diff options
69 files changed, 1516 insertions, 353 deletions
@@ -1,3 +1,392 @@ +Changes in version 0.2.3.26 - 2013-0?-?? + + o Major bugfixes: + - Reject bogus create and relay cells with 0 circuit ID or 0 stream + ID: these could be used to create unexpected streams and circuits + which would count as "present" to some parts of Tor but "absent" + to others, leading to zombie circuits and streams or to a bandwidth + denial-of-service. Fixes bug 7889; bugfix on every released version + of Tor. Reported by "oftc_must_be_destroyed". + + o Minor bugfixes: + - Avoid a crash if we fail to generate an extrainfo descriptor. + Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity; + this is CID 718634. + - Correctly recognize that [::1] is a loopback address. Fixes + bug 8377; bugfix on 0.2.1.3-alpha. + + o Minor features: + - Update to the April 3 2013 Maxmind GeoLite Country database. + + +Changes in version 0.2.3.25 - 2012-11-19 + The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi" + Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher, + Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer, + programmer, and friend. Unstinting in his dedication to the cause of + freedom, he inspired and helped many of us as we began our work on + anonymity, and inspires us still. Please honor his memory by writing + software to protect people's freedoms, and by helping others to do so. + + Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features + significantly reduced directory overhead (via microdescriptors), + enormous crypto performance improvements for fast relays on new + enough hardware, a new v3 TLS handshake protocol that can better + resist fingerprinting, support for protocol obfuscation plugins (aka + pluggable transports), better scalability for hidden services, IPv6 + support for bridges, performance improvements like allowing clients + to skip the first round-trip on the circuit ("optimistic data") and + refilling token buckets more often, a new "stream isolation" design + to isolate different applications on different circuits, and many + stability, security, and privacy fixes. + + o Major bugfixes: + - Tor tries to wipe potentially sensitive data after using it, so + that if some subsequent security failure exposes Tor's memory, + the damage will be limited. But we had a bug where the compiler + was eliminating these wipe operations when it decided that the + memory was no longer visible to a (correctly running) program, + hence defeating our attempt at defense in depth. We fix that + by using OpenSSL's OPENSSL_cleanse() operation, which a compiler + is unlikely to optimize away. Future versions of Tor may use + a less ridiculously heavy approach for this. Fixes bug 7352. + Reported in an article by Andrey Karpov. + + o Minor bugfixes: + - Fix a harmless bug when opting against publishing a relay descriptor + because DisableNetwork is set. Fixes bug 7464; bugfix on + 0.2.3.9-alpha. + + +Changes in version 0.2.3.24-rc - 2012-10-25 + Tor 0.2.3.24-rc fixes two important security vulnerabilities that + could lead to remotely triggerable relay crashes, and fixes + a major bug that was preventing clients from choosing suitable exit + nodes. + + o Major bugfixes (security): + - Fix a group of remotely triggerable assertion failures related to + incorrect link protocol negotiation. Found, diagnosed, and fixed + by "some guy from France". Fix for CVE-2012-2250; bugfix on + 0.2.3.6-alpha. + - Fix a denial of service attack by which any directory authority + could crash all the others, or by which a single v2 directory + authority could crash everybody downloading v2 directory + information. Fixes bug 7191; bugfix on 0.2.0.10-alpha. + + o Major bugfixes: + - When parsing exit policy summaries from microdescriptors, we had + previously been ignoring the last character in each one, so that + "accept 80,443,8080" would be treated by clients as indicating + a node that allows access to ports 80, 443, and 808. That would + lead to clients attempting connections that could never work, + and ignoring exit nodes that would support their connections. Now + clients parse these exit policy summaries correctly. Fixes bug 7192; + bugfix on 0.2.3.1-alpha. + + o Minor bugfixes: + - Clients now consider the ClientRejectInternalAddresses config option + when using a microdescriptor consensus stanza to decide whether + an exit relay would allow exiting to an internal address. Fixes + bug 7190; bugfix on 0.2.3.1-alpha. + + +Changes in version 0.2.3.23-rc - 2012-10-20 + Tor 0.2.3.23-rc adds a new v3 directory authority, fixes a privacy + vulnerability introduced by a change in OpenSSL, and fixes a variety + of smaller bugs in preparation for the release. + + o New directory authorities: + - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory + authority. Closes ticket 5749. + + o Major bugfixes (security/privacy): + - Disable TLS session tickets. OpenSSL's implementation was giving + our TLS session keys the lifetime of our TLS context objects, when + perfect forward secrecy would want us to discard anything that + could decrypt a link connection as soon as the link connection + was closed. Fixes bug 7139; bugfix on all versions of Tor linked + against OpenSSL 1.0.0 or later. Found by Florent Daignière. + - Discard extraneous renegotiation attempts once the V3 link + protocol has been initiated. Failure to do so left us open to + a remotely triggerable assertion failure. Fixes CVE-2012-2249; + bugfix on 0.2.3.6-alpha. Reported by "some guy from France". + + o Major bugfixes: + - Fix a possible crash bug when checking for deactivated circuits + in connection_or_flush_from_first_active_circuit(). Fixes bug 6341; + bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously. + + o Minor bugfixes (on 0.2.3.x): + - Fix two cases in src/or/transports.c where we were calling + fmt_addr() twice in a parameter list. Bug found by David + Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha. + - Convert an assert in the pathbias code to a log message. The assert + appears to only be triggerable by Tor2Web mode. Fixes bug 6866; + bugfix on 0.2.3.17-beta. + - Fix memory leaks whenever we logged any message about the "path + bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc. + + o Minor bugfixes (on 0.2.2.x and earlier): + - Don't serve or accept v2 hidden service descriptors over a relay's + DirPort. It's never correct to do so, and disabling it might + make it more annoying to exploit any bugs that turn up in the + descriptor-parsing code. Fixes bug 7149. + - When relays refuse a "create" cell because their queue of pending + create cells is too big (typically because their cpu can't keep up + with the arrival rate), send back reason "resource limit" rather + than reason "internal", so network measurement scripts can get a + more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037. + - Correct file sizes when reading binary files on Cygwin, to avoid + a bug where Tor would fail to read its state file. Fixes bug 6844; + bugfix on 0.1.2.7-alpha. + - Avoid undefined behaviour when parsing the list of supported + rendezvous/introduction protocols in a hidden service descriptor. + Previously, Tor would have confused (as-yet-unused) protocol version + numbers greater than 32 with lower ones on many platforms. Fixes + bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis. + + o Documentation fixes: + - Clarify that hidden services are TCP only. Fixes bug 6024. + + +Changes in version 0.2.3.22-rc - 2012-09-11 + Tor 0.2.3.22-rc fixes another opportunity for a remotely triggerable + assertion. + + o Security fixes: + - Fix an assertion failure in tor_timegm() that could be triggered + by a badly formatted directory object. Bug found by fuzzing with + Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc. + + o Minor bugfixes: + - Avoid segfault when starting up having run with an extremely old + version of Tor and parsing its state file. Fixes bug 6801; bugfix + on 0.2.2.23-alpha. + + +Changes in version 0.2.2.39 - 2012-09-11 + Tor 0.2.2.39 fixes two more opportunities for remotely triggerable + assertions. + + o Security fixes: + - Fix an assertion failure in tor_timegm() that could be triggered + by a badly formatted directory object. Bug found by fuzzing with + Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc. + - Do not crash when comparing an address with port value 0 to an + address policy. This bug could have been used to cause a remote + assertion failure by or against directory authorities, or to + allow some applications to crash clients. Fixes bug 6690; bugfix + on 0.2.1.10-alpha. + + +Changes in version 0.2.3.21-rc - 2012-09-05 + Tor 0.2.3.21-rc is the fourth release candidate for the Tor 0.2.3.x + series. It fixes a trio of potential security bugs, fixes a bug where + we were leaving some of the fast relays out of the microdescriptor + consensus, resumes interpreting "ORPort 0" and "DirPort 0" correctly, + and cleans up other smaller issues. + + o Major bugfixes (security): + - Tear down the circuit if we get an unexpected SENDME cell. Clients + could use this trick to make their circuits receive cells faster + than our flow control would have allowed, or to gum up the network, + or possibly to do targeted memory denial-of-service attacks on + entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor -- + from July 2002, before the release of Tor 0.0.0. We had committed + this patch previously, but we had to revert it because of bug 6271. + Now that 6271 is fixed, this patch appears to work. + - Reject any attempt to extend to an internal address. Without + this fix, a router could be used to probe addresses on an internal + network to see whether they were accepting connections. Fixes bug + 6710; bugfix on 0.0.8pre1. + - Do not crash when comparing an address with port value 0 to an + address policy. This bug could have been used to cause a remote + assertion failure by or against directory authorities, or to + allow some applications to crash clients. Fixes bug 6690; bugfix + on 0.2.1.10-alpha. + + o Major bugfixes: + - Remove the upper bound on microdescriptor length. We were hitting + the limit for routers with complex exit policies or family + declarations, causing clients to not use them. Fixes the first + piece of bug 6404; fix on 0.2.2.6-alpha. + - Detect "ORPort 0" as meaning, uniformly, that we're not running + as a relay. Previously, some of our code would treat the presence + of any ORPort line as meaning that we should act like a relay, + even though our new listener code would correctly not open any + ORPorts for ORPort 0. Similar bugs in other Port options are also + fixed. Fixes the first half of bug 6507; bugfix on 0.2.3.3-alpha. + + o Minor bugfixes: + - Avoid a pair of double-free and use-after-mark bugs that can + occur with certain timings in canceled and re-received DNS + requests. Fixes bug 6472; bugfix on 0.0.7rc1. + - Fix build and 64-bit compile warnings from --enable-openbsd-malloc. + Fixes bug 6379. Bugfix on 0.2.0.20-rc. + - Allow one-hop directory fetching circuits the full "circuit build + timeout" period, rather than just half of it, before failing them + and marking the relay down. This fix should help reduce cases where + clients declare relays (or worse, bridges) unreachable because + the TLS handshake takes a few seconds to complete. Fixes bug 6743; + bugfix on 0.2.2.2-alpha, where we changed the timeout from a static + 30 seconds. + - Authorities no longer include any router in their microdescriptor + consensuses for which they couldn't generate or agree on a + microdescriptor. Fixes the second piece of bug 6404; fix on + 0.2.2.6-alpha. + - Detect and reject attempts to specify both "FooPort" and + "FooPort 0" in the same configuration domain. (It's still okay + to have a FooPort in your configuration file, and use "FooPort 0" + on the command line to disable it.) Fixes the second half of bug + 6507; bugfix on 0.2.3.3-alpha. + - Make wildcarded addresses (that is, ones beginning with "*.") work + when provided via the controller's MapAddress command. Previously, + they were accepted, but we never actually noticed that they were + wildcards. Fixes bug 6244; bugfix on 0.2.3.9-alpha. + - Avoid crashing on a malformed state file where EntryGuardPathBias + precedes EntryGuard. Fixes bug 6774; bugfix on 0.2.3.17-beta. + - Add a (probably redundant) memory clear between iterations of + the router status voting loop, to prevent future coding errors + where data might leak between iterations of the loop. Resolves + ticket 6514. + + o Minor bugfixes (log messages): + - Downgrade "set buildtimeout to low value" messages to "info" + severity; they were never an actual problem, there was never + anything reasonable to do about them, and they tended to spam logs + from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha. + - Downgrade path-bias warning messages to "info". We'll try to get + them working better in 0.2.4. Add internal circuit construction + state to protect against the noisy warn message "Unexpectedly high + circuit_successes". Also add some additional rate-limited notice + messages to help determine the root cause of the warn. Fixes bug + 6475. Bugfix against 0.2.3.17-beta. + - Move log message when unable to find a microdesc in a routerstatus + entry to parse time. Previously we'd spam this warning every time + we tried to figure out which microdescriptors to download. Fixes + the third piece of bug 6404; fix on 0.2.3.18-rc. + + o Minor features: + - Consider new, removed or changed IPv6 OR ports a non-cosmetic + change when the authority is deciding whether to accept a newly + uploaded descriptor. Implements ticket 6423. + - Add missing documentation for consensus and microdesc files. + Resolves ticket 6732. + + +Changes in version 0.2.2.38 - 2012-08-12 + Tor 0.2.2.38 fixes a remotely triggerable crash bug, and fixes a timing + attack that could in theory leak path information. + + o Security fixes: + - Avoid an uninitialized memory read when reading a vote or consensus + document that has an unrecognized flavor name. This read could + lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha. + - Try to leak less information about what relays a client is + choosing to a side-channel attacker. Previously, a Tor client would + stop iterating through the list of available relays as soon as it + had chosen one, thus finishing a little earlier when it picked + a router earlier in the list. If an attacker can recover this + timing information (nontrivial but not proven to be impossible), + they could learn some coarse-grained information about which relays + a client was picking (middle nodes in particular are likelier to + be affected than exits). The timing attack might be mitigated by + other factors (see bug 6537 for some discussion), but it's best + not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1. + + +Changes in version 0.2.3.20-rc - 2012-08-05 + Tor 0.2.3.20-rc is the third release candidate for the Tor 0.2.3.x + series. It fixes a pair of code security bugs and a potential anonymity + issue, updates our RPM spec files, and cleans up other smaller issues. + + o Security fixes: + - Avoid read-from-freed-memory and double-free bugs that could occur + when a DNS request fails while launching it. Fixes bug 6480; + bugfix on 0.2.0.1-alpha. + - Avoid an uninitialized memory read when reading a vote or consensus + document that has an unrecognized flavor name. This read could + lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha. + - Try to leak less information about what relays a client is + choosing to a side-channel attacker. Previously, a Tor client would + stop iterating through the list of available relays as soon as it + had chosen one, thus finishing a little earlier when it picked + a router earlier in the list. If an attacker can recover this + timing information (nontrivial but not proven to be impossible), + they could learn some coarse-grained information about which relays + a client was picking (middle nodes in particular are likelier to + be affected than exits). The timing attack might be mitigated by + other factors (see bug 6537 for some discussion), but it's best + not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1. + + o Minor features: + - Try to make the warning when giving an obsolete SOCKSListenAddress + a little more useful. + - Terminate active server managed proxies if Tor stops being a + relay. Addresses parts of bug 6274; bugfix on 0.2.3.6-alpha. + - Provide a better error message about possible OSX Asciidoc failure + reasons. Fixes bug 6436. + - Warn when Tor is configured to use accounting in a way that can + link a hidden service to some other hidden service or public + address. Resolves ticket 6490. + + o Minor bugfixes: + - Check return value of fputs() when writing authority certificate + file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha. + - Ignore ServerTransportPlugin lines when Tor is not configured as + a relay. Fixes bug 6274; bugfix on 0.2.3.6-alpha. + - When disabling guards for having too high a proportion of failed + circuits, make sure to look at each guard. Fixes bug 6397; bugfix + on 0.2.3.17-beta. + + o Packaging (RPM): + - Update our default RPM spec files to work with mock and rpmbuild + on RHEL/Fedora. They have an updated set of dependencies and + conflicts, a fix for an ancient typo when creating the "_tor" + user, and better instructions. Thanks to Ondrej Mikle for the + patch series. Fixes bug 6043. + + o Testing: + - Make it possible to set the TestingTorNetwork configuration + option using AlternateDirAuthority and AlternateBridgeAuthority + as an alternative to setting DirServer. Addresses ticket 6377. + + o Documentation: + - Clarify the documentation for the Alternate*Authority options. + Fixes bug 6387. + - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500. + + o Code simplification and refactoring: + - Do not use SMARTLIST_FOREACH for any loop whose body exceeds + 10 lines. Also, don't nest them. Doing so in the past has + led to hard-to-debug code. The new style is to use the + SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400. + + +Changes in version 0.2.3.19-rc - 2012-07-06 + Tor 0.2.3.19-rc is the second release candidate for the Tor 0.2.3.x + series. It fixes the compile on Windows, reverts to a GeoIP database + that isn't as broken, and fixes a flow control bug that has been around + since the beginning of Tor. + + o Major bugfixes: + - Fix a bug handling SENDME cells on nonexistent streams that could + result in bizarre window values. Report and patch contributed + pseudonymously. Fixes part of bug 6271. This bug was introduced + before the first Tor release, in svn commit r152. + - Revert to the May 1 2012 Maxmind GeoLite Country database. In the + June 2012 database, Maxmind marked many Tor relays as country "A1", + which will cause risky behavior for clients that set EntryNodes + or ExitNodes. Addresses bug 6334; bugfix on 0.2.3.17-beta. + - Instead of ENOBUFS on Windows, say WSAENOBUFS. Fixes compilation + on Windows. Fixes bug 6296; bugfix on 0.2.3.18-rc. + + o Minor bugfixes: + - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218; + bugfix on 0.2.1.10-alpha. + + Changes in version 0.2.3.18-rc - 2012-06-28 Tor 0.2.3.18-rc is the first release candidate for the Tor 0.2.3.x series. It fixes a few smaller bugs, but generally appears stable. @@ -225,7 +614,7 @@ Changes in version 0.2.3.16-alpha - 2012-06-05 indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc. - When fetching a bridge descriptor from a bridge authority, always do so anonymously, whether we have been able to open - circuits or not. Partial fix for bug 1938; bugfix on 2.0.7-alpha. + circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha. This behavior makes it *safer* to use UpdateBridgesFromAuthority, but we'll need to wait for bug 6010 before it's actually usable. diff --git a/ReleaseNotes b/ReleaseNotes index 93e38faf3f..db23c52c68 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -3,6 +3,1129 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.3.25 - 2012-11-19 + The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi" + Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher, + Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer, + programmer, and friend. Unstinting in his dedication to the cause of + freedom, he inspired and helped many of us as we began our work on + anonymity, and inspires us still. Please honor his memory by writing + software to protect people's freedoms, and by helping others to do so. + + Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features + significantly reduced directory overhead (via microdescriptors), + enormous crypto performance improvements for fast relays on new + enough hardware, a new v3 TLS handshake protocol that can better + resist fingerprinting, support for protocol obfuscation plugins (aka + pluggable transports), better scalability for hidden services, IPv6 + support for bridges, performance improvements like allowing clients + to skip the first round-trip on the circuit ("optimistic data") and + refilling token buckets more often, a new "stream isolation" design + to isolate different applications on different circuits, and many + stability, security, and privacy fixes. + + Major features (v3 directory protocol): + - Clients now use microdescriptors instead of regular descriptors + to build circuits. Microdescriptors are authority-generated + summaries of regular descriptors' contents, designed to change very + rarely (see proposal 158 for details). This feature is designed + to save bandwidth, especially for clients on slow internet + connections. Use "UseMicrodescriptors 0" to disable it. + - Caches now download, cache, and serve microdescriptors, as well + as multiple "flavors" of the consensus, including a flavor that + describes microdescriptors. + + o Major features (build hardening): + - Enable gcc and ld hardening by default. Resolves ticket 5210. + + o Major features (relay scaling): + - When built to use OpenSSL 1.0.1, and built for an x86 or x86_64 + instruction set, take advantage of OpenSSL's AESNI, bitsliced, or + vectorized AES implementations as appropriate. These can be much, + much faster than other AES implementations. + - When using OpenSSL 1.0.0 or later, use OpenSSL's counter mode + implementation. It makes AES_CTR about 7% faster than our old one + (which was about 10% faster than the one OpenSSL used to provide). + Resolves ticket 4526. + - Use OpenSSL's EVP interface for AES encryption, so that all AES + operations can use hardware acceleration (if present). Resolves + ticket 4442. + - Unconditionally use OpenSSL's AES implementation instead of our + old built-in one. OpenSSL's AES has been better for a while, and + relatively few servers should still be on any version of OpenSSL + that doesn't have good optimized assembly AES. + + o Major features (blocking resistance): + - Update TLS cipher list to match Firefox 8 and later. Resolves + ticket 4744. + - Remove support for clients falsely claiming to support standard + ciphersuites that they can actually provide. As of modern OpenSSL + versions, it's not necessary to fake any standard ciphersuite, + and doing so prevents us from using better ciphersuites in the + future, since servers can't know whether an advertised ciphersuite + is really supported or not. Some hosts -- notably, ones with very + old versions of OpenSSL or where OpenSSL has been built with ECC + disabled -- will stand out because of this change; TBB users should + not be affected. Implements the client side of proposal 198. + - Implement a new handshake protocol (v3) for authenticating Tors to + each other over TLS. It should be more resistant to fingerprinting + than previous protocols, and should require less TLS hacking for + future Tor implementations. Implements proposal 176. + - Allow variable-length padding cells, to disguise the length of + Tor's TLS records. Implements part of proposal 184. + - While we're trying to bootstrap, record how many TLS connections + fail in each state, and report which states saw the most failures + in response to any bootstrap failures. This feature may speed up + diagnosis of censorship events. Implements ticket 3116. + + o Major features (pluggable transports): + - Clients and bridges can now be configured to use a separate + "transport" proxy. This approach makes the censorship arms race + easier by allowing bridges to use protocol obfuscation plugins. + Implements proposal 180 (tickets 2841 and 3472). + + o Major features (DoS resistance): + - Now that Tor 0.2.0.x is completely deprecated, enable the final + part of "Proposal 110: Avoiding infinite length circuits" by + refusing all circuit-extend requests that do not use a relay_early + cell. This change helps Tor resist a class of denial-of-service + attacks by limiting the maximum circuit length. + - Tear down the circuit if we get an unexpected SENDME cell. Clients + could use this trick to make their circuits receive cells faster + than our flow control would have allowed, or to gum up the network, + or possibly to do targeted memory denial-of-service attacks on + entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor -- + from July 2002, before the release of Tor 0.0.0. + + o Major features (hidden services): + - Adjust the number of introduction points that a hidden service + will try to maintain based on how long its introduction points + remain in use and how many introductions they handle. Fixes + part of bug 3825. + - Add a "tor2web mode" for clients that want to connect to hidden + services non-anonymously (and possibly more quickly). As a safety + measure to try to keep users from turning this on without knowing + what they are doing, tor2web mode must be explicitly enabled at + compile time, and a copy of Tor compiled to run in tor2web mode + cannot be used as a normal Tor client. Implements feature 2553. + + o Major features (IPv6): + - Clients can now connect to private bridges over IPv6. Bridges + still need at least one IPv4 address in order to connect to + other relays. Note that we don't yet handle the case where the + user has two bridge lines for the same bridge (one IPv4, one + IPv6). Implements parts of proposal 186. + + o Major features (directory authorities): + - Use a more secure consensus parameter voting algorithm. Now at + least three directory authorities or a majority of them must + vote on a given parameter before it will be included in the + consensus. Implements proposal 178. + - Remove the artificially low cutoff of 20KB to guarantee the Fast + flag. In the past few years the average relay speed has picked + up, and while the "top 7/8 of the network get the Fast flag" and + "all relays with 20KB or more of capacity get the Fast flag" rules + used to have the same result, now the top 7/8 of the network has + a capacity more like 32KB. Bugfix on 0.2.1.14-rc. Fixes bug 4489. + + o Major features (performance): + - Exit nodes now accept and queue data on not-yet-connected streams. + Previously, the client wasn't allowed to send data until the + stream was connected, which slowed down all connections. This + change will enable clients to perform a "fast-start" on streams + and send data without having to wait for a confirmation that the + stream has opened. Patch from Ian Goldberg; implements the server + side of Proposal 174. + - When using an exit relay running 0.2.3.x, clients can now + "optimistically" send data before the exit relay reports that + the stream has opened. This saves a round trip when starting + connections where the client speaks first (such as web browsing). + This behavior is controlled by a consensus parameter (currently + disabled). To turn it on or off manually, use the "OptimisticData" + torrc option. Implements proposal 181; code by Ian Goldberg. + - Add a new TokenBucketRefillInterval option to refill token buckets + more frequently than once per second. This should improve network + performance, alleviate queueing problems, and make traffic less + bursty. Implements proposal 183; closes ticket 3630. Design by + Florian Tschorsch and Björn Scheuermann; implementation by + Florian Tschorsch. + - Raise the threshold of server descriptors needed (75%) and exit + server descriptors needed (50%) before we will declare ourselves + bootstrapped. This will make clients start building circuits a + little later, but makes the initially constructed circuits less + skewed and less in conflict with further directory fetches. Fixes + ticket 3196. + + o Major features (relays): + - Relays now try regenerating and uploading their descriptor more + frequently if they are not listed in the consensus, or if the + version of their descriptor listed in the consensus is too + old. This fix should prevent situations where a server declines + to re-publish itself because it has done so too recently, even + though the authorities decided not to list its recent-enough + descriptor. Fix for bug 3327. + + o Major features (stream isolation): + - You can now configure Tor so that streams from different + applications are isolated on different circuits, to prevent an + attacker who sees your streams as they leave an exit node from + linking your sessions to one another. To do this, choose some way + to distinguish the applications: have them connect to different + SocksPorts, or have one of them use SOCKS4 while the other uses + SOCKS5, or have them pass different authentication strings to the + SOCKS proxy. Then, use the new SocksPort syntax to configure the + degree of isolation you need. This implements Proposal 171. + - There's a new syntax for specifying multiple client ports (such as + SOCKSPort, TransPort, DNSPort, NATDPort): you can now just declare + multiple *Port entries with full addr:port syntax on each. + The old *ListenAddress format is still supported, but you can't + mix it with the new *Port syntax. + + o Major features (bufferevents): + - Tor can now optionally build with the "bufferevents" buffered IO + backend provided by Libevent 2. To use this feature, make sure you + have the latest possible version of Libevent, and pass the + --enable-bufferevents flag to configure when building Tor from + source. This feature will make our networking code more flexible, + let us stack layers on each other, and let us use more efficient + zero-copy transports where available. + - Add experimental support for running on Windows with IOCP and no + kernel-space socket buffers. This feature is controlled by a new + "UserspaceIOCPBuffers" config option (off by default), which has + no effect unless Tor has been built with bufferevents enabled, + you're running on Windows, and you've set "DisableIOCP 0". In the + long run, this may help solve or mitigate bug 98. + + o Major features (path selection): + - The EntryNodes option can now include country codes like {de} or IP + addresses or network masks. Previously we had disallowed these + options because we didn't have an efficient way to keep the list up + to date. Addresses ticket 1982, but see bug 2798 for an unresolved + issue here. + + o Major features (port forwarding): + - Add support for automatic port mapping on the many home routers + that support NAT-PMP or UPnP. To build the support code, you'll + need to have the libnatpnp library and/or the libminiupnpc library, + and you'll need to enable the feature specifically by passing + "--enable-upnp" and/or "--enable-natpnp" to ./configure. To turn + it on, use the new PortForwarding option. + + o Major features (logging): + - Add a new 'Heartbeat' log message type to periodically log a message + describing Tor's status at level Notice. This feature is meant for + operators who log at notice, and want to make sure that their Tor + server is still working. Implementation by George Kadianakis. + - Make logging resolution configurable with a new LogTimeGranularity + option, and change the default from 1 millisecond to 1 second. + Implements enhancement 1668. + + o Major features (other): + - New "DisableNetwork" config option to prevent Tor from launching any + connections or accepting any connections except on a control port. + Bundles and controllers can set this option before letting Tor talk + to the rest of the network, for example to prevent any connections + to a non-bridge address. Packages like Orbot can also use this + option to instruct Tor to save power when the network is off. + - Try to use system facilities for enumerating local interface + addresses, before falling back to our old approach (which was + binding a UDP socket, and calling getsockname() on it). That + approach was scaring OS X users whose draconian firewall + software warned about binding to UDP sockets regardless of + whether packets were sent. Now we try to use getifaddrs(), + SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the + system supports. Resolves ticket 1827. + - Add experimental support for a "defaults" torrc file to be parsed + before the regular torrc. Torrc options override the defaults file's + options in the same way that the command line overrides the torrc. + The SAVECONF controller command saves only those options which + differ between the current configuration and the defaults file. HUP + reloads both files. Implements task 4552. + + o New directory authorities: + - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory + authority. Closes ticket 5749. + + o Security/privacy fixes: + - Avoid read-from-freed-memory and double-free bugs that could occur + when a DNS request fails while launching it. Fixes bug 6480; + bugfix on 0.2.0.1-alpha. + - Reject any attempt to extend to an internal address. Without + this fix, a router could be used to probe addresses on an internal + network to see whether they were accepting connections. Fixes bug + 6710; bugfix on 0.0.8pre1. + - Close any connection that sends unrecognized junk before the TLS + handshake. Solves an issue noted in bug 4369. + - The advertised platform of a relay now includes only its operating + system's name (e.g., "Linux", "Darwin", "Windows 7"), and not + its service pack level (for Windows) or its CPU architecture + (for Unix). Also drop the "git-XYZ" tag in the version. Packagers + can insert an extra string in the platform line by setting the + preprocessor variable TOR_BUILD_TAG. Resolves bug 2988. + - Disable TLS session tickets. OpenSSL's implementation was giving + our TLS session keys the lifetime of our TLS context objects, when + perfect forward secrecy would want us to discard anything that + could decrypt a link connection as soon as the link connection + was closed. Fixes bug 7139; bugfix on all versions of Tor linked + against OpenSSL 1.0.0 or later. Found by Florent Daignière. + - Tor tries to wipe potentially sensitive data after using it, so + that if some subsequent security failure exposes Tor's memory, + the damage will be limited. But we had a bug where the compiler + was eliminating these wipe operations when it decided that the + memory was no longer visible to a (correctly running) program, + hence defeating our attempt at defense in depth. We fix that + by using OpenSSL's OPENSSL_cleanse() operation, which a compiler + is unlikely to optimize away. Future versions of Tor may use + a less ridiculously heavy approach for this. Fixes bug 7352. + Reported in an article by Andrey Karpov. + + o Major bugfixes (crashes and asserts): + - Avoid a pair of double-free and use-after-mark bugs that can + occur with certain timings in canceled and re-received DNS + requests. Fixes bug 6472; bugfix on 0.0.7rc1. + - Fix a denial of service attack by which any directory authority + could crash all the others, or by which a single v2 directory + authority could crash everybody downloading v2 directory + information. Fixes bug 7191; bugfix on 0.2.0.10-alpha. + - Fix an assert that directory authorities could trigger on sighup + during some configuration state transitions. We now don't treat + it as a fatal error when the new descriptor we just generated in + init_keys() isn't accepted. Fixes bug 4438; bugfix on 0.2.1.9-alpha. + - Avoid segfault when starting up having run with an extremely old + version of Tor and parsing its state file. Fixes bug 6801; bugfix + on 0.2.2.23-alpha. + + o Major bugfixes (clients): + - If we are unable to find any exit that supports our predicted ports, + stop calling them predicted, so that we don't loop and build + hopeless circuits indefinitely. Fixes bug 3296; bugfix on 0.0.9pre6, + which introduced predicted ports. + - Check at each new consensus whether our entry guards were picked + long enough ago that we should rotate them. Previously, we only + did this check at startup, which could lead to us holding a guard + indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc. + - When fetching a bridge descriptor from a bridge authority, + always do so anonymously, whether we have been able to open + circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha. + This behavior makes it *safer* to use UpdateBridgesFromAuthority, + but we'll need to wait for bug 6010 before it's actually usable. + + o Major bugfixes (directory voting): + - Check more thoroughly to prevent a rogue authority from + double-voting on any consensus directory parameter. Previously, + authorities would crash in this case if the total number of + votes for any parameter exceeded the number of active voters, + but would let it pass otherwise. Partially fixes bug 5786; bugfix + on 0.2.2.2-alpha. + - When computing weight parameters, behave more robustly in the + presence of a bad bwweightscale value. Previously, the authorities + would crash if they agreed on a sufficiently broken weight_scale + value; now, they use a reasonable default and carry on. Fixes the + rest of bug 5786; bugfix on 0.2.2.17-alpha. + - If authorities are unable to get a v2 consensus document from other + directory authorities, they no longer fall back to fetching + them from regular directory caches. Fixes bug 5635; bugfix on + 0.2.2.26-beta, where routers stopped downloading v2 consensus + documents entirely. + + o Major bugfixes (relays): + - Fix a bug handling SENDME cells on nonexistent streams that could + result in bizarre window values. Report and patch contributed + pseudonymously. Fixes part of bug 6271. This bug was introduced + before the first Tor release, in svn commit r152. + - Don't update the AccountingSoftLimitHitAt state file entry whenever + tor gets started. This prevents a wrong average bandwidth + estimate, which would cause relays to always start a new accounting + interval at the earliest possible moment. Fixes bug 2003; bugfix + on 0.2.2.7-alpha. Reported by Bryon Eldridge, who also helped + immensely in tracking this bug down. + - Fix a possible crash bug when checking for deactivated circuits + in connection_or_flush_from_first_active_circuit(). Fixes bug 6341; + bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously. + - Set the SO_REUSEADDR socket option before we call bind() on outgoing + connections. This change should allow busy exit relays to stop + running out of available sockets as quickly. Fixes bug 4950; + bugfix on 0.2.2.26-beta. + + o Major bugfixes (blocking resistance): + - Bridges no longer include their address in NETINFO cells on outgoing + OR connections, to allow them to blend in better with clients. + Removes another avenue for enumerating bridges. Reported by + "troll_un". Fixes bug 4348; bugfix on 0.2.0.10-alpha, when NETINFO + cells were introduced. + - Warn the user when HTTPProxy, but no other proxy type, is + configured. This can cause surprising behavior: it doesn't send + all of Tor's traffic over the HTTPProxy -- it sends unencrypted + directory traffic only. Resolves ticket 4663. + + o Major bugfixes (hidden services): + - Improve hidden service robustness: when an attempt to connect to + a hidden service ends, be willing to refetch its hidden service + descriptors from each of the HSDir relays responsible for them + immediately. Previously, we would not consider refetching the + service's descriptors from each HSDir for 15 minutes after the last + fetch, which was inconvenient if the hidden service was not running + during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335. + - Hidden services now ignore the timestamps on INTRODUCE2 cells. + They used to check that the timestamp was within 30 minutes + of their system clock, so they could cap the size of their + replay-detection cache, but that approach unnecessarily refused + service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when + the v3 intro-point protocol (the first one which sent a timestamp + field in the INTRODUCE2 cell) was introduced; fixes bug 3460. + - When one of a hidden service's introduction points appears to be + unreachable, stop trying it. Previously, we would keep trying + to build circuits to the introduction point until we lost the + descriptor, usually because the user gave up and restarted Tor. + Fixes part of bug 3825. + + o Changes to default torrc file: + - Stop listing "socksport 9050" in torrc.sample. We open a socks + port on 9050 by default anyway, so this should not change anything + in practice. + - Stop mentioning the deprecated *ListenAddress options in + torrc.sample. Fixes bug 5438. + - Document unit of bandwidth-related options in sample torrc. + Fixes bug 5621. + - Fix broken URLs in the sample torrc file, and tell readers about + the OutboundBindAddress, ExitPolicyRejectPrivate, and + PublishServerDescriptor options. Addresses bug 4652. + + o Minor features (directory authorities): + - Consider new, removed or changed IPv6 OR ports a non-cosmetic + change when the authority is deciding whether to accept a newly + uploaded descriptor. Implements ticket 6423. + - Directory authorities are now a little more lenient at accepting + older router descriptors, or newer router descriptors that don't + make big changes. This should help ameliorate past and future + issues where routers think they have uploaded valid descriptors, + but the authorities don't think so. Fix for ticket 2479. + - Authority operators can now vote for all relays in a given + set of countries to be BadDir/BadExit/Invalid/Rejected. + - Provide two consensus parameters (FastFlagMinThreshold and + FastFlagMaxThreshold) to control the range of allowable bandwidths + for the Fast directory flag. These allow authorities to run + experiments on appropriate requirements for being a "Fast" node. + The AuthDirFastGuarantee config value still applies. Implements + ticket 3946. + + o Minor features (bridges / bridge authorities): + - Make bridge SSL certificates a bit more stealthy by using random + serial numbers, in the same fashion as OpenSSL when generating + self-signed certificates. Implements ticket 4584. + - Tag a bridge's descriptor as "never to be sent unencrypted". + This shouldn't matter, since bridges don't open non-anonymous + connections to the bridge authority and don't allow unencrypted + directory connections from clients, but we might as well make + sure. Closes bug 5139. + - The Bridge Authority now writes statistics on how many bridge + descriptors it gave out in total, and how many unique descriptors + it gave out. It also lists how often the most and least commonly + fetched descriptors were given out, as well as the median and + 25th/75th percentile. Implements tickets 4200 and 4294. + + o Minor features (IPv6): + - Make the code that clients use to detect an address change be + IPv6-aware, so that it won't fill clients' logs with error + messages when trying to get the IPv4 address of an IPv6 + connection. Implements ticket 5537. + - Relays now understand an IPv6 address when they get one from a + directory server. Resolves ticket 4875. + + o Minor features (hidden services): + - Expire old or over-used hidden service introduction points. + Required by fix for bug 3460. + - Reduce the lifetime of elements of hidden services' Diffie-Hellman + public key replay-detection cache from 60 minutes to 5 minutes. This + replay-detection cache is now used only to detect multiple + INTRODUCE2 cells specifying the same rendezvous point, so we can + avoid launching multiple simultaneous attempts to connect to it. + - When a hidden service's introduction point times out, consider + trying it again during the next attempt to connect to the + HS. Previously, we would not try it again unless a newly fetched + descriptor contained it. Required by fixes for bugs 1297 and 3825. + + o Minor features (relays): + - Relays now include a reason for regenerating their descriptors + in an HTTP header when uploading to the authorities. This will + make it easier to debug descriptor-upload issues in the future. + - Turn on directory request statistics by default and include them in + extra-info descriptors. Don't break if we have no GeoIP database. + - Replace files in stats/ rather than appending to them. Now that we + include statistics in extra-info descriptors, it makes no sense to + keep old statistics forever. Implements ticket 2930. + - Relays that set "ConnDirectionStatistics 1" write statistics on the + bidirectional use of connections to disk every 24 hours. + - Add a GeoIP file digest to the extra-info descriptor. Implements + ticket 1883. + + o Minor features (new config options): + - New config option "DynamicDHGroups" (disabled by default) provides + each bridge with a unique prime DH modulus to be used during + SSL handshakes. This option attempts to help against censors + who might use the Apache DH modulus as a static identifier for + bridges. Addresses ticket 4548. + - New config option "DisableDebuggerAttachment" (on by default) + to prevent basic debugging attachment attempts by other processes. + Supports Mac OS X and Gnu/Linux. Resolves ticket 3313. + - Ordinarily, Tor does not count traffic from private addresses (like + 127.0.0.1 or 10.0.0.1) when calculating rate limits or accounting. + There is now a new option, CountPrivateBandwidth, to disable this + behavior. Patch from Daniel Cagara. + + o Minor features (different behavior for old config options): + - Allow MapAddress directives to specify matches against super-domains, + as in "MapAddress *.torproject.org *.torproject.org.torserver.exit". + Implements issue 933. + - Don't disable the DirPort when we cannot exceed our AccountingMax + limit during this interval because the effective bandwidthrate is + low enough. This is useful in a situation where AccountMax is only + used as an additional safeguard or to provide statistics. + - Add port 6523 (Gobby) to LongLivedPorts. Patch by intrigeri; + implements ticket 3439. + - When configuring a large set of nodes in EntryNodes, and there are + enough of them listed as Guard so that we don't need to consider + the non-guard entries, prefer the ones listed with the Guard flag. + - If you set the NumCPUs option to 0, Tor will now try to detect how + many CPUs you have. This is the new default behavior. + - The NodeFamily option -- which let you declare that you want to + consider nodes to be part of a family whether they list themselves + that way or not -- now allows IP address ranges and country codes. + + o Minor features (new command-line config behavior): + - Slightly change behavior of "list" options (that is, config + options that can appear more than once) when they appear both in + torrc and on the command line. Previously, the command-line options + would be appended to the ones from torrc. Now, the command-line + options override the torrc options entirely. This new behavior + allows the user to override list options (like exit policies and + ports to listen on) from the command line, rather than simply + appending to the list. + - You can get the old (appending) command-line behavior for "list" + options by prefixing the option name with a "+". + - You can remove all the values for a "list" option from the command + line without adding any new ones by prefixing the option name + with a "/". + + o Minor features (controller, new events): + - Extend the control protocol to report flags that control a circuit's + path selection in CIRC events and in replies to 'GETINFO + circuit-status'. Implements part of ticket 2411. + - Extend the control protocol to report the hidden service address + and current state of a hidden-service-related circuit in CIRC + events and in replies to 'GETINFO circuit-status'. Implements part + of ticket 2411. + - Include the creation time of a circuit in CIRC and CIRC2 + control-port events and the list produced by the 'GETINFO + circuit-status' control-port command. + - Add a new CONF_CHANGED event so that controllers can be notified + of any configuration changes made by other controllers, or by the + user. Implements ticket 1692. + - Add a new SIGNAL event to the controller interface so that + controllers can be notified when Tor handles a signal. Resolves + issue 1955. Patch by John Brooks. + + o Minor features (controller, new getinfo options): + - Expose our view of whether we have gone dormant to the controller, + via a new "GETINFO dormant" value. Torbutton and other controllers + can use this to avoid doing periodic requests through Tor while + it's dormant (bug 4718). Resolves ticket 5954. + - Add a new GETINFO option to get total bytes read and written. Patch + from pipe, revised by atagar. Resolves ticket 2345. + - Implement new GETINFO controller fields to provide information about + the Tor process's pid, euid, username, and resource limits. + + o Minor features (controller, other): + - Allow controllers to request an event notification whenever a + circuit is cannibalized or its purpose is changed. Implements + part of ticket 3457. + - Use absolute path names when reporting the torrc filename in the + control protocol, so a controller can more easily find the torrc + file. Resolves bug 1101. + - When reporting the path to the cookie file to the controller, + give an absolute path. Resolves ticket 4881. + + o Minor features (log messages): + - Add more information to a log statement that might help track down + bug 4091. If you're seeing "Bug: tor_addr_is_internal() called with a + non-IP address" messages (or any Bug messages, for that matter!), + please let us know about it. + - If EntryNodes are given, but UseEntryGuards is set to 0, warn that + EntryNodes will have no effect. Resolves issue 2571. + - Try to make the introductory warning message that Tor prints on + startup more useful for actually finding help and information. + Resolves ticket 2474. + - When the system call to create a listener socket fails, log the + error message explaining why. This may help diagnose bug 4027. + + o Minor features (other): + - When we fail to initialize Libevent, retry with IOCP disabled so we + don't need to turn on multi-threading support in Libevent, which in + turn requires a working socketpair(). This is a workaround for bug + 4457, which affects Libevent versions from 2.0.1-alpha through + 2.0.15-stable. + - When starting as root and then changing our UID via the User + control option, and we have a ControlSocket configured, make sure + that the ControlSocket is owned by the same account that Tor will + run under. Implements ticket 3421; fix by Jérémy Bobbio. + - Accept attempts to include a password authenticator in the + handshake, as supported by SOCKS5. This handles SOCKS clients that + don't know how to omit a password when authenticating. Resolves + bug 1666. + - Check for and recover from inconsistency in the microdescriptor + cache. This will make it harder for us to accidentally free a + microdescriptor without removing it from the appropriate data + structures. Fixes issue 3135; issue noted by "wanoskarnet". + - Shorten links in the tor-exit-notice file. Patch by Christian Kujau. + + o Minor bugfixes (code security): + - Prevent a null-pointer dereference when receiving a data cell + for a nonexistent stream when the circuit in question has an + empty deliver window. We don't believe this is triggerable, + since we don't currently allow deliver windows to become empty, + but the logic is tricky enough that it's better to make the code + robust. Fixes bug 5541; bugfix on 0.0.2pre14. + - Fix a (harmless) integer overflow in cell statistics reported by + some fast relays. Fixes bug 5849; bugfix on 0.2.2.1-alpha. + - Fix our implementation of crypto_random_hostname() so it can't + overflow on ridiculously large inputs. (No Tor version has ever + provided this kind of bad inputs, but let's be correct in depth.) + Fixes bug 4413; bugfix on 0.2.2.9-alpha. Fix by Stephen Palmateer. + - Add a (probably redundant) memory clear between iterations of + the router status voting loop, to prevent future coding errors + where data might leak between iterations of the loop. Resolves + ticket 6514. + + o Minor bugfixes (wrapper functions): + - Abort if tor_vasprintf() fails in connection_printf_to_buf() (a + utility function used in the control-port code). This shouldn't + ever happen unless Tor is completely out of memory, but if it did + happen and Tor somehow recovered from it, Tor could have sent a log + message to a control port in the middle of a reply to a controller + command. Fixes part of bug 3428; bugfix on 0.1.2.3-alpha. + - Fix some (not actually triggerable) buffer size checks in usage of + tor_inet_ntop(). Fixes bug 4434; bugfix on Tor 0.2.0.1-alpha. Patch + by Anders Sundman. + - Fix parsing of some corner-cases with tor_inet_pton(). Fixes + bug 4515; bugfix on 0.2.0.1-alpha; fix by Anders Sundman. + - Enforce correct return behavior of tor_vsscanf() when the '%%' + pattern is used. Fixes bug 5558. Bugfix on 0.2.1.13. + - Make our replacement implementation of strtok_r() compatible with + the standard behavior of strtok_r(). Patch by nils. Fixes bug 5091; + bugfix on 0.2.2.1-alpha. + - Find more places in the code that should have been testing for + invalid sockets using the SOCKET_OK macro. Required for a fix + for bug 4533. Bugfix on 0.2.2.28-beta. + + o Minor bugfixes (code correctness): + - Check return value of fputs() when writing authority certificate + file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha. + - When building Tor on Windows with -DUNICODE (not default), ensure + that error messages, filenames, and DNS server names are always + NUL-terminated when we convert them to a single-byte encoding. + Fixes bug 5909; bugfix on 0.2.2.16-alpha. + - Fix a memory leak when trying to launch a DNS request when the + nameservers are unconfigurable. Fixes bug 5916; bugfix on Tor + 0.1.2.1-alpha. + - Correct file sizes when reading binary files on Cygwin, to avoid + a bug where Tor would fail to read its state file. Fixes bug 6844; + bugfix on 0.1.2.7-alpha. + - Make sure to set *socket_error in all error cases in + connection_connect(), so it can't produce a warning about + errno being zero from errno_to_orconn_end_reason(). Bugfix on + 0.2.1.1-alpha; resolves ticket 6028. + - Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes + bug 4532; found by "troll_un". + + o Minor bugfixes (clients): + - Allow one-hop directory-fetching circuits the full "circuit build + timeout" period, rather than just half of it, before failing them + and marking the relay down. This fix should help reduce cases where + clients declare relays (or worse, bridges) unreachable because + the TLS handshake takes a few seconds to complete. Fixes bug 6743; + bugfix on 0.2.2.2-alpha, where we changed the timeout from a static + 30 seconds. + - Ensure we don't cannibalize circuits that are longer than three hops + already, so we don't end up making circuits with 5 or more + hops. Patch contributed by wanoskarnet. Fixes bug 5231; bugfix on + 0.1.0.1-rc which introduced cannibalization. + + o Minor bugfixes (relays): + - Don't publish a new relay descriptor when we reload our onion key, + unless the onion key has actually changed. Fixes bug 3263 and + resolves another cause of bug 1810. Bugfix on 0.1.1.11-alpha. + - When relays refuse a "create" cell because their queue of pending + create cells is too big (typically because their cpu can't keep up + with the arrival rate), send back reason "resource limit" rather + than reason "internal", so network measurement scripts can get a + more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037. + - Exit nodes don't need to fetch certificates for authorities that + they don't recognize; only directory authorities, bridges, + and caches need to do that. Fixes part of bug 2297; bugfix on + 0.2.2.11-alpha. + + o Minor bugfixes (directory authority / mirrors): + - Avoid O(n^2) performance characteristics when parsing a large + extrainfo cache. Fixes bug 5828; bugfix on 0.2.0.1-alpha. + - Authorities no longer include any router in their microdescriptor + consensuses for which they couldn't generate or agree on a + microdescriptor. Fixes the second piece of bug 6404; fix on + 0.2.2.6-alpha. + - When checking for requested signatures on the latest consensus + before serving it to a client, make sure to check the right + consensus flavor. Bugfix on 0.2.2.6-alpha. + - Fix an edge case where TestingTorNetwork is set but the authorities + and relays all have an uptime of zero, so the private Tor network + could briefly lack support for hidden services. Fixes bug 3886; + bugfix on 0.2.2.18-alpha. + - Directory caches no longer refuse to clean out descriptors because + of missing v2 networkstatus documents, unless they're configured + to retrieve v2 networkstatus documents. Fixes bug 4838; bugfix on + 0.2.2.26-beta. Patch by Daniel Bryg. + - Don't serve or accept v2 hidden service descriptors over a relay's + DirPort. It's never correct to do so, and disabling it might + make it more annoying to exploit any bugs that turn up in the + descriptor-parsing code. Fixes bug 7149. + + o Minor bugfixes (hidden services, client-side): + - Assert that hidden-service-related operations are not performed + using single-hop circuits. Previously, Tor would assert that + client-side streams are not attached to single-hop circuits, + but not that other sensitive operations on the client and service + side are not performed using single-hop circuits. Fixes bug 3332; + bugfix on 0.0.6. + - Avoid undefined behaviour when parsing the list of supported + rendezvous/introduction protocols in a hidden service descriptor. + Previously, Tor would have confused (as-yet-unused) protocol version + numbers greater than 32 with lower ones on many platforms. Fixes + bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis. + - Don't close hidden service client circuits which have almost + finished connecting to their destination when they reach + the normal circuit-build timeout. Previously, we would close + introduction circuits which are waiting for an acknowledgement + from the introduction point, and rendezvous circuits which have + been specified in an INTRODUCE1 cell sent to a hidden service, + after the normal CBT. Now, we mark them as 'timed out', and launch + another rendezvous attempt in parallel. This behavior change can + be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout + option. Fixes part of bug 1297; bugfix on 0.2.2.2-alpha. + + o Minor bugfixes (hidden services, service-side): + - Don't close hidden-service-side rendezvous circuits when they + reach the normal circuit-build timeout. This behaviour change can + be disabled using the new + CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the + remaining part of bug 1297; bugfix on 0.2.2.2-alpha. + - Don't launch more than 10 service-side introduction-point circuits + for a hidden service in five minutes. Previously, we would consider + launching more introduction-point circuits if at least one second + had passed without any introduction-point circuits failing. Fixes + bug 4607; bugfix on 0.0.7pre1. + + o Minor bugfixes (config option behavior): + - If the user tries to set MyFamily on a bridge, refuse to + do so, and warn about the security implications. Fixes bug 4657; + bugfix on 0.2.0.3-alpha. + - The "--quiet" and "--hush" options now apply not only to Tor's + behavior before logs are configured, but also to Tor's behavior in + the absense of configured logs. Fixes bug 3550; bugfix on + 0.2.0.10-alpha. + - Change the AllowDotExit rules so they should actually work. + We now enforce AllowDotExit only immediately after receiving an + address via SOCKS or DNSPort: other sources are free to provide + .exit addresses after the resolution occurs. Fixes bug 3940; + bugfix on 0.2.2.1-alpha. + - Make "LearnCircuitBuildTimeout 0" work more reliably. Specifically, + don't depend on the consensus parameters or compute adaptive + timeouts when it is disabled. Fixes bug 5049; bugfix on + 0.2.2.14-alpha. + - After we pick a directory mirror, we would refuse to use it if + it's in our ExcludeExitNodes list, resulting in mysterious failures + to bootstrap for people who just wanted to avoid exiting from + certain locations. Fixes bug 5623; bugfix on 0.2.2.25-alpha. + - When told to add a bridge with the same digest as a preexisting + bridge but a different addr:port, change the addr:port as + requested. Previously we would not notice the change. Fixes half + of bug 5603; fix on 0.2.2.26-beta. + + o Minor bugfixes (controller): + - Allow manual 'authenticate' commands to the controller interface + from netcat (nc) as well as telnet. We were rejecting them because + they didn't come with the expected whitespace at the end of the + command. Bugfix on 0.1.1.1-alpha; fixes bug 2893. + - Report a real bootstrap problem to the controller on router + identity mismatch. Previously we just said "foo", which probably + made a lot of sense at the time. Fixes bug 4169; bugfix on + 0.2.1.1-alpha. + - When we receive a SIGHUP and the controller __ReloadTorrcOnSIGHUP + option is set to 0 (which Vidalia version 0.2.16 now does when + a SAVECONF attempt fails), perform other actions that SIGHUP + usually causes (like reopening the logs). Fixes bug 5095; bugfix + on 0.2.1.9-alpha. + - Correctly handle checking the permissions on the parent + directory of a control socket in the root directory. Bug found + by Esteban Manchado Velázquez. Fixes bug 5089; bugfix on Tor + 0.2.2.26-beta. + - End AUTHCHALLENGE error messages (in the control protocol) with + a CRLF. Fixes bug 5760; bugfix on 0.2.2.36. + + o Minor bugfixes (network reading/writing): + - Disable writing on marked-for-close connections when they are + blocked on bandwidth, to prevent busy-looping in Libevent. Fixes + bug 5263; bugfix on 0.0.2pre13, where we first added a special + case for flushing marked connections. + - Make sure that there are no unhandled pending TLS errors before + reading from a TLS stream. We had checks in 0.1.0.3-rc, but + lost them in 0.1.0.5-rc when we refactored read_to_buf_tls(). + Bugfix on 0.1.0.5-rc; fixes bug 4528. + - Detect SSL handshake even when the initial attempt to write the + server hello fails. Fixes bug 4592; bugfix on 0.2.0.13-alpha. + - If the client fails to set a reasonable set of ciphersuites + during its v2 handshake renegotiation, allow the renegotiation to + continue nevertheless (i.e. send all the required certificates). + Fixes bug 4591; bugfix on 0.2.0.20-rc. + + o Minor bugfixes (other): + - Exit nodes now correctly report EADDRINUSE and EADDRNOTAVAIL as + resource exhaustion, so that clients can adjust their load to + try other exits. Fixes bug 4710; bugfix on 0.1.0.1-rc, which + started using END_STREAM_REASON_RESOURCELIMIT. + - Don't check for whether the address we're using for outbound + connections has changed until after the outbound connection has + completed. On Windows, getsockname() doesn't succeed until the + connection is finished. Fixes bug 5374; bugfix on 0.1.1.14-alpha. + - Don't hold a Windows file handle open for every file mapping; + the file mapping handle is sufficient. Fixes bug 5951; bugfix on + 0.1.2.1-alpha. + - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218; + bugfix on 0.2.1.10-alpha. + - If we fail to write a microdescriptor to the disk cache, do not + continue replacing the old microdescriptor file. Fixes bug 2954; + bugfix on 0.2.2.6-alpha. + + o Minor bugfixes (log messages, path selection): + - Downgrade "set buildtimeout to low value" messages to "info" + severity; they were never an actual problem, there was never + anything reasonable to do about them, and they tended to spam logs + from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha. + - Rate-limit the "Weighted bandwidth is 0.000000" message, and add + more information to it, so that we can track it down in case it + returns again. Mitigates bug 5235. + - Check CircuitBuildTimeout and LearnCircuitBuildTimeout in + options_validate(); warn if LearnCircuitBuildTimeout is disabled and + CircuitBuildTimeout is set unreasonably low. Resolves ticket 5452. + - Issue a log message if a guard completes less than 40% of your + circuits. Threshold is configurable by torrc option + PathBiasNoticeRate and consensus parameter pb_noticepct. There is + additional, off-by-default code to disable guards which fail too + many circuits. Addresses ticket 5458. + + o Minor bugfixes (log messages, client): + - Downgrade "Got a certificate, but we already have it" log messages + from warning to info, except when we're a dirauth. Fixes bug 5238; + bugfix on 0.2.1.7-alpha. + - Fix the log message describing how we work around discovering + that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug + 4837; bugfix on 0.2.2.9-alpha. + - When logging about a disallowed .exit name, do not also call it + an "invalid onion address". Fixes bug 3325; bugfix on 0.2.2.9-alpha. + - Fix a log message suggesting that people contact a non-existent + email address. Fixes bug 3448. + - Rephrase the log message emitted if the TestSocks check is + successful. Patch from Fabian Keil; fixes bug 4094. + - Log (at debug level) whenever a circuit's purpose is changed. + - Log SSL state transitions at log level DEBUG, log domain + HANDSHAKE. This can be useful for debugging censorship events. + Implements ticket 3264. + - We now log which torrc file we're using on startup. Implements + ticket 2444. + - Rate-limit log messages when asked to connect anonymously to + a private address. When these hit, they tended to hit fast and + often. Also, don't bother trying to connect to addresses that we + are sure will resolve to 127.0.0.1: getting 127.0.0.1 in a directory + reply makes us think we have been lied to, even when the address the + client tried to connect to was "localhost." Resolves ticket 2822. + + o Minor bugfixes (log messages, non-client): + - Downgrade "eventdns rejected address" message to LOG_PROTOCOL_WARN. + Fixes bug 5932; bugfix on 0.2.2.7-alpha. + - Don't log that we have "decided to publish new relay descriptor" + unless we are actually publishing a descriptor. Fixes bug 3942; + bugfix on 0.2.2.28-beta. + - Log which authority we're missing votes from when we go to fetch + them from the other auths. + - Replace "Sending publish request" log messages with "Launching + upload", so that they no longer confusingly imply that we're + sending something to a directory we might not even be connected + to yet. Fixes bug 3311; bugfix on 0.2.0.10-alpha. + - Warn when Tor is configured to use accounting in a way that can + link a hidden service to some other hidden service or public + address. Resolves ticket 6490. + - Fix a minor formatting issue in one of tor-gencert's error messages. + Fixes bug 4574. + + o Testing: + - Update to the latest version of the tinytest unit testing framework. + This includes a couple of bugfixes that can be relevant for + running forked unit tests on Windows, and removes all reserved + identifiers. + - Avoid a false positive in the util/threads unit test by increasing + the maximum timeout time. Fixes bug 6227; bugfix on 0.2.0.4-alpha. + - Make it possible to set the TestingTorNetwork configuration + option using AlternateDirAuthority and AlternateBridgeAuthority + as an alternative to setting DirServer. Addresses ticket 6377. + - Add a unit test for the environment_variable_names_equal() function. + - A wide variety of new unit tests by Esteban Manchado Velázquez. + - Numerous new unit tests for functions in util.c and address.c by + Anders Sundman. + - The long-disabled benchmark tests are now split into their own + ./src/test/bench binary. + - The benchmark tests can now use more accurate timers than + gettimeofday() when such timers are available. + - Use tt_assert(), not tor_assert(), for checking for test failures. + This makes the unit tests more able to go on in the event that + one of them fails. + + o Build improvements: + - Use the dead_strip option when building Tor on OS X. This reduces + binary size by almost 19% when linking openssl and libevent + statically, which we do for Tor Browser Bundle. + - Provide a better error message about possible OSX Asciidoc failure + reasons. Fixes bug 6436. + - Detect attempts to build Tor on (as yet hypothetical) versions + of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial + fix for bug 4533. Bugfix on 0.2.2.28-beta. + - On Windows, we now define the _WIN32_WINNT macros only if they + are not already defined. This lets the person building Tor decide, + if they want, to require a later version of Windows. + - Our autogen.sh script now uses autoreconf to launch autoconf, + automake, and so on. This is more robust against some of the failure + modes associated with running the autotools pieces on their own. + - Running "make version" now displays the version of Tor that + we're about to build. Idea from katmagic; resolves issue 4400. + - Make 'tor --digests' list hashes of all Tor source files. Bugfix + on 0.2.2.4-alpha; fixes bug 3427. + - New --enable-static-tor configure option for building Tor as + statically as possible. Idea, general hackery and thoughts from + Alexei Czeskis, John Gilmore, Jacob Appelbaum. Implements ticket + 2702. + - Limited, experimental support for building with nmake and MSVC. + + o Build requirements: + - Building Tor with bufferevent support now requires Libevent + 2.0.13-stable or later. Previous versions of Libevent had bugs in + SSL-related bufferevents and related issues that would make Tor + work badly with bufferevents. Requiring 2.0.13-stable also allows + Tor with bufferevents to take advantage of Libevent APIs + introduced after 2.0.8-rc. + - Our build system requires automake 1.6 or later to create the + Makefile.in files. Previously, you could have used 1.4. + This only affects developers and people building Tor from git; + people who build Tor from the source distribution without changing + the Makefile.am files should be fine. + - Detect when we try to build on a platform that doesn't define + AF_UNSPEC to 0. We don't work there, so refuse to compile. + + o Build fixes (compile/link): + - Format more doubles with %f, not %lf. Patch from grarpamp to make + Tor build correctly on older BSDs again. Fixes bug 3894; bugfix on + Tor 0.2.0.8-alpha. + - When building with --enable-static-tor on OpenBSD, do not + erroneously attempt to link -lrt. Fixes bug 5103. + - Set _WIN32_WINNT to 0x0501 consistently throughout the code, so + that IPv6 stuff will compile on MSVC, and compilation issues + will be easier to track down. Fixes bug 5861. + - Fix build and 64-bit compile warnings from --enable-openbsd-malloc. + Fixes bug 6379. Bugfix on 0.2.0.20-rc. + - Make Tor build correctly again with -DUNICODE -D_UNICODE defined. + Fixes bug 6097; bugfix on 0.2.2.16-alpha. + + o Build fixes (other): + - Use the _WIN32 macro throughout our code to detect Windows. + (Previously we had used the obsolete 'WIN32' and the idiosyncratic + 'MS_WINDOWS'.) + - Properly handle the case where the build-tree is not the same + as the source tree when generating src/common/common_sha1.i, + src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953; + bugfix on 0.2.0.1-alpha. + - During configure, search for library containing cos function as + libm lives in libcore on some platforms (BeOS/Haiku). Linking + against libm was hard-coded before. Fixes the first part of bug + 4727; bugfix on 0.2.2.2-alpha. Patch and analysis by Martin Hebnes + Pedersen. + - Prevent a false positive from the check-spaces script, by disabling + the "whitespace between function name and (" check for functions + named 'op()'. + + o Packaging (RPM) changes: + - Update our default RPM spec files to work with mock and rpmbuild + on RHEL/Fedora. They have an updated set of dependencies and + conflicts, a fix for an ancient typo when creating the "_tor" + user, and better instructions. Thanks to Ondrej Mikle for the + patch series. Fixes bug 6043. + - On OpenSUSE, create the /var/run/tor directory on startup if it + is not already created. Patch from Andreas Stieger. Fixes bug 2573. + + o Code refactoring (safety): + - Do not use SMARTLIST_FOREACH for any loop whose body exceeds + 10 lines. Also, don't nest them. Doing so in the past has + led to hard-to-debug code. The new style is to use the + SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400. + - Use macros to indicate OpenSSL versions, so we don't need to worry + about accidental hexadecimal bit shifts. + - Use tor_sscanf() in place of scanf() in more places through the + code. This makes us a little more locale-independent, and + should help shut up code-analysis tools that can't tell + a safe sscanf string from a dangerous one. + - Convert more instances of tor_snprintf+tor_strdup into tor_asprintf. + - Use the smartlist_add_asprintf() alias more consistently. + + o Code refactoring (consolidate): + - A major revision to our internal node-selecting and listing logic. + Tor already had at least two major ways to look at the question of + "which Tor servers do we know about": a list of router descriptors, + and a list of entries in the current consensus. With + microdescriptors, we're adding a third. Having so many systems + without an abstraction layer over them was hurting the codebase. + Now, we have a new "node_t" abstraction that presents a consistent + interface to a client's view of a Tor node, and holds (nearly) all + of the mutable state formerly in routerinfo_t and routerstatus_t. + - Move tor_gettimeofday_cached() into compat_libevent.c, and use + Libevent's notion of cached time when possible. + - Remove duplicate code for invoking getrlimit() from control.c. + - Use OpenSSL's built-in SSL_state_string_long() instead of our + own homebrewed ssl_state_to_string() replacement. Patch from + Emile Snyder. Fixes bug 4653. + - Change the symmetric cipher interface so that creating and + initializing a stream cipher are no longer separate functions. + + o Code refactoring (separate): + - Make a new "entry connection" struct as an internal subtype of "edge + connection", to simplify the code and make exit connections smaller. + - Split connection_about_to_close() into separate functions for each + connection type. + - Rewrite the listener-selection logic so that parsing which ports + we want to listen on is now separate from binding to the ports + we want. + + o Code refactoring (name changes): + - Rename a handful of old identifiers, mostly related to crypto + structures and crypto functions. By convention, our "create an + object" functions are called "type_new()", our "free an object" + functions are called "type_free()", and our types indicate that + they are types only with a final "_t". But a handful of older + types and functions broke these rules, with function names like + "type_create" or "subsystem_op_type", or with type names like + type_env_t. + - Rename Tor functions that turn strings into addresses, so that + "parse" indicates that no hostname resolution occurs, and + "lookup" indicates that hostname resolution may occur. This + should help prevent mistakes in the future. Fixes bug 3512. + - Use the name "CERTS" consistently to refer to the new cell type; + we were calling it CERT in some places and CERTS in others. + - Use a TOR_INVALID_SOCKET macro when initializing a socket to an + invalid value, rather than just -1. + - Rename the bench_{aes,dmap} functions to test_*, so that tinytest + can pick them up when the tests aren't disabled. Bugfix on + 0.2.2.4-alpha which introduced tinytest. + + o Code refactoring (other): + - Defensively refactor rend_mid_rendezvous() so that protocol + violations and length checks happen in the beginning. Fixes + bug 5645. + - Remove the pure attribute from all functions that used it + previously. In many cases we assigned it incorrectly, because the + functions might assert or call impure functions, and we don't have + evidence that keeping the pure attribute is worthwhile. Implements + changes suggested in ticket 4421. + - Move the replay-detection cache for the RSA-encrypted parts of + INTRODUCE2 cells to the introduction point data structures. + Previously, we would use one replay-detection cache per hidden + service. Required by fix for bug 3460. + - The helper programs tor-gencert, tor-resolve, and tor-checkkey + no longer link against Libevent: they never used it, but + our library structure used to force them to link it. + + o Removed features and files: + - Remove all internal support for unpadded RSA. We never used it, and + it would be a bad idea to start. + - Remove some workaround code for OpenSSL 0.9.6 (which is no longer + supported). + - Remove some redundant #include directives throughout the code. + Patch from Andrea Gelmini. + - Remove some old code to remember statistics about which descriptors + we've served as a directory mirror. The feature wasn't used and + is outdated now that microdescriptors are around. + - Remove some old code to work around even older versions of Tor that + used forked processes to handle DNS requests. Such versions of Tor + are no longer in use as relays. + - The "torify" script no longer supports the "tsocks" socksifier + tool, since tsocks doesn't support DNS and UDP right for Tor. + Everyone should be using torsocks instead. Fixes bugs 3530 and + 5180. Based on a patch by "ugh". + - Remove the torrc.bridge file: we don't use it for anything, and + it had become badly desynchronized from torrc.sample. Resolves + bug 5622. + + o Documentation: + - Begin a doc/state-contents.txt file to explain the contents of + the Tor state file. Fixes bug 2987. + - Clarify the documentation for the Alternate*Authority options. + Fixes bug 6387. + - Document the --defaults-torrc option, and the new semantics for + overriding, extending, and clearing lists of options. Closes + bug 4748. + - Add missing man page documentation for consensus and microdesc + files. Resolves ticket 6732. + - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500. + + o Documentation fixes: + - Improve the manual's documentation for the NT Service command-line + options. Addresses ticket 3964. + - Clarify SessionGroup documentation slightly; resolves ticket 5437. + - Document the changes to the ORPort and DirPort options, and the + fact that {OR/Dir}ListenAddress is now unnecessary (and + therefore deprecated). Resolves ticket 5597. + - Correct a broken faq link in the INSTALL file. Fixes bug 2307. + - Clarify that hidden services are TCP only. Fixes bug 6024. + + +Changes in version 0.2.2.39 - 2012-09-11 + Tor 0.2.2.39 fixes two more opportunities for remotely triggerable + assertions. + + o Security fixes: + - Fix an assertion failure in tor_timegm() that could be triggered + by a badly formatted directory object. Bug found by fuzzing with + Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc. + - Do not crash when comparing an address with port value 0 to an + address policy. This bug could have been used to cause a remote + assertion failure by or against directory authorities, or to + allow some applications to crash clients. Fixes bug 6690; bugfix + on 0.2.1.10-alpha. + + +Changes in version 0.2.2.38 - 2012-08-12 + Tor 0.2.2.38 fixes a remotely triggerable crash bug, and fixes a timing + attack that could in theory leak path information. + + o Security fixes: + - Avoid an uninitialized memory read when reading a vote or consensus + document that has an unrecognized flavor name. This read could + lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha. + - Try to leak less information about what relays a client is + choosing to a side-channel attacker. Previously, a Tor client would + stop iterating through the list of available relays as soon as it + had chosen one, thus finishing a little earlier when it picked + a router earlier in the list. If an attacker can recover this + timing information (nontrivial but not proven to be impossible), + they could learn some coarse-grained information about which relays + a client was picking (middle nodes in particular are likelier to + be affected than exits). The timing attack might be mitigated by + other factors (see bug 6537 for some discussion), but it's best + not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1. + + Changes in version 0.2.2.37 - 2012-06-06 Tor 0.2.2.37 introduces a workaround for a critical renegotiation bug in OpenSSL 1.0.1 (where 20% of the Tor network can't talk to itself diff --git a/changes/bug6024 b/changes/bug6024 deleted file mode 100644 index 743e6ef1fe..0000000000 --- a/changes/bug6024 +++ /dev/null @@ -1,2 +0,0 @@ - o Documentation fixes: - - Clarify that hidden services are TCP only. Fixes bug 6024. diff --git a/changes/bug6043 b/changes/bug6043 deleted file mode 100644 index b88bafb788..0000000000 --- a/changes/bug6043 +++ /dev/null @@ -1,6 +0,0 @@ - o Packaging (RPM): - - Our default RPM spec files have been updated to work with mock - and rpmbuild on RHEL/Fedora. They have an updated set of - dependencies and conflicts, a fix for an ancient typo when creating - the "_tor" user, and better instructions. Thanks to Ondrej - Mikle for the patch series; fix for bug 6043. diff --git a/changes/bug6218 b/changes/bug6218 deleted file mode 100644 index 5d5d108b00..0000000000 --- a/changes/bug6218 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218; - bugfix on 0.2.1.10-alpha. diff --git a/changes/bug6244_part_c b/changes/bug6244_part_c deleted file mode 100644 index dea6e7b69e..0000000000 --- a/changes/bug6244_part_c +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (controller): - - Make wildcarded addresses (that is, ones beginning with *.) work when - provided via the controller's MapAddress command. Previously, they - were accepted, but we never actually noticed that they were wildcards. - Fix for bug 6244; bugfix on 0.2.3.9-alpha. - diff --git a/changes/bug6251 b/changes/bug6251 deleted file mode 100644 index c782a93e49..0000000000 --- a/changes/bug6251 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Downgrade "set buildtimeout to low value" messages to INFO - severity; they were never an actual problem, there was never - anything reasonable to do about them, and they tended to spam - logs from time to time. Fix for bug 6251; bugfix on - 0.2.2.2-alpha.
\ No newline at end of file diff --git a/changes/bug6252_again b/changes/bug6252_again deleted file mode 100644 index f7fd00cb38..0000000000 --- a/changes/bug6252_again +++ /dev/null @@ -1,11 +0,0 @@ - o Security fixes: - - Tear down the circuit if we get an unexpected SENDME cell. Clients - could use this trick to make their circuits receive cells faster - than our flow control would have allowed, or to gum up the network, - or possibly to do targeted memory denial-of-service attacks on - entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor -- - from July 2002, before the release of Tor 0.0.0. We had committed - this patch previously, but we had to revert it because of bug 6271. - Now that 6271 is fixed, this appears to work. - - diff --git a/changes/bug6271 b/changes/bug6271 deleted file mode 100644 index 06b129f73f..0000000000 --- a/changes/bug6271 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes - - - Fix a bug handling SENDME cells on nonexistent streams that - could result in bizarre window values. Report and patch - contributed pseudymously. Fixes part of bug 6271. This bug - was introduced before the first Tor release, in svn commit - r152. diff --git a/changes/bug6274 b/changes/bug6274 deleted file mode 100644 index ad1abcde54..0000000000 --- a/changes/bug6274 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Ignore ServerTransportPlugin lines when Tor is not configured as - a relay. Fixes bug 6274; bugfix on 0.2.3.6-alpha. diff --git a/changes/bug6274_2 b/changes/bug6274_2 deleted file mode 100644 index 89576f9328..0000000000 --- a/changes/bug6274_2 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Terminate active server managed proxies if Tor stops being a - relay. Addresses parts of bug 6274; bugfix on 0.2.3.6-alpha. diff --git a/changes/bug6296 b/changes/bug6296 deleted file mode 100644 index b452b1745d..0000000000 --- a/changes/bug6296 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - - Instead of ENOBUFS on Windows, say WSAENOBUFS. Fixes - compilation on Windows. Fixes bug 6296; bugfix on 0.2.3.18-rc. diff --git a/changes/bug6341 b/changes/bug6341 deleted file mode 100644 index 04e52c7cd3..0000000000 --- a/changes/bug6341 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Fix a possible crash bug when checking for deactivated circuits - in connection_or_flush_from_first_active_circuit(). Fixes bug - 6341; bugfix on 0.2.2.7-alpha. Bug report and fix received - pseudonymously. diff --git a/changes/bug6377 b/changes/bug6377 deleted file mode 100644 index a3a3672783..0000000000 --- a/changes/bug6377 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing: - - Make it possible to set the TestingTorNetwork configuration - option using AlternateDirAuthority and AlternateBridgeAuthority - as an alternative to setting DirServer. diff --git a/changes/bug6379 b/changes/bug6379 deleted file mode 100644 index 1f2b6941cd..0000000000 --- a/changes/bug6379 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Fix build warnings from --enable-openbsd-malloc with gcc warnings - enabled. Fixes bug 6379. - - Fix 64-bit warnings from --enable-openbsd-malloc. Fixes bug 6379. - Bugfix on 0.2.0.20-rc. - diff --git a/changes/bug6387 b/changes/bug6387 deleted file mode 100644 index 73fc4f7cfe..0000000000 --- a/changes/bug6387 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation: - - Clarify the documentation for the Alternate*Authority options. - Fixes bug 6387. diff --git a/changes/bug6397 b/changes/bug6397 deleted file mode 100644 index 23d8359bd2..0000000000 --- a/changes/bug6397 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - When disabling guards for having too high a proportion of failed - circuits, make sure to look at each guard. Fix for bug 6397; bugfix - on 0.2.3.17-beta. diff --git a/changes/bug6404 b/changes/bug6404 deleted file mode 100644 index 948f00b92e..0000000000 --- a/changes/bug6404 +++ /dev/null @@ -1,16 +0,0 @@ - o Minor bugfixes: - - - Remove the maximum length of microdescriptor we are willing to - generate. Occasionally this is needed for routers - with complex policies or family declarations. Partial fix for - bug 6404; fix on 0.2.2.6-alpha. - - - Authorities no longer include any router in their - microdescriptor consensuses for which they couldn't generate or - agree on a microdescriptor. Partial fix for bug 6404; fix on - 0.2.2.6-alpha. - - - Move log message when unable to find a microdesc in a - routerstatus entry to parse time. Previously we'd spam this - warning every time we tried to figure out which microdescriptors - to download. Partial fix for bug 6404; fix on 0.2.3.18-rc. diff --git a/changes/bug6423 b/changes/bug6423 deleted file mode 100644 index 2ea4f1410d..0000000000 --- a/changes/bug6423 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Consider new, removed or changed IPv6 OR ports a non cosmetic - change. diff --git a/changes/bug6436 b/changes/bug6436 deleted file mode 100644 index 2c163df105..0000000000 --- a/changes/bug6436 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Provide a better error message about possible OSX Asciidoc failure - reasons. Fix for bug 6436. diff --git a/changes/bug6472 b/changes/bug6472 deleted file mode 100644 index dcd42ebe68..0000000000 --- a/changes/bug6472 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Avoid a pair of double-free and use-after-mark bugs that can - occur with certain timings in canceled and re-received DNS - requests. Fix for bug 6472; bugfix on 0.0.7rc1. diff --git a/changes/bug6475 b/changes/bug6475 deleted file mode 100644 index 67bab99622..0000000000 --- a/changes/bug6475 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Add internal circuit construction state to protect against - the noisy warn message "Unexpectedly high circuit_successes". - Also add some additional rate-limited notice messages to help - determine the root cause of the warn. Fixes bug 6475. - Bugfix against 0.2.3.17-beta. diff --git a/changes/bug6480 b/changes/bug6480 deleted file mode 100644 index 83ae00b251..0000000000 --- a/changes/bug6480 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Avoid read-from-freed-RAM bug and related double-free bug that - could occur when a DNS request fails while launching it. Fixes - bug 6480; bugfix on 0.2.0.1-alpha. - diff --git a/changes/bug6490 b/changes/bug6490 deleted file mode 100644 index c92daad8f4..0000000000 --- a/changes/bug6490 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Warn when Tor is configured to use accounting in a way that will - link a hidden service to some other hidden service or public - address. Fix for bug 6490. diff --git a/changes/bug6500 b/changes/bug6500 deleted file mode 100644 index cac2054a3a..0000000000 --- a/changes/bug6500 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor bugfixes: - - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500. diff --git a/changes/bug6507 b/changes/bug6507 deleted file mode 100644 index 89940cbf7b..0000000000 --- a/changes/bug6507 +++ /dev/null @@ -1,15 +0,0 @@ - o Major bugfixes: - - Detect 'ORPort 0' as meaning, uniformly, that we're not running - as a server. Previously, some of our code would treat the - presence of any ORPort line as meaning that we should act like a - server, even though our new listener code would correctly not - open any ORPorts for ORPort 0. Similar bugs in other Port - options are also fixed. Fixes bug 6507; bugfix on 0.2.3.3-alpha. - - o Minor features: - - - Detect and reject attempts to specify both 'FooPort' and - 'FooPort 0' in the same configuration domain. (It's still okay - to have a FooPort in your configuration file,and use 'FooPort 0' - on the command line to disable it.) Fixes another case of - bug6507; bugfix on 0.2.3.3-alpha. diff --git a/changes/bug6514 b/changes/bug6514 deleted file mode 100644 index 84633bd279..0000000000 --- a/changes/bug6514 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Add a (probably redundant) memory clear between iterations of - the router status voting loop, to prevent future coding errors - where data might leak between iterations of the loop. Resolves - ticket 6514. diff --git a/changes/bug6530 b/changes/bug6530 deleted file mode 100644 index 825bbb752a..0000000000 --- a/changes/bug6530 +++ /dev/null @@ -1,5 +0,0 @@ - o Major security fixes: - - Avoid a read of uninitializd RAM when reading a vote or consensus - document with an unrecognized flavor name. This could lead to a - remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha. - diff --git a/changes/bug6690 b/changes/bug6690 deleted file mode 100644 index 99d42976ed..0000000000 --- a/changes/bug6690 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (security): - - Do not crash when comparing an address with port value 0 to an - address policy. This bug could have been used to cause a remote - assertion failure by or against directory authorities, or to - allow some applications to crash clients. Fixes bug 6690; bugfix - on 0.2.1.10-alpha. - diff --git a/changes/bug6710 b/changes/bug6710 deleted file mode 100644 index 2c89346114..0000000000 --- a/changes/bug6710 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (security): - - Reject any attempt to extend to an internal address. Without - this fix, a router could be used to probe addresses on an - internal network to see whether they were accepting - connections. Fix for bug 6710; bugfix on 0.0.8pre1. - diff --git a/changes/bug6732 b/changes/bug6732 deleted file mode 100644 index 7a744e014a..0000000000 --- a/changes/bug6732 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation: - - Add missing documentation for consensus and microdesc files. Fix for - bug 6732. diff --git a/changes/bug6743 b/changes/bug6743 deleted file mode 100644 index 6ec78f853a..0000000000 --- a/changes/bug6743 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor bugfixes: - - Allow one-hop directory fetching circuits the full "circuit build - timeout" period, rather than just half of it, before failing them - and marking the relay down. This fix should help reduce cases where - clients declare relays (or worse, bridges) unreachable because - the TLS handshake takes a few seconds to complete. Fixes bug 6743; - bugfix on 0.2.2.2-alpha, where we changed the timeout from a static - 30 seconds. - diff --git a/changes/bug6774 b/changes/bug6774 deleted file mode 100644 index 0c137fd678..0000000000 --- a/changes/bug6774 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Avoid crashing on a malformed state file where EntryGuardPathBias - precedes EntryGuard. Fix for bug 6774; bugfix on 0.2.3.17-beta. - diff --git a/changes/bug6801 b/changes/bug6801 deleted file mode 100644 index ef21acc98f..0000000000 --- a/changes/bug6801 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Avoid segfault when starting up having run with an extremely old - version of Tor and parsing its state file. Fixes bug 6801; bugfix on - 0.2.2.23-alpha. - diff --git a/changes/bug6811 b/changes/bug6811 deleted file mode 100644 index 841ec1c54a..0000000000 --- a/changes/bug6811 +++ /dev/null @@ -1,5 +0,0 @@ - o Major security fixes: - - Fix an assertion failure in tor_timegm that could be triggered - by a badly formatted directory object. Bug found by fuzzing with - Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc. - diff --git a/changes/bug6827 b/changes/bug6827 deleted file mode 100644 index bf71d2b97c..0000000000 --- a/changes/bug6827 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor bugfixes: - - - Avoid undefined behaviour when parsing the list of supported - rendezvous/introduction protocols in a hidden service - descriptor. Previously, Tor would have confused (as-yet-unused) - protocol version numbers greater than 32 with lower ones on many - platforms. Fixes bug 6827; bugfix on 0.2.0.10-alpha; found by - George Kadianakis. - diff --git a/changes/bug6844 b/changes/bug6844 deleted file mode 100644 index 338e19d9a5..0000000000 --- a/changes/bug6844 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Correct file sizes when reading binary files on - Cygwin, to avoid a bug where Tor would fail to read its state file. - Fixes bug 6844; bugfix on 0.1.2.7-alpha. diff --git a/changes/bug6866 b/changes/bug6866 deleted file mode 100644 index 561676b765..0000000000 --- a/changes/bug6866 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Convert an assert in the pathbias code to a log message. Assert - appears to only be triggerable by Tor2Web mode. Fixes bug 6866; - bugfix on 0.2.3.17-beta. diff --git a/changes/bug7014 b/changes/bug7014 deleted file mode 100644 index 1d39103a50..0000000000 --- a/changes/bug7014 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Fix two cases in src/or/transports.c where we were calling - fmt_addr() twice in a parameter list. Bug found by David - Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha. - diff --git a/changes/bug7022 b/changes/bug7022 deleted file mode 100644 index 10ac354724..0000000000 --- a/changes/bug7022 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Fix memory leaks whenever we logged any message about the "path - bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc. diff --git a/changes/bug7037 b/changes/bug7037 deleted file mode 100644 index fc3a1ad1c5..0000000000 --- a/changes/bug7037 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - When relays refuse a "create" cell because their queue of pending - create cells is too big (typically because their cpu can't keep up - with the arrival rate), send back reason "resource limit" rather - than reason "internal", so network measurement scripts can get a - more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037. diff --git a/changes/bug7139 b/changes/bug7139 deleted file mode 100644 index dfb7d32838..0000000000 --- a/changes/bug7139 +++ /dev/null @@ -1,9 +0,0 @@ - o Major bugfixes (security): - - - Disable TLS session tickets. OpenSSL's implementation were giving - our TLS session keys the lifetime of our TLS context objects, when - perfect forward secrecy would want us to discard anything that - could decrypt a link connection as soon as the link connection was - closed. Fixes bug 7139; bugfix on all versions of Tor linked - against OpenSSL 1.0.0 or later. Found by "nextgens". - diff --git a/changes/bug7190 b/changes/bug7190 deleted file mode 100644 index 1607f79442..0000000000 --- a/changes/bug7190 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Clients now consider the ClientRejectInternalAddresses config option - when using a microdescriptor consensus stanza to decide whether - an exit relay would allow exiting to an internal address. Fixes - bug 7190; bugfix on 0.2.3.1-alpha. - diff --git a/changes/bug7191 b/changes/bug7191 deleted file mode 100644 index a3bee6e5f7..0000000000 --- a/changes/bug7191 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Fix a denial of service attack by which any directory authority - could crash all the others, or by which a single v2 directory - authority could crash everybody downloading v2 directory - information. Fixes bug 7191; bugfix on 0.2.0.10-alpha. diff --git a/changes/bug7192 b/changes/bug7192 deleted file mode 100644 index 10cbc2469a..0000000000 --- a/changes/bug7192 +++ /dev/null @@ -1,10 +0,0 @@ - o Major bugfixes: - - When parsing exit policy summaries from microdescriptors, we had - previously been ignoring the last character in each one, so that - "accept 80,443,8080" would be treated by clients as indicating a - node that allows access to ports 80, 443, and 808. That would lead - to clients attempting connections that could never work, and - ignoring exit nodes that would support their connections. Now clients - parse these exit policy summaries correctly. Fixes bug 7192; - bugfix on 0.2.3.1-alpha. - diff --git a/changes/bug7352 b/changes/bug7352 deleted file mode 100644 index 74a878dbe0..0000000000 --- a/changes/bug7352 +++ /dev/null @@ -1,12 +0,0 @@ - o Major bugfixes: - - Tor tries to wipe potentially sensitive data after using it, so - that if some subsequent security failure exposes Tor's memory, - the damage will be limited. But we had a bug where the compiler - was eliminating these wipe operations when it decided that the - memory was no longer visible to a (correctly running) program, - hence defeating our attempt at defense in depth. We fix that - by using OpenSSL's OPENSSL_cleanse() operation, which a compiler - is unlikely to optimize away. Future versions of Tor may use - a less ridiculously heavy approach for this. Fixes bug 7352. - Reported in an article by Andrey Karpov. - diff --git a/changes/bug7464 b/changes/bug7464 deleted file mode 100644 index 9259cc74a3..0000000000 --- a/changes/bug7464 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix a harmless bug when opting against publishing a relay descriptor - because DisableNetwork is set. Fixes bug 7464; bugfix on - 0.2.3.9-alpha. diff --git a/changes/bug7889 b/changes/bug7889 deleted file mode 100644 index ce99a59ce5..0000000000 --- a/changes/bug7889 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes: - - Reject bogus create and relay cells with 0 circuit ID or 0 stream - ID: these could be used to create unexpected streams and circuits - which would count as "present" to some parts of Tor but "absent" - to others, leading to zombie circuits and streams or to a - bandwidth DOS. Fixes bug 7889; bugfix on every released version of - Tor. Reported by "oftc_must_be_destroyed". - diff --git a/changes/bug8208 b/changes/bug8208 deleted file mode 100644 index c85db90b52..0000000000 --- a/changes/bug8208 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Avoid a crash if we fail to generate an extrinfo descriptor. - Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity; - this is CID 718634. diff --git a/changes/bug8377 b/changes/bug8377 deleted file mode 100644 index c9ad151bc9..0000000000 --- a/changes/bug8377 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Correctly recognize that [::1] is a loopback address. Fixes bug #8377; - bugfix on 0.2.1.3-alpha. diff --git a/changes/cov709056 b/changes/cov709056 deleted file mode 100644 index 64a75ad8a2..0000000000 --- a/changes/cov709056 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Check return value of fputs() when writing authority certificate - file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha. - diff --git a/changes/cve-2012-2249 b/changes/cve-2012-2249 deleted file mode 100644 index 625bfa2f58..0000000000 --- a/changes/cve-2012-2249 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (security): - - Discard extraneous renegotiation attempts once the V3 link - protocol has been initiated. Failure to do so left us open to - a remotely triggerable assertion failure. Fixes CVE-2012-2249; - bugfix on 0.2.3.6-alpha. Reported by "some guy from France". diff --git a/changes/dirserv-BUGGY-a b/changes/dirserv-BUGGY-a deleted file mode 100644 index 35b492a2d7..0000000000 --- a/changes/dirserv-BUGGY-a +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - - Don't serve or accept v2 hidden service descriptors over a - relay's DirPort. It's never correct to do so, and disabling it - might make it more annoying to exploit any bugs that turn up in the - descriptor-parsing code. Fixes bug 7149. - diff --git a/changes/disable_pathbias_messages b/changes/disable_pathbias_messages deleted file mode 100644 index 3bc996347b..0000000000 --- a/changes/disable_pathbias_messages +++ /dev/null @@ -1,3 +0,0 @@ - o Disabeled features - - Downgrade path-bias warning messages to INFO. We'll try to get them - working better in 0.2.4. Fixes bug 6475; bugfix on 0.2.3.17-beta. diff --git a/changes/geoip-apr2013 b/changes/geoip-apr2013 deleted file mode 100644 index 74d9c63b79..0000000000 --- a/changes/geoip-apr2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the April 3 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-dec2012 b/changes/geoip-dec2012 deleted file mode 100644 index 26431c2e8a..0000000000 --- a/changes/geoip-dec2012 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the December 5 2012 Maxmind GeoLite Country database. - diff --git a/changes/geoip-feb2013 b/changes/geoip-feb2013 deleted file mode 100644 index b5d794258f..0000000000 --- a/changes/geoip-feb2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the February 6 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-jan2013 b/changes/geoip-jan2013 deleted file mode 100644 index 45e5a150cc..0000000000 --- a/changes/geoip-jan2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the January 2 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-mar2013 b/changes/geoip-mar2013 deleted file mode 100644 index e9cc3981b3..0000000000 --- a/changes/geoip-mar2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the March 6 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-nov2012 b/changes/geoip-nov2012 deleted file mode 100644 index 22e7bace58..0000000000 --- a/changes/geoip-nov2012 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the November 7 2012 Maxmind GeoLite Country database. - diff --git a/changes/link_negotiation_assert b/changes/link_negotiation_assert deleted file mode 100644 index 398a545573..0000000000 --- a/changes/link_negotiation_assert +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixs (security): - - Fix a group of remotely triggerable assertion failures related to - incorrect link protocol negotiation. Found, diagnosed, and fixed - by "some guy from France." Fix for CVE-2012-2250; bugfix on - 0.2.3.6-alpha. - diff --git a/changes/pathsel-BUGGY-a b/changes/pathsel-BUGGY-a deleted file mode 100644 index 2e642c7953..0000000000 --- a/changes/pathsel-BUGGY-a +++ /dev/null @@ -1,14 +0,0 @@ - o Security fixes: - - - Try to leak less information about what relays a client is - choosing to a side-channel attacker. Previously, a Tor client - would stop iterating through the list of available relays as - soon as it had chosen one, thus finishing a little earlier - when it picked a router earlier in the list. If an attacker - can recover this timing information (nontrivial but not - proven to be impossible), they could learn some coarse- - grained information about which relays a client was picking - (middle nodes in particular are likelier to be affected than - exits). The timing attack might be mitigated by other factors - (see bug #6537 for some discussion), but it's best not to - take chances. Fixes bug 6537; bugfix on 0.0.8rc1. diff --git a/changes/port_doc b/changes/port_doc deleted file mode 100644 index 0e8662f0ab..0000000000 --- a/changes/port_doc +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (usability): - - Try to make the warning when giving an obsolete SOCKSListenAddress - a littel more useful. diff --git a/changes/revert-geoip-may2012 b/changes/revert-geoip-may2012 deleted file mode 100644 index e420947a34..0000000000 --- a/changes/revert-geoip-may2012 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Revert to the May 1 2012 Maxmind GeoLite Country database. In the - June 2012 database, Maxmind marked many Tor relays as country "A1", - which will cause risky behavior for clients that set EntryNodes - or ExitNodes. Addresses bug 6334; bugfix on 0.2.3.17-beta. - diff --git a/changes/smartlist_foreach b/changes/smartlist_foreach deleted file mode 100644 index 2fd3a1a85c..0000000000 --- a/changes/smartlist_foreach +++ /dev/null @@ -1,8 +0,0 @@ - o Code simplification and refactoring: - - Do not use SMARTLIST_FOREACH for any loop whose body exceeds - 10 lines. Doing so in the past has led to hard-to-debug code. - The new style is to use the SMARTLIST_FOREACH_{BEGIN,END} pair. - Issue 6400. - - Do not nest SMARTLIST_FOREACH blocks within one another. Any - nested block ought to be using SMARTLIST_FOREACH_{BEGIN,END}. - Issue 6400. diff --git a/changes/ticket5749 b/changes/ticket5749 deleted file mode 100644 index 0237241981..0000000000 --- a/changes/ticket5749 +++ /dev/null @@ -1,3 +0,0 @@ - o New directory authorities: - - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory - authority. Closes ticket 5749. diff --git a/configure.in b/configure.in index 8aa90f6414..b29f31815f 100644 --- a/configure.in +++ b/configure.in @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2012, The Tor Project, Inc. dnl See LICENSE for licensing information AC_INIT -AM_INIT_AUTOMAKE(tor, 0.2.3.18-rc-dev) +AM_INIT_AUTOMAKE(tor, 0.2.3.25) AM_CONFIG_HEADER(orconfig.h) AC_CANONICAL_HOST diff --git a/contrib/tor-mingw.nsi.in b/contrib/tor-mingw.nsi.in index 2133a471b3..69c4c2e8eb 100644 --- a/contrib/tor-mingw.nsi.in +++ b/contrib/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.3.18-rc-dev" +!define VERSION "0.2.3.25" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index d780d5d73d..90c6b52b47 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -232,7 +232,7 @@ #define USING_TWOS_COMPLEMENT /* Version number of package */ -#define VERSION "0.2.3.18-rc-dev" +#define VERSION "0.2.3.25" |