From 845326317d9c468012ac99fab6e78575a807ed4f Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Fri, 12 Jun 2009 11:18:02 -0400 Subject: Check answer_len in the remap_addr case of process_relay_cell_not_open. Fix an edge case where a malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta. --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 527adc954..bce2aa39d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,9 @@ Changes in version 0.2.1.16-?? - 2009-??-?? + o Security fixes: + - Fix an edge case where a malicious exit relay could convince a + controller that the client's DNS question resolves to an internal IP + address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta. + o Major performance improvements (on 0.2.0.x): - Disable and refactor some debugging checks that forced a linear scan over the whole server-side DNS cache. These accounted for over 50% -- cgit v1.2.3
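Review bot: the new "Security fixes" entry in the ChangeLog hunk states the impact (a malicious exit relay convincing a controller that the client's DNS question resolves to an internal IP address) but not what was changed. The commit subject names the fix as an answer_len check in the remap_addr case of process_relay_cell_not_open, yet this view is limited to 'ChangeLog', so the check itself cannot be reviewed from these lines. I would add a short clause to the entry saying that the fix checks the answer length in that case, so that someone reading only the ChangeLog can tell what was hardened, and I would confirm that the code change is included alongside this entry.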