From 5417a4ece921a23276443dfa5904e238b278d56d Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas
Date: Mon, 1 Nov 2021 21:30:58 +0200
Subject: [PATCH 1/4] Document the releasing procedure
---
 RELEASING.md | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 RELEASING.md
diff --git a/RELEASING.md b/RELEASING.md
new file mode 100644
index 00000000000..741f54ae0ec
--- /dev/null
+++ b/RELEASING.md
@@ -0,0 +1,59 @@
+Creating a release
+==================
+
+This document is documentation intednded for maintainers of Barrier.
+It documents the release process of Barrier.
+
+Step 1: Setup environment variables
+-----------------------------------
+
+Setup the following environment variable that will be used throughout the rest of the steps.
+
+ export VERSION=X.Y.Z
+
+Step 2: Release notes PR
+------------------------
+
+Open a new branch (e.g. `release`) and run the following:
+
+ towncrier --version ${VERSION} --date `date -u +%F`
+
+This collects the release notes using the `towncrier` tool. Please commit the collected release
+notes afterwards.
+
+Certain file names are not properly supported by the `towncrier` tool and it ignores them.
+Check `newsfragments` directory for any forgotten release notes
+
+Step 3: Merge the release notes PR
+----------------------------------
+
+Step 4: Push git tag
+--------------------
+
+Pull the merge commit created on the `master` branch during the step 2.
+
+Create a tag:
+
+ git tag -s v${VERSION} -m v${VERSION}
+
+Push the tag:
+
+ git push origin master --tags
+
+
+Step 5: Draft a new release on Github
+-------------------------------------
+
+Go to https://github.com/buildbot/buildbot/releases and draft a new release.
+
+Use git tag as the title of the release: `vX.Y.Z`.
+
+Use the release notes generated by the `towncrier` tool as the description of the releases.
+
+Upload the artifacts created by Azure pipelines as the binaries of the release. The following
+artifacts should be uploaded to Github:
+
+ - the Barrier-X.Y.Z-release.dmg created by the oldest Mac OS task (artifact name is
+ "Mac Release Disk Image and App XYZ").
+
+ - the BarrierSetup-X.Y.Z-release.exe (artifact name is Windows Release Installer).
From 342bb6295f8d1322bc5b14ce9e6e41c786728535 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas
Date: Mon, 1 Nov 2021 21:30:59 +0200
Subject: [PATCH 2/4] azure-pipelines: Use a different artifact name for each macOS image
---
 azure-pipelines.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 2b42fc1d03b..e34a3bc52af 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -114,4 +114,4 @@ jobs:
 condition: eq(variables['B_BUILD_TYPE'], 'Release')
 inputs:
 pathtoPublish: build/bundle
- artifactName: Mac Release Disk Image and App
+ artifactName: Mac Release Disk Image and App $(imageName)
From 8883cfae0f3e48d1b433015f3d7d8834b52d9d4c Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas
Date: Mon, 1 Nov 2021 21:31:00 +0200
Subject: [PATCH 3/4] Setup release notes build using towncrier tool
---
 doc/newsfragments/README.md | 13 +++++++++
 doc/release_notes/index.md | 4 +++
 doc/release_notes/index.template.jinja | 37 ++++++++++++++++++++++++
 towncrier.toml | 39 ++++++++++++++++++++++++++
 4 files changed, 93 insertions(+)
 create mode 100644 doc/newsfragments/README.md
 create mode 100644 doc/release_notes/index.md
 create mode 100644 doc/release_notes/index.template.jinja
 create mode 100644 towncrier.toml
diff --git a/doc/newsfragments/README.md b/doc/newsfragments/README.md
new file mode 100644
index 00000000000..0338cf80bfa
--- /dev/null
+++ b/doc/newsfragments/README.md
@@ -0,0 +1,13 @@
+This is the directory for release note fragments processed by
+[towncrier](https://github.com/hawkowl/towncrier).
+
+When making a user-visible change create a file in this directory and it will be automatically be
+included into the release note document when the next release is published.
+
+The file extension specifies the type of a change. The following are currently supported:
+
+ - .feature: a new feature.
+ - .bugfix: a bug fix.
+ - .security: a fix for security issue.
+ - .doc: a documentation improvement.
+ - .removal: a deprecation or removal of functionality.
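Review bot: The new artifact name in azure-pipelines.yml relies on `$(imageName)` being defined for every job that reaches this publish step; the definition is outside the hunk, and Azure Pipelines leaves an undefined macro as literal text, which would bring back a single shared artifact name. Since RELEASING.md (patch 1/4) tells the maintainer to pick the release .dmg by this name, a comment above the line would help, for example `# one artifact per matrix image; RELEASING.md refers to this name`. The enclosing job starts and ends outside the hunk.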
diff --git a/doc/release_notes/index.md b/doc/release_notes/index.md
new file mode 100644
index 00000000000..77dd565a28c
--- /dev/null
+++ b/doc/release_notes/index.md
@@ -0,0 +1,4 @@
+Release notes
+=============
+
+[comment]: <> (towncrier release notes start)
diff --git a/doc/release_notes/index.template.jinja b/doc/release_notes/index.template.jinja
new file mode 100644
index 00000000000..418a1d3232b
--- /dev/null
+++ b/doc/release_notes/index.template.jinja
@@ -0,0 +1,37 @@
+{% for section, _ in sections|dictsort(by='key') %}
+{% set underline = "-" %}
+{% if section %}
+{{section}}
+{{ underline * section|length }}{% set underline = "-" %}
+
+{% endif %}
+{% if sections[section] %}
+{% for category, val in definitions|dictsort if category in sections[section]%}
+
+{{ definitions[category]['name'] }}
+{{ underline * definitions[category]['name']|length }}
+
+{% if definitions[category]['showcontent'] %}
+{% for text, values in sections[section][category]|dictsort(by='value') %}
+- {{ text }}
+{% endfor %}
+{% else %}
+- {{ sections[section][category]['']|sort|join(', ') }}
+
+
+{% endif %}
+{% if sections[section][category]|length == 0 %}
+
+No significant changes.
+
+
+{% else %}
+{% endif %}
+{% endfor %}
+{% else %}
+
+No significant changes.
+
+
+{% endif %}
+{% endfor %}
diff --git a/towncrier.toml b/towncrier.toml
new file mode 100644
index 00000000000..d8f0a61c8a7
--- /dev/null
+++ b/towncrier.toml
@@ -0,0 +1,39 @@
+[tool.towncrier]
+ package = ""
+ directory = "doc/newsfragments"
+ filename = "doc/release_notes/index.md"
+ template = "doc/release_notes/index.template.jinja"
+ title_format = "\nBarrier `{version}` ( `{project_date}` )\n================================\n"
+ start_string = "[comment]: <> (towncrier release notes start)"
+ [[tool.towncrier.section]]
+ path = ""
+
+ [[tool.towncrier.type]]
+ directory = "security"
+ name = "Security fixes"
+ showcontent = false
+
+ [[tool.towncrier.type]]
+ directory = "feature"
+ name = "Features"
+ showcontent = true
+
+ [[tool.towncrier.type]]
+ directory = "bugfix"
+ name = "Bug fixes"
+ showcontent = true
+
+ [[tool.towncrier.type]]
+ directory = "doc"
+ name = "Improved Documentation"
+ showcontent = true
+
+ [[tool.towncrier.type]]
+ directory = "removal"
+ name = "Deprecations and Removals"
+ showcontent = true
+
+ [[tool.towncrier.type]]
+ directory = "misc"
+ name = "Miscellaneous"
+ showcontent = false
From ad1a2c0bd66f7ce5108598c5921185b48010abd6 Mon Sep 17 00:00:00 2001
From: Povilas Kanapickas
Date: Mon, 1 Nov 2021 21:31:01 +0200
Subject: [PATCH 4/4] Release notes for v2.3.4
---
 .../close-failed-handshake-connections.bugfix | 6 ----
 .../enforce-maximum-message-length.bugfix | 6 ----
 .../fix-crash-on-ssl-hello.bugfix | 4 ---
 doc/newsfragments/ssl-corrupted-data.bugfix | 2 --
 doc/release_notes/index.md | 28 +++++++++++++++++++
 5 files changed, 28 insertions(+), 18 deletions(-)
 delete mode 100644 doc/newsfragments/close-failed-handshake-connections.bugfix
 delete mode 100644 doc/newsfragments/enforce-maximum-message-length.bugfix
 delete mode 100644 doc/newsfragments/fix-crash-on-ssl-hello.bugfix
 delete mode 100644 doc/newsfragments/ssl-corrupted-data.bugfix
diff --git a/doc/newsfragments/close-failed-handshake-connections.bugfix b/doc/newsfragments/close-failed-handshake-connections.bugfix
deleted file mode 100644
index 0dc8c16cf1d..00000000000
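Review bot: In towncrier.toml the `security` type is declared with `showcontent = false`, so a `.security` fragment goes through the template's `{% else %}` branch, which prints only the joined issue references and drops the fragment text. For security fixes that text is what carries the CVE identifier and the impact description, and the 2.3.4 notes added in patch 4/4 do show full text under "Security fixes", apparently moved there by hand from `.bugfix` fragments. I would set `showcontent = true` on the security type so the generated notes keep the advisory wording without manual editing.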
--- a/doc/newsfragments/close-failed-handshake-connections.bugfix
+++ /dev/null
@@ -1,6 +0,0 @@
-SECURITY ISSUE
-
-Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
-
-Previously repeated failing connections would leak file descriptors leading to Barrier being unable
-to receive new connections from clients.
diff --git a/doc/newsfragments/enforce-maximum-message-length.bugfix b/doc/newsfragments/enforce-maximum-message-length.bugfix
deleted file mode 100644
index 81ec2ba0230..00000000000
--- a/doc/newsfragments/enforce-maximum-message-length.bugfix
+++ /dev/null
@@ -1,6 +0,0 @@
-SECURITY ISSUE
-
-Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
-
-Previously it was possible for a malicious client or server to send excessive length messages
-leading to denial of service by resource exhaustion.
diff --git a/doc/newsfragments/fix-crash-on-ssl-hello.bugfix b/doc/newsfragments/fix-crash-on-ssl-hello.bugfix
deleted file mode 100644
index 30bb06030fe..00000000000
--- a/doc/newsfragments/fix-crash-on-ssl-hello.bugfix
+++ /dev/null
@@ -1,4 +0,0 @@
-SECURITY ISSUE
-
-Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message.
-This bug allowed an unauthenticated attacker to crash Barrier with only network access.
diff --git a/doc/newsfragments/ssl-corrupted-data.bugfix b/doc/newsfragments/ssl-corrupted-data.bugfix
deleted file mode 100644
index db8bbf863ef..00000000000
--- a/doc/newsfragments/ssl-corrupted-data.bugfix
+++ /dev/null
@@ -1,2 +0,0 @@
-Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients
-under heavy load.
diff --git a/doc/release_notes/index.md b/doc/release_notes/index.md
index 77dd565a28c..006debb56b5 100644
--- a/doc/release_notes/index.md
+++ b/doc/release_notes/index.md
@@ -2,3 +2,31 @@ Release notes
 =============
 
 [comment]: <> (towncrier release notes start)
+
+Barrier `2.3.4` ( `2021-11-01` )
+================================
+
+Security fixes
+--------------
+
+- Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
+
+ Previously repeated failing connections would leak file descriptors leading to Barrier being unable
+ to receive new connections from clients.
+
+- Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
+
+ Previously it was possible for a malicious client or server to send excessive length messages
+ leading to denial of service by resource exhaustion.
+
+- Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message.
+ This bug allowed an unauthenticated attacker to crash Barrier with only network access.
+
+All of the above security issues have been reported by Matthias Gerstner who was really helpful
+resolving them.
+
+Bug fixes
+---------
+
+- Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients
+ under heavy load.