File _patchinfo of Package patchinfo

<patchinfo>
  <issue id="878486" tracker="bnc">tor upgrade to 0.2.4.22</issue>
  <issue id="CVE-2014-0160" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>AndreasStieger</packager>
  <description>
- tor 0.2.4.22 [bnc#878486]
  Tor was updated to the recommended version of the 0.2.4.x series.
- major features in 0.2.4.x:
  - improved client resilience
  - support better link encryption with forward secrecy
  - new NTor circuit handshake
  - change relay queue for circuit create requests from size-based
    limit to time-based limit
  - many bug fixes and minor features
- changes contained in 0.2.4.22:
  Backports numerous high-priority fixes. These include blocking
  all authority signing keys that may have been affected by the
  OpenSSL "heartbleed" bug, choosing a far more secure set of TLS
  ciphersuites by default, and closing a couple of memory leaks that
  could be used to run a target relay out of RAM.
  - Major features (security):
    - Block authority signing keys that were used on authorities
      vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160).
  - Major bugfixes (security, OOM):
    - Fix a memory leak that could occur if a microdescriptor parse
      fails during the tokenizing step.
  - Major bugfixes (TLS cipher selection):
    - The relay ciphersuite list is now generated automatically based
      on uniform criteria, and includes all OpenSSL ciphersuites with
      acceptable strength and forward secrecy.
    - Relays now trust themselves to have a better view than clients
      of which TLS ciphersuites are better than others.
    - Clients now try to advertise the same list of ciphersuites as
      Firefox 28.
- includes changes from 0.2.4.21:
  Further improves security against potential adversaries who find
  breaking 1024-bit crypto doable, and backports several stability
  and robustness patches from the 0.2.5 branch.
  - Major features (client security):
    - When we choose a path for a 3-hop circuit, make sure it contains
      at least one relay that supports the NTor circuit extension
      handshake. Otherwise, there is a chance that we're building
      a circuit that's worth attacking by an adversary who finds
      breaking 1024-bit crypto doable, and that chance changes the game
      theory.
  - Major bugfixes:
    - Do not treat streams that fail with reason
      END_STREAM_REASON_INTERNAL as indicating a definite circuit failure,
      since it could also indicate an ENETUNREACH connection error.
- includes changes from 0.2.4.20:
  - Do not allow OpenSSL engines to replace the PRNG, even when
    HardwareAccel is set.
  - Fix assertion failure when AutomapHostsOnResolve yields an IPv6
    address.
  - Avoid launching spurious extra circuits when a stream is pending.
- packaging changes:
  - remove init script shadowing systemd unit
  - general cleanup
  - Add tor-fw-helper for UPnP port forwarding; not used by default
  - fix logrotate on systemd-only setups without init scripts,
    work tor-0.2.2.37-logrotate.patch to tor-0.2.4.x-logrotate.patch
  - verify source tarball signature
</description>
  <summary>update for tor</summary>
</patchinfo>