Message ID | 0775a6d8-e774-fb22-3cfe-59a4c058b28d@ipfire.org |
---|---|
State | Accepted |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4MQWvj3yYVz3wbV for <patchwork@web04.haj.ipfire.org>; Sun, 11 Sep 2022 14:14:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4MQWvh0xTTz1fq; Sun, 11 Sep 2022 14:14:56 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4MQWvg71f8z2y3W; Sun, 11 Sep 2022 14:14:55 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4MQWvf64b7z2xG7 for <development@lists.ipfire.org>; Sun, 11 Sep 2022 14:14:54 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4MQWvd0SHgz1L9 for <development@lists.ipfire.org>; Sun, 11 Sep 2022 14:14:52 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1662905694; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cSOov19RpOoAx9Fo/Ejhr1G0Woa3xbwNCp65mRht9ws=; b=NoqhAo5yYZusafTh6OjNiXSXvn+VAc5Yq0B3jmeVDZ5oxnFhYV5MtsB1ObSmSgAYa82lrY Ei5/Tud5JKpmUbBg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1662905694; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cSOov19RpOoAx9Fo/Ejhr1G0Woa3xbwNCp65mRht9ws=; b=mGH+GGLp0STP7gukuFe0b1Z3YEP4PTnGBKmgAD66OuBWK/ityEHsP9WxpJ/hhN+ODKhIAZ Gw/Oarudil5Ombp1Iz948DkFsEhfBhdhnc0bHGoiaKO/3MqH/mI2GmELf2F4SY0ImiH1b9 5zcdKm6s+4heLX1N5X7N+i92Ppvuf2AQ6grNa3KmMO1iupjG+mdk8rUDubG/NmS+A3aUhz bdUC1AwbyZ76s2I4RY6GP1Oox+f9M3jPOYiSClR9Yfl75uLd0QpcI9h42gFy8WRiLpyvJq sh1a5CU895WV8x4gP71hrq78aVpTmrPPEhibLHjoTH6HR37s9X5SYW0Th0lMFA== Message-ID: <0775a6d8-e774-fb22-3cfe-59a4c058b28d@ipfire.org> Date: Sun, 11 Sep 2022 14:14:43 +0000 MIME-Version: 1.0 Content-Language: en-US To: "IPFire: Development" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Subject: [PATCH] Tor: Update to 0.4.7.10 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <http://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series |
Tor: Update to 0.4.7.10
|
|
Commit Message
Peter Müller
Sept. 11, 2022, 2:14 p.m. UTC
Changes in version 0.4.7.10 - 2022-08-12
This version updates the geoip cache that we generate from IPFire location
database to use the August 9th, 2022 one. Everyone MUST update to this
latest release else circuit path selection and relay metrics are badly
affected.
o Major bugfixes (geoip data):
- IPFire informed us on August 12th that databases generated after
(including) August 10th did not have proper ARIN network allocations. We
are updating the database to use the one generated on August 9th, 2022.
Fixes bug 40658; bugfix on 0.4.7.9.
Changes in version 0.4.7.9 - 2022-08-11
This version contains several major fixes aimed at reducing memory pressure on
relays and possible side-channel. It also contains a major bugfix related to
congestion control also aimed at reducing memory pressure on relays.
Finally, there is last one major bugfix related to Vanguard L2 layer node
selection.
We strongly recommend to upgrade to this version especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Major bugfixes (congestion control):
- Implement RFC3742 Limited Slow Start. Congestion control was
overshooting the congestion window during slow start, particularly
for onion service activity. With this fix, we now update the
congestion window more often during slow start, as well as dampen
the exponential growth when the congestion window grows above a
capping parameter. This should reduce the memory increases guard
relays were seeing, as well as allow us to set lower queue limits
to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
on 0.4.7.5-alpha.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Major bugfixes (vanguards):
- We had omitted some checks for whether our vanguards (second layer
guards from proposal 333) overlapped. Now make sure to pick each
of them to be independent. Also, change the design to allow them
to come from the same family. Fixes bug 40639; bugfix
on 0.4.7.1-alpha.
o Minor features (dirauth):
- Add a torrc option to control the Guard flag bandwidth threshold
percentile. Closes ticket 40652.
- Add an AuthDirVoteGuard torrc option that can allow authorities to
assign the Guard flag to the given fingerprints/country code/IPs.
This is a needed feature mostly for defense purposes in case a DoS
hits the network and relay start losing the Guard flags too fast.
- Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
from torrc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor bugfixes (congestion control):
- Add a check for an integer underflow condition that might happen
in cases where the system clock is stopped, the ORconn is blocked,
and the endpoint sends more than a congestion window worth of non-
data control cells at once. This would cause a large congestion
window to be calculated instead of a small one. No security
impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
lfs/tor | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lfs/tor b/lfs/tor index 628ed63a2..c41b6dbed 100644 --- a/lfs/tor +++ b/lfs/tor @@ -26,7 +26,7 @@ include Config SUMMARY = Anonymizing overlay network for TCP (The onion router) -VER = 0.4.7.8 +VER = 0.4.7.10 THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 70 +PAK_VER = 71 DEPS = libseccomp @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 40f6eab453d95a09e4531ce7cdb59715a21b84e1d0b1045d107add6a443fb7563a5747734b23e0e1dfda6490a5a7659f912e38c11cdb5fa635535dcff6169eeb +$(DL_FILE)_BLAKE2 = 46a9d932e7451bcc683e18d296d7a26bb4b544767cf4622910ebf90d82715718451ec3e0d6cd215eff5fe2cc3ae8441b8e6065c5877d7fc92c2f26ab5c7fa0cb install : $(TARGET)