diff --git a/ChangeLog b/ChangeLog index 04625c36a6..667a953885 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,126 @@ Changes in version 0.2.3.10-alpha - 2011-12-16 - Update to the December 6 2011 Maxmind GeoLite Country database. +Changes in version 0.2.2.35 - 2011-12-16 + Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's + buffers code. Absolutely everybody should upgrade. + + The bug relied on an incorrect calculation when making data continuous + in one of our IO buffers, if the first chunk of the buffer was + misaligned by just the wrong amount. The miscalculation would allow an + attacker to overflow a piece of heap-allocated memory. To mount this + attack, the attacker would need to either open a SOCKS connection to + Tor's SocksPort (usually restricted to localhost), or target a Tor + instance configured to make its connections through a SOCKS proxy + (which Tor does not do by default). + + Good security practice requires that all heap-overflow bugs should be + presumed to be exploitable until proven otherwise, so we are treating + this as a potential code execution attack. Please upgrade immediately! + This bug does not affect bufferevents-based builds of Tor. Special + thanks to "Vektor" for reporting this issue to us! + + Tor 0.2.2.35 also fixes several bugs in previous versions, including + crash bugs for unusual configurations, and a long-term bug that + would prevent Tor from starting on Windows machines with draconian + AV software. + + With this release, we remind everyone that 0.2.0.x has reached its + formal end-of-life. Those Tor versions have many known flaws, and + nobody should be using them. You should upgrade -- ideally to the + 0.2.2.x series. If you're using a Linux or BSD and its packages are + obsolete, stop using those packages and upgrade anyway. + + The Tor 0.2.1.x series is also approaching its end-of-life: it will no + longer receive support after some time in early 2012. + + o Major bugfixes: + - Fix a heap overflow bug that could occur when trying to pull + data into the first chunk of a buffer, when that chunk had + already had some data drained from it. Fixes CVE-2011-2778; + bugfix on 0.2.0.16-alpha. Reported by "Vektor". + - Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so + that it doesn't attempt to allocate a socketpair. This could cause + some problems on Windows systems with overzealous firewalls. Fix for + bug 4457; workaround for Libevent versions 2.0.1-alpha through + 2.0.15-stable. + - If we mark an OR connection for close based on a cell we process, + don't process any further cells on it. We already avoid further + reads on marked-for-close connections, but now we also discard the + cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha, + which was the first version where we might mark a connection for + close based on processing a cell on it. + - Correctly sanity-check that we don't underflow on a memory + allocation (and then assert) for hidden service introduction + point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410; + bugfix on 0.2.1.5-alpha. + - Fix a memory leak when we check whether a hidden service + descriptor has any usable introduction points left. Fixes bug + 4424. Bugfix on 0.2.2.25-alpha. + - Don't crash when we're running as a relay and don't have a GeoIP + file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix + we've had in the 0.2.3.x branch already. + - When running as a client, do not print a misleading (and plain + wrong) log message that we're collecting "directory request" + statistics: clients don't collect statistics. Also don't create a + useless (because empty) stats file in the stats/ directory. Fixes + bug 4353; bugfix on 0.2.2.34. + + o Minor bugfixes: + - Detect failure to initialize Libevent. This fix provides better + detection for future instances of bug 4457. + - Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers + function. This was eating up hideously large amounts of time on some + busy servers. Fixes bug 4518; bugfix on 0.0.9.8. + - Resolve an integer overflow bug in smartlist_ensure_capacity(). + Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by + Mansour Moufid. + - Don't warn about unused log_mutex in log.c when building with + --disable-threads using a recent GCC. Fixes bug 4437; bugfix on + 0.1.0.6-rc which introduced --disable-threads. + - When configuring, starting, or stopping an NT service, stop + immediately after the service configuration attempt has succeeded + or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha. + - When sending a NETINFO cell, include the original address + received for the other side, not its canonical address. Found + by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha. + - Fix a typo in a hibernation-related log message. Fixes bug 4331; + bugfix on 0.2.2.23-alpha; found by "tmpname0901". + - Fix a memory leak in launch_direct_bridge_descriptor_fetch() that + occurred when a client tried to fetch a descriptor for a bridge + in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha. + - Backport fixes for a pair of compilation warnings on Windows. + Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta. + - If we had ever tried to call tor_addr_to_str on an address of + unknown type, we would have done a strdup on an uninitialized + buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha. + Reported by "troll_un". + - Correctly detect and handle transient lookup failures from + tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha. + Reported by "troll_un". + - Fix null-pointer access that could occur if TLS allocation failed. + Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un". + - Use tor_socket_t type for listener argument to accept(). Fixes bug + 4535; bugfix on 0.2.2.28-beta. Found by "troll_un". + + o Minor features: + - Add two new config options for directory authorities: + AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the + Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold + that is always sufficient to satisfy the bandwidth requirement for + the Guard flag. Now it will be easier for researchers to simulate + Tor networks with different values. Resolves ticket 4484. + - When Tor ignores a hidden service specified in its configuration, + include the hidden service's directory in the warning message. + Previously, we would only tell the user that some hidden service + was ignored. Bugfix on 0.0.6; fixes bug 4426. + - Update to the December 6 2011 Maxmind GeoLite Country database. + + o Packaging changes: + - Make it easier to automate expert package builds on Windows, + by removing an absolute path from makensis.exe command. + + Changes in version 0.2.3.9-alpha - 2011-12-08 Tor 0.2.3.9-alpha introduces initial IPv6 support for bridges, adds a "DisableNetwork" security feature that bundles can use to avoid diff --git a/ReleaseNotes b/ReleaseNotes index cbc8f0ef32..5e24d77929 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -3,6 +3,126 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.2.35 - 2011-12-16 + Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's + buffers code. Absolutely everybody should upgrade. + + The bug relied on an incorrect calculation when making data continuous + in one of our IO buffers, if the first chunk of the buffer was + misaligned by just the wrong amount. The miscalculation would allow an + attacker to overflow a piece of heap-allocated memory. To mount this + attack, the attacker would need to either open a SOCKS connection to + Tor's SocksPort (usually restricted to localhost), or target a Tor + instance configured to make its connections through a SOCKS proxy + (which Tor does not do by default). + + Good security practice requires that all heap-overflow bugs should be + presumed to be exploitable until proven otherwise, so we are treating + this as a potential code execution attack. Please upgrade immediately! + This bug does not affect bufferevents-based builds of Tor. Special + thanks to "Vektor" for reporting this issue to us! + + Tor 0.2.2.35 also fixes several bugs in previous versions, including + crash bugs for unusual configurations, and a long-term bug that + would prevent Tor from starting on Windows machines with draconian + AV software. + + With this release, we remind everyone that 0.2.0.x has reached its + formal end-of-life. Those Tor versions have many known flaws, and + nobody should be using them. You should upgrade -- ideally to the + 0.2.2.x series. If you're using a Linux or BSD and its packages are + obsolete, stop using those packages and upgrade anyway. + + The Tor 0.2.1.x series is also approaching its end-of-life: it will no + longer receive support after some time in early 2012. + + o Major bugfixes: + - Fix a heap overflow bug that could occur when trying to pull + data into the first chunk of a buffer, when that chunk had + already had some data drained from it. Fixes CVE-2011-2778; + bugfix on 0.2.0.16-alpha. Reported by "Vektor". + - Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so + that it doesn't attempt to allocate a socketpair. This could cause + some problems on Windows systems with overzealous firewalls. Fix for + bug 4457; workaround for Libevent versions 2.0.1-alpha through + 2.0.15-stable. + - If we mark an OR connection for close based on a cell we process, + don't process any further cells on it. We already avoid further + reads on marked-for-close connections, but now we also discard the + cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha, + which was the first version where we might mark a connection for + close based on processing a cell on it. + - Correctly sanity-check that we don't underflow on a memory + allocation (and then assert) for hidden service introduction + point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410; + bugfix on 0.2.1.5-alpha. + - Fix a memory leak when we check whether a hidden service + descriptor has any usable introduction points left. Fixes bug + 4424. Bugfix on 0.2.2.25-alpha. + - Don't crash when we're running as a relay and don't have a GeoIP + file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix + we've had in the 0.2.3.x branch already. + - When running as a client, do not print a misleading (and plain + wrong) log message that we're collecting "directory request" + statistics: clients don't collect statistics. Also don't create a + useless (because empty) stats file in the stats/ directory. Fixes + bug 4353; bugfix on 0.2.2.34. + + o Minor bugfixes: + - Detect failure to initialize Libevent. This fix provides better + detection for future instances of bug 4457. + - Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers + function. This was eating up hideously large amounts of time on some + busy servers. Fixes bug 4518; bugfix on 0.0.9.8. + - Resolve an integer overflow bug in smartlist_ensure_capacity(). + Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by + Mansour Moufid. + - Don't warn about unused log_mutex in log.c when building with + --disable-threads using a recent GCC. Fixes bug 4437; bugfix on + 0.1.0.6-rc which introduced --disable-threads. + - When configuring, starting, or stopping an NT service, stop + immediately after the service configuration attempt has succeeded + or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha. + - When sending a NETINFO cell, include the original address + received for the other side, not its canonical address. Found + by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha. + - Fix a typo in a hibernation-related log message. Fixes bug 4331; + bugfix on 0.2.2.23-alpha; found by "tmpname0901". + - Fix a memory leak in launch_direct_bridge_descriptor_fetch() that + occurred when a client tried to fetch a descriptor for a bridge + in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha. + - Backport fixes for a pair of compilation warnings on Windows. + Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta. + - If we had ever tried to call tor_addr_to_str on an address of + unknown type, we would have done a strdup on an uninitialized + buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha. + Reported by "troll_un". + - Correctly detect and handle transient lookup failures from + tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha. + Reported by "troll_un". + - Fix null-pointer access that could occur if TLS allocation failed. + Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un". + - Use tor_socket_t type for listener argument to accept(). Fixes bug + 4535; bugfix on 0.2.2.28-beta. Found by "troll_un". + + o Minor features: + - Add two new config options for directory authorities: + AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the + Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold + that is always sufficient to satisfy the bandwidth requirement for + the Guard flag. Now it will be easier for researchers to simulate + Tor networks with different values. Resolves ticket 4484. + - When Tor ignores a hidden service specified in its configuration, + include the hidden service's directory in the warning message. + Previously, we would only tell the user that some hidden service + was ignored. Bugfix on 0.0.6; fixes bug 4426. + - Update to the December 6 2011 Maxmind GeoLite Country database. + + o Packaging changes: + - Make it easier to automate expert package builds on Windows, + by removing an absolute path from makensis.exe command. + + Changes in version 0.2.2.34 - 2011-10-26 Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker can deanonymize Tor users. Everybody should upgrade.