[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/release-0.3.1] Draft changelog for 0.3.1.10
commit babd102f0b2071694eb0cb9fcbf4a5cbab5c8b7f
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Thu Mar 1 16:41:35 2018 -0500
Draft changelog for 0.3.1.10
---
ChangeLog | 42 ++++++++++++++++++++++++++++++++++++++----
changes/bug25249 | 3 ---
changes/bug25249.2 | 3 ---
changes/trove-2018-001.1 | 6 ------
changes/trove-2018-004 | 8 --------
5 files changed, 38 insertions(+), 24 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f13c8a193..7bbe95d50 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,7 +2,30 @@ Changes in version 0.3.1.10 - 2018-03-??
Tor 0.3.1.10 backports a number of bugfixes, including important fixes for
security issues.
- BLURB HERE.
+ It includes an important security fix for a remote crash attack
+ against directory authorities, tracked as TROVE-2018-001.
+
+ This release also backports our new system for improved resistance to
+ denial-of-service attacks against relays.
+
+ This release also fixes several minor bugs and annoyances from
+ earlier releases.
+
+ All directory authorities should upgrade to one of the versions
+ released today. All relays not already running Tor 0.3.3.2-alpha or
+ later should upgrade to one of the versions released today.
+
+ Please note: according to our release calendar, Tor 0.3.1 will no
+ longer be supported after 1 July 2018. If you will be running Tor
+ after that date, you should make sure to plan to upgrade to the latest
+ stable version, or downgrade to 0.2.9 (which will receive long-term
+ support).
+
+ o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
+ - Fix a protocol-list handling bug that could be used to remotely crash
+ directory authorities with a null-pointer exception. Fixes bug 25074;
+ bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
+ CVE-2018-0490.
o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
- Give relays some defenses against the recent network overload. We
@@ -114,6 +137,14 @@ Changes in version 0.3.1.10 - 2018-03-??
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
on 0.2.5.1-alpha.
+ o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
+ - Fix a possible crash on malformed consensus. If a consensus had
+ contained an unparseable protocol line, it could have made clients
+ and relays crash with a null-pointer exception. To exploit this
+ issue, however, an attacker would need to be able to subvert the
+ directory authority system. Fixes bug 25251; bugfix on
+ 0.2.9.4-alpha. Also tracked as TROVE-2018-004.
+
o Minor bugfixes (directory cache, backport from 0.3.2.5-alpha):
- Recover better from empty or corrupt files in the consensus cache
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
@@ -186,14 +217,17 @@ Changes in version 0.3.1.10 - 2018-03-??
the other side ever sent a create_fast cell to us. Backports part
of the fixes from bugs 22805 and 24898.
+ o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
+ - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
+ 0.2.9.4-alpha.
+ - Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
+ bugfix on 0.2.9.4-alpha.
+
o Code simplification and refactoring (backport from 0.3.3.3-alpha):
- Update the "rust dependencies" submodule to be a project-level
repository, rather than a user repository. Closes ticket 25323.
-
-
-
Changes in version 0.3.1.9 - 2017-12-01:
Tor 0.3.1.9 backports important security and stability fixes from the
0.3.2 development series. All Tor users should upgrade to this
diff --git a/changes/bug25249 b/changes/bug25249
deleted file mode 100644
index b4153eeae..000000000
--- a/changes/bug25249
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (spec conformance):
- - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
- 0.2.9.4-alpha.
diff --git a/changes/bug25249.2 b/changes/bug25249.2
deleted file mode 100644
index 9058c1107..000000000
--- a/changes/bug25249.2
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (spec conformance):
- - Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
- bugfix on 0.2.9.4-alpha.
diff --git a/changes/trove-2018-001.1 b/changes/trove-2018-001.1
deleted file mode 100644
index f0ee92f40..000000000
--- a/changes/trove-2018-001.1
+++ /dev/null
@@ -1,6 +0,0 @@
- o Major bugfixes (denial-of-service, directory authority):
- - Fix a protocol-list handling bug that could be used to remotely crash
- directory authorities with a null-pointer exception. Fixes bug 25074;
- bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001.
-
-
diff --git a/changes/trove-2018-004 b/changes/trove-2018-004
deleted file mode 100644
index 37e0a89b0..000000000
--- a/changes/trove-2018-004
+++ /dev/null
@@ -1,8 +0,0 @@
- o Minor bugfixes (denial-of-service):
- - Fix a possible crash on malformed consensus. If a consensus had
- contained an unparseable protocol line, it could have made clients
- and relays crash with a null-pointer exception. To exploit this
- issue, however, an attacker would need to be able to subvert the
- directory-authority system. Fixes bug 25251; bugfix on
- 0.2.9.4-alpha. Also tracked as TROVE-2018-004.
-
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits