diff options
author | Roger Dingledine <arma@torproject.org> | 2011-10-26 20:41:51 -0400 |
---|---|---|
committer | Roger Dingledine <arma@torproject.org> | 2011-10-26 20:41:51 -0400 |
commit | 821f59b4df6877e497cb9c2a7691dd1eaa59c93c (patch) | |
tree | 172461a126ff010e54b652ab954f5113a7da4750 | |
parent | 1a160ae5235951f73620e980b480c919fc184c32 (diff) | |
download | tor-821f59b4df6877e497cb9c2a7691dd1eaa59c93c.tar.gz tor-821f59b4df6877e497cb9c2a7691dd1eaa59c93c.zip |
forward-port the stable releases notes
-rw-r--r-- | ChangeLog | 223 | ||||
-rw-r--r-- | ReleaseNotes | 223 |
2 files changed, 446 insertions, 0 deletions
@@ -124,6 +124,229 @@ Changes in version 0.2.3.6-alpha - 2011-10-26 should help prevent mistakes in the future. Fixes bug 3512. +Changes in version 0.2.2.34 - 2011-10-26 + Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker + can deanonymize Tor users. Everybody should upgrade. + + The attack relies on four components: 1) Clients reuse their TLS cert + when talking to different relays, so relays can recognize a user by + the identity key in her cert. 2) An attacker who knows the client's + identity key can probe each guard relay to see if that identity key + is connected to that guard relay right now. 3) A variety of active + attacks in the literature (starting from "Low-Cost Traffic Analysis + of Tor" by Murdoch and Danezis in 2005) allow a malicious website to + discover the guard relays that a Tor user visiting the website is using. + 4) Clients typically pick three guards at random, so the set of guards + for a given user could well be a unique fingerprint for her. This + release fixes components #1 and #2, which is enough to block the attack; + the other two remain as open research problems. Special thanks to + "frosty_un" for reporting the issue to us! + + Clients should upgrade so they are no longer recognizable by the TLS + certs they present. Relays should upgrade so they no longer allow a + remote attacker to probe them to test whether unpatched clients are + currently connected to them. + + This release also fixes several vulnerabilities that allow an attacker + to enumerate bridge relays. Some bridge enumeration attacks still + remain; see for example proposal 188. + + o Privacy/anonymity fixes (clients): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge + would use the same cert chain for all outgoing OR connections + for up to 24 hours, which allowed any relay that the client or + bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un". + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. + - Directory authorities no longer assign the Guard flag to relays + that haven't upgraded to the above "refuse EXTEND requests + to client connections" fix. Now directory authorities can + protect clients from the CVE-2011-2768 issue even if neither + the clients nor the relays have upgraded yet. There's a new + "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option + to let us transition smoothly, else tomorrow there would be no + guard relays. + + o Privacy/anonymity fixes (bridge enumeration): + - Bridge relays now do their directory fetches inside Tor TLS + connections, like all the other clients do, rather than connecting + directly to the DirPort like public relays do. Removes another + avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35. + - Bridges relays now build circuits for themselves in a more similar + way to how clients build them. Removes another avenue for + enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha, + when bridges were introduced. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + + o Major bugfixes: + - Fix a crash bug when changing node restrictions while a DNS lookup + is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix + by "Tey'". + - Don't launch a useless circuit after failing to use one of a + hidden service's introduction points. Previously, we would + launch a new introduction circuit, but not set the hidden service + which that circuit was intended to connect to, so it would never + actually be used. A different piece of code would then create a + new introduction circuit correctly. Bug reported by katmagic and + found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212. + + o Minor bugfixes: + - Change an integer overflow check in the OpenBSD_Malloc code so + that GCC is less likely to eliminate it as impossible. Patch + from Mansour Moufid. Fixes bug 4059. + - When a hidden service turns an extra service-side introduction + circuit into a general-purpose circuit, free the rend_data and + intro_key fields first, so we won't leak memory if the circuit + is cannibalized for use as another service-side introduction + circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251. + - Bridges now skip DNS self-tests, to act a little more stealthily. + Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced + bridges. Patch by "warms0x". + - Fix internal bug-checking logic that was supposed to catch + failures in digest generation so that it will fail more robustly + if we ask for a nonexistent algorithm. Found by Coverity Scan. + Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479. + - Report any failure in init_keys() calls launched because our + IP address has changed. Spotted by Coverity Scan. Bugfix on + 0.1.1.4-alpha; fixes CID 484. + + o Minor bugfixes (log messages and documentation): + - Remove a confusing dollar sign from the example fingerprint in the + man page, and also make the example fingerprint a valid one. Fixes + bug 4309; bugfix on 0.2.1.3-alpha. + - The next version of Windows will be called Windows 8, and it has + a major version of 6, minor version of 2. Correctly identify that + version instead of calling it "Very recent version". Resolves + ticket 4153; reported by funkstar. + - Downgrade log messages about circuit timeout calibration from + "notice" to "info": they don't require or suggest any human + intervention. Patch from Tom Lowenthal. Fixes bug 4063; + bugfix on 0.2.2.14-alpha. + + o Minor features: + - Turn on directory request statistics by default and include them in + extra-info descriptors. Don't break if we have no GeoIP database. + Backported from 0.2.3.1-alpha; implements ticket 3951. + - Update to the October 4 2011 Maxmind GeoLite Country database. + + +Changes in version 0.2.1.31 - 2011-10-26 + Tor 0.2.1.31 backports important security and privacy fixes for + oldstable. This release is intended only for package maintainers and + others who cannot use the 0.2.2 stable series. All others should be + using Tor 0.2.2.x or newer. + + o Security fixes (also included in 0.2.2.x): + - Replace all potentially sensitive memory comparison operations + with versions whose runtime does not depend on the data being + compared. This will help resist a class of attacks where an + adversary can use variations in timing information to learn + sensitive data. Fix for one case of bug 3122. (Safe memcmp + implementation by Robert Ransom based partially on code by DJB.) + - Fix an assert in parsing router descriptors containing IPv6 + addresses. This one took down the directory authorities when + somebody tried some experimental code. Bugfix on 0.2.1.3-alpha. + + o Privacy/anonymity fixes (also included in 0.2.2.x): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge + would use the same cert chain for all outgoing OR connections + for up to 24 hours, which allowed any relay that the client or + bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by frosty_un. + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + - When receiving a hidden service descriptor, check that it is for + the hidden service we wanted. Previously, Tor would store any + hidden service descriptors that a directory gave it, whether it + wanted them or not. This wouldn't have let an attacker impersonate + a hidden service, but it did let directories pre-seed a client + with descriptors that it didn't want. Bugfix on 0.0.6. + - Avoid linkability based on cached hidden service descriptors: forget + all hidden service descriptors cached as a client when processing a + SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6. + - Make the bridge directory authority refuse to answer directory + requests for "all" descriptors. It used to include bridge + descriptors in its answer, which was a major information leak. + Found by "piebeer". Bugfix on 0.2.0.3-alpha. + - Don't attach new streams to old rendezvous circuits after SIGNAL + NEWNYM. Previously, we would keep using an existing rendezvous + circuit if it remained open (i.e. if it were kept open by a + long-lived stream, or if a new stream were attached to it before + Tor could notice that it was old and no longer in use). Bugfix on + 0.1.1.15-rc; fixes bug 3375. + + o Minor bugfixes (also included in 0.2.2.x): + - When we restart our relay, we might get a successful connection + from the outside before we've started our reachability tests, + triggering a warning: "ORPort found reachable, but I have no + routerinfo yet. Failing to inform controller of success." This + bug was harmless unless Tor is running under a controller + like Vidalia, in which case the controller would never get a + REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha; + fixes bug 1172. + - Build correctly on OSX with zlib 1.2.4 and higher with all warnings + enabled. Fixes bug 1526. + - Remove undocumented option "-F" from tor-resolve: it hasn't done + anything since 0.2.1.16-rc. + - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned. + None of the cases where we did this before were wrong, but by making + this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28. + - Fix a rare crash bug that could occur when a client was configured + with a large number of bridges. Fixes bug 2629; bugfix on + 0.2.1.2-alpha. Bugfix by trac user "shitlei". + - Correct the warning displayed when a rendezvous descriptor exceeds + the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by + John Brooks. + - Fix an uncommon assertion failure when running with DNSPort under + heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha. + - When warning about missing zlib development packages during compile, + give the correct package names. Bugfix on 0.2.0.1-alpha. + - Require that introduction point keys and onion keys have public + exponent 65537. Bugfix on 0.2.0.10-alpha. + - Do not crash when our configuration file becomes unreadable, for + example due to a permissions change, between when we start up + and when a controller calls SAVECONF. Fixes bug 3135; bugfix + on 0.0.9pre6. + - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option. + Fixes bug 3208. + - Always NUL-terminate the sun_path field of a sockaddr_un before + passing it to the kernel. (Not a security issue: kernels are + smart enough to reject bad sockaddr_uns.) Found by Coverity; + CID #428. Bugfix on Tor 0.2.0.3-alpha. + - Don't stack-allocate the list of supplementary GIDs when we're + about to log them. Stack-allocating NGROUPS_MAX gid_t elements + could take up to 256K, which is way too much stack. Found by + Coverity; CID #450. Bugfix on 0.2.1.7-alpha. + + o Minor bugfixes (only in 0.2.1.x): + - Resume using micro-version numbers in 0.2.1.x: our Debian packages + rely on them. Bugfix on 0.2.1.30. + - Use git revisions instead of svn revisions when generating our + micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402. + + o Minor features (also included in 0.2.2.x): + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. + - Allow nameservers with IPv6 address. Resolves bug 2574. + - Update to the October 4 2011 Maxmind GeoLite Country database. + + Changes in version 0.2.3.5-alpha - 2011-09-28 Tor 0.2.3.5-alpha fixes two bugs that make it possible to enumerate bridge relays; fixes an assertion error that many users started hitting diff --git a/ReleaseNotes b/ReleaseNotes index 0f9299ec3e..879028a01d 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -3,6 +3,229 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.2.34 - 2011-10-26 + Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker + can deanonymize Tor users. Everybody should upgrade. + + The attack relies on four components: 1) Clients reuse their TLS cert + when talking to different relays, so relays can recognize a user by + the identity key in her cert. 2) An attacker who knows the client's + identity key can probe each guard relay to see if that identity key + is connected to that guard relay right now. 3) A variety of active + attacks in the literature (starting from "Low-Cost Traffic Analysis + of Tor" by Murdoch and Danezis in 2005) allow a malicious website to + discover the guard relays that a Tor user visiting the website is using. + 4) Clients typically pick three guards at random, so the set of guards + for a given user could well be a unique fingerprint for her. This + release fixes components #1 and #2, which is enough to block the attack; + the other two remain as open research problems. Special thanks to + "frosty_un" for reporting the issue to us! + + Clients should upgrade so they are no longer recognizable by the TLS + certs they present. Relays should upgrade so they no longer allow a + remote attacker to probe them to test whether unpatched clients are + currently connected to them. + + This release also fixes several vulnerabilities that allow an attacker + to enumerate bridge relays. Some bridge enumeration attacks still + remain; see for example proposal 188. + + o Privacy/anonymity fixes (clients): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge + would use the same cert chain for all outgoing OR connections + for up to 24 hours, which allowed any relay that the client or + bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un". + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. + - Directory authorities no longer assign the Guard flag to relays + that haven't upgraded to the above "refuse EXTEND requests + to client connections" fix. Now directory authorities can + protect clients from the CVE-2011-2768 issue even if neither + the clients nor the relays have upgraded yet. There's a new + "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option + to let us transition smoothly, else tomorrow there would be no + guard relays. + + o Privacy/anonymity fixes (bridge enumeration): + - Bridge relays now do their directory fetches inside Tor TLS + connections, like all the other clients do, rather than connecting + directly to the DirPort like public relays do. Removes another + avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35. + - Bridges relays now build circuits for themselves in a more similar + way to how clients build them. Removes another avenue for + enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha, + when bridges were introduced. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + + o Major bugfixes: + - Fix a crash bug when changing node restrictions while a DNS lookup + is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix + by "Tey'". + - Don't launch a useless circuit after failing to use one of a + hidden service's introduction points. Previously, we would + launch a new introduction circuit, but not set the hidden service + which that circuit was intended to connect to, so it would never + actually be used. A different piece of code would then create a + new introduction circuit correctly. Bug reported by katmagic and + found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212. + + o Minor bugfixes: + - Change an integer overflow check in the OpenBSD_Malloc code so + that GCC is less likely to eliminate it as impossible. Patch + from Mansour Moufid. Fixes bug 4059. + - When a hidden service turns an extra service-side introduction + circuit into a general-purpose circuit, free the rend_data and + intro_key fields first, so we won't leak memory if the circuit + is cannibalized for use as another service-side introduction + circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251. + - Bridges now skip DNS self-tests, to act a little more stealthily. + Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced + bridges. Patch by "warms0x". + - Fix internal bug-checking logic that was supposed to catch + failures in digest generation so that it will fail more robustly + if we ask for a nonexistent algorithm. Found by Coverity Scan. + Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479. + - Report any failure in init_keys() calls launched because our + IP address has changed. Spotted by Coverity Scan. Bugfix on + 0.1.1.4-alpha; fixes CID 484. + + o Minor bugfixes (log messages and documentation): + - Remove a confusing dollar sign from the example fingerprint in the + man page, and also make the example fingerprint a valid one. Fixes + bug 4309; bugfix on 0.2.1.3-alpha. + - The next version of Windows will be called Windows 8, and it has + a major version of 6, minor version of 2. Correctly identify that + version instead of calling it "Very recent version". Resolves + ticket 4153; reported by funkstar. + - Downgrade log messages about circuit timeout calibration from + "notice" to "info": they don't require or suggest any human + intervention. Patch from Tom Lowenthal. Fixes bug 4063; + bugfix on 0.2.2.14-alpha. + + o Minor features: + - Turn on directory request statistics by default and include them in + extra-info descriptors. Don't break if we have no GeoIP database. + Backported from 0.2.3.1-alpha; implements ticket 3951. + - Update to the October 4 2011 Maxmind GeoLite Country database. + + +Changes in version 0.2.1.31 - 2011-10-26 + Tor 0.2.1.31 backports important security and privacy fixes for + oldstable. This release is intended only for package maintainers and + others who cannot use the 0.2.2 stable series. All others should be + using Tor 0.2.2.x or newer. + + o Security fixes (also included in 0.2.2.x): + - Replace all potentially sensitive memory comparison operations + with versions whose runtime does not depend on the data being + compared. This will help resist a class of attacks where an + adversary can use variations in timing information to learn + sensitive data. Fix for one case of bug 3122. (Safe memcmp + implementation by Robert Ransom based partially on code by DJB.) + - Fix an assert in parsing router descriptors containing IPv6 + addresses. This one took down the directory authorities when + somebody tried some experimental code. Bugfix on 0.2.1.3-alpha. + + o Privacy/anonymity fixes (also included in 0.2.2.x): + - Clients and bridges no longer send TLS certificate chains on + outgoing OR connections. Previously, each client or bridge + would use the same cert chain for all outgoing OR connections + for up to 24 hours, which allowed any relay that the client or + bridge contacted to determine which entry guards it is using. + Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by frosty_un. + - If a relay receives a CREATE_FAST cell on a TLS connection, it + no longer considers that connection as suitable for satisfying a + circuit EXTEND request. Now relays can protect clients from the + CVE-2011-2768 issue even if the clients haven't upgraded yet. + - Bridges now refuse CREATE or CREATE_FAST cells on OR connections + that they initiated. Relays could distinguish incoming bridge + connections from client connections, creating another avenue for + enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha. + Found by "frosty_un". + - When receiving a hidden service descriptor, check that it is for + the hidden service we wanted. Previously, Tor would store any + hidden service descriptors that a directory gave it, whether it + wanted them or not. This wouldn't have let an attacker impersonate + a hidden service, but it did let directories pre-seed a client + with descriptors that it didn't want. Bugfix on 0.0.6. + - Avoid linkability based on cached hidden service descriptors: forget + all hidden service descriptors cached as a client when processing a + SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6. + - Make the bridge directory authority refuse to answer directory + requests for "all" descriptors. It used to include bridge + descriptors in its answer, which was a major information leak. + Found by "piebeer". Bugfix on 0.2.0.3-alpha. + - Don't attach new streams to old rendezvous circuits after SIGNAL + NEWNYM. Previously, we would keep using an existing rendezvous + circuit if it remained open (i.e. if it were kept open by a + long-lived stream, or if a new stream were attached to it before + Tor could notice that it was old and no longer in use). Bugfix on + 0.1.1.15-rc; fixes bug 3375. + + o Minor bugfixes (also included in 0.2.2.x): + - When we restart our relay, we might get a successful connection + from the outside before we've started our reachability tests, + triggering a warning: "ORPort found reachable, but I have no + routerinfo yet. Failing to inform controller of success." This + bug was harmless unless Tor is running under a controller + like Vidalia, in which case the controller would never get a + REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha; + fixes bug 1172. + - Build correctly on OSX with zlib 1.2.4 and higher with all warnings + enabled. Fixes bug 1526. + - Remove undocumented option "-F" from tor-resolve: it hasn't done + anything since 0.2.1.16-rc. + - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned. + None of the cases where we did this before were wrong, but by making + this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28. + - Fix a rare crash bug that could occur when a client was configured + with a large number of bridges. Fixes bug 2629; bugfix on + 0.2.1.2-alpha. Bugfix by trac user "shitlei". + - Correct the warning displayed when a rendezvous descriptor exceeds + the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by + John Brooks. + - Fix an uncommon assertion failure when running with DNSPort under + heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha. + - When warning about missing zlib development packages during compile, + give the correct package names. Bugfix on 0.2.0.1-alpha. + - Require that introduction point keys and onion keys have public + exponent 65537. Bugfix on 0.2.0.10-alpha. + - Do not crash when our configuration file becomes unreadable, for + example due to a permissions change, between when we start up + and when a controller calls SAVECONF. Fixes bug 3135; bugfix + on 0.0.9pre6. + - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option. + Fixes bug 3208. + - Always NUL-terminate the sun_path field of a sockaddr_un before + passing it to the kernel. (Not a security issue: kernels are + smart enough to reject bad sockaddr_uns.) Found by Coverity; + CID #428. Bugfix on Tor 0.2.0.3-alpha. + - Don't stack-allocate the list of supplementary GIDs when we're + about to log them. Stack-allocating NGROUPS_MAX gid_t elements + could take up to 256K, which is way too much stack. Found by + Coverity; CID #450. Bugfix on 0.2.1.7-alpha. + + o Minor bugfixes (only in 0.2.1.x): + - Resume using micro-version numbers in 0.2.1.x: our Debian packages + rely on them. Bugfix on 0.2.1.30. + - Use git revisions instead of svn revisions when generating our + micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402. + + o Minor features (also included in 0.2.2.x): + - Adjust the expiration time on our SSL session certificates to + better match SSL certs seen in the wild. Resolves ticket 4014. + - Allow nameservers with IPv6 address. Resolves bug 2574. + - Update to the October 4 2011 Maxmind GeoLite Country database. + + Changes in version 0.2.2.33 - 2011-09-13 Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's TLS handshake that makes relays and bridges that run this new version |