On Thu, Dec 4, 2008 at 11:34 AM, <[EMAIL PROTECTED]> wrote: > Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu packages > (and maybe other packages) noticed by Theo de Raadt, fixes a smaller > security flaw that might allow an attacker to access local services, > further improves hidden service performance, and fixes a variety of > other issues.
Are there any bugs open with Debian/Ubuntu to get these merged into the security branches? I haven't checked Debian, but Ubuntu 8.10 is currently still at 0.31. > > https://www.torproject.org/download.html > > Or use our new https://www.torproject.org/easy-download page. > > Changes in version 0.2.0.32 - 2008-11-20 > o Security fixes: > - The "User" and "Group" config options did not clear the > supplementary group entries for the Tor process. The "User" option > is now more robust, and we now set the groups to the specified > user's primary group. The "Group" option is now ignored. For more > detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL > in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum > and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857. > - The "ClientDNSRejectInternalAddresses" config option wasn't being > consistently obeyed: if an exit relay refuses a stream because its > exit policy doesn't allow it, we would remember what IP address > the relay said the destination address resolves to, even if it's > an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv. > > o Major bugfixes: > - Fix a DOS opportunity during the voting signature collection process > at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x. > > o Major bugfixes (hidden services): > - When fetching v0 and v2 rendezvous service descriptors in parallel, > we were failing the whole hidden service request when the v0 > descriptor fetch fails, even if the v2 fetch is still pending and > might succeed. Similarly, if the last v2 fetch fails, we were > failing the whole hidden service request even if a v0 fetch is > still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha. > - When extending a circuit to a hidden service directory to upload a > rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all > requests failed, because the router descriptor has not been > downloaded yet. In these cases, do not attempt to upload the > rendezvous descriptor, but wait until the router descriptor is > downloaded and retry. Likewise, do not attempt to fetch a rendezvous > descriptor from a hidden service directory for which the router > descriptor has not yet been downloaded. Fixes bug 767. Bugfix > on 0.2.0.10-alpha. > > o Minor bugfixes: > - Fix several infrequent memory leaks spotted by Coverity. > - When testing for libevent functions, set the LDFLAGS variable > correctly. Found by Riastradh. > - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from > bootstrapping with tunneled directory connections. Bugfix on > 0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam. > - When asked to connect to A.B.exit:80, if we don't know the IP for A > and we know that server B rejects most-but-not all connections to > port 80, we would previously reject the connection. Now, we assume > the user knows what they were asking for. Fixes bug 752. Bugfix > on 0.0.9rc5. Diagnosed by BarkerJr. > - If we overrun our per-second write limits a little, count this as > having used up our write allocation for the second, and choke > outgoing directory writes. Previously, we had only counted this when > we had met our limits precisely. Fixes bug 824. Patch from by rovv. > Bugfix on 0.2.0.x. > - Remove the old v2 directory authority 'lefkada' from the default > list. It has been gone for many months. > - Stop doing unaligned memory access that generated bus errors on > sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862. > - Make USR2 log-level switch take effect immediately. Bugfix on > 0.1.2.8-beta. > > o Minor bugfixes (controller): > - Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on > 0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807. > > -- > Andrew > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > > iD8DBQFJOBSYO50JPzGwl0sRAo63AJ9uVH8Rk0CSf9PXPlWfQuxqTt1IzQCeMtFB > hvuayLifVdMBanIy2Za6y5M= > =UkKO > -----END PGP SIGNATURE----- > >