[freenet-support] Build 1474 status and the Frostbite attack

2016-06-07 Thread Matthew Toseland
Freenet build 1474 has been partially released. It includes a critical bugfix
for the "Frostbite" bug: if you visit a malicious key, downloads can stop
working. This is being actively exploited on Frost and Sone/WoT. Unloading
WoT / turning off Frost and restarting the node should make it work again.
Unfortunately the official release manager Steve is indisposed, and nextgens
and I are still working on completing the release; it should be inserted
into the auto-update system tomorrow, and thus "officially" released.

The build has been released as far as the website, so new installs will be
1474. Sorry about this, we will try to make our recovery procedures more 
robust in future... Please relay this message to FMS etc if possible, thanks!

You can manually update to the new build as follows:

Option 1: Use update.sh or update.cmd

This is not anonymous, in that it downloads the jar file over HTTPS from our
server, so anyone listening could tell that you run Freenet. Also there
have been some reported bugs (one problem with update.sh was fixed just by
running it again, otherwise contact #freenet on irc.freenode.net - note that
this is also not anonymous).

Option 2: Download the jar from Freenet on a working node and replace it.

First, download the following key:
CHK@jCVrtDlDgly4kqNRPAH4o7j16I5Fcy39ka6Qz2~NOko,kbxLQ-wHV4S8YgPUme3y9HKYopc1FWeEMUaZ~zDeSqM,AAMC--8/freenet-build01474.jar

Signature is here (if you have gnupg and my pubkey):
CHK@~gTf8kWGI0X34XOI~pI-hagrddxzUJdbPIk20nYoLjs,a7SNdm2Sq7u3sOwjX5GyVkitpR8J92~VGdO~tSynLto,AAMC--8/freenet-build01474.jar.sig

Now shut down the node.

Open wrapper.conf in a text editor. 
There should be a line that says something like:
wrapper.java.classpath.1=freenet.jar.new

If it says freenet.jar.new then change it to freenet.jar. 
If it says freenet.jar then don't do anything.

Now replace freenet.jar with the jar you just downloaded from Freenet.
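The Option 2 steps above written out as a shell script, added here as an example and not part of the original post or of the Freenet project's own tooling. It assumes the jar and its .sig have already been fetched from the two CHKs above into the current directory, that the node has been shut down, and that the install directory is given by FREENET_DIR (defaulting to ~/Freenet); the function names, the jar check and the --run flag are the example's own.

```shell
#!/bin/sh
# Added example (not from the post): the manual "Option 2" update as a script.
# Assumes freenet-build01474.jar and freenet-build01474.jar.sig are already in
# the current directory and the node is stopped. FREENET_DIR, the function
# names and the --run flag are assumptions of this example.
set -eu

# Step 3: wrapper.conf must point the classpath at freenet.jar, not
# freenet.jar.new. Rewrites the line if needed and echoes what it did;
# fails if the line is not in either expected form.
fix_classpath() {
    conf="$1"
    if grep -q '^wrapper\.java\.classpath\.1=freenet\.jar\.new$' "$conf"; then
        cp "$conf" "$conf.bak"                      # keep a copy to roll back
        sed 's/^\(wrapper\.java\.classpath\.1=\)freenet\.jar\.new$/\1freenet.jar/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
        echo changed
    elif grep -q '^wrapper\.java\.classpath\.1=freenet\.jar$' "$conf"; then
        echo unchanged
    else
        echo "fix_classpath: no wrapper.java.classpath.1=freenet.jar line in $conf" >&2
        return 1
    fi
}

# Step 1 (optional): check the detached GnuPG signature on the downloaded jar.
# Only meaningful if the release signer's public key is already in your keyring.
verify_jar() {
    gpg --verify "$2" "$1"
}

# Step 4: swap the new jar into place, keeping the old one as freenet.jar.old.
# A jar is a ZIP file, so refuse anything that does not start with the ZIP
# magic "PK" (an error page or a truncated download would not).
install_jar() {
    newjar="$1"; dir="$2"
    if [ "$(head -c 2 "$newjar")" != "PK" ]; then
        echo "install_jar: $newjar is not a jar file" >&2
        return 1
    fi
    if [ -f "$dir/freenet.jar" ]; then
        mv "$dir/freenet.jar" "$dir/freenet.jar.old"
    fi
    cp "$newjar" "$dir/freenet.jar"
    echo installed
}

main() {
    dir="${FREENET_DIR:-$HOME/Freenet}"
    if command -v gpg >/dev/null 2>&1 && [ -f freenet-build01474.jar.sig ]; then
        verify_jar freenet-build01474.jar freenet-build01474.jar.sig
    fi
    fix_classpath "$dir/wrapper.conf"
    install_jar freenet-build01474.jar "$dir"
}

# Run the whole procedure only when invoked as "sh update-1474.sh --run", so
# the functions can also be sourced and exercised one at a time.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Each step leaves something to undo it (wrapper.conf.bak, freenet.jar.old), so a node that fails to start on the new jar can be put back by hand; the signature check is skipped rather than failed when gpg is absent, which matches the "if you have gnupg and my pubkey" wording of the post.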
Official release notes:

$ git tag -v build01474
object ced0ba20a7ffba7fdf05466d00bf6cb585c28bc9
type commit
tag build01474
tagger Matthew Toseland  1465137470 +0100

2016-06-05

Freenet 0.7.5 build 1474 is now available. This is an emergency bugfix release, 
hence I am releasing it rather than Steve while he is incapacitated. It fixes 
some important bugs, one of which is involved in the current attacks on Frost 
and Sone.

Summary of changes:

* Fix the Frostbite bug: if the node downloads a malicious key, this would 
cause the whole client layer to break. This is currently being actively used to 
attack Frost and Sone.
* Automatically upgrade nodes to use the minimum bandwidth limit if necessary. 
Some nodes were unable to start up because their bandwidth limit was too low. 
Apologies to anyone affected by this. Also, improve the logic that sets the 
per-second bandwidth limits from a monthly setting. Obviously, you should be 
very careful if using Freenet on a connection with a monthly transfer limit.
* Minor security improvements to the web interface.

If your node is unable to update because of the Frostbite bug, please turn off 
the affected applications (unload the Web of Trust and Sone plugins and shut 
down Frost), and then restart the node. It should pick up the update within a 
few hours. If it still doesn't work, the update.cmd or update.sh scripts may 
fix the problem, but they will access our website in a traceable manner.

Thank you for using Freenet!

- Matthew Toseland

Git shortlog:

Bert Massop (4):
  BloomFilter: additional sanity checking of length and hash count
  Add more splitfile sanity checks
  Make KeyListenerTracker more resilient
  Fix a corner case in BloomFilter length

Florent Daigniere (7):
  Set rel='noreferrer noopener' where appropriate
  Merge branch 'do-not-die-on-too-low-bandwidth' of 
https://github.com/ArneBab/fred-staging-1 into 
ArneBab-do-not-die-on-too-low-bandwidth
  Merge branch 'ArneBab-do-not-die-on-too-low-bandwidth' into next
  Merge branch 'frostbite-hotfix' of https://github.com/bertm/fred-staging 
into bertm-frostbite-hotfix
  Merge branch 'bertm-frostbite-hotfix' into next
  Merge branch 'avoid-claiming-magic' of 
https://github.com/Thynix/fred-staging into Thynix-avoid-claiming-magic
  Merge branch 'Thynix-avoid-claiming-magic' into next

Matthew Toseland (1):
  Build 1474, mandatory in a week but crucial bugfixes

Steve Dougherty (3):
  Merge remote-tracking branch 'ArneBab/do-not-die-on-too-low-bandwidth' 
into next
  Merge remote-tracking branch 'nextgens/use-noreferrer' into next
  l10n: avoid suggesting tracing is impossible

drak@kaverne (5):
  FIX: on too low bandwidth, use min bandwidth
  node init: log increase of bandwidth to minimum
  fixed bandwidth selection per month
  whitespace (tabify)
  use asymptoticDlFraction + fix whitespace
gpg: Signature made Sun 05 Jun 2016 15:37:50 BST using RSA key ID 1946AA94
gpg: Good signature from "Matthew Toseland (2013-2018 key, hi