From mboxrd@z Thu Jan 1 00:00:00 1970
From: contact.ng0@cryptolab.net
Subject: tor: update to 0.2.9.9
Date: Tue, 24 Jan 2017 11:19:33 +0000
Message-ID: <20170124111934.16080-1-contact.ng0@cryptolab.net>
List-Id: "Development of GNU Guix and the GNU System distribution."
Sender: "Guix-devel"
To: guix-devel@gnu.org

This updates tor. I have seen no one prepare or commit a patch for this.

Paste from the announcement email:

Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could cause
relays and clients to crash, even if they were not built with the
--enable-expensive-hardening option. This bug affects all 0.2.9.x
versions, and also affects 0.3.0.1-alpha: all relays running an affected
version should upgrade.
This release also resolves a client-side onion service reachability bug,
and resolves a pair of small portability issues.

Changes in version 0.2.9.9 - 2017-01-23
  o Major bugfixes (security):
    - Downgrade the "-ftrapv" option from "always on" to "only on when
      --enable-expensive-hardening is provided." This hardening option,
      like others, can turn survivable bugs into crashes -- and having
      it on by default made a (relatively harmless) integer overflow bug
      into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
      bugfix on 0.2.9.1-alpha.

  o Major bugfixes (client, onion service):
    - Fix a client-side onion service reachability bug, where multiple
      socks requests to an onion service (or a single slow request)
      could cause us to mistakenly mark some of the service's
      introduction points as failed, and we cache that failure so
      eventually we run out and can't reach the service. Also resolves a
      mysterious "Remote server sent bogus reason code 65021" log
      warning. The bug was introduced in ticket 17218, where we tried to
      remember the circuit end reason as a uint16_t, which mangled
      negative values. Partially fixes bug 21056 and fixes bug 20307;
      bugfix on 0.2.8.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (portability):
    - Avoid crashing when Tor is built using headers that contain
      CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
      without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix on
      0.2.9.1-alpha.
    - Fix Libevent detection on platforms without Libevent 1 headers
      installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
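
Added example, not part of the original email and not code from the Tor source: the uint16_t mangling named in the onion service fix, reproduced in isolation. The struct and function names are hypothetical; the only value taken from the changelog is 65021, which is what the signed value -515 becomes after a store into an unsigned 16-bit field.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical records (not Tor's structs): the lossy layout keeps the
 * end reason in an unsigned 16-bit field, the fixed layout in an int. */
struct failure_u16 { uint16_t reason; };
struct failure_int { int reason; };

/* Lossy store: a negative reason is reduced modulo 65536 on assignment. */
static void remember_u16(struct failure_u16 *f, int reason)
{
    f->reason = (uint16_t)reason;
}

/* Reading back promotes to int, so the sign is gone for good. */
static int recall_u16(const struct failure_u16 *f)
{
    return f->reason;
}

/* Lossless store: the field is as wide and as signed as the source. */
static void remember_int(struct failure_int *f, int reason)
{
    f->reason = reason;
}

static int recall_int(const struct failure_int *f)
{
    return f->reason;
}

/* Log triage helper: map a code that passed through a uint16_t back to
 * the signed 16-bit value it would have started as. Values below 32768
 * are returned unchanged. */
static int unmangle_u16(int logged)
{
    return logged >= 32768 ? logged - 65536 : logged;
}

int main(void)
{
    struct failure_u16 a;
    struct failure_int b;
    remember_u16(&a, -515);   /* constructed input */
    remember_int(&b, -515);
    printf("u16 field: %d, int field: %d, unmangled: %d\n",
           recall_u16(&a), recall_int(&b), unmangle_u16(recall_u16(&a)));
    return 0;
}
```
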