update for tor

- tor 0.2.4.22 [bnc#878486]
  Tor was updated to the recommended version of the 0.2.4.x series.
  - major features in 0.2.4.x:
    - improved client resilience
    - support better link encryption with forward secrecy
    - new NTor circuit handshake
    - change relay queue for circuit create requests from size-based
      limit to time-based limit
    - many bug fixes and minor features
  - changes contained in 0.2.4.22:
    Backports numerous high-priority fixes. These include blocking
    all authority signing keys that may have been affected by the
    OpenSSL "heartbleed" bug, choosing a far more secure set of TLS
    ciphersuites by default, and closing a couple of memory leaks that
    could be used to run a target relay out of RAM.
    - Major features (security):
      - Block authority signing keys that were used on authorities
        vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
    - Major bugfixes (security, OOM):
      - Fix a memory leak that could occur if a microdescriptor parse
        fails during the tokenizing step.
    - Major bugfixes (TLS cipher selection):
      - The relay ciphersuite list is now generated automatically based
        on uniform criteria, and includes all OpenSSL ciphersuites with
        acceptable strength and forward secrecy.
      - Relays now trust themselves to have a better view than clients
        of which TLS ciphersuites are better than others.
      - Clients now try to advertise the same list of ciphersuites as
        Firefox 28.
  - includes changes from 0.2.4.21:
    Further improves security against potential adversaries who find
    breaking 1024-bit crypto doable, and backports several stability
    and robustness patches from the 0.2.5 branch.
    - Major features (client security):
      - When we choose a path for a 3-hop circuit, make sure it contains
        at least one relay that supports the NTor circuit extension
        handshake. Otherwise, there is a chance that we're building
        a circuit that's worth attacking by an adversary who finds
        breaking 1024-bit crypto doable, and that chance changes the game
        theory.
    - Major bugfixes:
      - Do not treat streams that fail with reason
        END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
        since it could also indicate an ENETUNREACH connection error.
  - includes changes from 0.2.4.20:
    - Do not allow OpenSSL engines to replace the PRNG, even when
      HardwareAccel is set.
    - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
      address.
    - Avoid launching spurious extra circuits when a stream is pending.
  - packaging changes:
    - remove init script shadowing systemd unit
    - general cleanup
    - Add tor-fw-helper for UPnP port forwarding; not used by default
    - fix logrotate on systemd-only setups without init scripts,
      work tor-0.2.2.37-logrotate.patch to tor-0.2.4.x-logrotate.patch
    - verify source tarball signature

Fixed bugs
bnc#878486
tor upgrade to 0.2.4.22