[tor/master] forward-port trove-2017-001 entry and blurb. - tor-commits

23 Jan 2017

commit e760c1b2915634d98ff74e29209e176e4cc28635
Author: Nick Mathewson nickm@torproject.org
Date:   Mon Jan 23 09:16:36 2017 -0500
forward-port trove-2017-001 entry and blurb.
---
 ChangeLog              | 16 +++++++++++++++-
 changes/trove-2017-001 |  8 --------
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3403531..9827884 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,24 @@
 Changes in version 0.3.0.2-alpha - 2017-01-23
-  Tor 0.3.0.2-alpha improves how exit relays and clients handle DNS
+  Tor 0.3.0.2-alpha fixes a denial-of-service bug where an attacker could
+  cause relays and clients (including hidden services) to crash, even if
+  they were not built with the --enable-expensive-hardening option.
+  This bug affects all 0.2.9.x versions, and also affects 0.3.0.1-alpha:
+  all relays running an affected version should upgrade.
+
+  Tor 0.3.0.2-alpha also improves how exit relays and clients handle DNS
   time-to-live values, makes directory authorities enforce the 1-to-1
   mapping of relay RSA identity keys to ED25519 identity keys, fixes a
   client-side onion service reachability bug, does better at selecting
   the set of fallback directories, and more.
+  o Major bugfixes (security, also in 0.2.9.9):
+    - Downgrade the "-ftrapv" option from "always on" to "only on when
+      --enable-expensive-hardening is provided."  This hardening option, like
+      others, can turn survivable bugs into crashes--and having it on by
+      default made a (relatively harmless) integer overflow bug into a
+      denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on
+      0.2.9.1-alpha.
+
   o Major features (security):
     - Change the algorithm used to decide DNS TTLs on client and server
       side, to better resist DNS-based correlation attacks like the
diff --git a/changes/trove-2017-001 b/changes/trove-2017-001
deleted file mode 100644
index 5187e6d..0000000
--- a/changes/trove-2017-001
+++ /dev/null
@@ -1,8 +0,0 @@
-  o Major bugfixes (security):
-    - Downgrade the "-ftrapv" option from "always on" to "only on when
-      --enable-expensive-hardening is provided."  This hardening option, like
-      others, can turn survivable bugs into crashes--and having it on by
-      default made a (relatively harmless) integer overflow bug into a
-      denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on
-      0.2.9.1-alpha.
-

    