Compare commits
68 Commits
master
...
release-0.
Author | SHA1 | Date |
---|---|---|
Roger Dingledine | 7da1ae7adf | |
Roger Dingledine | 0b74f64275 | |
Nick Mathewson | 887bddb7e7 | |
Nick Mathewson | fbfc8e032f | |
Nick Mathewson | c30ac81d40 | |
Nick Mathewson | aea35fbb1b | |
Nick Mathewson | 03c7d9e992 | |
Nick Mathewson | 5eff44ca8e | |
Nick Mathewson | 67357ca9f3 | |
Roger Dingledine | e234c1cd23 | |
Roger Dingledine | abd34f1527 | |
Roger Dingledine | e740ac08c6 | |
Roger Dingledine | 4f699cd24a | |
Roger Dingledine | 484240c4b8 | |
Roger Dingledine | 6bb9bd17d0 | |
Roger Dingledine | 6097b8eefc | |
Roger Dingledine | 031d8fcdab | |
Roger Dingledine | 9f61d8a3b3 | |
Roger Dingledine | 9ac4ceb0d4 | |
Roger Dingledine | 7c29b6996e | |
Roger Dingledine | c55f586e36 | |
Roger Dingledine | 6ef2e30c72 | |
Roger Dingledine | f1c43a1e64 | |
Nick Mathewson | 189ba4c9a9 | |
Nick Mathewson | 4a3ef002e7 | |
Roger Dingledine | 109ba37d54 | |
Roger Dingledine | acc54d32b6 | |
Roger Dingledine | 2bd2c10fcb | |
Roger Dingledine | c783b828ca | |
Roger Dingledine | b36a837f08 | |
Roger Dingledine | 75953f9b60 | |
Roger Dingledine | 1855b4ebfd | |
Roger Dingledine | 62d660b1da | |
Roger Dingledine | feabf2eb6c | |
Roger Dingledine | f10ec55b25 | |
Roger Dingledine | 6168d2e975 | |
Roger Dingledine | f59cad68dc | |
Roger Dingledine | 95cd7f6f67 | |
Roger Dingledine | 026204088a | |
Roger Dingledine | 49cda713f8 | |
Roger Dingledine | a2fe17bae2 | |
Roger Dingledine | 41b60af271 | |
Roger Dingledine | 2cb9ed2cd3 | |
Roger Dingledine | 9be473b82f | |
Roger Dingledine | f90fcaff64 | |
Roger Dingledine | bcd788f33f | |
Roger Dingledine | 4262a36d99 | |
Roger Dingledine | 73a7028a11 | |
Roger Dingledine | 3936267fd9 | |
Roger Dingledine | f181067a09 | |
Roger Dingledine | 6b23a6aff7 | |
Roger Dingledine | 4170a11398 | |
Roger Dingledine | ba8a8ff935 | |
Roger Dingledine | df16e99718 | |
Roger Dingledine | 75bead1246 | |
Roger Dingledine | 924f7bf9a5 | |
Roger Dingledine | 16946d7e36 | |
Roger Dingledine | d05323c802 | |
Roger Dingledine | 076d2a0e11 | |
Roger Dingledine | 05319e4d59 | |
Roger Dingledine | 4c549fec8f | |
Roger Dingledine | a55b44dc00 | |
Roger Dingledine | 9a7db7abaa | |
Roger Dingledine | 32ca2bd0f5 | |
Roger Dingledine | 64d1b8364e | |
Roger Dingledine | 24c334e728 | |
Roger Dingledine | 77f30fb55b | |
Roger Dingledine | ba97ab4eb2 |
385
ChangeLog
385
ChangeLog
|
@ -1,3 +1,388 @@
|
|||
Changes in version 0.2.1.32 - 2011-12-16
|
||||
Tor 0.2.1.32 backports important security and privacy fixes for
|
||||
oldstable. This release is intended only for package maintainers and
|
||||
others who cannot use the 0.2.2 stable series. All others should be
|
||||
using Tor 0.2.2.x or newer.
|
||||
|
||||
The Tor 0.2.1.x series will reach formal end-of-life some time in
|
||||
early 2012; we will stop releasing patches for it then.
|
||||
|
||||
o Major bugfixes (also included in 0.2.2.x):
|
||||
- Correctly sanity-check that we don't underflow on a memory
|
||||
allocation (and then assert) for hidden service introduction
|
||||
point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
|
||||
bugfix on 0.2.1.5-alpha.
|
||||
- Fix a heap overflow bug that could occur when trying to pull
|
||||
data into the first chunk of a buffer, when that chunk had
|
||||
already had some data drained from it. Fixes CVE-2011-2778;
|
||||
bugfix on 0.2.0.16-alpha. Reported by "Vektor".
|
||||
|
||||
o Minor features:
|
||||
- Update to the December 6 2011 Maxmind GeoLite Country database.
|
||||
|
||||
|
||||
Changes in version 0.2.1.31 - 2011-10-26
|
||||
Tor 0.2.1.31 backports important security and privacy fixes for
|
||||
oldstable. This release is intended only for package maintainers and
|
||||
others who cannot use the 0.2.2 stable series. All others should be
|
||||
using Tor 0.2.2.x or newer.
|
||||
|
||||
o Security fixes (also included in 0.2.2.x):
|
||||
- Replace all potentially sensitive memory comparison operations
|
||||
with versions whose runtime does not depend on the data being
|
||||
compared. This will help resist a class of attacks where an
|
||||
adversary can use variations in timing information to learn
|
||||
sensitive data. Fix for one case of bug 3122. (Safe memcmp
|
||||
implementation by Robert Ransom based partially on code by DJB.)
|
||||
- Fix an assert in parsing router descriptors containing IPv6
|
||||
addresses. This one took down the directory authorities when
|
||||
somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
|
||||
|
||||
o Privacy/anonymity fixes (also included in 0.2.2.x):
|
||||
- Clients and bridges no longer send TLS certificate chains on
|
||||
outgoing OR connections. Previously, each client or bridge would
|
||||
use the same cert chain for all outgoing OR connections until
|
||||
its IP address changes, which allowed any relay that the client
|
||||
or bridge contacted to determine which entry guards it is using.
|
||||
Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
|
||||
- If a relay receives a CREATE_FAST cell on a TLS connection, it
|
||||
no longer considers that connection as suitable for satisfying a
|
||||
circuit EXTEND request. Now relays can protect clients from the
|
||||
CVE-2011-2768 issue even if the clients haven't upgraded yet.
|
||||
- Bridges now refuse CREATE or CREATE_FAST cells on OR connections
|
||||
that they initiated. Relays could distinguish incoming bridge
|
||||
connections from client connections, creating another avenue for
|
||||
enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
|
||||
Found by "frosty_un".
|
||||
- When receiving a hidden service descriptor, check that it is for
|
||||
the hidden service we wanted. Previously, Tor would store any
|
||||
hidden service descriptors that a directory gave it, whether it
|
||||
wanted them or not. This wouldn't have let an attacker impersonate
|
||||
a hidden service, but it did let directories pre-seed a client
|
||||
with descriptors that it didn't want. Bugfix on 0.0.6.
|
||||
- Avoid linkability based on cached hidden service descriptors: forget
|
||||
all hidden service descriptors cached as a client when processing a
|
||||
SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
|
||||
- Make the bridge directory authority refuse to answer directory
|
||||
requests for "all" descriptors. It used to include bridge
|
||||
descriptors in its answer, which was a major information leak.
|
||||
Found by "piebeer". Bugfix on 0.2.0.3-alpha.
|
||||
- Don't attach new streams to old rendezvous circuits after SIGNAL
|
||||
NEWNYM. Previously, we would keep using an existing rendezvous
|
||||
circuit if it remained open (i.e. if it were kept open by a
|
||||
long-lived stream, or if a new stream were attached to it before
|
||||
Tor could notice that it was old and no longer in use). Bugfix on
|
||||
0.1.1.15-rc; fixes bug 3375.
|
||||
|
||||
o Minor bugfixes (also included in 0.2.2.x):
|
||||
- When we restart our relay, we might get a successful connection
|
||||
from the outside before we've started our reachability tests,
|
||||
triggering a warning: "ORPort found reachable, but I have no
|
||||
routerinfo yet. Failing to inform controller of success." This
|
||||
bug was harmless unless Tor is running under a controller
|
||||
like Vidalia, in which case the controller would never get a
|
||||
REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
|
||||
fixes bug 1172.
|
||||
- Build correctly on OSX with zlib 1.2.4 and higher with all warnings
|
||||
enabled. Fixes bug 1526.
|
||||
- Remove undocumented option "-F" from tor-resolve: it hasn't done
|
||||
anything since 0.2.1.16-rc.
|
||||
- Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
|
||||
None of the cases where we did this before were wrong, but by making
|
||||
this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
|
||||
- Fix a rare crash bug that could occur when a client was configured
|
||||
with a large number of bridges. Fixes bug 2629; bugfix on
|
||||
0.2.1.2-alpha. Bugfix by trac user "shitlei".
|
||||
- Correct the warning displayed when a rendezvous descriptor exceeds
|
||||
the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
|
||||
John Brooks.
|
||||
- Fix an uncommon assertion failure when running with DNSPort under
|
||||
heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
|
||||
- When warning about missing zlib development packages during compile,
|
||||
give the correct package names. Bugfix on 0.2.0.1-alpha.
|
||||
- Require that introduction point keys and onion keys have public
|
||||
exponent 65537. Bugfix on 0.2.0.10-alpha.
|
||||
- Do not crash when our configuration file becomes unreadable, for
|
||||
example due to a permissions change, between when we start up
|
||||
and when a controller calls SAVECONF. Fixes bug 3135; bugfix
|
||||
on 0.0.9pre6.
|
||||
- Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
|
||||
Fixes bug 3208.
|
||||
- Always NUL-terminate the sun_path field of a sockaddr_un before
|
||||
passing it to the kernel. (Not a security issue: kernels are
|
||||
smart enough to reject bad sockaddr_uns.) Found by Coverity;
|
||||
CID #428. Bugfix on Tor 0.2.0.3-alpha.
|
||||
- Don't stack-allocate the list of supplementary GIDs when we're
|
||||
about to log them. Stack-allocating NGROUPS_MAX gid_t elements
|
||||
could take up to 256K, which is way too much stack. Found by
|
||||
Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
|
||||
|
||||
o Minor bugfixes (only in 0.2.1.x):
|
||||
- Resume using micro-version numbers in 0.2.1.x: our Debian packages
|
||||
rely on them. Bugfix on 0.2.1.30.
|
||||
- Use git revisions instead of svn revisions when generating our
|
||||
micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402.
|
||||
|
||||
o Minor features (also included in 0.2.2.x):
|
||||
- Adjust the expiration time on our SSL session certificates to
|
||||
better match SSL certs seen in the wild. Resolves ticket 4014.
|
||||
- Allow nameservers with IPv6 address. Resolves bug 2574.
|
||||
- Update to the October 4 2011 Maxmind GeoLite Country database.
|
||||
|
||||
|
||||
Changes in version 0.2.1.30 - 2011-02-23
|
||||
Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
|
||||
change is a slight tweak to Tor's TLS handshake that makes relays
|
||||
and bridges that run this new version reachable from Iran again.
|
||||
We don't expect this tweak will win the arms race long-term, but it
|
||||
buys us time until we roll out a better solution.
|
||||
|
||||
o Major bugfixes:
|
||||
- Stop sending a CLOCK_SKEW controller status event whenever
|
||||
we fetch directory information from a relay that has a wrong clock.
|
||||
Instead, only inform the controller when it's a trusted authority
|
||||
that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
|
||||
the rest of bug 1074.
|
||||
- Fix a bounds-checking error that could allow an attacker to
|
||||
remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
|
||||
Found by "piebeer".
|
||||
- If relays set RelayBandwidthBurst but not RelayBandwidthRate,
|
||||
Tor would ignore their RelayBandwidthBurst setting,
|
||||
potentially using more bandwidth than expected. Bugfix on
|
||||
0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
|
||||
- Ignore and warn if the user mistakenly sets "PublishServerDescriptor
|
||||
hidserv" in her torrc. The 'hidserv' argument never controlled
|
||||
publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
|
||||
|
||||
o Minor features:
|
||||
- Adjust our TLS Diffie-Hellman parameters to match those used by
|
||||
Apache's mod_ssl.
|
||||
- Update to the February 1 2011 Maxmind GeoLite Country database.
|
||||
|
||||
o Minor bugfixes:
|
||||
- Check for and reject overly long directory certificates and
|
||||
directory tokens before they have a chance to hit any assertions.
|
||||
Bugfix on 0.2.1.28. Found by "doorss".
|
||||
- Bring the logic that gathers routerinfos and assesses the
|
||||
acceptability of circuits into line. This prevents a Tor OP from
|
||||
getting locked in a cycle of choosing its local OR as an exit for a
|
||||
path (due to a .exit request) and then rejecting the circuit because
|
||||
its OR is not listed yet. It also prevents Tor clients from using an
|
||||
OR running in the same instance as an exit (due to a .exit request)
|
||||
if the OR does not meet the same requirements expected of an OR
|
||||
running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
|
||||
|
||||
o Packaging changes:
|
||||
- Stop shipping the Tor specs files and development proposal documents
|
||||
in the tarball. They are now in a separate git repository at
|
||||
git://git.torproject.org/torspec.git
|
||||
- Do not include Git version tags as though they are SVN tags when
|
||||
generating a tarball from inside a repository that has switched
|
||||
between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
|
||||
|
||||
|
||||
Changes in version 0.2.1.29 - 2011-01-15
|
||||
Tor 0.2.1.29 continues our recent code security audit work. The main
|
||||
fix resolves a remote heap overflow vulnerability that can allow remote
|
||||
code execution. Other fixes address a variety of assert and crash bugs,
|
||||
most of which we think are hard to exploit remotely.
|
||||
|
||||
o Major bugfixes (security):
|
||||
- Fix a heap overflow bug where an adversary could cause heap
|
||||
corruption. This bug probably allows remote code execution
|
||||
attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
|
||||
0.1.2.10-rc.
|
||||
- Prevent a denial-of-service attack by disallowing any
|
||||
zlib-compressed data whose compression factor is implausibly
|
||||
high. Fixes part of bug 2324; reported by "doorss".
|
||||
- Zero out a few more keys in memory before freeing them. Fixes
|
||||
bug 2384 and part of bug 2385. These key instances found by
|
||||
"cypherpunks", based on Andrew Case's report about being able
|
||||
to find sensitive data in Tor's memory space if you have enough
|
||||
permissions. Bugfix on 0.0.2pre9.
|
||||
|
||||
o Major bugfixes (crashes):
|
||||
- Prevent calls to Libevent from inside Libevent log handlers.
|
||||
This had potential to cause a nasty set of crashes, especially
|
||||
if running Libevent with debug logging enabled, and running
|
||||
Tor with a controller watching for low-severity log messages.
|
||||
Bugfix on 0.1.0.2-rc. Fixes bug 2190.
|
||||
- Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
|
||||
underflow errors there too. Fixes the other part of bug 2324.
|
||||
- Fix a bug where we would assert if we ever had a
|
||||
cached-descriptors.new file (or another file read directly into
|
||||
memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
|
||||
on 0.2.1.25. Found by doorss.
|
||||
- Fix some potential asserts and parsing issues with grossly
|
||||
malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
|
||||
Found by doorss.
|
||||
|
||||
o Minor bugfixes (other):
|
||||
- Fix a bug with handling misformed replies to reverse DNS lookup
|
||||
requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
|
||||
bug reported by doorss.
|
||||
- Fix compilation on mingw when a pthreads compatibility library
|
||||
has been installed. (We don't want to use it, so we shouldn't
|
||||
be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
|
||||
- Fix a bug where we would declare that we had run out of virtual
|
||||
addresses when the address space was only half-exhausted. Bugfix
|
||||
on 0.1.2.1-alpha.
|
||||
- Correctly handle the case where AutomapHostsOnResolve is set but
|
||||
no virtual addresses are available. Fixes bug 2328; bugfix on
|
||||
0.1.2.1-alpha. Bug found by doorss.
|
||||
- Correctly handle wrapping around to when we run out of virtual
|
||||
address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
|
||||
- The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
|
||||
because we built it with a too-old version of automake. Thus that
|
||||
release broke ./configure --enable-openbsd-malloc, which is popular
|
||||
among really fast exit relays on Linux.
|
||||
|
||||
o Minor features:
|
||||
- Update to the January 1 2011 Maxmind GeoLite Country database.
|
||||
- Introduce output size checks on all of our decryption functions.
|
||||
|
||||
o Build changes:
|
||||
- Tor does not build packages correctly with Automake 1.6 and earlier;
|
||||
added a check to Makefile.am to make sure that we're building with
|
||||
Automake 1.7 or later.
|
||||
|
||||
|
||||
Changes in version 0.2.1.28 - 2010-12-17
|
||||
Tor 0.2.1.28 does some code cleanup to reduce the risk of remotely
|
||||
exploitable bugs. We also took this opportunity to change the IP address
|
||||
for one of our directory authorities, and to update the geoip database
|
||||
we ship.
|
||||
|
||||
o Major bugfixes:
|
||||
- Fix a remotely exploitable bug that could be used to crash instances
|
||||
of Tor remotely by overflowing on the heap. Remote-code execution
|
||||
hasn't been confirmed, but can't be ruled out. Everyone should
|
||||
upgrade. Bugfix on the 0.1.1 series and later.
|
||||
|
||||
o Directory authority changes:
|
||||
- Change IP address and ports for gabelmoo (v3 directory authority).
|
||||
|
||||
o Minor features:
|
||||
- Update to the December 1 2010 Maxmind GeoLite Country database.
|
||||
|
||||
|
||||
Changes in version 0.2.1.27 - 2010-11-23
|
||||
Yet another OpenSSL security patch broke its compatibility with Tor:
|
||||
Tor 0.2.1.27 makes relays work with openssl 0.9.8p and 1.0.0.b. We
|
||||
also took this opportunity to fix several crash bugs, integrate a new
|
||||
directory authority, and update the bundled GeoIP database.
|
||||
|
||||
o Major bugfixes:
|
||||
- Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b:
|
||||
No longer set the tlsext_host_name extension on server SSL objects;
|
||||
but continue to set it on client SSL objects. Our goal in setting
|
||||
it was to imitate a browser, not a vhosting server. Fixes bug 2204;
|
||||
bugfix on 0.2.1.1-alpha.
|
||||
- Do not log messages to the controller while shrinking buffer
|
||||
freelists. Doing so would sometimes make the controller connection
|
||||
try to allocate a buffer chunk, which would mess up the internals
|
||||
of the freelist and cause an assertion failure. Fixes bug 1125;
|
||||
fixed by Robert Ransom. Bugfix on 0.2.0.16-alpha.
|
||||
- Learn our external IP address when we're a relay or bridge, even if
|
||||
we set PublishServerDescriptor to 0. Bugfix on 0.2.0.3-alpha,
|
||||
where we introduced bridge relays that don't need to publish to
|
||||
be useful. Fixes bug 2050.
|
||||
- Do even more to reject (and not just ignore) annotations on
|
||||
router descriptors received anywhere but from the cache. Previously
|
||||
we would ignore such annotations at first, but cache them to disk
|
||||
anyway. Bugfix on 0.2.0.8-alpha. Found by piebeer.
|
||||
- When you're using bridges and your network goes away and your
|
||||
bridges get marked as down, recover when you attempt a new socks
|
||||
connection (if the network is back), rather than waiting up to an
|
||||
hour to try fetching new descriptors for your bridges. Bugfix on
|
||||
0.2.0.3-alpha; fixes bug 1981.
|
||||
|
||||
o Major features:
|
||||
- Move to the November 2010 Maxmind GeoLite country db (rather
|
||||
than the June 2009 ip-to-country GeoIP db) for our statistics that
|
||||
count how many users relays are seeing from each country. Now we'll
|
||||
have more accurate data, especially for many African countries.
|
||||
|
||||
o New directory authorities:
|
||||
- Set up maatuska (run by Linus Nordberg) as the eighth v3 directory
|
||||
authority.
|
||||
|
||||
o Minor bugfixes:
|
||||
- Fix an assertion failure that could occur in directory caches or
|
||||
bridge users when using a very short voting interval on a testing
|
||||
network. Diagnosed by Robert Hogan. Fixes bug 1141; bugfix on
|
||||
0.2.0.8-alpha.
|
||||
- Enforce multiplicity rules when parsing annotations. Bugfix on
|
||||
0.2.0.8-alpha. Found by piebeer.
|
||||
- Allow handshaking OR connections to take a full KeepalivePeriod
|
||||
seconds to handshake. Previously, we would close them after
|
||||
IDLE_OR_CONN_TIMEOUT (180) seconds, the same timeout as if they
|
||||
were open. Bugfix on 0.2.1.26; fixes bug 1840. Thanks to mingw-san
|
||||
for analysis help.
|
||||
- When building with --enable-gcc-warnings on OpenBSD, disable
|
||||
warnings in system headers. This makes --enable-gcc-warnings
|
||||
pass on OpenBSD 4.8.
|
||||
|
||||
o Minor features:
|
||||
- Exit nodes didn't recognize EHOSTUNREACH as a plausible error code,
|
||||
and so sent back END_STREAM_REASON_MISC. Clients now recognize a new
|
||||
stream ending reason for this case: END_STREAM_REASON_NOROUTE.
|
||||
Servers can start sending this code when enough clients recognize
|
||||
it. Bugfix on 0.1.0.1-rc; fixes part of bug 1793.
|
||||
- Build correctly on mingw with more recent versions of OpenSSL 0.9.8.
|
||||
Patch from mingw-san.
|
||||
|
||||
o Removed files:
|
||||
- Remove the old debian/ directory from the main Tor distribution.
|
||||
The official Tor-for-debian git repository lives at the URL
|
||||
https://git.torproject.org/debian/tor.git
|
||||
- Stop shipping the old doc/website/ directory in the tarball. We
|
||||
changed the website format in late 2010, and what we shipped in
|
||||
0.2.1.26 really wasn't that useful anyway.
|
||||
|
||||
|
||||
Changes in version 0.2.1.26 - 2010-05-02
|
||||
Tor 0.2.1.26 addresses the recent connection and memory overload
|
||||
problems we've been seeing on relays, especially relays with their
|
||||
DirPort open. If your relay has been crashing, or you turned it off
|
||||
because it used too many resources, give this release a try.
|
||||
|
||||
This release also fixes yet another instance of broken OpenSSL libraries
|
||||
that was causing some relays to drop out of the consensus.
|
||||
|
||||
o Major bugfixes:
|
||||
- Teach relays to defend themselves from connection overload. Relays
|
||||
now close idle circuits early if it looks like they were intended
|
||||
for directory fetches. Relays are also more aggressive about closing
|
||||
TLS connections that have no circuits on them. Such circuits are
|
||||
unlikely to be re-used, and tens of thousands of them were piling
|
||||
up at the fast relays, causing the relays to run out of sockets
|
||||
and memory. Bugfix on 0.2.0.22-rc (where clients started tunneling
|
||||
their directory fetches over TLS).
|
||||
- Fix SSL renegotiation behavior on OpenSSL versions like on Centos
|
||||
that claim to be earlier than 0.9.8m, but which have in reality
|
||||
backported huge swaths of 0.9.8m or 0.9.8n renegotiation
|
||||
behavior. Possible fix for some cases of bug 1346.
|
||||
- Directory mirrors were fetching relay descriptors only from v2
|
||||
directory authorities, rather than v3 authorities like they should.
|
||||
Only 2 v2 authorities remain (compared to 7 v3 authorities), leading
|
||||
to a serious bottleneck. Bugfix on 0.2.0.9-alpha. Fixes bug 1324.
|
||||
|
||||
o Minor bugfixes:
|
||||
- Finally get rid of the deprecated and now harmful notion of "clique
|
||||
mode", where directory authorities maintain TLS connections to
|
||||
every other relay.
|
||||
|
||||
o Testsuite fixes:
|
||||
- In the util/threads test, no longer free the test_mutex before all
|
||||
worker threads have finished. Bugfix on 0.2.1.6-alpha.
|
||||
- The master thread could starve the worker threads quite badly on
|
||||
certain systems, causing them to run only partially in the allowed
|
||||
window. This resulted in test failures. Now the master thread sleeps
|
||||
occasionally for a few microseconds while the two worker-threads
|
||||
compete for the mutex. Bugfix on 0.2.0.1-alpha.
|
||||
|
||||
|
||||
Changes in version 0.2.1.25 - 2010-03-16
|
||||
Tor 0.2.1.25 fixes a regression introduced in 0.2.1.23 that could
|
||||
prevent relays from guessing their IP address correctly. It also fixes
|
||||
|
|
132
ReleaseNotes
132
ReleaseNotes
|
@ -3,6 +3,138 @@ This document summarizes new features and bugfixes in each stable release
|
|||
of Tor. If you want to see more detailed descriptions of the changes in
|
||||
each development snapshot, see the ChangeLog file.
|
||||
|
||||
Changes in version 0.2.1.32 - 2011-12-16
|
||||
Tor 0.2.1.32 backports important security and privacy fixes for
|
||||
oldstable. This release is intended only for package maintainers and
|
||||
others who cannot use the 0.2.2 stable series. All others should be
|
||||
using Tor 0.2.2.x or newer.
|
||||
|
||||
The Tor 0.2.1.x series will reach formal end-of-life some time in
|
||||
early 2012; we will stop releasing patches for it then.
|
||||
|
||||
o Major bugfixes (also included in 0.2.2.x):
|
||||
- Correctly sanity-check that we don't underflow on a memory
|
||||
allocation (and then assert) for hidden service introduction
|
||||
point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
|
||||
bugfix on 0.2.1.5-alpha.
|
||||
- Fix a heap overflow bug that could occur when trying to pull
|
||||
data into the first chunk of a buffer, when that chunk had
|
||||
already had some data drained from it. Fixes CVE-2011-2778;
|
||||
bugfix on 0.2.0.16-alpha. Reported by "Vektor".
|
||||
|
||||
o Minor features:
|
||||
- Update to the December 6 2011 Maxmind GeoLite Country database.
|
||||
|
||||
|
||||
Changes in version 0.2.1.31 - 2011-10-26
|
||||
Tor 0.2.1.31 backports important security and privacy fixes for
|
||||
oldstable. This release is intended only for package maintainers and
|
||||
others who cannot use the 0.2.2 stable series. All others should be
|
||||
using Tor 0.2.2.x or newer.
|
||||
|
||||
o Security fixes (also included in 0.2.2.x):
|
||||
- Replace all potentially sensitive memory comparison operations
|
||||
with versions whose runtime does not depend on the data being
|
||||
compared. This will help resist a class of attacks where an
|
||||
adversary can use variations in timing information to learn
|
||||
sensitive data. Fix for one case of bug 3122. (Safe memcmp
|
||||
implementation by Robert Ransom based partially on code by DJB.)
|
||||
- Fix an assert in parsing router descriptors containing IPv6
|
||||
addresses. This one took down the directory authorities when
|
||||
somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
|
||||
|
||||
o Privacy/anonymity fixes (also included in 0.2.2.x):
|
||||
- Clients and bridges no longer send TLS certificate chains on
|
||||
outgoing OR connections. Previously, each client or bridge would
|
||||
use the same cert chain for all outgoing OR connections until
|
||||
its IP address changes, which allowed any relay that the client
|
||||
or bridge contacted to determine which entry guards it is using.
|
||||
Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
|
||||
- If a relay receives a CREATE_FAST cell on a TLS connection, it
|
||||
no longer considers that connection as suitable for satisfying a
|
||||
circuit EXTEND request. Now relays can protect clients from the
|
||||
CVE-2011-2768 issue even if the clients haven't upgraded yet.
|
||||
- Bridges now refuse CREATE or CREATE_FAST cells on OR connections
|
||||
that they initiated. Relays could distinguish incoming bridge
|
||||
connections from client connections, creating another avenue for
|
||||
enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
|
||||
Found by "frosty_un".
|
||||
- When receiving a hidden service descriptor, check that it is for
|
||||
the hidden service we wanted. Previously, Tor would store any
|
||||
hidden service descriptors that a directory gave it, whether it
|
||||
wanted them or not. This wouldn't have let an attacker impersonate
|
||||
a hidden service, but it did let directories pre-seed a client
|
||||
with descriptors that it didn't want. Bugfix on 0.0.6.
|
||||
- Avoid linkability based on cached hidden service descriptors: forget
|
||||
all hidden service descriptors cached as a client when processing a
|
||||
SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
|
||||
- Make the bridge directory authority refuse to answer directory
|
||||
requests for "all" descriptors. It used to include bridge
|
||||
descriptors in its answer, which was a major information leak.
|
||||
Found by "piebeer". Bugfix on 0.2.0.3-alpha.
|
||||
- Don't attach new streams to old rendezvous circuits after SIGNAL
|
||||
NEWNYM. Previously, we would keep using an existing rendezvous
|
||||
circuit if it remained open (i.e. if it were kept open by a
|
||||
long-lived stream, or if a new stream were attached to it before
|
||||
Tor could notice that it was old and no longer in use). Bugfix on
|
||||
0.1.1.15-rc; fixes bug 3375.
|
||||
|
||||
o Minor bugfixes (also included in 0.2.2.x):
|
||||
- When we restart our relay, we might get a successful connection
|
||||
from the outside before we've started our reachability tests,
|
||||
triggering a warning: "ORPort found reachable, but I have no
|
||||
routerinfo yet. Failing to inform controller of success." This
|
||||
bug was harmless unless Tor is running under a controller
|
||||
like Vidalia, in which case the controller would never get a
|
||||
REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
|
||||
fixes bug 1172.
|
||||
- Build correctly on OSX with zlib 1.2.4 and higher with all warnings
|
||||
enabled. Fixes bug 1526.
|
||||
- Remove undocumented option "-F" from tor-resolve: it hasn't done
|
||||
anything since 0.2.1.16-rc.
|
||||
- Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
|
||||
None of the cases where we did this before were wrong, but by making
|
||||
this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
|
||||
- Fix a rare crash bug that could occur when a client was configured
|
||||
with a large number of bridges. Fixes bug 2629; bugfix on
|
||||
0.2.1.2-alpha. Bugfix by trac user "shitlei".
|
||||
- Correct the warning displayed when a rendezvous descriptor exceeds
|
||||
the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
|
||||
John Brooks.
|
||||
- Fix an uncommon assertion failure when running with DNSPort under
|
||||
heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
|
||||
- When warning about missing zlib development packages during compile,
|
||||
give the correct package names. Bugfix on 0.2.0.1-alpha.
|
||||
- Require that introduction point keys and onion keys have public
|
||||
exponent 65537. Bugfix on 0.2.0.10-alpha.
|
||||
- Do not crash when our configuration file becomes unreadable, for
|
||||
example due to a permissions change, between when we start up
|
||||
and when a controller calls SAVECONF. Fixes bug 3135; bugfix
|
||||
on 0.0.9pre6.
|
||||
- Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
|
||||
Fixes bug 3208.
|
||||
- Always NUL-terminate the sun_path field of a sockaddr_un before
|
||||
passing it to the kernel. (Not a security issue: kernels are
|
||||
smart enough to reject bad sockaddr_uns.) Found by Coverity;
|
||||
CID #428. Bugfix on Tor 0.2.0.3-alpha.
|
||||
- Don't stack-allocate the list of supplementary GIDs when we're
|
||||
about to log them. Stack-allocating NGROUPS_MAX gid_t elements
|
||||
could take up to 256K, which is way too much stack. Found by
|
||||
Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
|
||||
|
||||
o Minor bugfixes (only in 0.2.1.x):
|
||||
- Resume using micro-version numbers in 0.2.1.x: our Debian packages
|
||||
rely on them. Bugfix on 0.2.1.30.
|
||||
- Use git revisions instead of svn revisions when generating our
|
||||
micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402.
|
||||
|
||||
o Minor features (also included in 0.2.2.x):
|
||||
- Adjust the expiration time on our SSL session certificates to
|
||||
better match SSL certs seen in the wild. Resolves ticket 4014.
|
||||
- Allow nameservers with IPv6 address. Resolves bug 2574.
|
||||
- Update to the October 4 2011 Maxmind GeoLite Country database.
|
||||
|
||||
|
||||
Changes in version 0.2.1.30 - 2011-02-23
|
||||
Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
|
||||
change is a slight tweak to Tor's TLS handshake that makes relays
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
o Security fixes:
|
||||
- Don't attach new streams to old rendezvous circuits after SIGNAL
|
||||
NEWNYM. Previously, we would keep using an existing rendezvous
|
||||
circuit if it remained open (i.e. if it were kept open by a
|
||||
long-lived stream or if a new stream were attached to it before
|
||||
Tor could notice that it was old and no longer in use and close
|
||||
it). Bugfix on 0.1.1.15-rc; fixes bug 3375.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
|
||||
o Major bugfixes:
|
||||
- Fix a heap overflow bug that could occur when trying to pull
|
||||
data into the first chunk of a buffer, when that chunk had
|
||||
already had some data drained from it. Fixes CVE-2011-2778;
|
||||
bugfix on 0.2.0.16-alpha. Reported by "Vektor".
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes:
|
||||
- Build correctly on OSX with zlib 1.2.4 and higher with all warnings
|
||||
enabled.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes
|
||||
- Avoid crashes when AccountingMax is set on clients. Fixes bug 2235;
|
||||
Bugfix on 0.2.2.18-alpha. Diagnosed by boboper.
|
|
@ -1,5 +0,0 @@
|
|||
o Major bugfixes:
|
||||
- Don't assert when changing from bridge to relay or vice versa with a controller.
|
||||
The assert happened because we didn't properly initialize our keys in this case.
|
||||
Bugfix on 0.2.2.18, fixes bug 2433. Issue first discovered by bastik.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes:
|
||||
- Don't crash a bridge authority on SIGHUP if it can't force itself
|
||||
into its routerlist. Fixes bug 2572.
|
||||
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Allow nameservers with IPv6 address. Fixes bug 2574.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
o Security fixes
|
||||
- Replace all potentially sensitive memory comparison operations
|
||||
with versions whose runtime does not depend on the data being
|
||||
compared. This will help resist a class of attacks where an
|
||||
adversary can use variations in timing information to learn
|
||||
sensitive data. Fix for one case of bug 3122. (Safe memcmp
|
||||
implementation by Robert Ransom based partially on code by DJB.)
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes
|
||||
- Do not crash when our configuration file becomes unreadable
|
||||
(usually due to a permissions change) between when we start
|
||||
up and when a controller calls SAVECONF. Fixes bug 3135;
|
||||
bugfix on 0.0.9pre6.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Removed options:
|
||||
- Remove undocumented option "-F" from tor-resolve: it hasn't done
|
||||
anything since 0.2.1.16-rc.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes:
|
||||
- Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
|
||||
Fixes bug 3208.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Major bugfixes:
|
||||
- Resolve a crash that occured when setting BridgeRelay to 1 with
|
||||
accounting enabled. Fixes bug 3228; bugfix on 0.2.2.18-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Adjust the expiration time on our SSL session certificates to
|
||||
better match SSL certs seen in the wild. Resolves ticket 4014.
|
|
@ -1,5 +0,0 @@
|
|||
o Major bugfixes:
|
||||
- Correctly sanity-check that we don't underflow on a memory allocation
|
||||
for introduction point decryption. Bug discovered by Dan Rosenberg.
|
||||
Fixes bug 4410; bugfix on 0.2.1.5-alpha.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
o Security fixes:
|
||||
- When fetching a hidden service descriptor, check that it is for
|
||||
the hidden service we were trying to connect to, in order to
|
||||
stop a directory from pre-seeding a client with a descriptor for
|
||||
a hidden service that they didn't want. Bugfix on 0.0.6.
|
||||
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes:
|
||||
- Require that introduction point keys and onion keys have public
|
||||
exponent 65537. Bugfix on 0.2.0.10-alpha.
|
||||
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes:
|
||||
- Always NUL-terminate the sun_path field of a sockaddr_un before
|
||||
passing it to the kernel. (Not a security issue: kernels are
|
||||
smart enough to reject bad sockaddr_uns.) Found by Coverity; CID
|
||||
# 428. Bugfix on Tor 0.2.0.3-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes:
|
||||
- Don't stack-allocate the list of supplementary GIDs when we're
|
||||
about to log them. Stack-allocating NGROUPS_MAX gid_t elements
|
||||
could take up to 256K, which is way too much stack. Found by
|
||||
Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Update to the August 2 2011 Maxmind GeoLite Country database.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Update to the December 6 2011 Maxmind GeoLite Country database.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Update to the July 1 2011 Maxmind GeoLite Country database.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Update to the June 1 2011 Maxmind GeoLite Country database.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Update to the May 1 2011 Maxmind GeoLite Country database.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Update to the November 1 2011 Maxmind GeoLite Country database.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Update to the October 4 2011 Maxmind GeoLite Country database.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features:
|
||||
- Update to the September 6 2011 Maxmind GeoLite Country database.
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
o Security fixes:
|
||||
|
||||
- Don't send TLS certificate chains on outgoing OR connections
|
||||
from clients and bridges. Previously, each client or bridge
|
||||
would use a single cert chain for all outgoing OR connections
|
||||
for up to 24 hours, which allowed any relay connected to by a
|
||||
client or bridge to determine which entry guards it is using.
|
||||
This is a potential user-tracing bug for *all* users; everyone
|
||||
who uses Tor's client or hidden service functionality should
|
||||
upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by
|
||||
frosty_un.
|
||||
|
||||
- Don't use any OR connection on which we have received a
|
||||
CREATE_FAST cell to satisfy an EXTEND request. Previously, we
|
||||
would not consider whether a connection appears to be from a
|
||||
client or bridge when deciding whether to use that connection to
|
||||
satisfy an EXTEND request. Mitigates CVE-2011-2768, by
|
||||
preventing an attacker from determining whether an unpatched
|
||||
client is connected to a patched relay. Bugfix on FIXME; found
|
||||
by frosty_un.
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
o Security fixes:
|
||||
|
||||
- Reject CREATE and CREATE_FAST cells on outgoing OR connections
|
||||
from a bridge to a relay. Previously, we would accept them and
|
||||
handle them normally, thereby allowing a malicious relay to
|
||||
easily distinguish bridges which connect to it from clients.
|
||||
Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha, when bridges were
|
||||
implemented; found by frosty_un.
|
||||
|
|
@ -5,7 +5,7 @@ dnl Copyright (c) 2007-2008, The Tor Project, Inc.
|
|||
dnl See LICENSE for licensing information
|
||||
|
||||
AC_INIT
|
||||
AM_INIT_AUTOMAKE(tor, 0.2.1.31)
|
||||
AM_INIT_AUTOMAKE(tor, 0.2.1.32)
|
||||
AM_CONFIG_HEADER(orconfig.h)
|
||||
|
||||
AC_CANONICAL_HOST
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
!include "FileFunc.nsh"
|
||||
!insertmacro GetParameters
|
||||
|
||||
!define VERSION "0.2.1.31"
|
||||
!define VERSION "0.2.1.32"
|
||||
!define INSTALLER "tor-${VERSION}-win32.exe"
|
||||
!define WEBSITE "https://www.torproject.org/"
|
||||
!define LICENSE "LICENSE"
|
||||
|
|
|
@ -226,6 +226,6 @@
|
|||
#define USING_TWOS_COMPLEMENT
|
||||
|
||||
/* Version number of package */
|
||||
#define VERSION "0.2.1.31"
|
||||
#define VERSION "0.2.1.32"
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue