Changes in version 0.2.2.39 - 2012-09-11
  Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
  assertions.

  o Security fixes:
    - Fix an assertion failure in tor_timegm() that could be triggered
      by a badly formatted directory object. Bug found by fuzzing with
      Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
    - Do not crash when comparing an address with port value 0 to an
      address policy. This bug could have been used to cause a remote
      assertion failure by or against directory authorities, or to
      allow some applications to crash clients. Fixes bug 6690; bugfix
      on 0.2.1.10-alpha.

No CVEs for these vulnerabilities yet.

https://kb.isc.org/article/AA-00778
If a record with RDATA in excess of 65535 bytes is loaded into a
nameserver, a subsequent query for that record will cause named to exit
with an assertion failure.
This vulnerability can be exploited remotely against recursive servers
by inducing them to query for records provided by an authoritative
server. It affects authoritative servers if a zone containing this type
of resource record is loaded from file or provided via zone transfer.

Also add @comment'ed lines for lib/charset.alias and share/locale/locale.alias,
no problem at present but will save hassle if someone blindly update-plist's
later.

with no objections. It relies on a GUI toolkit which hasn't been updated
in 10 years, needs to run as root in order to get tcpdump to parse
capture files, and even then it still doesn't work.

NOT a gcc3 workaround). Without it the build on sparc64 gobbles all
memory, takes the machine to a halt, and gets killed after an unfinite
amount of time. Brad, next time, please test it at least.

separate from the version in the base OS which deliberately does not include
the mail proxy and additional modules. rc.d/enginx script is added (not
rc.d/nginx to avoid conflicting with base). Lua module is also supported.
Most of the work done by william@, with a few tweaks by me and ok william.
README could use more work and as pointed out by ajacoutot we need to
review permissions of the tmp directory, but the diff is already long enough.
@pkgpath markers are set to update from the 1.0.x packages to 1.2.x (with or
without the passenger flavour as appropriate).