[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Tor 0.2.0.34 is released (security fixes)

To: or-announce@xxxxxxxxxxxxx
Subject: Tor 0.2.0.34 is released (security fixes)
From: Roger Dingledine <arma@xxxxxxx>
Date: Mon, 9 Feb 2009 18:12:15 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-announce-outgoing@xxxxxxxx
Delivered-to: or-announce@xxxxxxxx
Delivery-date: Mon, 09 Feb 2009 18:12:20 -0500
Sender: owner-or-announce@xxxxxxxxxxxxx
User-agent: Mutt/1.5.13 (2006-08-11)

Tor 0.2.0.34 features several more security-related fixes. You
should upgrade, especially if you run an exit relay (remote crash) or
a directory authority (remote infinite loop), or you're on an older
(pre-XP) or not-recently-patched Windows (remote exploit).

This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have
many known flaws, and nobody should be using them. You should upgrade. If
you're using a Linux or BSD and its packages are obsolete, stop using
those packages and upgrade anyway.

https://www.torproject.org/download.html

Changes in version 0.2.0.34 - 2009-02-08
  o Security fixes:
    - Fix an infinite-loop bug on handling corrupt votes under certain
      circumstances. Bugfix on 0.2.0.8-alpha.
    - Fix a temporary DoS vulnerability that could be performed by
      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
    - Avoid a potential crash on exit nodes when processing malformed
      input. Remote DoS opportunity. Bugfix on 0.2.0.33.
    - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
      Spec conformance issue. Bugfix on Tor 0.0.2pre27.

  o Minor bugfixes:
    - Fix compilation on systems where time_t is a 64-bit integer.
      Patch from Matthias Drochner.
    - Don't consider expiring already-closed client connections. Fixes
      bug 893. Bugfix on 0.0.2pre20.

Attachment: signature.asc
Description: Digital signature

Index(es):
- Author
- Thread