author | Nick Mathewson <nickm@torproject.org> | 2011-12-15 11:59:09 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-12-15 11:59:09 -0500 |
commit | a7b5e72463f2cc1bb7beac3aa7cd375779ae0984 (patch) | |
tree | 21c6638bec0237b2fdab1608e56e6a2e96797885 | |
parent | e402edd96064ae853767dff459da2646bc70af5e (diff) | |
Changelog and blurb for 0.2.3.10-alpha
-rw-r--r-- | ChangeLog | 29 | ||||
-rw-r--r-- | changes/buffer_bug | 7 |
2 files changed, 26 insertions, 10 deletions
@@ -1,5 +1,30 @@ -Changes in version 0.2.3.10-alpha - 201?-??-?? +Changes in version 0.2.3.10-alpha - 2011-12-16 + Tor 0.2.3.10-alpha fixes a critical heap-overflow security issue in Tor's + buffers code. Absolutely everybody should upgrade. + + The bug relied on an incorrect calculation when making data continuous + in one of our IO buffers, if the first chunk of the buffer was + misaligned by just the wrong amount. The miscalculation would allow an + attacker to overflow a piece of heap-allocated memory. To mount this + attack, the attacker would need to either open a SOCKS connection to + Tor's SocksPort (usually restricted to localhost), or target a Tor + instance configured to make its connections through a SOCKS proxy + (which Tor does not do by default). + + Good security practice requires that all heap-overflow bugs should be + presumed to be exploitable until proven otherwise, so we are treating + this as a potential code execution attack. Please upgrade immediately! + This bug does not affect bufferevents-based builds of Tor. Special + thanks to "Vektor" for reporting this issue to us! + + This release also contains a few minor bugfixes for issues + discovered in 0.2.3.9-alpha. + o Major bugfixes: + - Fix a heap overflow bug that could occur when trying to pull + data into the first chunk of a buffer, when that chunk had + already had some data drained from it. Fixes CVE-2011-2778; + bugfix on 0.2.0.16-alpha. Reported by "Vektor". o Minor bugfixes: - If we can't attach streams to a rendezvous circuit when we @@ -11,8 +36,6 @@ Changes in version 0.2.3.10-alpha - 201?-??-?? Bugfix on 0.2.3.3-alpha; fixes bug 4655. - Fix compilation of the libnatpmp helper on non-Windows. Bugfix on 0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile. - - o Minor bugfixes: - Fix an assertion failure when a relay with accounting enabled starts up while dormant. Fixes bug 4702; bugfix on 0.2.3.9-alpha. 
diff --git a/changes/buffer_bug b/changes/buffer_bug deleted file mode 100644 index 634f609533..0000000000 --- a/changes/buffer_bug +++ /dev/null @@ -1,7 +0,0 @@ - - o Major bugfixes: - - Fix a heap overflow bug that could occur when trying to pull - data into the first chunk of a buffer, when that chunk had - already had some data drained from it. Fixes CVE-2011-2778; - bugfix on 0.2.0.16-alpha. Reported by "Vektor". - |
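Review bot: The new blurb in the first ChangeLog hunk (@@ -1,5 +1,30 @@) never says which releases are affected, even though the Major bugfixes entry directly below it states "bugfix on 0.2.0.16-alpha". Someone reading only the blurb could conclude that this is a problem in the 0.2.3.x alphas alone. Suggest adding a sentence to the blurb giving the affected range from that entry, and putting CVE-2011-2778 in the blurb as well so the announcement text is searchable by its identifier. Minor wording point in the same paragraph: "making data continuous in one of our IO buffers" probably means "contiguous".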
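Review bot: The entry removed from changes/buffer_bug and carried into the ChangeLog describes the trigger as a first chunk that "had already had some data drained from it", while the blurb added in the same commit describes it as a first chunk "misaligned by just the wrong amount". These read like two different conditions unless the reader already knows the buffer code. Suggest using one description in both places, or adding a short clause to the blurb tying the misalignment to data having been drained from the chunk.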