#18456: Exits on 0.2.7 publicise all their IP addresses in their descriptor
--------------------------+------------------------------------
 Reporter:  teor          |          Owner:
     Type:  defect        |         Status:  needs_review
 Priority:  Medium        |      Milestone:  Tor: 0.2.9.x-final
Component:  Core Tor/Tor  |        Version:  Tor: 0.2.7.2-alpha
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:  0.2
Parent ID:                |         Points:  3
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------
Changes (by teor):

 * status:  new => needs_review
 * actualpoints:   => 0.2

Comment:

 Please see my branch bug18456 on https://github.com/teor2345/tor.git

 The corresponding torspec patch is in #19453.

 I fixed this issue by making ExitPolicyRejectPrivate only reject IP
 addresses we are going to put in the descriptor anyway (that is, the
 relay's advertised IPv4 and IPv6 address).

 Then, I added another option ExitPolicyRejectLocalInterfaces that also
 blocks the IPv4 and IPv6 OutboundBindAddresses, and the configured port
 addresses, and any interface addresses.

 (If a specific bind address is configured for the ORPort and DirPort, it
 is included by both options. This is ok, and necessary because of
 public-to-public address redirection. Also, any duplicate rules are
 removed.)

 I didn't modify the sample torrcs, but I can do that if we think it's a
 good idea.

 I made this patch on master because we've made multiple changes to this
 code since 0.2.7.2-alpha. And it's not really a security issue.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18456#comment:6>
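
A simplified model of the behaviour described in the comment above, added here as an example (it is not code from the bug18456 branch or from Tor): it lists which of a relay's own addresses each option puts into the exit policy beyond the ones the descriptor already advertises. The `RelayConfig` field names and the sample addresses are constructed, and the private-network rules are left out of the model.

```python
# Added example: simplified model, not Tor's implementation.
# Field names and sample addresses are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field, replace

@dataclass
class RelayConfig:
    advertised: list                                         # published in the descriptor anyway
    orport_dirport_bind: list = field(default_factory=list)  # explicit ORPort/DirPort bind addresses
    outbound_bind: list = field(default_factory=list)        # OutboundBindAddress values
    other_port_addrs: list = field(default_factory=list)     # other configured port addresses
    interfaces: list = field(default_factory=list)           # addresses on local interfaces
    reject_private: bool = True                              # ExitPolicyRejectPrivate
    reject_local_interfaces: bool = False                    # ExitPolicyRejectLocalInterfaces

def reject_addresses(cfg):
    """Relay-own addresses the exit policy rejects, in order, duplicates removed."""
    picked = []
    if cfg.reject_private:
        picked += cfg.advertised + cfg.orport_dirport_bind
    if cfg.reject_local_interfaces:
        picked += (cfg.orport_dirport_bind + cfg.outbound_bind
                   + cfg.other_port_addrs + cfg.interfaces)
    seen, ordered = set(), []
    for raw in picked:
        addr = ipaddress.ip_address(raw)  # parse so equal addresses compare equal
        if addr not in seen:
            seen.add(addr)
            ordered.append(addr)
    return ordered

def disclosed_extra(cfg):
    """Rejected addresses that the descriptor would not otherwise reveal."""
    public = {ipaddress.ip_address(a) for a in cfg.advertised}
    return [str(a) for a in reject_addresses(cfg) if a not in public]

# Constructed sample relay using documentation-range addresses.
SAMPLE = RelayConfig(
    advertised=["203.0.113.10", "2001:db8::10"],
    orport_dirport_bind=["203.0.113.10"],
    outbound_bind=["198.51.100.7"],
    other_port_addrs=["192.0.2.44"],
    interfaces=["203.0.113.10", "198.51.100.7", "2001:DB8::10", "192.0.2.99"],
)

if __name__ == "__main__":
    print("RejectPrivate only:", disclosed_extra(SAMPLE))
    both = replace(SAMPLE, reject_local_interfaces=True)
    print("plus RejectLocalInterfaces:", disclosed_extra(both))
```

In the model, a relay whose ORPort bind address differs from its advertised address still has that bind address rejected, and so disclosed, under ExitPolicyRejectPrivate alone, which matches the parenthetical in the comment.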