changelog for 0.2.5.16
This commit is contained in:
parent
4902cfcf19
commit
b97fb313a9
45
ChangeLog
45
ChangeLog
|
@ -1,3 +1,48 @@
|
||||||
|
Changes in version 0.2.5.16 - 2017-12-01
|
||||||
|
Tor 0.2.5.13 backports important security and stability bugfixes from
|
||||||
|
later Tor releases. All Tor users should upgrade to this release, or
|
||||||
|
to another of the releases coming out today.
|
||||||
|
|
||||||
|
Note: the Tor 0.2.5 series will no longer be supported after 1 May
|
||||||
|
2018. If you need a release with long-term support, please upgrade to
|
||||||
|
the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
|
||||||
|
|
||||||
|
o Major bugfixes (security, backport from 0.3.2.6-alpha):
|
||||||
|
- Fix a denial of service bug where an attacker could use a
|
||||||
|
malformed directory object to cause a Tor instance to pause while
|
||||||
|
OpenSSL would try to read a passphrase from the terminal. (Tor
|
||||||
|
instances run without a terminal, which is the case for most Tor
|
||||||
|
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
||||||
|
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
||||||
|
Found by OSS-Fuzz as testcase 6360145429790720.
|
||||||
|
- When checking for replays in the INTRODUCE1 cell data for a
|
||||||
|
(legacy) onion service, correctly detect replays in the RSA-
|
||||||
|
encrypted part of the cell. We were previously checking for
|
||||||
|
replays on the entire cell, but those can be circumvented due to
|
||||||
|
the malleability of Tor's legacy hybrid encryption. This fix helps
|
||||||
|
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
||||||
|
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
||||||
|
and CVE-2017-8819.
|
||||||
|
|
||||||
|
o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
|
||||||
|
- When running as a relay, make sure that we never build a path
|
||||||
|
through ourselves, even in the case where we have somehow lost the
|
||||||
|
version of our descriptor appearing in the consensus. Fixes part
|
||||||
|
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
||||||
|
as TROVE-2017-012 and CVE-2017-8822.
|
||||||
|
|
||||||
|
o Minor features (bridge, backport from 0.3.1.9):
|
||||||
|
- Bridges now include notice in their descriptors that they are
|
||||||
|
bridges, and notice of their distribution status, based on their
|
||||||
|
publication settings. Implements ticket 18329. For more fine-
|
||||||
|
grained control of how a bridge is distributed, upgrade to 0.3.2.x
|
||||||
|
or later.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.2.5.15 - 2017-10-25
|
Changes in version 0.2.5.15 - 2017-10-25
|
||||||
Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
|
Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
|
||||||
series. It also adds a new directory authority, Bastet.
|
series. It also adds a new directory authority, Bastet.
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor features (bridge):
|
|
||||||
- Bridges now include notice in their descriptors that they are bridges,
|
|
||||||
and notice of their distribution status, based on their publication
|
|
||||||
settings. Implements ticket 18329. For more fine-grained control of
|
|
||||||
how a bridge is distributed, upgrade to 0.3.2.x or later.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (geoip):
|
|
||||||
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,10 +0,0 @@
|
||||||
o Major bugfixes (security):
|
|
||||||
- When checking for replays in the INTRODUCE1 cell data for a (legacy)
|
|
||||||
hiddden service, correctly detect replays in the RSA-encrypted part of
|
|
||||||
the cell. We were previously checking for replays on the entire cell,
|
|
||||||
but those can be circumvented due to the malleability of Tor's legacy
|
|
||||||
hybrid encryption. This fix helps prevent a traffic confirmation
|
|
||||||
attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also
|
|
||||||
tracked as TROVE-2017-009 and CVE-2017-8819.
|
|
||||||
|
|
||||||
|
|
|
@ -1,8 +0,0 @@
|
||||||
o Major bugfixes (security):
|
|
||||||
- Fix a denial of service bug where an attacker could use a malformed
|
|
||||||
directory object to cause a Tor instance to pause while OpenSSL would
|
|
||||||
try to read a passphrase from the terminal. (If the terminal was not
|
|
||||||
available, tor would continue running.) Fixes bug 24246; bugfix on
|
|
||||||
every version of Tor. Also tracked as TROVE-2017-011 and
|
|
||||||
CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720.
|
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Major bugfixes (security, relay):
|
|
||||||
- When running as a relay, make sure that we never build a path through
|
|
||||||
ourselves, even in the case where we have somehow lost the version of
|
|
||||||
our descriptor appearing in the consensus. Fixes part of bug 21534;
|
|
||||||
bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
|
|
||||||
and CVE-2017-8822.
|
|
Loading…
Reference in New Issue