[tor-talk] Tor 0.2.3.20-rc is out

Roger Dingledine arma at mit.edu
Tue Aug 7 21:51:58 UTC 2012


Tor 0.2.3.20-rc is the third release candidate for the Tor 0.2.3.x
series. It fixes a pair of code security bugs and a potential anonymity
issue, updates our RPM spec files, and cleans up other smaller issues.

https://www.torproject.org/download/download

(Packages coming eventually.)

Changes in version 0.2.3.20-rc - 2012-08-05
  o Security fixes:
    - Avoid read-from-freed-memory and double-free bugs that could occur
      when a DNS request fails while launching it. Fixes bug 6480;
      bugfix on 0.2.0.1-alpha.
    - Avoid an uninitialized memory read when reading a vote or consensus
      document that has an unrecognized flavor name. This read could
      lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
    - Try to leak less information about what relays a client is
      choosing to a side-channel attacker. Previously, a Tor client would
      stop iterating through the list of available relays as soon as it
      had chosen one, thus finishing a little earlier when it picked
      a router earlier in the list. If an attacker can recover this
      timing information (nontrivial but not proven to be impossible),
      they could learn some coarse-grained information about which relays
      a client was picking (middle nodes in particular are likelier to
      be affected than exits). The timing attack might be mitigated by
      other factors (see bug 6537 for some discussion), but it's best
      not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.

  o Minor features:
    - Try to make the warning when giving an obsolete SOCKSListenAddress
      a little more useful.
    - Terminate active server managed proxies if Tor stops being a
      relay. Addresses parts of bug 6274; bugfix on 0.2.3.6-alpha.
    - Provide a better error message about possible OSX Asciidoc failure
      reasons. Fixes bug 6436.
    - Warn when Tor is configured to use accounting in a way that can
      link a hidden service to some other hidden service or public
      address. Resolves ticket 6490.

  o Minor bugfixes:
    - Check return value of fputs() when writing authority certificate
      file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha.
    - Ignore ServerTransportPlugin lines when Tor is not configured as
      a relay. Fixes bug 6274; bugfix on 0.2.3.6-alpha.
    - When disabling guards for having too high a proportion of failed
      circuits, make sure to look at each guard. Fixes bug 6397; bugfix
      on 0.2.3.17-beta.

  o Packaging (RPM):
    - Update our default RPM spec files to work with mock and rpmbuild
      on RHEL/Fedora. They have an updated set of dependencies and
      conflicts, a fix for an ancient typo when creating the "_tor"
      user, and better instructions. Thanks to Ondrej Mikle for the
      patch series. Fixes bug 6043.

  o Testing:
    - Make it possible to set the TestingTorNetwork configuration
      option using AlternateDirAuthority and AlternateBridgeAuthority
      as an alternative to setting DirServer. Addresses ticket 6377.

  o Documentation:
    - Clarify the documentation for the Alternate*Authority options.
      Fixes bug 6387.
    - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500.

  o Code simplification and refactoring:
    - Do not use SMARTLIST_FOREACH for any loop whose body exceeds
      10 lines. Also, don't nest them. Doing so in the past has
      led to hard-to-debug code. The new style is to use the
      SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20120807/fa41ad76/attachment.pgp>


More information about the tor-talk mailing list