author | Nick Mathewson <nickm@torproject.org> | 2019-02-21 10:23:24 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2019-02-21 10:23:24 -0500 |
commit | 2d7735ea06b6ff9243d5516a24693941f2575f86 (patch) | |
tree | 32e26e4b8536b4546fcfac41e6096d886674a321 /ChangeLog | |
parent | f10a23d9a4dc9e334512f3f87a134b266b4943b5 (diff) | |
download | tor-2d7735ea06b6ff9243d5516a24693941f2575f86.tar.gz tor-2d7735ea06b6ff9243d5516a24693941f2575f86.zip |
Add TROVE-2019-001 to changelog for 0.3.5.8
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 13 |
1 files changed, 13 insertions, 0 deletions
@@ -3,6 +3,19 @@ Changes in version 0.3.5.8 - 2019-02-21 for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x releases. + It also includes a fix for a medium-severity security bug affecting Tor + 0.3.2.1-alpha and later. All Tor instances running an affected release + should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha. + + o Major bugfixes (cell scheduler, KIST, security): + - Make KIST consider the outbuf length when computing what it can + put in the outbuf. Previously, KIST acted as though the outbuf + were empty, which could lead to the outbuf becoming too full. It + is possible that an attacker could exploit this bug to cause a Tor + client or relay to run out of memory and crash. Fixes bug 29168; + bugfix on 0.3.2.1-alpha. This issue is also being tracked as + TROVE-2019-001 and CVE-2019-8955. + o Major bugfixes (networking, backport from 0.4.0.2-alpha): - Gracefully handle empty username/password fields in SOCKS5 username/password auth messsage and allow SOCKS5 handshake to |
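Review bot: The new summary paragraph says the bug affects Tor 0.3.2.1-alpha and later, but the upgrade targets it lists start at 0.3.3.12, so a reader on a 0.3.2.x release is not told which series to move to; consider stating that explicitly in that paragraph. The same paragraph calls this a medium-severity security bug without naming it, while TROVE-2019-001 and CVE-2019-8955 appear only at the end of the KIST bullet; repeating the identifiers in the summary would make the entry easier to find when searching the ChangeLog.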