[tor-announce] New stable Tor releases 0.2.8.15, 0.2.9.12, and 0.3.0.11, with fix for a medium security issue on hidden services
Nick Mathewson
nickm at torproject.org
Mon Sep 18 16:01:57 UTC 2017
Hello!
We found a security issue in the hidden service code (CVE-2017-0380,
TROVE-2017-008) that can cause sensitive information to be written to
your logs if you have set the SafeLogging option to 0. If you are
not running a hidden service, or you have not changed the SafeLogging
option from its default, you are not affected. If you are running
0.2.5, you are not affected. (0.2.4, 0.2.6, and 0.2.7 are no longer
supported.) For more information, including workaround steps, see
https://lists.torproject.org/pipermail/tor-talk/2017-September/043585.html
Because of this issue, we have released new Tor versions in the 0.2.8,
0.2.9, and 0.3.0 series. If you build Tor from source, you will find
the source code for these releases at https://dist.torproject.org/ .
Packages should be available over the coming days -- in the meantime,
please see the advisory linked above for information on working around
this issue.
The release series 0.3.1.x has also become stable today; I'll announce
that in a separate email.
Below are the changelog entries for the new releases mentioned in this email:
Changes in version 0.2.8.15 - 2017-09-18
Tor 0.2.8.15 backports a collection of bugfixes from later
Tor series.
Most significantly, it includes a fix for TROVE-2017-008, a
security bug that affects hidden services running with the
SafeLogging option disabled. For more information, see
https://trac.torproject.org/projects/tor/ticket/23490
Note that Tor 0.2.8.x will no longer be supported after 1 Jan
2018. We suggest that you upgrade to the latest stable release if
possible. If you can't, we recommend that you upgrade at least to
0.2.9, which will be supported until 2020.
o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
- Avoid an assertion failure bug affecting our implementation of
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
handling of "0xx" differs from what we had expected. Fixes bug
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
o Minor features:
- Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
- Backport a fix for an "unused variable" warning that appeared
in some versions of mingw. Fixes bug 22838; bugfix on
0.2.8.1-alpha.
o Minor bugfixes (defensive programming, undefined behavior,
backport from 0.3.1.4-alpha):
- Fix a memset() off the end of an array when packing cells. This
bug should be harmless in practice, since the corrupted bytes are
still in the same structure, and are always padding bytes,
ignored, or immediately overwritten, depending on compiler
behavior. Nevertheless, because the memset()'s purpose is to make
sure that any other cell-handling bugs can't expose bytes to the
network, we need to fix it. Fixes bug 22737; bugfix on
0.2.4.11-alpha. Fixes CID 1401591.
o Build features (backport from 0.3.1.5-alpha):
- Tor's repository now includes a Travis Continuous Integration (CI)
configuration file (.travis.yml). This is meant to help new
developers and contributors who fork Tor to a Github repository be
better able to test their changes, and understand what we expect
to pass. To use this new build feature, you must fork Tor to your
Github account, then go into the "Integrations" menu in the
repository settings for your fork and enable Travis, then push
your changes. Closes ticket 22636.
Changes in version 0.2.9.12 - 2017-09-18
Tor 0.2.9.12 backports a collection of bugfixes from later
Tor series.
Most significantly, it includes a fix for TROVE-2017-008, a
security bug that affects hidden services running with the
SafeLogging option disabled. For more information, see
https://trac.torproject.org/projects/tor/ticket/23490
o Major features (security, backport from 0.3.0.2-alpha):
- Change the algorithm used to decide DNS TTLs on client and server
side, to better resist DNS-based correlation attacks like the
DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
Feamster. Now relays only return one of two possible DNS TTL
values, and clients are willing to believe DNS TTL values up to 3
hours long. Closes ticket 19769.
o Major bugfixes (crash, directory connections, backport from 0.3.0.5-rc):
- Fix a rare crash when sending a begin cell on a circuit whose
linked directory connection had already been closed. Fixes bug
21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.
o Major bugfixes (DNS, backport from 0.3.0.2-alpha):
- Fix a bug that prevented exit nodes from caching DNS records for
more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.
o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
- Fix a typo that had prevented TPROXY-based transparent proxying
from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
Patch from "d4fq0fQAgoJ".
o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
- Avoid an assertion failure bug affecting our implementation of
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
handling of "0xx" differs from what we had expected. Fixes bug
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
o Minor features (code style, backport from 0.3.1.3-alpha):
- Add "Falls through" comments to our codebase, in order to silence
GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
Stieger. Closes ticket 22446.
o Minor features (geoip):
- Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (bandwidth accounting, backport from 0.3.1.1-alpha):
- Roll over monthly accounting at the configured hour and minute,
rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
Found by Andrey Karpov with PVS-Studio.
o Minor bugfixes (compilation, backport from 0.3.1.5-alpha):
- Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
bugfix on 0.2.8.1-alpha.
- Fix warnings when building with libscrypt and openssl scrypt support
on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
- When building with certain versions the mingw C header files, avoid
float-conversion warnings when calling the C functions isfinite(),
isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (compilation, backport from 0.3.1.7):
- Avoid compiler warnings in the unit tests for running tor_sscanf()
with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
- Backport a fix for an "unused variable" warning that appeared
in some versions of mingw. Fixes bug 22838; bugfix on
0.2.8.1-alpha.
o Minor bugfixes (controller, backport from 0.3.1.7):
- Do not crash when receiving a HSPOST command with an empty body.
Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
- Do not crash when receiving a POSTDESCRIPTOR command with an
empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
- Avoid Coverity build warnings related to our BUG() macro. By
default, Coverity treats BUG() as the Linux kernel does: an
instant abort(). We need to override that so our BUG() macro
doesn't prevent Coverity from analyzing functions that use it.
Fixes bug 23030; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (defensive programming, undefined behavior,
backport from 0.3.1.4-alpha):
- Fix a memset() off the end of an array when packing cells. This
bug should be harmless in practice, since the corrupted bytes are
still in the same structure, and are always padding bytes,
ignored, or immediately overwritten, depending on compiler
behavior. Nevertheless, because the memset()'s purpose is to make
sure that any other cell-handling bugs can't expose bytes to the
network, we need to fix it. Fixes bug 22737; bugfix on
0.2.4.11-alpha. Fixes CID 1401591.
o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
- When setting the maximum number of connections allowed by the OS,
always allow some extra file descriptors for other files. Fixes
bug 22797; bugfix on 0.2.0.10-alpha.
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
- Avoid a sandbox failure when trying to re-bind to a socket and
mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
- Permit the fchmod system call, to avoid crashing on startup when
starting with the seccomp2 sandbox and an unexpected set of
permissions on the data directory or its contents. Fixes bug
22516; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (relay, backport from 0.3.0.5-rc):
- Avoid a double-marked-circuit warning that could happen when we
receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
on 0.1.0.1-rc.
o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
- Reject version numbers with non-numeric prefixes (such as +, -, or
whitespace). Disallowing whitespace prevents differential version
parsing between POSIX-based and Windows platforms. Fixes bug 21507
and part of 21508; bugfix on 0.0.8pre1.
o Build features (backport from 0.3.1.5-alpha):
- Tor's repository now includes a Travis Continuous Integration (CI)
configuration file (.travis.yml). This is meant to help new
developers and contributors who fork Tor to a Github repository be
better able to test their changes, and understand what we expect
to pass. To use this new build feature, you must fork Tor to your
Github account, then go into the "Integrations" menu in the
repository settings for your fork and enable Travis, then push
your changes. Closes ticket 22636.
Changes in version 0.3.0.11 - 2017-09-18
Tor 0.3.0.11 backports a collection of bugfixes from Tor the 0.3.1
series.
Most significantly, it includes a fix for TROVE-2017-008, a
security bug that affects hidden services running with the
SafeLogging option disabled. For more information, see
https://trac.torproject.org/projects/tor/ticket/23490
o Minor features (code style, backport from 0.3.1.7):
- Add "Falls through" comments to our codebase, in order to silence
GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
Stieger. Closes ticket 22446.
o Minor features:
- Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation, backport from 0.3.1.7):
- Avoid compiler warnings in the unit tests for calling tor_sscanf()
with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
o Minor bugfixes (controller, backport from 0.3.1.7):
- Do not crash when receiving a HSPOST command with an empty body.
Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
- Do not crash when receiving a POSTDESCRIPTOR command with an empty
body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
- When setting the maximum number of connections allowed by the OS,
always allow some extra file descriptors for other files. Fixes
bug 22797; bugfix on 0.2.0.10-alpha.
o Minor bugfixes (logging, relay, backport from 0.3.1.6-rc):
- Remove a forgotten debugging message when an introduction point
successfully establishes a hidden service prop224 circuit with
a client.
- Change three other log_warn() for an introduction point to
protocol warnings, because they can be failure from the network
and are not relevant to the operator. Fixes bug 23078; bugfix on
0.3.0.1-alpha and 0.3.0.2-alpha.
More information about the tor-announce
mailing list