Tor 0.2.8.6 is released!
Date: 2016-08-09 Source: torproject.org Author: nickm
- Reject attempts to change our Address with “Sandbox 1” enabled. Changing Address with Sandbox turned on would never actually work, but previously it would fail in strange and confusing ways. Found while fixing 18548.
Minor features (logging):
- When logging to syslog, allow a tag to be added to the syslog identity (the string prepended to every log message). The tag can be configured with SyslogIdentityTag and defaults to none. Setting it to “foo” will cause logs to be tagged as “Tor-foo”. Closes ticket 17194.
Minor features (portability):
- Use timingsafe_memcmp() where available. Closes ticket 17944; patch from <logan@hackers.mu>.
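The point of timingsafe_memcmp() is that comparison time must not depend on where the first differing byte sits. The following is an added example, not Tor's code or the patch from the ticket: a portable constant-time equality check (the name `ct_memeq` and the contrasting `leaky_memeq` are hypothetical) that visits every byte and folds the result with unsigned arithmetic rather than an early-exit branch.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constant-time equality check for two buffers of n bytes. Every byte is
 * visited and the result is folded without a data-dependent branch, so the
 * running time does not leak the position of the first mismatch.
 * Returns 1 if equal, 0 otherwise (n == 0 counts as equal).
 * Hypothetical helper written for this example, not Tor's tor_memeq(). */
int ct_memeq(const void *a, const void *b, size_t n)
{
    const volatile unsigned char *pa = (const volatile unsigned char *)a;
    const volatile unsigned char *pb = (const volatile unsigned char *)b;
    unsigned int acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= (unsigned int)(pa[i] ^ pb[i]);  /* non-zero iff any byte differs */

    /* Map acc to 1 (some difference) or 0 (none) using unsigned ops only:
     * for 0 < acc < 256, (acc | -acc) has its top bit set; for 0 it does not. */
    acc = (acc | (0u - acc)) >> (sizeof(unsigned int) * CHAR_BIT - 1);
    return (int)(1u - acc);
}

/* Variable-time comparison shown for contrast: memcmp() may stop at the
 * first differing byte, so wall-clock time depends on the secret. Do not
 * use it for MAC tags, session tokens or password hashes. */
int leaky_memeq(const void *a, const void *b, size_t n)
{
    return memcmp(a, b, n) == 0;
}

int main(void)
{
    /* Constructed 32-byte tags: the second differs only in the last byte. */
    unsigned char expected[32], received[32];
    memset(expected, 0x42, sizeof expected);
    memcpy(received, expected, sizeof received);
    received[31] ^= 0x01;
    printf("ct_memeq: %d (expected 0)\n",
           ct_memeq(expected, received, sizeof expected));
    received[31] ^= 0x01;
    printf("ct_memeq: %d (expected 1)\n",
           ct_memeq(expected, received, sizeof expected));
    return 0;
}
```

The volatile reads keep the compiler from short-circuiting the loop; where the platform provides timingsafe_memcmp(), timingsafe_bcmp() or CRYPTO_memcmp(), prefer those, since they are maintained against the compilers and CPUs the platform ships with.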
Minor features (relay, address discovery):
- Add a family argument to get_interface_addresses_raw() and subfunctions to make network interface address interrogation more efficient. Now Tor can specifically ask for IPv4, IPv6 or both types of interfaces from the operating system. Resolves ticket 17950.
- When get_interface_address6_list(.,AF_UNSPEC,.) is called and fails to enumerate interface addresses using the platform-specific API, have it rely on the UDP socket fallback technique to try and find out what IP addresses (both IPv4 and IPv6) our machine has. Resolves ticket 17951.
Minor features (replay cache):
- The replay cache now uses SHA256 instead of SHA1. Implements feature 8961. Patch by teor, issue reported by rransom.
Minor features (robustness):
- Exit immediately with an error message if the code attempts to use Libevent without having initialized it. This should resolve some frequently-made mistakes in our unit tests. Closes ticket 18241.
Minor features (security, clock):
- Warn when the system clock appears to move back in time (when the state file was last written in the future). Tor doesn’t know that consensuses have expired if the clock is in the past. Patch by teor. Implements ticket 17188.
Minor features (security, exit policies):
- ExitPolicyRejectPrivate now rejects more private addresses by default. Specifically, it now rejects the relay’s outbound bind addresses (if configured), and the relay’s configured port addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on 0.2.0.11-alpha. Patch by teor.
Minor features (security, memory erasure):
- Make memwipe() do nothing when passed a NULL pointer or buffer of zero size. Check size argument to memwipe() for underflow. Fixes bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by “gk”, patch by teor.
- Set the unused entries in a smartlist to NULL. This helped catch a (harmless) bug, and shouldn’t affect performance too much. Implements ticket 17026.
- Use SecureMemoryWipe() function to securely clean memory on Windows. Previously we’d use OpenSSL’s OPENSSL_cleanse() function. Implements feature 17986.
- Use explicit_bzero or memset_s when present. Previously, we’d use OpenSSL’s OPENSSL_cleanse() function. Closes ticket 7419; patches from <logan@hackers.mu> and <selven@hackers.mu>.
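The two memwipe() items above (NULL/zero-size handling with an underflow check on the size, and preferring a non-elidable primitive such as memset_s or explicit_bzero) are illustrated by the following added example. It is not Tor's memwipe(); the function names, the `WIPE_SIZE_CEILING` value and the sample key buffer are constructed for this example.

```c
#define __STDC_WANT_LIB_EXT1__ 1   /* ask for memset_s() if the C library implements Annex K */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed ceiling: a size this large almost certainly came from an
 * underflowed subtraction (e.g. len - hdrlen with hdrlen > len), not from a
 * real buffer. Tor uses its own limit; this value is an assumption. */
#define WIPE_SIZE_CEILING (SIZE_MAX / 2)

/* Erase sz bytes at mem so a later memory disclosure cannot recover them.
 * Returns the number of bytes wiped: 0 for a NULL pointer, a zero size or
 * an implausible (underflowed) size, otherwise sz.
 * Hypothetical helper written for this example, not Tor's memwipe(). */
size_t safe_memwipe(void *mem, size_t sz)
{
    if (mem == NULL || sz == 0)
        return 0;                     /* nothing to do; not an error */
    if (sz > WIPE_SIZE_CEILING)
        return 0;                     /* refuse an underflowed size instead of scribbling over memory */

#if defined(__STDC_LIB_EXT1__)
    /* memset_s() is specified never to be optimised away. */
    memset_s(mem, sz, 0, sz);
#else
    /* Portable fallback: stores through a volatile pointer cannot be dropped
     * by the compiler as dead stores the way a plain memset() right before
     * free() can. explicit_bzero() is preferable where it exists. */
    volatile unsigned char *p = (volatile unsigned char *)mem;
    size_t i;
    for (i = 0; i < sz; i++)
        p[i] = 0;
#endif
    return sz;
}

/* Check helper: 1 if every byte of the buffer is zero, else 0. */
int all_zero(const void *mem, size_t sz)
{
    const unsigned char *p = (const unsigned char *)mem;
    size_t i;
    for (i = 0; i < sz; i++)
        if (p[i] != 0)
            return 0;
    return 1;
}

/* Scratch buffer used by main() and by the edge-case checks below. */
unsigned char scratch[16];

/* Fill a constructed key buffer, wipe it, and report whether the wipe took.
 * Returns 1 when the full wipe succeeded, 0 otherwise. */
int wipe_roundtrip_ok(void)
{
    unsigned char key[32];            /* stand-in for key material */
    memset(key, 0xAB, sizeof key);
    if (safe_memwipe(key, sizeof key) != sizeof key)
        return 0;
    return all_zero(key, sizeof key);
}

int main(void)
{
    printf("roundtrip ok: %d\n", wipe_roundtrip_ok());
    /* The edge cases the ticket describes: NULL, zero, and an underflowed size. */
    printf("NULL -> %zu, zero -> %zu, underflow -> %zu\n",
           safe_memwipe(NULL, 16), safe_memwipe(scratch, 0),
           safe_memwipe(scratch, (size_t)0 - 4));
    return 0;
}
```

Returning 0 rather than asserting on the underflow case is a design choice for this example; the defensive point is the same either way: a size that wrapped around must never reach the wipe loop, because it would turn a cleanup routine into a wild write.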
Minor features (security, RNG):
- Adjust Tor’s use of OpenSSL’s RNG APIs so that they absolutely, positively are not allowed to fail. Previously we depended on internal details of OpenSSL’s behavior. Closes ticket 17686.
- Never use the system entropy output directly for anything besides seeding the PRNG. When we want to generate important keys, instead of using system entropy directly, we now hash it with the PRNG stream. This may help resist certain attacks based on broken OS entropy implementations. Closes part of ticket 17694.
- Use modern system calls (like getentropy() or getrandom()) to generate strong entropy on platforms that have them. Closes ticket 13696.
Minor features (security, win32):
- Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing attack. Fixes bug 18123; bugfix on all tor versions. Patch by teor.
Minor features (unix domain sockets):
- Add a new per-socket option, RelaxDirModeCheck, to allow creating Unix domain sockets without checking the permissions on the parent directory. (Tor checks permissions by default because some operating systems only check permissions on the parent directory. However, some operating systems do look at permissions on the socket, and tor’s default check is unneeded.) Closes ticket 18458. Patch by weasel.
Minor features (unix file permissions):
- Defer creation of Unix sockets until after setuid. This avoids needing CAP_CHOWN and CAP_FOWNER when using systemd’s CapabilityBoundingSet, or chown and fowner when using SELinux. Implements part of ticket 17562. Patch from Jamie Nguyen.
- If any directory created by Tor is marked as group readable, the filesystem group is allowed to be either the default GID or the root user. Allowing root to read the DataDirectory prevents the need for CAP_READ_SEARCH when using systemd’s CapabilityBoundingSet, or dac_read_search when using SELinux. Implements part of ticket 17562. Patch from Jamie Nguyen.
- Introduce a new DataDirectoryGroupReadable option. If it is set to 1, the DataDirectory will be made readable by the default GID. Implements part of ticket 17562. Patch from Jamie Nguyen.
Minor bugfixes (accounting):
- The max bandwidth when using ‘AccountingRule sum’ is now correctly logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha. Patch from “unixninja92”.
Minor bugfixes (assert, portability):