start a new 029 changelog

created by catting all the changes/ files together, then
overwriting each entry with how it was written in a later
release, then running the format_changelog.py script

hopefully this will save nickm a bit of time -- if not feel free
to overwrite. :)

28 files changed, 147 insertions, 147 deletions

diff --git a/ChangeLog b/ChangeLog
index 5c565fb36b..e7bbe27051 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,150 @@
+Changes in version 0.2.9.15 - 2018-03-xx
+  Tor 0.2.9.15 backports important security and stability bugfixes from
+  later Tor releases. All Tor users should upgrade to this release, or
+  to another of the releases coming out today.
+
+  o Major features (denial-of-service mitigation):
+    - Give relays some defenses against the recent network overload. We
+      start with three defenses (default parameters in parentheses).
+      First: if a single client address makes too many concurrent
+      connections (>100), hang up on further connections. Second: if a
+      single client address makes circuits too quickly (more than 3 per
+      second, with an allowed burst of 90) while also having too many
+      connections open (3), refuse new create cells for the next while
+      (1-2 hours). Third: if a client asks to establish a rendezvous
+      point to you directly, ignore the request. These defenses can be
+      manually controlled by new torrc options, but relays will also
+      take guidance from consensus parameters, so there's no need to
+      configure anything manually. Implements ticket 24902.
+
+  o Major bugfixes (bootstrapping):
+    - Fetch descriptors aggressively whenever we lack enough to build
+      circuits, regardless of how many descriptors we are missing.
+      Previously, we would delay launching the fetch when we had fewer
+      than 15 missing descriptors, even if some of those descriptors
+      were blocking circuits from building. Fixes bug 23985; bugfix on
+      0.1.1.11-alpha. The effects of this bug became worse in
+      0.3.0.3-alpha, when we began treating missing descriptors from our
+      primary guards as a reason to delay circuits.
+
+  o Major bugfixes (onion services, retry behavior):
+    - Fix an "off by 2" error in counting rendezvous failures on the
+      onion service side. While we thought we would stop the rendezvous
+      attempt after one failed circuit, we were actually making three
+      circuit attempts before giving up. Now switch to a default of 2,
+      and allow the consensus parameter "hs_service_max_rdv_failures" to
+      override. Fixes bug 24895; bugfix on 0.0.6.
+
+  o Minor feature (relay statistics):
+    - Change relay bandwidth reporting stats interval from 4 hours to 24
+      hours in order to reduce the efficiency of guard discovery
+      attacks. Fixes ticket 23856.
+
+  o Minor features (compatibility, OpenSSL):
+    - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
+      Previous versions of Tor would not have worked with OpenSSL 1.1.1,
+      since they neither disabled TLS 1.3 nor enabled any of the
+      ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites.
+      Closes ticket 24978.
+
+  o Minor features (denial-of-service avoidance):
+    - Make our OOM handler aware of the geoip client history cache so it
+      doesn't fill up the memory. This check is important for IPv6 and
+      our DoS mitigation subsystem. Closes ticket 25122.
+
+  o Minor features (fallback directory mirrors):
+    - The fallback directory list has been re-generated based on the
+      current status of the network. Tor uses fallback directories to
+      bootstrap when it doesn't yet have up-to-date directory
+      information. Closes ticket 24801.
+    - Make the default DirAuthorityFallbackRate 0.1, so that clients
+      prefer to bootstrap from fallback directory mirrors. This is a
+      follow-up to 24679, which removed weights from the default
+      fallbacks. Implements ticket 24681.
+
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
+      Country database.
+
+  o Minor features (linux seccomp2 sandbox):
+    - Update the sandbox rules so that they should now work correctly
+      with Glibc 2.26. Closes ticket 24315.
+
+  o Minor bugfix (channel connection):
+    - Use the actual observed address of an incoming relay connection,
+      not the canonical address of the relay from its descriptor, when
+      making decisions about how to handle the incoming connection.
+      Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
+
+  o Minor bugfix (directory authority):
+    - Directory authorities, when refusing a descriptor from a rejected
+      relay, now explicitly tell the relay (in its logs) to set a valid
+      ContactInfo address and contact the bad-relays@ mailing list.
+      Fixes bug 25170; bugfix on 0.2.9.1.
+
+  o Minor bugfixes (address selection):
+    - When the fascist_firewall_choose_address_ functions don't find a
+      reachable address, set the returned address to the null address
+      and port. This is a precautionary measure, because some callers do
+      not check the return value. Fixes bug 24736; bugfix
+      on 0.2.8.2-alpha.
+
+  o Minor bugfixes (compilation):
+    - Fix a signed/unsigned comparison warning introduced by our fix to
+      TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
+
+  o Minor bugfixes (control port, linux seccomp2 sandbox):
+    - Avoid a crash when attempting to use the seccomp2 sandbox together
+      with the OwningControllerProcess feature. Fixes bug 24198; bugfix
+      on 0.2.5.1-alpha.
+
+  o Minor bugfixes (memory usage):
+    - When queuing DESTROY cells on a channel, only queue the circuit-id
+      and reason fields: not the entire 514-byte cell. This fix should
+      help mitigate any bugs or attacks that fill up these queues, and
+      free more RAM for other uses. Fixes bug 24666; bugfix
+      on 0.2.5.1-alpha.
+
+  o Minor bugfixes (network layer):
+    - When closing a connection via close_connection_immediately(), we
+      mark it as "not blocked on bandwidth", to prevent later calls from
+      trying to unblock it, and give it permission to read. This fixes a
+      backtrace warning that can happen on relays under various
+      circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
+
+  o Minor bugfixes (OSX):
+    - Don't exit the Tor process if setrlimit() fails to change the file
+      limit (which can happen sometimes on some versions of OSX). Fixes
+      bug 21074; bugfix on 0.0.9pre5.
+
+  o Minor bugfixes (path selection):
+    - When selecting relays by bandwidth, avoid a rounding error that
+      could sometimes cause load to be imbalanced incorrectly.
+      Previously, we would always round upwards; now, we round towards
+      the nearest integer. This had the biggest effect when a relay's
+      weight adjustments should have given it weight 0, but it got
+      weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
+    - When calculating the fraction of nodes that have descriptors, and
+      all nodes in the network have zero bandwidths, count the number of
+      nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
+    - Actually log the total bandwidth in compute_weighted_bandwidths().
+      Fixes bug 24170; bugfix on 0.2.4.3-alpha.
+
+  o Minor bugfixes (portability, msvc):
+    - Fix a bug in the bit-counting parts of our timing-wheel code on
+      MSVC. (Note that MSVC is still not a supported build platform, due
+      to cryptographic timing channel risks.) Fixes bug 24633; bugfix
+      on 0.2.9.1-alpha.
+
+  o Minor bugfixes (relay):
+    - Make the internal channel_is_client() function look at what sort
+      of connection handshake the other side used, rather than whether
+      the other side ever sent a create_fast cell to us. Backports part
+      of the fixes from bugs 22805 and 24898.
+
+
 Changes in version 0.2.9.14 - 2017-12-01
-  Tor 0.3.0.13 backports important security and stability bugfixes from
+  Tor 0.2.9.14 backports important security and stability bugfixes from
   later Tor releases. All Tor users should upgrade to this release, or
   to another of the releases coming out today.
 
diff --git a/ReleaseNotes b/ReleaseNotes
index 3253bd2bab..e691e092bb 100644
--- a/ReleaseNotes
+++ b/ReleaseNotes
@@ -3,7 +3,7 @@ of Tor. If you want to see more detailed descriptions of the changes in
 each development snapshot, see the ChangeLog file.
 
 Changes in version 0.2.9.14 - 2017-12-01
-  Tor 0.3.0.13 backports important security and stability bugfixes from
+  Tor 0.2.9.14 backports important security and stability bugfixes from
   later Tor releases. All Tor users should upgrade to this release, or
   to another of the releases coming out today.
 
diff --git a/changes/bug21074_downgrade b/changes/bug21074_downgrade
deleted file mode 100644
index 1bc1f8523a..0000000000
--- a/changes/bug21074_downgrade
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (portability):
-    - Don't exit the Tor process if setrlimit() fails to change the file
-      limit (which can happen sometimes on some versions of OSX). Fixes
-      bug 21074; bugfix on 0.0.9pre5.
diff --git a/changes/bug23318 b/changes/bug23318
deleted file mode 100644
index 7fcb8d4487..0000000000
--- a/changes/bug23318
+++ /dev/null
@@ -1,11 +0,0 @@
-  o Minor bugfixes (path selection):
-    - When selecting relays by bandwidth, avoid a rounding error that
-      could sometimes cause load to be imbalanced incorrectly. Previously,
-      we would always round upwards; now, we round towards the nearest
-      integer.  This had the biggest effect when a relay's weight adjustments
-      should have given it weight 0, but it got weight 1 instead.
-      Fixes bug 23318; bugfix on 0.2.4.3-alpha.
-    - When calculating the fraction of nodes that have descriptors, and all
-      all nodes in the network have zero bandwidths, count the number of nodes
-      instead.
-      Fixes bug 23318; bugfix on 0.2.4.10-alpha.
diff --git a/changes/bug23985 b/changes/bug23985
deleted file mode 100644
index 9cb5937962..0000000000
--- a/changes/bug23985
+++ /dev/null
@@ -1,9 +0,0 @@
-  o Minor bugfixes (bootstrapping):
-    - Fetch descriptors aggressively whenever we lack enough
-      to build circuits, regardless of how many descriptors we are missing.
-      Previously, we would delay launching the fetch when we had fewer than
-      15 missing descriptors, even if some of those descriptors were
-      blocking circuits from building. Fixes bug 23985; bugfix on
-      0.1.1.11-alpha. The effects of this bug became worse in 0.3.0.3-alpha,
-      when we began treating missing descriptors from our primary guards
-      as a reason to delay circuits.
diff --git a/changes/bug24167 b/changes/bug24167
deleted file mode 100644
index fd0d87efff..0000000000
--- a/changes/bug24167
+++ /dev/null
@@ -1,7 +0,0 @@
-  o Minor bugfixes (network layer):
-    - When closing a connection via close_connection_immediately(), we
-      mark it as "not blocked on bandwidth", to prevent later calls
-      from trying to unblock it, and give it permission to read. This
-      fixes a backtrace warning that can happen on relays under various
-      circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
-
diff --git a/changes/bug24170 b/changes/bug24170
deleted file mode 100644
index d3d7347693..0000000000
--- a/changes/bug24170
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (path selection):
-    - Actually log the total bandwidth in compute_weighted_bandwidths().
-      Fixes bug 24170; bugfix on 0.2.4.3-alpha.
diff --git a/changes/bug24198 b/changes/bug24198
deleted file mode 100644
index 6790706872..0000000000
--- a/changes/bug24198
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (controller, linux seccomp2 sandbox):
-    - Avoid a crash when attempting to use the seccomp2 sandbox
-      together with the OwningControllerProcess feature.
-      Fixes bug 24198; bugfix on 0.2.5.1-alpha.
diff --git a/changes/bug24480 b/changes/bug24480
deleted file mode 100644
index 94e5b91a0c..0000000000
--- a/changes/bug24480
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix a signed/unsigned comparison warning introduced by our
-      fix to TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
diff --git a/changes/bug24633 b/changes/bug24633
deleted file mode 100644
index 028c7cc143..0000000000
--- a/changes/bug24633
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfixes (portability, msvc):
-    - Fix a bug in the bit-counting parts of our timing-wheel code on
-      MSVC. (Note that MSVC is still not a supported build platform,
-      due to cyptographic timing channel risks.) Fixes bug 24633;
-      bugfix on 0.2.9.1-alpha.
diff --git a/changes/bug24666 b/changes/bug24666
deleted file mode 100644
index 830775f5f6..0000000000
--- a/changes/bug24666
+++ /dev/null
@@ -1,7 +0,0 @@
-  o Minor bugfixes (memory usage):
-
-    - When queuing DESTROY cells on a channel, only queue the
-      circuit-id and reason fields: not the entire 514-byte
-      cell. This fix should help mitigate any bugs or attacks that
-      fill up these queues, and free more RAM for other uses. Fixes
-      bug 24666; bugfix on 0.2.5.1-alpha.
diff --git a/changes/bug24736 b/changes/bug24736
deleted file mode 100644
index 632560932a..0000000000
--- a/changes/bug24736
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes (address selection):
-    - When the fascist_firewall_choose_address_ functions don't find a
-      reachable address, set the returned address to the null address and port.
-      This is a precautionary measure, because some callers do not check the
-      return value.
-      Fixes bug 24736; bugfix on 0.2.8.2-alpha.
diff --git a/changes/bug24895 b/changes/bug24895
deleted file mode 100644
index 7edde94a0b..0000000000
--- a/changes/bug24895
+++ /dev/null
@@ -1,8 +0,0 @@
-  o Major bugfixes (onion services):
-    - Fix an "off by 2" error in counting rendezvous failures on the onion
-      service side. While we thought we would stop the rendezvous attempt
-      after one failed circuit, we were actually making three circuit attempts
-      before giving up. Now switch to a default of 2, and allow the consensus
-      parameter "hs_service_max_rdv_failures" to override. Fixes bug 24895;
-      bugfix on 0.0.6.
-
diff --git a/changes/bug24898-029 b/changes/bug24898-029
deleted file mode 100644
index b33f093841..0000000000
--- a/changes/bug24898-029
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor bugfixes (relay):
-    - Make the internal channel_is_client() function look at what sort
-      of connection handshake the other side used, rather than whether
-      the other side ever sent a create_fast cell to us. Backports part
-      of the fixes from bugs 22805 and 24898.
-
diff --git a/changes/bug24952 b/changes/bug24952
deleted file mode 100644
index 93174c04f5..0000000000
--- a/changes/bug24952
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfix (channel connection):
-    - The accurate address of a connection is real_addr, not the addr member.
-      TLS Channel remote address is now real_addr content instead of addr
-      member. Fixes bug 24952; bugfix on 707c1e2e26 in 0.2.4.11-alpha.
-      Patch by "ffmancera".
diff --git a/changes/bug24978 b/changes/bug24978
deleted file mode 100644
index 5dc45c7442..0000000000
--- a/changes/bug24978
+++ /dev/null
@@ -1,7 +0,0 @@
-  o Minor features (compatibility, OpenSSL):
-    - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
-      Previous versions of Tor would not have worked with OpenSSL
-      1.1.1, since they neither disabled TLS 1.3 nor enabled any of the
-      ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites.
-      Closes ticket 24978.
-
diff --git a/changes/bug25223 b/changes/bug25223
deleted file mode 100644
index fdd5563500..0000000000
--- a/changes/bug25223
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (DoS mitigation):
-    - Make sure we don't modify consensus parameters if we aren't a public
-      relay when a new consensus arrives. Fixes bug 25223; bugfix on
-      0.3.3.2-alpha.
diff --git a/changes/geoip-2017-12-06 b/changes/geoip-2017-12-06
deleted file mode 100644
index ae4fb1149f..0000000000
--- a/changes/geoip-2017-12-06
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2
-      Country database.
-
diff --git a/changes/geoip-2018-01-05 b/changes/geoip-2018-01-05
deleted file mode 100644
index 59aba02d09..0000000000
--- a/changes/geoip-2018-01-05
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
-      Country database.
-
diff --git a/changes/geoip-2018-02-07 b/changes/geoip-2018-02-07
deleted file mode 100644
index f45228fd76..0000000000
--- a/changes/geoip-2018-02-07
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
-      Country database.
-
diff --git a/changes/ticket23856 b/changes/ticket23856
deleted file mode 100644
index 049da18d06..0000000000
--- a/changes/ticket23856
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor feature (relay statistics): 
-    - Change relay bandwidth reporting stats interval from 4 hours to 24 hours
-      in order to reduce the efficiency of guard discovery attacks. Fixes
-      ticket 23856.
diff --git a/changes/ticket24315 b/changes/ticket24315
deleted file mode 100644
index df34dbf412..0000000000
--- a/changes/ticket24315
+++ /dev/null
@@ -1,3 +0,0 @@
-  o Major features (linux seccomp2 sandbox):
-    - Update the sandbox rules so that they should now work correctly with
-      Glibc 2.26.  Closes  ticket 24315.
diff --git a/changes/ticket24681 b/changes/ticket24681
deleted file mode 100644
index cc0a42b2e0..0000000000
--- a/changes/ticket24681
+++ /dev/null
@@ -1,6 +0,0 @@
-  o Minor features (fallback directory mirrors):
-    - Make the default DirAuthorityFallbackRate 0.1, so that clients on the
-      public tor network prefer to bootstrap off fallback directory mirrors.
-      This is a follow-up to 24679, which removed weights from the default
-      fallbacks.
-      Implements ticket 24681.
diff --git a/changes/ticket24902 b/changes/ticket24902
deleted file mode 100644
index 1a2ef95cc9..0000000000
--- a/changes/ticket24902
+++ /dev/null
@@ -1,13 +0,0 @@
-  o Major features (denial of service mitigation):
-    - Give relays some defenses against the recent network overload. We start
-      with three defenses (default parameters in parentheses). First: if a
-      single client address makes too many concurrent connections (>100), hang
-      up on further connections. Second: if a single client address makes
-      circuits too quickly (more than 3 per second, with an allowed burst of
-      90) while also having too many connections open (3), refuse new create
-      cells for the next while (1-2 hours). Third: if a client asks to
-      establish a rendezvous point to you directly, ignore the request. These
-      defenses can be manually controlled by new torrc options, but relays
-      will also take guidance from consensus parameters, so there's no need to
-      configure anything manually. Implements ticket 24902.
-
diff --git a/changes/ticket25122 b/changes/ticket25122
deleted file mode 100644
index 2921811b22..0000000000
--- a/changes/ticket25122
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor feature (geoip cache):
-    - Make our OOM handler aware of the geoip client history cache so it
-      doesn't fill up the memory which is especially important for IPv6 and
-      our DoS mitigation subsystem. Closes ticket 25122.
diff --git a/changes/ticket25170 b/changes/ticket25170
deleted file mode 100644
index 0652139400..0000000000
--- a/changes/ticket25170
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor bugfix (directory authority, documentation):
-    - When a fingerprint or network address is marked as rejected, the
-      returned message by the authority now explicitly mention to set a valid
-      ContactInfo address and contact the bad-relays@ mailing list. Fixes bug
-      25170; bugfix on 0.2.9.1.
diff --git a/changes/ticket25202 b/changes/ticket25202
deleted file mode 100644
index ba64abad7b..0000000000
--- a/changes/ticket25202
+++ /dev/null
@@ -1,4 +0,0 @@
-  o Minor bugfixes (DoS mitigation):
-    - Add extra safety checks when refilling the circuit creation bucket to
-      ensure we never set a value that is above the allowed burst. Fixes
-      bug 25202; bugfix on 0.3.3.2-alpha.
diff --git a/changes/ticket_24801 b/changes/ticket_24801
deleted file mode 100644
index f5f6c831af..0000000000
--- a/changes/ticket_24801
+++ /dev/null
@@ -1,5 +0,0 @@
-  o Minor features (new fallback directories):
-    - The fallback directory list has been re-generated based on the
-      current status of the network. Tor uses fallback directories to
-      bootstrap it doesn't yet have up-to-date directory
-      information. Closes ticket 24801.