[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor 0.2.3.10-alpha is out (security fix)

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-talk] Tor 0.2.3.10-alpha is out (security fix)
From: Roger Dingledine <arma@xxxxxxx>
Date: Fri, 16 Dec 2011 13:06:14 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 16 Dec 2011 13:06:28 -0500
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.18 (2008-05-17)

Tor 0.2.3.10-alpha fixes a critical heap-overflow security issue in
Tor's buffers code. Absolutely everybody should upgrade.

The bug relied on an incorrect calculation when making data continuous
in one of our IO buffers, if the first chunk of the buffer was
misaligned by just the wrong amount. The miscalculation would allow an
attacker to overflow a piece of heap-allocated memory. To mount this
attack, the attacker would need to either open a SOCKS connection to
Tor's SocksPort (usually restricted to localhost), or target a Tor
instance configured to make its connections through a SOCKS proxy
(which Tor does not do by default).

Good security practice requires that all heap-overflow bugs should be
presumed to be exploitable until proven otherwise, so we are treating
this as a potential code execution attack. Please upgrade immediately!
This bug does not affect bufferevents-based builds of Tor. Special
thanks to "Vektor" for reporting this issue to us!

This release also contains a few minor bugfixes for issues discovered
in 0.2.3.9-alpha.

https://www.torproject.org/download/download

Note that the tarball and git tags are signed by Nick Mathewson (gpg
key 165733EA) this time around.

Changes in version 0.2.3.10-alpha - 2011-12-16
  o Major bugfixes:
    - Fix a heap overflow bug that could occur when trying to pull
      data into the first chunk of a buffer, when that chunk had
      already had some data drained from it. Fixes CVE-2011-2778;
      bugfix on 0.2.0.16-alpha. Reported by "Vektor".

  o Minor bugfixes:
    - If we can't attach streams to a rendezvous circuit when we
      finish connecting to a hidden service, clear the rendezvous
      circuit's stream-isolation state and try to attach streams
      again. Previously, we cleared rendezvous circuits' isolation
      state either too early (if they were freshly built) or not at all
      (if they had been built earlier and were cannibalized). Bugfix on
      0.2.3.3-alpha; fixes bug 4655.
    - Fix compilation of the libnatpmp helper on non-Windows. Bugfix on
      0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile.
    - Fix an assertion failure when a relay with accounting enabled
      starts up while dormant. Fixes bug 4702; bugfix on 0.2.3.9-alpha.

  o Minor features:
    - Update to the December 6 2011 Maxmind GeoLite Country database.

Attachment: signature.asc
Description: Digital signature

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Prev by Author: Re: [tor-talk] New to List
Next by Author: Re: [tor-talk] Announcing the Tor Farsi blog
Previous by thread: [tor-talk] Tor Cloud image ready on Amazon’s new South America (Sao Paulo) Region
Next by thread: [tor-talk] Tor experiments with IPv6
Index(es):
- Author
- Thread