Freenet / Hyphanet 0.7.5 build 1506 is now available.

Install Freenet / Hyphanet for Windows or for GNU/Linux, macOS and other *nixes. See the download page for more information and other platforms.

This is a shared release for builds 1504, 1505, and 1506.

1504 brings updates to plugins, optimization for routing, cleanups and upkeep. 1505 fixed a critical vulnerability reported responsibly. And 1506 fixed regressions that had caused changes to the keys of inserted files. The main changes are:

  • a critical vulnerability is fixed
  • plugins WebOfTrust and JSTUN were updated
  • file transfer was optimized (regressions fixed in 1506)
  • code cleanup and upkeep (regressions fixed in 1506)
  • bugfixes

Vulnerability in client-side Javascript fixed

This release fixes a vulnerability in the progress bar of downloads via the web interface (fproxy).

The Javascript code for updating the progress bar assigned updates fetched from the server to the innerHTML property without protecting them with a server key, so data from a finishing download could be parsed as markup instead of being shown as text, injecting arbitrary code into the download page.

This code had existed since 2009. Nowadays you would use server-sent events (SSE) or a websocket for this, but when the code was added, those were not available yet.
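To make the bug class concrete, here is an added illustration in plain browser-style Javascript. It is not the removed fproxy script: the update payload shape ({done, total, name}), the JSON transport and the stub DOM node are assumptions made so the block also runs under Node without a browser. The vulnerable builder passes an untrusted field straight into markup destined for innerHTML; the hardened versions either escape it or, preferably, avoid markup strings entirely and put untrusted text into textContent.

```javascript
// Added illustration of the innerHTML bug class, not Hyphanet's removed fproxy
// code. Payload shape {done, total, name} and the stub DOM node are assumed.

// Vulnerable pattern: an untrusted field (here a name derived from the
// finishing download) is concatenated into markup that the page then assigns
// to innerHTML, so any tags inside it are parsed and executed by the browser.
function renderProgressUnsafe(update) {
  const pct = Math.round((update.done / update.total) * 100);
  return `<div class="bar" style="width:${pct}%"></div>` +
         `<span class="name">${update.name}</span> <span class="pct">${pct}%</span>`;
}

// Escape the five characters that matter in HTML text and attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// If a markup string must be produced at all, escape every untrusted field.
function renderProgressSafe(update) {
  const pct = Math.round((update.done / update.total) * 100);
  return `<div class="bar" style="width:${pct}%"></div>` +
         `<span class="name">${escapeHtml(update.name)}</span> <span class="pct">${pct}%</span>`;
}

// Validate the server payload as data before it reaches the DOM: integer
// counters in range and a string name; anything else is rejected, not rendered.
function parseProgressUpdate(text) {
  let obj;
  try { obj = JSON.parse(text); } catch (e) { throw new Error('progress update is not JSON'); }
  const { done, total, name } = obj;
  if (!Number.isInteger(done) || !Number.isInteger(total) ||
      total <= 0 || done < 0 || done > total) {
    throw new Error('progress update out of range');
  }
  if (typeof name !== 'string') throw new Error('progress update has no name');
  return { done, total, name };
}

// Preferred pattern: no markup string at all. Numbers go into style and text,
// the untrusted name goes into textContent, which the browser never parses.
function applyProgressUpdate(el, update) {
  const pct = Math.round((update.done / update.total) * 100);
  el.bar.style.width = pct + '%';
  el.name.textContent = update.name;
  el.pct.textContent = pct + '%';
  return pct;
}

// Stand-in for the three DOM elements so the block runs outside a browser;
// in a page these would be the results of document.getElementById().
function makeStubNode() {
  return { bar: { style: { width: '' } }, name: { textContent: '' }, pct: { textContent: '' } };
}

// Constructed payload: a finishing download whose name carries markup.
const SAMPLE_UPDATE = JSON.stringify({ done: 5, total: 10, name: '<img src=x onerror="alert(1)">' });
```

In a page, the polling callback would be `applyProgressUpdate(elements, parseProgressUpdate(responseText))`; the server text is never assigned to innerHTML, and a malformed or out-of-range update is dropped rather than displayed.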

This was exploitable by getting someone to access a file within Hyphanet, so it was a critical problem for us. Luckily it was found, disclosed responsibly, and fixed by bertm, and not by an attacker. It is fixed now.

We coordinated with the Linux packagers (Gentoo, Arch AUR, Nix) so that all nodes could update at the same time and none would remain vulnerable once the release was out.

The whole Javascript file has been removed, and more legacy Javascript will be removed in future releases.

We checked all data we could reach with a dedicated crawler and did not find any content exploiting this.

A takeaway is that reviewing old code is worthwhile. While we hope that there aren’t more vulnerabilities of this scope, there are surely chances for optimization, because the JVM has come a long way in the 25 years since Hyphanet started (under the name Freenet), and parts of our code were still optimized for JVM 1.4. But please double-check whether a change actually brings benefits, to avoid causing instability needlessly: if you want to optimize, start with profiling.

Plugin updates

WebOfTrust got updated to 0.4.5 build 21. Dead seed IDs got replaced by active ones. Thanks to xor!

JSTUN was updated to version 1.5: dead STUN servers are replaced with a list of standard servers to make Hyphanet nodes which require STUN to find their IP address harder to fingerprint. Thanks to Bombe!

Optimization

Bertm did multiple performance optimizations deep in our core: MultiHash{Input,Output}Stream, BlockTransmitter, MersenneTwister, and RunningAverage. Thank you!

Cleanups

  • Torusrxxx polished PeerManager and version transitions
  • Bombe made tests cleanup files after the run
  • Bombe removed translation strings of removed features
  • 🚸 Build source JAR in a more reproducible way, thanks to Bombe!

State of the Art upkeep

  • The PNG filter supports HDR chunks, thanks to Bombe and torusrxxx!
  • Translations and the Localization Labs tooling setup are up to date again
  • Update MIME types, thanks to torusrxxx!
  • Bump Gradle to 8.14.3, thanks to qupo1!
  • Update Github Actions versions. Thanks to qupo1!
  • CONTRIBUTING file: Add "no spurious changes" note
  • Link bugs via bugs.hyphanet.org, replace dead URIs, Suggest IRC username SecRabbit in SECURITY.md, replace mailing lists reference by FMS
  • Update debian package to 1506, thanks to qupo1!

Fixes

  • Continue securely deleting a file if an IOException occurred and add logging, thanks to torusrxxx!
  • Preserve the order of peers when updating handshake IPs
  • Show radiobuttons on sky dark static theme for WoT

Installers

  • Add more seednodes
  • java_installer: Disable verifyjar due to glitches

Plugin updates

WebOfTrust plugin (thanks to xor!):

  • Replace old seed IDs by active ones
  • New seeds: Adilson_Lanpo, ArneBab, HieronymusCH
  • Removed seeds (haven't been active in a long time): operhiem1, toad_, zidel
  • Update github actions
  • Require Java 8

JSTUN plugin (thanks to Bombe!):

  • Use a public always-online STUN server list (makes JSTUN accesses harder to identify as Hyphanet)
  • Remove Dead STUN Servers
  • Require Java 8

Regression fixes in 1506

Side effects of the improvements in 1504 caused regressions that led to compressed uploads of large files sometimes getting broken hashes or different keys. These were fixed in 1506:

  • fix upload hashing input stream regression. Thanks to Bombe!
  • fix concurrent access regression in SkipShieldingInputStream. Thanks to Bertm!
  • do not embed the shorthands for new MIME types into compressed uploads. Thanks to Bertm!

This fixes an issue with downloads failing with the error "The hashes in the metadata do not match the actual data". It wasn’t an issue in the network, but a problem in the hashing during upload compression, where multiple uploads interfered with each other and the input stream wasn’t always drained completely.

The causes were regressions due to side effects of performance optimizations and refactorings. The newly added MIME types also had a side effect on compressed uploads, because with compression, known MIME types get replaced with an index to save space. That changed the upload keys of files using these newly added MIME types which had previously been uploaded by an older version.

All three issues are fixed now: the keys generated during upload are hashed consistently and match the old keys again. To create the same key as 1506 for a file whose MIME type is not yet recognized in 1506, you can use the new option --mimetype-send-octet-stream in fcpupload from pyfreenet 0.7.0.

A big thank you to everyone who tested the release and reported the regressions!

Contribute

Join our core.

If you want to help us get better, please chat with us in #freenet @ irc.libera.chat. And give us time to answer, we’re all volunteers and might not be in your timezone.

To get into development right-away, have a look at one of the Freenet / Hyphanet Projects or just get fred and fix something that annoys you.

And to take on something that makes a big difference, have a look at the high-impact tasks.

In addition to coding, spreading Hyphanet, joining the community, writing a decentralized website, and other ways to contribute within Hyphanet, you can join the awesome team of translators at localization lab. They are the reason why we’re able to support several different languages, the often unseen heroes who make our work accessible to those who need it the most.

What is Freenet / Hyphanet?

Hyphanet is the original Freenet,
a peer-to-peer platform for
censorship-resistant and privacy-respecting
publishing and communication.

I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say 'Daddy, where were you when they took freedom of the press away from the Internet?' --Mike Godwin, Electronic Frontier Foundation

What about the name „Hyphanet“? See Freenet renamed to Hyphanet.

That Hyphanet can keep moving forward and help people worldwide to exercise their basic rights and freedoms is the work of amazing volunteers, both contributors and people running Hyphanet nodes.

Thank you for your contributions, and thank you for using Freenet / Hyphanet!

-- AB
