Commit a84f923e authored by Nick Mathewson

Begin an 0.2.4.28 changelog.

To build this changelog, I've gone through the entries in
release-0.2.4's changes subdirectory, and looked up the ChangeLog
entry for each.  I have not sorted them yet.
parent 2e03c02b
+115 −0
Changes in version 0.2.4.28 - 2017-03-??
  Tor 0.2.4.28 backports a number of security fixes from later Tor
  releases.  Anybody running Tor 0.2.4.27 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series.
  Note that support for Tor 0.2.4.x is ending soon: we will not issue
  any fixes for the Tor 0.2.4.x series after 1 August 2017.  If you need
  a Tor release series with long-term support, we recomment Tor 0.2.9.x.
  o Directory authority changes (backport from 0.2.8.5-rc):
    - Urras is no longer a directory authority. Closes ticket 19271.
  o Directory authority changes (backport from 0.2.9.2-alpha):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.
  o Directory authority key updates (backport from 0.2.8.1-alpha):
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".
  o Minor features (DoS-resistance, backport from 0.2.7.1-alpha):
    - Make it harder for attackers to overload hidden services with
      introductions, by blocking multiple introduction requests on the
      same circuit. Resolves ticket 15515.
  o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
      a client authorized hidden service. Fixes bug 15823; bugfix
      on 0.2.1.6-alpha.
  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.
  o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
    - Fix an error that could cause us to read 4 bytes before the
      beginning of an openssl string. This bug could be used to cause
      Tor to crash on systems with unusual malloc implementations, or
      systems with unusual hardening installed. Fixes bug 17404; bugfix
      on 0.2.3.6-alpha.
  o Major bugfixes (guard selection, backport from 0.2.7.6):
    - Actually look at the Guard flag when selecting a new directory
      guard. When we implemented the directory guard design, we
      accidentally started treating all relays as if they have the Guard
      flag during guard selection, leading to weaker anonymity and worse
      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
      by Mohsen Imani.
  o Minor bugfixes (compilation, backport from 0.2.7.6)
    - Fix a compilation warning with Clang 3.6: Do not check the
      presence of an address which can never be NULL. Fixes bug 17781.
  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.
  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
      patch by "teor".
  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.
  o Major features (security fixes, backport from 0.2.9.4-alpha):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).
  o Major bugfixes (parsing, security, backport from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.
  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.
  o Major bugfixes (parsing, also in 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor versions.
      This bug is harmless, except when Tor has been built with
      --enable-expensive-hardening, which would turn it into a crash;
      or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with
      -ftrapv by default.
      Part of TROVE-2017-001. Fixes bug 21278; bugfix on
      0.0.8pre1. Found by OSS-Fuzz.
Changes in version 0.2.4.27 - 2015-04-06
  Tor 0.2.4.27 backports two fixes from 0.2.6.7 for security issues that
  could be used by an attacker to crash hidden services, or crash clients
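Review bot: "recomment" in the end-of-support note of the 0.2.4.28 introduction should be "recommend". Three smaller points in the same hunk: the header "o Minor bugfixes (compilation, backport from 0.2.7.6)" lacks the trailing colon that every other section header has; the final entry (bug 21278) breaks its paragraph after "-ftrapv by default." so that "Part of TROVE-2017-001." starts a short line, and rewrapping it would match the other entries; and that entry's header says "also in 0.3.0.4-rc" where the rest use "backport from", so the label should be made consistent or the difference explained. The "2017-03-??" date placeholder needs filling in before release.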

changes/19271

deleted 100644 → 0
+0 −2
  o Directory authority changes:
    - Urras is no longer a directory authority. Closes ticket 19271.

changes/bifroest

deleted 100644 → 0
+0 −3
  o Directory authority changes (also in 0.2.8.7):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.
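Review bot: the header of this deleted entry reads "(also in 0.2.8.7)", while the ChangeLog entry added for the same text is labelled "backport from 0.2.9.2-alpha". The two name different releases for one change, so it is worth confirming that the 0.2.9.2-alpha label in the ChangeLog is the intended one.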

changes/bug15515

deleted 100644 → 0
+0 −4
  o Minor features (DoS-resistance):
    - Make it harder for attackers to overwhelm hidden services with
      introductions, by blocking multiple introduction requests on the
      same circuit. Resolves ticket #15515.

changes/bug15823

deleted 100644 → 0
+0 −4
  o Minor bugfixes (hidden service):
    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
      on a client authorized hidden service. Fixes bug 15823; bugfix
      on 0.2.1.6-alpha.