commit 727d3f1b5e6eeda721339151e3cd49ffa7efbb29
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Thu Nov 30 14:58:58 2017 -0500
0.3.1.9 changelog.
---
ChangeLog | 94 ++++++++++++++++++++++++++++++++++++++++++++
changes/bastet_v6 | 4 --
changes/bug18329-minimal | 6 ---
changes/bug21394 | 9 -----
changes/bug23470 | 6 ---
changes/bug23693 | 6 ---
changes/bug24262 | 3 --
changes/bug24313 | 5 ---
changes/bug8185_025 | 6 ---
changes/geoip-2017-11-06 | 4 --
changes/ticket22895 | 3 --
changes/trove-2017-009 | 10 -----
changes/trove-2017-010 | 6 ---
changes/trove-2017-011 | 8 ----
changes/trove-2017-012-part1 | 6 ---
changes/trove-2017-012-part2 | 5 ---
16 files changed, 94 insertions(+), 87 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 572ddd352..0e3a738e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,97 @@
+Changes in version 0.3.1.9 - 2017-12-01:
+ Tor 0.3.1.9 backports important security and stability fixes from the
+ 0.3.2 development series. All Tor users should upgrade to this
+ release, or to another of the releases coming out today.
+
+ o Major bugfixes (security, backport from 0.3.2.6-alpha):
+ - Fix a denial of service bug where an attacker could use a
+ malformed directory object to cause a Tor instance to pause while
+ OpenSSL would try to read a passphrase from the terminal. (Tor
+ instances run without a terminal, which is the case for most Tor
+ packages, are not impacted.) Fixes bug 24246; bugfix on every
+ version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
+ Found by OSS-Fuzz as testcase 6360145429790720.
+ - Fix a denial of service issue where an attacker could crash a
+ directory authority using a malformed router descriptor. Fixes bug
+ 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
+ and CVE-2017-8820.
+ - When checking for replays in the INTRODUCE1 cell data for a
+ (legacy) onion service, correctly detect replays in the RSA-
+ encrypted part of the cell. We were previously checking for
+ replays on the entire cell, but those can be circumvented due to
+ the malleability of Tor's legacy hybrid encryption. This fix helps
+ prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
+ 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
+ and CVE-2017-8819.
+
+ o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
+ - Fix a use-after-free error that could crash v2 Tor onion services
+ when they failed to open circuits while expiring introduction
+ points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
+ also tracked as TROVE-2017-013 and CVE-2017-8823.
+
+ o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
+ - When running as a relay, make sure that we never build a path
+ through ourselves, even in the case where we have somehow lost the
+ version of our descriptor appearing in the consensus. Fixes part
+ of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
+ as TROVE-2017-012 and CVE-2017-8822.
+ - When running as a relay, make sure that we never choose ourselves
+ as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
+ issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
+
+ o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
+ - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
+ making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
+ 0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
+ identifying and finding a workaround to this bug and to Moritz,
+ Arthur Edelstein, and Roger for helping to track it down and
+ analyze it.
+
+ o Minor features (bridge):
+ - Bridges now include notice in their descriptors that they are
+ bridges, and notice of their distribution status, based on their
+ publication settings. Implements ticket 18329. For more fine-
+ grained control of how a bridge is distributed, upgrade to 0.3.2.x
+ or later.
+
+ o Minor features (directory authority, backport from 0.3.2.6-alpha):
+ - Add an IPv6 address for the "bastet" directory authority. Closes
+ ticket 24394.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
+ - Avoid unnecessary calls to directory_fetches_from_authorities() on
+ relays, to prevent spurious address resolutions and descriptor
+ rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
+ bugfix on in 0.2.8.1-alpha.
+
+ o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
+ - Fix unused variable warnings in donna's Curve25519 SSE2 code.
+ Fixes bug 22895; bugfix on 0.2.7.2-alpha.
+
+ o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
+ - When a circuit is marked for close, do not attempt to package any
+ cells for channels on that circuit. Previously, we would detect
+ this condition lower in the call stack, when we noticed that the
+ circuit had no attached channel, and log an annoying message.
+ Fixes bug 8185; bugfix on 0.2.5.4-alpha.
+
+ o Minor bugfixes (onion service, backport from 0.3.2.5-alpha):
+ - Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
+ so it matches dir-spec.txt. Fixes bug 24262; bugfix
+ on 0.3.1.1-alpha.
+
+ o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
+ - Avoid a crash when transitioning from client mode to bridge mode.
+ Previously, we would launch the worker threads whenever our
+ "public server" mode changed, but not when our "server" mode
+ changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
+
+
Changes in version 0.3.1.8 - 2017-10-25
Tor 0.3.1.8 is the second stable release in the 0.3.1 series.
It includes several bugfixes, including a bugfix for a crash issue
diff --git a/changes/bastet_v6 b/changes/bastet_v6
deleted file mode 100644
index ee4e2c809..000000000
--- a/changes/bastet_v6
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (directory authority):
- - Add an IPv6 address for the "bastet" directory authority.
- Closes ticket 24394.
-
diff --git a/changes/bug18329-minimal b/changes/bug18329-minimal
deleted file mode 100644
index 804c4e8dd..000000000
--- a/changes/bug18329-minimal
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor features (bridge):
- - Bridges now include notice in their descriptors that they are bridges,
- and notice of their distribution status, based on their publication
- settings. Implements ticket 18329. For more fine-grained control of
- how a bridge is distributed, upgrade to 0.3.2.x or later.
-
diff --git a/changes/bug21394 b/changes/bug21394
deleted file mode 100644
index e5452e20b..000000000
--- a/changes/bug21394
+++ /dev/null
@@ -1,9 +0,0 @@
- o Major bugfixes (Exit nodes):
- - Fix an issue causing high-bandwidth exit nodes to fail a majority
- or all of their DNS requests, making them basically unsuitable for
- regular usage in Tor circuits. The problem is related to
- libevent's DNS handling, but we can work around it in Tor. Fixes
- bugs 21394 and 18580; bugfix on 0.1.2.2-alpha which introduced
- eventdns. Credit goes to Dhalgren for identifying and finding a
- workaround to this bug and to gamambel, arthuredelstein and
- arma in helping to track it down and analyze it.
diff --git a/changes/bug23470 b/changes/bug23470
deleted file mode 100644
index 33367b3a3..000000000
--- a/changes/bug23470
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfix (relay address resolution):
- - Avoid unnecessary calls to directory_fetches_from_authorities()
- on relays. This avoids spurious address resolutions and
- descriptor rebuilds. This is a mitigation for 21789. The original
- bug was introduced in commit 35bbf2e as part of prop210.
- Fixes 23470 in 0.2.8.1-alpha.
diff --git a/changes/bug23693 b/changes/bug23693
deleted file mode 100644
index 796398be5..000000000
--- a/changes/bug23693
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (relay, crash):
- - Avoid a crash when transitioning from client mode to bridge mode.
- Previously, we would launch the worker threads whenever our "public
- server" mode changed, but not when our "server" mode changed.
- Fixes bug 23693; bugfix on 0.2.6.3-alpha.
-
diff --git a/changes/bug24262 b/changes/bug24262
deleted file mode 100644
index eee69512e..000000000
--- a/changes/bug24262
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (hidden service):
- - Fix the consensus parameter "hsdir-interval" to "hsdir_interval" so it
- matches the dir-spec.txt. Fixes bug 24262; bugfix on 0.3.1.1-alpha.
diff --git a/changes/bug24313 b/changes/bug24313
deleted file mode 100644
index b927ec3ba..000000000
--- a/changes/bug24313
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfixes (security, hidden service v2):
- - Fix a use-after-free error that could crash v2 Tor hidden services
- when it failed to open circuits while expiring introductions
- points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This
- issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
diff --git a/changes/bug8185_025 b/changes/bug8185_025
deleted file mode 100644
index 1bfc12b1e..000000000
--- a/changes/bug8185_025
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (logging, relay shutdown, annoyance):
- - When a circuit is marked for close, do not attempt to package any cells
- for channels on that circuit. Previously, we would detect this
- condition lower in the call stack, when we noticed that the circuit had
- no attached channel, and log an annoying message. Fixes bug 8185;
- bugfix on 0.2.5.4-alpha.
diff --git a/changes/geoip-2017-11-06 b/changes/geoip-2017-11-06
deleted file mode 100644
index f034be900..000000000
--- a/changes/geoip-2017-11-06
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (geoip):
- - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
- Country database.
-
diff --git a/changes/ticket22895 b/changes/ticket22895
deleted file mode 100644
index a3f7b8601..000000000
--- a/changes/ticket22895
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (compilation):
- - Fix unused variable warnings in donna's Curve25519 SSE2 code.
- Fixes bug 22895; bugfix on 0.2.7.2-alpha.
diff --git a/changes/trove-2017-009 b/changes/trove-2017-009
deleted file mode 100644
index 166a5faec..000000000
--- a/changes/trove-2017-009
+++ /dev/null
@@ -1,10 +0,0 @@
- o Major bugfixes (security):
- - When checking for replays in the INTRODUCE1 cell data for a (legacy)
- hiddden service, correctly detect replays in the RSA-encrypted part of
- the cell. We were previously checking for replays on the entire cell,
- but those can be circumvented due to the malleability of Tor's legacy
- hybrid encryption. This fix helps prevent a traffic confirmation
- attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also
- tracked as TROVE-2017-009 and CVE-2017-8819.
-
-
diff --git a/changes/trove-2017-010 b/changes/trove-2017-010
deleted file mode 100644
index d5bf9333d..000000000
--- a/changes/trove-2017-010
+++ /dev/null
@@ -1,6 +0,0 @@
- o Major bugfixes (security):
- - Fix a denial-of-service issue where an attacker could crash
- a directory authority using a malformed router descriptor.
- Fixes bug 24245; bugfix on 0.2.9.4-alpha. Also tracked
- as TROVE-2017-010 and CVE-2017-8820.
-
diff --git a/changes/trove-2017-011 b/changes/trove-2017-011
deleted file mode 100644
index 82d20d9e7..000000000
--- a/changes/trove-2017-011
+++ /dev/null
@@ -1,8 +0,0 @@
- o Major bugfixes (security):
- - Fix a denial of service bug where an attacker could use a malformed
- directory object to cause a Tor instance to pause while OpenSSL would
- try to read a passphrase from the terminal. (If the terminal was not
- available, tor would continue running.) Fixes bug 24246; bugfix on
- every version of Tor. Also tracked as TROVE-2017-011 and
- CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720.
-
diff --git a/changes/trove-2017-012-part1 b/changes/trove-2017-012-part1
deleted file mode 100644
index 9fccc2cf6..000000000
--- a/changes/trove-2017-012-part1
+++ /dev/null
@@ -1,6 +0,0 @@
- o Major bugfixes (security, relay):
- - When running as a relay, make sure that we never build a path through
- ourselves, even in the case where we have somehow lost the version of
- our descriptor appearing in the consensus. Fixes part of bug 21534;
- bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
- and CVE-2017-8822.
diff --git a/changes/trove-2017-012-part2 b/changes/trove-2017-012-part2
deleted file mode 100644
index ed994c5b0..000000000
--- a/changes/trove-2017-012-part2
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfixes (security, relay):
- - When running as a relay, make sure that we never ever choose ourselves
- as a guard. Previously, this was possible. Fixes part of bug 21534;
- bugfix on 0.3.0.1-alpha. This issue is also tracked as TROVE-2017-012
- and CVE-2017-8822.