[tor-commits] [tor/release-0.2.5] forward-port the 0.2.4.25 changelog to release-0.2.5 changelog and releasenotes

nickm at torproject.org nickm at torproject.org
Mon Oct 20 14:00:47 UTC 2014 

commit 334f4f60e88ae44450983e1d96bb783cd373455e
Author: Nick Mathewson <nickm at torproject.org>
Date:   Mon Oct 20 10:00:49 2014 -0400

    forward-port the 0.2.4.25 changelog to release-0.2.5 changelog and releasenotes
---
 ChangeLog    |   17 +++++++++++++++++
 ReleaseNotes |   17 +++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index 91a3e1e..a8506a2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,23 @@ Changes in version 0.2.5.9-rc - 2014-10-20
       from 'warn' to 'protocol warning'. Closes ticket 8093.
 
 
+Changes in version 0.2.4.25 - 2014-10-20
+  Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack
+  (even though POODLE does not affect Tor). It also works around a crash
+  bug caused by some operating systems' response to the "POODLE" attack
+  (which does affect Tor).
+
+  o Major security fixes (also in 0.2.5.9-rc):
+    - Disable support for SSLv3. All versions of OpenSSL in use with Tor
+      today support TLS 1.0 or later, so we can safely turn off support
+      for this old (and insecure) protocol. Fixes bug 13426.
+
+  o Major bugfixes (openssl bug workaround, also in 0.2.5.9-rc):
+    - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+      1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug
+      13471. This is a workaround for an OpenSSL bug.
+
+
 Changes in version 0.2.5.8-rc - 2014-09-22
   Tor 0.2.5.8-rc is the second release candidate for the Tor 0.2.5.x
   series. It fixes a bug that affects consistency and speed when
diff --git a/ReleaseNotes b/ReleaseNotes
index 7386c42..73285f5 100644
--- a/ReleaseNotes
+++ b/ReleaseNotes
@@ -880,6 +880,23 @@ Changes in version 0.2.5.xx - 2014-10-xx
       ticket 12731.
 
 
+Changes in version 0.2.4.25 - 2014-10-20
+  Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack
+  (even though POODLE does not affect Tor). It also works around a crash
+  bug caused by some operating systems' response to the "POODLE" attack
+  (which does affect Tor).
+
+  o Major security fixes (also in 0.2.5.9-rc):
+    - Disable support for SSLv3. All versions of OpenSSL in use with Tor
+      today support TLS 1.0 or later, so we can safely turn off support
+      for this old (and insecure) protocol. Fixes bug 13426.
+
+  o Major bugfixes (openssl bug workaround, also in 0.2.5.9-rc):
+    - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+      1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug
+      13471. This is a workaround for an OpenSSL bug.
+
+
 Changes in version 0.2.4.24 - 2014-09-22
   Tor 0.2.4.24 fixes a bug that affects consistency and speed when
   connecting to hidden services, and it updates the location of one of

More information about the tor-commits mailing list