merge in the safecookie changelog entry too

Roger Dingledine 12 years ago
parent
commit
de73e3692a
2 changed files with 7 additions and 9 deletions
  1. ChangeLog (+7 -0)
  2. changes/safecookie (+0 -9)

+ 7 - 0
ChangeLog

@@ -7,6 +7,13 @@ Changes in version 0.2.3.13-alpha - 2012-03-26
     - Change IP address for maatuska (v3 directory authority).
     - Change IP address for maatuska (v3 directory authority).
 
 
   o Security fixes:
   o Security fixes:
+    - Provide controllers with a safer way to implement the cookie
+      authentication mechanism. With the old method, if another locally
+      running program could convince a controller that it was the Tor
+      process, then that program could trick the contoller into telling
+      it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+      authentication method uses a challenge-response approach to prevent
+      this attack. Fixes bug 5185, implements proposal 193.
     - Never use a bridge or a controller-supplied node as an exit, even
     - Never use a bridge or a controller-supplied node as an exit, even
       if its exit policy allows it. Found by wanoskarnet. Fixes bug
       if its exit policy allows it. Found by wanoskarnet. Fixes bug
       5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
       5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
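
Review bot: The added entry misspells "controller" as "contoller" in the line "process, then that program could trick the contoller into telling"; fix the spelling before this text ships in the 0.2.3.13-alpha ChangeLog, since release notes get copied into announcements verbatim. The entry also names the new "SAFECOOKIE" method but does not say which method "the old method" is; naming it next to "cookie authentication mechanism" would tell controller authors exactly what they need to move away from.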

+ 0 - 9
changes/safecookie

@@ -1,9 +0,0 @@
-  o Security Features:
-    - Provide controllers with a safer way to implement the cookie
-      authentication mechanism. With the old method, if another locally
-      running program could convince a controller that it was the Tor
-      process, then that program could trick the contoller into
-      telling it the contents of an arbitrary 32-byte file. The new
-      "SAFECOOKIE" authentication method uses a challenge-response
-      approach to prevent this. Fixes bug 5185, implements proposal 193. 
-
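
Review bot: The fragment removed here was filed under "o Security Features:", but the merged text in ChangeLog sits under "o Security fixes:", and its closing wording changed from "to prevent this" to "to prevent this attack". If the reclassification is deliberate (the entry does say "Fixes bug 5185"), say so in the commit message; as written, "merge in the safecookie changelog entry too" reads like a verbatim move and hides the change of category.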