@@ -2,6 +2,466 @@ This document summarizes new features and bugfixes in each stable release
of Tor. If you want to see more detailed descriptions of the changes in
each development snapshot, see the ChangeLog file.
+
+Changes in version 0.2.8.13 - 2017-03-03
+ Tor 0.2.8.13 backports a security fix from later Tor
+ releases. Anybody running Tor 0.2.8.12 or earlier should upgrade to this
+ this release, if for some reason they cannot upgrade to a later
+ release series, and if they build Tor with the --enable-expensive-hardening
+ option.
+
+ Note that support for Tor 0.2.8.x is ending next year: we will not issue
+ any fixes for the Tor 0.2.8.x series after 1 Jan 2018. If you need
+ a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
+
+ o Major bugfixes (parsing, backported from 0.3.0.4-rc):
+ - Fix an integer underflow bug when comparing malformed Tor
+ versions. This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
+ 0.2.9.8, which were built with -ftrapv by default. In other cases
+ it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
+ on 0.0.8pre1. Found by OSS-Fuzz.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+
+
+Changes in version 0.2.7.7 - 2017-03-03
+ Tor 0.2.7.7 backports a number of security fixes from later Tor
+ releases. Anybody running Tor 0.2.7.6 or earlier should upgrade to
+ this release, if for some reason they cannot upgrade to a later
+ release series.
+
+ Note that support for Tor 0.2.7.x is ending this year: we will not issue
+ any fixes for the Tor 0.2.7.x series after 1 August 2017. If you need
+ a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
+
+ o Directory authority changes (backport from 0.2.8.5-rc):
+ - Urras is no longer a directory authority. Closes ticket 19271.
+
+ o Directory authority changes (backport from 0.2.9.2-alpha):
+ - The "Tonga" bridge authority has been retired; the new bridge
+ authority is "Bifroest". Closes tickets 19728 and 19690.
+
+ o Directory authority key updates (backport from 0.2.8.1-alpha):
+ - Update the V3 identity key for the dannenberg directory authority:
+ it was changed on 18 November 2015. Closes task 17906. Patch
+ by "teor".
+
+ o Major bugfixes (parsing, security, backport from 0.2.9.8):
+ - Fix a bug in parsing that could cause clients to read a single
+ byte past the end of an allocated region. This bug could be used
+ to cause hardened clients (built with --enable-expensive-hardening)
+ to crash if they tried to visit a hostile hidden service. Non-
+ hardened clients are only affected depending on the details of
+ their platform's memory allocator. Fixes bug 21018; bugfix on
+ 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
+ 2016-12-002 and as CVE-2016-1254.
+
+ o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
+ - Stop a crash that could occur when a client running with DNSPort
+ received a query with multiple address types, and the first
+ address type was not supported. Found and fixed by Scott Dial.
+ Fixes bug 18710; bugfix on 0.2.5.4-alpha.
+ - Prevent a class of security bugs caused by treating the contents
+ of a buffer chunk as if they were a NUL-terminated string. At
+ least one such bug seems to be present in all currently used
+ versions of Tor, and would allow an attacker to remotely crash
+ most Tor instances, especially those compiled with extra compiler
+ hardening. With this defense in place, such bugs can't crash Tor,
+ though we should still fix them as they occur. Closes ticket
+ 20384 (TROVE-2016-10-001).
+
+ o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
+ - Avoid a difficult-to-trigger heap corruption attack when extending
+ a smartlist to contain over 16GB of pointers. Fixes bug 18162;
+ bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
+ Reported by Guido Vranken.
+
+ o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
+ - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
+ bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
+
+ o Major bugfixes (key management, backport from 0.2.8.3-alpha):
+ - If OpenSSL fails to generate an RSA key, do not retain a dangling
+ pointer to the previous (uninitialized) key value. The impact here
+ should be limited to a difficult-to-trigger crash, if OpenSSL is
+ running an engine that makes key generation failures possible, or
+ if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
+ 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
+ Baishakhi Ray.
+
+ o Major bugfixes (parsing, backported from 0.3.0.4-rc):
+ - Fix an integer underflow bug when comparing malformed Tor
+ versions. This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
+ 0.2.9.8, which were built with -ftrapv by default. In other cases
+ it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
+ on 0.0.8pre1. Found by OSS-Fuzz.
+
+ o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
+ - Make memwipe() do nothing when passed a NULL pointer or buffer of
+ zero size. Check size argument to memwipe() for underflow. Fixes
+ bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
+ patch by "teor".
+
+ o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
+ - Make Tor survive errors involving connections without a
+ corresponding event object. Previously we'd fail with an
+ assertion; now we produce a log message. Related to bug 16248.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+
+
+Changes in version 0.2.6.11 - 2017-03-03
+ Tor 0.2.6.11 backports a number of security fixes from later Tor
+ releases. Anybody running Tor 0.2.6.10 or earlier should upgrade to
+ this release, if for some reason they cannot upgrade to a later
+ release series.
+
+ Note that support for Tor 0.2.6.x is ending this year: we will not issue
+ any fixes for the Tor 0.2.6.x series after 1 August 2017. If you need
+ a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
+
+ o Directory authority changes (backport from 0.2.8.5-rc):
+ - Urras is no longer a directory authority. Closes ticket 19271.
+
+ o Directory authority changes (backport from 0.2.9.2-alpha):
+ - The "Tonga" bridge authority has been retired; the new bridge
+ authority is "Bifroest". Closes tickets 19728 and 19690.
+
+ o Directory authority key updates (backport from 0.2.8.1-alpha):
+ - Update the V3 identity key for the dannenberg directory authority:
+ it was changed on 18 November 2015. Closes task 17906. Patch
+ by "teor".
+
+ o Major features (security fixes, backport from 0.2.9.4-alpha):
+ - Prevent a class of security bugs caused by treating the contents
+ of a buffer chunk as if they were a NUL-terminated string. At
+ least one such bug seems to be present in all currently used
+ versions of Tor, and would allow an attacker to remotely crash
+ most Tor instances, especially those compiled with extra compiler
+ hardening. With this defense in place, such bugs can't crash Tor,
+ though we should still fix them as they occur. Closes ticket
+ 20384 (TROVE-2016-10-001).
+
+ o Major bugfixes (parsing, security, backport from 0.2.9.8):
+ - Fix a bug in parsing that could cause clients to read a single
+ byte past the end of an allocated region. This bug could be used
+ to cause hardened clients (built with --enable-expensive-hardening)
+ to crash if they tried to visit a hostile hidden service. Non-
+ hardened clients are only affected depending on the details of
+ their platform's memory allocator. Fixes bug 21018; bugfix on
+ 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
+ 2016-12-002 and as CVE-2016-1254.
+
+ o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
+ - Stop a crash that could occur when a client running with DNSPort
+ received a query with multiple address types, and the first
+ address type was not supported. Found and fixed by Scott Dial.
+ Fixes bug 18710; bugfix on 0.2.5.4-alpha.
+
+ o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
+ - Fix an error that could cause us to read 4 bytes before the
+ beginning of an openssl string. This bug could be used to cause
+ Tor to crash on systems with unusual malloc implementations, or
+ systems with unusual hardening installed. Fixes bug 17404; bugfix
+ on 0.2.3.6-alpha.
+
+ o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
+ - Avoid a difficult-to-trigger heap corruption attack when extending
+ a smartlist to contain over 16GB of pointers. Fixes bug 18162;
+ bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
+ Reported by Guido Vranken.
+
+ o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
+ - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
+ bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
+
+ o Major bugfixes (guard selection, backport from 0.2.7.6):
+ - Actually look at the Guard flag when selecting a new directory
+ guard. When we implemented the directory guard design, we
+ accidentally started treating all relays as if they have the Guard
+ flag during guard selection, leading to weaker anonymity and worse
+ performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
+ by Mohsen Imani.
+
+ o Major bugfixes (key management, backport from 0.2.8.3-alpha):
+ - If OpenSSL fails to generate an RSA key, do not retain a dangling
+ pointer to the previous (uninitialized) key value. The impact here
+ should be limited to a difficult-to-trigger crash, if OpenSSL is
+ running an engine that makes key generation failures possible, or
+ if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
+ 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
+ Baishakhi Ray.
+
+ o Major bugfixes (parsing, backported from 0.3.0.4-rc):
+ - Fix an integer underflow bug when comparing malformed Tor
+ versions. This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
+ 0.2.9.8, which were built with -ftrapv by default. In other cases
+ it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
+ on 0.0.8pre1. Found by OSS-Fuzz.
+
+ o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
+ - Make memwipe() do nothing when passed a NULL pointer or buffer of
+ zero size. Check size argument to memwipe() for underflow. Fixes
+ bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
+ patch by "teor".
+
+ o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
+ - Make Tor survive errors involving connections without a
+ corresponding event object. Previously we'd fail with an
+ assertion; now we produce a log message. Related to bug 16248.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (compilation, backport from 0.2.7.6):
+ - Fix a compilation warning with Clang 3.6: Do not check the
+ presence of an address which can never be NULL. Fixes bug 17781.
+
+
+Changes in version 0.2.5.13 - 2017-03-03
+ Tor 0.2.5.13 backports a number of security fixes from later Tor
+ releases. Anybody running Tor 0.2.5.13 or earlier should upgrade to
+ this release, if for some reason they cannot upgrade to a later
+ release series.
+
+ Note that support for Tor 0.2.5.x is ending next year: we will not issue
+ any fixes for the Tor 0.2.5.x series after 1 May 2018. If you need
+ a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
+
+ o Directory authority changes (backport from 0.2.8.5-rc):
+ - Urras is no longer a directory authority. Closes ticket 19271.
+
+ o Directory authority changes (backport from 0.2.9.2-alpha):
+ - The "Tonga" bridge authority has been retired; the new bridge
+ authority is "Bifroest". Closes tickets 19728 and 19690.
+
+ o Directory authority key updates (backport from 0.2.8.1-alpha):
+ - Update the V3 identity key for the dannenberg directory authority:
+ it was changed on 18 November 2015. Closes task 17906. Patch
+ by "teor".
+
+ o Major features (security fixes, backport from 0.2.9.4-alpha):
+ - Prevent a class of security bugs caused by treating the contents
+ of a buffer chunk as if they were a NUL-terminated string. At
+ least one such bug seems to be present in all currently used
+ versions of Tor, and would allow an attacker to remotely crash
+ most Tor instances, especially those compiled with extra compiler
+ hardening. With this defense in place, such bugs can't crash Tor,
+ though we should still fix them as they occur. Closes ticket
+ 20384 (TROVE-2016-10-001).
+
+ o Major bugfixes (parsing, security, backport from 0.2.9.8):
+ - Fix a bug in parsing that could cause clients to read a single
+ byte past the end of an allocated region. This bug could be used
+ to cause hardened clients (built with --enable-expensive-hardening)
+ to crash if they tried to visit a hostile hidden service. Non-
+ hardened clients are only affected depending on the details of
+ their platform's memory allocator. Fixes bug 21018; bugfix on
+ 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
+ 2016-12-002 and as CVE-2016-1254.
+
+ o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
+ - Stop a crash that could occur when a client running with DNSPort
+ received a query with multiple address types, and the first
+ address type was not supported. Found and fixed by Scott Dial.
+ Fixes bug 18710; bugfix on 0.2.5.4-alpha.
+
+ o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
+ - Fix an error that could cause us to read 4 bytes before the
+ beginning of an openssl string. This bug could be used to cause
+ Tor to crash on systems with unusual malloc implementations, or
+ systems with unusual hardening installed. Fixes bug 17404; bugfix
+ on 0.2.3.6-alpha.
+
+ o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
+ - Avoid a difficult-to-trigger heap corruption attack when extending
+ a smartlist to contain over 16GB of pointers. Fixes bug 18162;
+ bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
+ Reported by Guido Vranken.
+
+ o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
+ - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
+ bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
+
+ o Major bugfixes (guard selection, backport from 0.2.7.6):
+ - Actually look at the Guard flag when selecting a new directory
+ guard. When we implemented the directory guard design, we
+ accidentally started treating all relays as if they have the Guard
+ flag during guard selection, leading to weaker anonymity and worse
+ performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
+ by Mohsen Imani.
+
+ o Major bugfixes (key management, backport from 0.2.8.3-alpha):
+ - If OpenSSL fails to generate an RSA key, do not retain a dangling
+ pointer to the previous (uninitialized) key value. The impact here
+ should be limited to a difficult-to-trigger crash, if OpenSSL is
+ running an engine that makes key generation failures possible, or
+ if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
+ 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
+ Baishakhi Ray.
+
+ o Major bugfixes (parsing, backported from 0.3.0.4-rc):
+ - Fix an integer underflow bug when comparing malformed Tor
+ versions. This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
+ 0.2.9.8, which were built with -ftrapv by default. In other cases
+ it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
+ on 0.0.8pre1. Found by OSS-Fuzz.
+
+ o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
+ - Make memwipe() do nothing when passed a NULL pointer or buffer of
+ zero size. Check size argument to memwipe() for underflow. Fixes
+ bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
+ patch by "teor".
+
+ o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
+ - Make Tor survive errors involving connections without a
+ corresponding event object. Previously we'd fail with an
+ assertion; now we produce a log message. Related to bug 16248.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (compilation, backport from 0.2.7.6):
+ - Fix a compilation warning with Clang 3.6: Do not check the
+ presence of an address which can never be NULL. Fixes bug 17781.
+
+ o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha):
+ - Check for failures from crypto_early_init, and refuse to continue.
+ A previous typo meant that we could keep going with an
+ uninitialized crypto library, and would have OpenSSL initialize
+ its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
+ when implementing ticket 4900. Patch by "teor".
+
+ o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
+ a client authorized hidden service. Fixes bug 15823; bugfix
+ on 0.2.1.6-alpha.
+
+
+Changes in version 0.2.4.28 - 2017-03-03
+ Tor 0.2.4.28 backports a number of security fixes from later Tor
+ releases. Anybody running Tor 0.2.4.27 or earlier should upgrade to
+ this release, if for some reason they cannot upgrade to a later
+ release series.
+
+ Note that support for Tor 0.2.4.x is ending soon: we will not issue
+ any fixes for the Tor 0.2.4.x series after 1 August 2017. If you need
+ a Tor release series with long-term support, we recommend Tor 0.2.9.x.
+
+ o Directory authority changes (backport from 0.2.8.5-rc):
+ - Urras is no longer a directory authority. Closes ticket 19271.
+
+ o Directory authority changes (backport from 0.2.9.2-alpha):
+ - The "Tonga" bridge authority has been retired; the new bridge
+ authority is "Bifroest". Closes tickets 19728 and 19690.
+
+ o Directory authority key updates (backport from 0.2.8.1-alpha):
+ - Update the V3 identity key for the dannenberg directory authority:
+ it was changed on 18 November 2015. Closes task 17906. Patch
+ by "teor".
+
+ o Major features (security fixes, backport from 0.2.9.4-alpha):
+ - Prevent a class of security bugs caused by treating the contents
+ of a buffer chunk as if they were a NUL-terminated string. At
+ least one such bug seems to be present in all currently used
+ versions of Tor, and would allow an attacker to remotely crash
+ most Tor instances, especially those compiled with extra compiler
+ hardening. With this defense in place, such bugs can't crash Tor,
+ though we should still fix them as they occur. Closes ticket
+ 20384 (TROVE-2016-10-001).
+
+ o Major bugfixes (parsing, security, backport from 0.2.9.8):
+ - Fix a bug in parsing that could cause clients to read a single
+ byte past the end of an allocated region. This bug could be used
+ to cause hardened clients (built with --enable-expensive-hardening)
+ to crash if they tried to visit a hostile hidden service. Non-
+ hardened clients are only affected depending on the details of
+ their platform's memory allocator. Fixes bug 21018; bugfix on
+ 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
+ 2016-12-002 and as CVE-2016-1254.
+
+ o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
+ - Fix an error that could cause us to read 4 bytes before the
+ beginning of an openssl string. This bug could be used to cause
+ Tor to crash on systems with unusual malloc implementations, or
+ systems with unusual hardening installed. Fixes bug 17404; bugfix
+ on 0.2.3.6-alpha.
+
+ o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
+ - Avoid a difficult-to-trigger heap corruption attack when extending
+ a smartlist to contain over 16GB of pointers. Fixes bug 18162;
+ bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
+ Reported by Guido Vranken.
+
+ o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
+ - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
+ bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
+
+ o Major bugfixes (guard selection, backport from 0.2.7.6):
+ - Actually look at the Guard flag when selecting a new directory
+ guard. When we implemented the directory guard design, we
+ accidentally started treating all relays as if they have the Guard
+ flag during guard selection, leading to weaker anonymity and worse
+ performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
+ by Mohsen Imani.
+
+ o Major bugfixes (key management, backport from 0.2.8.3-alpha):
+ - If OpenSSL fails to generate an RSA key, do not retain a dangling
+ pointer to the previous (uninitialized) key value. The impact here
+ should be limited to a difficult-to-trigger crash, if OpenSSL is
+ running an engine that makes key generation failures possible, or
+ if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
+ 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
+ Baishakhi Ray.
+
+ o Major bugfixes (parsing, backported from 0.3.0.4-rc):
+ - Fix an integer underflow bug when comparing malformed Tor
+ versions. This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
+ 0.2.9.8, which were built with -ftrapv by default. In other cases
+ it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
+ on 0.0.8pre1. Found by OSS-Fuzz.
+
+ o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
+ - Make memwipe() do nothing when passed a NULL pointer or buffer of
+ zero size. Check size argument to memwipe() for underflow. Fixes
+ bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
+ patch by "teor".
+
+ o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
+ - Make Tor survive errors involving connections without a
+ corresponding event object. Previously we'd fail with an
+ assertion; now we produce a log message. Related to bug 16248.
+
+ o Minor features (DoS-resistance, backport from 0.2.7.1-alpha):
+ - Make it harder for attackers to overload hidden services with
+ introductions, by blocking multiple introduction requests on the
+ same circuit. Resolves ticket 15515.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (compilation, backport from 0.2.7.6):
+ - Fix a compilation warning with Clang 3.6: Do not check the
+ presence of an address which can never be NULL. Fixes bug 17781.
+
+ o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
+ a client authorized hidden service. Fixes bug 15823; bugfix
+ on 0.2.1.6-alpha.
+
+
Changes in version 0.2.9.10 - 2017-03-01
Tor 0.2.9.10 backports a security fix from later Tor release. It also
includes fixes for some major issues affecting directory authorities,
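Review bot: The 0.2.5.13 entry tells "Anybody running Tor 0.2.5.13 or earlier" to upgrade to 0.2.5.13, which names the release itself; every other entry added here names the preceding point release (0.2.8.12, 0.2.7.6, 0.2.6.10, 0.2.4.27), so this should read 0.2.5.12. In the 0.2.8.13 intro, "should upgrade to this" is followed on the next line by "this release", a doubled word left over from adapting the template text; drop one "this". That intro also says "a security fix" while its end-of-support note and the other entries follow the same pattern, so it is worth rereading the paragraph as a whole after the edit. Minor consistency point: the 0.2.4.28 entry recommends a series with "long-term support" where the four others say "longer-term support"; pick one wording.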