update relnotes, known_issues, for 1.9.1 release

diff --git a/docs/known_issues.rst b/docs/known_issues.rst
index e564e2b8b54709d0d3e17f2599dc97d6426a40f4..c8ac88f926c838c1c525f0bc828f7ccbd5dee3ff 100644 (file)
--- a/docs/known_issues.rst
+++ b/docs/known_issues.rst
@@ -14,10 +14,9 @@ want to read `the "historical known issues" document`_.
 .. _the "historical known issues" document: historical/historical_known_issues.txt
 
 
-Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011
+Known Issues in Tahoe-LAFS v1.9.1, released 12-Jan-2012
 =======================================================
 
-  *  `Integrity Failure during Mutable Downloads`_
   *  `Potential unauthorized access by JavaScript in unrelated files`_
   *  `Potential disclosure of file through embedded hyperlinks or JavaScript in that file`_
   *  `Command-line arguments are leaked to other local users`_
@@ -27,46 +26,6 @@ Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011
 
 ----
 
-Integrity Failure during Mutable Downloads
---------------------------------------------------------------
-
-Under certain circumstances, the integrity-verification code of the mutable
-downloader could be bypassed. Clients who receive carefully crafted shares
-(from attackers) will emit incorrect file contents, and the usual
-share-corruption errors would not be raised. This only affects mutable files
-(not immutable), and only affects downloads that use doctored shares. It is
-not persistent: the threat is resolved once you upgrade your client to a
-version without the bug. However, read-modify-write operations (such as
-directory manipulations) performed by vulnerable clients could cause the
-attacker's modifications to be written back out to the mutable file, making
-the corruption permanent.
-
-The attacker's ability to manipulate the file contents is limited. They can
-modify FEC-encoded ciphertext in all but one share. This gives them the
-ability to blindly flip bits in roughly 2/3rds of the file (for the default
-k=3 encoding parameter). Confidentiality remains intact, unless the attacker
-can deduce the file's contents by observing your reactions to corrupted
-downloads.
-
-This bug was introduced in 1.9.0, as part of the MDMF-capable downloader, and
-affects both SDMF and MDMF files. It was not present in 1.8.3.
-
-*how to manage it*
-
-There are three options:
-
-* Upgrade to 1.9.1, which fixes the bug
-* Downgrade to 1.8.3, which does not contain the bug
-* If using 1.9.0, do not trust the contents of mutable files (whether SDMF or
-  MDMF) that the 1.9.0 client emits, and do not modify directories (which
-  could write the corrupted data back into place, making the damage
-  persistent)
-
-
-.. _#1654: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654
-
-----
-
 Potential unauthorized access by JavaScript in unrelated files
 --------------------------------------------------------------
 
@@ -283,6 +242,50 @@ time are likely to be related even if they are not linked in the directory
 structure. Also, users that access the same files may be related to each other.
 
 
+----
+
+Known Issues in Tahoe-LAFS v1.9.0, released 31-Oct-2011
+=======================================================
+
+
+Integrity Failure during Mutable Downloads
+------------------------------------------
+
+Under certain circumstances, the integrity-verification code of the mutable
+downloader could be bypassed. Clients who receive carefully crafted shares
+(from attackers) will emit incorrect file contents, and the usual
+share-corruption errors would not be raised. This only affects mutable files
+(not immutable), and only affects downloads that use doctored shares. It is
+not persistent: the threat is resolved once you upgrade your client to a
+version without the bug. However, read-modify-write operations (such as
+directory manipulations) performed by vulnerable clients could cause the
+attacker's modifications to be written back out to the mutable file, making
+the corruption permanent.
+
+The attacker's ability to manipulate the file contents is limited. They can
+modify FEC-encoded ciphertext in all but one share. This gives them the
+ability to blindly flip bits in roughly 2/3rds of the file (for the default
+k=3 encoding parameter). Confidentiality remains intact, unless the attacker
+can deduce the file's contents by observing your reactions to corrupted
+downloads.
+
+This bug was introduced in 1.9.0, as part of the MDMF-capable downloader, and
+affects both SDMF and MDMF files. It was not present in 1.8.3.
+
+*how to manage it*
+
+There are three options:
+
+* Upgrade to 1.9.1, which fixes the bug
+* Downgrade to 1.8.3, which does not contain the bug
+* If using 1.9.0, do not trust the contents of mutable files (whether SDMF or
+  MDMF) that the 1.9.0 client emits, and do not modify directories (which
+  could write the corrupted data back into place, making the damage
+  persistent)
+
+
+.. _#1654: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654
+
 ----
 
 Known Issues in Tahoe-LAFS v1.8.2, released 30-Jan-2011

diff --git a/relnotes.txt b/relnotes.txt
index 49fc4b0c32f1dc1f160bc0f6a696bb09ddcfe720..cd506025e42d255d501208b29a40df861d7c68cd 100644 (file)
--- a/relnotes.txt
+++ b/relnotes.txt
@@ -18,8 +18,8 @@ The previous stable release of Tahoe-LAFS was v1.9.0, released
 on October 31, 2011.
 
 v1.9.1 is a critical bugfix release which fixes a significant
-security issue. See the NEWS file [1] and known_issues.rst [2]
-file for details.
+security issue [#1654]. See the NEWS file [1] and known_issues.rst
+[2] file for details.
 
 
 WHAT IS IT GOOD FOR?
@@ -137,6 +137,7 @@ January 12, 2011
 San Francisco, California, USA
 
 
+[#1654] https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654
 [1] https://tahoe-lafs.org/trac/tahoe-lafs/browser/NEWS.rst
 [2] https://tahoe-lafs.org/trac/tahoe-lafs/browser/docs/known_issues.rst
 [3] https://tahoe-lafs.org/trac/tahoe-lafs/wiki/RelatedProjects