Changelog for tor-0.2.1.30-1.pm.1.1.x86_64.rpm:
Thu Feb 3 13:00:00 2011 detlefAATTlinks2linux.de
- new upstream version <0.2.1.30>
* Major bugfixes:
- Stop sending a CLOCK_SKEW controller status event whenever
we fetch directory information from a relay that has a wrong clock.
Instead, only inform the controller when it's a trusted authority
that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
the rest of bug 1074.
- Fix a bounds-checking error that could allow an attacker to
remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
Found by "piebeer".
- If relays set RelayBandwidthBurst but not RelayBandwidthRate,
Tor would ignore their RelayBandwidthBurst setting,
potentially using more bandwidth than expected. Bugfix on
0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
- Ignore and warn if the user mistakenly sets "PublishServerDescriptor
hidserv" in her torrc. The 'hidserv' argument never controlled
publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
* Minor features:
- Adjust our TLS Diffie-Hellman parameters to match those used by
Apache's mod_ssl.
- Update to the February 1 2011 Maxmind GeoLite Country database.
* Minor bugfixes:
- Check for and reject overly long directory certificates and
directory tokens before they have a chance to hit any assertions.
Bugfix on 0.2.1.28. Found by "doorss".
- Bring the logic that gathers routerinfos and assesses the
acceptability of circuits into line. This prevents a Tor OP from
getting locked in a cycle of choosing its local OR as an exit for a
path (due to a .exit request) and then rejecting the circuit because
its OR is not listed yet. It also prevents Tor clients from using an
OR running in the same instance as an exit (due to a .exit request)
if the OR does not meet the same requirements expected of an OR
running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
Wed Jan 19 13:00:00 2011 detlefAATTlinks2linux.de
- new upstream version <0.2.1.29>
Fri Dec 24 13:00:00 2010 detlefAATTlinks2linux.de
- new upstream version <0.2.1.28>
* Tor 0.2.1.28 does some code cleanup to reduce the risk of remotely
exploitable bugs. We also took this opportunity to change the IP address
for one of our directory authorities, and to update the geoip database
we ship.
* Major bugfixes:
- Fix a remotely exploitable bug that could be used to crash instances
of Tor remotely by overflowing on the heap. Remote-code execution
hasn't been confirmed, but can't be ruled out. Everyone should
upgrade. Bugfix on the 0.1.1 series and later.
* Directory authority changes:
- Change IP address and ports for gabelmoo (v3 directory authority).
* Minor features:
- Update to the December 1 2010 Maxmind GeoLite Country database.
Sat Nov 27 13:00:00 2010 detlefAATTlinks2linux.de
- new upstream version <0.2.1.27>
* Major bugfixes:
- Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b:
No longer set the tlsext_host_name extension on server SSL objects;
but continue to set it on client SSL objects. Our goal in setting
it was to imitate a browser, not a vhosting server. Fixes bug 2204;
bugfix on 0.2.1.1-alpha.
- Do not log messages to the controller while shrinking buffer
freelists. Doing so would sometimes make the controller connection
try to allocate a buffer chunk, which would mess up the internals
of the freelist and cause an assertion failure. Fixes bug 1125;
fixed by Robert Ransom. Bugfix on 0.2.0.16-alpha.
- Learn our external IP address when we're a relay or bridge, even if
we set PublishServerDescriptor to 0. Bugfix on 0.2.0.3-alpha,
where we introduced bridge relays that don't need to publish to
be useful. Fixes bug 2050.
- Do even more to reject (and not just ignore) annotations on
router descriptors received anywhere but from the cache. Previously
we would ignore such annotations at first, but cache them to disk
anyway. Bugfix on 0.2.0.8-alpha. Found by piebeer.
- When you're using bridges and your network goes away and your
bridges get marked as down, recover when you attempt a new socks
connection (if the network is back), rather than waiting up to an
hour to try fetching new descriptors for your bridges. Bugfix on
0.2.0.3-alpha; fixes bug 1981.
* Major features:
- Move to the November 2010 Maxmind GeoLite country db (rather
than the June 2009 ip-to-country GeoIP db) for our statistics that
count how many users relays are seeing from each country. Now we'll
have more accurate data, especially for many African countries.
* New directory authorities:
- Set up maatuska (run by Linus Nordberg) as the eighth v3 directory
authority.
* Minor bugfixes:
- Fix an assertion failure that could occur in directory caches or
bridge users when using a very short voting interval on a testing
network. Diagnosed by Robert Hogan. Fixes bug 1141; bugfix on
0.2.0.8-alpha.
- Enforce multiplicity rules when parsing annotations. Bugfix on
0.2.0.8-alpha. Found by piebeer.
- Allow handshaking OR connections to take a full KeepalivePeriod
seconds to handshake. Previously, we would close them after
IDLE_OR_CONN_TIMEOUT (180) seconds, the same timeout as if they
were open. Bugfix on 0.2.1.26; fixes bug 1840. Thanks to mingw-san
for analysis help.
- When building with --enable-gcc-warnings on OpenBSD, disable
warnings in system headers. This makes --enable-gcc-warnings
pass on OpenBSD 4.8.
* Minor features:
- Exit nodes didn't recognize EHOSTUNREACH as a plausible error code,
and so sent back END_STREAM_REASON_MISC. Clients now recognize a new
stream ending reason for this case: END_STREAM_REASON_NOROUTE.
Servers can start sending this code when enough clients recognize
it. Bugfix on 0.1.0.1-rc; fixes part of bug 1793.
- Build correctly on mingw with more recent versions of OpenSSL 0.9.8.
Patch from mingw-san.
* Removed files:
- Remove the old debian/ directory from the main Tor distribution.
The official Tor-for-debian git repository lives at the URL
https://git.torproject.org/debian/tor.git
- Stop shipping the old doc/website/ directory in the tarball. We
changed the website format in late 2010, and what we shipped in
0.2.1.26 really wasn't that useful anyway.
Mon May 3 14:00:00 2010 detlefAATTlinks2linux.de
- new upstream version <0.2.1.26>
* Major bugfixes:
- Teach relays to defend themselves from connection overload. Relays
now close idle circuits early if it looks like they were intended
for directory fetches. Relays are also more aggressive about closing
TLS connections that have no circuits on them. Such circuits are
unlikely to be re-used, and tens of thousands of them were piling
up at the fast relays, causing the relays to run out of sockets
and memory. Bugfix on 0.2.0.22-rc (where clients started tunneling
their directory fetches over TLS).
- Fix SSL renegotiation behavior on OpenSSL versions like on CentOS
that claim to be earlier than 0.9.8m, but which have in reality
backported huge swaths of 0.9.8m or 0.9.8n renegotiation
behavior. Possible fix for some cases of bug 1346.
- Directory mirrors were fetching relay descriptors only from v2
directory authorities, rather than v3 authorities like they should.
Only 2 v2 authorities remain (compared to 7 v3 authorities), leading
to a serious bottleneck. Bugfix on 0.2.0.9-alpha. Fixes bug 1324.
* Minor bugfixes:
- Finally get rid of the deprecated and now harmful notion of "clique
mode", where directory authorities maintain TLS connections to
every other relay.
* Testsuite fixes:
- In the util/threads test, no longer free the test_mutex before all
worker threads have finished. Bugfix on 0.2.1.6-alpha.
- The master thread could starve the worker threads quite badly on
certain systems, causing them to run only partially in the allowed
window. This resulted in test failures. Now the master thread sleeps
occasionally for a few microseconds while the two worker-threads
compete for the mutex. Bugfix on 0.2.0.1-alpha.
Fri Mar 19 13:00:00 2010 detlefAATTlinks2linux.de
- new upstream version <0.2.1.25>
* Tor 0.2.1.25 fixes a regression introduced in 0.2.1.23 that could
prevent relays from guessing their IP address correctly. It also fixes
several minor potential security bugs.
* Major bugfixes:
- Fix a regression from our patch for bug 1244 that caused relays
to guess their IP address incorrectly if they didn't set Address
in their torrc and/or their address fails to resolve. Bugfix on
0.2.1.23; fixes bug 1269.
- When freeing a session key, zero it out completely. We only zeroed
the first ptrsize bytes. Bugfix on 0.0.2pre8. Discovered and
patched by ekir. Fixes bug 1254.
* Minor bugfixes:
- Fix a dereference-then-NULL-check sequence when publishing
descriptors. Bugfix on 0.2.1.5-alpha. Discovered by ekir; fixes
bug 1255.
- Fix another dereference-then-NULL-check sequence. Bugfix on
0.2.1.14-rc. Discovered by ekir; fixes bug 1256.
- Make sure we treat potentially not NUL-terminated strings correctly.
Bugfix on 0.1.1.13-alpha. Discovered by rieo; fixes bug 1257.
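The session-key item above (bug 1254) is a classic C mistake worth seeing in code: memset(key, 0, sizeof(key)) where key is a pointer wipes only ptrsize bytes. The block below is an added example and not Tor's code; it puts the buggy wipe beside a fixed one and counts how many key bytes each leaves behind. KEY_LEN and the fill pattern are assumptions for the demonstration.

```c
/* Added example, not Tor's code: the class of bug fixed in 0.2.1.25
 * (bug 1254), where a session key was wiped with memset(key, 0, sizeof(key))
 * and `key` was a pointer, so only ptrsize bytes were zeroed. KEY_LEN and
 * the fill pattern are assumptions for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32   /* assumed key size: a 256-bit symmetric key */

/* Buggy wipe: `key` is a pointer, so sizeof gives 4 or 8, not KEY_LEN.
 * (sizeof is taken into a variable only to keep the compiler's
 * sizeof-pointer warning quiet; the bug is memset(key, 0, sizeof(key)).) */
static void wipe_key_buggy(uint8_t *key)
{
    size_t n = sizeof(key);
    memset(key, 0, n);
}

/* Fixed wipe: the caller states the length, and the stores go through a
 * volatile pointer so a compiler cannot drop them as dead before free().
 * Where available, explicit_bzero()/memset_s() do the same job. */
static void secure_wipe(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--)
        *p++ = 0;
}

static void wipe_key_fixed(uint8_t *key)
{
    secure_wipe(key, KEY_LEN);
}

/* Count bytes that still hold key material after a wipe. */
static size_t nonzero_bytes(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            n++;
    return n;
}

/* Allocate a key, fill it with a constructed non-zero pattern, wipe it with
 * the buggy or the fixed routine, and return how many bytes survived. */
size_t bytes_surviving_wipe(int use_fixed)
{
    uint8_t *key = malloc(KEY_LEN);
    if (key == NULL)
        return (size_t)-1;
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(0xA5 ^ i);    /* never zero for i < 0xA5 */
    if (use_fixed)
        wipe_key_fixed(key);
    else
        wipe_key_buggy(key);
    size_t left = nonzero_bytes(key, KEY_LEN);
    free(key);
    return left;
}

int main(void)
{
    printf("buggy wipe leaves %zu of %d bytes, fixed wipe leaves %zu\n",
           bytes_surviving_wipe(0), KEY_LEN, bytes_surviving_wipe(1));
    return 0;
}
```

On a 64-bit build the buggy wipe leaves 24 of the 32 bytes intact; the fixed wipe leaves none. The volatile store loop matters because a plain memset() immediately followed by free() is a dead store the optimizer may legally remove.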
Thu Feb 25 13:00:00 2010 detlefAATTlinks2linux.de
- new upstream version <0.2.1.24>
* TLS Bug fixed :)
* Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time
for sure!
* Minor bugfixes:
- Work correctly out-of-the-box with even more vendor-patched versions
of OpenSSL. In particular, make it so Debian and OS X don't need
customized patches to run/build.
Mon Feb 15 13:00:00 2010 detlefAATTlinks2linux.de
- new upstream version <0.2.1.23>
* Major bugfixes (performance):
- We were selecting our guards uniformly at random, and then weighting
which of our guards we'd use uniformly at random. This imbalance
meant that Tor clients were severely limited on throughput (and
probably latency too) by the first hop in their circuit. Now we
select guards weighted by currently advertised bandwidth. We also
automatically discard guards picked using the old algorithm. Fixes
bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
* Major bugfixes:
- Make Tor work again on the latest OS X: when deciding whether to
use strange flags to turn TLS renegotiation on, detect the OpenSSL
version at run-time, not compile time. We need to do this because
Apple doesn't update its dev-tools headers when it updates its
libraries in a security patch.
- Fix a potential buffer overflow in lookup_last_hid_serv_request()
that could happen on 32-bit platforms with 64-bit time_t. Also fix
a memory leak when requesting a hidden service descriptor we've
requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
by aakova.
* Directory authority changes:
- Change IP address for dannenberg (v3 directory authority), and
remove moria2 (obsolete v1, v2 directory authority and v0 hidden
service directory authority) from the list.
* Minor bugfixes:
- Refactor resolve_my_address() to not use gethostbyname() anymore.
Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.
* Minor features:
- Avoid a mad rush at the beginning of each month when each client
rotates half of its guards. Instead we spread the rotation out
throughout the month, but we still avoid leaving a precise timestamp
in the state file about when we first picked the guard. Improves
over the behavior introduced in 0.1.2.17.
Fri Feb 12 13:00:00 2010 detlefAATTlinks2linux.de
- rebuild with new openssl (openSUSE_Update)
Mon Jan 25 13:00:00 2010 detlefAATTlinks2linux.de
- new upstream version <0.2.1.22>
* Tor 0.2.1.22 fixes a critical privacy problem in bridge directory
authorities -- it would tell you its whole history of bridge descriptors
if you make the right directory request. This stable update also
rotates two of the seven v3 directory authority keys and locations.
* Directory authority changes:
- Rotate keys (both v3 identity and relay identity) for moria1
and gabelmoo.
* Major bugfixes:
- Stop bridge directory authorities from answering dbg-stability.txt
directory queries, which would let people fetch a list of all
bridge identities they track. Bugfix on 0.2.1.6-alpha.
Sat Dec 26 13:00:00 2009 detlefAATTlinks2linux.de
- fix logrotate conf
Fri Dec 25 13:00:00 2009 detlefAATTlinks2linux.de
- new upstream version <0.2.1.21>
* Major bugfixes:
- Work around a security feature in OpenSSL 0.9.8l that prevents our
handshake from working unless we explicitly tell OpenSSL that we
are using SSL renegotiation safely. We are, of course, but OpenSSL
0.9.8l won\'t work unless we say we are.
- Avoid crashing if the client is trying to upload many bytes and the
circuit gets torn down at the same time, or if the flip side
happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.
* Minor bugfixes:
- Do not refuse to learn about authority certs and v2 networkstatus
documents that are older than the latest consensus. This bug might
have degraded client bootstrapping. Bugfix on 0.2.0.10-alpha.
Spotted and fixed by xmux.
- Fix a couple of very-hard-to-trigger memory leaks, and one hard-to-
trigger platform-specific option misparsing case found by Coverity
Scan.
- Fix a compilation warning on Fedora 12 by removing an impossible-to-
trigger assert. Fixes bug 1173.
Sat Dec 19 13:00:00 2009 detlefAATTlinks2linux.de
- add patch for openssl
Tue Nov 3 13:00:00 2009 detlefAATTlinks2linux.de
- new upstream version <0.2.1.20>
Sat Jul 18 14:00:00 2009 detlefAATTlinks2linux.de
- new upstream version <0.2.0.35>
* Avoid crashing in the presence of certain malformed descriptors.
Found by lark, and by automated fuzzing.
* Fix an edge case where a malicious exit relay could convince a
controller that the client's DNS question resolves to an internal IP
address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
* Finally fix the bug where dynamic-IP relays disappear when their
IP address changes: directory mirrors were mistakenly telling
them their old address if they asked via begin_dir, so they
never got an accurate answer about their new address, so they
just vanished after a day. For belt-and-suspenders, relays that
don't set Address in their config now avoid using begin_dir for
all direct connections. Should fix bugs 827, 883, and 900.
* Fix a timing-dependent, allocator-dependent, DNS-related crash bug
that would occur on some exit nodes when DNS failures and timeouts
occurred in certain patterns. Fix for bug 957.
* When starting with a cache over a few days old, do not leak
memory for the obsolete router descriptors in it. Bugfix on
0.2.0.33; fixes bug 672.
* Hidden service clients didn't use a cached service descriptor that
was older than 15 minutes, but wouldn\'t fetch a new one either,
because there was already one in the cache. Now, fetch a v2
descriptor unless the same descriptor was added to the cache within
the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
Tue Feb 10 13:00:00 2009 detlefAATTlinks2linux.de
- new upstream version <0.2.0.34>
* Fix an infinite-loop bug on handling corrupt votes under certain
circumstances. Bugfix on 0.2.0.8-alpha.
* Fix a temporary DoS vulnerability that could be performed by
a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
* Avoid a potential crash on exit nodes when processing malformed
input. Remote DoS opportunity. Bugfix on 0.2.0.33.
* Do not accept incomplete IPv4 addresses (like 192.168.0) as valid.
Spec conformance issue. Bugfix on Tor 0.0.2pre27.
* Fix compilation on systems where time_t is a 64-bit integer.
Patch from Matthias Drochner.
* Don't consider expiring already-closed client connections. Fixes
bug 893. Bugfix on 0.0.2pre20.
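The "incomplete IPv4 address" item above is about parser leniency: the old BSD inet_aton() accepts "192.168.0" (three parts, the last a 16-bit value), "127.1", and octal or hex parts, so a relay could treat an address that is not a dotted quad as if it were one. The block below is an added example, not Tor's code: a strict dotted-quad parser that accepts only four decimal octets, shown next to inet_aton() so the difference is visible on the same inputs. The sample strings are constructed.

```c
/* Added example, not Tor's code: a strict dotted-quad parser of the kind
 * the 0.2.0.34 fix calls for, next to inet_aton() for contrast. inet_aton()
 * follows the old BSD rules and accepts "192.168.0" (three parts: the last
 * is a 16-bit value), "127.1", octal and hex parts. The strict parser takes
 * exactly four decimal octets, each 0..255, with no leading zeros. */
#define _DEFAULT_SOURCE 1   /* glibc: expose inet_aton() under -std=c99/c11 */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 and stores the host-order address in *out, or 0 on any
 * deviation from a.b.c.d with decimal octets. */
int parse_ipv4_strict(const char *s, uint32_t *out)
{
    uint32_t addr = 0;
    int octets = 0;

    for (;;) {
        /* each part must start with a digit; "01"-style leading zeros are
         * rejected because some parsers read them as octal */
        if (!isdigit((unsigned char)*s))
            return 0;
        if (*s == '0' && isdigit((unsigned char)s[1]))
            return 0;
        unsigned v = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (unsigned)(*s - '0');
            if (v > 255)
                return 0;
            s++;
        }
        addr = (addr << 8) | v;
        if (++octets == 4)
            break;
        if (*s != '.')
            return 0;
        s++;
    }
    if (*s != '\0')          /* trailing junk, including a fifth part */
        return 0;
    *out = addr;
    return 1;
}

/* Lenient BSD behaviour for comparison. */
int parse_ipv4_lenient(const char *s, uint32_t *out)
{
    struct in_addr in;
    if (!inet_aton(s, &in))
        return 0;
    *out = ntohl(in.s_addr);
    return 1;
}

/* Single-value wrappers: the address as a non-negative number, or -1. */
long long ipv4_strict(const char *s)
{
    uint32_t v;
    return parse_ipv4_strict(s, &v) ? (long long)v : -1;
}

long long ipv4_lenient(const char *s)
{
    uint32_t v;
    return parse_ipv4_lenient(s, &v) ? (long long)v : -1;
}

int main(void)
{
    /* constructed samples */
    const char *samples[] = { "192.168.0.1", "192.168.0", "127.1",
                              "01.2.3.4", "256.0.0.1", "1.2.3.4.5" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s strict=%lld lenient=%lld\n", samples[i],
               ipv4_strict(samples[i]), ipv4_lenient(samples[i]));
    return 0;
}
```

inet_pton(AF_INET, ...) is the standard strict alternative where a hand-written parser is not wanted; the point of the explicit version is that every rejection rule (part count, range, leading zeros, trailing characters) is visible and testable.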
Thu Jan 22 13:00:00 2009 detlefAATTlinks2linux.de
- new upstream version <0.2.0.33>
* many fixes...
Fri Nov 28 13:00:00 2008 detlefAATTlinks2linux.de
- new upstream version <0.2.0.32>
* Security fixes:
- The "User" and "Group" config options did not clear the
supplementary group entries for the Tor process. The "User" option
is now more robust, and we now set the groups to the specified
user's primary group. The "Group" option is now ignored. For more
detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bugs 848 and 857.
- The "ClientDNSRejectInternalAddresses" config option wasn't being
consistently obeyed: if an exit relay refuses a stream because its
exit policy doesn't allow it, we would remember what IP address
the relay said the destination address resolves to, even if it's
an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
* Major bugfixes:
- Fix a DoS opportunity during the voting signature collection process
at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
* Major bugfixes (hidden services):
- When fetching v0 and v2 rendezvous service descriptors in parallel,
we were failing the whole hidden service request when the v0
descriptor fetch fails, even if the v2 fetch is still pending and
might succeed. Similarly, if the last v2 fetch fails, we were
failing the whole hidden service request even if a v0 fetch is
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
- When extending a circuit to a hidden service directory to upload a
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
requests failed, because the router descriptor has not been
downloaded yet. In these cases, do not attempt to upload the
rendezvous descriptor, but wait until the router descriptor is
downloaded and retry. Likewise, do not attempt to fetch a rendezvous
descriptor from a hidden service directory for which the router
descriptor has not yet been downloaded. Fixes bug 767. Bugfix
on 0.2.0.10-alpha.
* Minor bugfixes:
- Fix several infrequent memory leaks spotted by Coverity.
- When testing for libevent functions, set the LDFLAGS variable
correctly. Found by Riastradh.
- Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
bootstrapping with tunneled directory connections. Bugfix on
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
- When asked to connect to A.B.exit:80, if we don't know the IP for A
and we know that server B rejects most-but-not all connections to
port 80, we would previously reject the connection. Now, we assume
the user knows what they were asking for. Fixes bug 752. Bugfix
on 0.0.9rc5. Diagnosed by BarkerJr.
- If we overrun our per-second write limits a little, count this as
having used up our write allocation for the second, and choke
outgoing directory writes. Previously, we had only counted this when
we had met our limits precisely. Fixes bug 824. Patch by rovv.
Bugfix on 0.2.0.x (??).
- Remove the old v2 directory authority 'lefkada' from the default
list. It has been gone for many months.
- Stop doing unaligned memory access that generated bus errors on
sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
- Make USR2 log-level switch take effect immediately. Bugfix on
0.1.2.8-beta.
* Minor bugfixes (controller):
- Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.
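The "User"/"Group" security fix in the 0.2.0.32 entry above is about the order and completeness of credential switching: calling setgid()/setuid() without first clearing the supplementary group list leaves the process a member of every group root was in. The block below is an added example and not Tor's code. It shows the sequence with setgroups() first and a self-check at the end, plus a small model of the group list after each sequence so the difference can be seen without running as root. The user name, gids and group lists are constructed assumptions.

```c
/* Added example, not Tor's code: the credential-switching sequence behind
 * the 0.2.0.32 "User"/"Group" fix. The bug was that setuid()/setgid() were
 * called without first clearing the supplementary group list inherited from
 * root, so the process kept root's extra group memberships. The constructed
 * group lists in the model below are assumptions for the demonstration. */
#define _DEFAULT_SOURCE 1   /* glibc: setgroups() prototype in <grp.h> */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* True if no supplementary group other than `primary` remains. */
int only_primary_group(gid_t primary, const gid_t *groups, int ngroups)
{
    for (int i = 0; i < ngroups; i++)
        if (groups[i] != primary)
            return 0;
    return 1;
}

/* Drop from root to `user`. Order matters: the group list and primary gid
 * must be changed first, because once setuid() has run the process is no
 * longer allowed to call setgroups()/setgid(). Returns 0 on success, -1
 * with errno set. Needs root, so the test does not call it. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    /* Replace the inherited supplementary list with just the primary group
     * (use initgroups(pw->pw_name, pw->pw_gid) instead if the target user's
     * /etc/group memberships are wanted). */
    if (setgroups(1, &pw->pw_gid) != 0)
        return -1;
    if (setgid(pw->pw_gid) != 0)
        return -1;
    if (setuid(pw->pw_uid) != 0)
        return -1;

    /* Verify: the drop must be irreversible and complete. */
    if (setuid(0) == 0 || setgid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    gid_t groups[64];
    int n = getgroups(64, groups);
    if (n < 0)
        return -1;
    if (!only_primary_group(pw->pw_gid, groups, n)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Model of the resulting group list for each sequence, starting from a
 * constructed root list. Returns 1 if supplementary groups survive the
 * drop, 0 if not. */
int drop_leaves_supplementary_groups(int clear_with_setgroups)
{
    const gid_t inherited[] = { 0, 1, 2, 4, 27 };   /* constructed: root's list */
    const gid_t primary = 1000;                     /* constructed: target gid */
    gid_t after[8];
    int n;

    if (clear_with_setgroups) {          /* setgroups(1, &primary) ran first */
        after[0] = primary;
        n = 1;
    } else {                             /* setgid()/setuid() alone: list untouched */
        n = (int)(sizeof inherited / sizeof inherited[0]);
        memcpy(after, inherited, sizeof inherited);
    }
    return !only_primary_group(primary, after, n);
}

int main(int argc, char **argv)
{
    printf("without setgroups: supplementary groups remain = %d\n",
           drop_leaves_supplementary_groups(0));
    printf("with setgroups:    supplementary groups remain = %d\n",
           drop_leaves_supplementary_groups(1));
    if (argc > 1 && geteuid() == 0) {     /* e.g. ./a.out nobody, as root */
        if (drop_privileges(argv[1]) != 0) {
            perror("drop_privileges");
            return 1;
        }
        printf("now uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    }
    return 0;
}
```

The self-check at the end of drop_privileges() is the part most implementations skip: a setuid() that silently fails, or a group list that was never cleared, is exactly what bugs 848/857 describe, and only reading the credentials back after the switch catches it.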
Thu Sep 4 14:00:00 2008 detlefAATTlinks2linux.de
- new upstream version <0.2.0.31>
* Make sure that two circuits can never exist on the same connection
with the same circuit ID, even if one is marked for close. This
is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
* Relays now reject risky extend cells: if the extend cell includes
a digest of all zeroes, or asks to extend back to the relay that
sent the extend cell, tear down the circuit. Ideas suggested
by rovv.
* If not enough of our entry guards are available so we add a new
one, we might use the new one even if it overlapped with the
current circuit's exit relay (or its family). Anonymity bugfix
pointed out by rovv.
* Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
* Correctly detect the presence of the linux/netfilter_ipv4.h header
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
* Pick size of default geoip filename string correctly on windows.
Fixes bug 806. Bugfix on 0.2.0.30.
* Make the autoconf script accept the obsolete --with-ssl-dir
option as an alias for the actually-working --with-openssl-dir
option. Fix the help documentation to recommend --with-openssl-dir.
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
* Disallow session resumption attempts during the renegotiation
stage of the v2 handshake protocol. Clients should never be trying
session resumption at this point, but apparently some did, in
ways that caused the handshake to fail. Bug found by Geoff Goodell.
Bugfix on 0.2.0.20-rc.
* When using the TransPort option on OpenBSD, and using the User
option to change UID and drop privileges, make sure to open
/dev/pf before dropping privileges. Fixes bug 782. Patch from
Christopher Davis. Bugfix on 0.1.2.1-alpha.
* Try to attach connections immediately upon receiving a RENDEZVOUS2
or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
on the client side when connecting to a hidden service. Bugfix
on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
* When closing an application-side connection because its circuit is
getting torn down, generate the stream event correctly. Bugfix on
0.1.2.x. Anonymous patch.
Sat Aug 2 14:00:00 2008 detlefAATTlinks2linux.de
- new upstream version <0.2.0.30>
Wed Jun 25 14:00:00 2008 guruAATTunixtech.be
- added patch to build with GCC 4.3 on openSUSE 11.0
Thu Mar 20 13:00:00 2008 detlefAATTlinks2linux.de
- fix init.d path in logrotate script, thx to Erwin Lam
Tue Jan 29 13:00:00 2008 detlefAATTlinks2linux.de
- new upstream version <0.1.2.19>
Tue Nov 6 13:00:00 2007 detlefAATTlinks2linux.de
- initial build for packman <0.1.2.18>
Wed Oct 17 14:00:00 2007 phobosAATTrootme.org
- Remove tor_gencert as this feature isn\'t backported yet.