[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-relays] (FWD) [tor-announce] Tor 0.3.0.7 is released, with a medium security fix for relays



For those of you who are not on tor-announce... now would be a good
time to remember to subscribe to tor-announce. :)

--Roger

----- Forwarded message from Nick Mathewson <nickm@xxxxxxxxxxxxxx> -----

Date: Mon, 15 May 2017 18:57:59 -0400
From: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
To: tor-announce@xxxxxxxxxxxxxxxxxxxx
Subject: [tor-announce] Tor 0.3.0.7 is released, with a medium security fix for relays

Hi, all!

There's a new Tor release (0.3.0.7) available on the website.  It
fixes a bug affecting relays running earlier versions of 0.3.0.x that
could allow attackers to trigger an assertion failure on those relays.
Clients are not affected; neither are relays running versions before
0.3.0.x.

If you're running a relay with one of the affected versions, you
should upgrade.  Source is available on the website now; packages
should be available over the next several days.

===========

Changes in version 0.3.0.7 - 2017-05-15
  Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions
  of Tor 0.3.0.x, where an attacker could cause a Tor relay process
  to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade;
  clients are not affected.

  o Major bugfixes (hidden service directory, security):
    - Fix an assertion failure in the hidden service directory code, which
      could be used by an attacker to remotely cause a Tor relay process to
      exit. Relays running earlier versions of Tor 0.3.0.x should upgrade.
      should upgrade. This security issue is tracked as TROVE-2017-002.
      Fixes bug 22246; bugfix on 0.3.0.1-alpha.

  o Minor features:
    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
      Country database.

  o Minor features (future-proofing):
    - Tor no longer refuses to download microdescriptors or descriptors
      if they are listed as "published in the future". This change will
      eventually allow us to stop listing meaningful "published" dates
      in microdescriptor consensuses, and thereby allow us to reduce the
      resources required to download consensus diffs by over 50%.
      Implements part of ticket 21642; implements part of proposal 275.

  o Minor bugfixes (Linux seccomp2 sandbox):
    - The getpid() system call is now permitted under the Linux seccomp2
      sandbox, to avoid crashing with versions of OpenSSL (and other
      libraries) that attempt to learn the process's PID by using the
      syscall rather than the VDSO code. Fixes bug 21943; bugfix
      on 0.2.5.1-alpha.
_______________________________________________
tor-announce mailing list
tor-announce@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce

----- End forwarded message -----

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays