sort recent changelog stanzas by release date

2 files changed, 450 insertions, 450 deletions

diff --git a/ChangeLog b/ChangeLog
index a061775812..d1bc48dc0c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -150,100 +150,6 @@ Changes in version 0.4.7.2-alpha - 2021-10-26
       ticket 40485.
 
 
-Changes in version 0.4.7.1-alpha - 2021-09-17
-  This version is the first alpha release of the 0.4.7.x series. One
-  major feature is Vanguards Lite, from proposal 333, to help mitigate
-  guard discovery attacks against onion services. It also includes
-  numerous bugfixes.
-
-  o Major features (Proposal 332, onion services, guard selection algorithm):
-    - Clients and onion services now choose four long-lived "layer 2"
-      guard relays for use as the middle hop in all onion circuits.
-      These relays are kept in place for a randomized duration averaging
-      1 week. This mitigates guard discovery attacks against clients and
-      short-lived onion services such as OnionShare. Long-lived onion
-      services that need high security should still use the Vanguards
-      addon (https://github.com/mikeperry-tor/vanguards). Closes ticket
-      40363; implements proposal 333.
-
-  o Minor features (bridge testing support):
-    - Let external bridge reachability testing tools discard cached
-      bridge descriptors when setting new bridges, so they can be sure
-      to get a clean reachability test. Implements ticket 40209.
-
-  o Minor features (fuzzing):
-    - When building with --enable-libfuzzer, use a set of compiler flags
-      that works with more recent versions of the library. Previously we
-      were using a set of flags from 2017. Closes ticket 40407.
-
-  o Minor features (testing configuration):
-    - When TestingTorNetwork is enabled, skip the permissions check on
-      hidden service directories. Closes ticket 40338.
-    - On a testing network, relays can now use the
-      TestingMinTimeToReportBandwidth option to change the smallest
-      amount of time over which they're willing to report their observed
-      maximum bandwidth. Previously, this was fixed at 1 day. For
-      safety, values under 2 hours are only supported on testing
-      networks. Part of a fix for ticket 40337.
-    - Relays on testing networks no longer rate-limit how frequently
-      they are willing to report new bandwidth measurements. Part of a
-      fix for ticket 40337.
-    - Relays on testing networks now report their observed bandwidths
-      immediately from startup. Previously, they waited until they had
-      been running for a full day. Closes ticket 40337.
-
-  o Minor bugfixes (circuit padding):
-    - Don't send STOP circuit padding cells when the other side has
-      already shut down the corresponding padding machine. Fixes bug
-      40435; bugfix on 0.4.0.1-alpha.
-
-  o Minor bugfixes (compatibility):
-    - Fix compatibility with the most recent Libevent versions, which no
-      longer have an evdns_set_random_bytes() function. Because this
-      function has been a no-op since Libevent 2.0.4-alpha, it is safe
-      for us to just stop calling it. Fixes bug 40371; bugfix
-      on 0.2.1.7-alpha.
-
-  o Minor bugfixes (control, sandbox):
-    - Allows the control command SAVECONF to succeed when the seccomp
-      sandbox is enabled. Makes SAVECONF keep only one backup file, to
-      simplify implementation. Fixes bug 40317; bugfix on 0.2.5.4-alpha.
-      Patch by Daniel Pinto.
-
-  o Minor bugfixes (heartbeat):
-    - Adjust the heartbeat log message about distinct clients to
-      consider the HeartbeatPeriod rather than a flat 6-hour delay.
-      Fixes bug 40330; bugfix on 0.2.6.3-alpha.
-
-  o Minor bugfixes (logging, relay):
-    - Add spaces between the "and" when logging the "Your server has not
-      managed to confirm reachability for its" on dual-stack relays.
-      Fixes bug 40453; bugfix on 0.4.5.1-alpha. Patch by Neel Chauhan.
-
-  o Minor bugfixes (onion service):
-    - Do not flag an HSDir as non-running in case the descriptor upload
-      or fetch fails. An onion service closes pending directory
-      connections before uploading a new descriptor which leads to
-      wrongly flagging many relays and thus affecting circuit path
-      selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
-
-  o Minor bugfixes (statistics):
-    - Fix a fencepost issue when we check stability_last_downrated where
-      we called rep_hist_downrate_old_runs() twice. Fixes bug 40394;
-      bugfix on 0.2.0.5-alpha. Patch by Neel Chauhan.
-
-  o Minor bugfixes (tests):
-    - Fix a bug that prevented some tests from running with the correct
-      names. Fixes bug 40365; bugfix on 0.4.3.1-alpha.
-
-  o Documentation:
-    - Add links to original tor design paper and anonbib to
-      docs/HACKING/README.1st.md. Closes ticket 33742. Patch from
-      Emily Bones.
-    - Describe the "fingerprint-ed25519" file in the tor.1 man page.
-      Fixes bug 40467; bugfix on 0.4.3.1-alpha. Patch by Neel Chauhan.
-
-
 Changes in version 0.4.6.8 - 2021-10-26
   This version fixes several bugs from earlier versions of Tor. One
   highlight is a fix on how we track DNS timeouts to report general
@@ -303,52 +209,6 @@ Changes in version 0.4.6.8 - 2021-10-26
       Fixes bug 40474; bugfix on 0.4.5.8.
 
 
-Changes in version 0.4.6.7 - 2021-08-16
-  This version fixes several bugs from earlier versions of Tor,
-  including one that could lead to a denial-of-service attack. Everyone
-  running an earlier version, whether as a client, a relay, or an onion
-  service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
-
-  o Major bugfixes (cryptography, security):
-    - Resolve an assertion failure caused by a behavior mismatch between
-      our batch-signature verification code and our single-signature
-      verification code. This assertion failure could be triggered
-      remotely, leading to a denial of service attack. We fix this issue
-      by disabling batch verification. Fixes bug 40078; bugfix on
-      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
-      CVE-2021-38385. Found by Henry de Valence.
-
-  o Minor feature (fallbackdir):
-    - Regenerate fallback directories list. Close ticket 40447.
-
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database, as
-      retrieved on 2021/08/12.
-
-  o Minor bugfix (crypto):
-    - Disable the unused batch verification feature of ed25519-donna.
-      Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry
-      de Valence.
-
-  o Minor bugfixes (onion service):
-    - Send back the extended SOCKS error 0xF6 (Onion Service Invalid
-      Address) for a v2 onion address. Fixes bug 40421; bugfix
-      on 0.4.6.2-alpha.
-
-  o Minor bugfixes (relay):
-    - Reduce the compression level for data streaming from HIGH to LOW
-      in order to reduce CPU load on the directory relays. Fixes bug
-      40301; bugfix on 0.3.5.1-alpha.
-
-  o Minor bugfixes (timekeeping):
-    - Calculate the time of day correctly on systems where the time_t
-      type includes leap seconds. (This is not the case on most
-      operating systems, but on those where it occurs, our tor_timegm
-      function did not correctly invert the system's gmtime function,
-      which could result in assertion failures when calculating voting
-      schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.
-
-
 Changes in version 0.4.5.11 - 2021-10-26
   The major change in this version is that v2 onion services are now
   disabled at the client, service, and relay: any Tor nodes running this
@@ -430,6 +290,183 @@ Changes in version 0.4.5.11 - 2021-10-26
       Fixes bug 40474; bugfix on 0.4.5.8.
 
 
+Changes in version 0.3.5.17 - 2021-10-26
+  The major change in this version is that v2 onion services are now
+  disabled at the client, service, and relay: any Tor nodes running this
+  version and onward will stop supporting v2 onion services. This is the
+  last step in the long deprecation process of v2 onion services.
+  Everyone running an earlier version, whether as a client, a relay, or
+  an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11,
+  or 0.4.6.8.
+
+  o Major feature (onion service v2, backport from 0.4.5.11):
+    - See https://blog.torproject.org/v2-deprecation-timeline for
+      details on how to transition from v2 to v3.
+    - The control port commands HSFETCH and HSPOST no longer allow
+      version 2, and it is no longer possible to create a v2 service
+      with ADD_ONION.
+    - Tor no longer allows creating v2 services, or connecting as a
+      client to a v2 service. Relays will decline to be a v2 HSDir or
+      introduction point. This effectively disables onion service
+      version 2 Tor-wide. Closes ticket 40476.
+
+  o Minor features (bridge, backport from 0.4.6.8):
+    - We now announce the URL to Tor's new bridge status at
+      https://bridges.torproject.org/ when Tor is configured to run as a
+      bridge relay. Closes ticket 30477.
+
+  o Minor features (fallbackdir):
+    - Regenerate fallback directories for October 2021. Closes
+      ticket 40493.
+
+  o Minor bugfixes (compatibility, backport from 0.4.6.8):
+    - Fix compatibility with the most recent Libevent versions, which no
+      longer have an evdns_set_random_bytes() function. Because this
+      function has been a no-op since Libevent 2.0.4-alpha, it is safe
+      for us to just stop calling it. Fixes bug 40371; bugfix
+      on 0.2.1.7-alpha.
+
+
+Changes in version 0.4.7.1-alpha - 2021-09-17
+  This version is the first alpha release of the 0.4.7.x series. One
+  major feature is Vanguards Lite, from proposal 333, to help mitigate
+  guard discovery attacks against onion services. It also includes
+  numerous bugfixes.
+
+  o Major features (Proposal 332, onion services, guard selection algorithm):
+    - Clients and onion services now choose four long-lived "layer 2"
+      guard relays for use as the middle hop in all onion circuits.
+      These relays are kept in place for a randomized duration averaging
+      1 week. This mitigates guard discovery attacks against clients and
+      short-lived onion services such as OnionShare. Long-lived onion
+      services that need high security should still use the Vanguards
+      addon (https://github.com/mikeperry-tor/vanguards). Closes ticket
+      40363; implements proposal 333.
+
+  o Minor features (bridge testing support):
+    - Let external bridge reachability testing tools discard cached
+      bridge descriptors when setting new bridges, so they can be sure
+      to get a clean reachability test. Implements ticket 40209.
+
+  o Minor features (fuzzing):
+    - When building with --enable-libfuzzer, use a set of compiler flags
+      that works with more recent versions of the library. Previously we
+      were using a set of flags from 2017. Closes ticket 40407.
+
+  o Minor features (testing configuration):
+    - When TestingTorNetwork is enabled, skip the permissions check on
+      hidden service directories. Closes ticket 40338.
+    - On a testing network, relays can now use the
+      TestingMinTimeToReportBandwidth option to change the smallest
+      amount of time over which they're willing to report their observed
+      maximum bandwidth. Previously, this was fixed at 1 day. For
+      safety, values under 2 hours are only supported on testing
+      networks. Part of a fix for ticket 40337.
+    - Relays on testing networks no longer rate-limit how frequently
+      they are willing to report new bandwidth measurements. Part of a
+      fix for ticket 40337.
+    - Relays on testing networks now report their observed bandwidths
+      immediately from startup. Previously, they waited until they had
+      been running for a full day. Closes ticket 40337.
+
+  o Minor bugfixes (circuit padding):
+    - Don't send STOP circuit padding cells when the other side has
+      already shut down the corresponding padding machine. Fixes bug
+      40435; bugfix on 0.4.0.1-alpha.
+
+  o Minor bugfixes (compatibility):
+    - Fix compatibility with the most recent Libevent versions, which no
+      longer have an evdns_set_random_bytes() function. Because this
+      function has been a no-op since Libevent 2.0.4-alpha, it is safe
+      for us to just stop calling it. Fixes bug 40371; bugfix
+      on 0.2.1.7-alpha.
+
+  o Minor bugfixes (control, sandbox):
+    - Allows the control command SAVECONF to succeed when the seccomp
+      sandbox is enabled. Makes SAVECONF keep only one backup file, to
+      simplify implementation. Fixes bug 40317; bugfix on 0.2.5.4-alpha.
+      Patch by Daniel Pinto.
+
+  o Minor bugfixes (heartbeat):
+    - Adjust the heartbeat log message about distinct clients to
+      consider the HeartbeatPeriod rather than a flat 6-hour delay.
+      Fixes bug 40330; bugfix on 0.2.6.3-alpha.
+
+  o Minor bugfixes (logging, relay):
+    - Add spaces between the "and" when logging the "Your server has not
+      managed to confirm reachability for its" on dual-stack relays.
+      Fixes bug 40453; bugfix on 0.4.5.1-alpha. Patch by Neel Chauhan.
+
+  o Minor bugfixes (onion service):
+    - Do not flag an HSDir as non-running in case the descriptor upload
+      or fetch fails. An onion service closes pending directory
+      connections before uploading a new descriptor which leads to
+      wrongly flagging many relays and thus affecting circuit path
+      selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
+
+  o Minor bugfixes (statistics):
+    - Fix a fencepost issue when we check stability_last_downrated where
+      we called rep_hist_downrate_old_runs() twice. Fixes bug 40394;
+      bugfix on 0.2.0.5-alpha. Patch by Neel Chauhan.
+
+  o Minor bugfixes (tests):
+    - Fix a bug that prevented some tests from running with the correct
+      names. Fixes bug 40365; bugfix on 0.4.3.1-alpha.
+
+  o Documentation:
+    - Add links to original tor design paper and anonbib to
+      docs/HACKING/README.1st.md. Closes ticket 33742. Patch from
+      Emily Bones.
+    - Describe the "fingerprint-ed25519" file in the tor.1 man page.
+      Fixes bug 40467; bugfix on 0.4.3.1-alpha. Patch by Neel Chauhan.
+
+
+Changes in version 0.4.6.7 - 2021-08-16
+  This version fixes several bugs from earlier versions of Tor,
+  including one that could lead to a denial-of-service attack. Everyone
+  running an earlier version, whether as a client, a relay, or an onion
+  service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
+
+  o Major bugfixes (cryptography, security):
+    - Resolve an assertion failure caused by a behavior mismatch between
+      our batch-signature verification code and our single-signature
+      verification code. This assertion failure could be triggered
+      remotely, leading to a denial of service attack. We fix this issue
+      by disabling batch verification. Fixes bug 40078; bugfix on
+      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
+      CVE-2021-38385. Found by Henry de Valence.
+
+  o Minor feature (fallbackdir):
+    - Regenerate fallback directories list. Close ticket 40447.
+
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database, as
+      retrieved on 2021/08/12.
+
+  o Minor bugfix (crypto):
+    - Disable the unused batch verification feature of ed25519-donna.
+      Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry
+      de Valence.
+
+  o Minor bugfixes (onion service):
+    - Send back the extended SOCKS error 0xF6 (Onion Service Invalid
+      Address) for a v2 onion address. Fixes bug 40421; bugfix
+      on 0.4.6.2-alpha.
+
+  o Minor bugfixes (relay):
+    - Reduce the compression level for data streaming from HIGH to LOW
+      in order to reduce CPU load on the directory relays. Fixes bug
+      40301; bugfix on 0.3.5.1-alpha.
+
+  o Minor bugfixes (timekeeping):
+    - Calculate the time of day correctly on systems where the time_t
+      type includes leap seconds. (This is not the case on most
+      operating systems, but on those where it occurs, our tor_timegm
+      function did not correctly invert the system's gmtime function,
+      which could result in assertion failures when calculating voting
+      schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.
+
+
 Changes in version 0.4.5.10 - 2021-08-16
   This version fixes several bugs from earlier versions of Tor,
   including one that could lead to a denial-of-service attack. Everyone
@@ -479,43 +516,6 @@ Changes in version 0.4.5.10 - 2021-08-16
       versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha.
 
 
-Changes in version 0.3.5.17 - 2021-10-26
-  The major change in this version is that v2 onion services are now
-  disabled at the client, service, and relay: any Tor nodes running this
-  version and onward will stop supporting v2 onion services. This is the
-  last step in the long deprecation process of v2 onion services.
-  Everyone running an earlier version, whether as a client, a relay, or
-  an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11,
-  or 0.4.6.8.
-
-  o Major feature (onion service v2, backport from 0.4.5.11):
-    - See https://blog.torproject.org/v2-deprecation-timeline for
-      details on how to transition from v2 to v3.
-    - The control port commands HSFETCH and HSPOST no longer allow
-      version 2, and it is no longer possible to create a v2 service
-      with ADD_ONION.
-    - Tor no longer allows creating v2 services, or connecting as a
-      client to a v2 service. Relays will decline to be a v2 HSDir or
-      introduction point. This effectively disables onion service
-      version 2 Tor-wide. Closes ticket 40476.
-
-  o Minor features (bridge, backport from 0.4.6.8):
-    - We now announce the URL to Tor's new bridge status at
-      https://bridges.torproject.org/ when Tor is configured to run as a
-      bridge relay. Closes ticket 30477.
-
-  o Minor features (fallbackdir):
-    - Regenerate fallback directories for October 2021. Closes
-      ticket 40493.
-
-  o Minor bugfixes (compatibility, backport from 0.4.6.8):
-    - Fix compatibility with the most recent Libevent versions, which no
-      longer have an evdns_set_random_bytes() function. Because this
-      function has been a no-op since Libevent 2.0.4-alpha, it is safe
-      for us to just stop calling it. Fixes bug 40371; bugfix
-      on 0.2.1.7-alpha.
-
-
 Changes in version 0.3.5.16 - 2021-08-16
   This version fixes several bugs from earlier versions of Tor,
   including one that could lead to a denial-of-service attack. Everyone
diff --git a/ReleaseNotes b/ReleaseNotes
index 73c351fa83..8401162ebe 100644
--- a/ReleaseNotes
+++ b/ReleaseNotes
@@ -61,54 +61,6 @@ Changes in version 0.4.6.8 - 2021-10-26
       Fixes bug 40474; bugfix on 0.4.5.8.
 
 
-Changes in version 0.4.6.7 - 2021-08-16
-  This version fixes several bugs from earlier versions of Tor, including one
-  that could lead to a denial-of-service attack. Everyone running an earlier
-  version, whether as a client, a relay, or an onion service, should upgrade
-  to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
-
-  o Major bugfixes (cryptography, security):
-    - Resolve an assertion failure caused by a behavior mismatch between our
-      batch-signature verification code and our single-signature verification
-      code. This assertion failure could be triggered remotely, leading to a
-      denial of service attack. We fix this issue by disabling batch
-      verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is
-      also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de
-      Valence.
-
-  o Minor feature (fallbackdir):
-    - Regenerate fallback directories list. Close ticket 40447.
-
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database,
-      as retrieved on 2021/08/12.
-
-  o Minor bugfix (crypto):
-    - Disable the unused batch verification feature of ed25519-donna. Fixes
-      bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
-
-  o Minor bugfixes (onion service):
-    - Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address)
-      for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha.
-
-  o Minor bugfix (CI, onion service):
-    - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
-      bugfix on 0.3.2.1-alpha.
-
-  o Minor bugfixes (relay):
-    - Reduce the compression level for data streaming from HIGH to LOW in
-      order to reduce CPU load on the directory relays. Fixes bug 40301;
-      bugfix on 0.3.5.1-alpha.
-
-  o Minor bugfixes (timekeeping):
-    - Calculate the time of day correctly on systems where the time_t
-      type includes leap seconds. (This is not the case on most
-      operating systems, but on those where it occurs, our tor_timegm
-      function did not correctly invert the system's gmtime function,
-      which could result in assertion failures when calculating
-      voting schedules.)  Fixes bug 40383; bugfix on 0.2.0.3-alpha.
-
-
 Changes in version 0.4.5.11 - 2021-10-26
   The major change in this version is that v2 onion services are now
   disabled at the client, service, and relay: any Tor nodes running this
@@ -190,6 +142,91 @@ Changes in version 0.4.5.11 - 2021-10-26
       Fixes bug 40474; bugfix on 0.4.5.8.
 
 
+Changes in version 0.3.5.17 - 2021-10-26
+  The major change in this version is that v2 onion services are now
+  disabled at the client, service, and relay: any Tor nodes running this
+  version and onward will stop supporting v2 onion services. This is the
+  last step in the long deprecation process of v2 onion services.
+  Everyone running an earlier version, whether as a client, a relay, or
+  an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11,
+  or 0.4.6.8.
+
+  o Major feature (onion service v2, backport from 0.4.5.11):
+    - See https://blog.torproject.org/v2-deprecation-timeline for
+      details on how to transition from v2 to v3.
+    - The control port commands HSFETCH and HSPOST no longer allow
+      version 2, and it is no longer possible to create a v2 service
+      with ADD_ONION.
+    - Tor no longer allows creating v2 services, or connecting as a
+      client to a v2 service. Relays will decline to be a v2 HSDir or
+      introduction point. This effectively disables onion service
+      version 2 Tor-wide. Closes ticket 40476.
+
+  o Minor features (bridge, backport from 0.4.6.8):
+    - We now announce the URL to Tor's new bridge status at
+      https://bridges.torproject.org/ when Tor is configured to run as a
+      bridge relay. Closes ticket 30477.
+
+  o Minor features (fallbackdir):
+    - Regenerate fallback directories for October 2021. Closes
+      ticket 40493.
+
+  o Minor bugfixes (compatibility, backport from 0.4.6.8):
+    - Fix compatibility with the most recent Libevent versions, which no
+      longer have an evdns_set_random_bytes() function. Because this
+      function has been a no-op since Libevent 2.0.4-alpha, it is safe
+      for us to just stop calling it. Fixes bug 40371; bugfix
+      on 0.2.1.7-alpha.
+
+
+Changes in version 0.4.6.7 - 2021-08-16
+  This version fixes several bugs from earlier versions of Tor, including one
+  that could lead to a denial-of-service attack. Everyone running an earlier
+  version, whether as a client, a relay, or an onion service, should upgrade
+  to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
+
+  o Major bugfixes (cryptography, security):
+    - Resolve an assertion failure caused by a behavior mismatch between our
+      batch-signature verification code and our single-signature verification
+      code. This assertion failure could be triggered remotely, leading to a
+      denial of service attack. We fix this issue by disabling batch
+      verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is
+      also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de
+      Valence.
+
+  o Minor feature (fallbackdir):
+    - Regenerate fallback directories list. Close ticket 40447.
+
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database,
+      as retrieved on 2021/08/12.
+
+  o Minor bugfix (crypto):
+    - Disable the unused batch verification feature of ed25519-donna. Fixes
+      bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
+
+  o Minor bugfixes (onion service):
+    - Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address)
+      for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha.
+
+  o Minor bugfix (CI, onion service):
+    - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
+      bugfix on 0.3.2.1-alpha.
+
+  o Minor bugfixes (relay):
+    - Reduce the compression level for data streaming from HIGH to LOW in
+      order to reduce CPU load on the directory relays. Fixes bug 40301;
+      bugfix on 0.3.5.1-alpha.
+
+  o Minor bugfixes (timekeeping):
+    - Calculate the time of day correctly on systems where the time_t
+      type includes leap seconds. (This is not the case on most
+      operating systems, but on those where it occurs, our tor_timegm
+      function did not correctly invert the system's gmtime function,
+      which could result in assertion failures when calculating
+      voting schedules.)  Fixes bug 40383; bugfix on 0.2.0.3-alpha.
+
+
 Changes in version 0.4.5.10 - 2021-08-16
   This version fixes several bugs from earlier versions of Tor, including one
   that could lead to a denial-of-service attack. Everyone running an earlier
@@ -237,43 +274,6 @@ Changes in version 0.4.5.10 - 2021-08-16
       of NSS.  Fixes bug 40409; bugfix on 0.3.5.1-alpha.
 
 
-Changes in version 0.3.5.17 - 2021-10-26
-  The major change in this version is that v2 onion services are now
-  disabled at the client, service, and relay: any Tor nodes running this
-  version and onward will stop supporting v2 onion services. This is the
-  last step in the long deprecation process of v2 onion services.
-  Everyone running an earlier version, whether as a client, a relay, or
-  an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11,
-  or 0.4.6.8.
-
-  o Major feature (onion service v2, backport from 0.4.5.11):
-    - See https://blog.torproject.org/v2-deprecation-timeline for
-      details on how to transition from v2 to v3.
-    - The control port commands HSFETCH and HSPOST no longer allow
-      version 2, and it is no longer possible to create a v2 service
-      with ADD_ONION.
-    - Tor no longer allows creating v2 services, or connecting as a
-      client to a v2 service. Relays will decline to be a v2 HSDir or
-      introduction point. This effectively disables onion service
-      version 2 Tor-wide. Closes ticket 40476.
-
-  o Minor features (bridge, backport from 0.4.6.8):
-    - We now announce the URL to Tor's new bridge status at
-      https://bridges.torproject.org/ when Tor is configured to run as a
-      bridge relay. Closes ticket 30477.
-
-  o Minor features (fallbackdir):
-    - Regenerate fallback directories for October 2021. Closes
-      ticket 40493.
-
-  o Minor bugfixes (compatibility, backport from 0.4.6.8):
-    - Fix compatibility with the most recent Libevent versions, which no
-      longer have an evdns_set_random_bytes() function. Because this
-      function has been a no-op since Libevent 2.0.4-alpha, it is safe
-      for us to just stop calling it. Fixes bug 40371; bugfix
-      on 0.2.1.7-alpha.
-
-
 Changes in version 0.3.5.16 - 2021-08-16
   This version fixes several bugs from earlier versions of Tor, including one
   that could lead to a denial-of-service attack. Everyone running an earlier
@@ -324,194 +324,6 @@ Changes in version 0.4.6.6 - 2021-06-30
       on 0.3.3.2-alpha.
 
 
-Changes in version 0.4.5.9 - 2021-06-14
-  Tor 0.4.5.9 fixes several security issues, including a
-  denial-of-service attack against onion service clients, and another
-  denial-of-service attack against relays. Everybody should upgrade to
-  one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
-
-  o Major bugfixes (security, backport from 0.4.6.5):
-    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
-      half-closed streams. Previously, clients failed to validate which
-      hop sent these cells: this would allow a relay on a circuit to end
-      a stream that wasn't actually built with it. Fixes bug 40389;
-      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
-      003 and CVE-2021-34548.
-
-  o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
-    - Detect more failure conditions from the OpenSSL RNG code.
-      Previously, we would detect errors from a missing RNG
-      implementation, but not failures from the RNG code itself.
-      Fortunately, it appears those failures do not happen in practice
-      when Tor is using OpenSSL's default RNG implementation. Fixes bug
-      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
-      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
-
-  o Major bugfixes (security, denial of service, backport from 0.4.6.5):
-    - Resist a hashtable-based CPU denial-of-service attack against
-      relays. Previously we used a naive unkeyed hash function to look
-      up circuits in a circuitmux object. An attacker could exploit this
-      to construct circuits with chosen circuit IDs, to create
-      collisions and make the hash table inefficient. Now we use a
-      SipHash construction here instead. Fixes bug 40391; bugfix on
-      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
-      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
-    - Fix an out-of-bounds memory access in v3 onion service descriptor
-      parsing. An attacker could exploit this bug by crafting an onion
-      service descriptor that would crash any client that tried to visit
-      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
-      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
-      Glazunov from Google's Project Zero.
-
-  o Minor features (compatibility, backport from 0.4.6.4-rc):
-    - Remove an assertion function related to TLS renegotiation. It was
-      used nowhere outside the unit tests, and it was breaking
-      compilation with recent alpha releases of OpenSSL 3.0.0. Closes
-      ticket 40399.
-
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database, as
-      retrieved on 2021/06/10.
-
-  o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc):
-    - Allow the control command SAVECONF to succeed when the seccomp
-      sandbox is enabled, and make SAVECONF keep only one backup file to
-      simplify implementation. Previously SAVECONF allowed a large
-      number of backup files, which made it incompatible with the
-      sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by
-      Daniel Pinto.
-
-  o Minor bugfixes (metrics port, backport from 0.4.6.4-rc):
-    - Fix a bug that made tor try to re-bind() on an already open
-      MetricsPort every 60 seconds. Fixes bug 40370; bugfix
-      on 0.4.5.1-alpha.
-
-
-Changes in version 0.4.4.9 - 2021-06-14
-  Tor 0.4.4.9 fixes several security issues, including a
-  denial-of-service attack against onion service clients, and another
-  denial-of-service attack against relays. Everybody should upgrade to
-  one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
-
-  Note that the scheduled end-of-life date for the Tor 0.4.4.x series is
-  June 15. This is therefore the last release in its series. Everybody
-  still running 0.4.4.x should plan to upgrade to 0.4.5.x or later.
-
-  o Major bugfixes (security, backport from 0.4.6.5):
-    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
-      half-closed streams. Previously, clients failed to validate which
-      hop sent these cells: this would allow a relay on a circuit to end
-      a stream that wasn't actually built with it. Fixes bug 40389;
-      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
-      003 and CVE-2021-34548.
-
-  o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
-    - Detect more failure conditions from the OpenSSL RNG code.
-      Previously, we would detect errors from a missing RNG
-      implementation, but not failures from the RNG code itself.
-      Fortunately, it appears those failures do not happen in practice
-      when Tor is using OpenSSL's default RNG implementation. Fixes bug
-      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
-      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
-
-  o Major bugfixes (security, denial of service, backport from 0.4.6.5):
-    - Resist a hashtable-based CPU denial-of-service attack against
-      relays. Previously we used a naive unkeyed hash function to look
-      up circuits in a circuitmux object. An attacker could exploit this
-      to construct circuits with chosen circuit IDs, to create
-      collisions and make the hash table inefficient. Now we use a
-      SipHash construction here instead. Fixes bug 40391; bugfix on
-      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
-      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
-    - Fix an out-of-bounds memory access in v3 onion service descriptor
-      parsing. An attacker could exploit this bug by crafting an onion
-      service descriptor that would crash any client that tried to visit
-      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
-      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
-      Glazunov from Google's Project Zero.
-
-  o Minor features (compatibility, backport from 0.4.6.4-rc):
-    - Remove an assertion function related to TLS renegotiation. It was
-      used nowhere outside the unit tests, and it was breaking
-      compilation with recent alpha releases of OpenSSL 3.0.0. Closes
-      ticket 40399.
-
-  o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
-    - Regenerate the list of fallback directories to contain a new set
-      of 200 relays. Closes ticket 40265.
-
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database, as
-      retrieved on 2021/06/10.
-
-  o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
-    - Fix a non-fatal BUG() message due to a too-early free of a string,
-      when listing a client connection from the DoS defenses subsystem.
-      Fixes bug 40345; bugfix on 0.4.3.4-rc.
-
-  o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
-    - Fix an indentation problem that led to a warning from GCC 11.1.1.
-      Fixes bug 40380; bugfix on 0.3.0.1-alpha.
-
-
-Changes in version 0.3.5.15 - 2021-06-14
-  Tor 0.3.5.15 fixes several security issues, including a
-  denial-of-service attack against onion service clients, and another
-  denial-of-service attack against relays. Everybody should upgrade to
-  one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
-
-  o Major bugfixes (security, backport from 0.4.6.5):
-    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
-      half-closed streams. Previously, clients failed to validate which
-      hop sent these cells: this would allow a relay on a circuit to end
-      a stream that wasn't actually built with it. Fixes bug 40389;
-      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
-      003 and CVE-2021-34548.
-
-  o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
-    - Detect more failure conditions from the OpenSSL RNG code.
-      Previously, we would detect errors from a missing RNG
-      implementation, but not failures from the RNG code itself.
-      Fortunately, it appears those failures do not happen in practice
-      when Tor is using OpenSSL's default RNG implementation. Fixes bug
-      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
-      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
-
-  o Major bugfixes (security, denial of service, backport from 0.4.6.5):
-    - Resist a hashtable-based CPU denial-of-service attack against
-      relays. Previously we used a naive unkeyed hash function to look
-      up circuits in a circuitmux object. An attacker could exploit this
-      to construct circuits with chosen circuit IDs, to create
-      collisions and make the hash table inefficient. Now we use a
-      SipHash construction here instead. Fixes bug 40391; bugfix on
-      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
-      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
-    - Fix an out-of-bounds memory access in v3 onion service descriptor
-      parsing. An attacker could exploit this bug by crafting an onion
-      service descriptor that would crash any client that tried to visit
-      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
-      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
-      Glazunov from Google's Project Zero.
-
-  o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
-    - Fix an indentation problem that led to a warning from GCC 11.1.1.
-      Fixes bug 40380; bugfix on 0.3.0.1-alpha.
-
-  o Minor features (compatibility, backport from 0.4.6.4-rc):
-    - Remove an assertion function related to TLS renegotiation. It was
-      used nowhere outside the unit tests, and it was breaking
-      compilation with recent alpha releases of OpenSSL 3.0.0. Closes
-      ticket 40399.
-
-  o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
-    - Regenerate the list of fallback directories to contain a new set
-      of 200 relays. Closes ticket 40265.
-
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database, as
-      retrieved on 2021/06/10.
-
-
 Changes in version 0.4.6.5 - 2021-06-14
   Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x
   series includes numerous features and bugfixes, including a significant
@@ -822,6 +634,194 @@ Changes in version 0.4.6.5 - 2021-06-14
       for now.) Closes ticket 40282.
 
 
+Changes in version 0.4.5.9 - 2021-06-14
+  Tor 0.4.5.9 fixes several security issues, including a
+  denial-of-service attack against onion service clients, and another
+  denial-of-service attack against relays. Everybody should upgrade to
+  one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
+
+  o Major bugfixes (security, backport from 0.4.6.5):
+    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
+      half-closed streams. Previously, clients failed to validate which
+      hop sent these cells: this would allow a relay on a circuit to end
+      a stream that wasn't actually built with it. Fixes bug 40389;
+      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
+      003 and CVE-2021-34548.
+
+  o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
+    - Detect more failure conditions from the OpenSSL RNG code.
+      Previously, we would detect errors from a missing RNG
+      implementation, but not failures from the RNG code itself.
+      Fortunately, it appears those failures do not happen in practice
+      when Tor is using OpenSSL's default RNG implementation. Fixes bug
+      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
+
+  o Major bugfixes (security, denial of service, backport from 0.4.6.5):
+    - Resist a hashtable-based CPU denial-of-service attack against
+      relays. Previously we used a naive unkeyed hash function to look
+      up circuits in a circuitmux object. An attacker could exploit this
+      to construct circuits with chosen circuit IDs, to create
+      collisions and make the hash table inefficient. Now we use a
+      SipHash construction here instead. Fixes bug 40391; bugfix on
+      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
+      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
+    - Fix an out-of-bounds memory access in v3 onion service descriptor
+      parsing. An attacker could exploit this bug by crafting an onion
+      service descriptor that would crash any client that tried to visit
+      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
+      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
+      Glazunov from Google's Project Zero.
+
+  o Minor features (compatibility, backport from 0.4.6.4-rc):
+    - Remove an assertion function related to TLS renegotiation. It was
+      used nowhere outside the unit tests, and it was breaking
+      compilation with recent alpha releases of OpenSSL 3.0.0. Closes
+      ticket 40399.
+
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database, as
+      retrieved on 2021/06/10.
+
+  o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc):
+    - Allow the control command SAVECONF to succeed when the seccomp
+      sandbox is enabled, and make SAVECONF keep only one backup file to
+      simplify implementation. Previously SAVECONF allowed a large
+      number of backup files, which made it incompatible with the
+      sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by
+      Daniel Pinto.
+
+  o Minor bugfixes (metrics port, backport from 0.4.6.4-rc):
+    - Fix a bug that made tor try to re-bind() on an already open
+      MetricsPort every 60 seconds. Fixes bug 40370; bugfix
+      on 0.4.5.1-alpha.
+
+
+Changes in version 0.4.4.9 - 2021-06-14
+  Tor 0.4.4.9 fixes several security issues, including a
+  denial-of-service attack against onion service clients, and another
+  denial-of-service attack against relays. Everybody should upgrade to
+  one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
+
+  Note that the scheduled end-of-life date for the Tor 0.4.4.x series is
+  June 15. This is therefore the last release in its series. Everybody
+  still running 0.4.4.x should plan to upgrade to 0.4.5.x or later.
+
+  o Major bugfixes (security, backport from 0.4.6.5):
+    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
+      half-closed streams. Previously, clients failed to validate which
+      hop sent these cells: this would allow a relay on a circuit to end
+      a stream that wasn't actually built with it. Fixes bug 40389;
+      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
+      003 and CVE-2021-34548.
+
+  o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
+    - Detect more failure conditions from the OpenSSL RNG code.
+      Previously, we would detect errors from a missing RNG
+      implementation, but not failures from the RNG code itself.
+      Fortunately, it appears those failures do not happen in practice
+      when Tor is using OpenSSL's default RNG implementation. Fixes bug
+      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
+
+  o Major bugfixes (security, denial of service, backport from 0.4.6.5):
+    - Resist a hashtable-based CPU denial-of-service attack against
+      relays. Previously we used a naive unkeyed hash function to look
+      up circuits in a circuitmux object. An attacker could exploit this
+      to construct circuits with chosen circuit IDs, to create
+      collisions and make the hash table inefficient. Now we use a
+      SipHash construction here instead. Fixes bug 40391; bugfix on
+      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
+      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
+    - Fix an out-of-bounds memory access in v3 onion service descriptor
+      parsing. An attacker could exploit this bug by crafting an onion
+      service descriptor that would crash any client that tried to visit
+      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
+      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
+      Glazunov from Google's Project Zero.
+
+  o Minor features (compatibility, backport from 0.4.6.4-rc):
+    - Remove an assertion function related to TLS renegotiation. It was
+      used nowhere outside the unit tests, and it was breaking
+      compilation with recent alpha releases of OpenSSL 3.0.0. Closes
+      ticket 40399.
+
+  o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
+    - Regenerate the list of fallback directories to contain a new set
+      of 200 relays. Closes ticket 40265.
+
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database, as
+      retrieved on 2021/06/10.
+
+  o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
+    - Fix a non-fatal BUG() message due to a too-early free of a string,
+      when listing a client connection from the DoS defenses subsystem.
+      Fixes bug 40345; bugfix on 0.4.3.4-rc.
+
+  o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
+    - Fix an indentation problem that led to a warning from GCC 11.1.1.
+      Fixes bug 40380; bugfix on 0.3.0.1-alpha.
+
+
+Changes in version 0.3.5.15 - 2021-06-14
+  Tor 0.3.5.15 fixes several security issues, including a
+  denial-of-service attack against onion service clients, and another
+  denial-of-service attack against relays. Everybody should upgrade to
+  one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
+
+  o Major bugfixes (security, backport from 0.4.6.5):
+    - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
+      half-closed streams. Previously, clients failed to validate which
+      hop sent these cells: this would allow a relay on a circuit to end
+      a stream that wasn't actually built with it. Fixes bug 40389;
+      bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
+      003 and CVE-2021-34548.
+
+  o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
+    - Detect more failure conditions from the OpenSSL RNG code.
+      Previously, we would detect errors from a missing RNG
+      implementation, but not failures from the RNG code itself.
+      Fortunately, it appears those failures do not happen in practice
+      when Tor is using OpenSSL's default RNG implementation. Fixes bug
+      40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+      TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
+
+  o Major bugfixes (security, denial of service, backport from 0.4.6.5):
+    - Resist a hashtable-based CPU denial-of-service attack against
+      relays. Previously we used a naive unkeyed hash function to look
+      up circuits in a circuitmux object. An attacker could exploit this
+      to construct circuits with chosen circuit IDs, to create
+      collisions and make the hash table inefficient. Now we use a
+      SipHash construction here instead. Fixes bug 40391; bugfix on
+      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
+      CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
+    - Fix an out-of-bounds memory access in v3 onion service descriptor
+      parsing. An attacker could exploit this bug by crafting an onion
+      service descriptor that would crash any client that tried to visit
+      it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
+      tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
+      Glazunov from Google's Project Zero.
+
+  o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
+    - Fix an indentation problem that led to a warning from GCC 11.1.1.
+      Fixes bug 40380; bugfix on 0.3.0.1-alpha.
+
+  o Minor features (compatibility, backport from 0.4.6.4-rc):
+    - Remove an assertion function related to TLS renegotiation. It was
+      used nowhere outside the unit tests, and it was breaking
+      compilation with recent alpha releases of OpenSSL 3.0.0. Closes
+      ticket 40399.
+
+  o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
+    - Regenerate the list of fallback directories to contain a new set
+      of 200 relays. Closes ticket 40265.
+
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database, as
+      retrieved on 2021/06/10.
+
+
 Changes in version 0.4.5.8 - 2021-05-10
   Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
   from the 0.4.6.x series.