From 9b024fb2810e08569d199e46f922245954477046 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 19 Dec 2016 08:26:15 -0500 Subject: [PATCH] 0.2.8.12 releasenotes --- ChangeLog | 33 +++++++++++++++++++++++++++++++++ ReleaseNotes | 23 +++++++++++++++++++---- changes/bug21018 | 11 ----------- changes/geoip-december2016 | 4 ---- changes/ticket20170-v3 | 5 ----- 5 files changed, 52 insertions(+), 24 deletions(-) delete mode 100644 changes/bug21018 delete mode 100644 changes/geoip-december2016 delete mode 100644 changes/ticket20170-v3 diff --git a/ChangeLog b/ChangeLog index a735f44dd..507e68ff9 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,36 @@ +Changes in version 0.2.8.12 - 2016-12-19 + Tor 0.2.8.12 backports a fix for a medium-severity issue (bug 21018 + below) where Tor clients could crash when attempting to visit a + hostile hidden service. Clients are recommended to upgrade as packages + become available for their systems. + + It also includes an updated list of fallback directories, backported + from 0.2.9. + + Now that the Tor 0.2.9 series is stable, only major bugfixes will be + backported to 0.2.8 in the future. + + o Major bugfixes (parsing, security, backported from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Minor features (fallback directory list, backported from 0.2.9.8): + - Replace the 81 remaining fallbacks of the 100 originally + introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177 + fallbacks (123 new, 54 existing, 27 removed) generated in December + 2016. Resolves ticket 20170. + + o Minor features (geoip, backported from 0.2.9.7-rc): + - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 + Country database. + + Changes in version 0.2.8.11 - 2016-12-08 Tor 0.2.8.11 backports fixes for additional portability issues that could prevent Tor from building correctly on OSX Sierra, or with diff --git a/ReleaseNotes b/ReleaseNotes index 163ef6796..7f51fe3c7 100644 --- a/ReleaseNotes +++ b/ReleaseNotes 
@@ -12,13 +12,28 @@ Changes in version 0.2.8.12 - 2016-12-19 It also includes an updated list of fallback directories, backported from 0.2.9. - With the release of Tor 0.2.9.8, the Tor 0.2.8 series is now - officially old: only major bugfixes will be backported to 0.2.8 in the - future. - + Now that the Tor 0.2.9 series is stable, only major bugfixes will be + backported to 0.2.8 in the future. + o Major bugfixes (parsing, security, backported from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + o Minor features (fallback directory list, backported from 0.2.9.8): + - Replace the 81 remaining fallbacks of the 100 originally + introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177 + fallbacks (123 new, 54 existing, 27 removed) generated in December + 2016. Resolves ticket 20170. + o Minor features (geoip, backported from 0.2.9.7-rc): + - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 + Country database. Changes in version 0.2.8.11 - 2016-12-08 diff --git a/changes/bug21018 b/changes/bug21018 deleted file mode 100644 index 49a8b47a2..000000000 --- a/changes/bug21018 +++ /dev/null 
@@ -1,11 +0,0 @@ - o Major bugfixes (parsing, security): - - - Fix a bug in parsing that could cause clients to read a single - byte past the end of an allocated region. This bug could be - used to cause hardened clients (built with - --enable-expensive-hardening) to crash if they tried to visit - a hostile hidden service. Non-hardened clients are only - affected depending on the details of their platform's memory - allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by - using libFuzzer. Also tracked as TROVE-2016-12-002 and as - CVE-2016-1254. diff --git a/changes/geoip-december2016 b/changes/geoip-december2016 deleted file mode 100644 index 60754ea21..000000000 --- a/changes/geoip-december2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/ticket20170-v3 b/changes/ticket20170-v3 deleted file mode 100644 index d634e7205..000000000 --- a/changes/ticket20170-v3 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (fallback directory list): - - Replace the 81 remaining fallbacks of the 100 originally introduced - in Tor 0.2.8.3-alpha in March 2016, with a list of 177 fallbacks - (123 new, 54 existing, 27 removed) generated in December 2016. - Resolves ticket 20170.
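Review bot: In the ChangeLog hunk, the "Major bugfixes (parsing, security, backported from 0.2.9.8)" entry has been re-wrapped so that two hyphenated tokens break at a line end: "Non-" / "hardened" and "TROVE-" / "2016-12-002". A search for TROVE-2016-12-002 in ChangeLog will therefore not match, which matters for an entry people look up by its tracking ID. The deleted changes/bug21018 kept both "Non-hardened" and "TROVE-2016-12-002" on one line. Suggest re-wrapping the paragraph so the identifier stays whole, as "CVE-2016-1254" already does.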
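Review bot: In the ReleaseNotes hunk, the sentence replacing "With the release of Tor 0.2.9.8, the Tor 0.2.8 series is now officially old" no longer names the release that triggered the backport policy. "Now that the Tor 0.2.9 series is stable" leaves a reader of the 0.2.8 notes to work out which version that refers to. Consider keeping the version in the new wording, for example "Now that the Tor 0.2.9 series is stable (as of 0.2.9.8), only major bugfixes will be backported to 0.2.8 in the future." The security entry added in this hunk also splits "TROVE-2016-12-002" across a line break after "TROVE-", which defeats searching ReleaseNotes for the identifier; re-wrap so it stays on one line.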