ChangeLog and ReleaseNotes for 0.3.3.11

37 files changed, 346 insertions, 155 deletions

diff --git a/ChangeLog b/ChangeLog
index 6c75b5b67d..6d3f0cb6e1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,176 @@
+Changes in version 0.3.3.11 - 2018-01-07
+  Tor 0.3.3.11 backports numerous fixes from later versions of Tor.
+  numerous fixes, including an important fix for anyone using OpenSSL
+  1.1.1. Anyone running an earlier version of Tor 0.3.3 should upgrade
+  to this version, or to a later series.
+
+  As a reminder, support the Tor 0.3.3 series will end on 22 Feb 2019.
+  We anticipate that this will be the last release of Tor 0.3.3, unless
+  some major bug is before then. Some time between now and then, users
+  should switch to either the Tor 0.3.4 series (supported until at least
+  10 June 2019), or the Tor 0.3.5 series, which will receive long-term
+  support until at least 1 Feb 2022.
+
+  o Major bugfixes (OpenSSL, portability, backport from 0.3.5.5-alpha):
+    - Fix our usage of named groups when running as a TLS 1.3 client in
+      OpenSSL 1.1.1. Previously, we only initialized EC groups when
+      running as a relay, which caused clients to fail to negotiate TLS
+      1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3
+      support was added).
+
+  o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
+    - Fix a use-after-free error that could be caused by passing Tor an
+      impossible set of options that would fail during options_act().
+      Fixes bug 27708; bugfix on 0.3.3.1-alpha.
+
+  o Minor features (continuous integration, backport from 0.3.5.1-alpha):
+    - Only run one online rust build in Travis, to reduce network
+      errors. Skip offline rust builds on Travis for Linux gcc, because
+      they're redundant. Implements ticket 27252.
+    - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
+      duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
+      Linux with default settings, because all the non-default builds
+      use gcc on Linux. Implements ticket 27252.
+
+  o Minor features (continuous integration, backport from 0.3.5.3-alpha):
+    - Use the Travis Homebrew addon to install packages on macOS during
+      Travis CI. The package list is the same, but the Homebrew addon
+      does not do a `brew update` by default. Implements ticket 27738.
+
+  o Minor features (fallback directory list, backport from 0.3.5.6-rc):
+    - Replace the 150 fallbacks originally introduced in Tor
+      0.3.3.1-alpha in January 2018 (of which ~115 were still
+      functional), with a list of 157 fallbacks (92 new, 65 existing, 85
+      removed) generated in December 2018. Closes ticket 24803.
+
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2
+      Country database. Closes ticket 29012.
+
+  o Minor features (OpenSSL bug workaround, backport from 0.3.5.7):
+    - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
+      key export function from handling long labels. When this bug is
+      detected, Tor will disable TLS 1.3. We recommend upgrading to a
+      version of OpenSSL without this bug when it becomes available.
+      Closes ticket 28973.
+
+  o Minor bugfixes (relay statistics, backport from 0.3.5.7):
+    - Update relay descriptor on bandwidth changes only when the uptime
+      is smaller than 24h, in order to reduce the efficiency of guard
+      discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.
+
+  o Minor bugfixes (C correctness, backport from 0.3.5.4-alpha):
+    - Avoid undefined behavior in an end-of-string check when parsing
+      the BEGIN line in a directory object. Fixes bug 28202; bugfix
+      on 0.2.0.3-alpha.
+
+  o Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
+    - Rewrite our assertion macros so that they no longer suppress the
+      compiler's -Wparentheses warnings. Fixes bug 27709; bugfix
+
+  o Minor bugfixes (compilation, backport from 0.3.5.5-alpha):
+    - Initialize a variable unconditionally in aes_new_cipher(), since
+      some compilers cannot tell that we always initialize it before
+      use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.
+
+  o Minor bugfixes (directory authority, backport from 0.3.5.4-alpha):
+    - Log additional info when we get a relay that shares an ed25519 ID
+      with a different relay, instead making a BUG() warning. Fixes bug
+      27800; bugfix on 0.3.2.1-alpha.
+
+  o Minor bugfixes (directory permissions, backport form 0.3.5.3-alpha):
+    - When a user requests a group-readable DataDirectory, give it to
+      them. Previously, when the DataDirectory and the CacheDirectory
+      were the same, the default setting (0) for
+      CacheDirectoryGroupReadable would override the setting for
+      DataDirectoryGroupReadable. Fixes bug 26913; bugfix
+      on 0.3.3.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
+    - When the onion service directory can't be created or has the wrong
+      permissions, do not log a stack trace. Fixes bug 27335; bugfix
+      on 0.3.2.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
+    - Close all SOCKS request (for the same .onion) if the newly fetched
+      descriptor is unusable. Before that, we would close only the first
+      one leaving the other hanging and let to time out by themselves.
+      Fixes bug 27410; bugfix on 0.3.2.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
+    - Don't warn so loudly when Tor is unable to decode an onion
+      descriptor. This can now happen as a normal use case if a client
+      gets a descriptor with client authorization but the client is not
+      authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.6-rc):
+    - When deleting an ephemeral onion service (DEL_ONION), do not close
+      any rendezvous circuits in order to let the existing client
+      connections finish by themselves or closed by the application. The
+      HS v2 is doing that already so now we have the same behavior for
+      all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.
+
+  o Minor bugfixes (HTTP tunnel):
+    - Fix a bug warning when closing an HTTP tunnel connection due to
+      an HTTP request we couldn't handle. Fixes bug 26470; bugfix on
+      0.3.2.1-alpha.
+
+  o Minor bugfixes (memory leaks, backport from 0.3.5.5-alpha):
+    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
+      bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.
+
+  o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
+    - Ensure circuitmux queues are empty before scheduling or sending
+      padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
+
+  o Minor bugfixes (protover, backport from 0.3.5.3-alpha):
+    - Reject protocol names containing bytes other than alphanumeric
+      characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
+      on 0.2.9.4-alpha.
+
+  o Minor bugfixes (rust, backport from 0.3.5.1-alpha):
+    - Compute protover votes correctly in the rust version of the
+      protover code. Previously, the protover rewrite in 24031 allowed
+      repeated votes from the same voter for the same protocol version
+      to be counted multiple times in protover_compute_vote(). Fixes bug
+      27649; bugfix on 0.3.3.5-rc.
+    - Reject protover names that contain invalid characters. Fixes bug
+      27687; bugfix on 0.3.3.1-alpha.
+
+  o Minor bugfixes (rust, backport from 0.3.5.2-alpha):
+    - protover_all_supported() would attempt to allocate up to 16GB on
+      some inputs, leading to a potential memory DoS. Fixes bug 27206;
+      bugfix on 0.3.3.5-rc.
+
+  o Minor bugfixes (rust, backport from 0.3.5.4-alpha):
+    - Fix a potential null dereference in protover_all_supported(). Add
+      a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
+    - Return a string that can be safely freed by C code, not one
+      created by the rust allocator, in protover_all_supported(). Fixes
+      bug 27740; bugfix on 0.3.3.1-alpha.
+    - Fix an API mismatch in the rust implementation of
+      protover_compute_vote(). This bug could have caused crashes on any
+      directory authorities running Tor with Rust (which we do not yet
+      recommend). Fixes bug 27741; bugfix on 0.3.3.6.
+
+  o Minor bugfixes (testing, backport from 0.3.5.1-alpha):
+    - If a unit test running in a subprocess exits abnormally or with a
+      nonzero status code, treat the test as having failed, even if the
+      test reported success. Without this fix, memory leaks don't cause
+      the tests to fail, even with LeakSanitizer. Fixes bug 27658;
+      bugfix on 0.2.2.4-alpha.
+
+  o Minor bugfixes (testing, backport from 0.3.5.4-alpha):
+    - Treat backtrace test failures as expected on BSD-derived systems
+      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
+      (FreeBSD failures have been treated as expected since 18204 in
+      0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.
+
+  o Minor bugfixes (unit tests, guard selection, backport from 0.3.5.6-rc):
+    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
+      bugfix on 0.3.0.1-alpha.
+
+
 Changes in version 0.3.3.10 - 2018-09-10
   Tor 0.3.3.10 backports numerous fixes from later versions of Tor.
 
diff --git a/ReleaseNotes b/ReleaseNotes
index d07b89354b..67f567953a 100644
--- a/ReleaseNotes
+++ b/ReleaseNotes
@@ -2,6 +2,179 @@ This document summarizes new features and bugfixes in each stable
 release of Tor. If you want to see more detailed descriptions of the
 changes in each development snapshot, see the ChangeLog file.
 
+Changes in version 0.3.3.11 - 2018-01-07
+  Tor 0.3.3.11 backports numerous fixes from later versions of Tor.
+  numerous fixes, including an important fix for anyone using OpenSSL
+  1.1.1. Anyone running an earlier version of Tor 0.3.3 should upgrade
+  to this version, or to a later series.
+
+  As a reminder, support the Tor 0.3.3 series will end on 22 Feb 2019.
+  We anticipate that this will be the last release of Tor 0.3.3, unless
+  some major bug is before then. Some time between now and then, users
+  should switch to either the Tor 0.3.4 series (supported until at least
+  10 June 2019), or the Tor 0.3.5 series, which will receive long-term
+  support until at least 1 Feb 2022.
+
+  o Major bugfixes (OpenSSL, portability, backport from 0.3.5.5-alpha):
+    - Fix our usage of named groups when running as a TLS 1.3 client in
+      OpenSSL 1.1.1. Previously, we only initialized EC groups when
+      running as a relay, which caused clients to fail to negotiate TLS
+      1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3
+      support was added).
+
+  o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
+    - Fix a use-after-free error that could be caused by passing Tor an
+      impossible set of options that would fail during options_act().
+      Fixes bug 27708; bugfix on 0.3.3.1-alpha.
+
+  o Minor features (continuous integration, backport from 0.3.5.1-alpha):
+    - Only run one online rust build in Travis, to reduce network
+      errors. Skip offline rust builds on Travis for Linux gcc, because
+      they're redundant. Implements ticket 27252.
+    - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
+      duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
+      Linux with default settings, because all the non-default builds
+      use gcc on Linux. Implements ticket 27252.
+
+  o Minor features (continuous integration, backport from 0.3.5.3-alpha):
+    - Use the Travis Homebrew addon to install packages on macOS during
+      Travis CI. The package list is the same, but the Homebrew addon
+      does not do a `brew update` by default. Implements ticket 27738.
+
+  o Minor features (fallback directory list, backport from 0.3.5.6-rc):
+    - Replace the 150 fallbacks originally introduced in Tor
+      0.3.3.1-alpha in January 2018 (of which ~115 were still
+      functional), with a list of 157 fallbacks (92 new, 65 existing, 85
+      removed) generated in December 2018. Closes ticket 24803.
+
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2
+      Country database. Closes ticket 29012.
+
+  o Minor features (OpenSSL bug workaround, backport from 0.3.5.7):
+    - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
+      key export function from handling long labels. When this bug is
+      detected, Tor will disable TLS 1.3. We recommend upgrading to a
+      version of OpenSSL without this bug when it becomes available.
+      Closes ticket 28973.
+
+  o Minor bugfixes (relay statistics, backport from 0.3.5.7):
+    - Update relay descriptor on bandwidth changes only when the uptime
+      is smaller than 24h, in order to reduce the efficiency of guard
+      discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.
+
+  o Minor bugfixes (C correctness, backport from 0.3.5.4-alpha):
+    - Avoid undefined behavior in an end-of-string check when parsing
+      the BEGIN line in a directory object. Fixes bug 28202; bugfix
+      on 0.2.0.3-alpha.
+
+  o Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
+    - Rewrite our assertion macros so that they no longer suppress the
+      compiler's -Wparentheses warnings. Fixes bug 27709; bugfix
+
+  o Minor bugfixes (compilation, backport from 0.3.5.5-alpha):
+    - Initialize a variable unconditionally in aes_new_cipher(), since
+      some compilers cannot tell that we always initialize it before
+      use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.
+
+  o Minor bugfixes (directory authority, backport from 0.3.5.4-alpha):
+    - Log additional info when we get a relay that shares an ed25519 ID
+      with a different relay, instead making a BUG() warning. Fixes bug
+      27800; bugfix on 0.3.2.1-alpha.
+
+  o Minor bugfixes (directory permissions, backport form 0.3.5.3-alpha):
+    - When a user requests a group-readable DataDirectory, give it to
+      them. Previously, when the DataDirectory and the CacheDirectory
+      were the same, the default setting (0) for
+      CacheDirectoryGroupReadable would override the setting for
+      DataDirectoryGroupReadable. Fixes bug 26913; bugfix
+      on 0.3.3.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
+    - When the onion service directory can't be created or has the wrong
+      permissions, do not log a stack trace. Fixes bug 27335; bugfix
+      on 0.3.2.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
+    - Close all SOCKS request (for the same .onion) if the newly fetched
+      descriptor is unusable. Before that, we would close only the first
+      one leaving the other hanging and let to time out by themselves.
+      Fixes bug 27410; bugfix on 0.3.2.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
+    - Don't warn so loudly when Tor is unable to decode an onion
+      descriptor. This can now happen as a normal use case if a client
+      gets a descriptor with client authorization but the client is not
+      authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha.
+
+  o Minor bugfixes (onion service v3, backport from 0.3.5.6-rc):
+    - When deleting an ephemeral onion service (DEL_ONION), do not close
+      any rendezvous circuits in order to let the existing client
+      connections finish by themselves or closed by the application. The
+      HS v2 is doing that already so now we have the same behavior for
+      all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.
+
+  o Minor bugfixes (HTTP tunnel):
+    - Fix a bug warning when closing an HTTP tunnel connection due to
+      an HTTP request we couldn't handle. Fixes bug 26470; bugfix on
+      0.3.2.1-alpha.
+
+  o Minor bugfixes (memory leaks, backport from 0.3.5.5-alpha):
+    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
+      bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.
+
+  o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
+    - Ensure circuitmux queues are empty before scheduling or sending
+      padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
+
+  o Minor bugfixes (protover, backport from 0.3.5.3-alpha):
+    - Reject protocol names containing bytes other than alphanumeric
+      characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
+      on 0.2.9.4-alpha.
+
+  o Minor bugfixes (rust, backport from 0.3.5.1-alpha):
+    - Compute protover votes correctly in the rust version of the
+      protover code. Previously, the protover rewrite in 24031 allowed
+      repeated votes from the same voter for the same protocol version
+      to be counted multiple times in protover_compute_vote(). Fixes bug
+      27649; bugfix on 0.3.3.5-rc.
+    - Reject protover names that contain invalid characters. Fixes bug
+      27687; bugfix on 0.3.3.1-alpha.
+
+  o Minor bugfixes (rust, backport from 0.3.5.2-alpha):
+    - protover_all_supported() would attempt to allocate up to 16GB on
+      some inputs, leading to a potential memory DoS. Fixes bug 27206;
+      bugfix on 0.3.3.5-rc.
+
+  o Minor bugfixes (rust, backport from 0.3.5.4-alpha):
+    - Fix a potential null dereference in protover_all_supported(). Add
+      a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
+    - Return a string that can be safely freed by C code, not one
+      created by the rust allocator, in protover_all_supported(). Fixes
+      bug 27740; bugfix on 0.3.3.1-alpha.
+    - Fix an API mismatch in the rust implementation of
+      protover_compute_vote(). This bug could have caused crashes on any
+      directory authorities running Tor with Rust (which we do not yet
+      recommend). Fixes bug 27741; bugfix on 0.3.3.6.
+
+  o Minor bugfixes (testing, backport from 0.3.5.1-alpha):
+    - If a unit test running in a subprocess exits abnormally or with a
+      nonzero status code, treat the test as having failed, even if the
+      test reported success. Without this fix, memory leaks don't cause
+      the tests to fail, even with LeakSanitizer. Fixes bug 27658;
+      bugfix on 0.2.2.4-alpha.
+
+  o Minor bugfixes (testing, backport from 0.3.5.4-alpha):
+    - Treat backtrace test failures as expected on BSD-derived systems
+      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
+      (FreeBSD failures have been treated as expected since 18204 in
+      0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.
+
+  o Minor bugfixes (unit tests, guard selection, backport from 0.3.5.6-rc):
+    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
+      bugfix on 0.3.0.1-alpha.
+
+
 Changes in version 0.3.3.10 - 2018-09-10
   Tor 0.3.3.10 backports numerous fixes from later versions of Tor.
 
diff --git a/changes/bug24104 b/changes/bug24104
deleted file mode 100644
index ca2a3537fa..0000000000
--- a/changes/bug24104
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfix (relay statistics):
-    - Update relay descriptor on bandwidth changes only when the uptime is
-      smaller than 24h in order to reduce the efficiency of guard discovery
-      attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.
diff --git a/changes/bug25505 b/changes/bug25505
deleted file mode 100644
index 101c7d5246..0000000000
--- a/changes/bug25505
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (netflow padding):
-    - Ensure circuitmux queues are empty before scheduling or sending padding.
-      Fixes bug 25505; bugfix on 0.3.1.1-alpha.
diff --git a/changes/bug26470 b/changes/bug26470
deleted file mode 100644
index 854ec7ea72..0000000000
--- a/changes/bug26470
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (HTTP tunnel):
-    - Fix a bug warning when closing an HTTP tunnel connection due to
-      an HTTP request we couldn't handle. Fixes bug 26470; bugfix on
-      0.3.2.1-alpha.
diff --git a/changes/bug27206 b/changes/bug27206
deleted file mode 100644
index c0fbbed702..0000000000
--- a/changes/bug27206
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - protover_all_supported() would attempt to allocate up to 16GB on some
-      inputs, leading to a potential memory DoS. Fixes bug 27206; bugfix on
-      0.3.3.5-rc.
diff --git a/changes/bug27316 b/changes/bug27316
deleted file mode 100644
index cec9348912..0000000000
--- a/changes/bug27316
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (protover):
-    - Reject protocol names containing bytes other than alphanumeric characters
-      and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix on 0.2.9.4-alpha.
diff --git a/changes/bug27335 b/changes/bug27335
deleted file mode 100644
index dcc55a945a..0000000000
--- a/changes/bug27335
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (hidden service v3):
-    - In case the hidden service directory can't be created or has wrong
-      permissions, do not BUG() on it which lead to a non fatal stacktrace.
-      Fixes bug 27335; bugfix on 0.3.2.1.
diff --git a/changes/bug27649 b/changes/bug27649
deleted file mode 100644
index 55bfc3a842..0000000000
--- a/changes/bug27649
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - The protover rewrite in 24031 allowed repeated votes from the same
-      voter for the same protocol version to be counted multiple times in
-      protover_compute_vote(). Fixes bug 27649; bugfix on 0.3.3.5-rc.
diff --git a/changes/bug27658 b/changes/bug27658
deleted file mode 100644
index 8cc0aa4714..0000000000
--- a/changes/bug27658
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes (testing):
-    - If a unit test running in a subprocess exits abnormally or with a
-      nonzero status code, treat the test as having failed, even if
-      the test reported success. Without this fix, memory leaks don't cause
-      cause the tests to fail, even with LeakSanitizer. Fixes bug 27658;
-      bugfix on 0.2.2.4-alpha.
diff --git a/changes/bug27687 b/changes/bug27687
deleted file mode 100644
index 8b7903b63e..0000000000
--- a/changes/bug27687
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - protover parsed and accepted unknown protocol names containing invalid
-      characters outside the range [A-Za-z0-9-]. Fixes bug 27687; bugfix on
-      0.3.3.1-alpha.
diff --git a/changes/bug27708 b/changes/bug27708
deleted file mode 100644
index d283b19515..0000000000
--- a/changes/bug27708
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Major bugfixes (restart-in-process):
-    - Fix a use-after-free error that could be caused by passing Tor an
-      impossible set of options that would fail during options_act().
-      Fixes bug 27708; bugfix on 0.3.3.1-alpha.
diff --git a/changes/bug27709 b/changes/bug27709
deleted file mode 100644
index 49e87cbb0a..0000000000
--- a/changes/bug27709
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (code safety):
-    - Rewrite our assertion macros so that they no longer suppress
-      the compiler's -Wparentheses warnings on their inputs. Fixes bug 27709;
-      bugfix on 0.0.6.
diff --git a/changes/bug27740 b/changes/bug27740
deleted file mode 100644
index 76a17b7dda..0000000000
--- a/changes/bug27740
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (rust):
-    - Return a string that can be safely freed by C code, not one created by
-      the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix
-      on 0.3.3.1-alpha.
diff --git a/changes/bug27741 b/changes/bug27741
deleted file mode 100644
index 531e264b63..0000000000
--- a/changes/bug27741
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (rust, directory authority):
-    - Fix an API mismatch in the rust implementation of
-      protover_compute_vote(). This bug could have caused crashes on any
-      directory authorities running Tor with Rust (which we do not yet
-      recommend). Fixes bug 27741; bugfix on 0.3.3.6.
diff --git a/changes/bug27800 b/changes/bug27800
deleted file mode 100644
index 63d5dbc681..0000000000
--- a/changes/bug27800
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (directory authority):
-    - Log additional info when we get a relay that shares an ed25519
-      ID with a different relay, instead making a BUG() warning.
-      Fixes bug 27800; bugfix on 0.3.2.1-alpha.
diff --git a/changes/bug27804 b/changes/bug27804
deleted file mode 100644
index fa7fec0bc5..0000000000
--- a/changes/bug27804
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (rust):
-    - Fix a potential null dereference in protover_all_supported().
-      Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
diff --git a/changes/bug27948 b/changes/bug27948
deleted file mode 100644
index fea16f3d0f..0000000000
--- a/changes/bug27948
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes (tests):
-    - Treat backtrace test failures as expected on BSD-derived systems
-      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
-      (FreeBSD failures have been treated as expected since 18204 in 0.2.8.)
-      Fixes bug 27948; bugfix on 0.2.5.2-alpha.
-
diff --git a/changes/bug28202 b/changes/bug28202
deleted file mode 100644
index 182daac4f1..0000000000
--- a/changes/bug28202
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (C correctness):
-    - Avoid undefined behavior in an end-of-string check when parsing the
-      BEGIN line in a directory object.  Fixes bug 28202; bugfix on
-      0.2.0.3-alpha.
diff --git a/changes/bug28245 b/changes/bug28245
deleted file mode 100644
index d7e6deb810..0000000000
--- a/changes/bug28245
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Major bugfixes (OpenSSL, portability):
-    - Fix our usage of named groups when running as a TLS 1.3 client in
-      OpenSSL 1.1.1. Previously, we only initialized EC groups when running
-      as a server, which caused clients to fail to negotiate TLS 1.3 with
-      relays. Fixes bug 28245; bugfix on 0.2.9.15 when TLS 1.3 support was
-      added.
diff --git a/changes/bug28413 b/changes/bug28413
deleted file mode 100644
index 4c88bea7e7..0000000000
--- a/changes/bug28413
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Initialize a variable in aes_new_cipher(), since some compilers
-      cannot tell that we always initialize it before use. Fixes bug 28413;
-      bugfix on 0.2.9.3-alpha.
diff --git a/changes/bug28419 b/changes/bug28419
deleted file mode 100644
index 52ceb0a2a7..0000000000
--- a/changes/bug28419
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (memory leaks):
-    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
-      bugfix on 0.3.3.1-alpha.  Patch from Martin Kepplinger.
\ No newline at end of file
diff --git a/changes/bug28554 b/changes/bug28554
deleted file mode 100644
index 9a0b281406..0000000000
--- a/changes/bug28554
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (unit tests, guard selection):
-    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
-      bugfix on 0.3.0.1-alpha.
diff --git a/changes/bug28619 b/changes/bug28619
deleted file mode 100644
index 86be8cb2fb..0000000000
--- a/changes/bug28619
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes (hidden service v3):
-    - When deleting an ephemeral onion service (DEL_ONION), do not close any
-      rendezvous circuits in order to let the existing client connections
-      finish by themselves or closed by the application. The HS v2 is doing
-      that already so now we have the same behavior for all versions. Fixes
-      bug 28619; bugfix on 0.3.3.1-alpha.
diff --git a/changes/geoip-2018-09-06 b/changes/geoip-2018-09-06
deleted file mode 100644
index 851ec46e25..0000000000
--- a/changes/geoip-2018-09-06
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the September 6 2018 Maxmind GeoLite2
-      Country database. Closes ticket 27631.
-
diff --git a/changes/geoip-2018-10-09 b/changes/geoip-2018-10-09
deleted file mode 100644
index 9b8e621852..0000000000
--- a/changes/geoip-2018-10-09
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2
-      Country database. Closes ticket 27991.
-
diff --git a/changes/geoip-2018-11-06 b/changes/geoip-2018-11-06
deleted file mode 100644
index 5c18ea4244..0000000000
--- a/changes/geoip-2018-11-06
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the November 6 2018 Maxmind GeoLite2
-      Country database. Closes ticket 28395.
-
diff --git a/changes/geoip-2018-12-05 b/changes/geoip-2018-12-05
deleted file mode 100644
index 20ccf2d8a5..0000000000
--- a/changes/geoip-2018-12-05
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the December 5 2018 Maxmind GeoLite2
-      Country database. Closes ticket 28744.
-
diff --git a/changes/geoip-2019-01-03 b/changes/geoip-2019-01-03
deleted file mode 100644
index 27ffb7f460..0000000000
--- a/changes/geoip-2019-01-03
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2
-      Country database. Closes ticket 29012.
-
diff --git a/changes/ticket24803 b/changes/ticket24803
deleted file mode 100644
index e76a9eeab9..0000000000
--- a/changes/ticket24803
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor features (fallback directory list):
-    - Replace the 150 fallbacks originally introduced in Tor 0.3.3.1-alpha in
-      January 2018 (of which ~115 were still functional), with a list of
-      157 fallbacks (92 new, 65 existing, 85 removed) generated in
-      December 2018.  Closes ticket 24803.
diff --git a/changes/ticket26913 b/changes/ticket26913
deleted file mode 100644
index d6555764ec..0000000000
--- a/changes/ticket26913
+++ /dev/null
@@ -1,7 +0,0 @@
-  o Minor bugfixes (directory permissions):
-    - When a user requests a group-readable DataDirectory, give it to
-      them. Previously, when the DataDirectory and the CacheDirectory
-      were the same, the default setting (0) for
-      CacheDirectoryGroupReadable would always override the setting for
-      DataDirectoryGroupReadable. Fixes bug 26913; bugfix on
-      0.3.3.1-alpha.
diff --git a/changes/ticket27252 b/changes/ticket27252
deleted file mode 100644
index 410ddef8c0..0000000000
--- a/changes/ticket27252
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor features (continuous integration):
-    - Skip gcc on OSX in Travis CI, it's rarely used.
-      Skip a duplicate hardening-off build in Travis on Tor 0.2.9.
-      Skip gcc on Linux with default settings, because all the non-default
-      builds use gcc on Linux.
-      Implements ticket 27252.
diff --git a/changes/ticket27252-032 b/changes/ticket27252-032
deleted file mode 100644
index 4752aedcf6..0000000000
--- a/changes/ticket27252-032
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor features (continuous integration):
-    - Only run one online rust build in Travis, to reduce network errors.
-      Skip offline rust builds on Travis for Linux gcc, because they're
-      redundant.
-      Implements ticket 27252.
diff --git a/changes/ticket27410 b/changes/ticket27410
deleted file mode 100644
index a21fdde58e..0000000000
--- a/changes/ticket27410
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (hidden service v3):
-    - Close all SOCKS request (for the same .onion) if the newly fetched
-      descriptor is unusable. Before that, we would close only the first one
-      leaving the other hanging and let to time out by themselves. Fixes bug
-      27410; bugfix on 0.3.2.1-alpha.
diff --git a/changes/ticket27550 b/changes/ticket27550
deleted file mode 100644
index 87f9b5cbe9..0000000000
--- a/changes/ticket27550
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (hidden service v3):
-    - Don't warn so loudly when tor is unable to decode a descriptor. This can
-      now happen as a normal use case if a client gets a descriptor with
-      client authorization but the client is not authorized. Fixes bug 27550;
-      bugfix on 0.3.5.1-alpha.
diff --git a/changes/ticket27738 b/changes/ticket27738
deleted file mode 100644
index f23bfb019e..0000000000
--- a/changes/ticket27738
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (continuous integration):
-    - Use the Travis Homebrew addon to install packages on macOS. The package
-      list is the same, but the Homebrew addon does not do a `brew update` by
-      default. Implements ticket 27738.
diff --git a/changes/ticket28973 b/changes/ticket28973
deleted file mode 100644
index b1d208ee51..0000000000
--- a/changes/ticket28973
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor features (OpenSSL bug workaround):
-    - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
-      key export function from handling long labels.  When this bug
-      is detected, Tor will disable TLS 1.3.  We recommend upgrading to
-      a version of OpenSSL without this bug when it becomes available.
-      Closes ticket 28973.