fold in changes files for upcoming 0.2.4.4-alpha

22 files changed, 101 insertions, 110 deletions

diff --git a/ChangeLog b/ChangeLog
index 98f050765f..d2348070ce 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,104 @@
+Changes in version 0.2.4.4-alpha - 2012-10-20
+  Tor 0.2.4.4-alpha adds a new v3 directory authority, fixes a privacy
+  vulnerability introduced by a change in OpenSSL, fixes a remotely
+  triggerable assert, and adds new channel_t and circuitmux_t abstractions
+  that will make it easier to test new connection transport and cell
+  scheduling algorithms.
+
+  o New directory authorities (also in 0.2.3.23-rc):
+    - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
+      authority. Closes ticket 5749.
+
+  o Major bugfixes (security/privacy, also in 0.2.3.23-rc):
+    - Disable TLS session tickets. OpenSSL's implementation was giving
+      our TLS session keys the lifetime of our TLS context objects, when
+      perfect forward secrecy would want us to discard anything that
+      could decrypt a link connection as soon as the link connection
+      was closed. Fixes bug 7139; bugfix on all versions of Tor linked
+      against OpenSSL 1.0.0 or later. Found by Florent Daignière.
+    - Discard extraneous renegotiation attempts once the V3 link
+      protocol has been initiated. Failure to do so left us open to
+      a remotely triggerable assertion failure. Fixes CVE-2012-2249;
+      bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
+
+  o Internal abstraction features:
+    - Introduce new channel_t abstraction between circuits and
+      or_connection_t to allow for implementing alternate OR-to-OR
+      transports. A channel_t is an abstract object which can either be a
+      cell-bearing channel, which is responsible for authenticating and
+      handshaking with the remote OR and transmitting cells to and from
+      it, or a listening channel, which spawns new cell-bearing channels
+      at the request of remote ORs. Implements part of ticket 6465.
+    - Also new is the channel_tls_t subclass of channel_t, adapting it
+      to the existing or_connection_t code. The V2/V3 protocol handshaking
+      code which formerly resided in command.c has been moved below the
+      channel_t abstraction layer and may be found in channeltls.c now.
+      Implements the rest of ticket 6465.
+    - Introduce new circuitmux_t storing the queue of circuits for
+      a channel; this encapsulates and abstracts the queue logic and
+      circuit selection policy, and allows the latter to be overridden
+      easily by switching out a policy object. The existing EWMA behavior
+      is now implemented as a circuitmux_policy_t. Resolves ticket 6816.
+
+  o Required libraries:
+    - Tor now requires OpenSSL 0.9.8 or later. OpenSSL 1.0.0 or later is
+      strongly recommended.
+
+  o Minor features:
+    - Warn users who run hidden services on a Tor client with
+      UseEntryGuards disabled that their hidden services will be
+      vulnerable to http://freehaven.net/anonbib/#hs-attack06 (the
+      attack which motivated Tor to support entry guards in the first
+      place). Resolves ticket 6889.
+    - Tor now builds correctly on Bitrig, an OpenBSD fork. Patch from
+      dhill. Resolves ticket 6982.
+
+  o Minor bugfixes (also in 0.2.3.23-rc):
+    - Don't serve or accept v2 hidden service descriptors over a
+      relay's DirPort. It's never correct to do so, and disabling it
+      might make it more annoying to exploit any bugs that turn up in the
+      descriptor-parsing code. Fixes bug 7149.
+    - Fix two cases in src/or/transports.c where we were calling
+      fmt_addr() twice in a parameter list. Bug found by David
+      Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha.
+    - Fix memory leaks whenever we logged any message about the "path
+      bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc.
+    - When relays refuse a "create" cell because their queue of pending
+      create cells is too big (typically because their cpu can't keep up
+      with the arrival rate), send back reason "resource limit" rather
+      than reason "internal", so network measurement scripts can get a
+      more accurate picture. Fixes bug 7037; bugfix on 0.1.1.11-alpha.
+
+  o Minor bugfixes:
+    - Command-line option "--version" implies "--quiet". Fixes bug 6997.
+    - Free some more still-in-use memory at exit, to make hunting for
+      memory leaks easier. Resolves bug 7029.
+    - When a Tor client gets a "truncated" relay cell, the first byte of
+      its payload specifies why the circuit was truncated. We were
+      ignoring this 'reason' byte when tearing down the circuit, resulting
+      in the controller not being told why the circuit closed. Now we
+      pass the reason from the truncated cell to the controller. Bugfix
+      on 0.1.2.3-alpha; fixes bug 7039.
+    - Downgrade "Failed to hand off onionskin" messages to "debug"
+      severity, since they're typically redundant with the "Your computer
+      is too slow" messages. Fixes bug 7038; bugfix on 0.2.2.16-alpha.
+    - Make clients running with IPv6 bridges connect over IPv6 again,
+      even without setting new config options ClientUseIPv6 and
+      ClientPreferIPv6ORPort. Fixes bug 6757; bugfix on 0.2.4.1-alpha.
+    - Use square brackets around IPv6 addresses in numerous places
+      that needed them, including log messages, HTTPS CONNECT proxy
+      requests, TransportProxy statefile entries, and pluggable transport
+      extra-info lines. Fixes bug 7011; patch by David Fifield.
+
+  o Code refactoring and cleanup:
+    - Source files taken from other packages now reside in src/ext;
+      previously they were scattered around the rest of Tor.
+    - Avoid use of reserved identifiers in our C code. The C standard
+      doesn't like us declaring anything that starts with an
+      underscore, so let's knock it off before we get in trouble. Fix
+      for bug 1031; bugfix on the first Tor commit.
+
+
 Changes in version 0.2.3.23-rc - 2012-10-20
   Tor 0.2.3.23-rc adds a new v3 directory authority, fixes a privacy
   vulnerability introduced by a change in OpenSSL, and fixes a variety
diff --git a/changes/6757 b/changes/6757
deleted file mode 100644
index 6b17f951d1..0000000000
--- a/changes/6757
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (client):
-    - Make clients running with IPv6 bridges connect over IPv6 again,
-      even without setting new config options ClientUseIPv6 and
-      ClientPreferIPv6ORPort.
-      Fixes bug 6757; bugfix on 0.2.4.1-alpha.
diff --git a/changes/6982 b/changes/6982
deleted file mode 100644
index edfa066a56..0000000000
--- a/changes/6982
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor features (portability):
-    - Tor now builds correctly on Bitrig, an OpenBSD fork. Patch from dhill.
-      Ticket 6982.
diff --git a/changes/addr_is_internal_debug b/changes/addr_is_internal_debug
deleted file mode 100644
index 6de221bb2e..0000000000
--- a/changes/addr_is_internal_debug
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features:
-    - Log the call-site of a failed tor_addr_is_internal(), so that we
-      can learn who is calling it with AF_UNSPECIFIED and fix the
-      second (unrelated) part of bug 7086.
diff --git a/changes/bug1031 b/changes/bug1031
deleted file mode 100644
index e3ab49b2bd..0000000000
--- a/changes/bug1031
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Code cleanup:
-    - Avoid use of reserved identifiers in our C code. The C standard
-      doesn't like us declaring anything that starts with an
-      underscore, so let's knock it off before we get in trouble. Fix
-      for bug 1031; bugfix on the first Tor commit.
diff --git a/changes/bug6465 b/changes/bug6465
deleted file mode 100644
index a5ea9e213c..0000000000
--- a/changes/bug6465
+++ /dev/null
@@ -1,12 +0,0 @@
-  o Infrastructure features:
-    - Introduce new channel_t abstraction between circuits and or_connection_t
-      to allow for implementing alternate OR-to-OR transports.  A channel_t is
-      an abstract object which can either be a cell-bearing channel, which is
-      responsible for authenticating and handshaking with the remote OR and
-      transmitting cells to and from it, or a listening channel, which spawns
-      new cell-bearing channels at the request of remote ORs.
-
-    - Also new is the channel_tls_t subclass of channel_t, adapting it to the
-      existing or_connection_t code.  The V2/V3 protocol handshaking code
-      which formerly resided in command.c has been moved below the channel_t
-      abstraction layer and may be found in channeltls.c now.
diff --git a/changes/bug6816 b/changes/bug6816
deleted file mode 100644
index e9e6877a96..0000000000
--- a/changes/bug6816
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Infrastructure features:
-    - Introduce new circuitmux_t storing the queue of circuits for a channel;
-      this encapsulates and abstracts the queue logic and circuit selection
-      policy, and allows the latter to be overridden easily by switching out
-      a policy object.  The existing EWMA behavior is now implemented as a
-      circuitmux_policy_t.  This fixes bug 6816.
diff --git a/changes/bug7011 b/changes/bug7011
deleted file mode 100644
index f3d0aa2e1e..0000000000
--- a/changes/bug7011
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes:
-    - Use square brackets around IPv6 addresses in numerous places that needed
-      them, including log messages, HTTPS CONNECT proxy requests,
-      TransportProxy statefile entries, and pluggable transport extra-info
-      lines.  Fix for bug 7011; patch by David Fifield.
-
diff --git a/changes/bug7014 b/changes/bug7014
deleted file mode 100644
index 1d39103a50..0000000000
--- a/changes/bug7014
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes:
-    - Fix two cases in src/or/transports.c where we were calling
-      fmt_addr() twice in a parameter list. Bug found by David
-      Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha.
-
diff --git a/changes/bug7022 b/changes/bug7022
deleted file mode 100644
index 10ac354724..0000000000
--- a/changes/bug7022
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes:
-    - Fix memory leaks whenever we logged any message about the "path
-      bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc.
diff --git a/changes/bug7029 b/changes/bug7029
deleted file mode 100644
index a115b42f8e..0000000000
--- a/changes/bug7029
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (code cleanliness):
-    - Free some more still-in-use memory at exit, to make hunting for
-      memory leaks easier. Resolves bug 7029.
diff --git a/changes/bug7037 b/changes/bug7037
deleted file mode 100644
index fc3a1ad1c5..0000000000
--- a/changes/bug7037
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes:
-    - When relays refuse a "create" cell because their queue of pending
-      create cells is too big (typically because their cpu can't keep up
-      with the arrival rate), send back reason "resource limit" rather
-      than reason "internal", so network measurement scripts can get a
-      more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.
diff --git a/changes/bug7038 b/changes/bug7038
deleted file mode 100644
index 3805d868b2..0000000000
--- a/changes/bug7038
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (log messages):
-    - Downgrade "Failed to hand off onionskin" messages to "debug"
-      severity, since they're typically redundant with the "Your computer
-      is too slow" messages. Fixes bug 7038; bugfix on 0.2.2.16-alpha.
-
diff --git a/changes/bug7039 b/changes/bug7039
deleted file mode 100644
index dc5111a00c..0000000000
--- a/changes/bug7039
+++ /dev/null
@@ -1,7 +0,0 @@
-  o Minor bugfixes:
-    - When a Tor client gets a "truncated" relay cell, the first byte of
-      its payload specifies why the circuit was truncated. We were
-      ignoring this 'reason' byte when tearing down the circuit, resulting
-      in the controller not being told why the circuit closed. Now we
-      pass the reason from the truncated cell to the controller. Bugfix
-      on 0.1.2.3-alpha; fixes bug 7039.
diff --git a/changes/bug7139 b/changes/bug7139
deleted file mode 100644
index dfb7d32838..0000000000
--- a/changes/bug7139
+++ /dev/null
@@ -1,9 +0,0 @@
-  o Major bugfixes (security):
-
-    - Disable TLS session tickets.  OpenSSL's implementation were giving
-      our TLS session keys the lifetime of our TLS context objects, when
-      perfect forward secrecy would want us to discard anything that
-      could decrypt a link connection as soon as the link connection was
-      closed.  Fixes bug 7139; bugfix on all versions of Tor linked
-      against OpenSSL 1.0.0 or later. Found by "nextgens".
-
diff --git a/changes/cve-2012-2249 b/changes/cve-2012-2249
deleted file mode 100644
index 625bfa2f58..0000000000
--- a/changes/cve-2012-2249
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Major bugfixes (security):
-    - Discard extraneous renegotiation attempts once the V3 link
-      protocol has been initiated. Failure to do so left us open to
-      a remotely triggerable assertion failure. Fixes CVE-2012-2249;
-      bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
diff --git a/changes/dirserv-BUGGY-a b/changes/dirserv-BUGGY-a
deleted file mode 100644
index 35b492a2d7..0000000000
--- a/changes/dirserv-BUGGY-a
+++ /dev/null
@@ -1,7 +0,0 @@
-  o Minor bugfixes:
-
-    - Don't serve or accept v2 hidden service descriptors over a
-      relay's DirPort. It's never correct to do so, and disabling it
-      might make it more annoying to exploit any bugs that turn up in the
-      descriptor-parsing code. Fixes bug 7149.
-
diff --git a/changes/dropped_openssl_vers b/changes/dropped_openssl_vers
deleted file mode 100644
index dc79d5e3ff..0000000000
--- a/changes/dropped_openssl_vers
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Required libraries:
-    - Tor now requires OpenSSL 0.9.8 or later; OpenSSL 1.0.0 or later is
-      strongly recommended.
diff --git a/changes/src_ext b/changes/src_ext
deleted file mode 100644
index a1b2a2198f..0000000000
--- a/changes/src_ext
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Code refactoring:
-    - Source files taken from other packages now reside in src/ext;
-      previously they were scattered around the rest of Tor.
diff --git a/changes/ticket5749 b/changes/ticket5749
deleted file mode 100644
index 0237241981..0000000000
--- a/changes/ticket5749
+++ /dev/null
@@ -1,3 +0,0 @@
-  o New directory authorities:
-    - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
-      authority. Closes ticket 5749.
diff --git a/changes/ticket6997 b/changes/ticket6997
deleted file mode 100644
index 0a33b37552..0000000000
--- a/changes/ticket6997
+++ /dev/null
@@ -1,2 +0,0 @@
-  o Minor bugfixes:
-    - Command-line option "--version" implies "--quiet". Closes ticket #6997.
diff --git a/changes/warn-about-hses-without-guards b/changes/warn-about-hses-without-guards
deleted file mode 100644
index 57b8b4d00f..0000000000
--- a/changes/warn-about-hses-without-guards
+++ /dev/null
@@ -1,8 +0,0 @@
-  o Minor features:
-
-    - Warn users who run hidden services on a Tor client with
-      UseEntryGuards disabled that their hidden services will be
-      vulnerable to http://freehaven.net/anonbib/#hs-attack06 (the
-      attack which motivated Tor to support entry guards in the first
-      place).  Fixes bug 6889.
-