Commit de73e369 authored by Roger Dingledine

merge in the safecookie changelog entry too

parent 65bf007a
......@@ -7,6 +7,13 @@ Changes in version 0.2.3.13-alpha - 2012-03-26
- Change IP address for maatuska (v3 directory authority).
 
o Security fixes:
- Provide controllers with a safer way to implement the cookie
authentication mechanism. With the old method, if another locally
running program could convince a controller that it was the Tor
process, then that program could trick the contoller into telling
it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
authentication method uses a challenge-response approach to prevent
this attack. Fixes bug 5185, implements proposal 193.
- Never use a bridge or a controller-supplied node as an exit, even
if its exit policy allows it. Found by wanoskarnet. Fixes bug
5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
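Review bot: "contoller" in the fourth line of the added SAFECOOKIE entry is a typo for "controller" and should be fixed before it lands in the 0.2.3.13-alpha notes. The entry also leaves open whether the old cookie method is still accepted alongside "SAFECOOKIE"; since it already cites proposal 193, one clause telling controller authors which method to use would make the entry actionable.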
......
o Security Features:
- Provide controllers with a safer way to implement the cookie
authentication mechanism. With the old method, if another locally
running program could convince a controller that it was the Tor
process, then that program could trick the contoller into
telling it the contents of an arbitrary 32-byte file. The new
"SAFECOOKIE" authentication method uses a challenge-response
approach to prevent this. Fixes bug 5185, implements proposal 193.
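Review bot: The heading on this copy of the entry, "o Security Features:", disagrees with the ChangeLog hunk, which files the same text under "o Security fixes:"; pick one category so the entry is not classified two ways. The same "contoller" typo appears here in "trick the contoller into", and the closing wording differs slightly ("to prevent this" here, "to prevent this attack" in the ChangeLog), so the two copies should be brought into line.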