Re: Tor 0.2.0.32 is released
- To: or-talk@xxxxxxxxxxxxx
- Subject: Re: Tor 0.2.0.32 is released
- From: "Matt LaPlante" <cyberdog3k@xxxxxxxxx>
- Date: Thu, 4 Dec 2008 17:34:28 -0600
- In-reply-to: <20081204173416.GA23589@xxxxxxxxxxxxxxxxxxx>
- References: <20081204173416.GA23589@xxxxxxxxxxxxxxxxxxx>
On Thu, Dec 4, 2008 at 11:34 AM, <phobos@xxxxxxxxxx> wrote:
> Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu packages
> (and maybe other packages) noticed by Theo de Raadt, fixes a smaller
> security flaw that might allow an attacker to access local services,
> further improves hidden service performance, and fixes a variety of
> other issues.
Are there any bugs open with Debian/Ubuntu to get these merged into
the security branches? I haven't checked Debian, but Ubuntu 8.10 is
currently still at 0.31.
>
> https://www.torproject.org/download.html
>
> Or use our new https://www.torproject.org/easy-download page.
>
> Changes in version 0.2.0.32 - 2008-11-20
> o Security fixes:
> - The "User" and "Group" config options did not clear the
> supplementary group entries for the Tor process. The "User" option
> is now more robust, and we now set the groups to the specified
> user's primary group. The "Group" option is now ignored. For more
> detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
> in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
> and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
> - The "ClientDNSRejectInternalAddresses" config option wasn't being
> consistently obeyed: if an exit relay refuses a stream because its
> exit policy doesn't allow it, we would remember what IP address
> the relay said the destination address resolves to, even if it's
> an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
>
> o Major bugfixes:
> - Fix a DOS opportunity during the voting signature collection process
> at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
>
> o Major bugfixes (hidden services):
> - When fetching v0 and v2 rendezvous service descriptors in parallel,
> we were failing the whole hidden service request when the v0
> descriptor fetch fails, even if the v2 fetch is still pending and
> might succeed. Similarly, if the last v2 fetch fails, we were
> failing the whole hidden service request even if a v0 fetch is
> still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
> - When extending a circuit to a hidden service directory to upload a
> rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
> requests failed, because the router descriptor has not been
> downloaded yet. In these cases, do not attempt to upload the
> rendezvous descriptor, but wait until the router descriptor is
> downloaded and retry. Likewise, do not attempt to fetch a rendezvous
> descriptor from a hidden service directory for which the router
> descriptor has not yet been downloaded. Fixes bug 767. Bugfix
> on 0.2.0.10-alpha.
>
> o Minor bugfixes:
> - Fix several infrequent memory leaks spotted by Coverity.
> - When testing for libevent functions, set the LDFLAGS variable
> correctly. Found by Riastradh.
> - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
> bootstrapping with tunneled directory connections. Bugfix on
> 0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
> - When asked to connect to A.B.exit:80, if we don't know the IP for A
> and we know that server B rejects most-but-not-all connections to
> port 80, we would previously reject the connection. Now, we assume
> the user knows what they were asking for. Fixes bug 752. Bugfix
> on 0.0.9rc5. Diagnosed by BarkerJr.
> - If we overrun our per-second write limits a little, count this as
> having used up our write allocation for the second, and choke
> outgoing directory writes. Previously, we had only counted this when
> we had met our limits precisely. Fixes bug 824. Patch by rovv.
> Bugfix on 0.2.0.x.
> - Remove the old v2 directory authority 'lefkada' from the default
> list. It has been gone for many months.
> - Stop doing unaligned memory access that generated bus errors on
> sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
> - Make USR2 log-level switch take effect immediately. Bugfix on
> 0.1.2.8-beta.
>
> o Minor bugfixes (controller):
> - Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
> 0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.
>
> --
> Andrew
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFJOBSYO50JPzGwl0sRAo63AJ9uVH8Rk0CSf9PXPlWfQuxqTt1IzQCeMtFB
> hvuayLifVdMBanIy2Za6y5M=
> =UkKO
> -----END PGP SIGNATURE-----
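The first security fix in the quoted changelog (the "User"/"Group" options leaving the supplementary group list untouched) is a classic privilege-dropping mistake: a daemon that switches uid but keeps root's supplementary groups still holds every group permission root had. As an added illustration, not Tor's code and not from this thread, the C routine below shows the order the fix implies: reduce the supplementary group list to the target user's primary group with setgroups(), then setgid(), then setuid(), and finally verify that root cannot be regained and that no stray group survived. The function names, the verification step and the command-line usage are my own assumptions; it has to be started as root to actually change users, and the pure helper only_primary_group() can be checked without root.

```c
/* Added example (not Tor's code): privilege dropping that also clears
 * supplementary groups, the gap the first security fix above describes. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if every gid in groups[0..n) equals `primary`, i.e. no stray
 * supplementary group is present; 0 otherwise. Pure, so it is checkable
 * without root. */
int only_primary_group(const gid_t *groups, int n, gid_t primary)
{
    for (int i = 0; i < n; i++)
        if (groups[i] != primary)
            return 0;
    return 1;
}

/* Inspect the live process: read its supplementary group list and check
 * it against the effective gid. Returns 1 if clean, 0 if stray groups
 * remain, -1 on error. */
int process_groups_clean(void)
{
    int n = getgroups(0, NULL);
    if (n < 0)
        return -1;
    gid_t *buf = malloc((size_t)(n > 0 ? n : 1) * sizeof *buf);
    if (!buf)
        return -1;
    n = getgroups(n, buf);
    int ok = (n < 0) ? -1 : only_primary_group(buf, n, getegid());
    free(buf);
    return ok;
}

/* Switch to `username` the way a daemon started as root should.
 * Returns 0 on success, -1 on failure. Assumed name and layout. */
int drop_to_user(const char *username)
{
    struct passwd *pw = getpwnam(username);
    if (!pw) {
        fprintf(stderr, "drop_to_user: no such user: %s\n", username);
        return -1;
    }
    gid_t primary = pw->pw_gid;

    /* 1. Supplementary groups first, while still root: skipping this
     *    keeps every group root was in (the bug in the changelog). */
    if (setgroups(1, &primary) != 0) {
        perror("setgroups");
        return -1;
    }
    /* 2. gid before uid: once the uid is unprivileged, setgid() fails. */
    if (setgid(primary) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(pw->pw_uid) != 0) {
        perror("setuid");
        return -1;
    }
    /* 3. Verify: root must not be recoverable and the group list must
     *    contain only the primary group. */
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        fprintf(stderr, "drop_to_user: regained root, refusing to continue\n");
        return -1;
    }
    if (process_groups_clean() != 1) {
        fprintf(stderr, "drop_to_user: supplementary groups not cleared\n");
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <username>   (run as root)\n", argv[0]);
        return 2;
    }
    if (drop_to_user(argv[1]) != 0)
        return 1;
    printf("now uid=%u gid=%u, supplementary groups cleared\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

The verification step matters as much as the switch itself: a daemon that cannot prove it lost root and its extra groups should refuse to start rather than run with more permissions than its configuration promises.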