author Roger Dingledine <arma@torproject.org> 2012-03-26 22:15:02 -0400
committer Roger Dingledine <arma@torproject.org> 2012-03-26 22:15:02 -0400
commit de73e3692a6d83774027ac9d29e1ec8608076385 (patch)
tree 28eaa94bab8ff01f88efce53305a4f803c92cd38 /ChangeLog
parent 65bf007a77be579a05e2bbc4fdcdea3741439f3e (diff)
merge in the safecookie changelog entry too
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 7
1 files changed, 7 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index d6cc6d646..52c73451e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,13 @@ Changes in version 0.2.3.13-alpha - 2012-03-26
- Change IP address for maatuska (v3 directory authority).
o Security fixes:
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the contoller into telling
+ it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+ authentication method uses a challenge-response approach to prevent
+ this attack. Fixes bug 5185, implements proposal 193.
- Never use a bridge or a controller-supplied node as an exit, even
if its exit policy allows it. Found by wanoskarnet. Fixes bug
5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
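Review bot: typo in the added Security fixes entry, "contoller" should be "controller" in the line "process, then that program could trick the contoller into telling". The entry also refers only to "the old method" without naming it, so a controller author reading the ChangeLog cannot tell which authentication method is affected; consider naming it, and since the wording "Provide controllers with a safer way" suggests the old method stays available, say explicitly that a controller has to switch to "SAFECOOKIE" to get the protection.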