CVSROOT:        /cvs
Module name:    ports
Changes by:     pas...@cvs.openbsd.org  2012/05/26 05:08:45

Modified files:
        net/tor        : Makefile distinfo 
        net/tor/patches: patch-configure 

Log message:
Update to tor 0.2.2.36, including SECURITY fixes and various other bugfixes.

- Never use a bridge or a controller-supplied node as an exit, even
if its exit policy allows it.
- Only build circuits if we have a sufficient threshold of the total
descriptors that are marked in the consensus with the "Exit"
flag.
- Provide controllers with a safer way to implement the cookie
authentication mechanism. With the old method, if another locally
running program could convince a controller that it was the Tor
process, then that program could trick the controller into telling
it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
authentication method uses a challenge-response approach to prevent
this attack.

We are not affected by the openssl vulnerability.

Full release notes:
https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes

ok sthen@ jasper@
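
The SAFECOOKIE exchange mentioned in the log message, sketched as an added example (not part of the commit and not Tor's own code). The two HMAC key strings are the ones Tor's control-spec defines for SAFECOOKIE; the class and function names are hypothetical, the control-port text framing is replaced by plain method calls, and the 32-byte file is constructed.

```python
import hashlib
import hmac
import os

# HMAC-SHA256 key strings as defined for SAFECOOKIE in Tor's control-spec.
SERVER_KEY = b"Tor safe cookie authentication server-to-controller hash"
CLIENT_KEY = b"Tor safe cookie authentication controller-to-server hash"

def mac(key, cookie, client_nonce, server_nonce):
    return hmac.new(key, cookie + client_nonce + server_nonce, hashlib.sha256).digest()

class RealTor:
    """Hypothetical stand-in for the Tor process, which knows the cookie."""
    def __init__(self, cookie):
        self.cookie = cookie
    def authchallenge(self, client_nonce):
        self.nonces = (client_nonce, os.urandom(32))
        return mac(SERVER_KEY, self.cookie, *self.nonces), self.nonces[1]
    def authenticate(self, client_hash):
        return hmac.compare_digest(mac(CLIENT_KEY, self.cookie, *self.nonces), client_hash)

class Impostor:
    """Hypothetical local program posing as Tor; it does not know the file."""
    def authchallenge(self, client_nonce):
        return os.urandom(32), os.urandom(32)
    def authenticate(self, data):
        return True

def legacy_cookie_auth(peer, file_bytes):
    """Old method: the file contents themselves go to whoever is listening."""
    sent = [file_bytes]
    return peer.authenticate(file_bytes), sent

def safecookie_auth(peer, file_bytes):
    """SAFECOOKIE: the peer must first prove it already knows the file."""
    client_nonce = os.urandom(32)
    sent = [client_nonce]
    server_hash, server_nonce = peer.authchallenge(client_nonce)
    expected = mac(SERVER_KEY, file_bytes, client_nonce, server_nonce)
    if not hmac.compare_digest(expected, server_hash):
        return False, sent  # peer failed the challenge: send nothing more
    client_hash = mac(CLIENT_KEY, file_bytes, client_nonce, server_nonce)
    sent.append(client_hash)
    return peer.authenticate(client_hash), sent

if __name__ == "__main__":
    secret = b"constructed-32-byte-secret-file!"  # constructed sample, 32 bytes
    print(legacy_cookie_auth(Impostor(), secret)[1] == [secret])
    print(safecookie_auth(Impostor(), secret))
    print(safecookie_auth(RealTor(secret), secret)[0])
```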
