 0.3.0.4-rc):
|
||||||
|
- Fix an integer underflow bug when comparing malformed Tor versions.
|
||||||
|
This bug is harmless, except when Tor has been built with
|
||||||
|
--enable-expensive-hardening, which would turn it into a crash;
|
||||||
|
or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with
|
||||||
|
-ftrapv by default.
|
||||||
|
Part of TROVE-2017-001. Fixes bug 21278; bugfix on
|
||||||
|
0.0.8pre1. Found by OSS-Fuzz.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.2.5.12 - 2015-04-06
|
Changes in version 0.2.5.12 - 2015-04-06
|
||||||
Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
|
Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
|
||||||
could be used by an attacker to crash hidden services, or crash clients
|
could be used by an attacker to crash hidden services, or crash clients
|
||||||
|
|
|
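Review bot: The release blurb at the top of the new section says "Anybody running Tor 0.2.5.13 or earlier should upgrade to this release", but this release is 0.2.5.13, so the sentence should name 0.2.5.12 as the last affected version. Two smaller points in the same hunk: the header "Minor bugfixes (compilation, backport from 0.2.7.6)" lacks the trailing colon that every other section header has, and the date is still the placeholder "2017-03-??", which needs filling in before the release is tagged.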
@ -1,2 +0,0 @@
|
||||||
o Directory authority changes:
|
|
||||||
- Urras is no longer a directory authority. Closes ticket 19271.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Directory authority changes (also in 0.2.8.7):
|
|
||||||
- The "Tonga" bridge authority has been retired; the new bridge
|
|
||||||
authority is "Bifroest". Closes tickets 19728 and 19690.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (DoS-resistance):
|
|
||||||
- Make it harder for attackers to overwhelm hidden services with
|
|
||||||
introductions, by blocking multiple introduction requests on the
|
|
||||||
same circuit. Resolves ticket #15515.
|
|
|
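Review bot: Ticket 15515 (the DoS-resistance entry deleted here) has no counterpart in the new 0.2.5.13 section, so its text survives only if it already appears under an earlier release in ChangeLog. The same applies to the two deletions that follow (bugs 15600 and 15601); they look like the two fixes the 0.2.5.12 summary refers to, but all three should be confirmed against the 0.2.5.12 entries before the files are removed.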
@ -1,5 +0,0 @@
|
||||||
o Major bugfixes (security, hidden service):
|
|
||||||
- Fix an issue that would allow a malicious client to trigger
|
|
||||||
an assertion failure and halt a hidden service. Fixes
|
|
||||||
bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy".
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Major bugfixes (security, hidden service):
|
|
||||||
- Fix a bug that could cause a client to crash with an assertion
|
|
||||||
failure when parsing a malformed hidden service descriptor.
|
|
||||||
Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnCha".
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (hidden service):
|
|
||||||
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
|
|
||||||
on a client authorized hidden service. Fixes bug 15823; bugfix
|
|
||||||
on 0.2.1.6-alpha.
|
|
|
@ -1,8 +0,0 @@
|
||||||
o Major bugfixes (dns proxy mode, crash):
|
|
||||||
- Avoid crashing when running as a DNS proxy. Closes bug 16248; bugfix on
|
|
||||||
0.2.0.1-alpha. Patch from 'cypherpunks'.
|
|
||||||
|
|
||||||
o Minor features (bug-resistance):
|
|
||||||
- Make Tor survive errors involving connections without a corresponding
|
|
||||||
event object. Previously we'd fail with an assertion; now we produce a
|
|
||||||
log message. Related to bug 16248.
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Minor bugfixes (crypto error-handling):
|
|
||||||
- If crypto_early_init fails, a typo in a return value from tor_init
|
|
||||||
means that tor_main continues running, rather than returning
|
|
||||||
an error value.
|
|
||||||
Fixes bug 16360; bugfix on d3fb846d8c98 in 0.2.5.2-alpha,
|
|
||||||
introduced when implementing #4900.
|
|
||||||
Patch by "teor".
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Major bugfixes (security, correctness):
|
|
||||||
- Fix a programming error that could cause us to read 4 bytes before
|
|
||||||
the beginning of an openssl string. This could be used to provoke
|
|
||||||
a crash on systems with an unusual malloc implementation, or
|
|
||||||
systems with unsual hardening installed. Fixes bug 17404; bugfix
|
|
||||||
on 0.2.3.6-alpha.
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Major bugfixes (guard selection):
|
|
||||||
- Actually look at the Guard flag when selecting a new directory
|
|
||||||
guard. When we implemented the directory guard design, we
|
|
||||||
accidentally started treating all relays as if they have the Guard
|
|
||||||
flag during guard selection, leading to weaker anonymity and worse
|
|
||||||
performance. Fixes bug 17222; bugfix on 0.2.4.8-alpha. Discovered
|
|
||||||
by Mohsen Imani.
|
|
|
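Review bot: The bug number here does not match the ChangeLog: this file says "Fixes bug 17222", while the new ChangeLog entry for the same guard-selection fix says "Fixes bug 17772". One of the two is a typo; check the ticket and make sure the ChangeLog carries the right number, since this file is being deleted and will no longer be available for comparison.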
@ -1,3 +0,0 @@
|
||||||
o Compilation fixes:
|
|
||||||
- Fix a compilation warning with Clang 3.6: Do not check the
|
|
||||||
presence of an address which can never be NULL. Fixes bug 17781.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (authorities):
|
|
||||||
- Update the V3 identity key for dannenberg, it was changed on
|
|
||||||
18 November 2015.
|
|
||||||
Closes task #17906. Patch by "teor".
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor fixes (security):
|
|
||||||
- Make memwipe() do nothing when passed a NULL pointer
|
|
||||||
or zero size. Check size argument to memwipe() for underflow.
|
|
||||||
Closes bug #18089. Reported by "gk", patch by "teor".
|
|
||||||
Bugfix on 0.2.3.25 and 0.2.4.6-alpha (#7352),
|
|
||||||
commit 49dd5ef3 on 7 Nov 2012.
|
|
|
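Review bot: This file is headed "Minor fixes (security)", but the ChangeLog entry built from it sits under "Minor features (security, memory erasure, backport from 0.2.8.1-alpha)" while still reading "Fixes bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha". An entry worded as a bugfix fits better under a "Minor bugfixes" header; if the "features" classification is deliberate, consider saying so when the entries are sorted.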
@ -1,7 +0,0 @@
|
||||||
o Major bugfixes (security, pointers):
|
|
||||||
|
|
||||||
- Avoid a difficult-to-trigger heap corruption attack when extending
|
|
||||||
a smartlist to contain over 16GB of pointers. Fixes bug #18162;
|
|
||||||
bugfix on Tor 0.1.1.11-alpha, which fixed a related bug
|
|
||||||
incompletely. Reported by Guido Vranken.
|
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Major bugfixes (DNS proxy):
|
|
||||||
- Stop a crash that could occur when a client running with DNSPort
|
|
||||||
received a query with multiple address types, where the first
|
|
||||||
address type was not supported. Found and fixed by Scott Dial.
|
|
||||||
Fixes bug 18710; bugfix on 0.2.5.4-alpha.
|
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
o Major features (security fixes):
|
|
||||||
- Prevent a class of security bugs caused by treating the contents
|
|
||||||
of a buffer chunk as if they were a NUL-terminated string. At
|
|
||||||
least one such bug seems to be present in all currently used
|
|
||||||
versions of Tor, and would allow an attacker to remotely crash
|
|
||||||
most Tor instances, especially those compiled with extra compiler
|
|
||||||
hardening. With this defense in place, such bugs can't crash Tor,
|
|
||||||
though we should still fix them as they occur. Closes ticket
|
|
||||||
20384 (TROVE-2016-10-001).
|
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
o Major bugfixes (parsing, security):
|
|
||||||
|
|
||||||
- Fix a bug in parsing that could cause clients to read a single
|
|
||||||
byte past the end of an allocated region. This bug could be
|
|
||||||
used to cause hardened clients (built with
|
|
||||||
--enable-expensive-hardening) to crash if they tried to visit
|
|
||||||
a hostile hidden service. Non-hardened clients are only
|
|
||||||
affected depending on the details of their platform's memory
|
|
||||||
allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by
|
|
||||||
using libFuzzer. Also tracked as TROVE-2016-12-002 and as
|
|
||||||
CVE-2016-1254.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the April 5 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the February 2 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the July 8 2015 Maxmind GeoLite2 Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2 Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2 Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,2 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip6 to the April 8 2015 Maxmind GeoLite2 Country database.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor features:
|
|
||||||
- Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Major bugfixes (key management):
|
|
||||||
- If OpenSSL fails to generate an RSA key, do not retain a dangling pointer
|
|
||||||
to the previous (uninitialized) key value. The impact here should be
|
|
||||||
limited to a difficult-to-trigger crash, if OpenSSL is running an
|
|
||||||
engine that makes key generation failures possible, or if OpenSSL runs
|
|
||||||
out of memory. Fixes bug 19152; bugfix on 0.2.1.10-alpha. Found by
|
|
||||||
Yuan Jochen Kang, Suman Jana, and Baishakhi Ray.
|
|
|
@ -1,8 +0,0 @@
|
||||||
o Major bugfixes (parsing):
|
|
||||||
- Fix an integer underflow bug when comparing malformed Tor versions.
|
|
||||||
This bug is harmless, except when Tor has been built with
|
|
||||||
--enable-expensive-hardening, which would turn it into a crash;
|
|
||||||
or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with
|
|
||||||
-ftrapv by default.
|
|
||||||
Part of TROVE-2017-001. Fixes bug 21278; bugfix on
|
|
||||||
0.0.8pre1. Found by OSS-Fuzz.
|
|