From e25e980285a80231956dba6d3c89a25c27fdf94f Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 18 Sep 2017 09:57:45 -0400 Subject: [PATCH] Finish changelog for 0.2.8.15 --- ChangeLog | 13 ++++++++++- ReleaseNotes | 50 ++++++++++++++++++++++++++++++++++++++++++ changes/trove-2017-008 | 5 ----- 3 files changed, 62 insertions(+), 6 deletions(-) delete mode 100644 changes/trove-2017-008 diff --git a/ChangeLog b/ChangeLog index 602069f5f..28303c082 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,16 @@ Changes in version 0.2.8.15 - 2017-09-18 - BLURB + Tor 0.2.8.15 backports a collection of bugfixes from later + Tor series. + + Most significantly, it includes a fix for TROVE-2017-008, a + security bug that affects hidden services running with the + SafeLogging option disabled. For more information, see + https://trac.torproject.org/projects/tor/ticket/23490 + + Note that Tor 0.2.8.x will no longer be supported after 1 Jan + 2018. We suggest that you upgrade to the latest stable release if + possible. If you can't, we recommend that you upgrade at least to + 0.2.9, which will be supported until 2020. o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): - Avoid an assertion failure bug affecting our implementation of diff --git a/ReleaseNotes b/ReleaseNotes index 9353cd086..2d67f5b89 100644 --- a/ReleaseNotes +++ b/ReleaseNotes 
@@ -2,6 +2,56 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.8.15 - 2017-09-18 + Tor 0.2.8.15 backports a collection of bugfixes from later + Tor series. + + Most significantly, it includes a fix for TROVE-2017-008, a + security bug that affects hidden services running with the + SafeLogging option disabled. For more information, see + https://trac.torproject.org/projects/tor/ticket/23490 + + Note that Tor 0.2.8.x will no longer be supported after 1 Jan + 2018. We suggest that you upgrade to the latest stable release if + possible. If you can't, we recommend that you upgrade at least to + 0.2.9, which will be supported until 2020. + + o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): + - Avoid an assertion failure bug affecting our implementation of + inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() + handling of "0xx" differs from what we had expected. Fixes bug + 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. + + o Minor features: + - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha): + - Backport a fix for an "unused variable" warning that appeared + in some versions of mingw. Fixes bug 22838; bugfix on + 0.2.8.1-alpha. + + o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha): + - Fix a memset() off the end of an array when packing cells. This + bug should be harmless in practice, since the corrupted bytes are + still in the same structure, and are always padding bytes, + ignored, or immediately overwritten, depending on compiler + behavior. Nevertheless, because the memset()'s purpose is to make + sure that any other cell-handling bugs can't expose bytes to the + network, we need to fix it. 
Fixes bug 22737; bugfix on + 0.2.4.11-alpha. Fixes CID 1401591. + + o Build features (backport from 0.3.1.5-alpha): + - Tor's repository now includes a Travis Continuous Integration (CI) + configuration file (.travis.yml). This is meant to help new + developers and contributors who fork Tor to a Github repository be + better able to test their changes, and understand what we expect + to pass. To use this new build feature, you must fork Tor to your + Github account, then go into the "Integrations" menu in the + repository settings for your fork and enable Travis, then push + your changes. Closes ticket 22636. + + Changes in version 0.2.8.14 - 2017-06-08 Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone diff --git a/changes/trove-2017-008 b/changes/trove-2017-008 deleted file mode 100644 index 4b9c5b0a1..000000000 --- a/changes/trove-2017-008 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (security, hidden services, loggging): - - Fix a bug where we could log uninitialized stack when a certain - hidden service error occurred while SafeLogging was disabled. - Fixes bug #23490; bugfix on 0.2.7.2-alpha. - This is also tracked as TROVE-2017-008 and CVE-2017-0380.
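Review bot: In the ChangeLog hunk, the new blurb identifies the security fix only as TROVE-2017-008 and never gives the CVE id or says what the bug does. The deleted changes/trove-2017-008 file carries both ("log uninitialized stack when a certain hidden service error occurred while SafeLogging was disabled", "CVE-2017-0380"). Operators who triage by CVE id will not match this release from the blurb alone, so consider adding "(CVE-2017-0380)" after TROVE-2017-008 and a short clause on the impact. This applies equally to the identical blurb in ReleaseNotes.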
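Review bot: In the ReleaseNotes hunk, the blurb for 0.2.8.15 calls the TROVE-2017-008 fix the most significant change, but the itemized list that follows has no entry for it. The added sections are "Major bugfixes (openbsd, denial-of-service, ...)", "Minor features", two "Minor bugfixes" groups and "Build features". Add the "Major bugfixes (security, hidden services, logging)" item from changes/trove-2017-008 to this list, including "Fixes bug #23490; bugfix on 0.2.7.2-alpha", so readers can tell from the release notes which versions introduced the bug.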
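Review bot: The deletion of changes/trove-2017-008 removes the only text in this patch that describes the fix, its affected-since version (0.2.7.2-alpha) and CVE-2017-0380, while the ChangeLog hunk adds nothing but the blurb. Please confirm that the entry was already folded into the ChangeLog body by an earlier commit; if not, it is lost with this change. Wherever the text was carried over, the section header's "loggging" should be corrected to "logging".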