From: Brian Warner Date: Thu, 12 Jan 2012 19:02:16 +0000 (-0800) Subject: update relnotes, known_issues, for 1.9.1 release X-Git-Tag: allmydata-tahoe-1.9.1~2 X-Git-Url: https://git.rkrishnan.org/(%5B%5E?a=commitdiff_plain;h=4468d5d0eb99990e448caf7ca9a10e137fc392b0;p=tahoe-lafs%2Ftahoe-lafs.git update relnotes, known_issues, for 1.9.1 release --- diff --git a/docs/known_issues.rst b/docs/known_issues.rst index e564e2b8..c8ac88f9 100644 --- a/docs/known_issues.rst +++ b/docs/known_issues.rst @@ -14,10 +14,9 @@ want to read `the "historical known issues" document`_. .. _the "historical known issues" document: historical/historical_known_issues.txt -Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011 +Known Issues in Tahoe-LAFS v1.9.1, released 12-Jan-2012 ======================================================= - * `Integrity Failure during Mutable Downloads`_ * `Potential unauthorized access by JavaScript in unrelated files`_ * `Potential disclosure of file through embedded hyperlinks or JavaScript in that file`_ * `Command-line arguments are leaked to other local users`_ 
@@ -27,46 +26,6 @@ Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011 ---- -Integrity Failure during Mutable Downloads --------------------------------------------------------------- - -Under certain circumstances, the integrity-verification code of the mutable -downloader could be bypassed. Clients who receive carefully crafted shares -(from attackers) will emit incorrect file contents, and the usual -share-corruption errors would not be raised. This only affects mutable files -(not immutable), and only affects downloads that use doctored shares. It is -not persistent: the threat is resolved once you upgrade your client to a -version without the bug. However, read-modify-write operations (such as -directory manipulations) performed by vulnerable clients could cause the -attacker's modifications to be written back out to the mutable file, making -the corruption permanent. - -The attacker's ability to manipulate the file contents is limited. They can -modify FEC-encoded ciphertext in all but one share. This gives them the -ability to blindly flip bits in roughly 2/3rds of the file (for the default -k=3 encoding parameter). Confidentiality remains intact, unless the attacker -can deduce the file's contents by observing your reactions to corrupted -downloads. - -This bug was introduced in 1.9.0, as part of the MDMF-capable downloader, and -affects both SDMF and MDMF files. It was not present in 1.8.3. - -*how to manage it* - -There are three options: - -* Upgrade to 1.9.1, which fixes the bug -* Downgrade to 1.8.3, which does not contain the bug -* If using 1.9.0, do not trust the contents of mutable files (whether SDMF or - MDMF) that the 1.9.0 client emits, and do not modify directories (which - could write the corrupted data back into place, making the damage - persistent) - - -.. 
_#1654: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654 - ----- - Potential unauthorized access by JavaScript in unrelated files -------------------------------------------------------------- 
@@ -283,6 +242,50 @@ time are likely to be related even if they are not linked in the directory structure. Also, users that access the same files may be related to each other. +---- + +Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011 +======================================================= + + +Integrity Failure during Mutable Downloads +------------------------------------------ + +Under certain circumstances, the integrity-verification code of the mutable +downloader could be bypassed. Clients who receive carefully crafted shares +(from attackers) will emit incorrect file contents, and the usual +share-corruption errors would not be raised. This only affects mutable files +(not immutable), and only affects downloads that use doctored shares. It is +not persistent: the threat is resolved once you upgrade your client to a +version without the bug. However, read-modify-write operations (such as +directory manipulations) performed by vulnerable clients could cause the +attacker's modifications to be written back out to the mutable file, making +the corruption permanent. + +The attacker's ability to manipulate the file contents is limited. They can +modify FEC-encoded ciphertext in all but one share. This gives them the +ability to blindly flip bits in roughly 2/3rds of the file (for the default +k=3 encoding parameter). Confidentiality remains intact, unless the attacker +can deduce the file's contents by observing your reactions to corrupted +downloads. + +This bug was introduced in 1.9.0, as part of the MDMF-capable downloader, and +affects both SDMF and MDMF files. It was not present in 1.8.3. 
+ +*how to manage it* + +There are three options: + +* Upgrade to 1.9.1, which fixes the bug +* Downgrade to 1.8.3, which does not contain the bug +* If using 1.9.0, do not trust the contents of mutable files (whether SDMF or + MDMF) that the 1.9.0 client emits, and do not modify directories (which + could write the corrupted data back into place, making the damage + persistent) + + +.. _#1654: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654 + ---- Known Issues in Tahoe-LAFS v1.8.2, released 30-Jan-2011 diff --git a/relnotes.txt b/relnotes.txt index 49fc4b0c..cd506025 100644 --- a/relnotes.txt +++ b/relnotes.txt @@ -18,8 +18,8 @@ The previous stable release of Tahoe-LAFS was v1.9.0, released on October 31, 2011. v1.9.1 is a critical bugfix release which fixes a significant -security issue. See the NEWS file [1] and known_issues.rst [2] -file for details. +security issue [#1654]. See the NEWS file [1] and known_issues.rst +[2] file for details. WHAT IS IT GOOD FOR? @@ -137,6 +137,7 @@ January 12, 2011 San Francisco, California, USA +[#1654] https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654 [1] https://tahoe-lafs.org/trac/tahoe-lafs/browser/NEWS.rst [2] https://tahoe-lafs.org/trac/tahoe-lafs/browser/docs/known_issues.rst [3] https://tahoe-lafs.org/trac/tahoe-lafs/wiki/RelatedProjects
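Review bot: In the docs/known_issues.rst hunk at `@@ -283,6 +242,50 @@`, the moved section ends with the link target `.. _#1654:`, but none of the added lines reference it, so a reader of the v1.9.0 entry never gets pointed at the ticket. Add a sentence to the description such as "See ticket `#1654`_ for details." The new "Known Issues in Tahoe-LAFS v1.9.0" heading also goes straight to the subsection with no bullet list, while the first hunk drops the entry from the v1.9.1 list, so the integrity issue is no longer linked from any index in the visible lines. A one-item list under the v1.9.0 heading would keep it discoverable for users still on 1.9.0.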
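Review bot: In the last relnotes.txt hunk (`@@ -137,6 +137,7 @@`), the unchanged context line just above the added `[#1654]` reference reads "January 12, 2011", while this commit is dated 12 Jan 2012 and known_issues.rst now says v1.9.1 was "released 12-Jan-2012". The year in the release-notes sign-off looks stale and should be corrected to 2012 in the same change, since these notes announce a security fix and a wrong date makes it harder to tell which advisory applies to which release.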