[tor-talk] Tor 0.2.3.23-rc is out

Roger Dingledine arma at mit.edu
Sat Oct 20 18:39:45 UTC 2012


Tor 0.2.3.23-rc adds a new v3 directory authority, fixes a privacy
vulnerability introduced by a change in OpenSSL, and fixes a variety
of smaller bugs in preparation for the release.

I hope this will be the final release candidate for the 0.2.3 series.
That is, if we don't find any urgent issues, the next release will be
called stable.

https://www.torproject.org/download/download
https://www.torproject.org/dist/

(Packages coming eventually, hopefully soon since this is the final
release candidate.)

Changes in version 0.2.3.23-rc - 2012-10-20
  o New directory authorities:
    - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
      authority. Closes ticket 5749.

  o Major bugfixes (security/privacy):
    - Disable TLS session tickets. OpenSSL's implementation was giving
      our TLS session keys the lifetime of our TLS context objects, when
      perfect forward secrecy would want us to discard anything that
      could decrypt a link connection as soon as the link connection
      was closed. Fixes bug 7139; bugfix on all versions of Tor linked
      against OpenSSL 1.0.0 or later. Found by Florent Daignière.
    - Discard extraneous renegotiation attempts once the V3 link
      protocol has been initiated. Failure to do so left us open to
      a remotely triggerable assertion failure. Fixes CVE-2012-2249;
      bugfix on 0.2.3.6-alpha. Reported by "some guy from France".

  o Major bugfixes:
    - Fix a possible crash bug when checking for deactivated circuits
      in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
      bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.

  o Minor bugfixes (on 0.2.3.x):
    - Fix two cases in src/or/transports.c where we were calling
      fmt_addr() twice in a parameter list. Bug found by David
      Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha.
    - Convert an assert in the pathbias code to a log message. The assert
      appears to only be triggerable by Tor2Web mode. Fixes bug 6866;
      bugfix on 0.2.3.17-beta.
    - Fix memory leaks whenever we logged any message about the "path
      bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc.

  o Minor bugfixes (on 0.2.2.x and earlier):
    - Don't serve or accept v2 hidden service descriptors over a relay's
      DirPort. It's never correct to do so, and disabling it might
      make it more annoying to exploit any bugs that turn up in the
      descriptor-parsing code. Fixes bug 7149.
    - When relays refuse a "create" cell because their queue of pending
      create cells is too big (typically because their cpu can't keep up
      with the arrival rate), send back reason "resource limit" rather
      than reason "internal", so network measurement scripts can get a
      more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.
    - Correct file sizes when reading binary files on Cygwin, to avoid
      a bug where Tor would fail to read its state file. Fixes bug 6844;
      bugfix on 0.1.2.7-alpha.
    - Avoid undefined behaviour when parsing the list of supported
      rendezvous/introduction protocols in a hidden service descriptor.
      Previously, Tor would have confused (as-yet-unused) protocol version
      numbers greater than 32 with lower ones on many platforms. Fixes
      bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.

  o Documentation fixes:
    - Clarify that hidden services are TCP only. Fixes bug 6024.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20121020/d57a7205/attachment.pgp>


More information about the tor-talk mailing list