-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Tahoe-LAFS Users:

Kevan Carstensen of the Tahoe-LAFS core team has discovered a security
vulnerability in Tahoe-LAFS v1.9.0 which would allow a sufficiently clever
attacker to corrupt the retrieval of mutable files or directories which are
retrieved with v1.9.0 or, in some cases, to corrupt the stored copy of
mutable files or directories which are updated with v1.9.0.

The recommended defensive action for all users is to downgrade to v1.8.3, or
to refrain from using mutable files (either SDMF or MDMF) with 1.9.0.

A FAQ about downgrading from 1.9.0 to 1.8.3, which was written before we
discovered this critical security vulnerability, is here:

https://tahoe-lafs.org/pipermail/tahoe-dev/2011-December/006905.html

The FAQ is no longer accurate about 1.9.0 being free of dangerous flaws, but
it is still accurate about 1.8.3 being free of compatibility problems.

We'll be providing a patch soon. We are still writing tests for it and
searching for other similar bugs and so on. Of course, as soon as we release
the patch, this will inform any attackers of exactly what they could do to
users of 1.9.0. Therefore, if there are any users who are especially
security-sensitive, then they should downgrade to 1.8.3 before we release the
patch, or else they should suspend their use of mutable files and directories
until we release the patch and they've applied it.

Once we are ready to publish the details of the issue we will post them to
this issue tracker ticket:

https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1654

Please feel free to contact me with any questions or concerns, using GPG
encryption. Please Cc: Brian Warner, David-Sarah Hopwood, and Kevan
Carstensen on all such email.

Regards,

Zooko Wilcox-O'Hearn, on behalf of the Tahoe-LAFS core team


GPG fingerprints:

Brian Warner <warner-tahoe@lothar.com> 967E FE06 6998 7241 1A77 DF36 D43B 4C9C 7322 5AAF
David-Sarah Hopwood <david-sarah@jacaranda.org> 3D6A 08E9 1262 3E9A 00B2 1BDC 067F 4920 98CF 2762
Kevan Carstensen <kevan@isnotajoke.com> 7E1E 99DB 97B1 DD5F 8154 5973 8E6B 2106 2425 D7AE
Zooko Wilcox-O'Hearn <zooko@zooko.com> A60B 7EE1 7164 D0C5 F137 3868 5F22 F428 242B E85F

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQGiBEMB9ZARBACsDthnNvgj8ZnP33ViSgxg1ruCiuCGGStk06nLLFCiqgpym2sW
10DCajYcIbWw3LtPKetp14xj+p+4wvtej5+LP+gsQ5N+O9zLhaBAbc9aC7jn3xHE
2RsHPKbqvfCx/FNp3HvKRIhZdzRgKjFTRMp3O9DNcfD9/tgK8RPzVH75twCgzN3N
9oVoxGbfxAaToY1QAJeaDGED/3lw92sABU9SiFs8u3dJHsqEtWjVVAU1Ung2AeVp
hF05OgRrPR3PpAaF2GsFOmf2dSiexk8uN+cleqX3sWgQ02hH+Ppv9hT1ycAOIMCE
31g6TTtLMpWTcAcyxecNBVU5XBYOfIsQzULS0v0WvUGAQfQ3GXxFwei3RMtUBLAR
7Xn+BACW66N9+u2V7N9wPCI2DjN7wZGQs2mH0Ngr/lDk1t4GHD6n6qRP1UczT5cf
wLcn1T9DeBBCZ7G9qdkCl5/9zGEZ/oOs+qFxKQ/1r99HKDxl+v1Er88BSCaXJ0W8
iEu08agtTYVeSHa1yoRw/OYgeShyvAi6UiJNU80EtQOVxPR1WrQuWm9va28gTydX
aGllbGFjcm9ueCAoSGFja2VyKSA8em9va29Aem9va28uY29tPohgBBMRAgAgAhsD
Ah4BAheABQJJr8YEBgsJCAcDAgQVAggDBBYCAwEACgkQXyL0KCQr6F/ljACdH5YY
Idzah/onhltusit9C3ZhCoAAnjtP2BCp45dKLgVtVNVYGDro0cx3tC9ab29rbyBX
aWxjb3gtTydIZWFybiAoSGFja2VyKSA8em9va29Aem9va28uY29tPohgBBMRAgAg
BQJJr8aZAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQXyL0KCQr6F/q/ACe
IT1ra2rEo9DTvkyuyopMB+gmLGkAnRT5HlTzgWR5IWXebupMIM4+uBvQuQENBEMB
9ZEQBACEk0DKOZsds2a8+wgNzCnZwxJPtdJBXogwtTaB7XnvsqBrkTw12begWck/
2k4PhNwHlrKszfz8tzhQGUuMiZqhrvDqhPozqIWWPSJtJgJSqS7OaFDJncNdFRDP
3aggkER9J2YjVB23Ig88zIFxvzh6b57MJZhnhJyqYE74DklZawADBQP/WyQTF1JT
Iv4cbNDHNSihtp/Q+L0cNJvT23/4jAN/P1KCWui5M7QV4PBjjS6h/raXJ1gKh/G0
YXB8APbUvSNdVySVg3fBoNK/okcKspxUNTusK6it7gZ7PtMNvuOudiIbVrfjXQlQ
s0gqDxht8aH0Br41+VsaTc8oaSLTUK7VdWqISQQYEQIACQUCQwH1kQIbDAAKCRBf
IvQoJCvoX/rMAJ9QAMLP+zCP0Wmxw6MpQMjLqA4bRwCeO/TYWIA1onjBfV/qAYQ0
/U0x8sOZAaIESa2nNREEAKJ8GS7J2BpNkqVry+t0ZhB8+ziFyTflOID2kPFAej+4
ez/jMMzP4DU4zFmCFmwreZZMA+36WKLY4OsB77amm8PhY5D0DTEjYMFWJUi2j4Sn
7URPNT74wia0QamPRd80wnn2li+KNVImeGHkjzj9HXl1VaJO2vqoOyOEyAkvdscr
AKCL/QCX7WPaHKar0VEabVISGMTt0QQAmLeZDCGaUhmAx2ymizhisqvO/v3wQCIw
lLctxcQG/YE/c+NFrn29UNwpzpLbRH5KDDopNXfHfDs+haQXJ+AQ9iO5xyDfrumy
cTpsN/K02kz2uiy9pfWQff7inUwhNGcigJEkW55+qbBmsmSf6cqDixIn9fuSQBQH
PthDdiiNUz4D/iTvdwIiqYSF4bOBEcEtNEnMc0a+AnCi3pn3ZNu/vkKVXATXpHwE
fIc4SwdTzkMERF5e6RF+PCtBS4BeSo5m9HgrG94RCu074EQG0YWlBowHfo76KwTD
DYwMeKoIHArWkmz18CmDDnNXxGfDbCY4HVveCrTIEUl/+wUo2u94omNDtChCcmlh
biBXYXJuZXIgKGVtYWlsKSA8d2FybmVyQGxvdGhhci5jb20+iGAEExECACAFAkmt
pzUCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRDUO0yccyJar1lvAKCGzZ4T
VF7NbGc4wAmIKNuNjyn7zwCfYs6dcHujZY/C/846a87Ax7viCW25Ag0ESa2nNRAI
AI9UFWTfqk/0ZgiBfkq/A8hsCl06oOhxjECLKt5dUmPzYio7YwL02xKfWH2geYx4
v2/QSHBOjF1UX91Deb4MReepD7uMcybVv0368vAIbj9Mvb1MNXKDKy39wm3aGbuJ
WCLsEawOo/nDbrmGcIGAAgQenP08peGZzvCKkoSNxnxc4Z4KrygqgQBNKxNFM3ZR
/zOU9w8F9qV76WwcSHYpX290Vq5oL2WBdRy7lkI586Lubv0TbiIFN9ebuTGwcuYl
jT1QdJby8Ux8DdJOhb5TiliZ17R1C/M7290Gf7xZ4/CM01ty80oi25w8AoW0AjBL
FuPu0twR4UfSy5EYFlg6g0sAAwYH/3m3BQHWMHcXqgLBh38V8cn4qSuNZEAkw4Mp
HgDUJJJhWgV9HA4rU3TMBoR5IVcvSYn71tCJTgVzDq+Aid6PbOp5ovz9B8toKKmu
1vDzdd8NXSH0ymI1oPOL2GZ3Cge7WRkq7yGMfsoRGA87ObS/Siji6vwTSPx9rOc9
IhObIpNns9cdYqijXWtGDrmHw/VrNfd5hsgjg1ElWgnWoU4TEwNBxlp/XBLnUExf
PmX2/up6/h3eAD7LfE47e2pmSfWeOSNfve42Fgevl7vf/7fHYaYP3hdnY8tO8Fvy
8XPwC1yuCQaOYRBTW9mXA98kttRPd4c+LUpIGILBxyDWUubXFiuISQQYEQIACQUC
Sa2nNQIbDAAKCRDUO0yccyJar7oqAJ9PWosueCwCt8dXD2TO0h5hNXwY8gCfTlMw
qfNtn6X8Gm0dRHQm2j1UhtCZAQ0ETX+nlwEIAL+XBjMjo1reeuHxUhFYNgBk1hlu
Jl39Co1oPsFLLKM4zUR5/m6ooqcltsiBxE5waOlX+ha1evKxd7ykY6AM8QFcjq4l
CGWbvSlO57493t5PlWBAyCBUc0WK15ZH6vcPPbvYPuW5tZDkiL3VrQcb9MsZ3CYE
0UWrFlpc22kYT+9QrgX1fGNtVgEp/ZTbWzfBoMAW7i6ZGstDB38zI7D+RMkenQDn
Mjvt8+jj1XaDfw/7OTPnBmwCGw9sE3JgXbfLW1jUsURBbCYz1tNwVA/DOrMiVsdw
1eoezHlFdqmujAeAsm4PEQaoSDD30H4qah6TIPYEU6d1bWLFEGhczsHaLzMAEQEA
AbQvRGF2aWQtU2FyYWggSG9wd29vZCA8ZGF2aWQtc2FyYWhAamFjYXJhbmRhLm9y
Zz6JAT4EEwECACgFAk1/p5cCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
AheAAAoJEAZ/SSCYzydiSwMH+wW4St0+QHHplPLk1arm0osCSxxFnXTTllu7bhuN
M9GOjw+5d9Ns1NU2Za8G9oQ0p2Zk2htnS5f8vMk8p/UJDU84V0WntjSjcFToEW0r
EtTxNfcNDdN0ZMUM9GOIrq7rkFVMtsgL+cKmB84kU6K5oxAHdoRsLg5IQgcAAfVZ
/uZ+l6Huoxx7u/rDCG7CWlRqCXbfvCv9BREYHmDMC+MStwnklOT6xeRvPj34ryTO
fhnMuSZAQlTtqXJku9ewrlJWdJCFu2+IhjXwQN1Abhbzprgp6A4Hzn5aot1njrjd
/O2JKi/L8N2JSH/6xZzcbcDi2ub5au5T3/c0sso4+1+VXCe5AQ0ETX+nlwEIAKrt
IH+d59ZShS1mtLim8dz+Mh/uM8aU2AmJSULht4IKpf1DfcnWp5Nz6V4slvqKpBr5
TvJbKhPmI62hhzudUwNvsNTsCESolcgEoSmNMzEjwb1IK1h+GKNa5KEF/pPxCfg1
yhA8ercRgaj8ss1Py0h/5/Y7sWCqEPHPujb0QGiNzSik1caSIXK2cieNqdLaz3+Q
6cPLzyOip5ZLxAoD7ae2fWUIUAEa7qCbAkh9GWw5Lv4RT8c+Gm5SINnpywHyoDNC
e2cU4/3xWhPrGdgADMU8DWHFgN8FKOpWMrLqhVXbh45d8JvoGYyx1AfAVaFiQJsi
e4z3waQlyf2tqmXPfH8AEQEAAYkBJQQYAQIADwUCTX+nlwIbDAUJCWYBgAAKCRAG
f0kgmM8nYteMCACnD6PGPZnbspvQ2xAQAEK8b+Pq2jT6GQjrGoz8rthtcgj8PNCt
+9gsah2vOV+HCzZ2vWfqZ7uegtfA/AoJQUnLY5cAxet/8fLmLRsJrBj3bDDQiGlL
KL79JkcWyDZn6PZfrTdqg6rkjdLD4J56V50R5Yc7RWUnKcsdHldIEK2pB9lZjEQX
cFVcN5q6ra0tE+Yj4xTqBQV049UHj/Qzci+FfyT+FIVbRvMA0cE159dvd3QpKADD
WpONiXK3XNSmO6faiJ/dL2mLzJfg8CwmrosYowG4XzY3cAHNDWdc77WVpyAs2B5T
YUmeq28HKjmhVVptvfN4Ik+VV2XPo6PW1XaTmQSuBE4Ds6ARDADcHG/8jznjC275
/cuDLUSKpcZqOMNf+A+ASw8LK895xoLJaySvYMbPzFpY+OO+VY8clw/c7NVnNUOs
n2QprL02slTyN/+v1X9rnz0XsHI8G3dfZwTWYoxVdCosgEeaoinQLpn8OX2p+KVw
J6llzYKBbDKnlcMFMarlzKFeHfT4z8Zg9XMtHXkjxCCQTfOwHgZWxmQSvQcmK5EN
Dui7oRJQkPTdcTxMUe4gaCcuwQL7hHsaSfaDeX/mGoo7gNn9mPy/VrcHBNEZtWcQ
C2KSVJpdyOAGZ4i6qzExWyWL72+/PO1dGttYh2+2hHDyXDMdaF0E01yOkQ8zX6GR
zzLQIftnZvk7gj34ITouulTGwPGgF5X7JTpm+UVxPiZJdk4Q+XH3oUgzP8uiZbSY
oVO+tgSForlmFAUYkB+N5M1wPxA3/6mVVomb64roK7QO+Wy7tkpZAdJsQU1h/cec
sfu/y+UbIafJAUk6oBRdjxBRV3cKWvbG44ShUHo2jD8XSwNCdp8BAIAyGSN6qAW2
Ai9FSZ4CDhD6fhiuiubtn4wXbS3ZHtXtDACPel5qDFdh6UM1ayvIgrihIucAV3b7
2ruy+XR28Ep5KMIk/MTwynAkNZRXrH4C9HF2emYYOxBw1Q0XiR3qneI9/mV18P0x
7D/0NCeMzNPfavXFncEWVpVuUAsVp9aJU5FiCnMtozg/Xep3LD4hngSIg9P33q+I
nVaPnBSUPtIBdIkcNq5n3R9TDTbr5XaZzd3A+VJcQios3S4yh4Hdzy4OR24L7BE5
GqfEF/irKqKd9jZAS2wQMY1dW/yGOPKSoaALSV4cIpyugBhtO2Ub4fWQ5jGAhSHz
uj1M6IbsB/z/nMkM0uxqJH1EMbWWVJwaFcMbLhsvTnigwYwrHWzNVCpGRcedsBTz
fZMIzUFEdZyde9LlbYEP3KEBVo+I+Sdv+aPvo336T8L4RO9Aqr0ONU3/PV8MnLVu
fwbzwMFaQrLxQn7kBRsGLYWY3SDdugQ0P7HonMTFpASgnZtOUqvXavoJoyrgIKGD
1/8iRhBhmzNU4Hi28mKN5oDU4S7OfCW/OL8L/2P3uwmTpK9yKxAmgdQlm600wufO
S8HbIOK+hNz88SCYBniHR7jbDegQx+XNZuSRQisjyCoO7scv5p51/O35qzs6aBSd
gTIWH0AkUiDg3HJH1P1MXgYO38JikX+0zks3o50ESwF2U75FPw4Ys9kt0Xv9UuBN
+lx3MyF3CX9ZoPtClP7PCtKl6pL7W0iMndSnGxMst8pgqvXwHMA4b9rC1rO+8ByG
v5uYy65HIXIjHjf5RXFwXvdnz7Vt0iZqbMyyNGHkvQO/QMWRN7q+JTD9o+lxSkRT
haKVqhimdggqtF2TSytwsXn/gax5hTqHvL4bpIjvP+m+ZTPzAm9eON+PmRZtkod2
xCHx3r7HU9CcVvZZ7HrMG1hEg2BPZgxpNqUoydzTIVVqZABgRyIZt0S7o8PDpxU8
7sN15GwVaWee7Yp05GifbYCMRw7s3bXKTT/U3iDvoXZNQ8NyVg4Yw46sFlcpIGoD
VP76yeIWdcA2PhPLqfT8YgNhF2zH2UmpPD04dbQtS2V2YW4gQ2Fyc3RlbnNlbiA8
a2FjYXJzdGVuc2VuQGNzdXBvbW9uYS5lZHU+iIAEExEIACgFAk4Ds6ACGwMFCQHh
M4AGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEI5rIQYkJdeum7IA/j56gW+h
zpqkKkzsZAnvJw0GX1R8KI3Ppai6Yn3sfUtoAP46mY+UxDf89AOhgOIe2ABJtJWb
385WIv4A/nTnnQT6QrkDDQROA7OgEAwAw/mLuVT7T+ooC2DLbPy9kQKHlyxQeJNR
gBsVdh41QGOXOcsCUJ/6jtlpFJ+/PByTHLr6tL3z9cYyddp0mNpS3NV0+6eHpopV
1SAhHEBPlJuCtTFWj5BhXTqEHMkf12bGX8kBwJgpNcXJ4JOCItM8q7yVNUkr3988
xl2fUCVTT+vRw4N8KQUKy4rGpg3Vcp/QZwpNNrUyazo1VstcSfkIWImSVobeBuXT
lCBozL0wZgB/WEH/9cXzLIJJbUBTxNaWXJmPXDR8CW/QUy/baQWUXui9OGyldqLL
zJwWZp7Jw9i4XtgyXVMswNQJI9au+q9l8PCtZyZyM9CPznqBZ4Y371NMxle70e9q
HjhfAqUdr5k7jDmSSKwLIyZGGK0VqLTetgLCUH2eld1PnrUastP3NHbxJuh8oa7C
ZAt9y6HXi6hceUhV8/W1fPYxaE4Wj6E8Vlwzy7qqNzhygVZzE1B2A5uvNb+dVV+M
x8s6b6EnkOPtRCUqB+SDDHfDQF3Y3AmPAAQNC/9PZ9SSb5YkH0DGrN4eSixn6J99
H2QsmO/e/dZEVyouRKmPehBcxyibqL0u9wzloJx0t5obFDgY7h02aAN3VUIEQL2V
bf6Ol3n63TrKXX3INRfY9h2in42W1ba/p8BTj0vboZN+vRsadnODMiZZV1WF3uZw
rXAHvjuGBbLEeZZB92DyVqCtmZN18AFlxxhfgZfoeyKXBtjImX64lfx2SE3YBfTu
KyBgVJDhc8hljf5msnUEj3cQGu8f5K0e47Hwf5+IB6jhA0bzyPZVKQ63G05QWmnZ
fs+XvNUykVcAAxOsXiTIRQvPQR/aLrQKtapNDEDtgT8FsANlEtHUjPi0JvE0gS/p
+4+p3YOyK8VNgj7Yq2XI2BC7ZzHn2KACLkfhz7YbpnRDf6toCvaw14XVpBegY/l+
q4FHEW7rOjtwNSF8jj/qWoN01mfjHQtaOY33c1jeuMsrwq69aYAHsFszaGaappe+
q7A4NGrlmha7M7ssC5ArbpvTvJ6Djr3DuJ6DdgOIZwQYEQgADwUCTgOzoAIbDAUJ
AeEzgAAKCRCOayEGJCXXriR4AP9YVdXBtZZHCjfuT+6CU09nvPvLeOf1vWa+t2Rr
767UpAD/Sukn7pceESBqLMLOPDfgEoYLJ7/ZjPJDEmYRDnXG5JE=
=EbMb
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8KjpAACgkQXyL0KCQr6F/PUACfb9EZeqIyehgB7wSoZqHvRgJn
vIIAoMwVD3cKaJfuwI6KEAURD0to+qAT
=XB1s
-----END PGP SIGNATURE-----
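As an added example (not part of the announcement above and not Tahoe-LAFS project code), the POSIX shell script below performs the check a recipient of a signed advisory like this one wants to make before acting on it: verify the clearsigned text with gpg, then confirm that the key which produced the signature is one of the four whose fingerprints the message publishes. The fingerprints are copied from the announcement; the file name `announcement.asc` and the `SAMPLE_STATUS` lines (a constructed imitation of gpg status output, used only to exercise the parser) are assumptions.

```shell
#!/bin/sh
# Added example, not from the Tahoe-LAFS announcement or project: check that a
# saved copy of the clearsigned advisory verifies and was signed by one of the
# keys whose fingerprints the announcement publishes.

# Fingerprints exactly as published in the announcement (Warner, Hopwood,
# Carstensen, Wilcox-O'Hearn).
EXPECTED_FPRS='
967E FE06 6998 7241 1A77 DF36 D43B 4C9C 7322 5AAF
3D6A 08E9 1262 3E9A 00B2 1BDC 067F 4920 98CF 2762
7E1E 99DB 97B1 DD5F 8154 5973 8E6B 2106 2425 D7AE
A60B 7EE1 7164 D0C5 F137 3868 5F22 F428 242B E85F
'

# Constructed sample of gpg --status-fd output (not real output; the date and
# the fields after the fingerprint are placeholders) used to exercise the parser.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG A60B7EE17164D0C5F13738685F22F428242BE85F 2012-01-09 1326092944 0 4 0 17 2 01 A60B7EE17164D0C5F13738685F22F428242BE85F
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Canonical form: uppercase hex with no whitespace, so the 4-digit groups a
# human reads compare equal to the 40-digit string gpg emits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Exit 0 iff the argument (any spacing or case) is a full 40-hex-digit
# fingerprint from the published list; a prefix or short key ID is rejected.
fpr_is_published() {
    want=$(normalize_fpr "$1")
    [ "${#want}" -eq 40 ] || return 1
    for f in $(printf '%s\n' "$EXPECTED_FPRS" | tr -d ' '); do
        [ "$f" = "$want" ] && return 0
    done
    return 1
}

# Read gpg status lines on stdin; print the fingerprint(s) from the VALIDSIG
# line, which gpg emits only for a signature that verified. Field 3 is the
# signing (sub)key; the optional 12th field is the primary key.
signer_fprs_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print $3
             if (NF >= 12) print $NF
             exit
         }'
}

# The message dash-escapes its embedded key block ("- -----BEGIN ...").
# gpg --decrypt undoes that escaping while printing the signed text, so the
# key block can be cut out and imported before the signature is checked.
import_embedded_key() {
    gpg --batch --decrypt "$1" 2>/dev/null \
        | sed -n '/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/,/^-----END PGP PUBLIC KEY BLOCK-----$/p' \
        | gpg --batch --import 2>/dev/null
}

# Exit 0 iff the file carries a good signature AND the signer is a published key.
verify_announcement() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    for fpr in $(printf '%s\n' "$status" | signer_fprs_from_status); do
        fpr_is_published "$fpr" && return 0
    done
    return 1
}

# Usage: sh verify_advisory.sh announcement.asc   (file name is an assumption)
if [ "$#" -gt 0 ]; then
    import_embedded_key "$1"
    if verify_announcement "$1"; then
        echo "OK: good signature from a published Tahoe-LAFS key"
    else
        echo "REJECT: bad signature or signing key not in the published list" >&2
        exit 1
    fi
fi
```

A valid signature on its own only proves that some key signed the text; the fingerprint comparison is what ties the text to the team. Because the message embeds the very key block it is signed with, that comparison is only as strong as the source of the expected list, so the fingerprints should be cross-checked against a copy obtained out of band (a key received earlier, or the project's site) rather than taken from the message alone. The header shows the signature was made with SHA-1, which newer GnuPG releases may warn about.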