diff options
| author | Roger Dingledine <arma@torproject.org> | 2012-10-20 14:18:31 -0400 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2012-10-20 14:18:31 -0400 |
| commit | 7ebfeff65756edf94dec5f1b0568d5a3cfebc823 (patch) | |
| tree | 6c443fe5ab30e763cc7936efd4036d85ffcd9ced /ChangeLog | |
| parent | e8f547c181e9b86fa590280c579fd3be495824ce (diff) | |
| download | tor-7ebfeff65756edf94dec5f1b0568d5a3cfebc823.tar tor-7ebfeff65756edf94dec5f1b0568d5a3cfebc823.tar.gz | |
forward-port the 0.2.3.23-rc changelog
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 59 |
1 files changed, 59 insertions, 0 deletions
@@ -1,3 +1,62 @@ +Changes in version 0.2.3.23-rc - 2012-10-20 + Tor 0.2.3.23-rc adds a new v3 directory authority, fixes a privacy + vulnerability introduced by a change in OpenSSL, and fixes a variety + of smaller bugs in preparation for the release. + + o New directory authorities: + - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory + authority. Closes ticket 5749. + + o Major bugfixes (security/privacy): + - Disable TLS session tickets. OpenSSL's implementation was giving + our TLS session keys the lifetime of our TLS context objects, when + perfect forward secrecy would want us to discard anything that + could decrypt a link connection as soon as the link connection + was closed. Fixes bug 7139; bugfix on all versions of Tor linked + against OpenSSL 1.0.0 or later. Found by Florent Daignière. + - Discard extraneous renegotiation attempts once the V3 link + protocol has been initiated. Failure to do so left us open to + a remotely triggerable assertion failure. Fixes CVE-2012-2249; + bugfix on 0.2.3.6-alpha. Reported by "some guy from France". + + o Major bugfixes: + - Fix a possible crash bug when checking for deactivated circuits + in connection_or_flush_from_first_active_circuit(). Fixes bug 6341; + bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously. + + o Minor bugfixes (on 0.2.3.x): + - Fix two cases in src/or/transports.c where we were calling + fmt_addr() twice in a parameter list. Bug found by David + Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha. + - Convert an assert in the pathbias code to a log message. The assert + appears to only be triggerable by Tor2Web mode. Fixes bug 6866; + bugfix on 0.2.3.17-beta. + - Fix memory leaks whenever we logged any message about the "path + bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc. + + o Minor bugfixes (on 0.2.2.x and earlier): + - Don't serve or accept v2 hidden service descriptors over a relay's + DirPort. It's never correct to do so, and disabling it might + make it more annoying to exploit any bugs that turn up in the + descriptor-parsing code. Fixes bug 7149. + - When relays refuse a "create" cell because their queue of pending + create cells is too big (typically because their cpu can't keep up + with the arrival rate), send back reason "resource limit" rather + than reason "internal", so network measurement scripts can get a + more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037. + - Correct file sizes when reading binary files on Cygwin, to avoid + a bug where Tor would fail to read its state file. Fixes bug 6844; + bugfix on 0.1.2.7-alpha. + - Avoid undefined behaviour when parsing the list of supported + rendezvous/introduction protocols in a hidden service descriptor. + Previously, Tor would have confused (as-yet-unused) protocol version + numbers greater than 32 with lower ones on many platforms. Fixes + bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis. + + o Documentation fixes: + - Clarify that hidden services are TCP only. Fixes bug 6024. + + Changes in version 0.2.4.3-alpha - 2012-09-22 Tor 0.2.4.3-alpha fixes another opportunity for a remotely triggerable assertion, resumes letting relays test reachability of their DirPort, |