Freenet build 1474 has been partially released. It includes a critical bugfix for the "Frostbite" bug: if you visit a malicious key, downloads can stop working. This is being actively exploited on Frost and Sone/WoT. Unloading WoT / turning off Frost and restarting the node should make it work again. Unfortunately the official release manager Steve is indisposed, and nextgens and I are still working on completing the release; it should be inserted into the auto-update system tomorrow, and thus "officially" released.
The build has been released as far as the website, so new installs will be
1474. Sorry about this, we will try to make our recovery procedures more
robust in future... Please relay this message to FMS etc if possible, thanks!
You can manually update to the new build as follows:
Option 1: Use update.sh or update.cmd
This is not anonymous, in that it downloads the jar file over HTTPS from our
server, so anyone listening could tell that you run Freenet. Also there
have been some reported bugs (one problem with update.sh was fixed just by
running it again, otherwise contact #freenet on irc.freenode.net - note that
this is also not anonymous).
Option 2: Download the jar from Freenet on a working node and replace them.
First, download the following key:
CHK@jCVrtDlDgly4kqNRPAH4o7j16I5Fcy39ka6Qz2~NOko,kbxLQ-wHV4S8YgPUme3y9HKYopc1FWeEMUaZ~zDeSqM,AAMC--8/freenet-build01474.jar
Signature is here (if you have gnupg and my pubkey):
CHK@~gTf8kWGI0X34XOI~pI-hagrddxzUJdbPIk20nYoLjs,a7SNdm2Sq7u3sOwjX5GyVkitpR8J92~VGdO~tSynLto,AAMC--8/freenet-build01474.jar.sig
Now shut down the node.
Open wrapper.conf in a text editor.
There should be a line that says something like:
wrapper.java.classpath.1=freenet.jar.new
If it says freenet.jar.new then change it to freenet.jar.
If it says freenet.jar then don't do anything.
Now replace freenet.jar with the jar you just downloaded from Freenet.
====
Official release notes:
$ git tag -v build01474
object ced0ba20a7ffba7fdf05466d00bf6cb585c28bc9
type commit
tag build01474
tagger Matthew Toseland <matt...@toselandcs.co.uk> 1465137470 +0100
2016-06-05
Freenet 0.7.5 build 1474 is now available. This is an emergency bugfix release,
hence I am releasing it rather than Steve while he is incapacitated. It fixes
some important bugs, one of which is involved in the current attacks on Frost
and Sone.
Summary of changes:
* Fix the Frostbite bug: if the node downloads a malicious key, this would
cause the whole client layer to break. This is currently being actively used to
attack Frost and Sone.
* Automatically upgrade nodes to use the minimum bandwidth limit if necessary.
Some nodes were unable to start up because their bandwidth limit was too low.
Apologies to anyone affected by this. Also, improve the logic that sets the
per-second bandwidth limits from a monthly setting. Obviously, you should be
very careful if using Freenet on a connection with a monthly transfer limit.
* Minor security improvements to the web interface.
If your node is unable to update because of the Frostbite bug, please turn off
the affected applications (unload the Web of Trust and Sone plugins and shut
down Frost), and then restart the node. It should pick up the update within a
few hours. If it still doesn't work, the update.cmd or update.sh scripts may
fix the problem, but they will access our website in a traceable manner.
Thank you for using Freenet!
- Matthew Toseland
Git shortlog:
Bert Massop (4):
BloomFilter: additional sanity checking of length and hash count
Add more splitfile sanity checks
Make KeyListenerTracker more resilient
Fix a corner case in BloomFilter length
Florent Daigniere (7):
Set rel='noreferrer noopener' where appropriate
Merge branch 'do-not-die-on-too-low-bandwidth' of
https://github.com/ArneBab/fred-staging-1 into
ArneBab-do-not-die-on-too-low-bandwidth
Merge branch 'ArneBab-do-not-die-on-too-low-bandwidth' into next
Merge branch 'frostbite-hotfix' of https://github.com/bertm/fred-staging
into bertm-frostbite-hotfix
Merge branch 'bertm-frostbite-hotfix' into next
Merge branch 'avoid-claiming-magic' of
https://github.com/Thynix/fred-staging into Thynix-avoid-claiming-magic
Merge branch 'Thynix-avoid-claiming-magic' into next
Matthew Toseland (1):
Build 1474, mandatory in a week but crucial bugfixes
Steve Dougherty (3):
Merge remote-tracking branch 'ArneBab/do-not-die-on-too-low-bandwidth'
into next
Merge remote-tracking branch 'nextgens/use-noreferrer' into next
l10n: avoid suggesting tracing is impossible
drak@kaverne (5):
FIX: on too low bandwidth, use min bandwidth
node init: log increase of bandwidth to minimum
fixed bandwidth selection per month
whitespace (tabify)
use asymptoticDlFraction + fix whitespace
gpg: Signature made Sun 05 Jun 2016 15:37:50 BST using RSA key ID 1946AA94
gpg: Good signature from "Matthew Toseland (2013-2018 key, higher key length)
<matt...@toselandcs.co.uk>"
gpg: aka "Matthew Toseland (2013-2018 key, higher key length)
<t...@amphibian.dyndns.org>"
====
Details for verification:
Git tag build01474 signed by me.
Git ID is ced0ba20a7ffba7fdf05466d00bf6cb585c28bc9
Source is in the git repository or on Freenet:
CHK@~Pn8tcQ~DZ9GnmzZUUCEi-uUnttOmy~OmmiJp9lUTM0,EH3sC17rF63tXJ25vGV7cnuN0noobhYxZPNWwJgz1vY,AAMC--8/freenet-build01474-source.tar.bz2
CHK@d1gUowN3GVIl0SwOc8NkDluiTsDpWpmkN~UnbWmRDIc,xgl6eSeDvaMW23JQjL-oc8JP9wq55uzQaUV~8z9SD4M,AAMC--8/freenet-build01474-source.tar.bz2.sig
Thanks!
signature.asc
Description: Digital signature
_______________________________________________ Support mailing list Support@freenetproject.org http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:support-requ...@freenetproject.org?subject=unsubscribe
