diff options
| -rw-r--r-- | ChangeLog | 171 | ||||
| -rw-r--r-- | ReleaseNotes | 61 | ||||
| -rw-r--r-- | changes/bug20711 | 7 | ||||
| -rw-r--r-- | changes/bug20894 | 9 | ||||
| -rw-r--r-- | changes/bug21007_case2 | 4 | ||||
| -rw-r--r-- | changes/bug21027 | 8 | ||||
| -rw-r--r-- | changes/bug21116 | 3 | ||||
| -rw-r--r-- | changes/bug21278_extras | 3 | ||||
| -rw-r--r-- | changes/bug21278_prevention | 4 | ||||
| -rw-r--r-- | changes/bug21369_check | 3 | ||||
| -rw-r--r-- | changes/bug21415 | 4 | ||||
| -rw-r--r-- | changes/bug21420 | 3 | ||||
| -rw-r--r-- | changes/bug21447 | 4 | ||||
| -rw-r--r-- | changes/bug21450 | 4 | ||||
| -rw-r--r-- | changes/bug21471 | 5 | ||||
| -rw-r--r-- | changes/bug21472 | 3 | ||||
| -rw-r--r-- | changes/bug21492 | 5 | ||||
| -rw-r--r-- | changes/bug21553 | 7 | ||||
| -rw-r--r-- | changes/bug21562 | 4 | ||||
| -rw-r--r-- | changes/bug21581 | 5 | ||||
| -rw-r--r-- | changes/feature21570 | 5 | ||||
| -rw-r--r-- | changes/geoip-february2017 | 4 | ||||
| -rw-r--r-- | changes/ticket20656 | 3 | ||||
| -rw-r--r-- | changes/trove-2017-001.2 | 8 |
24 files changed, 231 insertions, 106 deletions
@@ -1,4 +1,173 @@ -Changes in version 0.3.0.4-??? - 2017-02-?? +Changes in version 0.3.0.4-rc - 2017-03-01 + Tor 0.3.0.4-rc fixes some remaining bugs, large and small, in the + 0.3.0 release series, and introduces a few reliability features to + keep them from coming back. + + This is the first release candidate in the Tor 0.3.0 series. If we + find no new bugs or regressions here, the first stable 0.3.0 release + will be nearly identical to it. + + o Major bugfixes (bridges): + - When the same bridge is configured multiple times with the same + identity, but at different address:port combinations, treat those + bridge instances as separate guards. This fix restores the ability + of clients to configure the same bridge with multiple pluggable + transports. Fixes bug 21027; bugfix on 0.3.0.1-alpha. + + o Major bugfixes (hidden service directory v3): + - Stop crashing on a failed v3 hidden service descriptor lookup + failure. Fixes bug 21471; bugfixes on tor-0.3.0.1-alpha. + + o Major bugfixes (parsing): + - When parsing a malformed content-length field from an HTTP + message, do not read off the end of the buffer. This bug was a + potential remote denial-of-service attack against Tor clients and + relays. A workaround was released in October 2016, to prevent this + bug from crashing Tor. This is a fix for the underlying issue, + which should no longer matter (if you applied the earlier patch). + Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing + using AFL (http://lcamtuf.coredump.cx/afl/). + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor feature (protocol versioning): + - Add new protocol version for proposal 224. HSIntro now advertises + version "3-4" and HSDir version "1-2". Fixes ticket 20656. + + o Minor features (directory authorities): + - Directory authorities now reject descriptors that claim to be + malformed versions of Tor. Helps prevent exploitation of + bug 21278. + - Reject version numbers with components that exceed INT32_MAX. + Otherwise 32-bit and 64-bit platforms would behave inconsistently. + Fixes bug 21450; bugfix on 0.0.8pre1. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor features (reliability, crash): + - Try better to detect problems in buffers where they might grow (or + think they have grown) over 2 GB in size. Diagnostic for + bug 21369. + + o Minor features (testing): + - During 'make test-network-all', if tor logs any warnings, ask + chutney to output them. Requires a recent version of chutney with + the 21572 patch. Implements 21570. + + o Minor bugfixes (certificate expiration time): + - Avoid using link certificates that don't become valid till some + time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha + + o Minor bugfixes (code correctness): + - Repair a couple of (unreachable or harmless) cases of the risky + comparison-by-subtraction pattern that caused bug 21278. + - Remove a redundant check for the UseEntryGuards option from the + options_transition_affects_guards() function. Fixes bug 21492; + bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (directory mirrors): + - Allow relays to use directory mirrors without a DirPort: these + relays need to be contacted over their ORPorts using a begindir + connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha. + - Clarify the message logged when a remote relay is unexpectedly + missing an ORPort or DirPort: users were confusing this with a + local port. Fixes another case of bug 20711; bugfix + on 0.2.8.2-alpha. + + o Minor bugfixes (guards): + - Don't warn about a missing guard state on timeout-measurement + circuits: they aren't supposed to be using guards. Fixes an + instance of bug 21007; bugfix on 0.3.0.1-alpha. + - Silence a BUG() warning when attempting to use a guard whose + descriptor we don't know, and make this scenario less likely to + happen. Fixes bug 21415; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (hidden service): + - Pass correct buffer length when encoding legacy ESTABLISH_INTRO + cells. Previously, we were using sizeof() on a pointer, instead of + the real destination buffer. Fortunately, that value was only used + to double-check that there was enough room--which was already + enforced elsewhere. Fixes bug 21553; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (testing): + - Fix Raspbian build issues related to missing socket errno in + test_util.c. Fixes bug 21116; bugfix on tor-0.2.8.2. Patch + by "hein". + - Rename "make fuzz" to "make test-fuzz-corpora", since it doesn't + actually fuzz anything. Fixes bug 21447; bugfix on 0.3.0.3-alpha. + - Use bash in src/test/test-network.sh. This ensures we reliably + call chutney's newer tools/test-network.sh when available. Fixes + bug 21562; bugfix on 0.2.9.1-alpha. + + o Documentation: + - Small fixes to the fuzzing documentation. Closes ticket 21472. + + +Changes in version 0.2.9.10 - 2017-03-01 + Tor 0.2.9.10 backports a security fix from later Tor release. It also + includes fixes for some major issues affecting directory authorities, + LibreSSL compatibility, and IPv6 correctness. + + The Tor 0.2.9.x release series is now marked as a long-term-support + series. We intend to backport security fixes to 0.2.9.x until at + least January of 2020. + + o Major bugfixes (directory authority, 0.3.0.3-alpha): + - During voting, when marking a relay as a probable sybil, do not + clear its BadExit flag: sybils can still be bad in other ways + too. (We still clear the other flags.) Fixes bug 21108; bugfix + on 0.2.0.13-alpha. + + o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha): + - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects + any IPv6 addresses. Instead, only reject a port over IPv6 if the + exit policy rejects that port on more than an IPv6 /16 of + addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, + which rejected a relay's own IPv6 address by default. Fixes bug + 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha. + + o Major bugfixes (parsing, also in 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (directory authorities, also in 0.3.0.4-rc): + - Directory authorities now reject descriptors that claim to be + malformed versions of Tor. Helps prevent exploitation of + bug 21278. + - Reject version numbers with components that exceed INT32_MAX. + Otherwise 32-bit and 64-bit platforms would behave inconsistently. + Fixes bug 21450; bugfix on 0.0.8pre1. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor features (portability, compilation, backport from 0.3.0.3-alpha): + - Autoconf now checks to determine if OpenSSL structures are opaque, + instead of explicitly checking for OpenSSL version numbers. Part + of ticket 21359. + - Support building with recent LibreSSL code that uses opaque + structures. Closes ticket 21359. + + o Minor bugfixes (code correctness, also in 0.3.0.4-rc): + - Repair a couple of (unreachable or harmless) cases of the risky + comparison-by-subtraction pattern that caused bug 21278. + + o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha): + - The tor-resolve command line tool now rejects hostnames over 255 + characters in length. Previously, it would silently truncate them, + which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5. + Patch by "junglefowl". Changes in version 0.3.0.3-alpha - 2017-02-03 diff --git a/ReleaseNotes b/ReleaseNotes index d6adbe5f9b..8c7671e81a 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -2,6 +2,67 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.9.10 - 2017-03-01 + Tor 0.2.9.10 backports a security fix from later Tor release. It also + includes fixes for some major issues affecting directory authorities, + LibreSSL compatibility, and IPv6 correctness. + + The Tor 0.2.9.x release series is now marked as a long-term-support + series. We intend to backport security fixes to 0.2.9.x until at + least January of 2020. + + o Major bugfixes (directory authority, 0.3.0.3-alpha): + - During voting, when marking a relay as a probable sybil, do not + clear its BadExit flag: sybils can still be bad in other ways + too. (We still clear the other flags.) Fixes bug 21108; bugfix + on 0.2.0.13-alpha. + + o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha): + - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects + any IPv6 addresses. Instead, only reject a port over IPv6 if the + exit policy rejects that port on more than an IPv6 /16 of + addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, + which rejected a relay's own IPv6 address by default. Fixes bug + 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha. + + o Major bugfixes (parsing, also in 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (directory authorities, also in 0.3.0.4-rc): + - Directory authorities now reject descriptors that claim to be + malformed versions of Tor. Helps prevent exploitation of + bug 21278. + - Reject version numbers with components that exceed INT32_MAX. + Otherwise 32-bit and 64-bit platforms would behave inconsistently. + Fixes bug 21450; bugfix on 0.0.8pre1. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor features (portability, compilation, backport from 0.3.0.3-alpha): + - Autoconf now checks to determine if OpenSSL structures are opaque, + instead of explicitly checking for OpenSSL version numbers. Part + of ticket 21359. + - Support building with recent LibreSSL code that uses opaque + structures. Closes ticket 21359. + + o Minor bugfixes (code correctness, also in 0.3.0.4-rc): + - Repair a couple of (unreachable or harmless) cases of the risky + comparison-by-subtraction pattern that caused bug 21278. + + o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha): + - The tor-resolve command line tool now rejects hostnames over 255 + characters in length. Previously, it would silently truncate them, + which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5. + Patch by "junglefowl". + + Changes in version 0.2.9.9 - 2017-01-23 Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could cause relays and clients to crash, even if they were not built with diff --git a/changes/bug20711 b/changes/bug20711 deleted file mode 100644 index 0bc0d94fb1..0000000000 --- a/changes/bug20711 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (directory mirrors): - - Allow relays to use directory mirrors without a DirPort: these relays - need to be contacted over their ORPorts using a begindir connection. - Fixes bug 20711; bugfix on 0.2.8.2-alpha. - - Clarify the message logged when a remote relay is unexpectedly missing - an ORPort or DirPort: users were confusing this with a local port. - Fixes bug 20711; bugfix on 0.2.8.2-alpha. diff --git a/changes/bug20894 b/changes/bug20894 deleted file mode 100644 index 2dbf9b9aa9..0000000000 --- a/changes/bug20894 +++ /dev/null @@ -1,9 +0,0 @@ - o Major bugfixes (HTTP, parsing): - - When parsing a malformed content-length field from an HTTP message, - do not read off the end of the buffer. This bug was a potential - remote denial-of-service attack against Tor clients and relays. - A workaround was released in October 2016, which prevents this - bug from crashing Tor. This is a fix for the underlying issue, - which should no longer matter (if you applied the earlier patch). - Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing - using AFL (http://lcamtuf.coredump.cx/afl/). diff --git a/changes/bug21007_case2 b/changes/bug21007_case2 deleted file mode 100644 index 43344449ec..0000000000 --- a/changes/bug21007_case2 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (guards): - - Don't warn about a missing guard state on timeout-measurement - circuits: they aren't supposed to be using guards. Fixes an - instance of bug 21007; bugfix on 0.3.0.1-alpha. diff --git a/changes/bug21027 b/changes/bug21027 deleted file mode 100644 index d20df876fa..0000000000 --- a/changes/bug21027 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (bridges): - - - When the same bridge is configured multiple times at different - address:port combinations (but with the same identity), treat - those bridge instances as separate guards. This allows clients to - configure the same bridge with multiple pluggable transports, once - again. Fixes bug 21027; bugfix on 0.3.0.1-alpha. - diff --git a/changes/bug21116 b/changes/bug21116 deleted file mode 100644 index 2304ab0fd6..0000000000 --- a/changes/bug21116 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (test): - - Fix Raspbian build missing socket errno in test util. Fixes bug 21116.; - bugfix on tor-0.2.8.2. Patch by "hein". diff --git a/changes/bug21278_extras b/changes/bug21278_extras deleted file mode 100644 index ffdf4a047b..0000000000 --- a/changes/bug21278_extras +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (code correctness): - - Repair a couple of (unreachable or harmless) cases of the risky - comparison-by-subtraction pattern that caused bug 21278. diff --git a/changes/bug21278_prevention b/changes/bug21278_prevention deleted file mode 100644 index e07f0a670c..0000000000 --- a/changes/bug21278_prevention +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (directory authority): - - Directory authorities now reject descriptors that claim to be - malformed versions of Tor. Helps prevent exploitation of bug 21278. - diff --git a/changes/bug21369_check b/changes/bug21369_check deleted file mode 100644 index 2cd808c9b6..0000000000 --- a/changes/bug21369_check +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (reliability, crash): - - Try better to detect problems in buffers where they might grow (or - think they have grown) over 2 GB in size. Diagnostic for bug 21369. diff --git a/changes/bug21415 b/changes/bug21415 deleted file mode 100644 index f0aa72f81f..0000000000 --- a/changes/bug21415 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfix (entry guards): - - Silence a BUG() warning when attempting to use a guard whose descriptor - we don't know and make this scenario more unlikely to happen. Fixes bug - 21415; bugfix on 0.3.0.1-alpha. diff --git a/changes/bug21420 b/changes/bug21420 deleted file mode 100644 index 014404466a..0000000000 --- a/changes/bug21420 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (certificate expiration time): - - Avoid using link certificates that don't become valid till - some time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha diff --git a/changes/bug21447 b/changes/bug21447 deleted file mode 100644 index c025b92313..0000000000 --- a/changes/bug21447 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (testing): - - Rename "make fuzz" to "make test-fuzz-corpora", since it doesn't - actually fuzz anything. Fixes bug 21447; bugfix on 0.3.0.3-alpha. - diff --git a/changes/bug21450 b/changes/bug21450 deleted file mode 100644 index a1cf89ab41..0000000000 --- a/changes/bug21450 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (voting consistency): - - Reject version numbers with components that exceed INT32_MAX. - Otherwise 32-bit and 64-bit platforms would behave inconsistently. - Fixes bug 21450; bugfix on 0.0.8pre1. diff --git a/changes/bug21471 b/changes/bug21471 deleted file mode 100644 index 684035b19c..0000000000 --- a/changes/bug21471 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (hidden service directory v3): - - When a descriptor lookup was done and it was not found in the directory - cache, it would crash on a NULL pointer instead of returning the 404 - code back to the client like it was suppose to. Fixes bug 21471.; - bugfixes on tor-0.3.0.1-alpha. diff --git a/changes/bug21472 b/changes/bug21472 deleted file mode 100644 index f31ec9157e..0000000000 --- a/changes/bug21472 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation: - - Small fixes to the fuzzing documentation. Closes ticket - 21472. diff --git a/changes/bug21492 b/changes/bug21492 deleted file mode 100644 index 2ed7947771..0000000000 --- a/changes/bug21492 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (correctness): - - Remove a redundant check for the UseEntryGuards option from the - options_transition_affects_guards() function. Fixes bug 21492; - bugfix on 0.3.0.1-alpha. - diff --git a/changes/bug21553 b/changes/bug21553 deleted file mode 100644 index 6ffa3e29a2..0000000000 --- a/changes/bug21553 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (hidden service): - - When encoding a legacy ESTABLISH_INTRO cell, we were using the sizeof() - on a pointer instead of real size of the destination buffer leading to - an overflow passing an enormous value to the signing digest function. - Fortunately, that value was only used to make sure the destination - buffer length was big enough for the key size and in this case it was. - Fixes bug 21553; bugfix on tor-0.3.0.1-alpha. diff --git a/changes/bug21562 b/changes/bug21562 deleted file mode 100644 index 48396a00e7..0000000000 --- a/changes/bug21562 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (testing): - - Use bash in src/test/test-network.sh. This ensures we reliably call - chutney's newer tools/test-network.sh when available. - Fixes bug 21562; bugfix on tor-0.2.9.1-alpha. diff --git a/changes/bug21581 b/changes/bug21581 deleted file mode 100644 index 1077719856..0000000000 --- a/changes/bug21581 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (testing): - - Restore support for test-network.sh on BSD and other systems without - bash. (But use bash if it's available.) This is a workaround until we - remove bash-specific code in 19699. - Fixes bug 21581; bugfix on 21562, not in any released version of tor. diff --git a/changes/feature21570 b/changes/feature21570 deleted file mode 100644 index 40555eefa9..0000000000 --- a/changes/feature21570 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (testing): - - During 'make test-network-all', if tor logs any warnings, ask chutney - to output them. Requires a recent version of chutney with the 21572 - patch. - Implements 21570. diff --git a/changes/geoip-february2017 b/changes/geoip-february2017 deleted file mode 100644 index ec54b6122a..0000000000 --- a/changes/geoip-february2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/ticket20656 b/changes/ticket20656 deleted file mode 100644 index 28192e8978..0000000000 --- a/changes/ticket20656 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor feature (protover): - - Add new protocol version for proposal 224. HSIntro now advertises - version "3-4" and HSDir version "1-2". Fixes ticket 20656. diff --git a/changes/trove-2017-001.2 b/changes/trove-2017-001.2 deleted file mode 100644 index 3ef073cf9f..0000000000 --- a/changes/trove-2017-001.2 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (parsing): - - Fix an integer underflow bug when comparing malformed Tor versions. - This bug is harmless, except when Tor has been built with - --enable-expensive-hardening, which would turn it into a crash; - or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with - -ftrapv by default. - Part of TROVE-2017-001. Fixes bug 21278; bugfix on - 0.0.8pre1. Found by OSS-Fuzz. |