From patchwork Sun Sep 11 14:14:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= X-Patchwork-Id: 5992 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4MQWvj3yYVz3wbV for ; Sun, 11 Sep 2022 14:14:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4MQWvh0xTTz1fq; Sun, 11 Sep 2022 14:14:56 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4MQWvg71f8z2y3W; Sun, 11 Sep 2022 14:14:55 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4MQWvf64b7z2xG7 for ; Sun, 11 Sep 2022 14:14:54 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384)) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4MQWvd0SHgz1L9 for ; Sun, 11 Sep 2022 14:14:52 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1662905694; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cSOov19RpOoAx9Fo/Ejhr1G0Woa3xbwNCp65mRht9ws=; b=NoqhAo5yYZusafTh6OjNiXSXvn+VAc5Yq0B3jmeVDZ5oxnFhYV5MtsB1ObSmSgAYa82lrY Ei5/Tud5JKpmUbBg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1662905694; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=cSOov19RpOoAx9Fo/Ejhr1G0Woa3xbwNCp65mRht9ws=; b=mGH+GGLp0STP7gukuFe0b1Z3YEP4PTnGBKmgAD66OuBWK/ityEHsP9WxpJ/hhN+ODKhIAZ Gw/Oarudil5Ombp1Iz948DkFsEhfBhdhnc0bHGoiaKO/3MqH/mI2GmELf2F4SY0ImiH1b9 5zcdKm6s+4heLX1N5X7N+i92Ppvuf2AQ6grNa3KmMO1iupjG+mdk8rUDubG/NmS+A3aUhz bdUC1AwbyZ76s2I4RY6GP1Oox+f9M3jPOYiSClR9Yfl75uLd0QpcI9h42gFy8WRiLpyvJq sh1a5CU895WV8x4gP71hrq78aVpTmrPPEhibLHjoTH6HR37s9X5SYW0Th0lMFA== Message-ID: <0775a6d8-e774-fb22-3cfe-59a4c058b28d@ipfire.org> Date: Sun, 11 Sep 2022 14:14:43 +0000 MIME-Version: 1.0 Content-Language: en-US To: "IPFire: Development" From: =?utf-8?q?Peter_M=C3=BCller?= Subject: [PATCH] Tor: Update to 0.4.7.10 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Changes in version 0.4.7.10 - 2022-08-12 This version updates the geoip cache that we generate from IPFire location database to use the August 9th, 2022 one. Everyone MUST update to this latest release else circuit path selection and relay metrics are badly affected. o Major bugfixes (geoip data): - IPFire informed us on August 12th that databases generated after (including) August 10th did not have proper ARIN network allocations. We are updating the database to use the one generated on August 9th, 2022. Fixes bug 40658; bugfix on 0.4.7.9. Changes in version 0.4.7.9 - 2022-08-11 This version contains several major fixes aimed at reducing memory pressure on relays and possible side-channel. It also contains a major bugfix related to congestion control also aimed at reducing memory pressure on relays. Finally, there is last one major bugfix related to Vanguard L2 layer node selection. We strongly recommend to upgrade to this version especially for Exit relays in order to help the network defend against this ongoing DDoS. o Major bugfixes (congestion control): - Implement RFC3742 Limited Slow Start. Congestion control was overshooting the congestion window during slow start, particularly for onion service activity. With this fix, we now update the congestion window more often during slow start, as well as dampen the exponential growth when the congestion window grows above a capping parameter. This should reduce the memory increases guard relays were seeing, as well as allow us to set lower queue limits to defend against ongoing DoS attacks. Fixes bug 40642; bugfix on 0.4.7.5-alpha. o Major bugfixes (relay): - Remove OR connections btrack subsystem entries when the connections close normally. Before this, we would only remove the entry on error and thus leaking memory for each normal OR connections. Fixes bug 40604; bugfix on 0.4.0.1-alpha. - Stop sending TRUNCATED cell and instead close the circuit from which we received a DESTROY cell. This makes every relay in the circuit path to stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc. o Major bugfixes (vanguards): - We had omitted some checks for whether our vanguards (second layer guards from proposal 333) overlapped. Now make sure to pick each of them to be independent. Also, change the design to allow them to come from the same family. Fixes bug 40639; bugfix on 0.4.7.1-alpha. o Minor features (dirauth): - Add a torrc option to control the Guard flag bandwidth threshold percentile. Closes ticket 40652. - Add an AuthDirVoteGuard torrc option that can allow authorities to assign the Guard flag to the given fingerprints/country code/IPs. This is a needed feature mostly for defense purposes in case a DoS hits the network and relay start losing the Guard flags too fast. - Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE, TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable from torrc. o Minor features (fallbackdir): - Regenerate fallback directories generated on August 11, 2022. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2022/08/11. o Minor bugfixes (congestion control): - Add a check for an integer underflow condition that might happen in cases where the system clock is stopped, the ORconn is blocked, and the endpoint sends more than a congestion window worth of non- data control cells at once. This would cause a large congestion window to be calculated instead of a small one. No security impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha. o Minor bugfixes (defense in depth): - Change a test in the netflow padding code to make it more _obviously_ safe against remotely triggered crashes. (It was safe against these before, but not obviously so.) Fixes bug 40645; bugfix on 0.3.1.1-alpha. o Minor bugfixes (relay): - Do not propagate either forward or backward a DESTROY remote reason when closing a circuit in order to avoid a possible side channel. Fixes bug 40649; bugfix on 0.1.2.4-alpha. Signed-off-by: Peter Müller --- lfs/tor | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/tor b/lfs/tor index 628ed63a2..c41b6dbed 100644 --- a/lfs/tor +++ b/lfs/tor @@ -26,7 +26,7 @@ include Config SUMMARY = Anonymizing overlay network for TCP (The onion router) -VER = 0.4.7.8 +VER = 0.4.7.10 THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 70 +PAK_VER = 71 DEPS = libseccomp @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 40f6eab453d95a09e4531ce7cdb59715a21b84e1d0b1045d107add6a443fb7563a5747734b23e0e1dfda6490a5a7659f912e38c11cdb5fa635535dcff6169eeb +$(DL_FILE)_BLAKE2 = 46a9d932e7451bcc683e18d296d7a26bb4b544767cf4622910ebf90d82715718451ec3e0d6cd215eff5fe2cc3ae8441b8e6065c5877d7fc92c2f26ab5c7fa0cb install : $(TARGET)