some changelog entries for master too

2011-01-15 20:59:25 -05:00 · 2011-01-15 20:59:25 -05:00 · 8e9b25e6c7
parent 6a6e3adf01
commit 8e9b25e6c7
1 changed files with 241 additions and 0 deletions
--- a/241
+++ b/241
@ -1,3 +1,169 @@
+Changes in version 0.2.2.21-alpha - 2011-01-15
+  Tor 0.2.2.21-alpha includes all the patches from Tor 0.2.1.29, which
+  continues our recent code security audit work. The main fix resolves
+  a remote heap overflow vulnerability that can allow remote code
+  execution (CVE-2011-0427). Other fixes address a variety of assert
+  and crash bugs, most of which we think are hard to exploit remotely.
+
+  o Major bugfixes (security), also included in 0.2.1.29:
+    - Fix a heap overflow bug where an adversary could cause heap
+      corruption. This bug probably allows remote code execution
+      attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
+      0.1.2.10-rc.
+    - Prevent a denial-of-service attack by disallowing any
+      zlib-compressed data whose compression factor is implausibly
+      high. Fixes part of bug 2324; reported by "doorss".
+    - Zero out a few more keys in memory before freeing them. Fixes
+      bug 2384 and part of bug 2385. These key instances found by
+      "cypherpunks", based on Andrew Case's report about being able
+      to find sensitive data in Tor's memory space if you have enough
+      permissions. Bugfix on 0.0.2pre9.
+
+  o Major bugfixes (crashes), also included in 0.2.1.29:
+    - Prevent calls to Libevent from inside Libevent log handlers.
+      This had potential to cause a nasty set of crashes, especially
+      if running Libevent with debug logging enabled, and running
+      Tor with a controller watching for low-severity log messages.
+      Bugfix on 0.1.0.2-rc. Fixes bug 2190.
+    - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
+      underflow errors there too. Fixes the other part of bug 2324.
+    - Fix a bug where we would assert if we ever had a
+      cached-descriptors.new file (or another file read directly into
+      memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
+      on 0.2.1.25. Found by doorss.
+    - Fix some potential asserts and parsing issues with grossly
+      malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
+      Found by doorss.
+
+  o Minor bugfixes (other), also included in 0.2.1.29:
+    - Fix a bug with handling misformed replies to reverse DNS lookup
+      requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
+      bug reported by doorss.
+    - Fix compilation on mingw when a pthreads compatibility library
+      has been installed. (We don't want to use it, so we shouldn't
+      be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
+    - Fix a bug where we would declare that we had run out of virtual
+      addresses when the address space was only half-exhausted. Bugfix
+      on 0.1.2.1-alpha.
+    - Correctly handle the case where AutomapHostsOnResolve is set but
+      no virtual addresses are available. Fixes bug 2328; bugfix on
+      0.1.2.1-alpha. Bug found by doorss.
+    - Correctly handle wrapping around to when we run out of virtual
+      address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
+    - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
+      because we built it with a too-old version of automake. Thus that
+      release broke ./configure --enable-openbsd-malloc, which is popular
+      among really fast exit relays on Linux.
+
+  o Minor features, also included in 0.2.1.29:
+    - Update to the January 1 2011 Maxmind GeoLite Country database.
+    - Introduce output size checks on all of our decryption functions.
+
+  o Build changes, also included in 0.2.1.29:
+    - Tor does not build packages correctly with Automake 1.6 and earlier;
+      added a check to Makefile.am to make sure that we're building with
+      Automake 1.7 or later.
+
+  o Minor features, new in 0.2.2.21-alpha:
+    - Make sure to disable DirPort if running as a bridge. DirPorts aren't
+      used on bridges, and it makes bridge scanning somewhat easier.
+    - If writing the state file to disk fails, wait up to an hour before
+      retrying again, rather than trying again each second. Fixes bug
+      2346; bugfix on Tor 0.1.1.3-alpha.
+    - Make Libevent log messages get delivered to controllers later,
+      and not from inside the Libevent log handler. This prevents unsafe
+      reentrant Libevent calls while still letting the log messages
+      get through.
+    - Detect platforms that brokenly use a signed size_t, and refuse to
+      build there. Found and analyzed by doorss and rransom.
+    - Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
+      Resolves bug 2314.
+
+  o Minor bugfixes, new in 0.2.2.21-alpha:
+    - Handle SOCKS messages longer than 128 bytes long correctly, rather
+      than waiting forever for them to finish. Fixes bug 2330; bugfix
+      on 0.2.0.16-alpha. Found by doorss.
+    - Add assertions to check for overflow in arguments to
+      base32_encode() and base32_decode(); fix a signed-unsigned
+      comparison there too. These bugs are not actually reachable in Tor,
+      but it's good to prevent future errors too. Found by doorss.
+    - Correctly detect failures to create DNS requests when using Libevent
+      versions before v2. (Before Libevent 2, we used our own evdns
+      implementation. Its return values for Libevent's evdns_resolve_*()
+      functions are not consistent with those from Libevent.) Fixes bug
+      2363; bugfix on 0.2.2.6-alpha. Found by "lodger".
+
+  o Documentation, new in 0.2.2.21-alpha:
+    - Document the default socks host and port (127.0.0.1:9050) for
+      tor-resolve.
+
+
+Changes in version 0.2.1.29 - 2011-01-15
+  Tor 0.2.1.29 continues our recent code security audit work. The main
+  fix resolves a remote heap overflow vulnerability that can allow remote
+  code execution. Other fixes address a variety of assert and crash bugs,
+  most of which we think are hard to exploit remotely.
+
+  o Major bugfixes (security):
+    - Fix a heap overflow bug where an adversary could cause heap
+      corruption. This bug probably allows remote code execution
+      attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
+      0.1.2.10-rc.
+    - Prevent a denial-of-service attack by disallowing any
+      zlib-compressed data whose compression factor is implausibly
+      high. Fixes part of bug 2324; reported by "doorss".
+    - Zero out a few more keys in memory before freeing them. Fixes
+      bug 2384 and part of bug 2385. These key instances found by
+      "cypherpunks", based on Andrew Case's report about being able
+      to find sensitive data in Tor's memory space if you have enough
+      permissions. Bugfix on 0.0.2pre9.
+
+  o Major bugfixes (crashes):
+    - Prevent calls to Libevent from inside Libevent log handlers.
+      This had potential to cause a nasty set of crashes, especially
+      if running Libevent with debug logging enabled, and running
+      Tor with a controller watching for low-severity log messages.
+      Bugfix on 0.1.0.2-rc. Fixes bug 2190.
+    - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
+      underflow errors there too. Fixes the other part of bug 2324.
+    - Fix a bug where we would assert if we ever had a
+      cached-descriptors.new file (or another file read directly into
+      memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
+      on 0.2.1.25. Found by doorss.
+    - Fix some potential asserts and parsing issues with grossly
+      malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
+      Found by doorss.
+
+  o Minor bugfixes (other):
+    - Fix a bug with handling misformed replies to reverse DNS lookup
+      requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
+      bug reported by doorss.
+    - Fix compilation on mingw when a pthreads compatibility library
+      has been installed. (We don't want to use it, so we shouldn't
+      be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
+    - Fix a bug where we would declare that we had run out of virtual
+      addresses when the address space was only half-exhausted. Bugfix
+      on 0.1.2.1-alpha.
+    - Correctly handle the case where AutomapHostsOnResolve is set but
+      no virtual addresses are available. Fixes bug 2328; bugfix on
+      0.1.2.1-alpha. Bug found by doorss.
+    - Correctly handle wrapping around to when we run out of virtual
+      address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
+    - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
+      because we built it with a too-old version of automake. Thus that
+      release broke ./configure --enable-openbsd-malloc, which is popular
+      among really fast exit relays on Linux.
+
+  o Minor features:
+    - Update to the January 1 2011 Maxmind GeoLite Country database.
+    - Introduce output size checks on all of our decryption functions.
+
+  o Build changes:
+    - Tor does not build packages correctly with Automake 1.6 and earlier;
+      added a check to Makefile.am to make sure that we're building with
+      Automake 1.7 or later.
+
+
 Changes in version 0.2.2.20-alpha - 2010-12-17
  Tor 0.2.2.20-alpha does some code cleanup to reduce the risk of remotely
  exploitable bugs. We also fix a variety of other significant bugs,
@ -69,6 +235,81 @@ Changes in version 0.2.1.28 - 2010-12-17
    - Update to the December 1 2010 Maxmind GeoLite Country database.


+Changes in version 0.2.1.27 - 2010-11-23
+  Yet another OpenSSL security patch broke its compatibility with Tor:
+  Tor 0.2.1.27 makes relays work with openssl 0.9.8p and 1.0.0.b. We
+  also took this opportunity to fix several crash bugs, integrate a new
+  directory authority, and update the bundled GeoIP database.
+
+  o Major bugfixes:
+    - Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b:
+      No longer set the tlsext_host_name extension on server SSL objects;
+      but continue to set it on client SSL objects. Our goal in setting
+      it was to imitate a browser, not a vhosting server. Fixes bug 2204;
+      bugfix on 0.2.1.1-alpha.
+    - Do not log messages to the controller while shrinking buffer
+      freelists. Doing so would sometimes make the controller connection
+      try to allocate a buffer chunk, which would mess up the internals
+      of the freelist and cause an assertion failure. Fixes bug 1125;
+      fixed by Robert Ransom. Bugfix on 0.2.0.16-alpha.
+    - Learn our external IP address when we're a relay or bridge, even if
+      we set PublishServerDescriptor to 0. Bugfix on 0.2.0.3-alpha,
+      where we introduced bridge relays that don't need to publish to
+      be useful. Fixes bug 2050.
+    - Do even more to reject (and not just ignore) annotations on
+      router descriptors received anywhere but from the cache. Previously
+      we would ignore such annotations at first, but cache them to disk
+      anyway. Bugfix on 0.2.0.8-alpha. Found by piebeer.
+    - When you're using bridges and your network goes away and your
+      bridges get marked as down, recover when you attempt a new socks
+      connection (if the network is back), rather than waiting up to an
+      hour to try fetching new descriptors for your bridges. Bugfix on
+      0.2.0.3-alpha; fixes bug 1981.
+
+  o Major features:
+    - Move to the November 2010 Maxmind GeoLite country db (rather
+      than the June 2009 ip-to-country GeoIP db) for our statistics that
+      count how many users relays are seeing from each country. Now we'll
+      have more accurate data, especially for many African countries.
+
+  o New directory authorities:
+    - Set up maatuska (run by Linus Nordberg) as the eighth v3 directory
+      authority.
+
+  o Minor bugfixes:
+    - Fix an assertion failure that could occur in directory caches or
+      bridge users when using a very short voting interval on a testing
+      network. Diagnosed by Robert Hogan. Fixes bug 1141; bugfix on
+      0.2.0.8-alpha.
+    - Enforce multiplicity rules when parsing annotations. Bugfix on
+      0.2.0.8-alpha. Found by piebeer.
+    - Allow handshaking OR connections to take a full KeepalivePeriod
+      seconds to handshake. Previously, we would close them after
+      IDLE_OR_CONN_TIMEOUT (180) seconds, the same timeout as if they
+      were open. Bugfix on 0.2.1.26; fixes bug 1840. Thanks to mingw-san
+      for analysis help.
+    - When building with --enable-gcc-warnings on OpenBSD, disable
+      warnings in system headers. This makes --enable-gcc-warnings
+      pass on OpenBSD 4.8.
+
+  o Minor features:
+    - Exit nodes didn't recognize EHOSTUNREACH as a plausible error code,
+      and so sent back END_STREAM_REASON_MISC. Clients now recognize a new
+      stream ending reason for this case: END_STREAM_REASON_NOROUTE.
+      Servers can start sending this code when enough clients recognize
+      it. Bugfix on 0.1.0.1-rc; fixes part of bug 1793.
+    - Build correctly on mingw with more recent versions of OpenSSL 0.9.8.
+      Patch from mingw-san.
+
+  o Removed files:
+    - Remove the old debian/ directory from the main Tor distribution.
+      The official Tor-for-debian git repository lives at the URL
+      https://git.torproject.org/debian/tor.git
+    - Stop shipping the old doc/website/ directory in the tarball. We
+      changed the website format in late 2010, and what we shipped in
+      0.2.1.26 really wasn't that useful anyway.
+
+
 Changes in version 0.2.2.19-alpha - 2010-11-22
  Yet another OpenSSL security patch broke its compatibility with Tor:
  Tor 0.2.2.19-alpha makes relays work with OpenSSL 0.9.8p and 1.0.0.b.