Changes in version 0.2.2.22-alpha - 2011-01-25
Tor 0.2.2.22-alpha fixes a few more less-critical security issues. The
main other change is a slight tweak to Tor's TLS handshake that makes
relays and bridges that run this new version reachable from Iran again.
We don't expect this tweak will win the arms race long-term, but it
will buy us a bit more time until we roll out a better solution.
o Major bugfixes:
- Fix a bounds-checking error that could allow an attacker to
remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
Found by "piebeer".
- Don't assert when changing from bridge to relay or vice versa
via the controller. The assert happened because we didn't properly
initialize our keys in this case. Bugfix on 0.2.2.18-alpha; fixes
bug 2433. Reported by bastik.
o Minor features:
- Adjust our TLS Diffie-Hellman parameters to match those used by
Apache's mod_ssl.
- Provide a log message stating which geoip file we're parsing
instead of just stating that we're parsing the geoip file.
Implements ticket 2432.
o Minor bugfixes:
- Check for and reject overly long directory certificates and
directory tokens before they have a chance to hit any assertions.
Bugfix on 0.2.1.28 / 0.2.2.20-alpha. Found by "doorss".
Changes in version 0.2.2.21-alpha - 2011-01-15
Tor 0.2.2.21-alpha includes all the patches from Tor 0.2.1.29, which
continues our recent code security audit work. The main fix resolves
a remote heap overflow vulnerability that can allow remote code
execution (CVE-2011-0427). Other fixes address a variety of assert
and crash bugs, most of which we think are hard to exploit remotely.
o Major bugfixes (security), also included in 0.2.1.29:
- Fix a heap overflow bug where an adversary could cause heap
corruption. This bug probably allows remote code execution
attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
0.1.2.10-rc.
- Prevent a denial-of-service attack by disallowing any
zlib-compressed data whose compression factor is implausibly
high. Fixes part of bug 2324; reported by "doorss".
- Zero out a few more keys in memory before freeing them. Fixes
bug 2384 and part of bug 2385. These key instances found by
"cypherpunks", based on Andrew Case's report about being able
to find sensitive data in Tor's memory space if you have enough
permissions. Bugfix on 0.0.2pre9.
o Major bugfixes (crashes), also included in 0.2.1.29:
- Prevent calls to Libevent from inside Libevent log handlers.
This had potential to cause a nasty set of crashes, especially
if running Libevent with debug logging enabled, and running
Tor with a controller watching for low-severity log messages.
Bugfix on 0.1.0.2-rc. Fixes bug 2190.
- Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
underflow errors there too. Fixes the other part of bug 2324.
- Fix a bug where we would assert if we ever had a
cached-descriptors.new file (or another file read directly into
memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
on 0.2.1.25. Found by doorss.
- Fix some potential asserts and parsing issues with grossly
malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
Found by doorss.
o Minor bugfixes (other), also included in 0.2.1.29:
- Fix a bug with handling misformed replies to reverse DNS lookup
requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
bug reported by doorss.
- Fix compilation on mingw when a pthreads compatibility library
has been installed. (We don't want to use it, so we shouldn't
be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
- Fix a bug where we would declare that we had run out of virtual
addresses when the address space was only half-exhausted. Bugfix
on 0.1.2.1-alpha.
- Correctly handle the case where AutomapHostsOnResolve is set but
no virtual addresses are available. Fixes bug 2328; bugfix on
0.1.2.1-alpha. Bug found by doorss.
- Correctly handle wrapping around when we run out of virtual
address space. Found by cypherpunks; bugfix on 0.2.0.5-alpha.
o Minor features, also included in 0.2.1.29:
- Update to the January 1 2011 Maxmind GeoLite Country database.
- Introduce output size checks on all of our decryption functions.
o Build changes, also included in 0.2.1.29:
- Tor does not build packages correctly with Automake 1.6 and earlier;
added a check to Makefile.am to make sure that we're building with
Automake 1.7 or later.
- The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
because we built it with a too-old version of automake. Thus that
release broke ./configure --enable-openbsd-malloc, which is popular
among really fast exit relays on Linux.
o Major bugfixes, new in 0.2.2.21-alpha:
- Prevent crash/heap corruption when the cbtnummodes consensus
parameter is set to 0 or large values. Fixes bug 2317; bugfix
on 0.2.2.14-alpha.
o Major features, new in 0.2.2.21-alpha:
- Introduce minimum/maximum values that clients will believe
from the consensus. Now we'll have a better chance to avoid crashes
or worse when a consensus param has a weird value.
o Minor features, new in 0.2.2.21-alpha:
- Make sure to disable DirPort if running as a bridge. DirPorts aren't
used on bridges, and it makes bridge scanning somewhat easier.
- If writing the state file to disk fails, wait up to an hour before
retrying again, rather than trying again each second. Fixes bug
2346; bugfix on Tor 0.1.1.3-alpha.
- Make Libevent log messages get delivered to controllers later,
and not from inside the Libevent log handler. This prevents unsafe
reentrant Libevent calls while still letting the log messages
get through.
- Detect platforms that brokenly use a signed size_t, and refuse to
build there. Found and analyzed by doorss and rransom.
- Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
Resolves bug 2314.
o Minor bugfixes, new in 0.2.2.21-alpha:
- Handle SOCKS messages longer than 128 bytes long correctly, rather
than waiting forever for them to finish. Fixes bug 2330; bugfix
on 0.2.0.16-alpha. Found by doorss.
- Add assertions to check for overflow in arguments to
base32_encode() and base32_decode(); fix a signed-unsigned
comparison there too. These bugs are not actually reachable in Tor,
but it's good to prevent future errors too. Found by doorss.
- Correctly detect failures to create DNS requests when using Libevent
versions before v2. (Before Libevent 2, we used our own evdns
implementation. Its return values for Libevent's evdns_resolve_*()
functions are not consistent with those from Libevent.) Fixes bug
2363; bugfix on 0.2.2.6-alpha. Found by "lodger".
o Documentation, new in 0.2.2.21-alpha:
- Document the default socks host and port (127.0.0.1:9050) for
tor-resolve.
Changes in version 0.2.2.20-alpha - 2010-12-17
Tor 0.2.2.20-alpha does some code cleanup to reduce the risk of remotely
exploitable bugs. We also fix a variety of other significant bugs,
change the IP address for one of our directory authorities, and update
the minimum version that Tor relays must run to join the network.
o Major bugfixes:
- Fix a remotely exploitable bug that could be used to crash instances
of Tor remotely by overflowing on the heap. Remote-code execution
hasn't been confirmed, but can't be ruled out. Everyone should
upgrade. Bugfix on the 0.1.1 series and later.
- Fix a bug that could break accounting on 64-bit systems with large
time_t values, making them hibernate for impossibly long intervals.
Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
- Fix a logic error in directory_fetches_from_authorities() that
would cause all _non_-exits refusing single-hop-like circuits
to fetch from authorities, when we wanted to have _exits_ fetch
from authorities. Fixes more of 2097. Bugfix on 0.2.2.16-alpha;
fix by boboper.
- Fix a stream fairness bug that would cause newer streams on a given
circuit to get preference when reading bytes from the origin or
destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was
introduced before the first Tor release, in svn revision r152.
o Directory authority changes:
- Change IP address and ports for gabelmoo (v3 directory authority).
o Minor bugfixes:
- Avoid crashes when AccountingMax is set on clients. Fixes bug 2235.
Bugfix on 0.2.2.18-alpha. Diagnosed by boboper.
- Fix an off-by-one error in calculating some controller command
argument lengths. Fortunately, this mistake is harmless since
the controller code does redundant NUL termination too. Found by
boboper. Bugfix on 0.1.1.1-alpha.
- Do not dereference NULL if a bridge fails to build its
extra-info descriptor. Found by an anonymous commenter on
Trac. Bugfix on 0.2.2.19-alpha.
o Minor features:
- Update to the December 1 2010 Maxmind GeoLite Country database.
- Directory authorities now reject relays running any versions of
Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
known bugs that keep RELAY_EARLY cells from working on rendezvous
circuits. Followup to fix for bug 2081.
- Directory authorities now reject relays running any version of Tor
older than 0.2.0.26-rc. That version is the earliest that fetches
current directory information correctly. Fixes bug 2156.
- Report only the top 10 ports in exit-port stats in order not to
exceed the maximum extra-info descriptor length of 50 KB. Implements
task 2196.
- Numerix has been ripped out. OCaml's Big_int implementation is
used instead.
- version of Berkeley DB has been upgraded to 4.6.
- The sks.pod file has been added to the src tarball
- Some small changes to index view
GTerm is a C/G telnet client that lets you connect to C64 telnet BBS's with
the correct colours and the correct font. Also included is a client for 64CHAT
called CGChat.
Features
* Open source - runs on Windows, MacOS X, and unix compatibles.
* Full C64 screen and keyboard emulation.
* File download with Xmodem, Xmodem/CRC, Xmodem-1k, and Punter protocols.
* Screen capture to SEQ file, and SEQ file playback.
* Keyboard macros.
* Fullscreen mode.
* and more...
color-theme is an emacs-lisp mode for skinning your emacs.
Features are:
* Huge and extensible theme library
* Easy to use
* Works on pretty all emacs flavours
* Mature source code
Yet another bug in pkg_update_plan introduced in 0.3.0
was fixed (packages were marked as auto-removable incorrectly).
Better algorithm for detecting potential problem was
implemented. Now it checks PROVIDES/REQUIRES consistency and uses
this information for automatically resolving problems.
Also, packages with unchanged version but inconsistent changes in
CONFLICTS/DEPENDS/PROVIDES/REQUIRES are now handled correctly.
Minor fixes and updates in documentation.
TODO:
The compiler itself compiles, but the standard library isn't ported.
Installation hasn't been done yet, so the PLIST is empty.
DESCR:
D is a systems programming language. Its focus is on combining the
power and high performance of C and C++ with the programmer
productivity of modern languages like Ruby and Python. Special
attention is given to the needs of quality assurance, documentation,
management, portability and reliability.
The D language is statically typed and compiles directly to machine
code. It's multiparadigm, supporting many programming styles:
imperative, object oriented, and metaprogramming. It's a member of
the C syntax family, and its appearance is very similar to that of
C++.
It is not governed by a corporate agenda or any overarching theory
of programming. The needs and contributions of the D programming
community form the direction it goes.
etm is an acronym for Event and Task Manager. It provides a simple,
intuitive format for using plain text files to store data, a command
line interface for viewing stored information in a variety of
convenient ways and a cross-platform, wx(python)-based GUI for
creating and modifying items as well as viewing them. Displayed
items can be grouped by date, context, keyword or project and can
be filtered in various ways. A display of busy and free times is
also supported as is a ledger view of time spent that is suitable
for client billing. Alarms are supported for events and repetition
for both events and tasks in a powerful and flexible manner.
nts is an acronym for Note Taking Simplified. It provides a simple,
intuitive format for using plain text files to store notes, a
command line interface for viewing notes in a variety of convenient
ways and a cross-platform, wx(python)-based GUI for creating and
modifying notes as well as viewing them. Displayed items can be
grouped by path or tag and can be filtered in various ways.
