release: Update ChangeLog/ReleaseNotes with latest releases

Signed-off-by: David Goulet <dgoulet@torproject.org>
author: David Goulet <dgoulet@torproject.org> 2022-08-11 11:19:19 -0400
committer: David Goulet <dgoulet@torproject.org> 2022-08-11 11:19:19 -0400
commit: bbc29f4a11696012c0fc073daac76d6a726e953a (patch)
tree: 89a79f0b8002247b390e8a6e8fee27ae2e569113 /ChangeLog
parent: fbfda1b661cf3c9d6c9a35a2786f04a70f23f4b5 (diff)
download: tor-bbc29f4a11696012c0fc073daac76d6a726e953a.tar.gz
tor-bbc29f4a11696012c0fc073daac76d6a726e953a.zip
1 files changed, 212 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 0ed1710d7b..7661caf26f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,215 @@
+Changes in version 0.4.7.9 - 2022-08-11
+  This version contains several major fixes aimed at reducing memory pressure on
+  relays and possible side-channel. It also contains a major bugfix related to
+  congestion control also aimed at reducing memory pressure on relays.
+  Finally, there is last one major bugfix related to Vanguard L2 layer node
+  selection.
+
+  We strongly recommend to upgrade to this version especially for Exit relays
+  in order to help the network defend against this ongoing DDoS.
+
+  o Major bugfixes (congestion control):
+    - Implement RFC3742 Limited Slow Start. Congestion control was
+      overshooting the congestion window during slow start, particularly
+      for onion service activity. With this fix, we now update the
+      congestion window more often during slow start, as well as dampen
+      the exponential growth when the congestion window grows above a
+      capping parameter. This should reduce the memory increases guard
+      relays were seeing, as well as allow us to set lower queue limits
+      to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
+      on 0.4.7.5-alpha.
+
+  o Major bugfixes (relay):
+    - Remove OR connections btrack subsystem entries when the connections
+      close normally. Before this, we would only remove the entry on error and
+      thus leaking memory for each normal OR connections. Fixes bug 40604;
+      bugfix on 0.4.0.1-alpha.
+    - Stop sending TRUNCATED cell and instead close the circuit from which we
+      received a DESTROY cell. This makes every relay in the circuit path to
+      stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
+
+  o Major bugfixes (vanguards):
+    - We had omitted some checks for whether our vanguards (second layer
+      guards from proposal 333) overlapped. Now make sure to pick each
+      of them to be independent. Also, change the design to allow them
+      to come from the same family. Fixes bug 40639; bugfix
+      on 0.4.7.1-alpha.
+
+  o Minor features (dirauth):
+    - Add a torrc option to control the Guard flag bandwidth threshold
+      percentile. Closes ticket 40652.
+    - Add an AuthDirVoteGuard torrc option that can allow authorities to
+      assign the Guard flag to the given fingerprints/country code/IPs.
+      This is a needed feature mostly for defense purposes in case a DoS
+      hits the network and relay start losing the Guard flags too fast.
+    - Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
+      TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
+      from torrc.
+
+  o Minor features (fallbackdir):
+    - Regenerate fallback directories generated on August 11, 2022.
+
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database, as
+      retrieved on 2022/08/11.
+
+  o Minor bugfixes (congestion control):
+    - Add a check for an integer underflow condition that might happen
+      in cases where the system clock is stopped, the ORconn is blocked,
+      and the endpoint sends more than a congestion window worth of non-
+      data control cells at once. This would cause a large congestion
+      window to be calculated instead of a small one. No security
+      impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
+
+  o Minor bugfixes (defense in depth):
+    - Change a test in the netflow padding code to make it more
+      _obviously_ safe against remotely triggered crashes. (It was safe
+      against these before, but not obviously so.) Fixes bug 40645;
+      bugfix on 0.3.1.1-alpha.
+
+  o Minor bugfixes (relay):
+    - Do not propagate either forward or backward a DESTROY remote reason when
+      closing a circuit in order to avoid a possible side channel. Fixes bug
+      40649; bugfix on 0.1.2.4-alpha.
+
+
+Changes in version 0.4.6.11 - 2022-08-11
+  This version contains two major fixes aimed at reducing memory pressure on
+  relays and possible side-channel. The rest of the fixes were backported for
+  stability or safety purposes.
+
+  This is the very LAST version of this series. As of August 1st 2022, it is
+  end-of-life (EOL). We thus strongly recommend to upgrade to the latest
+  stable of the 0.4.7.x series.
+
+  o Major bugfixes (relay):
+    - Remove OR connections btrack subsystem entries when the connections
+      close normally. Before this, we would only remove the entry on error and
+      thus leaking memory for each normal OR connections. Fixes bug 40604;
+      bugfix on 0.4.0.1-alpha.
+    - Stop sending TRUNCATED cell and instead close the circuit from which we
+      received a DESTROY cell. This makes every relay in the circuit path to
+      stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
+
+  o Minor features (fallbackdir):
+    - Regenerate fallback directories generated on August 11, 2022.
+
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database, as
+      retrieved on 2022/08/11.
+
+  o Minor features (linux seccomp2 sandbox):
+    - Permit the clone3 syscall, which is apparently used in glibc-2.34
+      and later. Closes ticket 40590.
+
+  o Minor bugfixes (controller, path bias):
+    - When a circuit's path is specified, in full or in part, from the
+      controller API, do not count that circuit towards our path-bias
+      calculations. (Doing so was incorrect, since we cannot tell
+      whether the controller is selecting relays randomly.) Resolves a
+      "Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
+
+  o Minor bugfixes (defense in depth):
+    - Change a test in the netflow padding code to make it more
+      _obviously_ safe against remotely triggered crashes. (It was safe
+      against these before, but not obviously so.) Fixes bug 40645;
+      bugfix on 0.3.1.1-alpha.
+
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Allow the rseq system call in the sandbox. This solves a crash
+      issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
+      40601; bugfix on 0.3.5.11.
+
+  o Minor bugfixes (metrics port, onion service):
+    - The MetricsPort line for an onion service with multiple ports are now
+      unique that is one line per port. Before this, all ports of an onion
+      service would be on the same line which violates the Prometheus rules of
+      unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
+
+  o Minor bugfixes (onion service, client):
+    - Fix a fatal assert due to a guard subsystem recursion triggered by
+      the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
+
+  o Minor bugfixes (performance, DoS):
+    - Fix one case of a not-especially viable denial-of-service attack
+      found by OSS-Fuzz in our consensus-diff parsing code. This attack
+      causes a lot small of memory allocations and then immediately
+      frees them: this is only slow when running with all the sanitizers
+      enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
+
+  o Minor bugfixes (relay):
+    - Do not propagate either forward or backward a DESTROY remote reason when
+      closing a circuit in order to avoid a possible side channel. Fixes bug
+      40649; bugfix on 0.1.2.4-alpha.
+
+
+Changes in version 0.4.5.13 - 2022-08-11
+  This version contains two major fixes aimed at reducing memory pressure on
+  relays and possible side-channel. The rest of the fixes were backported for
+  stability or safety purposes. We strongly recommend to upgrade your relay to
+  this version or, ideally, to the latest stable of the 0.4.7.x series.
+
+  o Major bugfixes (relay):
+    - Remove OR connections btrack subsystem entries when the connections
+      close normally. Before this, we would only remove the entry on error and
+      thus leaking memory for each normal OR connections. Fixes bug 40604;
+      bugfix on 0.4.0.1-alpha.
+    - Stop sending TRUNCATED cell and instead close the circuit from which we
+      received a DESTROY cell. This makes every relay in the circuit path to
+      stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
+
+  o Minor features (fallbackdir):
+    - Regenerate fallback directories generated on August 11, 2022.
+
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database, as
+      retrieved on 2022/08/11.
+
+  o Minor features (linux seccomp2 sandbox):
+    - Permit the clone3 syscall, which is apparently used in glibc-2.34
+      and later. Closes ticket 40590.
+
+  o Minor bugfixes (controller, path bias):
+    - When a circuit's path is specified, in full or in part, from the
+      controller API, do not count that circuit towards our path-bias
+      calculations. (Doing so was incorrect, since we cannot tell
+      whether the controller is selecting relays randomly.) Resolves a
+      "Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
+
+  o Minor bugfixes (defense in depth):
+    - Change a test in the netflow padding code to make it more
+      _obviously_ safe against remotely triggered crashes. (It was safe
+      against these before, but not obviously so.) Fixes bug 40645;
+      bugfix on 0.3.1.1-alpha.
+
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Allow the rseq system call in the sandbox. This solves a crash
+      issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
+      40601; bugfix on 0.3.5.11.
+
+  o Minor bugfixes (metrics port, onion service):
+    - The MetricsPort line for an onion service with multiple ports are now
+      unique that is one line per port. Before this, all ports of an onion
+      service would be on the same line which violates the Prometheus rules of
+      unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
+
+  o Minor bugfixes (onion service, client):
+    - Fix a fatal assert due to a guard subsystem recursion triggered by
+      the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
+
+  o Minor bugfixes (performance, DoS):
+    - Fix one case of a not-especially viable denial-of-service attack
+      found by OSS-Fuzz in our consensus-diff parsing code. This attack
+      causes a lot small of memory allocations and then immediately
+      frees them: this is only slow when running with all the sanitizers
+      enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
+
+  o Minor bugfixes (relay):
+    - Do not propagate either forward or backward a DESTROY remote reason when
+      closing a circuit in order to avoid a possible side channel. Fixes bug
+      40649; bugfix on 0.1.2.4-alpha.
+
+
 Changes in version 0.4.7.8 - 2022-06-17
   This version fixes several bugfixes including a High severity security issue
   categorized as a Denial of Service. Everyone running an earlier version
author	David Goulet <dgoulet@torproject.org>	2022-08-11 11:19:19 -0400
committer	David Goulet <dgoulet@torproject.org>	2022-08-11 11:19:19 -0400
commit	bbc29f4a11696012c0fc073daac76d6a726e953a (patch)
tree	89a79f0b8002247b390e8a6e8fee27ae2e569113 /ChangeLog
parent	fbfda1b661cf3c9d6c9a35a2786f04a70f23f4b5 (diff)
download	tor-bbc29f4a11696012c0fc073daac76d6a726e953a.tar.gz tor-bbc29f4a11696012c0fc073daac76d6a726e953a.zip