commit d4b935e77f6675fab4e4efe91736a5f63c24e66b
Author: Nick Mathewson <nickm@torproject.org>
Date:   Thu Dec 15 11:56:26 2011 -0500

    Changelog for 0.2.2.35
---
 ChangeLog          | 24 ++++++++++++++++++++++--
 changes/buffer_bug |  7 -------
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog index a8f677b..e1bc545 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,23 @@ -Changes in version 0.2.2.35 - 2011-12-1? - - Tor 0.2.2.35 fixes several bugs in previous versions, including +Changes in version 0.2.2.35 - 2011-12-16 + Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's + buffers code. Absolutely everybody should upgrade. + + The bug relied on an incorrect calculation when making data continuous + in one of our IO buffers, if the first chunk of the buffer was + misaligned by just the wrong amount. The miscalculation would allow an + attacker to overflow a piece of heap-allocated memory. To mount this + attack, the attacker would need to either open a SOCKS connection to + Tor's SocksPort (usually restricted to localhost), or target a Tor + instance configured to make its connections through a SOCKS proxy + (which Tor does not do by default). + + Good security practice requires that all heap-overflow bugs should be + presumed to be exploitable until proven otherwise, so we are treating + this as a potential code execution attack. Please upgrade immediately! + This bug does not affect bufferevents-based builds of Tor. Special + thanks to "Vektor" for reporting this issue to us! + + Tor 0.2.2.35 also fixes several bugs in previous versions, including crash bugs for unusual configurations, and a long-term bug that would that would prevent Tor from starting on Windows machines with draconian AV software. @@ -11,6 +28,9 @@ Changes in version 0.2.2.35 - 2011-12-1? 0.2.2.x series. If you're using a Linux or BSD and its packages are obsolete, stop using those packages and upgrade anyway.
+ The Tor 0.2.1.x series is also approaching its end-of-life: it will no + longer receive support after some time in early 2011. + o Major bugfixes: - Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so that it doesn't attempt to allocate a socketpair. This could cause diff --git a/changes/buffer_bug b/changes/buffer_bug deleted file mode 100644 index 634f609..0000000 --- a/changes/buffer_bug +++ /dev/null @@ -1,7 +0,0 @@ - - o Major bugfixes: - - Fix a heap overflow bug that could occur when trying to pull - data into the first chunk of a buffer, when that chunk had - already had some data drained from it. Fixes CVE-2011-2778; - bugfix on 0.2.0.16-alpha. Reported by "Vektor". -
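Review bot: The new security paragraph in the first ChangeLog hunk (@@ -1,6 +1,23 @@) never names CVE-2011-2778 or the version that introduced the bug, although both were in the changes/buffer_bug entry this same commit deletes ("Fixes CVE-2011-2778; bugfix on 0.2.0.16-alpha. Reported by "Vektor"."). Once that file is gone the ChangeLog is the only record, so suggest adding a line such as `Fixes CVE-2011-2778; bugfix on 0.2.0.16-alpha.` after the "Vektor" credit so operators and package maintainers can match this release to the advisory. Minor, in the unchanged context of the same hunk: "a long-term bug that would that would prevent" has a duplicated "would" that could be fixed while the entry is being edited.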
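Review bot: The added end-of-life sentence in the second ChangeLog hunk (@@ -11,6 +28,9 @@) says 0.2.1.x will "no longer receive support after some time in early 2011", but this entry is dated 2011-12-16 in the hunk above, so that cutoff is already in the past. Please confirm the intended year before the release notes go out; as written, users on 0.2.1.x cannot tell whether they are already unsupported.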