+Changes in version 0.2.2.36 - 2012-01-06
+ o Major security workaround:
+ - When building or running with any version of OpenSSL earlier
+ than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
+ versions had a bug (CVE-2011-4576) in which their block cipher
+ padding included uninitialized data, potentially leaking sensitive
+ information to any peer with whom they made a SSLv3 connection. Tor
+ does not use SSL v3 by default, but a hostile client or server
+ could force an SSLv3 connection in order to gain information that
+ they shouldn't have been able to get. The best solution here is to
+ upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
+ or running with a non-upgraded OpenSSL, we should instead make
+ sure that the bug can't happen by disabling SSLv3 entirely.
+
+ o Major bugfixes:
+ - Provide correct replacements for the timeradd() and timersub()
+ functions for platforms that lack them (for example, windows). The
+ timersub() function is used when expiring circuits, timeradd() is
+ currently unused. Patch written by Vektor, who also reported the
+ bug. Thanks! Bugfix on 0.2.2.24-alpha/0.2.3.1-alpha, fixes bug 4778.
+
+ o Minor bugfixes:
+ - When running with an older Linux kernel that erroneously responds
+ to strange nmap behavior by having accept() return successfully
+ with a zero-length socket, just close the connection. Previously,
+ we would try harder to learn the remote address: but there was
+ no such remote address to learn, and our method for trying to
+ learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
+ on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
+ - Correctly spell "connect" in a log message when creating a
+ controlsocket fails. Fixes bug 4803; bugfix on 0.2.2.26-beta and
+ 0.2.3.2-alpha.
+
+ o Minor features:
+ - Directory servers now reject versions of Tor older than 0.2.1.30,
+ and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
+ (inclusive). These versions accounted for only a small fraction of
+ the Tor network, and have numerous known security issues. Resolves
+ issue 4788.
+ - Update to the January 3 2012 Maxmind GeoLite Country database.
+
+ - Feature removal:
+ - When sending or relaying a RELAY_EARLY cell, we used to convert
+ it to a RELAY cell if the connection was using the v1 link
+ protocol. This was a workaround for older versions of Tor, which
+ didn't handle RELAY_EARLY cells properly. Now that all supported
+ versions can handle RELAY_EARLY cells, and now that we're enforcing
+ the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
+ we're removing this workaround. Addresses bug 4786.
+
+ o Code simplifications and refactoring:
+ - During configure, detect when we're building with clang version
+ 3.0 or lower and disable the -Wnormalized=id and -Woverride-init
+ CFLAGS. clang doesn't support them yet.
+
+
Changes in version 0.2.2.35 - 2011-12-16
Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
buffers code. Absolutely everybody should upgrade.
+++ /dev/null
- o Major security workaround:
- - When building or running with any version of OpenSSL earlier
- than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
- a bug (CVE-2011-4576) in which their block cipher padding
- included uninitialized data, potentially leaking sensitive
- information to any peer with whom they made a SSLv3
- connection. Tor does not use SSL v3 by default, but a hostile
- client or server could force an SSLv3 connection in order to
- gain information that they shouldn't have been able to get. The
- best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
- later). But when building or running with a non-upgraded
- OpenSSL, we should instead make sure that the bug can't happen
- by disabling SSLv3 entirely.
projects / thirdparty / tor.git / commitdiff
