[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-announce] New stable Tor releases 0.2.8.15, 0.2.9.12, and 0.3.0.11, with fix for a medium security issue on hidden services



Hello!

We found a security issue in the hidden service code (CVE-2017-0380,
TROVE-2017-008) that can cause sensitive information to be written to
your logs if you have set the SafeLogging option to 0.   If you are
not running a hidden service, or you have not changed the SafeLogging
option from its default, you are not affected.  If you are running
0.2.5, you are not affected.  (0.2.4, 0.2.6, and 0.2.7 are no longer
supported.) For more information, including workaround steps, see
https://lists.torproject.org/pipermail/tor-talk/2017-September/043585.html

Because of this issue, we have released new Tor versions in the 0.2.8,
0.2.9, and 0.3.0 series.  If you build Tor from source, you will find
the source code for these releases at https://dist.torproject.org/ .
Packages should be available over the coming days -- in the meantime,
please see the advisory linked above for information on working around
this issue.

The release series 0.3.1.x has also become stable today; I'll announce
that in a separate email.

Below are the changelog entries for the new releases mentioned in this email:


Changes in version 0.2.8.15 - 2017-09-18
  Tor 0.2.8.15 backports a collection of bugfixes from later
  Tor series.

  Most significantly, it includes a fix for TROVE-2017-008, a
  security bug that affects hidden services running with the
  SafeLogging option disabled. For more information, see
  https://trac.torproject.org/projects/tor/ticket/23490

  Note that Tor 0.2.8.x will no longer be supported after 1 Jan
  2018.  We suggest that you upgrade to the latest stable release if
  possible.  If you can't, we recommend that you upgrade at least to
  0.2.9, which will be supported until 2020.

  o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    - Avoid an assertion failure bug affecting our implementation of
      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
      handling of "0xx" differs from what we had expected. Fixes bug
      22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Minor features:
    - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
    - Backport a fix for an "unused variable" warning that appeared
      in some versions of mingw. Fixes bug 22838; bugfix on
      0.2.8.1-alpha.

  o Minor bugfixes (defensive programming, undefined behavior,
backport from 0.3.1.4-alpha):
    - Fix a memset() off the end of an array when packing cells. This
      bug should be harmless in practice, since the corrupted bytes are
      still in the same structure, and are always padding bytes,
      ignored, or immediately overwritten, depending on compiler
      behavior. Nevertheless, because the memset()'s purpose is to make
      sure that any other cell-handling bugs can't expose bytes to the
      network, we need to fix it. Fixes bug 22737; bugfix on
      0.2.4.11-alpha. Fixes CID 1401591.

  o Build features (backport from 0.3.1.5-alpha):
    - Tor's repository now includes a Travis Continuous Integration (CI)
      configuration file (.travis.yml). This is meant to help new
      developers and contributors who fork Tor to a Github repository be
      better able to test their changes, and understand what we expect
      to pass. To use this new build feature, you must fork Tor to your
      Github account, then go into the "Integrations" menu in the
      repository settings for your fork and enable Travis, then push
      your changes. Closes ticket 22636.


Changes in version 0.2.9.12 - 2017-09-18
  Tor 0.2.9.12 backports a collection of bugfixes from later
  Tor series.

  Most significantly, it includes a fix for TROVE-2017-008, a
  security bug that affects hidden services running with the
  SafeLogging option disabled. For more information, see
  https://trac.torproject.org/projects/tor/ticket/23490

  o Major features (security, backport from 0.3.0.2-alpha):
    - Change the algorithm used to decide DNS TTLs on client and server
      side, to better resist DNS-based correlation attacks like the
      DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
      Feamster. Now relays only return one of two possible DNS TTL
      values, and clients are willing to believe DNS TTL values up to 3
      hours long. Closes ticket 19769.

  o Major bugfixes (crash, directory connections, backport from 0.3.0.5-rc):
    - Fix a rare crash when sending a begin cell on a circuit whose
      linked directory connection had already been closed. Fixes bug
      21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.

  o Major bugfixes (DNS, backport from 0.3.0.2-alpha):
    - Fix a bug that prevented exit nodes from caching DNS records for
      more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.

  o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
    - Fix a typo that had prevented TPROXY-based transparent proxying
      from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
      Patch from "d4fq0fQAgoJ".

  o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    - Avoid an assertion failure bug affecting our implementation of
      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
      handling of "0xx" differs from what we had expected. Fixes bug
      22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Minor features (code style, backport from 0.3.1.3-alpha):
    - Add "Falls through" comments to our codebase, in order to silence
      GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
      Stieger. Closes ticket 22446.

  o Minor features (geoip):
    - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (bandwidth accounting, backport from 0.3.1.1-alpha):
    - Roll over monthly accounting at the configured hour and minute,
      rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
      Found by Andrey Karpov with PVS-Studio.

  o Minor bugfixes (compilation, backport from 0.3.1.5-alpha):
    - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
      bugfix on 0.2.8.1-alpha.
    - Fix warnings when building with libscrypt and openssl scrypt support
      on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
    - When building with certain versions the mingw C header files, avoid
      float-conversion warnings when calling the C functions isfinite(),
      isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.1.7):
    - Avoid compiler warnings in the unit tests for running tor_sscanf()
      with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.

  o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
    - Backport a fix for an "unused variable" warning that appeared
      in some versions of mingw. Fixes bug 22838; bugfix on
      0.2.8.1-alpha.

  o Minor bugfixes (controller, backport from 0.3.1.7):
    - Do not crash when receiving a HSPOST command with an empty body.
      Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
    - Do not crash when receiving a POSTDESCRIPTOR command with an
      empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.

  o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
    - Avoid Coverity build warnings related to our BUG() macro. By
      default, Coverity treats BUG() as the Linux kernel does: an
      instant abort(). We need to override that so our BUG() macro
      doesn't prevent Coverity from analyzing functions that use it.
      Fixes bug 23030; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (defensive programming, undefined behavior,
backport from 0.3.1.4-alpha):
    - Fix a memset() off the end of an array when packing cells. This
      bug should be harmless in practice, since the corrupted bytes are
      still in the same structure, and are always padding bytes,
      ignored, or immediately overwritten, depending on compiler
      behavior. Nevertheless, because the memset()'s purpose is to make
      sure that any other cell-handling bugs can't expose bytes to the
      network, we need to fix it. Fixes bug 22737; bugfix on
      0.2.4.11-alpha. Fixes CID 1401591.

  o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
    - When setting the maximum number of connections allowed by the OS,
      always allow some extra file descriptors for other files. Fixes
      bug 22797; bugfix on 0.2.0.10-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
    - Avoid a sandbox failure when trying to re-bind to a socket and
      mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
    - Permit the fchmod system call, to avoid crashing on startup when
      starting with the seccomp2 sandbox and an unexpected set of
      permissions on the data directory or its contents. Fixes bug
      22516; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (relay, backport from 0.3.0.5-rc):
    - Avoid a double-marked-circuit warning that could happen when we
      receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
      on 0.1.0.1-rc.

  o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
    - Reject version numbers with non-numeric prefixes (such as +, -, or
      whitespace). Disallowing whitespace prevents differential version
      parsing between POSIX-based and Windows platforms. Fixes bug 21507
      and part of 21508; bugfix on 0.0.8pre1.

  o Build features (backport from 0.3.1.5-alpha):
    - Tor's repository now includes a Travis Continuous Integration (CI)
      configuration file (.travis.yml). This is meant to help new
      developers and contributors who fork Tor to a Github repository be
      better able to test their changes, and understand what we expect
      to pass. To use this new build feature, you must fork Tor to your
      Github account, then go into the "Integrations" menu in the
      repository settings for your fork and enable Travis, then push
      your changes. Closes ticket 22636.


Changes in version 0.3.0.11 - 2017-09-18
  Tor 0.3.0.11 backports a collection of bugfixes from Tor the 0.3.1
  series.

  Most significantly, it includes a fix for TROVE-2017-008, a
  security bug that affects hidden services running with the
  SafeLogging option disabled. For more information, see
  https://trac.torproject.org/projects/tor/ticket/23490

  o Minor features (code style, backport from 0.3.1.7):
    - Add "Falls through" comments to our codebase, in order to silence
      GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
      Stieger. Closes ticket 22446.

  o Minor features:
    - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation, backport from 0.3.1.7):
    - Avoid compiler warnings in the unit tests for calling tor_sscanf()
      with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.

  o Minor bugfixes (controller, backport from 0.3.1.7):
    - Do not crash when receiving a HSPOST command with an empty body.
      Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
    - Do not crash when receiving a POSTDESCRIPTOR command with an empty
      body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.

  o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
    - When setting the maximum number of connections allowed by the OS,
      always allow some extra file descriptors for other files. Fixes
      bug 22797; bugfix on 0.2.0.10-alpha.

  o Minor bugfixes (logging, relay, backport from 0.3.1.6-rc):
    - Remove a forgotten debugging message when an introduction point
      successfully establishes a hidden service prop224 circuit with
      a client.
    - Change three other log_warn() for an introduction point to
      protocol warnings, because they can be failure from the network
      and are not relevant to the operator. Fixes bug 23078; bugfix on
      0.3.0.1-alpha and 0.3.0.2-alpha.
_______________________________________________
tor-announce mailing list
tor-announce@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce