build01502: 2025-06-29
Hyphanet 0.7.5 build 1502 is now available.
The most important change is a fix to a vulnerability that enabled
attackers to differentiate between an uploading and a forwarding node
by analyzing the structure of packets in blocks. It was reported
responsibly by Yonghuan Xu and depended on block-level timing of
packet handling.
Thank you very much for reporting the vulnerability and creating and
testing a mitigation!
There were some additional privacy and safety improvements: do not
check reachability of global addresses, to avoid a fallback to Echo
packets when a node does not support Ping; do not show download to disk
on the large file page on public gateway nodes; and make fproxy cross
origin isolated -- the last by torusrxxx.
Torusrxxx also once again increased the fraction of HTML and CSS elements
that can be used on Freesites. More and more pages should just work.
Freesites can now set robots, googlebot and referrer=no-referrer, for
example for the Spiders that update indices, as well as use more CSS
properties.
And there is now support for animated, lossy webp images, recovering
some capabilities we lost when browsers removed support for the Theora
codec, and for WAV files for lossless audio. Thank you!
Also Freemail now allows inbound links with to=WOT_ID, so you can use
links on Freesites that directly open in Freemail.
Below the shutdown button, there is now a note on how to disable
autostart on GNU/Linux.
On the alerts page there are buttons to dismiss all alerts that do not
come from other nodes, or to delete all messages from other nodes.
This should unclutter alerts and make node-to-node messages much more
usable.
Plugin visibility was adjusted so that simple mode shows the
plugins that are actually easy to understand for newcomers.
Additionally there are visible Fixes:
- Update dependencies.properties wrapper files to files in
  java_installer to avoid downgrading the wrapper after the first
  start -- #1081 by ArneBab
- Fix regression: compress parameter was inverted on upload. Thanks to
  NewOne@umLZL for investigating! -- #1051 by ArneBab
- Build the Atom XML correctly -- #1080 by Bombe
- Do not fix case (upper/lower) of header key -- #1063 by torusrxxx
- Fix request distribution stats -- #1071 by bertm
And internal code fixes:
- Return valid length from RandomShortReadInputStream.read -- #1060 by
  bertm
- Fix single-byte read() in various InputStream implementations --
  #1058 by bertm
And improvements to the code to ease maintenance:
- 🐛 Allow Class Loader to Enumerate Directory Entries. Fixes Flyway
  usage -- #1049 by Bombe
- ♻️ Use accessor for NodeClientCore.mainExecutor -- #1079 by Bombe
- Add Accessors for PageNode’s Member Fields -- #1076 by Bombe
- Add Accessors for Two Member Fields Used in PeerNodeStatus -- #1075 by Bombe
- Fix Translation Handling in Tests -- #1074 by Bombe
- Remove main(...) methods and related test/debug routines -- #1070 by
  bertm
- Remove unused code and parameters from NodeStats -- #1069 by bertm
- Remove remaining code paths for disabled slow-down sending -- #1068
  by bertm
- Get rid of Hashtable in NodeStats -- #1067 by bertm
Finally there are optimizations to the code -- a lot of them
improvements to synchronization -- which should reduce CPU load of
nodes with many peers and make it easier to run simple routing nodes
(without messaging) on weak, cheap, energy conserving hardware:
- Fix synchronization of receive buffer -- #1044 by ArneBab. Thanks to
  Yonghuan Xu for the catch!
- Do not synchronize on global variable in CryptoKey.fingerprint --
  #1066 by bertm
- Do not synchronize on access to AEADCryptBucket.readOnly -- #1065 by
  bertm
- Do not synchronize on global variable in crypt Util.makeKey -- #1064
  by bertm
- Do not synchronize on Rijndael cipher initialization or use -- #1061
  by bertm
- Use length hint for bucket creation in ChecksumChecker -- #1059 by
  bertm
- Optimize OCBBlockCipher_v149 by replacing Vector with List -- #1057
  by bertm
- Use JCE AES implementation for AEAD when available -- #1056 by bertm
Thank you for using Hyphanet!
- AB
Developer changelog:
2025-06-29
Changes in 1502:
Fix reported vulnerability:
- Fix insert tracing vulnerability reported by Yonghuan Xu.
Thank you very much for reporting the vulnerability and
creating and testing a mitigation!
This vulnerability enabled attackers to differentiate
between an uploading and a forwarding node by analyzing
the structure of packets in blocks. The fix randomizes
the order of packets in blocks and adds a delay before
the last packets are added to match the behavior when
dispatching packets from received blocks.
Privacy / Safety improvements:
- Privacy: do not check reachability of global addresses -- prevents
  Java from creating global TCP/7 (echo) connections when Ping fails
  -- #1047 by ArneBab
- Do not show download to disk for large file page on public gateway
  -- #1045 by ArneBab
- Make fproxy cross origin isolated -- #1053 by torusrxxx
Freesite HTML and UX improvements:
- Add HTML elements meter,progress,input
  type=email,number,search,tel,url -- #1078 by torusrxxx
- Allow freesite to set robots, googlebot and referrer=no-referrer
  meta tag -- #1077 by torusrxxx
- Fix style -- #1072 by torusrxxx
- Add CSS properties -- #1050 by torusrxxx
- Add info how to disable autostart in GNU Linux -- #1073 by ArneBab
- Add dismiss all alerts and delete all messages buttons. -- #1046 by
  ArneBab
- Official plugins visibility adjustment: do not show unsupported
  plugins, always show KeyUtils, only show JSTUN, MDNSDiscovery,
  ThawIndexBrowser, and UPnP in advanced mode -- #1062 by ArneBab
Visible Fixes:
- Update dependencies.properties wrapper files to files in
  java_installer to avoid downgrading the wrapper after the first
  start -- #1081 by ArneBab
- Fix regression: compress parameter was inverted on upload. Thanks to
  NewOne@umLZL for investigating! -- #1051 by ArneBab
- Build the Atom XML correctly -- #1080 by Bombe
- Do not fix case (upper/lower) of header key -- #1063 by torusrxxx
- Fix request distribution stats -- #1071 by bertm
Internal code fixes:
- Return valid length from RandomShortReadInputStream.read -- #1060 by
  bertm
- Fix single-byte read() in various InputStream implementations --
  #1058 by bertm
Code improvement:
- 🐛 Allow Class Loader to Enumerate Directory Entries. Fixes Flyway
  usage -- #1049 by Bombe
- ♻️ Use accessor for NodeClientCore.mainExecutor -- #1079 by Bombe
- Add Accessors for PageNode’s Member Fields -- #1076 by Bombe
- Add Accessors for Two Member Fields Used in PeerNodeStatus -- #1075 by Bombe
- Fix Translation Handling in Tests -- #1074 by Bombe
- Remove main(...) methods and related test/debug routines -- #1070 by
  bertm
- Remove unused code and parameters from NodeStats -- #1069 by bertm
- Remove remaining code paths for disabled slow-down sending -- #1068
  by bertm
- Get rid of Hashtable in NodeStats -- #1067 by bertm
Optimization:
- Fix synchronization of receive buffer -- #1044 by ArneBab. Thanks to
  Yonghuan Xu for the catch!
- Do not synchronize on global variable in CryptoKey.fingerprint --
  #1066 by bertm
- Do not synchronize on access to AEADCryptBucket.readOnly -- #1065 by
  bertm
- Do not synchronize on global variable in crypt Util.makeKey -- #1064
  by bertm
- Do not synchronize on Rijndael cipher initialization or use -- #1061
  by bertm
- Use length hint for bucket creation in ChecksumChecker -- #1059 by
  bertm
- Optimize OCBBlockCipher_v149 by replacing Vector with List -- #1057
  by bertm
- Use JCE AES implementation for AEAD when available -- #1056 by bertm
- AB
Arne Babenhauserheide (33):
Add recently merged PRs to NEWS
turn brief changelog into long form text
note Freemail
polish
Note Chrome/FF Theora removal
note that webp lossless and animation are still todo
Note that the IP Address can include Ping and RTO¹ in the peer list
Debian package 1501
Do not show download to disk for large file page on public gateway
Do not check reachability when sorting IPs.
Fix regression: compress parameter was inverted on upload. Thanks to NewOne@umLZL for investigating!
Adjust advanced state of official plugins to match what people need
Fix: do not show group if it only contains unsupported plugins
Add info how to disable autostart in GNU Linux
Refactor: inline single-use private methods into stream.
Compare enum with = -- thanks to Bombe!
Fix disabled logic, thanks to bertm
Disable download to disk on public gateway wherever disabled was checked
Add dismiss all alerts and delete all messages buttons.
fix: condition was inverted: if arg1 is good, return 1!
Extract reachability check.
Refactor: use thenComparing with prefer-approach. Thanks to bertm!
reverse arguments around == for better readability. Thanks to Bombe!
doc: fix docstring wording
Add IPv6FirstComparator Test thanks to Bombe
Cleanup prefer thanks to bertm
Remove unused constructor
Remove unused methods
Assign fields with this.field = in constructor
Remove unnecessary constructor
update Freemail to v0.2.9
Update dependencies.properties wrapper files to files in java_installer
Add braces around if condition
Arne Babenhauserheide (freenet releases) (2):
Update default bookmark editions
Build 1502
Bert Massop (34):
Optimize OCBBlockCipher_v149 by replacing Vector with List
Fix reading single bytes in AEADInputStream
Fix reading single bytes in RAFInputStream
Fix reading single bytes in PaddedBucket.MyInputStream
Fix reading single bytes in PaddedRandomAccessBucket.MyInputStream
Fix reading single bytes in ByteBufferInputStream
Remove single-byte buffer fields in EncryptedRandomAccessBucket
Use length hint for bucket creation in ChecksumChecker
Return valid length from RandomShortReadInputStream.read
Use JCE AES implementation for AEAD when available
Do not synchronize on Rijndael cipher initialization or use
Do not synchronize on global variable in crypt Util.makeKey
Do not synchronize on access to AEADCryptBucket.readOnly
Do not synchronize on global variable in CryptoKey.fingerprint
Replace Hashtable with concurrent map for backoff stats
Replace Hashtable with concurrent map for database job stats
NodeStats: remove unused private method arguments
NodeStats: remove unused (package)private fields, methods & constructors
Remove remaining code paths for disabled slow-down sending
Tests: remove main(...) debug methods
CSSTokenizerFilter: remove main(...) debug method
MP3Filter: remove main(...) debug method
PNGFilter: remove main(...) debug method
CryptoKey: remove main(...) debug method
DSAPrivateKey: remove commented-out main(...) debug method
JceLoader: remove main(...) debug method
Util: remove main(...) debug method
Yarrow: remove main(...) debug method
FreenetURI: remove main(...) debug method and related routine
ISO639_3: remove main(...) debug method
Version: remove main(...) debug method
DecayingKeyspaceAverage: remove main(...) debug method
URLDecoder: remove main(...) debug method
Fix request distribution stats
David Roden (9):
🐛 Allow class loader to enumerate directory entries
🎨 Make l10n provider used in tests configurable
🐛 Fix translation properties resolution in tests
♻️ Add accessors for PageNode’s outer and content nodes
♻️ Add accessor for PageNode’s headNode
♻️ Add generate() convenience method on InfoboxNode
🔥 Remove unused parameter
♻️ Add generate method to PageHelper and use it
♻️ Add accessors for two attributes used in PeerNodeStatus
David ‘Bombe’ Roden (2):
♻️ Use accessor for NodeClientCore.mainExecutor
🐛 Fix Atom XML being built incorrectly
Torusrxxx (1):
Add a space between if and bracket
Yonghuan Xu (2):
Fix synchronization of receive buffer
Mitigate inserter detection vulnerability
qupo1 (4):
delete gradle-witness
update Gradle to 8.12
update gradlew scripts to 8.12
update Gradle to 8.12.1
torusrxxx (34):
Support ARIA role property
Add CSS properties isolation,object-position,pointer-events,rotate,row-gap
Add tests for CSS property rotate,object-position
Update CSS properties (page-)break-(before,after,inside),outline-color
Add CSS properties border-(block,inline)-(start,end)
Update CSS property content: counter()
Add CSS properties overflow-(x,y,block,inline)
Clean up CSS filters (margin,padding)-(top,bottom,left,right,block,inline)-(start,end),(min,max)-(width,height,block-size,inline-size)
Update CSS properties overflow, overscroll-behavior(-x,y,block,inline)
Fix duplicated/different auxilaryVerifiers[61]
Add CSS properties scroll-(margin,padding)-(left,right,top,bottom,block,inline)-(start,end)
Remove unused function with @SuppressWarnings in CSS filter
Add 16 CSS properties
Add CSS properties background-position-(x,y)
Add and deprecate concat in CSS filter
Do not fix case of header key
Allow freesite to set robots, googlebot and referrer=no-referrer meta tag
Add HTML elements meter,progress,input type=email,number,search,tel,url
Drop use of StringTokenizer and drop support for meta type=referrer
Input types are case-insensitive
Fix input tag tests
Add WAV content filter
Add a few tests for WAV
fix coding styles
Don't allow fact trunk in WAV file with size not equal to 4
No dangerous links in WAV file
Fix unhandled UnsupportedOperationException in Fallocate
Do not throw UnsupportedOperationException in Fallocate
Remove throws clause
fix coding style
Adding support for animated lossy WebP with alpha channel
Make fproxy cross origin isolated
Fix code styles
Fix filling file with size not divisible by 4KB