[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-announce] Tor 0.2.9.10 is released

To: tor-announce@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-announce] Tor 0.2.9.10 is released
From: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Wed, 1 Mar 2017 16:18:42 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Wed, 01 Mar 2017 16:20:55 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to; bh=2tTRTv7IAbpbQUSRV3p27a0+nI98JAWGHmZEptuEGNM=; b=ca132KAQQ8vCb6859Z0zynL8A4jrv04Vntd1byqEtKX8vF3Y8F2DXyrnKhFA8vFsKs k5fil9eFj7krXlHtqMopPXBunXfw9bw2JIq8FIhIBYST0doa7DZFxdqau6ZvOKqlkzO5 pDZRNizwx54idQ6rzFLVG8zOsCv65u5GK9Aq3eMZy0oitj7ywGiT4V577A+ahK3B8GvO azz4bCQSyDIS8j4y6/Y/3VGviqtuB46pAZO/f3eFiuUrWEPzIDaRrcbLXNZ4WhbUfmxc gOD2AUEp595NQtigCVBs6vF+V6rMasaIkMJlFmk2Rfkeu05C35sO+A0PkNAhNDTgCo8y yreQ==
List-archive: <http://lists.torproject.org/pipermail/tor-announce/>
List-help: <mailto:tor-announce-request@lists.torproject.org?subject=help>
List-id: "announce: Important announcements relating to Tor" <tor-announce.lists.torproject.org>
List-post: <mailto:tor-announce@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce>, <mailto:tor-announce-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-announce>, <mailto:tor-announce-request@lists.torproject.org?subject=unsubscribe>
Sender: "tor-announce" <tor-announce-bounces@xxxxxxxxxxxxxxxxxxxx>

(If you are about to reply saying "please take me off
this list", instead please follow these instructions:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
You will have to enter the actual email address you used to subscribe.)

You can download the source code from https://dist.torproject.org/
but most users should wait for the upcoming Tor Browser release, or
for their upcoming system package updates.

(0.3.0.4-rc also came out today, but non-stable releases get announced
on tor-talk.)


Changes in version 0.2.9.10 - 2017-03-01
  Tor 0.2.9.10 backports a security fix from a later Tor release.  It also
  includes fixes for some major issues affecting directory authorities,
  LibreSSL compatibility, and IPv6 correctness.

  The Tor 0.2.9.x release series is now marked as a long-term-support
  series.  We intend to backport security fixes to 0.2.9.x until at
  least January of 2020.

  o Major bugfixes (directory authority, 0.3.0.3-alpha):
    - During voting, when marking a relay as a probable sybil, do not
      clear its BadExit flag: sybils can still be bad in other ways
      too. (We still clear the other flags.) Fixes bug 21108; bugfix
      on 0.2.0.13-alpha.

  o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
    - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
      any IPv6 addresses. Instead, only reject a port over IPv6 if the
      exit policy rejects that port on more than an IPv6 /16 of
      addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
      which rejected a relay's own IPv6 address by default. Fixes bug
      21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.

  o Major bugfixes (parsing, also in 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor features (directory authorities, also in 0.3.0.4-rc):
    - Directory authorities now reject descriptors that claim to be
      malformed versions of Tor. Helps prevent exploitation of
      bug 21278.
    - Reject version numbers with components that exceed INT32_MAX.
      Otherwise 32-bit and 64-bit platforms would behave inconsistently.
      Fixes bug 21450; bugfix on 0.0.8pre1.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.

  o Minor features (portability, compilation, backport from 0.3.0.3-alpha):
    - Autoconf now checks to determine if OpenSSL structures are opaque,
      instead of explicitly checking for OpenSSL version numbers. Part
      of ticket 21359.
    - Support building with recent LibreSSL code that uses opaque
      structures. Closes ticket 21359.

  o Minor bugfixes (code correctness, also in 0.3.0.4-rc):
    - Repair a couple of (unreachable or harmless) cases of the risky
      comparison-by-subtraction pattern that caused bug 21278.

  o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
    - The tor-resolve command line tool now rejects hostnames over 255
      characters in length. Previously, it would silently truncate them,
      which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
      Patch by "junglefowl".
_______________________________________________
tor-announce mailing list
tor-announce@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce

Next by Author: [tor-announce] Tor Browser 6.5.1 is released
Next by thread: [tor-announce] Tor Browser 6.5.1 is released
Index(es):
- Author
- Thread