commit 20a46bdce6b573b9c219bb6f599fb28a22a64833 Author: Nick Mathewson <nickm@torproject.org> Date: Thu Jun 29 16:02:47 2017 -0400 Fold in changes entry for 22753, and write a blurb. --- ChangeLog | 25 ++++++++++++++++++------- changes/bug22753 | 7 ------- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 097482c..4bf8e6f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,20 @@ -Changes in version 0.3.1.4-alpha - 2017-06-29: - blurb goes here. +Changes in version 0.3.1.4-alpha - 2017-06-29 + Tor 0.3.1.4-alpha fixes a path selection bug that would allow a client + to use a guard that was in the same network family as a chosen exit + node. This is a security regression; all clients running earlier + versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or + 0.3.1.4-alpha. + + This release also fixes several other bugs related to new features in + 0.3.0.x and 0.3.1.x, including others that can effect bandwidth usage + and correctness. + + o Major bugfixes (path selection, security): + - When choosing which guard to use for a circuit, avoid the + exit's family along with the exit itself. Previously, the new + guard selection logic avoided the exit, but did not consider + its family. Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked + as TROVE-2016-006 and CVE-2017-0377. o New dependencies: - To build with zstd and lzma support, Tor now requires the pkg- @@ -78,21 +93,17 @@ Changes in version 0.3.1.4-alpha - 2017-06-29: permissions on the data directory or its contents. Fixes bug 22516; bugfix on 0.2.5.4-alpha. - o Minor bugfixes (logging, compression): + o Minor bugfixes (logging): - When decompressing, do not warn if we fail to decompress using a compression method that we merely guessed. Fixes part of bug 22670; bugfix on 0.1.1.14-alpha. - When decompressing, treat mismatch between content-encoding and actual compression type as a protocol warning. Fixes part of bug 22670; bugfix on 0.1.1.9-alpha. - - o Minor bugfixes (logging, relay): - Downgrade "assigned_to_cpuworker failed" message to INFO-level severity. In every case that can reach it, either a better warning has already been logged, or no warning is warranted. Fixes bug 22356; bugfix on 0.2.6.3-alpha. - - o Minor bugfixes (netflow padding logging): - Demote a warn that was caused by libevent delays to info if the padding is less than 4.5 seconds late, or notice if it is more (4.5 seconds is the amount of time that a netflow record might be diff --git a/changes/bug22753 b/changes/bug22753 deleted file mode 100644 index 32a6dfa..0000000 --- a/changes/bug22753 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (path selection, security): - - When choosing which guard to use for a circuit, avoid the - exit's family along with the exit itself. Previously, the new - guard selection logic avoided the exit, but did not consider - its family. Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked - as TROVE-2016-006 and CVE-2017-0377. -