[tor-commits] [tor/release-0.2.2] Changelog for 0.2.2.35

nickm at torproject.org nickm at torproject.org
Fri Dec 16 16:59:39 UTC 2011 

commit d4b935e77f6675fab4e4efe91736a5f63c24e66b
Author: Nick Mathewson <nickm at torproject.org>
Date:   Thu Dec 15 11:56:26 2011 -0500

    Changelog for 0.2.2.35
---
 ChangeLog          |   24 ++++++++++++++++++++++--
 changes/buffer_bug |    7 -------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a8f677b..e1bc545 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,23 @@
-Changes in version 0.2.2.35 - 2011-12-1?
-
-  Tor 0.2.2.35 fixes several bugs in previous versions, including
+Changes in version 0.2.2.35 - 2011-12-16
+  Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
+  buffers code. Absolutely everybody should upgrade.
+
+  The bug relied on an incorrect calculation when making data continuous
+  in one of our IO buffers, if the first chunk of the buffer was
+  misaligned by just the wrong amount. The miscalculation would allow an
+  attacker to overflow a piece of heap-allocated memory. To mount this
+  attack, the attacker would need to either open a SOCKS connection to
+  Tor's SocksPort (usually restricted to localhost), or target a Tor
+  instance configured to make its connections through a SOCKS proxy
+  (which Tor does not do by default).
+
+  Good security practice requires that all heap-overflow bugs should be
+  presumed to be exploitable until proven otherwise, so we are treating
+  this as a potential code execution attack. Please upgrade immediately!
+  This bug does not affect bufferevents-based builds of Tor. Special
+  thanks to "Vektor" for reporting this issue to us!
+
+  Tor 0.2.2.35 also fixes several bugs in previous versions, including
   crash bugs for unusual configurations, and a long-term bug that
   would that would prevent Tor from starting on Windows machines with
   draconian AV software.
@@ -11,6 +28,9 @@ Changes in version 0.2.2.35 - 2011-12-1?
   0.2.2.x series. If you're using a Linux or BSD and its packages are
   obsolete, stop using those packages and upgrade anyway.
 
+  The Tor 0.2.1.x series is also approaching its end-of-life: it will no
+  longer receive support after some time in early 2011.
+
   o Major bugfixes:
     - Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
       that it doesn't attempt to allocate a socketpair. This could cause
diff --git a/changes/buffer_bug b/changes/buffer_bug
deleted file mode 100644
index 634f609..0000000
--- a/changes/buffer_bug
+++ /dev/null
@@ -1,7 +0,0 @@
-
-  o Major bugfixes:
-    - Fix a heap overflow bug that could occur when trying to pull
-      data into the first chunk of a buffer, when that chunk had
-      already had some data drained from it. Fixes CVE-2011-2778;
-      bugfix on 0.2.0.16-alpha. Reported by "Vektor".
-

More information about the tor-commits mailing list