[tor-announce] Tor 0.2.5.12 and 0.2.6.7 are released

Roger Dingledine arma at mit.edu
Tue Apr 7 18:19:39 UTC 2015


Tor 0.2.5.12 and 0.2.6.7 fix two security issues that could be used by
an attacker to crash hidden services, or crash clients visiting hidden
services. Hidden services should upgrade as soon as possible; clients
should upgrade whenever packages become available.

These releases also contain two simple improvements to make hidden
services a bit less vulnerable to denial-of-service attacks.

We also made a Tor 0.2.4.27 release so that Debian stable can easily
integrate these fixes.

The Tor Browser team is currently evaluating whether to put out a new
Tor Browser stable release with these fixes, or wait until next week
for their scheduled next stable release.

Changes in version 0.2.5.12 - 2015-04-06
  o Major bugfixes (security, hidden service):
    - Fix an issue that would allow a malicious client to trigger an
      assertion failure and halt a hidden service. Fixes bug 15600;
      bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
    - Fix a bug that could cause a client to crash with an assertion
      failure when parsing a malformed hidden service descriptor. Fixes
      bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".

  o Minor features (DoS-resistance, hidden service):
    - Introduction points no longer allow multiple INTRODUCE1 cells to
      arrive on the same circuit. This should make it more expensive for
      attackers to overwhelm hidden services with introductions.
      Resolves ticket 15515.


Changes in version 0.2.6.7 - 2015-04-06
  o Major bugfixes (security, hidden service):
    - Fix an issue that would allow a malicious client to trigger an
      assertion failure and halt a hidden service. Fixes bug 15600;
      bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
    - Fix a bug that could cause a client to crash with an assertion
      failure when parsing a malformed hidden service descriptor. Fixes
      bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".

  o Minor features (DoS-resistance, hidden service):
    - Introduction points no longer allow multiple INTRODUCE1 cells to
      arrive on the same circuit. This should make it more expensive for
      attackers to overwhelm hidden services with introductions.
      Resolves ticket 15515.
    - Decrease the amount of reattempts that a hidden service performs
      when its rendezvous circuits fail. This reduces the computational
      cost for running a hidden service under heavy load. Resolves
      ticket 11447.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-announce/attachments/20150407/ef18514f/attachment.sig>


More information about the tor-announce mailing list