[tor-commits] [tor/master] merge in the safecookie changelog entry too
arma at torproject.org
arma at torproject.org
Tue Mar 27 02:16:00 UTC 2012
commit de73e3692a6d83774027ac9d29e1ec8608076385
Author: Roger Dingledine <arma at torproject.org>
Date: Mon Mar 26 22:15:02 2012 -0400
merge in the safecookie changelog entry too
---
ChangeLog | 7 +++++++
changes/safecookie | 9 ---------
2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d6cc6d6..52c7345 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -7,6 +7,13 @@ Changes in version 0.2.3.13-alpha - 2012-03-26
- Change IP address for maatuska (v3 directory authority).
o Security fixes:
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the contoller into telling
+ it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+ authentication method uses a challenge-response approach to prevent
+ this attack. Fixes bug 5185, implements proposal 193.
- Never use a bridge or a controller-supplied node as an exit, even
if its exit policy allows it. Found by wanoskarnet. Fixes bug
5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
diff --git a/changes/safecookie b/changes/safecookie
deleted file mode 100644
index fd7d7af..0000000
--- a/changes/safecookie
+++ /dev/null
@@ -1,9 +0,0 @@
- o Security Features:
- - Provide controllers with a safer way to implement the cookie
- authentication mechanism. With the old method, if another locally
- running program could convince a controller that it was the Tor
- process, then that program could trick the contoller into
- telling it the contents of an arbitrary 32-byte file. The new
- "SAFECOOKIE" authentication method uses a challenge-response
- approach to prevent this. Fixes bug 5185, implements proposal 193.
-
More information about the tor-commits
mailing list