From b5717f450de71f6d7f236a64f9acb71ea6623bb9 Mon Sep 17 00:00:00 2001 From: Tails developers Date: Thu, 17 Oct 2013 13:44:25 +0000 Subject: [PATCH] Update changelog for 0.21~rc1. --- debian/changelog | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 73 insertions(+), 3 deletions(-) diff --git a/debian/changelog b/debian/changelog index cd6ca9067..d52fb7edc 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,8 +1,78 @@ -tails (0.21) UNRELEASED; urgency=low +tails (0.21~rc1) unstable; urgency=low + + * Security fixes + - Don't grant access to the Tor control port for the desktop user + (amnesia). Else, an attacker able to run arbitrary code as this user + could obtain the public IP with a get_info command. + · Vidalia is now run as a dedicated user. + · Remove the amnesia user from the debian-tor group. + · Remove the Vidalia launcher in the Applications menu. + The Vidalia instance it starts is useless, since it can't connect + to the Tor control port. + - Don't allow the desktop user to directly change persistence settings. + Else, an attacker able to run arbitrary code as this user could + leverage this feature to gain persistent root access, as long as + persistence is enabled. + · Fully rework the persistent filesystem and files ownership + and permissions. + · Run the Persistent Volume Assistant as a dedicated user, that is + granted the relevant udisks and filesystem -level credentials. + · At persistence activation time, don't trust existing persistence + configuration files, migrate to the new ownership and permissions, + migrate every known-safe existing settings and backup what's left. + Warn the user when not all persistence settings could be migrated. + · Persistent Volume Assistant uses the new ownership and permissions + scheme when initializing a new persistent volume, and refuses to + read persistence.conf if it, or the parent directory, hasn't the + expected permissions. + · Make boot medium 'system internal' for udisks with bilibop. + Once Tails is based on Wheezy, this will further complete the + protection (see #6172 for details). - * Upcoming release. + * Major new features + - Add a persistence preset for printing settings (Closes: #5686). + Reload CUPS configuration after persistence activation. + - Support SD card connected through a SDIO host adapter (Closes: #6324). + · Rebrand Tails USB installer to Tails installer. 
+ · Display devices brand, model and size in the Installer + (Closes: #6292). + · Ask for confirmation before installing Tails onto a device + (Closes: #6293). + · Add support for SDIO and MMC block devices to the Tails Installer + (Closes: #5744) and the Persistent Volume Assistant (Closes: #6325). + · Arm the udev watchdog when booted from SD (plugged in SDIO) too + (Closes: #6327). + + * Minor improvements + - Add a KeePassX launcher to the top GNOME panel (Closes: #6290). + - Rework bug reporting workflow: point the desktop launcher to + the troubleshooting page. + - Make /home world-readable at build time, regardless of the Git + working copy permissions. This makes the build process more robust + against strict umasks. + - Add signing capabilities to the tails-build script (Closes: #6267). + This is in turn used to sign ISO images built by our Jenkins setup + (Closes: #6193). + - Simplify the ikiwiki setup and make more pages translatable. + - Exclude the version string in GnuPG's ASCII armored output. + - Prefer stronger ciphers (AES256,AES192,AES,CAST5) when encrypting + data with GnuPG. + - Use the same custom Startpage search URL than the TBB. + This apparently disables the new broken "family" filter. + - Enable oldstable-proposed-updates APT sources to install packages + scheduled for the next Squeeze point-release. Accordingly update + APT pinning. + - Update AdBlock Plus patterns. - -- Tails developers Thu, 19 Sep 2013 15:59:43 +0200 + * Test suite + - Look for "/tmp/.X11-unix/X${1#:}" too when detecting displays in use. + - Adapt tests to match the Control Port access security fix: + · Take into account that the amnesia user isn't part of the debian-tor + group anymore. + · Run as root the checks to see if a process is running: this + is required to see other users' processes. + + -- Tails developers Thu, 17 Oct 2013 14:13:27 +0200 tails (0.20.1) unstable; urgency=low -- 2.11.4.GIT
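Review bot: The two entries under "Security fixes" cite no ticket of their own, while nearly every item under "Major new features" carries a "(Closes: #...)" reference, so the Tor control port and persistence permission changes cannot be traced from the changelog to their discussion. Add a ticket reference to each, the way "see #6172 for details" is given for the bilibop item. In the same block, "filesystem -level credentials" has a stray space and should read "filesystem-level credentials", and "migrate every known-safe existing settings" should be "setting". Under "Minor improvements", "the same custom Startpage search URL than the TBB" should read "as the TBB", and the item "Prefer stronger ciphers (AES256,AES192,AES,CAST5)" does not say which configuration file or option carries that preference. Naming it would let a reader verify the setting on a running system.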