Authorities reject insecure Tors.
This patch should make us reject every Tor that was vulnerable to CVE-2011-0427. Additionally, it makes us reject every Tor that couldn't handle RELAY_EARLY cells, which helps with proposal 110 (#4339).
parent
da876aec63
commit
9bcb187387
6
changes/bug4788
Normal file
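--- a/changes/bug4788
+++ b/changes/bug4788
@@ -0,0 +1,6 @@
+o Minor features (directory server):
+- Directory servers now reject versions of Tor older than 0.2.1.30,
+and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
+(inclusive). These versions accounted for only a small fraction of
+the Tor network, and have numerous known security issues. Resolves
+issue #4788.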
@ -388,20 +388,21 @@ dirserv_get_status_impl(const char *id_digest, const char *nickname,
|
|||||||
strmap_size(fingerprint_list->fp_by_name),
|
strmap_size(fingerprint_list->fp_by_name),
|
||||||
digestmap_size(fingerprint_list->status_by_digest));
|
digestmap_size(fingerprint_list->status_by_digest));
|
||||||
|
|
||||||
/* Tor 0.2.0.26-rc is the oldest version that currently caches the right
|
/* Versions before Tor 0.2.1.30 have known security issues that
|
||||||
* directory information. Once more of them die off, we should raise this
|
* make them unsuitable for the current network. */
|
||||||
* minimum. */
|
if (platform && !tor_version_as_new_as(platform,"0.2.1.30")) {
|
||||||
if (platform && !tor_version_as_new_as(platform,"0.2.0.26-rc")) {
|
|
||||||
if (msg)
|
if (msg)
|
||||||
*msg = "Tor version is far too old to work.";
|
*msg = "Tor version is insecure. Please upgrade!";
|
||||||
return FP_REJECT;
|
return FP_REJECT;
|
||||||
} else if (platform && tor_version_as_new_as(platform,"0.2.1.3-alpha")
|
} else if (platform && tor_version_as_new_as(platform,"0.2.2.1-alpha")) {
|
||||||
&& !tor_version_as_new_as(platform, "0.2.1.19")) {
|
/* Versions from 0.2.2.1-alpha...0.2.2.20-alpha have known security
|
||||||
/* These versions mishandled RELAY_EARLY cells on rend circuits. */
|
* issues that make them unusable for the current network */
|
||||||
|
if (!tor_version_as_new_as(platform, "0.2.2.21-alpha")) {
|
||||||
if (msg)
|
if (msg)
|
||||||
*msg = "Tor version is too buggy to work.";
|
*msg = "Tor version is insecure. Please upgrade!";
|
||||||
return FP_REJECT;
|
return FP_REJECT;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
result = dirserv_get_name_status(id_digest, nickname);
|
result = dirserv_get_name_status(id_digest, nickname);
|
||||||
if (result & FP_NAMED) {
|
if (result & FP_NAMED) {
|
||||||
|
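Review bot: The two replacement comments say only "known security issues", whereas the commit description names CVE-2011-0427 and the RELAY_EARLY requirement, and the removed comment named RELAY_EARLY explicitly; whoever next raises these floors cannot tell from the code what each threshold protects. I would put the reason above the first check, for example `/* Reject versions vulnerable to CVE-2011-0427 or unable to handle RELAY_EARLY cells (proposal 110); see #4788. */`, and have the 0.2.2.x comment refer to it. Both checks are still guarded by `platform &&`, so a descriptor with no platform string skips them and falls through to `dirserv_get_name_status`. If `platform` comes from the relay's own descriptor, as it appears to, a short comment that this floor filters honest outdated relays rather than acting as an enforcement boundary would set the right expectation. The body of `dirserv_get_status_impl` starts and ends outside the hunk, so the origin of `platform` cannot be confirmed from here.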