[tor] [tor-announce] Tor 0.2.9.10 is released
Patrick O'Doherty
p at trickod.com
Thu Mar 2 00:24:00 UTC 2017
I'll attempt to roll us forward to this LTS release tonight.
p
Nick Mathewson:
> (If you are about to reply saying "please take me off
> this list", instead please follow these instructions:
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
> You will have to enter the actual email address you used to subscribe.)
>
> You can download the source code from https://dist.torproject.org/
> but most users should wait for the upcoming Tor Browser release, or
> for their upcoming system package updates.
>
> (0.3.0.4-rc also came out today, but non-stable releases get announced
> on tor-talk.)
>
>
> Changes in version 0.2.9.10 - 2017-03-01
> Tor 0.2.9.10 backports a security fix from a later Tor release. It also
> includes fixes for some major issues affecting directory authorities,
> LibreSSL compatibility, and IPv6 correctness.
>
> The Tor 0.2.9.x release series is now marked as a long-term-support
> series. We intend to backport security fixes to 0.2.9.x until at
> least January of 2020.
>
> o Major bugfixes (directory authority, 0.3.0.3-alpha):
> - During voting, when marking a relay as a probable sybil, do not
> clear its BadExit flag: sybils can still be bad in other ways
> too. (We still clear the other flags.) Fixes bug 21108; bugfix
> on 0.2.0.13-alpha.
>
> o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
> - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
> any IPv6 addresses. Instead, only reject a port over IPv6 if the
> exit policy rejects that port on more than an IPv6 /16 of
> addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
> which rejected a relay's own IPv6 address by default. Fixes bug
> 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
>
> o Major bugfixes (parsing, also in 0.3.0.4-rc):
> - Fix an integer underflow bug when comparing malformed Tor
> versions. This bug could crash Tor when built with
> --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
> 0.2.9.8, which were built with -ftrapv by default. In other cases
> it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
> on 0.0.8pre1. Found by OSS-Fuzz.
>
> o Minor features (directory authorities, also in 0.3.0.4-rc):
> - Directory authorities now reject descriptors that claim to be
> malformed versions of Tor. Helps prevent exploitation of
> bug 21278.
> - Reject version numbers with components that exceed INT32_MAX.
> Otherwise 32-bit and 64-bit platforms would behave inconsistently.
> Fixes bug 21450; bugfix on 0.0.8pre1.
>
> o Minor features (geoip):
> - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
> Country database.
>
> o Minor features (portability, compilation, backport from 0.3.0.3-alpha):
> - Autoconf now checks to determine if OpenSSL structures are opaque,
> instead of explicitly checking for OpenSSL version numbers. Part
> of ticket 21359.
> - Support building with recent LibreSSL code that uses opaque
> structures. Closes ticket 21359.
>
> o Minor bugfixes (code correctness, also in 0.3.0.4-rc):
> - Repair a couple of (unreachable or harmless) cases of the risky
> comparison-by-subtraction pattern that caused bug 21278.
>
> o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
> - The tor-resolve command line tool now rejects hostnames over 255
> characters in length. Previously, it would silently truncate them,
> which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
> Patch by "junglefowl".
> _______________________________________________
> tor-announce mailing list
> tor-announce at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://www.noisebridge.net/pipermail/tor/attachments/20170302/47119003/attachment-0002.sig>
More information about the tor
mailing list