[tor] [tor-announce] Tor 0.2.9.9 is released

Patrick O'Doherty p at trickod.com
Tue Jan 24 21:55:00 UTC 2017


I attempted to update this last night, but while the package was updated,
I don't think I successfully restarted the 4x tor instances due to our
non-standard /etc/init.d/tor script.

Making a note to commit what we have into a git repo and see how it
might be updated. Alternatively, migrating our node to be managed by an
ansible-relayor[0] ansible playbook might be nice and make future
expansion that much easier to manage.

[0] - https://github.com/nusenu/ansible-relayor

Roger Dingledine:
> (If you are about to reply saying "please take me off
> this list", instead please follow these instructions:
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
> You will have to enter the actual email address you used to subscribe.)
> 
> Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could
> cause relays and clients to crash, even if they were not built with
> the --enable-expensive-hardening option. This bug affects all 0.2.9.x
> versions, and also affects 0.3.0.1-alpha: all relays running an affected
> version should upgrade.
> 
> This release also resolves a client-side onion service reachability bug,
> and resolves a pair of small portability issues.
> 
> You can download the source code from https://dist.torproject.org/
> but most users should wait for the upcoming Tor Browser release, or
> for their upcoming system package updates.
> 
> Changes in version 0.2.9.9 - 2017-01-23
>   o Major bugfixes (security):
>     - Downgrade the "-ftrapv" option from "always on" to "only on when
>       --enable-expensive-hardening is provided." This hardening option,
>       like others, can turn survivable bugs into crashes -- and having
>       it on by default made a (relatively harmless) integer overflow bug
>       into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
>       bugfix on 0.2.9.1-alpha.
> 
>   o Major bugfixes (client, onion service):
>     - Fix a client-side onion service reachability bug, where multiple
>       socks requests to an onion service (or a single slow request)
>       could cause us to mistakenly mark some of the service's
>       introduction points as failed, and we cache that failure so
>       eventually we run out and can't reach the service. Also resolves a
>       mysterious "Remote server sent bogus reason code 65021" log
>       warning. The bug was introduced in ticket 17218, where we tried to
>       remember the circuit end reason as a uint16_t, which mangled
>       negative values. Partially fixes bug 21056 and fixes bug 20307;
>       bugfix on 0.2.8.1-alpha.
> 
>   o Minor features (geoip):
>     - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
>       Country database.
> 
>   o Minor bugfixes (portability):
>     - Avoid crashing when Tor is built using headers that contain
>       CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
>       without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
>       on 0.2.9.1-alpha.
>     - Fix Libevent detection on platforms without Libevent 1 headers
>       installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
> 
> 
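
The uint16_t mangling described in the onion service bugfix entry above, as an added example that is not part of the original message and is not Tor's code. It is a simplified C model: the reason-code range, the struct and function names, and the classifier are constructed for illustration. A negative reason such as -515 reads back as 65021, the value in the quoted log warning.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed reason codes for this sketch; these are not Tor's constants. */
#define REASON_MAX_VALID   12      /* highest code a remote peer may send */
#define REASON_LOCAL_ABORT (-515)  /* constructed negative, locally generated code */

/* Buggy record: the end reason is remembered in an unsigned 16-bit field. */
struct circ_record_buggy { uint16_t end_reason; };
/* Fixed record: the field keeps the sign of the value it is given. */
struct circ_record_fixed { int end_reason; };

/* Store `reason` in the buggy field and return what a later reader sees. */
int remember_buggy(int reason) {
    struct circ_record_buggy rec;
    rec.end_reason = (uint16_t)reason;  /* conversion is modulo 65536 */
    return rec.end_reason;              /* promoted back as 0..65535 */
}

/* Store `reason` in the signed field and return what a later reader sees. */
int remember_fixed(int reason) {
    struct circ_record_fixed rec;
    rec.end_reason = reason;
    return rec.end_reason;
}

/* Classify a remembered reason as a later consumer might:
 * 0 = locally generated (negative), 1 = valid remote code, 2 = bogus. */
int classify_reason(int remembered) {
    if (remembered < 0)
        return 0;
    if (remembered <= REASON_MAX_VALID)
        return 1;
    return 2;
}

int main(void) {
    int b = remember_buggy(REASON_LOCAL_ABORT);
    int f = remember_fixed(REASON_LOCAL_ABORT);
    printf("buggy: stored %d, read back %d, class %d\n",
           REASON_LOCAL_ABORT, b, classify_reason(b));
    printf("fixed: stored %d, read back %d, class %d\n",
           REASON_LOCAL_ABORT, f, classify_reason(f));
    return 0;
}
```

In the buggy path the locally generated code is no longer recognisable as negative, so a consumer that validates the range reports it as a bogus remote code instead of handling it as a local event.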
