Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
T
Tor
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Container Registry
Model registry
Operate
Environments
Monitor
Incidents
Service Desk
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Alexander Hansen Færøy
Tor
Commits
87fca699
Commit
87fca699
authored
4 years ago
by
Nick Mathewson
Browse files
Options
Downloads
Patches
Plain Diff
Pick release date, copy changelog to releasenotes.
parent
a640bebf
No related branches found
Branches containing commit
Tags
tor-0.3.5.10
No related merge requests found
Changes
2
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
ChangeLog
+1
-1
1 addition, 1 deletion
ChangeLog
ReleaseNotes
+93
-0
93 additions, 0 deletions
ReleaseNotes
with
94 additions
and
1 deletion
ChangeLog
+
1
−
1
View file @
87fca699
Changes in version 0.3.5.10 - 2020-03-
??
Changes in version 0.3.5.10 - 2020-03-
18
Tor 0.3.5.10 backports many fixes from later Tor releases, including a
fix for TROVE-2020-002, a major denial-of-service vulnerability that
affected all released Tor instances since 0.2.1.5-alpha. Using this
This diff is collapsed.
Click to expand it.
ReleaseNotes
+
93
−
0
View file @
87fca699
...
...
@@ -2,6 +2,99 @@ This document summarizes new features and bugfixes in each stable
release of Tor. If you want to see more detailed descriptions of the
changes in each development snapshot, see the ChangeLog file.
Changes in version 0.3.5.10 - 2020-03-18
Tor 0.3.5.10 backports many fixes from later Tor releases, including a
fix for TROVE-2020-002, a major denial-of-service vulnerability that
affected all released Tor instances since 0.2.1.5-alpha. Using this
vulnerability, an attacker could cause Tor instances to consume a huge
amount of CPU, disrupting their operations for several seconds or
minutes. This attack could be launched by anybody against a relay, or
by a directory cache against any client that had connected to it. The
attacker could launch this attack as much as they wanted, thereby
disrupting service or creating patterns that could aid in traffic
analysis. This issue was found by OSS-Fuzz, and is also tracked
as CVE-2020-10592.
We do not have reason to believe that this attack is currently being
exploited in the wild, but nonetheless we advise everyone to upgrade
as soon as packages are available.
o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
- Fix a denial-of-service bug that could be used by anyone to
consume a bunch of CPU on any Tor relay or authority, or by
directories to consume a bunch of CPU on clients or hidden
services. Because of the potential for CPU consumption to
introduce observable timing patterns, we are treating this as a
high-severity security issue. Fixes bug 33119; bugfix on
0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
as TROVE-2020-002 and CVE-2020-10592.
o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha):
- Correct how we use libseccomp. Particularly, stop assuming that
rules are applied in a particular order or that more rules are
processed after the first match. Neither is the case! In
libseccomp <2.4.0 this lead to some rules having no effect.
libseccomp 2.4.0 changed how rules are generated, leading to a
different ordering, which in turn led to a fatal crash during
startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
Peter Gerber.
o Minor features (continuous integration, backport from 0.4.3.2-alpha):
- Stop allowing failures on the Travis CI stem tests job. It looks
like all the stem hangs we were seeing before are now fixed.
Closes ticket 33075.
o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
- Lowercase the configured value of BridgeDistribution before adding
it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.
o Minor bugfixes (crash, backport from 0.4.2.4-rc):
- When running Tor with an option like --verify-config or
--dump-config that does not start the event loop, avoid crashing
if we try to exit early because of an error. Fixes bug 32407;
bugfix on 0.3.3.1-alpha.
o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
- If we encounter a bug when flushing a buffer to a TLS connection,
only log the bug once per invocation of the Tor process.
Previously we would log with every occurrence, which could cause
us to run out of disk space. Fixes bug 33093; bugfix
on 0.3.2.2-alpha.
o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
- Fix an assertion failure that could result from a corrupted
ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
bugfix on 0.3.3.1-alpha. This issue is also tracked
as TROVE-2020-003.
o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
- Fix a syntax warning given by newer versions of Rust that was
creating problems for our continuous integration. Fixes bug 33212;
bugfix on 0.3.5.1-alpha.
o Testing (backport from 0.4.3.1-alpha):
- Re-enable the Travis CI macOS Chutney build, but don't let it
prevent the Travis job from finishing. (The Travis macOS jobs are
slow, so we don't want to have it delay the whole CI process.)
Closes ticket 32629.
- Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
fix the sandbox errors in 32722. Closes ticket 32240.
o Testing (continuous integration, backport from 0.4.3.1-alpha):
- Use zstd in our Travis Linux builds. Closes ticket 32242.
o Testing (Travis CI, backport from 0.4.3.3-alpha):
- Remove a redundant distcheck job. Closes ticket 33194.
- Sort the Travis jobs in order of speed: putting the slowest jobs
first takes full advantage of Travis job concurrency. Closes
ticket 33194.
- Stop allowing the Chutney IPv6 Travis job to fail. This job was
previously configured to fast_finish (which requires
- When a Travis chutney job fails, use chutney's new "diagnostics.sh"
tool to produce detailed diagnostic output. Closes ticket 32792.
Changes in version 0.3.5.9 - 2019-12-09
Tor 0.3.5.9 backports serveral fixes from later releases, including
several that affect bridge users, relay stability, onion services,
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment