author Tails developers <amnesia@boum.org> 2013-10-17 13:44:25 +0000
committer Tails developers <amnesia@boum.org> 2013-10-17 13:44:25 +0000
commit 17beb114e68778f0b8e20ead7c5719bc3c725773 (patch)
tree 4de05497356f52402495b2bbe10500f12d4a5fe3
parent fef84cf71262ed00c3b9bbd64d5aca94e501ecff (diff)

Update changelog for 0.21~rc1. (tag: 0.21-rc1)

-rw-r--r-- debian/changelog 76
1 files changed, 73 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog
index cd6ca90..d52fb7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,78 @@
-tails (0.21) UNRELEASED; urgency=low
+tails (0.21~rc1) unstable; urgency=low
+
+ * Security fixes
+ - Don't grant access to the Tor control port for the desktop user
+ (amnesia). Else, an attacker able to run arbitrary code as this user
+ could obtain the public IP with a get_info command.
+ · Vidalia is now run as a dedicated user.
+ · Remove the amnesia user from the debian-tor group.
+ · Remove the Vidalia launcher in the Applications menu.
+ The Vidalia instance it starts is useless, since it can't connect
+ to the Tor control port.
+ - Don't allow the desktop user to directly change persistence settings.
+ Else, an attacker able to run arbitrary code as this user could
+ leverage this feature to gain persistent root access, as long as
+ persistence is enabled.
+ · Fully rework the persistent filesystem and files ownership
+ and permissions.
+ · Run the Persistent Volume Assistant as a dedicated user, that is
+ granted the relevant udisks and filesystem -level credentials.
+ · At persistence activation time, don't trust existing persistence
+ configuration files, migrate to the new ownership and permissions,
+ migrate every known-safe existing settings and backup what's left.
+ Warn the user when not all persistence settings could be migrated.
+ · Persistent Volume Assistant uses the new ownership and permissions
+ scheme when initializing a new persistent volume, and refuses to
+ read persistence.conf if it, or the parent directory, hasn't the
+ expected permissions.
+ · Make boot medium 'system internal' for udisks with bilibop.
+ Once Tails is based on Wheezy, this will further complete the
+ protection (see #6172 for details).
- * Upcoming release.
+ * Major new features
+ - Add a persistence preset for printing settings (Closes: #5686).
+ Reload CUPS configuration after persistence activation.
+ - Support SD card connected through a SDIO host adapter (Closes: #6324).
+ · Rebrand Tails USB installer to Tails installer.
+ · Display devices brand, model and size in the Installer
+ (Closes: #6292).
+ · Ask for confirmation before installing Tails onto a device
+ (Closes: #6293).
+ · Add support for SDIO and MMC block devices to the Tails Installer
+ (Closes: #5744) and the Persistent Volume Assistant (Closes: #6325).
+ · Arm the udev watchdog when booted from SD (plugged in SDIO) too
+ (Closes: #6327).
+
+ * Minor improvements
+ - Add a KeePassX launcher to the top GNOME panel (Closes: #6290).
+ - Rework bug reporting workflow: point the desktop launcher to
+ the troubleshooting page.
+ - Make /home world-readable at build time, regardless of the Git
+ working copy permissions. This makes the build process more robust
+ against strict umasks.
+ - Add signing capabilities to the tails-build script (Closes: #6267).
+ This is in turn used to sign ISO images built by our Jenkins setup
+ (Closes: #6193).
+ - Simplify the ikiwiki setup and make more pages translatable.
+ - Exclude the version string in GnuPG's ASCII armored output.
+ - Prefer stronger ciphers (AES256,AES192,AES,CAST5) when encrypting
+ data with GnuPG.
+ - Use the same custom Startpage search URL than the TBB.
+ This apparently disables the new broken "family" filter.
+ - Enable oldstable-proposed-updates APT sources to install packages
+ scheduled for the next Squeeze point-release. Accordingly update
+ APT pinning.
+ - Update AdBlock Plus patterns.
- -- Tails developers <tails@debian.org> Thu, 19 Sep 2013 15:59:43 +0200
+ * Test suite
+ - Look for "/tmp/.X11-unix/X${1#:}" too when detecting displays in use.
+ - Adapt tests to match the Control Port access security fix:
+ · Take into account that the amnesia user isn't part of the debian-tor
+ group anymore.
+ · Run as root the checks to see if a process is running: this
+ is required to see other users' processes.
+
+ -- Tails developers <tails@boum.org> Thu, 17 Oct 2013 14:13:27 +0200
tails (0.20.1) unstable; urgency=low
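Review bot: In the persistence entry under "Security fixes", the Persistent Volume Assistant bullet says it refuses to read persistence.conf when the file or its parent directory "hasn't the expected permissions", while the neighbouring bullets speak of "ownership and permissions"; state explicitly whether ownership is checked as well, since a mode check alone would not cover a file owned by the desktop user. The two security entries also carry no ticket reference (only #6172 is cited, for the bilibop follow-up), unlike the "Closes: #NNNN" markers on the feature entries, so adding the relevant tickets would make the fixes traceable. Minor wording: "filesystem -level" has a stray space, and "the same custom Startpage search URL than the TBB" should read "as the TBB".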