summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog16
-rw-r--r--changes/trove-2017-0018
2 files changed, 15 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index 34035313f3..9827884e70 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,24 @@
Changes in version 0.3.0.2-alpha - 2017-01-23
- Tor 0.3.0.2-alpha improves how exit relays and clients handle DNS
+ Tor 0.3.0.2-alpha fixes a denial-of-service bug where an attacker could
+ cause relays and clients (including hidden services) to crash, even if
+ they were not built with the --enable-expensive-hardening option.
+ This bug affects all 0.2.9.x versions, and also affects 0.3.0.1-alpha:
+ all relays running an affected version should upgrade.
+
+ Tor 0.3.0.2-alpha also improves how exit relays and clients handle DNS
time-to-live values, makes directory authorities enforce the 1-to-1
mapping of relay RSA identity keys to ED25519 identity keys, fixes a
client-side onion service reachability bug, does better at selecting
the set of fallback directories, and more.
+ o Major bugfixes (security, also in 0.2.9.9):
+ - Downgrade the "-ftrapv" option from "always on" to "only on when
+ --enable-expensive-hardening is provided." This hardening option, like
+ others, can turn survivable bugs into crashes--and having it on by
+ default made a (relatively harmless) integer overflow bug into a
+ denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on
+ 0.2.9.1-alpha.
+
o Major features (security):
- Change the algorithm used to decide DNS TTLs on client and server
side, to better resist DNS-based correlation attacks like the
diff --git a/changes/trove-2017-001 b/changes/trove-2017-001
deleted file mode 100644
index 5187e6d5f1..0000000000
--- a/changes/trove-2017-001
+++ /dev/null
@@ -1,8 +0,0 @@
- o Major bugfixes (security):
- - Downgrade the "-ftrapv" option from "always on" to "only on when
- --enable-expensive-hardening is provided." This hardening option, like
- others, can turn survivable bugs into crashes--and having it on by
- default made a (relatively harmless) integer overflow bug into a
- denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on
- 0.2.9.1-alpha.
-