diff --git a/RELEASING.md b/RELEASING.md
new file mode 100644
index 00000000..741f54ae
--- /dev/null
+++ b/RELEASING.md
@@ -0,0 +1,59 @@
+Creating a release
+==================
+
+This document is documentation intednded for maintainers of Barrier.
+It documents the release process of Barrier.
+
+Step 1: Setup environment variables
+-----------------------------------
+
+Setup the following environment variable that will be used throughout the rest of the steps.
+
+ export VERSION=X.Y.Z
+
+Step 2: Release notes PR
+------------------------
+
+Open a new branch (e.g. `release`) and run the following:
+
+ towncrier --version ${VERSION} --date `date -u +%F`
+
+This collects the release notes using the `towncrier` tool. Please commit the collected release
+notes afterwards.
+
+Certain file names are not properly supported by the `towncrier` tool and it ignores them.
+Check `newsfragments` directory for any forgotten release notes
+
+Step 3: Merge the release notes PR
+----------------------------------
+
+Step 4: Push git tag
+--------------------
+
+Pull the merge commit created on the `master` branch during the step 2.
+
+Create a tag:
+
+ git tag -s v${VERSION} -m v${VERSION}
+
+Push the tag:
+
+ git push origin master --tags
+
+
+Step 5: Draft a new release on Github
+-------------------------------------
+
+Go to https://github.com/buildbot/buildbot/releases and draft a new release.
+
+Use git tag as the title of the release: `vX.Y.Z`.
+
+Use the release notes generated by the `towncrier` tool as the description of the releases.
+
+Upload the artifacts created by Azure pipelines as the binaries of the release. The following
+artifacts should be uploaded to Github:
+
+ - the Barrier-X.Y.Z-release.dmg created by the oldest Mac OS task (artifact name is
+ "Mac Release Disk Image and App XYZ").
+
+ - the BarrierSetup-X.Y.Z-release.exe (artifact name is Windows Release Installer).
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 2b42fc1d..e34a3bc5 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -114,4 +114,4 @@ jobs:
 condition: eq(variables['B_BUILD_TYPE'], 'Release')
 inputs:
 pathtoPublish: build/bundle
- artifactName: Mac Release Disk Image and App
+ artifactName: Mac Release Disk Image and App $(imageName)
diff --git a/doc/newsfragments/README.md b/doc/newsfragments/README.md
new file mode 100644
index 00000000..0338cf80
--- /dev/null
+++ b/doc/newsfragments/README.md
@@ -0,0 +1,13 @@
+This is the directory for release note fragments processed by
+[towncrier](https://github.com/hawkowl/towncrier).
+
+When making a user-visible change create a file in this directory and it will be automatically be
+included into the release note document when the next release is published.
+
+The file extension specifies the type of a change. The following are currently supported:
+
+ - .feature: a new feature.
+ - .bugfix: a bug fix.
+ - .security: a fix for security issue.
+ - .doc: a documentation improvement.
+ - .removal: a deprecation or removal of functionality.
diff --git a/doc/newsfragments/close-failed-handshake-connections.bugfix b/doc/newsfragments/close-failed-handshake-connections.bugfix
deleted file mode 100644
index 0dc8c16c..00000000
--- a/doc/newsfragments/close-failed-handshake-connections.bugfix
+++ /dev/null
@@ -1,6 +0,0 @@
-SECURITY ISSUE
-
-Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
-
-Previously repeated failing connections would leak file descriptors leading to Barrier being unable
-to receive new connections from clients.
diff --git a/doc/newsfragments/enforce-maximum-message-length.bugfix b/doc/newsfragments/enforce-maximum-message-length.bugfix
deleted file mode 100644
index 81ec2ba0..00000000
--- a/doc/newsfragments/enforce-maximum-message-length.bugfix
+++ /dev/null
@@ -1,6 +0,0 @@
-SECURITY ISSUE
-
-Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
-
-Previously it was possible for a malicious client or server to send excessive length messages
-leading to denial of service by resource exhaustion.
diff --git a/doc/newsfragments/fix-crash-on-ssl-hello.bugfix b/doc/newsfragments/fix-crash-on-ssl-hello.bugfix
deleted file mode 100644
index 30bb0603..00000000
--- a/doc/newsfragments/fix-crash-on-ssl-hello.bugfix
+++ /dev/null
@@ -1,4 +0,0 @@
-SECURITY ISSUE
-
-Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message.
-This bug allowed an unauthenticated attacker to crash Barrier with only network access.
diff --git a/doc/newsfragments/ssl-corrupted-data.bugfix b/doc/newsfragments/ssl-corrupted-data.bugfix
deleted file mode 100644
index db8bbf86..00000000
--- a/doc/newsfragments/ssl-corrupted-data.bugfix
+++ /dev/null
@@ -1,2 +0,0 @@
-Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients
-under heavy load.
diff --git a/doc/release_notes/index.md b/doc/release_notes/index.md
new file mode 100644
index 00000000..006debb5
--- /dev/null
+++ b/doc/release_notes/index.md
@@ -0,0 +1,32 @@
+Release notes
+=============
+
+[comment]: <> (towncrier release notes start)
+
+Barrier `2.3.4` ( `2021-11-01` )
+================================
+
+Security fixes
+--------------
+
+- Barrier will now correctly close connections when the app-level handshake fails (fixes CVE-2021-42075).
+
+ Previously repeated failing connections would leak file descriptors leading to Barrier being unable
+ to receive new connections from clients.
+
+- Barrier will now enforce a maximum length of input messages (fixes CVE-2021-42076).
+
+ Previously it was possible for a malicious client or server to send excessive length messages
+ leading to denial of service by resource exhaustion.
+
+- Fixed a bug which caused Barrier to crash when disconnecting a TCP session just after sending Hello message.
+ This bug allowed an unauthenticated attacker to crash Barrier with only network access.
+
+All of the above security issues have been reported by Matthias Gerstner who was really helpful
+resolving them.
+
+Bug fixes
+---------
+
+- Fixed a bug in SSL implementation that caused invalid data occasionally being sent to clients
+ under heavy load.
diff --git a/doc/release_notes/index.template.jinja b/doc/release_notes/index.template.jinja
new file mode 100644
index 00000000..418a1d32
--- /dev/null
+++ b/doc/release_notes/index.template.jinja
@@ -0,0 +1,37 @@
+{% for section, _ in sections|dictsort(by='key') %}
+{% set underline = "-" %}
+{% if section %}
+{{section}}
+{{ underline * section|length }}{% set underline = "-" %}
+
+{% endif %}
+{% if sections[section] %}
+{% for category, val in definitions|dictsort if category in sections[section]%}
+
+{{ definitions[category]['name'] }}
+{{ underline * definitions[category]['name']|length }}
+
+{% if definitions[category]['showcontent'] %}
+{% for text, values in sections[section][category]|dictsort(by='value') %}
+- {{ text }}
+{% endfor %}
+{% else %}
+- {{ sections[section][category]['']|sort|join(', ') }}
+
+
+{% endif %}
+{% if sections[section][category]|length == 0 %}
+
+No significant changes.
+
+
+{% else %}
+{% endif %}
+{% endfor %}
+{% else %}
+
+No significant changes.
+
+
+{% endif %}
+{% endfor %}
diff --git a/towncrier.toml b/towncrier.toml
new file mode 100644
index 00000000..d8f0a61c
--- /dev/null
+++ b/towncrier.toml
@@ -0,0 +1,39 @@
+[tool.towncrier]
+ package = ""
+ directory = "doc/newsfragments"
+ filename = "doc/release_notes/index.md"
+ template = "doc/release_notes/index.template.jinja"
+ title_format = "\nBarrier `{version}` ( `{project_date}` )\n================================\n"
+ start_string = "[comment]: <> (towncrier release notes start)"
+ [[tool.towncrier.section]]
+ path = ""
+
+ [[tool.towncrier.type]]
+ directory = "security"
+ name = "Security fixes"
+ showcontent = false
+
+ [[tool.towncrier.type]]
+ directory = "feature"
+ name = "Features"
+ showcontent = true
+
+ [[tool.towncrier.type]]
+ directory = "bugfix"
+ name = "Bug fixes"
+ showcontent = true
+
+ [[tool.towncrier.type]]
+ directory = "doc"
+ name = "Improved Documentation"
+ showcontent = true
+
+ [[tool.towncrier.type]]
+ directory = "removal"
+ name = "Deprecations and Removals"
+ showcontent = true
+
+ [[tool.towncrier.type]]
+ directory = "misc"
+ name = "Miscellaneous"
+ showcontent = false
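Review bot: The `security` type in towncrier.toml is declared with `showcontent = false`, and the template's non-showcontent branch prints only `sections[section][category]['']|sort|join(', ')`, so the body of a future `.security` fragment (CVE id, impact, affected behaviour) would apparently be dropped from the generated release notes. The 2.3.4 entry in doc/release_notes/index.md does carry full text under "Security fixes", which suggests it was arranged by hand from the deleted `.bugfix` fragments rather than produced by this configuration. For advisories the fragment text is what users need in order to decide whether to upgrade, so the entry under `directory = "security"` should read `showcontent = true`. A one-line comment above the `misc` entry such as `# misc fragments list only their names; the fragment text is not rendered` would also make the remaining `showcontent = false` intentional to the next maintainer.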