opensource.dyc.edu

The release incorporates an important fix for a heap overflow from upstream. While no exploit is know against it, heap overflows in general are easily exploited and so it is recommended that you upgrade as soon as possible. You can read more about it on their ChangeLog.

All three images have been tested and no problems found. Enjoy the "Merry Xmas" release.

This release approaches a boundary where we will eventually have to make a decision --- the 4GB requirement for RAM. A while back, the Tin Hat ISOs grew too big for CDs but this didn't bother us much because optical devices are going out of style and most people just download the ISO and then transfer it to a pen drive. But the system requirements have now crept up to the 4GB limit for RAM. Tin Hat will require the full 4GB to boot leaving little for anything else, at least on amd64. We have some time on i686 but it too is growing.

This release follows an critical fix from upstream. An attack was found which can deanonymize tor users by identifying them with their reused TLS certs. An older attack allows a malicious web site to discover what guards are being used, then by probing the guards for those certs, one can identify the user. This fix from the tor team addresses the reuse of the certs and the ability to probe the guards. You can read about it in their ChangeLog, along with a few other fixes.

This release is primarily a maintenance release following upstream's new stable version of tor 0.2.2.33. It's not surprising that a new release came out only weeks after the first 0.2.2 stable since now this branch is getting more attention. Upstream's ChangeLog mentions one major bug fix when reloading TrackExitHosts, and a bunch of fixes, but no feature enhancement.

This release features the first tor server in the 0.2.2 which has been marked by the tor team as stable, tor-0.2.2.32. It has been a while since the last releases which came in a flurry of security fixes. In contrast, tor-0.2.2.32 came up leisurely through a series of release candidates and was well tested --- I know because I've been maintaining tor for the Gentoo community for a while and I haven't heard much noise about 0.2.2 releases. The 0.2.3 branch is another story, but that's what alphas are for.

Well I finally released hmwultd publicly. I sat on it for about one month, running it on the servers to make sure it wasn't going to break anything. Finally I decided it was time to announce it on freshmeat.

This has been one of the longest spells without a Tin Hat release, but it was well worth the wait because this is one of the tightest releases yet. There were approximately 400 packages upgraded, built with a toolchain composed of gcc-4.4.5, glibc-2.12.2 and binutils-2.20.1-r1. The amd64 version tested with no known issues. The i686 does have issues, but they are limited to just a few video codecs. The hardening is still interfering with some assembly code in those codecs and so there's still work to be done by the Hardened Gentoo team.

The latest release of Tor 0.2.1.30 doesn't address any security issues as the last two did, so we didn't feel the same urgency in getting it into tor-ramdisk, but it does have some important bug fixes, such as addressing the filtering of Tor in Iran --- minor bugs, but important. Since we had to rebuild and test new images, we also took the opportunity to update a few other pieces, like busybox, openssl/openssh and the kernel. The most important was our update to libevent-2 which brings improved asynchronous DNS.

This is another security release coming from Tor. A heap overflow was discovered which can lead to remote code being executed (CVE-2011-0427), see their ChangeLog. Two other major bugs were also addressed as well as a host of others.

We took this opportunity to also bump busybox by one minor bump to its current stable 1.18.2 and the kernel to 2.6.32.28 with hardened-patchset-2.6.32-r37. We're as current as possible!

Happy anonymous surfing!