diff options
250 files changed, 2694 insertions, 1247 deletions
@@ -1,3 +1,1198 @@ +Changes in version 0.2.4.29 - 2017-06-08 + Tor 0.2.4.29 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) + + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + +Changes in version 0.2.4.28 - 2017-03-03 + Tor 0.2.4.28 backports a number of security fixes from later Tor + releases. Anybody running Tor 0.2.4.27 or earlier should upgrade to + this release, if for some reason they cannot upgrade to a later + release series. + + Note that support for Tor 0.2.4.x is ending soon: we will not issue + any fixes for the Tor 0.2.4.x series after 1 August 2017. If you need + a Tor release series with long-term support, we recommend Tor 0.2.9.x. + + o Directory authority changes (backport from 0.2.8.5-rc): + - Urras is no longer a directory authority. Closes ticket 19271. + + o Directory authority changes (backport from 0.2.9.2-alpha): + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Directory authority key updates (backport from 0.2.8.1-alpha): + - Update the V3 identity key for the dannenberg directory authority: + it was changed on 18 November 2015. Closes task 17906. Patch + by "teor". + + o Major features (security fixes, backport from 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Major bugfixes (parsing, security, backport from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Major bugfixes (security, correctness, backport from 0.2.7.4-rc): + - Fix an error that could cause us to read 4 bytes before the + beginning of an openssl string. This bug could be used to cause + Tor to crash on systems with unusual malloc implementations, or + systems with unusual hardening installed. Fixes bug 17404; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha): + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. Fixes bug 18162; + bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. + Reported by Guido Vranken. + + o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". + + o Major bugfixes (guard selection, backport from 0.2.7.6): + - Actually look at the Guard flag when selecting a new directory + guard. When we implemented the directory guard design, we + accidentally started treating all relays as if they have the Guard + flag during guard selection, leading to weaker anonymity and worse + performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered + by Mohsen Imani. + + o Major bugfixes (key management, backport from 0.2.8.3-alpha): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (security, memory erasure, backport from 0.2.8.1-alpha): + - Make memwipe() do nothing when passed a NULL pointer or buffer of + zero size. Check size argument to memwipe() for underflow. Fixes + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", + patch by "teor". + + o Minor features (bug-resistance, backport from 0.2.8.2-alpha): + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. + + o Minor features (DoS-resistance, backport from 0.2.7.1-alpha): + - Make it harder for attackers to overload hidden services with + introductions, by blocking multiple introduction requests on the + same circuit. Resolves ticket 15515. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation, backport from 0.2.7.6): + - Fix a compilation warning with Clang 3.6: Do not check the + presence of an address which can never be NULL. Fixes bug 17781. + + o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha): + - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on + a client authorized hidden service. Fixes bug 15823; bugfix + on 0.2.1.6-alpha. + + +Changes in version 0.2.4.27 - 2015-04-06 + Tor 0.2.4.27 backports two fixes from 0.2.6.7 for security issues that + could be used by an attacker to crash hidden services, or crash clients + visiting hidden services. Hidden services should upgrade as soon as + possible; clients should upgrade whenever packages become available. + + This release also backports a simple improvement to make hidden + services a bit less vulnerable to denial-of-service attacks. + + o Major bugfixes (security, hidden service): + - Fix an issue that would allow a malicious client to trigger an + assertion failure and halt a hidden service. Fixes bug 15600; + bugfix on 0.2.1.6-alpha. Reported by "disgleirio". + - Fix a bug that could cause a client to crash with an assertion + failure when parsing a malformed hidden service descriptor. Fixes + bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC". + + o Minor features (DoS-resistance, hidden service): + - Introduction points no longer allow multiple INTRODUCE1 cells to + arrive on the same circuit. This should make it more expensive for + attackers to overwhelm hidden services with introductions. + Resolves ticket 15515. + + +Changes in version 0.2.4.26 - 2015-03-17 + Tor 0.2.4.26 includes an updated list of directory authorities. It + also backports a couple of stability and security bugfixes from 0.2.5 + and beyond. + + o Directory authority changes: + - Remove turtles as a directory authority. + - Add longclaw as a new (v3) directory authority. This implements + ticket 13296. This keeps the directory authority count at 9. + - The directory authority Faravahar has a new IP address. This + closes ticket 14487. + + o Major bugfixes (exit node stability, also in 0.2.6.3-alpha): + - Fix an assertion failure that could occur under high DNS load. + Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr"; + diagnosed and fixed by "cypherpunks". + + o Major bugfixes (relay, stability, possible security, also in 0.2.6.4-rc): + - Fix a bug that could lead to a relay crashing with an assertion + failure if a buffer of exactly the wrong layout was passed to + buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on + 0.2.0.10-alpha. Patch from 'cypherpunks'. + - Do not assert if the 'data' pointer on a buffer is advanced to the + very end of the buffer; log a BUG message instead. Only assert if + it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. + + o Minor features (geoip): + - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database. + - Update geoip6 to the March 3 2015 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.4.25 - 2014-10-20 + Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack + (even though POODLE does not affect Tor). It also works around a crash + bug caused by some operating systems' response to the "POODLE" attack + (which does affect Tor). + + o Major security fixes (also in 0.2.5.9-rc): + - Disable support for SSLv3. All versions of OpenSSL in use with Tor + today support TLS 1.0 or later, so we can safely turn off support + for this old (and insecure) protocol. Fixes bug 13426. + + o Major bugfixes (openssl bug workaround, also in 0.2.5.9-rc): + - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or + 1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug + 13471. This is a workaround for an OpenSSL bug. + + +Changes in version 0.2.4.24 - 2014-09-22 + Tor 0.2.4.24 fixes a bug that affects consistency and speed when + connecting to hidden services, and it updates the location of one of + the directory authorities. + + o Major bugfixes: + - Clients now send the correct address for their chosen rendezvous + point when trying to access a hidden service. They used to send + the wrong address, which would still work some of the time because + they also sent the identity digest of the rendezvous point, and if + the hidden service happened to try connecting to the rendezvous + point from a relay that already had a connection open to it, + the relay would reuse that connection. Now connections to hidden + services should be more robust and faster. Also, this bug meant + that clients were leaking to the hidden service whether they were + on a little-endian (common) or big-endian (rare) system, which for + some users might have reduced their anonymity. Fixes bug 13151; + bugfix on 0.2.1.5-alpha. + + o Directory authority changes: + - Change IP address for gabelmoo (v3 directory authority). + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.4.23 - 2014-07-28 + Tor 0.2.4.23 brings us a big step closer to slowing down the risk from + guard rotation, and also backports several important fixes from the + Tor 0.2.5 alpha release series. + + o Major features: + - Clients now look at the "usecreatefast" consensus parameter to + decide whether to use CREATE_FAST or CREATE cells for the first hop + of their circuit. This approach can improve security on connections + where Tor's circuit handshake is stronger than the available TLS + connection security levels, but the tradeoff is more computational + load on guard relays. Implements proposal 221. Resolves ticket 9386. + - Make the number of entry guards configurable via a new + NumEntryGuards consensus parameter, and the number of directory + guards configurable via a new NumDirectoryGuards consensus + parameter. Implements ticket 12688. + + o Major bugfixes: + - Fix a bug in the bounds-checking in the 32-bit curve25519-donna + implementation that caused incorrect results on 32-bit + implementations when certain malformed inputs were used along with + a small class of private ntor keys. This bug does not currently + appear to allow an attacker to learn private keys or impersonate a + Tor server, but it could provide a means to distinguish 32-bit Tor + implementations from 64-bit Tor implementations. Fixes bug 12694; + bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from + Adam Langley. + + o Minor bugfixes: + - Warn and drop the circuit if we receive an inbound 'relay early' + cell. Those used to be normal to receive on hidden service circuits + due to bug 1038, but the buggy Tor versions are long gone from + the network so we can afford to resume watching for them. Resolves + the rest of bug 1038; bugfix on 0.2.1.19. + - Correct a confusing error message when trying to extend a circuit + via the control protocol but we don't know a descriptor or + microdescriptor for one of the specified relays. Fixes bug 12718; + bugfix on 0.2.3.1-alpha. + - Avoid an illegal read from stack when initializing the TLS + module using a version of OpenSSL without all of the ciphers + used by the v2 link handshake. Fixes bug 12227; bugfix on + 0.2.4.8-alpha. Found by "starlight". + + o Minor features: + - Update geoip and geoip6 to the July 10 2014 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.4.22 - 2014-05-16 + Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5 + alpha release series. These include blocking all authority signing + keys that may have been affected by the OpenSSL "heartbleed" bug, + choosing a far more secure set of TLS ciphersuites by default, closing + a couple of memory leaks that could be used to run a target relay out + of RAM, and several others. + + o Major features (security, backport from 0.2.5.4-alpha): + - Block authority signing keys that were used on authorities + vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We + don't have any evidence that these keys _were_ compromised; we're + doing this to be prudent.) Resolves ticket 11464. + + o Major bugfixes (security, OOM): + - Fix a memory leak that could occur if a microdescriptor parse + fails during the tokenizing step. This bug could enable a memory + exhaustion attack by directory servers. Fixes bug 11649; bugfix + on 0.2.2.6-alpha. + + o Major bugfixes (TLS cipher selection, backport from 0.2.5.4-alpha): + - The relay ciphersuite list is now generated automatically based on + uniform criteria, and includes all OpenSSL ciphersuites with + acceptable strength and forward secrecy. Previously, we had left + some perfectly fine ciphersuites unsupported due to omission or + typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by + 'cypherpunks'. Bugfix on 0.2.4.8-alpha. + - Relays now trust themselves to have a better view than clients of + which TLS ciphersuites are better than others. (Thanks to bug + 11513, the relay list is now well-considered, whereas the client + list has been chosen mainly for anti-fingerprinting purposes.) + Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over + CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over + AES128. Resolves ticket 11528. + - Clients now try to advertise the same list of ciphersuites as + Firefox 28. This change enables selection of (fast) GCM + ciphersuites, disables some strange old ciphers, and stops + advertising the ECDH (not to be confused with ECDHE) ciphersuites. + Resolves ticket 11438. + + o Minor bugfixes (configuration, security): + - When running a hidden service, do not allow TunneledDirConns 0: + trying to set that option together with a hidden service would + otherwise prevent the hidden service from running, and also make + it publish its descriptors directly over HTTP. Fixes bug 10849; + bugfix on 0.2.1.1-alpha. + + o Minor bugfixes (controller, backport from 0.2.5.4-alpha): + - Avoid sending a garbage value to the controller when a circuit is + cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha. + + o Minor bugfixes (exit relay, backport from 0.2.5.4-alpha): + - Stop leaking memory when we successfully resolve a PTR record. + Fixes bug 11437; bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (bridge client, backport from 0.2.5.4-alpha): + - Avoid 60-second delays in the bootstrapping process when Tor is + launching for a second time while using bridges. Fixes bug 9229; + bugfix on 0.2.0.3-alpha. + + o Minor bugfixes (relays and bridges, backport from 0.2.5.4-alpha): + - Give the correct URL in the warning message when trying to run a + relay on an ancient version of Windows. Fixes bug 9393. + + o Minor bugfixes (compilation): + - Fix a compilation error when compiling with --disable-curve25519. + Fixes bug 9700; bugfix on 0.2.4.17-rc. + + o Minor bugfixes: + - Downgrade the warning severity for the the "md was still + referenced 1 node(s)" warning. Tor 0.2.5.4-alpha has better code + for trying to diagnose this bug, and the current warning in + earlier versions of tor achieves nothing useful. Addresses warning + from bug 7164. + + o Minor features (log verbosity, backport from 0.2.5.4-alpha): + - When we run out of usable circuit IDs on a channel, log only one + warning for the whole channel, and describe how many circuits + there were on the channel. Fixes part of ticket 11553. + + o Minor features (security, backport from 0.2.5.4-alpha): + - Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but + leave the default at 8GBytes), to better support Raspberry Pi + users. Fixes bug 9686; bugfix on 0.2.4.14-alpha. + + o Documentation (backport from 0.2.5.4-alpha): + - Correctly document that we search for a system torrc file before + looking in ~/.torrc. Fixes documentation side of 9213; bugfix on + 0.2.3.18-rc. + + +Changes in version 0.2.4.21 - 2014-02-28 + Tor 0.2.4.21 further improves security against potential adversaries who + find breaking 1024-bit crypto doable, and backports several stability + and robustness patches from the 0.2.5 branch. + + o Major features (client security): + - When we choose a path for a 3-hop circuit, make sure it contains + at least one relay that supports the NTor circuit extension + handshake. Otherwise, there is a chance that we're building + a circuit that's worth attacking by an adversary who finds + breaking 1024-bit crypto doable, and that chance changes the game + theory. Implements ticket 9777. + + o Major bugfixes: + - Do not treat streams that fail with reason + END_STREAM_REASON_INTERNAL as indicating a definite circuit failure, + since it could also indicate an ENETUNREACH connection error. Fixes + part of bug 10777; bugfix on 0.2.4.8-alpha. + + o Code simplification and refactoring: + - Remove data structures which were introduced to implement the + CellStatistics option: they are now redundant with the new timestamp + field in the regular packed_cell_t data structure, which we did + in 0.2.4.18-rc in order to resolve bug 9093. Resolves ticket 10870. + + o Minor features: + - Always clear OpenSSL bignums before freeing them -- even bignums + that don't contain secrets. Resolves ticket 10793. Patch by + Florent Daigniere. + - Build without warnings under clang 3.4. (We have some macros that + define static functions only some of which will get used later in + the module. Starting with clang 3.4, these give a warning unless the + unused attribute is set on them.) Resolves ticket 10904. + - Update geoip and geoip6 files to the February 7 2014 Maxmind + GeoLite2 Country database. + + o Minor bugfixes: + - Set the listen() backlog limit to the largest actually supported + on the system, not to the value in a header file. Fixes bug 9716; + bugfix on every released Tor. + - Treat ENETUNREACH, EACCES, and EPERM connection failures at an + exit node as a NOROUTE error, not an INTERNAL error, since they + can apparently happen when trying to connect to the wrong sort + of netblocks. Fixes part of bug 10777; bugfix on 0.1.0.1-rc. + - Fix build warnings about missing "a2x" comment when building the + manpages from scratch on OpenBSD; OpenBSD calls it "a2x.py". + Fixes bug 10929; bugfix on 0.2.2.9-alpha. Patch from Dana Koch. + - Avoid a segfault on SIGUSR1, where we had freed a connection but did + not entirely remove it from the connection lists. Fixes bug 9602; + bugfix on 0.2.4.4-alpha. + - Fix a segmentation fault in our benchmark code when running with + Fedora's OpenSSL package, or any other OpenSSL that provides + ECDH but not P224. Fixes bug 10835; bugfix on 0.2.4.8-alpha. + - Turn "circuit handshake stats since last time" log messages into a + heartbeat message. Fixes bug 10485; bugfix on 0.2.4.17-rc. + + o Documentation fixes: + - Document that all but one DirPort entry must have the NoAdvertise + flag set. Fixes bug 10470; bugfix on 0.2.3.3-alpha / 0.2.3.16-alpha. + + +Changes in version 0.2.4.20 - 2013-12-22 + Tor 0.2.4.20 fixes potentially poor random number generation for users + who 1) use OpenSSL 1.0.0 or later, 2) set "HardwareAccel 1" in their + torrc file, 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors, + and 4) have no state file in their DataDirectory (as would happen on + first start). Users who generated relay or hidden service identity + keys in such a situation should discard them and generate new ones. + + This release also fixes a logic error that caused Tor clients to build + many more preemptive circuits than they actually need. + + o Major bugfixes: + - Do not allow OpenSSL engines to replace the PRNG, even when + HardwareAccel is set. The only default builtin PRNG engine uses + the Intel RDRAND instruction to replace the entire PRNG, and + ignores all attempts to seed it with more entropy. That's + cryptographically stupid: the right response to a new alleged + entropy source is never to discard all previously used entropy + sources. Fixes bug 10402; works around behavior introduced in + OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman" + and "rl1987". + - Fix assertion failure when AutomapHostsOnResolve yields an IPv6 + address. Fixes bug 10465; bugfix on 0.2.4.7-alpha. + - Avoid launching spurious extra circuits when a stream is pending. + This fixes a bug where any circuit that _wasn't_ unusable for new + streams would be treated as if it were, causing extra circuits to + be launched. Fixes bug 10456; bugfix on 0.2.4.12-alpha. + + o Minor bugfixes: + - Avoid a crash bug when starting with a corrupted microdescriptor + cache file. Fixes bug 10406; bugfix on 0.2.2.6-alpha. + - If we fail to dump a previously cached microdescriptor to disk, avoid + freeing duplicate data later on. Fixes bug 10423; bugfix on + 0.2.4.13-alpha. Spotted by "bobnomnom". + + +Changes in version 0.2.4.19 - 2013-12-11 + The Tor 0.2.4 release series is dedicated to the memory of Aaron Swartz + (1986-2013). Aaron worked on diverse projects including helping to guide + Creative Commons, playing a key role in stopping SOPA/PIPA, bringing + transparency to the U.S government's PACER documents, and contributing + design and development for Tor and Tor2Web. Aaron was one of the latest + martyrs in our collective fight for civil liberties and human rights, + and his death is all the more painful because he was one of us. + + Tor 0.2.4.19, the first stable release in the 0.2.4 branch, features + a new circuit handshake and link encryption that use ECC to provide + better security and efficiency; makes relays better manage circuit + creation requests; uses "directory guards" to reduce client enumeration + risks; makes bridges collect and report statistics about the pluggable + transports they support; cleans up and improves our geoip database; + gets much closer to IPv6 support for clients, bridges, and relays; makes + directory authorities use measured bandwidths rather than advertised + ones when computing flags and thresholds; disables client-side DNS + caching to reduce tracking risks; and fixes a big bug in bridge + reachability testing. This release introduces two new design + abstractions in the code: a new "channel" abstraction between circuits + and or_connections to allow for implementing alternate relay-to-relay + transports, and a new "circuitmux" abstraction storing the queue of + circuits for a channel. The release also includes many stability, + security, and privacy fixes. + + +Changes in version 0.2.4.18-rc - 2013-11-16 + Tor 0.2.4.18-rc is the fourth release candidate for the Tor 0.2.4.x + series. It takes a variety of fixes from the 0.2.5.x branch to improve + stability, performance, and better handling of edge cases. + + o Major features: + - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later. + Resolves ticket 6055. (OpenSSL before 1.0.1 didn't have TLS 1.1 or + 1.2, and OpenSSL from 1.0.1 through 1.0.1d had bugs that prevented + renegotiation from working with TLS 1.1 or 1.2, so we had disabled + them to solve bug 6033.) + + o Major bugfixes: + - No longer stop reading or writing on cpuworker connections when + our rate limiting buckets go empty. Now we should handle circuit + handshake requests more promptly. Resolves bug 9731. + - If we are unable to save a microdescriptor to the journal, do not + drop it from memory and then reattempt downloading it. Fixes bug + 9645; bugfix on 0.2.2.6-alpha. + - Stop trying to bootstrap all our directory information from + only our first guard. Discovered while fixing bug 9946; bugfix + on 0.2.4.8-alpha. + - The new channel code sometimes lost track of in-progress circuits, + causing long-running clients to stop building new circuits. The + fix is to always call circuit_n_chan_done(chan, 0) from + channel_closed(). Fixes bug 9776; bugfix on 0.2.4.17-rc. + + o Minor bugfixes (on 0.2.4.x): + - Correctly log long IPv6 exit policies, instead of truncating them + or reporting an error. Fixes bug 9596; bugfix on 0.2.4.7-alpha. + - Our default TLS ecdhe groups were backwards: we meant to be using + P224 for relays (for performance win) and P256 for bridges (since + it is more common in the wild). Instead we had it backwards. After + reconsideration, we decided that the default should be P256 on all + hosts, since its security is probably better, and since P224 is + reportedly used quite little in the wild. Found by "skruffy" on + IRC. Fix for bug 9780; bugfix on 0.2.4.8-alpha. + - Free directory authority certificate download statuses on exit + rather than leaking them. Fixes bug 9644; bugfix on 0.2.4.13-alpha. + + o Minor bugfixes (on 0.2.3.x and earlier): + - If the guard we choose first doesn't answer, we would try the + second guard, but once we connected to the second guard we would + abandon it and retry the first one, slowing down bootstrapping. + The fix is to treat all our initially chosen guards as acceptable + to use. Fixes bug 9946; bugfix on 0.1.1.11-alpha. + - Fix an assertion failure that would occur when disabling the + ORPort setting on a running Tor process while accounting was + enabled. Fixes bug 6979; bugfix on 0.2.2.18-alpha. + - When examining the list of network interfaces to find our address, + do not consider non-running or disabled network interfaces. Fixes + bug 9904; bugfix on 0.2.3.11-alpha. Patch from "hantwister". + - Avoid an off-by-one error when checking buffer boundaries when + formatting the exit status of a pluggable transport helper. + This is probably not an exploitable bug, but better safe than + sorry. Fixes bug 9928; bugfix on 0.2.3.18-rc. Bug found by + Pedro Ribeiro. + + o Minor features (protecting client timestamps): + - Clients no longer send timestamps in their NETINFO cells. These were + not used for anything, and they provided one small way for clients + to be distinguished from each other as they moved from network to + network or behind NAT. Implements part of proposal 222. + - Clients now round timestamps in INTRODUCE cells down to the nearest + 10 minutes. If a new Support022HiddenServices option is set to 0, or + if it's set to "auto" and the feature is disabled in the consensus, + the timestamp is sent as 0 instead. Implements part of proposal 222. + - Stop sending timestamps in AUTHENTICATE cells. This is not such + a big deal from a security point of view, but it achieves no actual + good purpose, and isn't needed. Implements part of proposal 222. + - Reduce down accuracy of timestamps in hidden service descriptors. + Implements part of proposal 222. + + o Minor features (other): + - Improve the circuit queue out-of-memory handler. Previously, when + we ran low on memory, we'd close whichever circuits had the most + queued cells. Now, we close those that have the *oldest* queued + cells, on the theory that those are most responsible for us + running low on memory. Based on analysis from a forthcoming paper + by Jansen, Tschorsch, Johnson, and Scheuermann. Fixes bug 9093. + - Generate bootstrapping status update events correctly when fetching + microdescriptors. Fixes bug 9927. + - Update to the October 2 2013 Maxmind GeoLite Country database. + + o Documentation fixes: + - Clarify the usage and risks of setting the ContactInfo torrc line + for your relay or bridge. Resolves ticket 9854. + - Add anchors to the manpage so we can link to the html version of + the documentation for specific options. Resolves ticket 9866. + - Replace remaining references to DirServer in man page and + log entries. Resolves ticket 10124. + + +Changes in version 0.2.4.17-rc - 2013-09-05 + Tor 0.2.4.17-rc is the third release candidate for the Tor 0.2.4.x + series. It adds an emergency step to help us tolerate the massive + influx of users: 0.2.4 clients using the new (faster and safer) "NTor" + circuit-level handshakes now effectively jump the queue compared to + the 0.2.3 clients using "TAP" handshakes. This release also fixes a + big bug hindering bridge reachability tests. + + o Major features: + - Relays now process the new "NTor" circuit-level handshake requests + with higher priority than the old "TAP" circuit-level handshake + requests. We still process some TAP requests to not totally starve + 0.2.3 clients when NTor becomes popular. A new consensus parameter + "NumNTorsPerTAP" lets us tune the balance later if we need to. + Implements ticket 9574. + + o Major bugfixes: + - If the circuit build timeout logic is disabled (via the consensus, + or because we are an authority), then don't build testing circuits. + Fixes bug 9657; bugfix on 0.2.2.14-alpha. + - Bridges now send AUTH_CHALLENGE cells during their v3 handshakes; + previously they did not, which prevented them from receiving + successful connections from relays for self-test or bandwidth + testing. Also, when a relay is extending a circuit to a bridge, + it needs to send a NETINFO cell, even when the bridge hasn't sent + an AUTH_CHALLENGE cell. Fixes bug 9546; bugfix on 0.2.3.6-alpha. + - If the time to download the next old-style networkstatus is in + the future, do not decline to consider whether to download the + next microdescriptor networkstatus. Fixes bug 9564; bugfix on + 0.2.3.14-alpha. + + o Minor bugfixes: + - Avoid double-closing the listener socket in our socketpair() + replacement (used on Windows) in the case where the addresses on + our opened sockets don't match what we expected. Fixes bug 9400; + bugfix on 0.0.2pre7. Found by Coverity. + + o Minor fixes (config options): + - Avoid overflows when the user sets MaxCircuitDirtiness to a + ridiculously high value, by imposing a (ridiculously high) 30-day + maximum on MaxCircuitDirtiness. + - Fix the documentation of HeartbeatPeriod to say that the heartbeat + message is logged at notice, not at info. + - Warn and fail if a server is configured not to advertise any + ORPorts at all. (We need *something* to put in our descriptor, + or we just won't work.) + + o Minor features: + - Track how many "TAP" and "NTor" circuit handshake requests we get, + and how many we complete, and log it every hour to help relay + operators follow trends in network load. Addresses ticket 9658. + - Update to the August 7 2013 Maxmind GeoLite Country database. + + +Changes in version 0.2.4.16-rc - 2013-08-10 + Tor 0.2.4.16-rc is the second release candidate for the Tor 0.2.4.x + series. It fixes several crash bugs in the 0.2.4 branch. + + o Major bugfixes: + - Fix a bug in the voting algorithm that could yield incorrect results + when a non-naming authority declared too many flags. Fixes bug 9200; + bugfix on 0.2.0.3-alpha. + - Fix an uninitialized read that could in some cases lead to a remote + crash while parsing INTRODUCE2 cells. Bugfix on 0.2.4.1-alpha. + Anybody running a hidden service on the experimental 0.2.4.x + branch should upgrade. (This is, so far as we know, unrelated to + the recent news.) + - Avoid an assertion failure when processing DNS replies without the + answer types we expected. Fixes bug 9337; bugfix on 0.2.4.7-alpha. + - Avoid a crash when using --hash-password. Fixes bug 9295; bugfix on + 0.2.4.15-rc. Found by stem integration tests. + + o Minor bugfixes: + - Fix an invalid memory read that occured when a pluggable + transport proxy failed its configuration protocol. + Fixes bug 9288; bugfix on 0.2.4.1-alpha. + - When evaluating whether to use a connection that we haven't + decided is canonical using a recent link protocol version, + decide that it's canonical only if it used address _does_ + match the desired address. Fixes bug 9309; bugfix on + 0.2.4.4-alpha. Reported by skruffy. + - Make the default behavior of NumDirectoryGuards be to track + NumEntryGuards. Now a user who changes only NumEntryGuards will get + the behavior she expects. Fixes bug 9354; bugfix on 0.2.4.8-alpha. + - Fix a spurious compilation warning with some older versions of + GCC on FreeBSD. Fixes bug 9254; bugfix on 0.2.4.14-alpha. + + o Minor features: + - Update to the July 3 2013 Maxmind GeoLite Country database. + + +Changes in version 0.2.4.15-rc - 2013-07-01 + Tor 0.2.4.15-rc is the first release candidate for the Tor 0.2.4.x + series. It fixes a few smaller bugs, but generally appears stable. + Please test it and let us know whether it is! + + o Major bugfixes: + - When receiving a new configuration file via the control port's + LOADCONF command, do not treat the defaults file as absent. + Fixes bug 9122; bugfix on 0.2.3.9-alpha. + + o Minor features: + - Issue a warning when running with the bufferevents backend enabled. + It's still not stable, and people should know that they're likely + to hit unexpected problems. Closes ticket 9147. + + +Changes in version 0.2.4.14-alpha - 2013-06-18 + Tor 0.2.4.14-alpha fixes a pair of client guard enumeration problems + present in 0.2.4.13-alpha. + + o Major bugfixes: + - When we have too much memory queued in circuits (according to a new + MaxMemInCellQueues option), close the circuits consuming the most + memory. This prevents us from running out of memory as a relay if + circuits fill up faster than they can be drained. Fixes bug 9063; + bugfix on the 54th commit of Tor. This bug is a further fix beyond + bug 6252, whose fix was merged into 0.2.3.21-rc. + + This change also fixes an earlier approach taken in 0.2.4.13-alpha, + where we tried to solve this issue simply by imposing an upper limit + on the number of queued cells for a single circuit. That approach + proved to be problematic, since there are ways to provoke clients to + send a number of cells in excess of any such reasonable limit. Fixes + bug 9072; bugfix on 0.2.4.13-alpha. + + - Limit hidden service descriptors to at most ten introduction + points, to slow one kind of guard enumeration. Fixes bug 9002; + bugfix on 0.1.1.11-alpha. + + +Changes in version 0.2.4.13-alpha - 2013-06-14 + Tor 0.2.4.13-alpha fixes a variety of potential remote crash + vulnerabilities, makes socks5 username/password circuit isolation + actually actually work (this time for sure!), and cleans up a bunch + of other issues in preparation for a release candidate. + + o Major bugfixes (robustness): + - Close any circuit that has too many cells queued on it. Fixes + bug 9063; bugfix on the 54th commit of Tor. This bug is a further + fix beyond bug 6252, whose fix was merged into 0.2.3.21-rc. + - Prevent the get_freelists() function from running off the end of + the list of freelists if it somehow gets an unrecognized + allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by + eugenis. + - Avoid an assertion failure on OpenBSD (and perhaps other BSDs) + when an exit connection with optimistic data succeeds immediately + rather than returning EINPROGRESS. Fixes bug 9017; bugfix on + 0.2.3.1-alpha. + - Fix a directory authority crash bug when building a consensus + using an older consensus as its basis. Fixes bug 8833. Bugfix + on 0.2.4.12-alpha. + + o Major bugfixes: + - Avoid a memory leak where we would leak a consensus body when we + find that a consensus which we couldn't previously verify due to + missing certificates is now verifiable. Fixes bug 8719; bugfix + on 0.2.0.10-alpha. + - We used to always request authority certificates by identity digest, + meaning we'd get the newest one even when we wanted one with a + different signing key. Then we would complain about being given + a certificate we already had, and never get the one we really + wanted. Now we use the "fp-sk/" resource as well as the "fp/" + resource to request the one we want. Fixes bug 5595; bugfix on + 0.2.0.8-alpha. + - Follow the socks5 protocol when offering username/password + authentication. The fix for bug 8117 exposed this bug, and it + turns out real-world applications like Pidgin do care. Bugfix on + 0.2.3.2-alpha; fixes bug 8879. + - Prevent failures on Windows Vista and later when rebuilding the + microdescriptor cache. Diagnosed by Robert Ransom. Fixes bug 8822; + bugfix on 0.2.4.12-alpha. + + o Minor bugfixes: + - Fix an impossible buffer overrun in the AES unit tests. Fixes + bug 8845; bugfix on 0.2.0.7-alpha. Found by eugenis. + - If for some reason we fail to write a microdescriptor while + rebuilding the cache, do not let the annotations from that + microdescriptor linger in the cache file, and do not let the + microdescriptor stay recorded as present in its old location. + Fixes bug 9047; bugfix on 0.2.2.6-alpha. + - Fix a memory leak that would occur whenever a configuration + option changed. Fixes bug 8718; bugfix on 0.2.3.3-alpha. + - Paste the description for PathBias parameters from the man + page into or.h, so the code documents them too. Fixes bug 7982; + bugfix on 0.2.3.17-beta and 0.2.4.8-alpha. + - Relays now treat a changed IPv6 ORPort as sufficient reason to + publish an updated descriptor. Fixes bug 6026; bugfix on + 0.2.4.1-alpha. + - When launching a resolve request on behalf of an AF_UNIX control + socket, omit the address field of the new entry connection, used in + subsequent controller events, rather than letting tor_dup_addr() + set it to "<unknown address type>". Fixes bug 8639; bugfix on + 0.2.4.12-alpha. + + o Minor bugfixes (log messages): + - Fix a scaling issue in the path bias accounting code that + resulted in "Bug:" log messages from either + pathbias_scale_close_rates() or pathbias_count_build_success(). + This represents a bugfix on a previous bugfix: the original fix + attempted in 0.2.4.10-alpha was incomplete. Fixes bug 8235; bugfix + on 0.2.4.1-alpha. + - Give a less useless error message when the user asks for an IPv4 + address on an IPv6-only port, or vice versa. Fixes bug 8846; bugfix + on 0.2.4.7-alpha. + + o Minor features: + - Downgrade "unexpected SENDME" warnings to protocol-warn for 0.2.4.x, + to tolerate bug 8093 for now. + - Add an "ignoring-advertised-bws" boolean to the flag-threshold lines + in directory authority votes to describe whether they have enough + measured bandwidths to ignore advertised (relay descriptor) + bandwidth claims. Resolves ticket 8711. + - Update to the June 5 2013 Maxmind GeoLite Country database. + + o Removed documentation: + - Remove some of the older contents of doc/ as obsolete; move others + to torspec.git. Fixes bug 8965. + + o Code simplification and refactoring: + - Avoid using character buffers when constructing most directory + objects: this approach was unwieldy and error-prone. Instead, + build smartlists of strings, and concatenate them when done. + + +Changes in version 0.2.4.12-alpha - 2013-04-18 + Tor 0.2.4.12-alpha moves Tor forward on several fronts: it starts the + process for lengthening the guard rotation period, makes directory + authority opinions in the consensus a bit less gameable, makes socks5 + username/password circuit isolation actually work, and fixes a wide + variety of other issues. + + o Major features: + - Raise the default time that a client keeps an entry guard from + "1-2 months" to "2-3 months", as suggested by Tariq Elahi's WPES + 2012 paper. (We would make it even longer, but we need better client + load balancing first.) Also, make the guard lifetime controllable + via a new GuardLifetime torrc option and a GuardLifetime consensus + parameter. Start of a fix for bug 8240; bugfix on 0.1.1.11-alpha. + - Directory authorities now prefer using measured bandwidths to + advertised ones when computing flags and thresholds. Resolves + ticket 8273. + - Directory authorities that have more than a threshold number + of relays with measured bandwidths now treat relays with unmeasured + bandwidths as having bandwidth 0. Resolves ticket 8435. + + o Major bugfixes (assert / resource use): + - Avoid a bug where our response to TLS renegotiation under certain + network conditions could lead to a busy-loop, with 100% CPU + consumption. Fixes bug 5650; bugfix on 0.2.0.16-alpha. + - Avoid an assertion when we discover that we'd like to write a cell + onto a closing connection: just discard the cell. Fixes another + case of bug 7350; bugfix on 0.2.4.4-alpha. + + o Major bugfixes (client-side privacy): + - When we mark a circuit as unusable for new circuits, have it + continue to be unusable for new circuits even if MaxCircuitDirtiness + is increased too much at the wrong time, or the system clock jumps + backwards. Fixes bug 6174; bugfix on 0.0.2pre26. + - If ClientDNSRejectInternalAddresses ("do not believe DNS queries + which have resolved to internal addresses") is set, apply that + rule to IPv6 as well. Fixes bug 8475; bugfix on 0.2.0.7-alpha. + - When an exit relay rejects a stream with reason "exit policy", but + we only know an exit policy summary (e.g. from the microdesc + consensus) for it, do not mark the relay as useless for all exiting. + Instead, mark just the circuit as unsuitable for that particular + address. Fixes part of bug 7582; bugfix on 0.2.3.2-alpha. + - Allow applications to get proper stream isolation with + IsolateSOCKSAuth. Many SOCKS5 clients that want to offer + username/password authentication also offer "no authentication". Tor + had previously preferred "no authentication", so the applications + never actually sent Tor their auth details. Now Tor selects + username/password authentication if it's offered. You can disable + this behavior on a per-SOCKSPort basis via PreferSOCKSNoAuth. Fixes + bug 8117; bugfix on 0.2.3.3-alpha. + + o Major bugfixes (other): + - When unable to find any working directory nodes to use as a + directory guard, give up rather than adding the same non-working + nodes to the directory guard list over and over. Fixes bug 8231; + bugfix on 0.2.4.8-alpha. + + o Minor features: + - Reject as invalid most directory objects containing a NUL. + Belt-and-suspender fix for bug 8037. + - In our testsuite, create temporary directories with a bit more + entropy in their name to make name collisions less likely. Fixes + bug 8638. + - Add CACHED keyword to ADDRMAP events in the control protocol + to indicate whether a DNS result will be cached or not. Resolves + ticket 8596. + - Update to the April 3 2013 Maxmind GeoLite Country database. + + o Minor features (build): + - Detect and reject attempts to build Tor with threading support + when OpenSSL has been compiled without threading support. + Fixes bug 6673. + - Clarify that when autoconf is checking for nacl, it is checking + specifically for nacl with a fast curve25519 implementation. + Fixes bug 8014. + - Warn if building on a platform with an unsigned time_t: there + are too many places where Tor currently assumes that time_t can + hold negative values. We'd like to fix them all, but probably + some will remain. + + o Minor bugfixes (build): + - Fix some bugs in tor-fw-helper-natpmp when trying to build and + run it on Windows. More bugs likely remain. Patch from Gisle Vanem. + Fixes bug 7280; bugfix on 0.2.3.1-alpha. + - Add the old src/or/micro-revision.i filename to CLEANFILES. + On the off chance that somebody has one, it will go away as soon + as they run "make clean". Fix for bug 7143; bugfix on 0.2.4.1-alpha. + - Build Tor correctly on 32-bit platforms where the compiler can build + but not run code using the "uint128_t" construction. Fixes bug 8587; + bugfix on 0.2.4.8-alpha. + - Fix compilation warning with some versions of clang that would + prefer the -Wswitch-enum compiler flag to warn about switch + statements with missing enum values, even if those switch + statements have a "default:" statement. Fixes bug 8598; bugfix + on 0.2.4.10-alpha. + + o Minor bugfixes (protocol): + - Fix the handling of a TRUNCATE cell when it arrives while the + circuit extension is in progress. Fixes bug 7947; bugfix on 0.0.7.1. + - Fix a misframing issue when reading the version numbers in a + VERSIONS cell. Previously we would recognize [00 01 00 02] as + 'version 1, version 2, and version 0x100', when it should have + only included versions 1 and 2. Fixes bug 8059; bugfix on + 0.2.0.10-alpha. Reported pseudonymously. + - Make the format and order of STREAM events for DNS lookups + consistent among the various ways to launch DNS lookups. Fixes + bug 8203; bugfix on 0.2.0.24-rc. Patch by "Desoxy." + - Correct our check for which versions of Tor support the EXTEND2 + cell. We had been willing to send it to Tor 0.2.4.7-alpha and + later, when support was really added in version 0.2.4.8-alpha. + Fixes bug 8464; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (other): + - Correctly store microdescriptors and extrainfo descriptors with + an internal NUL byte. Fixes bug 8037; bugfix on 0.2.0.1-alpha. + Bug reported by "cypherpunks". + - Increase the width of the field used to remember a connection's + link protocol version to two bytes. Harmless for now, since the + only currently recognized versions are one byte long. Reported + pseudonymously. Fixes bug 8062; bugfix on 0.2.0.10-alpha. + - If the state file's path bias counts are invalid (presumably from a + buggy Tor prior to 0.2.4.10-alpha), make them correct. Also add + additional checks and log messages to the scaling of Path Bias + counts, in case there still are remaining issues with scaling. + Should help resolve bug 8235. + - Eliminate several instances where we use "Nickname=ID" to refer to + nodes in logs. Use "Nickname (ID)" instead. (Elsewhere, we still use + "$ID=Nickname", which is also acceptable.) Fixes bug 7065. Bugfix + on 0.2.3.21-rc, 0.2.4.5-alpha, 0.2.4.8-alpha, and 0.2.4.10-alpha. + + o Minor bugfixes (syscalls): + - Always check the return values of functions fcntl() and + setsockopt(). We don't believe these are ever actually failing in + practice, but better safe than sorry. Also, checking these return + values should please analysis tools like Coverity. Patch from + 'flupzor'. Fixes bug 8206; bugfix on all versions of Tor. + - Use direct writes rather than stdio when building microdescriptor + caches, in an attempt to mitigate bug 8031, or at least make it + less common. + + o Minor bugfixes (config): + - When rejecting a configuration because we were unable to parse a + quoted string, log an actual error message. Fixes bug 7950; bugfix + on 0.2.0.16-alpha. + - Behave correctly when the user disables LearnCircuitBuildTimeout + but doesn't tell us what they would like the timeout to be. Fixes + bug 6304; bugfix on 0.2.2.14-alpha. + - When autodetecting the number of CPUs, use the number of available + CPUs in preference to the number of configured CPUs. Inform the + user if this reduces the number of available CPUs. Fixes bug 8002; + bugfix on 0.2.3.1-alpha. + - Make it an error when you set EntryNodes but disable UseGuardNodes, + since it will (surprisingly to some users) ignore EntryNodes. Fixes + bug 8180; bugfix on 0.2.3.11-alpha. + - Allow TestingTorNetworks to override the 4096-byte minimum for + the Fast threshold. Otherwise they can't bootstrap until they've + observed more traffic. Fixes bug 8508; bugfix on 0.2.4.10-alpha. + - Fix some logic errors when the user manually overrides the + PathsNeededToBuildCircuits option in torrc. Fixes bug 8599; bugfix + on 0.2.4.10-alpha. + + o Minor bugfixes (log messages to help diagnose bugs): + - If we fail to free a microdescriptor because of bug 7164, log + the filename and line number from which we tried to free it. + - Add another diagnostic to the heartbeat message: track and log + overhead that TLS is adding to the data we write. If this is + high, we are sending too little data to SSL_write at a time. + Diagnostic for bug 7707. + - Add more detail to a log message about relaxed timeouts, to help + track bug 7799. + - Warn more aggressively when flushing microdescriptors to a + microdescriptor cache fails, in an attempt to mitigate bug 8031, + or at least make it more diagnosable. + - Improve debugging output to help track down bug 8185 ("Bug: + outgoing relay cell has n_chan==NULL. Dropping.") + - Log the purpose of a path-bias testing circuit correctly. + Improves a log message from bug 8477; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (0.2.4.x log messages that were too noisy): + - Don't attempt to relax the timeout of already opened 1-hop circuits. + They might never timeout. This should eliminate some/all cases of + the relaxed timeout log message. + - Use circuit creation time for network liveness evaluation. This + should eliminate warning log messages about liveness caused + by changes in timeout evaluation. Fixes bug 6572; bugfix on + 0.2.4.8-alpha. + - Reduce a path bias length check from notice to info. The message + is triggered when creating controller circuits. Fixes bug 8196; + bugfix on 0.2.4.8-alpha. + - Fix a path state issue that triggered a notice during relay startup. + Fixes bug 8320; bugfix on 0.2.4.10-alpha. + - Reduce occurrences of warns about circuit purpose in + connection_ap_expire_building(). Fixes bug 8477; bugfix on + 0.2.4.11-alpha. + + o Minor bugfixes (pre-0.2.4.x log messages that were too noisy): + - If we encounter a write failure on a SOCKS connection before we + finish our SOCKS handshake, don't warn that we closed the + connection before we could send a SOCKS reply. Fixes bug 8427; + bugfix on 0.1.0.1-rc. + - Correctly recognize that [::1] is a loopback address. Fixes + bug 8377; bugfix on 0.2.1.3-alpha. + - Fix a directory authority warn caused when we have a large amount + of badexit bandwidth. Fixes bug 8419; bugfix on 0.2.2.10-alpha. + - Don't log inappropriate heartbeat messages when hibernating: a + hibernating node is _expected_ to drop out of the consensus, + decide it isn't bootstrapped, and so forth. Fixes bug 7302; + bugfix on 0.2.3.1-alpha. + - Don't complain about bootstrapping problems while hibernating. + These complaints reflect a general code problem, but not one + with any problematic effects (no connections are actually + opened). Fixes part of bug 7302; bugfix on 0.2.3.2-alpha. + + o Documentation fixes: + - Update tor-fw-helper.1.txt and tor-fw-helper.c to make option + names match. Fixes bug 7768. + - Make the torify manpage no longer refer to tsocks; torify hasn't + supported tsocks since 0.2.3.14-alpha. + - Make the tor manpage no longer reference tsocks. + - Fix the GeoIPExcludeUnknown documentation to refer to + ExcludeExitNodes rather than the currently nonexistent + ExcludeEntryNodes. Spotted by "hamahangi" on tor-talk. + + o Removed files: + - The tor-tsocks.conf is no longer distributed or installed. We + recommend that tsocks users use torsocks instead. Resolves + ticket 8290. + + +Changes in version 0.2.4.11-alpha - 2013-03-11 + Tor 0.2.4.11-alpha makes relay measurement by directory authorities + more robust, makes hidden service authentication work again, and + resolves a DPI fingerprint for Tor's SSL transport. + + o Major features (directory authorities): + - Directory authorities now support a new consensus method (17) + where they cap the published bandwidth of servers for which + insufficient bandwidth measurements exist. Fixes part of bug 2286. + - Directory authorities that set "DisableV2DirectoryInfo_ 1" no longer + serve any v2 directory information. Now we can test disabling the + old deprecated v2 directory format, and see whether doing so has + any effect on network load. Begins to fix bug 6783. + - Directory authorities now include inside each vote a statement of + the performance thresholds they used when assigning flags. + Implements ticket 8151. + + o Major bugfixes (directory authorities): + - Stop marking every relay as having been down for one hour every + time we restart a directory authority. These artificial downtimes + were messing with our Stable and Guard flag calculations. Fixes + bug 8218 (introduced by the fix for 1035). Bugfix on 0.2.2.23-alpha. + + o Major bugfixes (hidden services): + - Allow hidden service authentication to succeed again. When we + refactored the hidden service introduction code back + in 0.2.4.1-alpha, we didn't update the code that checks + whether authentication information is present, causing all + authentication checks to return "false". Fix for bug 8207; bugfix + on 0.2.4.1-alpha. Found by Coverity; this is CID 718615. + + o Minor features (relays, bridges): + - Make bridge relays check once a minute for whether their IP + address has changed, rather than only every 15 minutes. Resolves + bugs 1913 and 1992. + - Refactor resolve_my_address() so it returns the method by which we + decided our public IP address (explicitly configured, resolved from + explicit hostname, guessed from interfaces, learned by gethostname). + Now we can provide more helpful log messages when a relay guesses + its IP address incorrectly (e.g. due to unexpected lines in + /etc/hosts). Resolves ticket 2267. + - Teach bridge-using clients to avoid 0.2.2 bridges when making + microdescriptor-related dir requests, and only fall back to normal + descriptors if none of their bridges can handle microdescriptors + (as opposed to the fix in ticket 4013, which caused them to fall + back to normal descriptors if *any* of their bridges preferred + them). Resolves ticket 4994. + - Randomize the lifetime of our SSL link certificate, so censors can't + use the static value for filtering Tor flows. Resolves ticket 8443; + related to ticket 4014 which was included in 0.2.2.33. + - Support a new version of the link protocol that allows 4-byte circuit + IDs. Previously, circuit IDs were limited to 2 bytes, which presented + a possible resource exhaustion issue. Closes ticket 7351; implements + proposal 214. + + o Minor features (portability): + - Tweak the curve25519-donna*.c implementations to tolerate systems + that lack stdint.h. Fixes bug 3894; bugfix on 0.2.4.8-alpha. + - Use Ville Laurikari's implementation of AX_CHECK_SIGN() to determine + the signs of types during autoconf. This is better than our old + approach, which didn't work when cross-compiling. + - Detect the sign of enum values, rather than assuming that MSC is the + only compiler where enum types are all signed. Fixes bug 7727; + bugfix on 0.2.4.10-alpha. + + o Minor features (other): + - Say "KBytes" rather than "KB" in the man page (for various values + of K), to further reduce confusion about whether Tor counts in + units of memory or fractions of units of memory. Resolves ticket 7054. + - Clear the high bit on curve25519 public keys before passing them to + our backend, in case we ever wind up using a backend that doesn't do + so itself. If we used such a backend, and *didn't* clear the high bit, + we could wind up in a situation where users with such backends would + be distinguishable from users without. Fixes bug 8121; bugfix on + 0.2.4.8-alpha. + - Update to the March 6 2013 Maxmind GeoLite Country database. + + o Minor bugfixes (clients): + - When we receive a RELAY_END cell with the reason DONE, or with no + reason, before receiving a RELAY_CONNECTED cell, report the SOCKS + status as "connection refused". Previously we reported these cases + as success but then immediately closed the connection. Fixes bug + 7902; bugfix on 0.1.0.1-rc. Reported by "oftc_must_be_destroyed". + - Downgrade an assertion in connection_ap_expire_beginning to an + LD_BUG message. The fix for bug 8024 should prevent this message + from displaying, but just in case, a warn that we can diagnose + is better than more assert crashes. Fixes bug 8065; bugfix on + 0.2.4.8-alpha. + - Lower path use bias thresholds to .80 for notice and .60 for warn. + Also make the rate limiting flags for the path use bias log messages + independent from the original path bias flags. Fixes bug 8161; + bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (relays): + - Stop trying to resolve our hostname so often (e.g. every time we + think about doing a directory fetch). Now we reuse the cached + answer in some cases. Fixes bugs 1992 (bugfix on 0.2.0.20-rc) + and 2410 (bugfix on 0.1.2.2-alpha). + - Stop sending a stray "(null)" in some cases for the server status + "EXTERNAL_ADDRESS" controller event. Resolves bug 8200; bugfix + on 0.1.2.6-alpha. + - When choosing which stream on a formerly stalled circuit to wake + first, make better use of the platform's weak RNG. Previously, + we had been using the % ("modulo") operator to try to generate a + 1/N chance of picking each stream, but this behaves badly with + many platforms' choice of weak RNG. Fixes bug 7801; bugfix on + 0.2.2.20-alpha. + - Use our own weak RNG when we need a weak RNG. Windows's rand() and + Irix's random() only return 15 bits; Solaris's random() returns more + bits but its RAND_MAX says it only returns 15, and so on. Motivated + by the fix for bug 7801; bugfix on 0.2.2.20-alpha. + + o Minor bugfixes (directory authorities): + - Directory authorities now use less space when formatting identical + microdescriptor lines in directory votes. Fixes bug 8158; bugfix + on 0.2.4.1-alpha. + + o Minor bugfixes (memory leaks spotted by Coverity -- bug 7816): + - Avoid leaking memory if we fail to compute a consensus signature + or we generate a consensus we can't parse. Bugfix on 0.2.0.5-alpha. + - Fix a memory leak when receiving headers from an HTTPS proxy. Bugfix + on 0.2.1.1-alpha. + - Fix a memory leak during safe-cookie controller authentication. + Bugfix on 0.2.3.13-alpha. + - Avoid memory leak of IPv6 policy content if we fail to format it into + a router descriptor. Bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (other code correctness issues): + - Avoid a crash if we fail to generate an extrainfo descriptor. + Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity; + this is CID 718634. + - When detecting the largest possible file descriptor (in order to + close all file descriptors when launching a new program), actually + use _SC_OPEN_MAX. The old code for doing this was very, very broken. + Fixes bug 8209; bugfix on 0.2.3.1-alpha. Found by Coverity; this + is CID 743383. + - Fix a copy-and-paste error when adding a missing A1 to a routerset + because of GeoIPExcludeUnknown. Fix for Coverity CID 980650. + Bugfix on 0.2.4.10-alpha. + - Fix an impossible-to-trigger integer overflow when estimating how + long our onionskin queue would take. (This overflow would require us + to accept 4 million onionskins before processing 100 of them.) Fixes + bug 8210; bugfix on 0.2.4.10-alpha. + + o Code simplification and refactoring: + - Add a wrapper function for the common "log a message with a + rate-limit" case. + + Changes in version 0.2.4.10-alpha - 2013-02-04 Tor 0.2.4.10-alpha adds defenses at the directory authority level from certain attacks that flood the network with relays; changes the queue @@ -303,7 +1498,7 @@ Changes in version 0.2.4.7-alpha - 2012-12-24 "FallbackNetworkstatus" option, since we never got it working well enough to use it. Closes bug 572. - If we have no circuits open, use a relaxed timeout (the - 95-percentile cutoff) until a circuit succeeds. This heuristic + 95th-percentile cutoff) until a circuit succeeds. This heuristic should allow Tor to succeed at building circuits even when the network connection drastically changes. Should help with bug 3443. diff --git a/ReleaseNotes b/ReleaseNotes index d68eca99eb..0ae0576fff 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -3,6 +3,1504 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.4.29 - 2017-06-08 + Tor 0.2.4.29 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) + + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + +Changes in version 0.2.4.28 - 2017-03-03 + Tor 0.2.4.28 backports a number of security fixes from later Tor + releases. Anybody running Tor 0.2.4.27 or earlier should upgrade to + this release, if for some reason they cannot upgrade to a later + release series. + + Note that support for Tor 0.2.4.x is ending soon: we will not issue + any fixes for the Tor 0.2.4.x series after 1 August 2017. If you need + a Tor release series with long-term support, we recommend Tor 0.2.9.x. + + o Directory authority changes (backport from 0.2.8.5-rc): + - Urras is no longer a directory authority. Closes ticket 19271. + + o Directory authority changes (backport from 0.2.9.2-alpha): + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Directory authority key updates (backport from 0.2.8.1-alpha): + - Update the V3 identity key for the dannenberg directory authority: + it was changed on 18 November 2015. Closes task 17906. Patch + by "teor". + + o Major features (security fixes, backport from 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Major bugfixes (parsing, security, backport from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Major bugfixes (security, correctness, backport from 0.2.7.4-rc): + - Fix an error that could cause us to read 4 bytes before the + beginning of an openssl string. This bug could be used to cause + Tor to crash on systems with unusual malloc implementations, or + systems with unusual hardening installed. Fixes bug 17404; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha): + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. Fixes bug 18162; + bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. + Reported by Guido Vranken. + + o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". + + o Major bugfixes (guard selection, backport from 0.2.7.6): + - Actually look at the Guard flag when selecting a new directory + guard. When we implemented the directory guard design, we + accidentally started treating all relays as if they have the Guard + flag during guard selection, leading to weaker anonymity and worse + performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered + by Mohsen Imani. + + o Major bugfixes (key management, backport from 0.2.8.3-alpha): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (security, memory erasure, backport from 0.2.8.1-alpha): + - Make memwipe() do nothing when passed a NULL pointer or buffer of + zero size. Check size argument to memwipe() for underflow. Fixes + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", + patch by "teor". + + o Minor features (bug-resistance, backport from 0.2.8.2-alpha): + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. + + o Minor features (DoS-resistance, backport from 0.2.7.1-alpha): + - Make it harder for attackers to overload hidden services with + introductions, by blocking multiple introduction requests on the + same circuit. Resolves ticket 15515. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation, backport from 0.2.7.6): + - Fix a compilation warning with Clang 3.6: Do not check the + presence of an address which can never be NULL. Fixes bug 17781. + + o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha): + - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on + a client authorized hidden service. Fixes bug 15823; bugfix + on 0.2.1.6-alpha. + + +Changes in version 0.2.4.27 - 2015-04-06 + Tor 0.2.4.27 backports two fixes from 0.2.6.7 for security issues that + could be used by an attacker to crash hidden services, or crash clients + visiting hidden services. Hidden services should upgrade as soon as + possible; clients should upgrade whenever packages become available. + + This release also backports a simple improvement to make hidden + services a bit less vulnerable to denial-of-service attacks. + + o Major bugfixes (security, hidden service): + - Fix an issue that would allow a malicious client to trigger an + assertion failure and halt a hidden service. Fixes bug 15600; + bugfix on 0.2.1.6-alpha. Reported by "disgleirio". + - Fix a bug that could cause a client to crash with an assertion + failure when parsing a malformed hidden service descriptor. Fixes + bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC". + + o Minor features (DoS-resistance, hidden service): + - Introduction points no longer allow multiple INTRODUCE1 cells to + arrive on the same circuit. This should make it more expensive for + attackers to overwhelm hidden services with introductions. + Resolves ticket 15515. + + +Changes in version 0.2.4.26 - 2015-03-17 + Tor 0.2.4.26 includes an updated list of directory authorities. It + also backports a couple of stability and security bugfixes from 0.2.5 + and beyond. + + o Directory authority changes: + - Remove turtles as a directory authority. + - Add longclaw as a new (v3) directory authority. This implements + ticket 13296. This keeps the directory authority count at 9. + - The directory authority Faravahar has a new IP address. This + closes ticket 14487. + + o Major bugfixes (exit node stability, also in 0.2.6.3-alpha): + - Fix an assertion failure that could occur under high DNS load. + Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr"; + diagnosed and fixed by "cypherpunks". + + o Major bugfixes (relay, stability, possible security, also in 0.2.6.4-rc): + - Fix a bug that could lead to a relay crashing with an assertion + failure if a buffer of exactly the wrong layout was passed to + buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on + 0.2.0.10-alpha. Patch from 'cypherpunks'. + - Do not assert if the 'data' pointer on a buffer is advanced to the + very end of the buffer; log a BUG message instead. Only assert if + it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. + + o Minor features (geoip): + - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database. + - Update geoip6 to the March 3 2015 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.4.25 - 2014-10-20 + Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack + (even though POODLE does not affect Tor). It also works around a crash + bug caused by some operating systems' response to the "POODLE" attack + (which does affect Tor). + + o Major security fixes (also in 0.2.5.9-rc): + - Disable support for SSLv3. All versions of OpenSSL in use with Tor + today support TLS 1.0 or later, so we can safely turn off support + for this old (and insecure) protocol. Fixes bug 13426. + + o Major bugfixes (openssl bug workaround, also in 0.2.5.9-rc): + - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or + 1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug + 13471. This is a workaround for an OpenSSL bug. + + +Changes in version 0.2.4.24 - 2014-09-22 + Tor 0.2.4.24 fixes a bug that affects consistency and speed when + connecting to hidden services, and it updates the location of one of + the directory authorities. + + o Major bugfixes: + - Clients now send the correct address for their chosen rendezvous + point when trying to access a hidden service. They used to send + the wrong address, which would still work some of the time because + they also sent the identity digest of the rendezvous point, and if + the hidden service happened to try connecting to the rendezvous + point from a relay that already had a connection open to it, + the relay would reuse that connection. Now connections to hidden + services should be more robust and faster. Also, this bug meant + that clients were leaking to the hidden service whether they were + on a little-endian (common) or big-endian (rare) system, which for + some users might have reduced their anonymity. Fixes bug 13151; + bugfix on 0.2.1.5-alpha. + + o Directory authority changes: + - Change IP address for gabelmoo (v3 directory authority). + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.4.23 - 2014-07-28 + Tor 0.2.4.23 brings us a big step closer to slowing down the risk from + guard rotation, and also backports several important fixes from the + Tor 0.2.5 alpha release series. + + o Major features: + - Clients now look at the "usecreatefast" consensus parameter to + decide whether to use CREATE_FAST or CREATE cells for the first hop + of their circuit. This approach can improve security on connections + where Tor's circuit handshake is stronger than the available TLS + connection security levels, but the tradeoff is more computational + load on guard relays. Implements proposal 221. Resolves ticket 9386. + - Make the number of entry guards configurable via a new + NumEntryGuards consensus parameter, and the number of directory + guards configurable via a new NumDirectoryGuards consensus + parameter. Implements ticket 12688. + + o Major bugfixes: + - Fix a bug in the bounds-checking in the 32-bit curve25519-donna + implementation that caused incorrect results on 32-bit + implementations when certain malformed inputs were used along with + a small class of private ntor keys. This bug does not currently + appear to allow an attacker to learn private keys or impersonate a + Tor server, but it could provide a means to distinguish 32-bit Tor + implementations from 64-bit Tor implementations. Fixes bug 12694; + bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from + Adam Langley. + + o Minor bugfixes: + - Warn and drop the circuit if we receive an inbound 'relay early' + cell. Those used to be normal to receive on hidden service circuits + due to bug 1038, but the buggy Tor versions are long gone from + the network so we can afford to resume watching for them. Resolves + the rest of bug 1038; bugfix on 0.2.1.19. + - Correct a confusing error message when trying to extend a circuit + via the control protocol but we don't know a descriptor or + microdescriptor for one of the specified relays. Fixes bug 12718; + bugfix on 0.2.3.1-alpha. + - Avoid an illegal read from stack when initializing the TLS + module using a version of OpenSSL without all of the ciphers + used by the v2 link handshake. Fixes bug 12227; bugfix on + 0.2.4.8-alpha. Found by "starlight". + + o Minor features: + - Update geoip and geoip6 to the July 10 2014 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.4.22 - 2014-05-16 + Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5 + alpha release series. These include blocking all authority signing + keys that may have been affected by the OpenSSL "heartbleed" bug, + choosing a far more secure set of TLS ciphersuites by default, closing + a couple of memory leaks that could be used to run a target relay out + of RAM, and several others. + + o Major features (security, backport from 0.2.5.4-alpha): + - Block authority signing keys that were used on authorities + vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We + don't have any evidence that these keys _were_ compromised; we're + doing this to be prudent.) Resolves ticket 11464. + + o Major bugfixes (security, OOM): + - Fix a memory leak that could occur if a microdescriptor parse + fails during the tokenizing step. This bug could enable a memory + exhaustion attack by directory servers. Fixes bug 11649; bugfix + on 0.2.2.6-alpha. + + o Major bugfixes (TLS cipher selection, backport from 0.2.5.4-alpha): + - The relay ciphersuite list is now generated automatically based on + uniform criteria, and includes all OpenSSL ciphersuites with + acceptable strength and forward secrecy. Previously, we had left + some perfectly fine ciphersuites unsupported due to omission or + typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by + 'cypherpunks'. Bugfix on 0.2.4.8-alpha. + - Relays now trust themselves to have a better view than clients of + which TLS ciphersuites are better than others. (Thanks to bug + 11513, the relay list is now well-considered, whereas the client + list has been chosen mainly for anti-fingerprinting purposes.) + Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over + CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over + AES128. Resolves ticket 11528. + - Clients now try to advertise the same list of ciphersuites as + Firefox 28. This change enables selection of (fast) GCM + ciphersuites, disables some strange old ciphers, and stops + advertising the ECDH (not to be confused with ECDHE) ciphersuites. + Resolves ticket 11438. + + o Minor bugfixes (configuration, security): + - When running a hidden service, do not allow TunneledDirConns 0: + trying to set that option together with a hidden service would + otherwise prevent the hidden service from running, and also make + it publish its descriptors directly over HTTP. Fixes bug 10849; + bugfix on 0.2.1.1-alpha. + + o Minor bugfixes (controller, backport from 0.2.5.4-alpha): + - Avoid sending a garbage value to the controller when a circuit is + cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha. + + o Minor bugfixes (exit relay, backport from 0.2.5.4-alpha): + - Stop leaking memory when we successfully resolve a PTR record. + Fixes bug 11437; bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (bridge client, backport from 0.2.5.4-alpha): + - Avoid 60-second delays in the bootstrapping process when Tor is + launching for a second time while using bridges. Fixes bug 9229; + bugfix on 0.2.0.3-alpha. + + o Minor bugfixes (relays and bridges, backport from 0.2.5.4-alpha): + - Give the correct URL in the warning message when trying to run a + relay on an ancient version of Windows. Fixes bug 9393. + + o Minor bugfixes (compilation): + - Fix a compilation error when compiling with --disable-curve25519. + Fixes bug 9700; bugfix on 0.2.4.17-rc. + + o Minor bugfixes: + - Downgrade the warning severity for the the "md was still + referenced 1 node(s)" warning. Tor 0.2.5.4-alpha has better code + for trying to diagnose this bug, and the current warning in + earlier versions of tor achieves nothing useful. Addresses warning + from bug 7164. + + o Minor features (log verbosity, backport from 0.2.5.4-alpha): + - When we run out of usable circuit IDs on a channel, log only one + warning for the whole channel, and describe how many circuits + there were on the channel. Fixes part of ticket 11553. + + o Minor features (security, backport from 0.2.5.4-alpha): + - Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but + leave the default at 8GBytes), to better support Raspberry Pi + users. Fixes bug 9686; bugfix on 0.2.4.14-alpha. + + o Documentation (backport from 0.2.5.4-alpha): + - Correctly document that we search for a system torrc file before + looking in ~/.torrc. Fixes documentation side of 9213; bugfix on + 0.2.3.18-rc. + + +Changes in version 0.2.4.21 - 2014-02-28 + Tor 0.2.4.21 further improves security against potential adversaries who + find breaking 1024-bit crypto doable, and backports several stability + and robustness patches from the 0.2.5 branch. + + o Major features (client security): + - When we choose a path for a 3-hop circuit, make sure it contains + at least one relay that supports the NTor circuit extension + handshake. Otherwise, there is a chance that we're building + a circuit that's worth attacking by an adversary who finds + breaking 1024-bit crypto doable, and that chance changes the game + theory. Implements ticket 9777. + + o Major bugfixes: + - Do not treat streams that fail with reason + END_STREAM_REASON_INTERNAL as indicating a definite circuit failure, + since it could also indicate an ENETUNREACH connection error. Fixes + part of bug 10777; bugfix on 0.2.4.8-alpha. + + o Code simplification and refactoring: + - Remove data structures which were introduced to implement the + CellStatistics option: they are now redundant with the new timestamp + field in the regular packed_cell_t data structure, which we did + in 0.2.4.18-rc in order to resolve bug 9093. Resolves ticket 10870. + + o Minor features: + - Always clear OpenSSL bignums before freeing them -- even bignums + that don't contain secrets. Resolves ticket 10793. Patch by + Florent Daigniere. + - Build without warnings under clang 3.4. (We have some macros that + define static functions only some of which will get used later in + the module. Starting with clang 3.4, these give a warning unless the + unused attribute is set on them.) Resolves ticket 10904. + - Update geoip and geoip6 files to the February 7 2014 Maxmind + GeoLite2 Country database. + + o Minor bugfixes: + - Set the listen() backlog limit to the largest actually supported + on the system, not to the value in a header file. Fixes bug 9716; + bugfix on every released Tor. + - Treat ENETUNREACH, EACCES, and EPERM connection failures at an + exit node as a NOROUTE error, not an INTERNAL error, since they + can apparently happen when trying to connect to the wrong sort + of netblocks. Fixes part of bug 10777; bugfix on 0.1.0.1-rc. + - Fix build warnings about missing "a2x" comment when building the + manpages from scratch on OpenBSD; OpenBSD calls it "a2x.py". + Fixes bug 10929; bugfix on 0.2.2.9-alpha. Patch from Dana Koch. + - Avoid a segfault on SIGUSR1, where we had freed a connection but did + not entirely remove it from the connection lists. Fixes bug 9602; + bugfix on 0.2.4.4-alpha. + - Fix a segmentation fault in our benchmark code when running with + Fedora's OpenSSL package, or any other OpenSSL that provides + ECDH but not P224. Fixes bug 10835; bugfix on 0.2.4.8-alpha. + - Turn "circuit handshake stats since last time" log messages into a + heartbeat message. Fixes bug 10485; bugfix on 0.2.4.17-rc. + + o Documentation fixes: + - Document that all but one DirPort entry must have the NoAdvertise + flag set. Fixes bug 10470; bugfix on 0.2.3.3-alpha / 0.2.3.16-alpha. + + +Changes in version 0.2.4.20 - 2013-12-22 + Tor 0.2.4.20 fixes potentially poor random number generation for users + who 1) use OpenSSL 1.0.0 or later, 2) set "HardwareAccel 1" in their + torrc file, 3) have "Sandy Bridge" or "Ivy Bridge" Intel processors, + and 4) have no state file in their DataDirectory (as would happen on + first start). Users who generated relay or hidden service identity + keys in such a situation should discard them and generate new ones. + + This release also fixes a logic error that caused Tor clients to build + many more preemptive circuits than they actually need. + + o Major bugfixes: + - Do not allow OpenSSL engines to replace the PRNG, even when + HardwareAccel is set. The only default builtin PRNG engine uses + the Intel RDRAND instruction to replace the entire PRNG, and + ignores all attempts to seed it with more entropy. That's + cryptographically stupid: the right response to a new alleged + entropy source is never to discard all previously used entropy + sources. Fixes bug 10402; works around behavior introduced in + OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman" + and "rl1987". + - Fix assertion failure when AutomapHostsOnResolve yields an IPv6 + address. Fixes bug 10465; bugfix on 0.2.4.7-alpha. + - Avoid launching spurious extra circuits when a stream is pending. + This fixes a bug where any circuit that _wasn't_ unusable for new + streams would be treated as if it were, causing extra circuits to + be launched. Fixes bug 10456; bugfix on 0.2.4.12-alpha. + + o Minor bugfixes: + - Avoid a crash bug when starting with a corrupted microdescriptor + cache file. Fixes bug 10406; bugfix on 0.2.2.6-alpha. + - If we fail to dump a previously cached microdescriptor to disk, avoid + freeing duplicate data later on. Fixes bug 10423; bugfix on + 0.2.4.13-alpha. Spotted by "bobnomnom". + + +Changes in version 0.2.4.19 - 2013-12-11 + The Tor 0.2.4 release series is dedicated to the memory of Aaron Swartz + (1986-2013). Aaron worked on diverse projects including helping to guide + Creative Commons, playing a key role in stopping SOPA/PIPA, bringing + transparency to the U.S government's PACER documents, and contributing + design and development for Tor and Tor2Web. Aaron was one of the latest + martyrs in our collective fight for civil liberties and human rights, + and his death is all the more painful because he was one of us. + + Tor 0.2.4.19, the first stable release in the 0.2.4 branch, features + a new circuit handshake and link encryption that use ECC to provide + better security and efficiency; makes relays better manage circuit + creation requests; uses "directory guards" to reduce client enumeration + risks; makes bridges collect and report statistics about the pluggable + transports they support; cleans up and improves our geoip database; + gets much closer to IPv6 support for clients, bridges, and relays; makes + directory authorities use measured bandwidths rather than advertised + ones when computing flags and thresholds; disables client-side DNS + caching to reduce tracking risks; and fixes a big bug in bridge + reachability testing. This release introduces two new design + abstractions in the code: a new "channel" abstraction between circuits + and or_connections to allow for implementing alternate relay-to-relay + transports, and a new "circuitmux" abstraction storing the queue of + circuits for a channel. The release also includes many stability, + security, and privacy fixes. + + o Major features (new circuit handshake): + - Tor now supports a new circuit extension handshake designed by Ian + Goldberg, Douglas Stebila, and Berkant Ustaoglu. Our original + circuit extension handshake, later called "TAP", was a bit slow + (especially on the relay side), had a fragile security proof, and + used weaker keys than we'd now prefer. The new circuit handshake + uses Dan Bernstein's "curve25519" elliptic-curve Diffie-Hellman + function, making it significantly more secure than the older + handshake, and significantly faster. Tor can use one of two built-in + pure-C curve25519-donna implementations by Adam Langley, or it + can link against the "nacl" library for a tuned version if present. + + The built-in version is very fast for 64-bit systems when building + with GCC. The built-in 32-bit version is still faster than the + old TAP protocol, but using libnacl is better on most such hosts. + + Implements proposal 216; closes ticket 7202. + + o Major features (better link encryption): + - Relays can now enable the ECDHE TLS ciphersuites when available + and appropriate. These ciphersuites let us negotiate forward-secure + TLS secret keys more safely and more efficiently than with our + previous use of Diffie-Hellman modulo a 1024-bit prime. By default, + public relays prefer the (faster) P224 group, and bridges prefer + the (more common) P256 group; you can override this with the + TLSECGroup option. + + This feature requires clients running 0.2.3.17-beta or later, + and requires both sides to be running OpenSSL 1.0.0 or later + with ECC support. OpenSSL 1.0.1, with the compile-time option + "enable-ec_nistp_64_gcc_128", is highly recommended. + + Implements the relay side of proposal 198; closes ticket 7200. + + - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later. + Resolves ticket 6055. (OpenSSL before 1.0.1 didn't have TLS 1.1 or + 1.2, and OpenSSL from 1.0.1 through 1.0.1d had bugs that prevented + renegotiation from working with TLS 1.1 or 1.2, so we had disabled + them to solve bug 6033.) + + o Major features (relay performance): + - Instead of limiting the number of queued onionskins (aka circuit + create requests) to a fixed, hard-to-configure number, we limit + the size of the queue based on how many we expect to be able to + process in a given amount of time. We estimate the time it will + take to process an onionskin based on average processing time + of previous onionskins. Closes ticket 7291. You'll never have to + configure MaxOnionsPending again. + - Relays process the new "NTor" circuit-level handshake requests + with higher priority than the old "TAP" circuit-level handshake + requests. We still process some TAP requests to not totally starve + 0.2.3 clients when NTor becomes popular. A new consensus parameter + "NumNTorsPerTAP" lets us tune the balance later if we need to. + Implements ticket 9574. + + o Major features (client bootstrapping resilience): + - Add a new "FallbackDir" torrc option to use when we can't use + a directory mirror from the consensus (either because we lack a + consensus, or because they're all down). Currently, all authorities + are fallbacks by default, and there are no other default fallbacks, + but that will change. This option will allow us to give clients a + longer list of servers to try to get a consensus from when first + connecting to the Tor network, and thereby reduce load on the + directory authorities. Implements proposal 206, "Preconfigured + directory sources for bootstrapping". We also removed the old + "FallbackNetworkstatus" option, since we never got it working well + enough to use it. Closes bug 572. + - If we have no circuits open, use a relaxed timeout (the + 95th-percentile cutoff) until a circuit succeeds. This heuristic + should allow Tor to succeed at building circuits even when the + network connection drastically changes. Should help with bug 3443. + + o Major features (use of guards): + - Support directory guards (proposal 207): when possible, clients now + use their entry guards for non-anonymous directory requests. This + can help prevent client enumeration. Note that this behavior only + works when we have a usable consensus directory, and when options + about what to download are more or less standard. In the future we + should re-bootstrap from our guards, rather than re-bootstrapping + from the preconfigured list of directory sources that ships with + Tor. Resolves ticket 6526. + - Raise the default time that a client keeps an entry guard from + "1-2 months" to "2-3 months", as suggested by Tariq Elahi's WPES + 2012 paper. (We would make it even longer, but we need better client + load balancing first.) Also, make the guard lifetime controllable + via a new GuardLifetime torrc option and a GuardLifetime consensus + parameter. Start of a fix for bug 8240; bugfix on 0.1.1.11-alpha. + + o Major features (bridges with pluggable transports): + - Bridges now report the pluggable transports they support to the + bridge authority, so it can pass the supported transports on to + bridgedb and/or eventually do reachability testing. Implements + ticket 3589. + - Automatically forward the TCP ports of pluggable transport + proxies using tor-fw-helper if PortForwarding is enabled. Implements + ticket 4567. + + o Major features (geoip database): + - Maxmind began labelling Tor relays as being in country "A1", + which breaks by-country node selection inside Tor. Now we use a + script to replace "A1" ("Anonymous Proxy") entries in our geoip + file with real country codes. This script fixes about 90% of "A1" + entries automatically and uses manual country code assignments to + fix the remaining 10%. See src/config/README.geoip for details. + Fixes bug 6266. + - Add GeoIP database for IPv6 addresses. The new config option + is GeoIPv6File. + - Update to the October 2 2013 Maxmind GeoLite Country database. + + o Major features (IPv6): + - Clients who set "ClientUseIPv6 1" may connect to entry nodes over + IPv6. Set "ClientPreferIPv6ORPort 1" to make this even more likely + to happen. Implements ticket 5535. + - All kind of relays, not just bridges, can now advertise an IPv6 + OR port. Implements ticket 6362. + - Relays can now exit to IPv6 addresses: make sure that you have IPv6 + connectivity, then set the IPv6Exit flag to 1. Also make sure your + exit policy reads as you would like: the address * applies to all + address families, whereas *4 is IPv4 address only, and *6 is IPv6 + addresses only. On the client side, you'll need to wait for enough + exits to support IPv6, apply the "IPv6Traffic" flag to a SocksPort, + and use Socks5. Closes ticket 5547, implements proposal 117 as + revised in proposal 208. + - Bridge authorities now accept IPv6 bridge addresses and include + them in network status documents. Implements ticket 5534. + - Directory authorities vote on IPv6 OR ports. Implements ticket 6363. + + o Major features (directory authorities): + - Directory authorities now prefer using measured bandwidths to + advertised ones when computing flags and thresholds. Resolves + ticket 8273. + - Directory authorities that vote measured bandwidths about more + than a threshold number of relays now treat relays with + unmeasured bandwidths as having bandwidth 0 when computing their + flags. Resolves ticket 8435. + - Directory authorities now support a new consensus method (17) + where they cap the published bandwidth of relays for which + insufficient bandwidth measurements exist. Fixes part of bug 2286. + - Directory authorities that set "DisableV2DirectoryInfo_ 1" no longer + serve any v2 directory information. Now we can test disabling the + old deprecated v2 directory format, and see whether doing so has + any effect on network load. Begins to fix bug 6783. + + o Major features (build and portability): + - Switch to a nonrecursive Makefile structure. Now instead of each + Makefile.am invoking other Makefile.am's, there is a master + Makefile.am that includes the others. This change makes our build + process slightly more maintainable, and improves parallelism for + building with make -j. Original patch by Stewart Smith; various + fixes by Jim Meyering. + - Where available, we now use automake's "silent" make rules by + default, so that warnings are easier to spot. You can get the old + behavior with "make V=1". Patch by Stewart Smith for ticket 6522. + - Resume building correctly with MSVC and Makefile.nmake. This patch + resolves numerous bugs and fixes reported by ultramage, including + 7305, 7308, 7309, 7310, 7312, 7313, 7315, 7316, and 7669. + + o Security features: + - Switch to a completely time-invariant approach for picking nodes + weighted by bandwidth. Our old approach would run through the + part of the loop after it had made its choice slightly slower + than it ran through the part of the loop before it had made its + choice. Addresses ticket 6538. + - Disable the use of Guard nodes when in Tor2WebMode. Guard usage + by tor2web clients allows hidden services to identify tor2web + clients through their repeated selection of the same rendezvous + and introduction point circuit endpoints (their guards). Resolves + ticket 6888. + + o Major bugfixes (relay denial of service): + - When we have too much memory queued in circuits (according to a new + MaxMemInCellQueues option), close the circuits that have the oldest + queued cells, on the theory that those are most responsible for + us running low on memory. This prevents us from running out of + memory as a relay if circuits fill up faster than they can be + drained. Fixes bugs 9063 and 9093; bugfix on the 54th commit of + Tor. This bug is a further fix beyond bug 6252, whose fix was + merged into 0.2.3.21-rc. + - Reject bogus create and relay cells with 0 circuit ID or 0 stream + ID: these could be used to create unexpected streams and circuits + which would count as "present" to some parts of Tor but "absent" + to others, leading to zombie circuits and streams or to a bandwidth + denial-of-service. Fixes bug 7889; bugfix on every released version + of Tor. Reported by "oftc_must_be_destroyed". + - Avoid a bug where our response to TLS renegotiation under certain + network conditions could lead to a busy-loop, with 100% CPU + consumption. Fixes bug 5650; bugfix on 0.2.0.16-alpha. + + o Major bugfixes (asserts, crashes, leaks): + - Prevent the get_freelists() function from running off the end of + the list of freelists if it somehow gets an unrecognized + allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by + eugenis. + - Avoid a memory leak where we would leak a consensus body when we + find that a consensus which we couldn't previously verify due to + missing certificates is now verifiable. Fixes bug 8719; bugfix + on 0.2.0.10-alpha. + - If we are unable to save a microdescriptor to the journal, do not + drop it from memory and then reattempt downloading it. Fixes bug + 9645; bugfix on 0.2.2.6-alpha. + - Fix an assertion failure that would occur when disabling the + ORPort setting on a running Tor process while accounting was + enabled. Fixes bug 6979; bugfix on 0.2.2.18-alpha. + - Avoid an assertion failure on OpenBSD (and perhaps other BSDs) + when an exit connection with optimistic data succeeds immediately + rather than returning EINPROGRESS. Fixes bug 9017; bugfix on + 0.2.3.1-alpha. + - Fix a memory leak that would occur whenever a configuration + option changed. Fixes bug 8718; bugfix on 0.2.3.3-alpha. + + o Major bugfixes (relay rate limiting): + - When a TLS write is partially successful but incomplete, remember + that the flushed part has been flushed, and notice that bytes were + actually written. Reported and fixed pseudonymously. Fixes bug 7708; + bugfix on Tor 0.1.0.5-rc. + - Raise the default BandwidthRate/BandwidthBurst values from 5MB/10MB + to 1GB/1GB. The previous defaults were intended to be "basically + infinite", but it turns out they're now limiting our 100mbit+ + relays and bridges. Fixes bug 6605; bugfix on 0.2.0.10-alpha (the + last time we raised it). + - No longer stop reading or writing on cpuworker connections when + our rate limiting buckets go empty. Now we should handle circuit + handshake requests more promptly. Resolves bug 9731. + + o Major bugfixes (client-side privacy): + - When we mark a circuit as unusable for new circuits, have it + continue to be unusable for new circuits even if MaxCircuitDirtiness + is increased too much at the wrong time, or the system clock jumps + backwards. Fixes bug 6174; bugfix on 0.0.2pre26. + - If ClientDNSRejectInternalAddresses ("do not believe DNS queries + which have resolved to internal addresses") is set, apply that + rule to IPv6 as well. Fixes bug 8475; bugfix on 0.2.0.7-alpha. + - When an exit relay rejects a stream with reason "exit policy", but + we only know an exit policy summary (e.g. from the microdesc + consensus) for it, do not mark the relay as useless for all exiting. + Instead, mark just the circuit as unsuitable for that particular + address. Fixes part of bug 7582; bugfix on 0.2.3.2-alpha. + + o Major bugfixes (stream isolation): + - Allow applications to get proper stream isolation with + IsolateSOCKSAuth. Many SOCKS5 clients that want to offer + username/password authentication also offer "no authentication". Tor + had previously preferred "no authentication", so the applications + never actually sent Tor their auth details. Now Tor selects + username/password authentication if it's offered. You can disable + this behavior on a per-SOCKSPort basis via PreferSOCKSNoAuth. Fixes + bug 8117; bugfix on 0.2.3.3-alpha. + - Follow the socks5 protocol when offering username/password + authentication. The fix for bug 8117 exposed this bug, and it + turns out real-world applications like Pidgin do care. Bugfix on + 0.2.3.2-alpha; fixes bug 8879. + + o Major bugfixes (client circuit building): + - Alter circuit build timeout measurement to start at the point + where we begin the CREATE/CREATE_FAST step (as opposed to circuit + initialization). This should make our timeout measurements more + uniform. Previously, we were sometimes including ORconn setup time + in our circuit build time measurements. Should resolve bug 3443. + - If the circuit build timeout logic is disabled (via the consensus, + or because we are an authority), then don't build testing circuits. + Fixes bug 9657; bugfix on 0.2.2.14-alpha. + + o Major bugfixes (client-side DNS): + - Turn off the client-side DNS cache by default. Updating and using + the DNS cache is now configurable on a per-client-port + level. SOCKSPort, DNSPort, etc lines may now contain + {No,}Cache{IPv4,IPv6,}DNS lines to indicate that we shouldn't + cache these types of DNS answers when we receive them from an + exit node in response to an application request on this port, and + {No,}UseCached{IPv4,IPv6,DNS} lines to indicate that if we have + cached DNS answers of these types, we shouldn't use them. It's + potentially risky to use cached DNS answers at the client, since + doing so can indicate to one exit what answers we've gotten + for DNS lookups in the past. With IPv6, this becomes especially + problematic. Using cached DNS answers for requests on the same + circuit would present less linkability risk, since all traffic + on a circuit is already linkable, but it would also provide + little performance benefit: the exit node caches DNS replies + too. Implements a simplified version of Proposal 205. Implements + ticket 7570. + + o Major bugfixes (hidden service privacy): + - Limit hidden service descriptors to at most ten introduction + points, to slow one kind of guard enumeration. Fixes bug 9002; + bugfix on 0.1.1.11-alpha. + + o Major bugfixes (directory fetching): + - If the time to download the next old-style networkstatus is in + the future, do not decline to consider whether to download the + next microdescriptor networkstatus. Fixes bug 9564; bugfix on + 0.2.3.14-alpha. + - We used to always request authority certificates by identity digest, + meaning we'd get the newest one even when we wanted one with a + different signing key. Then we would complain about being given + a certificate we already had, and never get the one we really + wanted. Now we use the "fp-sk/" resource as well as the "fp/" + resource to request the one we want. Fixes bug 5595; bugfix on + 0.2.0.8-alpha. + + o Major bugfixes (bridge reachability): + - Bridges now send AUTH_CHALLENGE cells during their v3 handshakes; + previously they did not, which prevented them from receiving + successful connections from relays for self-test or bandwidth + testing. Also, when a relay is extending a circuit to a bridge, + it needs to send a NETINFO cell, even when the bridge hasn't sent + an AUTH_CHALLENGE cell. Fixes bug 9546; bugfix on 0.2.3.6-alpha. + + o Major bugfixes (control interface): + - When receiving a new configuration file via the control port's + LOADCONF command, do not treat the defaults file as absent. + Fixes bug 9122; bugfix on 0.2.3.9-alpha. + + o Major bugfixes (directory authorities): + - Stop marking every relay as having been down for one hour every + time we restart a directory authority. These artificial downtimes + were messing with our Stable and Guard flag calculations. Fixes + bug 8218 (introduced by the fix for 1035). Bugfix on 0.2.2.23-alpha. + - When computing directory thresholds, ignore any rejected-as-sybil + nodes during the computation so that they can't influence Fast, + Guard, etc. (We should have done this for proposal 109.) Fixes + bug 8146. + - When marking a node as a likely sybil, reset its uptime metrics + to zero, so that it cannot time towards getting marked as Guard, + Stable, or HSDir. (We should have done this for proposal 109.) Fixes + bug 8147. + - Fix a bug in the voting algorithm that could yield incorrect results + when a non-naming authority declared too many flags. Fixes bug 9200; + bugfix on 0.2.0.3-alpha. + + o Internal abstraction features: + - Introduce new channel_t abstraction between circuits and + or_connection_t to allow for implementing alternate OR-to-OR + transports. A channel_t is an abstract object which can either be a + cell-bearing channel, which is responsible for authenticating and + handshaking with the remote OR and transmitting cells to and from + it, or a listening channel, which spawns new cell-bearing channels + at the request of remote ORs. Implements part of ticket 6465. + - Make a channel_tls_t subclass of channel_t, adapting it to the + existing or_connection_t code. The V2/V3 protocol handshaking + code which formerly resided in command.c has been moved below the + channel_t abstraction layer and may be found in channeltls.c now. + Implements the rest of ticket 6465. + - Introduce new circuitmux_t storing the queue of circuits for + a channel; this encapsulates and abstracts the queue logic and + circuit selection policy, and allows the latter to be overridden + easily by switching out a policy object. The existing EWMA behavior + is now implemented as a circuitmux_policy_t. Resolves ticket 6816. + + o New build requirements: + - Tor now requires OpenSSL 0.9.8 or later. OpenSSL 1.0.0 or later is + strongly recommended. + - Tor maintainers now require Automake version 1.9 or later to build + Tor from the Git repository. (Automake is not required when building + from a source distribution.) + + o Minor features (protocol): + - No longer include the "opt" prefix when generating routerinfos + or v2 directories: it has been needless since Tor 0.1.2. Closes + ticket 5124. + - Reject EXTEND cells sent to nonexistent streams. According to the + spec, an EXTEND cell sent to _any_ nonzero stream ID is invalid, but + we were only checking for stream IDs that were currently in use. + Found while hunting for more instances of bug 6271. Bugfix on + 0.0.2pre8, which introduced incremental circuit construction. + - Tor relays and clients now support a better CREATE/EXTEND cell + format, allowing the sender to specify multiple address, identity, + and handshake types. Implements Robert Ransom's proposal 200; + closes ticket 7199. + - Reject as invalid most directory objects containing a NUL. + Belt-and-suspender fix for bug 8037. + + o Minor features (security): + - Clear keys and key-derived material left on the stack in + rendservice.c and rendclient.c. Check return value of + crypto_pk_write_private_key_to_string() in rend_service_load_keys(). + These fixes should make us more forward-secure against cold-boot + attacks and the like. Fixes bug 2385. + - Use our own weak RNG when we need a weak RNG. Windows's rand() and + Irix's random() only return 15 bits; Solaris's random() returns more + bits but its RAND_MAX says it only returns 15, and so on. Motivated + by the fix for bug 7801; bugfix on 0.2.2.20-alpha. + + o Minor features (control protocol): + - Add a "GETINFO signal/names" control port command. Implements + ticket 3842. + - Provide default values for all options via "GETINFO config/defaults". + Implements ticket 4971. + - Allow an optional $ before the node identity digest in the + controller command GETINFO ns/id/<identity>, for consistency with + md/id/<identity> and desc/id/<identity>. Resolves ticket 7059. + - Add CACHED keyword to ADDRMAP events in the control protocol + to indicate whether a DNS result will be cached or not. Resolves + ticket 8596. + - Generate bootstrapping status update events correctly when fetching + microdescriptors. Fixes bug 9927. + + o Minor features (path selection): + - When deciding whether we have enough descriptors to build circuits, + instead of looking at raw relay counts, look at which fraction + of (bandwidth-weighted) paths we're able to build. This approach + keeps clients from building circuits if their paths are likely to + stand out statistically. The default fraction of paths needed is + taken from the consensus directory; you can override it with the + new PathsNeededToBuildCircuits option. Fixes ticket 5956. + - When any country code is listed in ExcludeNodes or ExcludeExitNodes, + and we have GeoIP information, also exclude all nodes with unknown + countries "??" and "A1". This behavior is controlled by the + new GeoIPExcludeUnknown option: you can make such nodes always + excluded with "GeoIPExcludeUnknown 1", and disable the feature + with "GeoIPExcludeUnknown 0". Setting "GeoIPExcludeUnknown auto" + gets you the default behavior. Implements feature 7706. + + o Minor features (hidden services): + - Improve circuit build timeout handling for hidden services. + In particular: adjust build timeouts more accurately depending + upon the number of hop-RTTs that a particular circuit type + undergoes. Additionally, launch intro circuits in parallel + if they timeout, and take the first one to reply as valid. + - The Tor client now ignores sub-domain components of a .onion + address. This change makes HTTP "virtual" hosting + possible: http://foo.aaaaaaaaaaaaaaaa.onion/ and + http://bar.aaaaaaaaaaaaaaaa.onion/ can be two different websites + hosted on the same hidden service. Implements proposal 204. + - Enable Tor to read configuration, state, and key information from + a FIFO. Previously Tor would only read from files with a positive + stat.st_size. Code from meejah; fixes bug 6044. + + o Minor features (clients): + - Teach bridge-using clients to avoid 0.2.2.x bridges when making + microdescriptor-related dir requests, and only fall back to normal + descriptors if none of their bridges can handle microdescriptors + (as opposed to the fix in ticket 4013, which caused them to fall + back to normal descriptors if *any* of their bridges preferred + them). Resolves ticket 4994. + - Tweak tor-fw-helper to accept an arbitrary amount of arbitrary + TCP ports to forward. In the past it only accepted two ports: + the ORPort and the DirPort. + + o Minor features (protecting client timestamps): + - Clients no longer send timestamps in their NETINFO cells. These were + not used for anything, and they provided one small way for clients + to be distinguished from each other as they moved from network to + network or behind NAT. Implements part of proposal 222. + - Clients now round timestamps in INTRODUCE cells down to the nearest + 10 minutes. If a new Support022HiddenServices option is set to 0, or + if it's set to "auto" and the feature is disabled in the consensus, + the timestamp is sent as 0 instead. Implements part of proposal 222. + - Stop sending timestamps in AUTHENTICATE cells. This is not such + a big deal from a security point of view, but it achieves no actual + good purpose, and isn't needed. Implements part of proposal 222. + - Reduce down accuracy of timestamps in hidden service descriptors. + Implements part of proposal 222. + + o Minor features (bridges): + - Make bridge relays check once a minute for whether their IP + address has changed, rather than only every 15 minutes. Resolves + bugs 1913 and 1992. + - Bridge statistics now count bridge clients connecting over IPv6: + bridge statistics files now list "bridge-ip-versions" and + extra-info documents list "geoip6-db-digest". The control protocol + "CLIENTS_SEEN" and "ip-to-country" queries now support IPv6. Initial + implementation by "shkoo", addressing ticket 5055. + - Add a new torrc option "ServerTransportListenAddr" to let bridge + operators select the address where their pluggable transports will + listen for connections. Resolves ticket 7013. + - Randomize the lifetime of our SSL link certificate, so censors can't + use the static value for filtering Tor flows. Resolves ticket 8443; + related to ticket 4014 which was included in 0.2.2.33. + + o Minor features (relays): + - Option OutboundBindAddress can be specified multiple times and + accepts IPv6 addresses. Resolves ticket 6876. + + o Minor features (IPv6, client side): + - AutomapHostsOnResolve now supports IPv6 addresses. By default, we + prefer to hand out virtual IPv6 addresses, since there are more of + them and we can't run out. To override this behavior and make IPv4 + addresses preferred, set NoPreferIPv6Automap on whatever SOCKSPort + or DNSPort you're using for resolving. Implements ticket 7571. + - AutomapHostsOnResolve responses are now randomized, to avoid + annoying situations where Tor is restarted and applications + connect to the wrong addresses. + - Never try more than 1000 times to pick a new virtual address when + AutomapHostsOnResolve is set. That's good enough so long as we + aren't close to handing out our entire virtual address space; + if you're getting there, it's best to switch to IPv6 virtual + addresses anyway. + + o Minor features (IPv6, relay/authority side): + - New config option "AuthDirHasIPv6Connectivity 1" that directory + authorities should set if they have IPv6 connectivity and want to + do reachability tests for IPv6 relays. Implements feature 5974. + - A relay with an IPv6 OR port now sends that address in NETINFO + cells (in addition to its other address). Implements ticket 6364. + + o Minor features (directory authorities): + - Directory authorities no long accept descriptors for any version of + Tor before 0.2.2.35, or for any 0.2.3 release before 0.2.3.10-alpha. + These versions are insecure, unsupported, or both. Implements + ticket 6789. + - When directory authorities are computing thresholds for flags, + never let the threshold for the Fast flag fall below 4096 + bytes. Also, do not consider nodes with extremely low bandwidths + when deciding thresholds for various directory flags. This change + should raise our threshold for Fast relays, possibly in turn + improving overall network performance; see ticket 1854. Resolves + ticket 8145. + - Directory authorities now include inside each vote a statement of + the performance thresholds they used when assigning flags. + Implements ticket 8151. + - Add an "ignoring-advertised-bws" boolean to the flag-threshold lines + in directory authority votes to describe whether they have enough + measured bandwidths to ignore advertised (relay descriptor) + bandwidth claims. Resolves ticket 8711. + + o Minor features (path bias detection): + - Path Use Bias: Perform separate accounting for successful circuit + use. Keep separate statistics on stream attempt rates versus stream + success rates for each guard. Provide configurable thresholds to + determine when to emit log messages or disable use of guards that + fail too many stream attempts. Resolves ticket 7802. + - Create three levels of Path Bias log messages, as opposed to just + two. These are configurable via consensus as well as via the torrc + options PathBiasNoticeRate, PathBiasWarnRate, PathBiasExtremeRate. + The default values are 0.70, 0.50, and 0.30 respectively. + - Separate the log message levels from the decision to drop guards, + which also is available via torrc option PathBiasDropGuards. + PathBiasDropGuards still defaults to 0 (off). + - Deprecate PathBiasDisableRate in favor of PathBiasDropGuards + in combination with PathBiasExtremeRate. + - Increase the default values for PathBiasScaleThreshold and + PathBiasCircThreshold from (200, 20) to (300, 150). + - Add in circuit usage accounting to path bias. If we try to use a + built circuit but fail for any reason, it counts as path bias. + Certain classes of circuits where the adversary gets to pick your + destination node are exempt from this accounting. Usage accounting + can be specifically disabled via consensus parameter or torrc. + - Convert all internal path bias state to double-precision floating + point, to avoid roundoff error and other issues. + - Only record path bias information for circuits that have completed + *two* hops. Assuming end-to-end tagging is the attack vector, this + makes us more resilient to ambient circuit failure without any + detection capability loss. + + o Minor features (build): + - Tor now builds correctly on Bitrig, an OpenBSD fork. Patch from + dhill. Resolves ticket 6982. + - Compile on win64 using mingw64. Fixes bug 7260; patches from + "yayooo". + - Work correctly on Unix systems where EAGAIN and EWOULDBLOCK are + separate error codes; or at least, don't break for that reason. + Fixes bug 7935. Reported by "oftc_must_be_destroyed". + + o Build improvements (autotools): + - Warn if building on a platform with an unsigned time_t: there + are too many places where Tor currently assumes that time_t can + hold negative values. We'd like to fix them all, but probably + some will remain. + - Do not report status verbosely from autogen.sh unless the -v flag + is specified. Fixes issue 4664. Patch from Onizuka. + - Detect and reject attempts to build Tor with threading support + when OpenSSL has been compiled without threading support. + Fixes bug 6673. + - Try to detect if we are ever building on a platform where + memset(...,0,...) does not set the value of a double to 0.0. Such + platforms are permitted by the C standard, though in practice + they're pretty rare (since IEEE 754 is nigh-ubiquitous). We don't + currently support them, but it's better to detect them and fail + than to perform erroneously. + - We no longer warn so much when generating manpages from their + asciidoc source. + - Use Ville Laurikari's implementation of AX_CHECK_SIGN() to determine + the signs of types during autoconf. This is better than our old + approach, which didn't work when cross-compiling. + + o Minor features (log messages, warnings): + - Detect when we're running with a version of OpenSSL other than the + one we compiled with. This conflict has occasionally given people + hard-to-track-down errors. + - Warn users who run hidden services on a Tor client with + UseEntryGuards disabled that their hidden services will be + vulnerable to http://freehaven.net/anonbib/#hs-attack06 (the + attack which motivated Tor to support entry guards in the first + place). Resolves ticket 6889. + - Warn when we are binding low ports when hibernation is enabled; + previously we had warned when we were _advertising_ low ports with + hibernation enabled. Fixes bug 7285; bugfix on 0.2.3.9-alpha. + - Issue a warning when running with the bufferevents backend enabled. + It's still not stable, and people should know that they're likely + to hit unexpected problems. Closes ticket 9147. + + o Minor features (log messages, notices): + - Refactor resolve_my_address() so it returns the method by which we + decided our public IP address (explicitly configured, resolved from + explicit hostname, guessed from interfaces, learned by gethostname). + Now we can provide more helpful log messages when a relay guesses + its IP address incorrectly (e.g. due to unexpected lines in + /etc/hosts). Resolves ticket 2267. + - Track how many "TAP" and "NTor" circuit handshake requests we get, + and how many we complete, and log it every hour to help relay + operators follow trends in network load. Addresses ticket 9658. + + o Minor features (log messages, diagnostics): + - If we fail to free a microdescriptor because of bug 7164, log + the filename and line number from which we tried to free it. + - We compute the overhead from passing onionskins back and forth to + cpuworkers, and report it when dumping statistics in response to + SIGUSR1. Supports ticket 7291. + - Add another diagnostic to the heartbeat message: track and log + overhead that TLS is adding to the data we write. If this is + high, we are sending too little data to SSL_write at a time. + Diagnostic for bug 7707. + - Log packaged cell fullness as part of the heartbeat message. + Diagnosis to try to determine the extent of bug 7743. + - Add more detail to a log message about relaxed timeouts, to help + track bug 7799. + - When learning a fingerprint for a bridge, log its corresponding + transport type. Implements ticket 7896. + - Warn more aggressively when flushing microdescriptors to a + microdescriptor cache fails, in an attempt to mitigate bug 8031, + or at least make it more diagnosable. + - Improve the log message when "Bug/attack: unexpected sendme cell + from client" occurs, to help us track bug 8093. + - Improve debugging output to help track down bug 8185 ("Bug: + outgoing relay cell has n_chan==NULL. Dropping.") + + o Minor features (log messages, quieter bootstrapping): + - Log fewer lines at level "notice" about our OpenSSL and Libevent + versions and capabilities when everything is going right. Resolves + part of ticket 6736. + - Omit the first heartbeat log message, because it never has anything + useful to say, and it clutters up the bootstrapping messages. + Resolves ticket 6758. + - Don't log about reloading the microdescriptor cache at startup. Our + bootstrap warnings are supposed to tell the user when there's a + problem, and our bootstrap notices say when there isn't. Resolves + ticket 6759; bugfix on 0.2.2.6-alpha. + - Don't log "I learned some more directory information" when we're + reading cached directory information. Reserve it for when new + directory information arrives in response to a fetch. Resolves + ticket 6760. + - Don't complain about bootstrapping problems while hibernating. + These complaints reflect a general code problem, but not one + with any problematic effects (no connections are actually + opened). Fixes part of bug 7302; bugfix on 0.2.3.2-alpha. + + o Minor features (testing): + - In our testsuite, create temporary directories with a bit more + entropy in their name to make name collisions less likely. Fixes + bug 8638. + - Add benchmarks for DH (1024-bit multiplicative group) and ECDH + (P-256) Diffie-Hellman handshakes to src/or/bench. + - Add benchmark functions to test onion handshake performance. + + o Renamed options: + - The DirServer option is now DirAuthority, for consistency with + current naming patterns. You can still use the old DirServer form. + + o Minor bugfixes (protocol): + - Fix the handling of a TRUNCATE cell when it arrives while the + circuit extension is in progress. Fixes bug 7947; bugfix on 0.0.7.1. + - When a Tor client gets a "truncated" relay cell, the first byte of + its payload specifies why the circuit was truncated. We were + ignoring this 'reason' byte when tearing down the circuit, resulting + in the controller not being told why the circuit closed. Now we + pass the reason from the truncated cell to the controller. Bugfix + on 0.1.2.3-alpha; fixes bug 7039. + - Fix a misframing issue when reading the version numbers in a + VERSIONS cell. Previously we would recognize [00 01 00 02] as + 'version 1, version 2, and version 0x100', when it should have + only included versions 1 and 2. Fixes bug 8059; bugfix on + 0.2.0.10-alpha. Reported pseudonymously. + - Make the format and order of STREAM events for DNS lookups + consistent among the various ways to launch DNS lookups. Fixes + bug 8203; bugfix on 0.2.0.24-rc. Patch by "Desoxy". + + o Minor bugfixes (syscalls and disk interaction): + - Always check the return values of functions fcntl() and + setsockopt(). We don't believe these are ever actually failing in + practice, but better safe than sorry. Also, checking these return + values should please analysis tools like Coverity. Patch from + 'flupzor'. Fixes bug 8206; bugfix on all versions of Tor. + - Avoid double-closing the listener socket in our socketpair() + replacement (used on Windows) in the case where the addresses on + our opened sockets don't match what we expected. Fixes bug 9400; + bugfix on 0.0.2pre7. Found by Coverity. + - Correctly store microdescriptors and extrainfo descriptors that + include an internal NUL byte. Fixes bug 8037; bugfix on + 0.2.0.1-alpha. Bug reported by "cypherpunks". + - If for some reason we fail to write a microdescriptor while + rebuilding the cache, do not let the annotations from that + microdescriptor linger in the cache file, and do not let the + microdescriptor stay recorded as present in its old location. + Fixes bug 9047; bugfix on 0.2.2.6-alpha. + - Use direct writes rather than stdio when building microdescriptor + caches, in an attempt to mitigate bug 8031, or at least make it + less common. + + o Minor fixes (config options): + - Warn and fail if a server is configured not to advertise any + ORPorts at all. (We need *something* to put in our descriptor, + or we just won't work.) + - Behave correctly when the user disables LearnCircuitBuildTimeout + but doesn't tell us what they would like the timeout to be. Fixes + bug 6304; bugfix on 0.2.2.14-alpha. + - Rename the (internal-use-only) UsingTestingNetworkDefaults option + to start with a triple-underscore so the controller won't touch it. + Patch by Meejah. Fixes bug 3155. Bugfix on 0.2.2.23-alpha. + - Rename the (testing-use-only) _UseFilteringSSLBufferevents option + so it doesn't start with _. Fixes bug 3155. Bugfix on 0.2.3.1-alpha. + - When autodetecting the number of CPUs, use the number of available + CPUs in preference to the number of configured CPUs. Inform the + user if this reduces the number of available CPUs. Fixes bug 8002; + bugfix on 0.2.3.1-alpha. + - Command-line option "--version" implies "--quiet". Fixes bug 6997. + - Make it an error when you set EntryNodes but disable UseGuardNodes, + since it will (surprisingly to some users) ignore EntryNodes. Fixes + bug 8180; bugfix on 0.2.3.11-alpha. + - Avoid overflows when the user sets MaxCircuitDirtiness to a + ridiculously high value, by imposing a (ridiculously high) 30-day + maximum on MaxCircuitDirtiness. + + o Minor bugfixes (control protocol): + - Stop sending a stray "(null)" in some cases for the server status + "EXTERNAL_ADDRESS" controller event. Resolves bug 8200; bugfix + on 0.1.2.6-alpha. + - The ADDRMAP command can no longer generate an ill-formed error + code on a failed MAPADDRESS. It now says "internal" rather than + an English sentence fragment with spaces in the middle. Bugfix on + Tor 0.2.0.19-alpha. + + o Minor bugfixes (clients / edges): + - When we receive a RELAY_END cell with the reason DONE, or with no + reason, before receiving a RELAY_CONNECTED cell, report the SOCKS + status as "connection refused". Previously we reported these cases + as success but then immediately closed the connection. Fixes bug + 7902; bugfix on 0.1.0.1-rc. Reported by "oftc_must_be_destroyed". + - If the guard we choose first doesn't answer, we would try the + second guard, but once we connected to the second guard we would + abandon it and retry the first one, slowing down bootstrapping. + The fix is to treat all our initially chosen guards as acceptable + to use. Fixes bug 9946; bugfix on 0.1.1.11-alpha. + - When choosing which stream on a formerly stalled circuit to wake + first, make better use of the platform's weak RNG. Previously, + we had been using the % ("modulo") operator to try to generate a + 1/N chance of picking each stream, but this behaves badly with + many platforms' choice of weak RNG. Fixes bug 7801; bugfix on + 0.2.2.20-alpha. + + o Minor bugfixes (path bias detection): + - If the state file's path bias counts are invalid (presumably from a + buggy Tor prior to 0.2.4.10-alpha), make them correct. Also add + additional checks and log messages to the scaling of Path Bias + counts, in case there still are remaining issues with scaling. + Should help resolve bug 8235. + - Prevent rounding error in path bias counts when scaling + them down, and use the correct scale factor default. Also demote + some path bias related log messages down a level and make others + less scary sounding. Fixes bug 6647. Bugfix on 0.2.3.17-beta. + - Remove a source of rounding error during path bias count scaling; + don't count cannibalized circuits as used for path bias until we + actually try to use them; and fix a circuit_package_relay_cell() + warning message about n_chan==NULL. Fixes bug 7802. + - Paste the description for PathBias parameters from the man + page into or.h, so the code documents them too. Fixes bug 7982; + bugfix on 0.2.3.17-beta. + + o Minor bugfixes (relays): + - Stop trying to resolve our hostname so often (e.g. every time we + think about doing a directory fetch). Now we reuse the cached + answer in some cases. Fixes bugs 1992 (bugfix on 0.2.0.20-rc) + and 2410 (bugfix on 0.1.2.2-alpha). + - When examining the list of network interfaces to find our address, + do not consider non-running or disabled network interfaces. Fixes + bug 9904; bugfix on 0.2.3.11-alpha. Patch from "hantwister". + + o Minor bugfixes (blocking resistance): + - Only disable TLS session ticket support when running as a TLS + server. Now clients will blend better with regular Firefox + connections. Fixes bug 7189; bugfix on Tor 0.2.3.23-rc. + + o Minor bugfixes (IPv6): + - Use square brackets around IPv6 addresses in numerous places + that needed them, including log messages, HTTPS CONNECT proxy + requests, TransportProxy statefile entries, and pluggable transport + extra-info lines. Fixes bug 7011; patch by David Fifield. + + o Minor bugfixes (directory authorities): + - Reject consensus votes with more than 64 known-flags. We aren't even + close to that limit yet, and our code doesn't handle it correctly. + Fixes bug 6833; bugfix on 0.2.0.1-alpha. + - Correctly handle votes with more than 31 flags. Fixes bug 6853; + bugfix on 0.2.0.3-alpha. + + o Minor bugfixes (memory leaks): + - Avoid leaking memory if we fail to compute a consensus signature + or we generate a consensus we can't parse. Bugfix on 0.2.0.5-alpha. + - Fix a memory leak when receiving headers from an HTTPS proxy. Bugfix + on 0.2.1.1-alpha; fixes bug 7816. + - Fix a memory leak during safe-cookie controller authentication. + Bugfix on 0.2.3.13-alpha; fixes bug 7816. + - Free some more still-in-use memory at exit, to make hunting for + memory leaks easier. Resolves bug 7029. + + o Minor bugfixes (code correctness): + - Increase the width of the field used to remember a connection's + link protocol version to two bytes. Harmless for now, since the + only currently recognized versions are one byte long. Reported + pseudonymously. Fixes bug 8062; bugfix on 0.2.0.10-alpha. + - Fix a crash when debugging unit tests on Windows: deallocate a + shared library with FreeLibrary, not CloseHandle. Fixes bug 7306; + bugfix on 0.2.2.17-alpha. Reported by "ultramage". + - When detecting the largest possible file descriptor (in order to + close all file descriptors when launching a new program), actually + use _SC_OPEN_MAX. The old code for doing this was very, very broken. + Fixes bug 8209; bugfix on 0.2.3.1-alpha. Found by Coverity; this + is CID 743383. + - Avoid a crash if we fail to generate an extrainfo descriptor. + Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity; + this is CID 718634. + - Avoid an off-by-one error when checking buffer boundaries when + formatting the exit status of a pluggable transport helper. + This is probably not an exploitable bug, but better safe than + sorry. Fixes bug 9928; bugfix on 0.2.3.18-rc. Bug found by + Pedro Ribeiro. + - Get rid of a couple of harmless clang warnings, where we compared + enums to ints. These warnings are newly introduced in clang 3.2. + + o Minor bugfixes (code cleanliness): + - Avoid use of reserved identifiers in our C code. The C standard + doesn't like us declaring anything that starts with an + underscore, so let's knock it off before we get in trouble. Fix + for bug 1031; bugfix on the first Tor commit. + - Fix round_to_power_of_2() so it doesn't invoke undefined behavior + with large values. This situation was untriggered, but nevertheless + incorrect. Fixes bug 6831; bugfix on 0.2.0.1-alpha. + - Fix an impossible buffer overrun in the AES unit tests. Fixes + bug 8845; bugfix on 0.2.0.7-alpha. Found by eugenis. + - Fix handling of rendezvous client authorization types over 8. + Fixes bug 6861; bugfix on 0.2.1.5-alpha. + - Remove a couple of extraneous semicolons that were upsetting the + cparser library. Patch by Christian Grothoff. Fixes bug 7115; + bugfix on 0.2.2.1-alpha. + - When complaining about a client port on a public address, log + which address we're complaining about. Fixes bug 4020; bugfix on + 0.2.3.3-alpha. Patch by Tom Fitzhenry. + + o Minor bugfixes (log messages, warnings): + - If we encounter a write failure on a SOCKS connection before we + finish our SOCKS handshake, don't warn that we closed the + connection before we could send a SOCKS reply. Fixes bug 8427; + bugfix on 0.1.0.1-rc. + - Fix a directory authority warn caused when we have a large amount + of badexit bandwidth. Fixes bug 8419; bugfix on 0.2.2.10-alpha. + - Downgrade "Failed to hand off onionskin" messages to "debug" + severity, since they're typically redundant with the "Your computer + is too slow" messages. Fixes bug 7038; bugfix on 0.2.2.16-alpha. + - Avoid spurious warnings when configuring multiple client ports of + which only some are nonlocal. Previously, we had claimed that some + were nonlocal when in fact they weren't. Fixes bug 7836; bugfix on + 0.2.3.3-alpha. + + o Minor bugfixes (log messages, other): + - Fix log messages and comments to avoid saying "GMT" when we mean + "UTC". Fixes bug 6113. + - When rejecting a configuration because we were unable to parse a + quoted string, log an actual error message. Fixes bug 7950; bugfix + on 0.2.0.16-alpha. + - Correctly recognize that [::1] is a loopback address. Fixes + bug 8377; bugfix on 0.2.1.3-alpha. + - Don't log inappropriate heartbeat messages when hibernating: a + hibernating node is _expected_ to drop out of the consensus, + decide it isn't bootstrapped, and so forth. Fixes bug 7302; + bugfix on 0.2.3.1-alpha. + - Eliminate several instances where we use "Nickname=ID" to refer to + nodes in logs. Use "Nickname (ID)" instead. (Elsewhere, we still use + "$ID=Nickname", which is also acceptable.) Fixes bug 7065. Bugfix + on 0.2.3.21-rc. + + o Minor bugfixes (build): + - Fix some bugs in tor-fw-helper-natpmp when trying to build and + run it on Windows. More bugs likely remain. Patch from Gisle Vanem. + Fixes bug 7280; bugfix on 0.2.3.1-alpha. + + o Documentation fixes: + - Make the torify manpage no longer refer to tsocks; torify hasn't + supported tsocks since 0.2.3.14-alpha. + - Make the tor manpage no longer reference tsocks. + - Fix the GeoIPExcludeUnknown documentation to refer to + ExcludeExitNodes rather than the currently nonexistent + ExcludeEntryNodes. Spotted by "hamahangi" on tor-talk. + - Resolve a typo in torrc.sample.in. Fixes bug 6819; bugfix on + 0.2.3.14-alpha. + - Say "KBytes" rather than "KB" in the man page (for various values + of K), to further reduce confusion about whether Tor counts in + units of memory or fractions of units of memory. Resolves ticket 7054. + - Update tor-fw-helper.1.txt and tor-fw-helper.c to make option + names match. Fixes bug 7768. + - Fix the documentation of HeartbeatPeriod to say that the heartbeat + message is logged at notice, not at info. + - Clarify the usage and risks of setting the ContactInfo torrc line + for your relay or bridge. Resolves ticket 9854. + - Add anchors to the manpage so we can link to the html version of + the documentation for specific options. Resolves ticket 9866. + - Replace remaining references to DirServer in man page and + log entries. Resolves ticket 10124. + + o Removed features: + - Stop exporting estimates of v2 and v3 directory traffic shares + in extrainfo documents. They were unneeded and sometimes inaccurate. + Also stop exporting any v2 directory request statistics. Resolves + ticket 5823. + - Drop support for detecting and warning about versions of Libevent + before 1.3e. Nothing reasonable ships with them any longer; warning + the user about them shouldn't be needed. Resolves ticket 6826. + - Now that all versions before 0.2.2.x are disallowed, we no longer + need to work around their missing features. Remove a bunch of + compatibility code. + + o Removed files: + - The tor-tsocks.conf is no longer distributed or installed. We + recommend that tsocks users use torsocks instead. Resolves + ticket 8290. + - Remove some of the older contents of doc/ as obsolete; move others + to torspec.git. Fixes bug 8965. + + o Code simplification: + - Avoid using character buffers when constructing most directory + objects: this approach was unwieldy and error-prone. Instead, + build smartlists of strings, and concatenate them when done. + - Rename "isin" functions to "contains", for grammar. Resolves + ticket 5285. + - Rename Tor's logging function log() to tor_log(), to avoid conflicts + with the natural logarithm function from the system libm. Resolves + ticket 7599. + - Start using OpenBSD's implementation of queue.h, so that we don't + need to hand-roll our own pointer and list structures whenever we + need them. (We can't rely on a sys/queue.h, since some operating + systems don't have them, and the ones that do have them don't all + present the same extensions.) + - Start using OpenBSD's implementation of queue.h (originally by + Niels Provos). + - Enhance our internal sscanf replacement so that we can eliminate + the last remaining uses of the system sscanf. (Though those uses + of sscanf were safe, sscanf itself is generally error prone, so + we want to eliminate when we can.) Fixes ticket 4195 and Coverity + CID 448. + - Replace all calls to snprintf() outside of src/ext with + tor_snprintf(). Also remove the #define to replace snprintf with + _snprintf on Windows; they have different semantics, and all of + our callers should be using tor_snprintf() anyway. Fixes bug 7304. + + o Refactoring: + - Add a wrapper function for the common "log a message with a + rate-limit" case. + - Split the onion.c file into separate modules for the onion queue + and the different handshakes it supports. + - Move the client-side address-map/virtual-address/DNS-cache code + out of connection_edge.c into a new addressmap.c module. + - Move the entry node code from circuitbuild.c to its own file. + - Move the circuit build timeout tracking code from circuitbuild.c + to its own file. + - Source files taken from other packages now reside in src/ext; + previously they were scattered around the rest of Tor. + - Move the generic "config" code into a new file, and have "config.c" + hold only torrc- and state-related code. Resolves ticket 6823. + - Move the core of our "choose a weighted element at random" logic + into its own function, and give it unit tests. Now the logic is + testable, and a little less fragile too. + - Move ipv6_preferred from routerinfo_t to node_t. Addresses bug 4620. + - Move last_reachable and testing_since from routerinfo_t to node_t. + Implements ticket 5529. + - Add replaycache_t structure, functions and unit tests, then refactor + rend_service_introduce() to be more clear to read, improve, debug, + and test. Resolves bug 6177. + + o Removed code: + - Remove some now-needless code that tried to aggressively flush + OR connections as data was added to them. Since 0.2.0.1-alpha, our + cell queue logic has saved us from the failure mode that this code + was supposed to prevent. Removing this code will limit the number + of baroque control flow paths through Tor's network logic. Reported + pseudonymously on IRC. Fixes bug 6468; bugfix on 0.2.0.1-alpha. + - Remove unused code for parsing v1 directories and "running routers" + documents. Fixes bug 6887. + - Remove the marshalling/unmarshalling code for sending requests to + cpuworkers over a socket, and instead just send structs. The + recipient will always be the same Tor binary as the sender, so + any encoding is overkill. + - Remove the testing_since field of node_t, which hasn't been used + for anything since 0.2.0.9-alpha. + - Finally remove support for malloc_good_size and malloc_usable_size. + We had hoped that these functions would let us eke a little more + memory out of our malloc implementation. Unfortunately, the only + implementations that provided these functions are also ones that + are already efficient about not overallocation: they never got us + more than 7 or so bytes per allocation. Removing them saves us a + little code complexity and a nontrivial amount of build complexity. + + Changes in version 0.2.3.25 - 2012-11-19 The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi" Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher, diff --git a/changes/10777_netunreach b/changes/10777_netunreach deleted file mode 100644 index 899181423f..0000000000 --- a/changes/10777_netunreach +++ /dev/null @@ -1,7 +0,0 @@ - - Minor bugfixes: - - - Treat ENETUNREACH, EACCES, and EPERM at an exit node as a - NOROUTE error, not an INTERNAL error, since they can apparently - happen when trying to connect to the wrong sort of - netblocks. Fixes a part of bug 10777; bugfix on 0.1.0.1-rc. - diff --git a/changes/19271 b/changes/19271 deleted file mode 100644 index dc06ead999..0000000000 --- a/changes/19271 +++ /dev/null @@ -1,2 +0,0 @@ - o Directory authority changes: - - Urras is no longer a directory authority. Closes ticket 19271. diff --git a/changes/6783_big_hammer b/changes/6783_big_hammer deleted file mode 100644 index 2ff3249b33..0000000000 --- a/changes/6783_big_hammer +++ /dev/null @@ -1,6 +0,0 @@ - o Major features (deprecation): - - There's now a "DisableV2DirectoryInfo_" option that prevents us - from serving any directory requests for v2 directory information. - This is for us to test disabling the old deprecated V2 directory - format, so that we can see whether doing so has any effect on - network load. Part of a fix for bug 6783. diff --git a/changes/9854 b/changes/9854 deleted file mode 100644 index 30105cb731..0000000000 --- a/changes/9854 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation fixes: - - Clarify the usage and risks of ContactInfo. Resolves ticket 9854. - diff --git a/changes/bifroest b/changes/bifroest deleted file mode 100644 index 41af658ed8..0000000000 --- a/changes/bifroest +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority changes (also in 0.2.8.7): - - The "Tonga" bridge authority has been retired; the new bridge - authority is "Bifroest". Closes tickets 19728 and 19690. diff --git a/changes/bug10124 b/changes/bug10124 deleted file mode 100644 index 95b0838839..0000000000 --- a/changes/bug10124 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation: - - Replace remaining references to DirServer in man page and - log entries. Resolves ticket 10124. diff --git a/changes/bug1038-3 b/changes/bug1038-3 deleted file mode 100644 index 5af4afa46f..0000000000 --- a/changes/bug1038-3 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Warn and drop the circuit if we receive an inbound 'relay early' - cell. Those used to be normal to receive on hidden service circuits - due to bug 1038, but the buggy Tor versions are long gone from - the network so we can afford to resume watching for them. Resolves - the rest of bug 1038; bugfix on 0.2.1.19. diff --git a/changes/bug10402 b/changes/bug10402 deleted file mode 100644 index eac00bdc6d..0000000000 --- a/changes/bug10402 +++ /dev/null @@ -1,11 +0,0 @@ - o Major bugfixes: - - Do not allow OpenSSL engines to replace the PRNG, even when - HardwareAccel is set. The only default builtin PRNG engine uses - the Intel RDRAND instruction to replace the entire PRNG, and - ignores all attempts to seed it with more entropy. That's - cryptographically stupid: the right response to a new alleged - entropy source is never to discard all previously used entropy - sources. Fixes bug 10402; works around behavior introduced in - OpenSSL 1.0.0. Diagnosis and investigation thanks to "coderman" - and "rl1987". - diff --git a/changes/bug10409 b/changes/bug10409 deleted file mode 100644 index 5ef5ae29de..0000000000 --- a/changes/bug10409 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Avoid a crash bug when starting with a corrupted microdescriptor - cache file. Fix for bug 10406; bugfix on 0.2.2.6-alpha. diff --git a/changes/bug10423 b/changes/bug10423 deleted file mode 100644 index 493b7b15e3..0000000000 --- a/changes/bug10423 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - If we fail to dump a previously cached microdescriptor to disk, avoid - freeing duplicate data later on. Fix for bug 10423; bugfix on - 0.2.4.13-alpha. Spotted by "bobnomnom". diff --git a/changes/bug10456 b/changes/bug10456 deleted file mode 100644 index fb3b92fcd8..0000000000 --- a/changes/bug10456 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Avoid launching spurious extra circuits when a stream is pending. - This fixes a bug where any circuit that _wasn't_ unusable for new - streams would be treated as if it were, causing extra circuits to - be launched. Fixes bug 10456; bugfix on 0.2.4.12-alpha. - diff --git a/changes/bug10465 b/changes/bug10465 deleted file mode 100644 index 330f969416..0000000000 --- a/changes/bug10465 +++ /dev/null @@ -1,3 +0,0 @@ - o Major bugfixes: - - Fix assertion failure when AutomapHostsOnResolve yields an IPv6 - address. Fixes bug 10465; bugfix on 0.2.4.7-alpha. diff --git a/changes/bug10470 b/changes/bug10470 deleted file mode 100644 index 2b753436d9..0000000000 --- a/changes/bug10470 +++ /dev/null @@ -1,4 +0,0 @@ - o Documentation fixes: - - Note that all but one DirPort entry must have the NoAdvertise flag - set. Fix for #10470. - diff --git a/changes/bug10485 b/changes/bug10485 deleted file mode 100644 index 7e5fa530e8..0000000000 --- a/changes/bug10485 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Move message about circuit handshake counts into the heartbeat - message where it belongs, instead of logging it once per hour - unconditionally. Fixes bug 10485; bugfix on 0.2.4.17-rc. diff --git a/changes/bug10777_internal_024 b/changes/bug10777_internal_024 deleted file mode 100644 index 4544147f6e..0000000000 --- a/changes/bug10777_internal_024 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Do not treat END_STREAM_REASON_INTERNAL as indicating a definite - circuit failure, since it could also indicate an ENETUNREACH - error. Fixes part of bug 10777; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug10793 b/changes/bug10793 deleted file mode 100644 index 24c4025dde..0000000000 --- a/changes/bug10793 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (security): - - Always clear OpenSSL bignums before freeing them--even bignums - that don't contain secrets. Resolves ticket 10793. Patch by - Florent Daigniere. diff --git a/changes/bug10835 b/changes/bug10835 deleted file mode 100644 index 9df7bdd279..0000000000 --- a/changes/bug10835 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (testing): - - Fix a segmentation fault in our benchmark code when running with - Fedora's OpenSSL package, or any other OpenSSL that provides - ECDH but not P224. Fixes bug 10835; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug10849_023 b/changes/bug10849_023 deleted file mode 100644 index 480dea3de0..0000000000 --- a/changes/bug10849_023 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - When running a hidden service, do not allow TunneledDirConns 0; - this will keep the hidden service from running, and also - make it publish its descriptors directly over HTTP. Fixes bug 10849; - bugfix on 0.2.1.1-alpha. - diff --git a/changes/bug10870 b/changes/bug10870 deleted file mode 100644 index d8a00f4029..0000000000 --- a/changes/bug10870 +++ /dev/null @@ -1,6 +0,0 @@ - o Code simplification and refactoring: - - Remove data structures which were introduced to implement the - CellStatistics option: they are now redundant with the addition - of timestamp to the regular packed_cell_t data structure, which - we did in 0.2.4.18-rc in order to resolve #9093. Fixes bug - 10870.
\ No newline at end of file diff --git a/changes/bug10904 b/changes/bug10904 deleted file mode 100644 index 6f551ea412..0000000000 --- a/changes/bug10904 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (compilation): - - Build without warnings under clang 3.4. (We have some macros that - define static functions only some of which will get used later in - the module. Starting with clang 3.4, these give a warning unless the - unused attribute is set on them.) diff --git a/changes/bug10929 b/changes/bug10929 deleted file mode 100644 index acf3960471..0000000000 --- a/changes/bug10929 +++ /dev/null @@ -1,6 +0,0 @@ - - Minor bugfixes: - - Fix build warnings about missing "a2x" comment when building the - manpages from scratch on OpenBSD; OpenBSD calls it "a2x.py". - Fixes bug 10929; bugfix on tor-0.2.2.9-alpha. Patch from - Dana Koch. - diff --git a/changes/bug11437 b/changes/bug11437 deleted file mode 100644 index f5117cae99..0000000000 --- a/changes/bug11437 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Stop leaking memory when we successfully resolve a PTR record. - Fixes bug 11437; bugfix on 0.2.4.7-alpha. diff --git a/changes/bug11464_023 b/changes/bug11464_023 deleted file mode 100644 index 80c04b21e6..0000000000 --- a/changes/bug11464_023 +++ /dev/null @@ -1,5 +0,0 @@ - o Major features (security): - - Block authority signing keys that were used on an authorities - vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). - (We don't have any evidence that these keys _were_ compromised; - we're doing this to be prudent.) Resolves ticket 11464. diff --git a/changes/bug11513 b/changes/bug11513 deleted file mode 100644 index 820c02605f..0000000000 --- a/changes/bug11513 +++ /dev/null @@ -1,12 +0,0 @@ - o Major bugfixes: - - Generate the server's preference list for ciphersuites - automatically based on uniform criteria, and considering all - OpenSSL ciphersuites with acceptable strength and forward - secrecy. (The sort order is: prefer AES to 3DES; break ties by - preferring ECDHE to DHE; break ties by preferring GCM to CBC; - break ties by preferring SHA384 to SHA256 to SHA1; and finally, - break ties by preferring AES256 to AES128.) This resolves bugs - #11513, #11492, #11498, #11499. Bugs reported by 'cypherpunks'. - Bugfix on 0.2.4.8-alpha. - - diff --git a/changes/bug11519 b/changes/bug11519 deleted file mode 100644 index 5c1e6af7e4..0000000000 --- a/changes/bug11519 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Avoid sending an garbage value to the controller when a circuit is - cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha. diff --git a/changes/bug11553 b/changes/bug11553 deleted file mode 100644 index 1540f4642f..0000000000 --- a/changes/bug11553 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features: - - When we run out of usable circuit IDs on a channel, log only one - warning for the whole channel, and include a description of - how many circuits there were on the channel. Fix for part of ticket - #11553. diff --git a/changes/bug12227 b/changes/bug12227 deleted file mode 100644 index d8b5d08a55..0000000000 --- a/changes/bug12227 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Avoid an illegal read from stack when initializing the TLS - module using a version of OpenSSL without all of the ciphers - used by the v2 link handshake. Fixes bug 12227; bugfix on - 0.2.4.8-alpha. Found by "starlight". diff --git a/changes/bug12718 b/changes/bug12718 deleted file mode 100644 index 0c5f708446..0000000000 --- a/changes/bug12718 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Correct a confusing error message when trying to extend a circuit - via the control protocol but we don't know a descriptor or - microdescriptor for one of the specified relays. Fixes bug 12718; - bugfix on 0.2.3.1-alpha. diff --git a/changes/bug13100 b/changes/bug13100 deleted file mode 100644 index bbe43e65a7..0000000000 --- a/changes/bug13100 +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority changes: - - Change IP address for gabelmoo (v3 directory authority). - diff --git a/changes/bug13151-client b/changes/bug13151-client deleted file mode 100644 index 1218dfdfab..0000000000 --- a/changes/bug13151-client +++ /dev/null @@ -1,13 +0,0 @@ - o Major bugfixes: - - Clients now send the correct address for their chosen rendezvous - point when trying to access a hidden service. They used to send - the wrong address, which would still work some of the time because - they also sent the identity digest of the rendezvous point, and if - the hidden service happened to try connecting to the rendezvous - point from a relay that already had a connection open to it, - the relay would reuse that connection. Now connections to hidden - services should be more robust and faster. Also, this bug meant - that clients were leaking to the hidden service whether they were - on a little-endian (common) or big-endian (rare) system, which for - some users might have reduced their anonymity. Fixes bug 13151; - bugfix on 0.2.1.5-alpha. diff --git a/changes/bug13296 b/changes/bug13296 deleted file mode 100644 index d6fe038c30..0000000000 --- a/changes/bug13296 +++ /dev/null @@ -1,5 +0,0 @@ - o Directory authority changes: - - Remove turtles as a directory authority. - - Add longclaw as a new (v3) directory authority. This implements - ticket 13296. This keeps the directory authority count at 9. - diff --git a/changes/bug13471 b/changes/bug13471 deleted file mode 100644 index c116a4aeeb..0000000000 --- a/changes/bug13471 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (openssl bug workaround): - - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or - 1.0.1j, built with the 'no-ssl3' configuration option. Fixes - bug 13471. This is a workaround for an OpenSSL bug. - diff --git a/changes/bug14129 b/changes/bug14129 deleted file mode 100644 index 6153cd84fd..0000000000 --- a/changes/bug14129 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (exit node stability): - - - Fix an assertion failure that could occur under high DNS load. Fixes - bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr"; diagnosed and fixed - by "cypherpunks". - - diff --git a/changes/bug15083 b/changes/bug15083 deleted file mode 100644 index 5cc79b5ba1..0000000000 --- a/changes/bug15083 +++ /dev/null @@ -1,10 +0,0 @@ - o Major bugfixes (relay, stability, possible security): - - Fix a bug that could lead to a relay crashing with an assertion - failure if a buffer of exactly the wrong layout was passed - to buf_pullup() at exactly the wrong time. Fixes bug 15083; - bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'. - - - Do not assert if the 'data' pointer on a buffer is advanced to the very - end of the buffer; log a BUG message instead. Only assert if it is - past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. - diff --git a/changes/bug15515 b/changes/bug15515 deleted file mode 100644 index dda7c2fcd8..0000000000 --- a/changes/bug15515 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (DoS-resistance): - - Make it harder for attackers to overwhelm hidden services with - introductions, by blocking multiple introduction requests on the - same circuit. Resolves ticket #15515. diff --git a/changes/bug15600 b/changes/bug15600 deleted file mode 100644 index ee1d6cfe19..0000000000 --- a/changes/bug15600 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (security, hidden service): - - Fix an issue that would allow a malicious client to trigger - an assertion failure and halt a hidden service. Fixes - bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy". - diff --git a/changes/bug15601 b/changes/bug15601 deleted file mode 100644 index 2cc880af7f..0000000000 --- a/changes/bug15601 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (security, hidden service): - - Fix a bug that could cause a client to crash with an assertion - failure when parsing a malformed hidden service descriptor. - Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnCha". diff --git a/changes/bug15823 b/changes/bug15823 deleted file mode 100644 index 987de5d9ac..0000000000 --- a/changes/bug15823 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (hidden service): - - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells - on a client authorized hidden service. Fixes bug 15823; bugfix - on 0.2.1.6-alpha. diff --git a/changes/bug16248 b/changes/bug16248 deleted file mode 100644 index 399b7093cd..0000000000 --- a/changes/bug16248 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (dns proxy mode, crash): - - Avoid crashing when running as a DNS proxy. Closes bug 16248; bugfix on - 0.2.0.1-alpha. Patch from 'cypherpunks'. - - o Minor features (bug-resistance): - - Make Tor survive errors involving connections without a corresponding - event object. Previously we'd fail with an assertion; now we produce a - log message. Related to bug 16248. diff --git a/changes/bug17404 b/changes/bug17404 deleted file mode 100644 index d524f6662d..0000000000 --- a/changes/bug17404 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (security, correctness): - - Fix a programming error that could cause us to read 4 bytes before - the beginning of an openssl string. This could be used to provoke - a crash on systems with an unusual malloc implementation, or - systems with unsual hardening installed. Fixes bug 17404; bugfix - on 0.2.3.6-alpha. diff --git a/changes/bug17772 b/changes/bug17772 deleted file mode 100644 index 54d457c601..0000000000 --- a/changes/bug17772 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (guard selection): - - Actually look at the Guard flag when selecting a new directory - guard. When we implemented the directory guard design, we - accidentally started treating all relays as if they have the Guard - flag during guard selection, leading to weaker anonymity and worse - performance. Fixes bug 17222; bugfix on 0.2.4.8-alpha. Discovered - by Mohsen Imani. diff --git a/changes/bug17781 b/changes/bug17781 deleted file mode 100644 index 01ed231b0a..0000000000 --- a/changes/bug17781 +++ /dev/null @@ -1,3 +0,0 @@ - o Compilation fixes: - - Fix a compilation warning with Clang 3.6: Do not check the - presence of an address which can never be NULL. Fixes bug 17781. diff --git a/changes/bug17906 b/changes/bug17906 deleted file mode 100644 index fff76d1c59..0000000000 --- a/changes/bug17906 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (authorities): - - Update the V3 identity key for dannenberg, it was changed on - 18 November 2015. - Closes task #17906. Patch by "teor". diff --git a/changes/bug18089 b/changes/bug18089 deleted file mode 100644 index c1fb342f77..0000000000 --- a/changes/bug18089 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor fixes (security): - - Make memwipe() do nothing when passed a NULL pointer - or zero size. Check size argument to memwipe() for underflow. - Closes bug #18089. Reported by "gk", patch by "teor". - Bugfix on 0.2.3.25 and 0.2.4.6-alpha (#7352), - commit 49dd5ef3 on 7 Nov 2012. diff --git a/changes/bug18162 b/changes/bug18162 deleted file mode 100644 index 0844d6f62f..0000000000 --- a/changes/bug18162 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (security, pointers): - - - Avoid a difficult-to-trigger heap corruption attack when extending - a smartlist to contain over 16GB of pointers. Fixes bug #18162; - bugfix on Tor 0.1.1.11-alpha, which fixed a related bug - incompletely. Reported by Guido Vranken. - diff --git a/changes/bug1992 b/changes/bug1992 deleted file mode 100644 index 6a751dc7e6..0000000000 --- a/changes/bug1992 +++ /dev/null @@ -1,11 +0,0 @@ - o Minor bugfixes: - - Stop trying to resolve our hostname so often (e.g. every time we - think about doing a directory fetch). Now we reuse the cached - answer in some cases. Fixes bugs 1992 (bugfix on 0.2.0.20-rc) - and 2410 (bugfix on 0.1.2.2-alpha). - - o Minor features: - - Make bridge relays check once a minute for whether their IP - address has changed, rather than only every 15 minutes. Resolves - bugs 1913 and 1992. - diff --git a/changes/bug20384 b/changes/bug20384 deleted file mode 100644 index 591015ad94..0000000000 --- a/changes/bug20384 +++ /dev/null @@ -1,10 +0,0 @@ - o Major features (security fixes): - - Prevent a class of security bugs caused by treating the contents - of a buffer chunk as if they were a NUL-terminated string. At - least one such bug seems to be present in all currently used - versions of Tor, and would allow an attacker to remotely crash - most Tor instances, especially those compiled with extra compiler - hardening. With this defense in place, such bugs can't crash Tor, - though we should still fix them as they occur. Closes ticket - 20384 (TROVE-2016-10-001). - diff --git a/changes/bug21018 b/changes/bug21018 deleted file mode 100644 index 49a8b47a25..0000000000 --- a/changes/bug21018 +++ /dev/null @@ -1,11 +0,0 @@ - o Major bugfixes (parsing, security): - - - Fix a bug in parsing that could cause clients to read a single - byte past the end of an allocated region. This bug could be - used to cause hardened clients (built with - --enable-expensive-hardening) to crash if they tried to visit - a hostile hidden service. Non-hardened clients are only - affected depending on the details of their platform's memory - allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by - using libFuzzer. Also tracked as TROVE-2016-12-002 and as - CVE-2016-1254. diff --git a/changes/bug22490 b/changes/bug22490 deleted file mode 100644 index 244dd50b36..0000000000 --- a/changes/bug22490 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (correctness): - - Avoid undefined behavior when parsing IPv6 entries from the geoip6 - file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. diff --git a/changes/bug2286 b/changes/bug2286 deleted file mode 100644 index 4f8dfbbf68..0000000000 --- a/changes/bug2286 +++ /dev/null @@ -1,5 +0,0 @@ - o Major features (directory authority): - - Directory authorities now support a new consensus method (17) - where they cap the published bandwidth of servers for which - insufficient bandwidth measurements exist. Fixes part of bug - 2286. diff --git a/changes/bug5595 b/changes/bug5595 deleted file mode 100644 index 31f4b84b03..0000000000 --- a/changes/bug5595 +++ /dev/null @@ -1,8 +0,0 @@ - o Critical bugfixes: - - Distinguish downloading an authority certificate by identity digest from - downloading one by identity digest/signing key digest pair; formerly we - always request them only by identity digest and get the newest one even - when we wanted one with a different signing key. Then we would complain - about being given a certificate we already had, and never get the one we - really wanted. Now we use the "fp-sk/" resource as well as the "fp/" - resource to request the one we want. Fixes bug 5595. diff --git a/changes/bug5650 b/changes/bug5650 deleted file mode 100644 index 401e317074..0000000000 --- a/changes/bug5650 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Avoid a bug where our response to TLS renegotation under certain - network conditions could lead to a busy-loop, with 100% CPU - consumption. Fixes bug 5650; bugfix on 0.2.0.16-alpha. - diff --git a/changes/bug6026 b/changes/bug6026 deleted file mode 100644 index de5d6ead01..0000000000 --- a/changes/bug6026 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Relays now treat a changed IPv6 ORPort as sufficient reason to - publish an updated descriptor. Fix for bug 6026; bugfix for - 0.2.4.1-alpha. diff --git a/changes/bug6055 b/changes/bug6055 deleted file mode 100644 index 00730073a8..0000000000 --- a/changes/bug6055 +++ /dev/null @@ -1,6 +0,0 @@ - o Major enhancements: - - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later. - (OpenSSL before 1.0.1 didn't have TLS 1.1 or 1.2. OpenSSL from 1.0.1 - through 1.0.1d had bugs that prevented renegotiation from working - with TLS 1.1 or 1.2, so we disabled them to solve bug 6033.) Fix for - issue #6055. diff --git a/changes/bug6174 b/changes/bug6174 deleted file mode 100644 index 79d2930ec3..0000000000 --- a/changes/bug6174 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - When we mark a circuit as unusable for new circuits, have it - continue to be unusable for new circuits even if MaxCircuitDirtiness - is increased too much at the wrong time, or the system clock jumped - backwards. Fix for bug 6174; bugfix on 0.0.2pre26. - diff --git a/changes/bug6206 b/changes/bug6206 deleted file mode 100644 index 61a16d291a..0000000000 --- a/changes/bug6206 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Always check the return values of functions fcntl() and - setsockopt(). We don't believe these are ever actually failing in - practice, but better safe than sorry. Also, checking these return - values should please some analysis tools (like Coverity). Patch - from 'flupzor'. Fix for bug 8206; bugfix on all versions of Tor. diff --git a/changes/bug6304 b/changes/bug6304 deleted file mode 100644 index 445560a8e1..0000000000 --- a/changes/bug6304 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Behave correctly when the user disables LearnCircuitBuildTimeout - but doesn't tell us what they would like the timeout to be. Fixes - bug 6304; bugfix on 0.2.2.14-alpha. diff --git a/changes/bug6572 b/changes/bug6572 deleted file mode 100644 index 6508d1bcb5..0000000000 --- a/changes/bug6572 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (log messages) - - Use circuit creation time for network liveness evaluation. This - should eliminate warning log messages about liveness caused by - changes in timeout evaluation. Fixes bug 6572; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug6673 b/changes/bug6673 deleted file mode 100644 index 506b449892..0000000000 --- a/changes/bug6673 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (build): - - Detect and reject attempts to build Tor with threading support - when OpenSSL have been compiled with threading support disabled. - Fixes bug 6673. diff --git a/changes/bug6979 b/changes/bug6979 deleted file mode 100644 index 55572ecbac..0000000000 --- a/changes/bug6979 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix an assertion failure that would occur when disabling the - ORPort setting on a running Tor process while accounting was - enabled. Fixes bug 6979; bugfix on 0.2.2.18-alpha. diff --git a/changes/bug7054 b/changes/bug7054 deleted file mode 100644 index 15680d72ce..0000000000 --- a/changes/bug7054 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (man page): - - Say "KBytes" rather than "KB" in the man page (for various values - of K), to further reduce confusion about whether Tor counts in - units of memory or fractions of units of memory. Fixes bug 7054. diff --git a/changes/bug7065 b/changes/bug7065 deleted file mode 100644 index 1ca6841021..0000000000 --- a/changes/bug7065 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfix (log cleanups): - - Eliminate several instances where we use Nickname=ID to refer to - nodes in logs. Use Nickname (ID) instead. (Elsewhere, we still use - $ID=Nickname, which is also acceptable.) Fixes bug #7065. Bugfix - on 0.2.3.21-rc, 0.2.4.5-alpha, 0.2.4.8-alpha, and 0.2.4.10-alpha. diff --git a/changes/bug7143 b/changes/bug7143 deleted file mode 100644 index d26135ae65..0000000000 --- a/changes/bug7143 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (build): - - Add the old src/or/micro-revision.i filename to CLEANFILES. - On the off chance that somebody has one, it will go away as soon - as they run "make clean". Fix for bug 7143; bugfix on 0.2.4.1-alpha. diff --git a/changes/bug7164_diagnostic b/changes/bug7164_diagnostic deleted file mode 100644 index 8bedfc4bd5..0000000000 --- a/changes/bug7164_diagnostic +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (bug diagnostic): - - If we fail to free a microdescriptor because of bug #7164, log - the filename and line number from which we tried to free it. - This should help us finally fix #7164. diff --git a/changes/bug7164_downgrade b/changes/bug7164_downgrade deleted file mode 100644 index 4d75586bb1..0000000000 --- a/changes/bug7164_downgrade +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Downgrade the warning severity for the the "md was still referenced 1 - node(s)" warning. Tor 0.2.5.4-alpha has better code for trying to - diagnose this bug, and the current warning in earlier versions of - tor achieves nothing useful. Addresses warning from bug 7164. - diff --git a/changes/bug7280 b/changes/bug7280 deleted file mode 100644 index ef5d36a802..0000000000 --- a/changes/bug7280 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix some bugs in tor-fw-helper-natpmp when trying to build and - run it on Windows. More bugs likely remain. Patch from Gisle Vanem. - Fixes bug 7280; bugfix on 0.2.3.1-alpha. diff --git a/changes/bug7302 b/changes/bug7302 deleted file mode 100644 index fec615ff90..0000000000 --- a/changes/bug7302 +++ /dev/null @@ -1,11 +0,0 @@ - o Minor bugfixes: - - Don't log inappropriate heartbeat messages when hibernating: a - hibernating node is _expected_ to drop out of the consensus, - decide it isn't bootstrapped, and so forth. Fixes part of bug - 7302; bugfix on 0.2.3.1-alpha. - - - Don't complain about bootstrapping problems while hibernating. - These complaints reflect a general code problems, but not one - with any problematic effects. (No connections are actually - opened.) Fixes part of bug 7302; bugfix on 0.2.3.2-alpha. - diff --git a/changes/bug7350 b/changes/bug7350 deleted file mode 100644 index b0ee9d0919..0000000000 --- a/changes/bug7350 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Avoid an assertion when we discover that we'd like to write a cell - onto a closing connection: just discard the cell. Fixes another - case of bug 7350; bugfix on 0.2.4.4-alpha. diff --git a/changes/bug7582 b/changes/bug7582 deleted file mode 100644 index f3b0635765..0000000000 --- a/changes/bug7582 +++ /dev/null @@ -1,9 +0,0 @@ - o Major bugfixes: - - - When an exit node tells us that it is rejecting because of its - exit policy a stream we expected it to accept (because of its exit - policy), do not mark the node as useless for exiting if our - expectation was only based on an exit policy summary. Instead, - mark the circuit as unsuitable for that particular address. Fixes - part of bug 7582; bugfix on 0.2.3.2-alpha. - diff --git a/changes/bug7707_diagnostic b/changes/bug7707_diagnostic deleted file mode 100644 index 0c3138e785..0000000000 --- a/changes/bug7707_diagnostic +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features: - - Add another diagnostic to the heartbeat message: track and log - overhead that TLS is adding to the data we write. If this is - high, we are sending too little data to SSL_write at a time. - Diagnostic for bug 7707. diff --git a/changes/bug7768 b/changes/bug7768 deleted file mode 100644 index e3f9600afb..0000000000 --- a/changes/bug7768 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation fixes: - - Update tor-fw-helper.1.txt and tor-fw-helper.c to make option - names match. Fixes bug 7768. diff --git a/changes/bug7799 b/changes/bug7799 deleted file mode 100644 index ed4570129c..0000000000 --- a/changes/bug7799 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor changes (log clarification) - - Add more detail to a log message about relaxed timeouts. Hopefully - this additional detail will allow us to diagnose the cause of bug 7799. - o Minor bugfixes - - Don't attempt to relax the timeout of already opened 1-hop circuits. - They might never timeout. This should eliminate some/all cases of - the relaxed timeout log message. diff --git a/changes/bug7801 b/changes/bug7801 deleted file mode 100644 index 1d6d021f3f..0000000000 --- a/changes/bug7801 +++ /dev/null @@ -1,13 +0,0 @@ - o Minor bugfixes: - - When choosing which stream on a formerly stalled circuit to wake - first, make better use of the platform's weak RNG. Previously, we - had been using the % ("modulo") operator to try to generate a 1/N - chance of picking each stream, but this behaves badly with many - platforms' choice of weak RNG. Fix for bug 7801; bugfix on - 0.2.2.20-alpha. - - Use our own weak RNG when we need a weak RNG. Windows's rand() - and Irix's random() only return 15 bits; Solaris's random() - returns more bits but its RAND_MAX says it only returns 15, and - so on. Fixes another aspect of bug 7801; bugfix on - 0.2.2.20-alpha. - diff --git a/changes/bug7816.024 b/changes/bug7816.024 deleted file mode 100644 index b5d55f5d6d..0000000000 --- a/changes/bug7816.024 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes: - - Avoid leaking IPv6 policy content if we fail to format it into - a router descriptor. Spotted by Coverity. Fixes part of 7816; - bugfix on 0.2.4.7-alpha. - - - Avoid leaking memory if we fail to compute a consensus signature - or we generated a consensus we couldn't parse. Spotted by Coverity. - Fixes part of 7816; bugfix on 0.2.0.5-alpha. diff --git a/changes/bug7816_023 b/changes/bug7816_023 deleted file mode 100644 index a4530292cc..0000000000 --- a/changes/bug7816_023 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (memory leak, controller): - - Fix a memory leak during safe-cookie controller authentication. - Spotted by Coverity. Fixes part of bug 7816; bugfix on 0.2.3.13-alpha. - - o Minor bugfixes (memory leak, HTTPS proxy support): - - Fix a memory leak when receiving headers from an HTTPS proxy. - Spotted by Coverity. Fixes part of bug 7816; bugfix on 0.2.1.1-alpha. diff --git a/changes/bug7816_023_small b/changes/bug7816_023_small deleted file mode 100644 index cd90f035f1..0000000000 --- a/changes/bug7816_023_small +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Fix various places where we leak file descriptors or memory on - error cases. Spotted by coverity. Fixes parts of bug 7816. diff --git a/changes/bug7902 b/changes/bug7902 deleted file mode 100644 index 051759dc0a..0000000000 --- a/changes/bug7902 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - When we receive a RELAY_END cell with the reason DONE, or with no - reason, before receiving a RELAY_CONNECTED cell, report the SOCKS - status as "connection refused." Previously we reporting these - cases as success but then immediately closing the connection. - Fixes bug 7902; bugfix on 0.1.0.1-rc. Reported by "oftc_must_ - be_destroyed." diff --git a/changes/bug7947 b/changes/bug7947 deleted file mode 100644 index 6200ba2d8a..0000000000 --- a/changes/bug7947 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix the handling of a TRUNCATE cell when it arrives while the circuit - extension is in progress. Fixes bug 7947; bugfix on 0.0.7.1. - diff --git a/changes/bug7950 b/changes/bug7950 deleted file mode 100644 index e62cca07a1..0000000000 --- a/changes/bug7950 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - When rejecting a configuration because we were unable to parse a - quoted string, log an actual error message. Fix for bug 7950; - bugfix on 0.2.0.16-alpha. diff --git a/changes/bug7982 b/changes/bug7982 deleted file mode 100644 index 46aa53249c..0000000000 --- a/changes/bug7982 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Copy-paste description for PathBias params from man page into or.h - comment. Fixes bug 7982. diff --git a/changes/bug8002 b/changes/bug8002 deleted file mode 100644 index d6e2ff2492..0000000000 --- a/changes/bug8002 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - When autodetecting the number of CPUs, use the number of available - CPUs in preferernce to the number of configured CPUs. Inform the - user if this reduces the number of avialable CPUs. Fix for bug 8002. - Bugfix on 0.2.3.1-alpha. diff --git a/changes/bug8014 b/changes/bug8014 deleted file mode 100644 index c09a86098c..0000000000 --- a/changes/bug8014 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor usability improvements (build): - - Clarify that when autconf is checking for nacl, it is checking - specifically for nacl with a fast curve25519 implementation. - Fixes bug 8014. - diff --git a/changes/bug8031 b/changes/bug8031 deleted file mode 100644 index 17329ec5b5..0000000000 --- a/changes/bug8031 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - Use direct writes rather than stdio when building microdescriptor - caches, in an attempt to mitigate bug 8031, or at least make it - less common. - - Warn more aggressively when flushing microdescriptors to a - microdescriptor cache fails, in an attempt to mitegate bug 8031, - or at least make it more diagnosable. diff --git a/changes/bug8037 b/changes/bug8037 deleted file mode 100644 index 989745fc39..0000000000 --- a/changes/bug8037 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes: - - Correctly store microdescriptors and extrainfo descriptors with - an internal NUL byte. Fixes bug 8037; bugfix on 0.2.0.1-alpha. - Bug reported by "cypherpunks". - - o Minor features: - - Reject as invalid most directory objects containing a - NUL. Belt-and-suspender fix for bug 8037. diff --git a/changes/bug8059 b/changes/bug8059 deleted file mode 100644 index 47273ed0ac..0000000000 --- a/changes/bug8059 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (protocol conformance): - - Fix a misframing issue when reading the version numbers in a - VERSIONS cell. Previously we would recognize [00 01 00 02] as - 'version 1, version 2, and version 0x100', when it should have - only included versions 1 and 2. Fixes bug 8059; bugfix on - 0.2.0.10-alpha. Reported pseudonymously. diff --git a/changes/bug8062 b/changes/bug8062 deleted file mode 100644 index 805e51ed41..0000000000 --- a/changes/bug8062 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Increase the width of the field used to remember a connection's - link protocol version to two bytes. Harmless for now, since the - only currently recognized versions are one byte long. Reported - pseudynmously. Fixes bug 8062, bugfix on 0.2.0.10-alpha. diff --git a/changes/bug8065 b/changes/bug8065 deleted file mode 100644 index 06dbae8cd7..0000000000 --- a/changes/bug8065 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Downgrade an assertion in connection_ap_expire_beginning to - an LD_BUG message. The fix for bug 8024 should prevent this - message from displaying, but just in case a warn that we can - diagnose is better than more assert crashes. Fix for bug 8065; - bugfix on 0.2.4.8-alpha. diff --git a/changes/bug8093.part1 b/changes/bug8093.part1 deleted file mode 100644 index 2450794dd7..0000000000 --- a/changes/bug8093.part1 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Downgrade "unexpected SENDME" warnings to protocol-warn for 0.2.4, - for bug 8093. diff --git a/changes/bug8117 b/changes/bug8117 deleted file mode 100644 index 910e8056f4..0000000000 --- a/changes/bug8117 +++ /dev/null @@ -1,13 +0,0 @@ - o Major bugfixes: - - - Many SOCKS5 clients, when configured to offer a username/password, - offer both username/password authentication and "no authentication". - Tor had previously preferred no authentication, but this was - problematic when trying to make applications get proper stream - isolation with IsolateSOCKSAuth. Now, on any SOCKS port with - IsolateSOCKSAuth turned on (which is the default), Tor selects - username/password authentication if it's offered. If this confuses your - application, you can disable it on a per-SOCKSPort basis via - PreferSOCKSNoAuth. Fixes bug 8117; bugfix on 0.2.3.3-alpha. - - diff --git a/changes/bug8121 b/changes/bug8121 deleted file mode 100644 index 60cba72848..0000000000 --- a/changes/bug8121 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor features: - - Clear the high bit on curve25519 public keys before passing them to - our backend, in case we ever wind up using a backend that doesn't do - so itself. If we used such a backend, and *didn't* clear the high bit, - we could wind up in a situation where users with such backends would - be distinguishable from users without. Fix for bug 8121; bugfix on - 0.2.4.8-alpha. diff --git a/changes/bug8151 b/changes/bug8151 deleted file mode 100644 index e20fa3c31a..0000000000 --- a/changes/bug8151 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (directory authority): - - Include inside each vote a statement of the performance - thresholds that made the authority vote for its flags. Implements - ticket 8151. -
\ No newline at end of file diff --git a/changes/bug8158 b/changes/bug8158 deleted file mode 100644 index 65b21c2a26..0000000000 --- a/changes/bug8158 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Use less space when formatting identical microdescriptor lines in - directory votes. Fixes bug 8158; bugfix on 0.2.4.1-alpha. diff --git a/changes/bug8161 b/changes/bug8161 deleted file mode 100644 index ab7b9c0cad..0000000000 --- a/changes/bug8161 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor changes: - - Lower path use bias thresholds to .80 for notice and .60 for warn. - Fixes bug #8161; bugfix on 0.2.4.10-alpa. - - Make the rate limiting flags for the path use bias log messages - independent from the original path bias flags. Fixes bug #8161; - bugfix on 0.2.4.10-alpha. diff --git a/changes/bug8180 b/changes/bug8180 deleted file mode 100644 index 39e6ce7f9a..0000000000 --- a/changes/bug8180 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (security usability): - - Elevate the severity of the warning message when setting - EntryNodes but disabling UseGuardNodes to an error. The outcome - of letting Tor procede with those options enabled (which causes - EntryNodes to get ignored) is sufficiently different from what - was expected that it's best to just refuse to proceed. Fixes bug - 8180; bugfix on 0.2.3.11-alpha. diff --git a/changes/bug8185_diagnostic b/changes/bug8185_diagnostic deleted file mode 100644 index b0f8884758..0000000000 --- a/changes/bug8185_diagnostic +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Improve debugging output to attempt to diagnose the underlying - cause of bug 8185. diff --git a/changes/bug8200 b/changes/bug8200 deleted file mode 100644 index 65fc9dd03a..0000000000 --- a/changes/bug8200 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfix: - - Stop sending a stray "(null)" in some cases for the server status - "EXTERNAL_ADDRESS" controller event. Resolves bug 8200; bugfix - on 0.1.2.6-alpha. - diff --git a/changes/bug8203 b/changes/bug8203 deleted file mode 100644 index d26dc0fccf..0000000000 --- a/changes/bug8203 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Make the format and order of STREAM events for DNS lookups consistent - among the various ways to launch DNS lookups. Fix for bug 8203; - bugfix on 0.2.0.24-rc. Patch by "Desoxy." diff --git a/changes/bug8207 b/changes/bug8207 deleted file mode 100644 index 0028d3380f..0000000000 --- a/changes/bug8207 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (hidden services): - - Allow hidden service authentication to succeed again. When we - refactored the hidden service introduction code back in 0.2.4.1-alpha, - we didn't update the code that checks whether authentication - information is present, causing all authentication checks to - return "false". Fix for bug 8207; bugfix on 0.2.4.1-alpha. Found by - Coverity; this is CID 718615. diff --git a/changes/bug8208 b/changes/bug8208 deleted file mode 100644 index c85db90b52..0000000000 --- a/changes/bug8208 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Avoid a crash if we fail to generate an extrinfo descriptor. - Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity; - this is CID 718634. diff --git a/changes/bug8209 b/changes/bug8209 deleted file mode 100644 index c58923540b..0000000000 --- a/changes/bug8209 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - When detecting the largest possible file descriptor (in order to close - all file descriptors when launching a new program), actually use - _SC_OPEN_MAX. The old code for doing this was very, very broken. - Fix for bug 8209; bugfix on 0.2.3.1-alpha. Found by Coverity; this - is CID 743383. diff --git a/changes/bug8210 b/changes/bug8210 deleted file mode 100644 index 85d41b844a..0000000000 --- a/changes/bug8210 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Fix an impossible-to-trigger integer overflow when - estimating how long out onionskin queue would take. (This overflow - would require us to accept 4 million onionskins before processing - 100 of them.) Fixes bug 8210; bugfix on 0.2.4.10-alpha. - diff --git a/changes/bug8218 b/changes/bug8218 deleted file mode 100644 index ce8d53ba62..0000000000 --- a/changes/bug8218 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Stop marking every relay as having been down for one hour every - time we restart a directory authority. These artificial downtimes - were messing with our Stable and Guard flag calculations. Fixes - bug 8218 (introduced by the fix for 1035). Bugfix on 0.2.2.23-alpha. - diff --git a/changes/bug8231 b/changes/bug8231 deleted file mode 100644 index fd87a1daec..0000000000 --- a/changes/bug8231 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - When unable to find any working directory nodes to use as a - directory guard, give up rather than adding the same non-working - nodes to the list over and over. Fixes bug 8231; bugfix on - 0.2.4.8-alpha. diff --git a/changes/bug8235-diagnosing b/changes/bug8235-diagnosing deleted file mode 100644 index b760035cfc..0000000000 --- a/changes/bug8235-diagnosing +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (diagnostic) - - If the state file's path bias counts are invalid (presumably from a - buggy tor prior to 0.2.4.10-alpha), make them correct. - - Add additional checks and log messages to the scaling of Path Bias - counts, in case there still are remaining issues with scaling. diff --git a/changes/bug8253-fix b/changes/bug8253-fix deleted file mode 100644 index 3d36d06c88..0000000000 --- a/changes/bug8253-fix +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (log messages) - - Fix a scaling issue in the path bias accounting code that resulted in - "Bug:" log messages from either pathbias_scale_close_rates() or - pathbias_count_build_success(). This represents a bugfix on a previous - bugfix: The original fix attempted in 0.2.4.10-alpha was incomplete. - Fixes bug 8235; bugfix on 0.2.4.1-alpha. diff --git a/changes/bug8273 b/changes/bug8273 deleted file mode 100644 index 257f57e7ab..0000000000 --- a/changes/bug8273 +++ /dev/null @@ -1,3 +0,0 @@ - o Critical bugfixes: - - When dirserv.c computes flags and thresholds, use measured bandwidths - in preference to advertised ones. diff --git a/changes/bug8290 b/changes/bug8290 deleted file mode 100644 index d1fce7d8b5..0000000000 --- a/changes/bug8290 +++ /dev/null @@ -1,9 +0,0 @@ - o Removed files: - - The tor-tsocks.conf is no longer distributed or installed. We - recommend that tsocks users use torsocks instead. Resolves - ticket 8290. - - o Documentation fixes: - - The torify manpage no longer refers to tsocks; torify hasn't - supported tsocks since 0.2.3.14-alpha. - - The manpages no longer reference tsocks. diff --git a/changes/bug8377 b/changes/bug8377 deleted file mode 100644 index c9ad151bc9..0000000000 --- a/changes/bug8377 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Correctly recognize that [::1] is a loopback address. Fixes bug #8377; - bugfix on 0.2.1.3-alpha. diff --git a/changes/bug8408 b/changes/bug8408 deleted file mode 100644 index ae9cf172e1..0000000000 --- a/changes/bug8408 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Allow TestingTorNetworks to override the 4096-byte minimum for the Fast - threshold. Otherwise they can't bootstrap until they've observed more - traffic. Fixes bug 8508; bugfix on 0.2.4.10-alpha. diff --git a/changes/bug8427 b/changes/bug8427 deleted file mode 100644 index 22b003fc38..0000000000 --- a/changes/bug8427 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - If we encounter a write failure on a SOCKS connection before we - finish our SOCKS handshake, don't warn that we closed the - connection before we could send a SOCKS reply. Fixes bug 8427; - bugfix on 0.1.0.1-rc. diff --git a/changes/bug8435 b/changes/bug8435 deleted file mode 100644 index da7ca7c1f8..0000000000 --- a/changes/bug8435 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - When dirserv.c computes flags and thresholds, ignore advertised - bandwidths if we have more than a threshold number of routers with - measured bandwidths. diff --git a/changes/bug8464 b/changes/bug8464 deleted file mode 100644 index 74ff2e39ff..0000000000 --- a/changes/bug8464 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Correct our check for which versions of Tor support the EXTEND2 - cell. We had been willing to send it to Tor 0.2.4.7-alpha and - later, when support was really added in version 0.2.4.8-alpha. - Fixes bug 8464; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug8475 b/changes/bug8475 deleted file mode 100644 index eb8debedba..0000000000 --- a/changes/bug8475 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - If configured via ClientDNSRejectInternalAddresses not to report - DNS queries which have resolved to internal addresses, apply that - rule to IPv6 as well. Fixes bug 8475; bugfix on 0.2.0.7-alpha. diff --git a/changes/bug8477-easypart b/changes/bug8477-easypart deleted file mode 100644 index 0f8f1031c5..0000000000 --- a/changes/bug8477-easypart +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Log the purpose of a path-bias testing circuit correctly. - Improves a log message from bug 8477; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug8587 b/changes/bug8587 deleted file mode 100644 index 84d2f1ec0d..0000000000 --- a/changes/bug8587 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (build): - - Build Tor correctly on 32-bit platforms where the compiler can build - but not run code using the "uint128_t" construction. Fixes bug 8587; - bugfix on 0.2.4.8-alpha. - diff --git a/changes/bug8596 b/changes/bug8596 deleted file mode 100644 index dd36bad855..0000000000 --- a/changes/bug8596 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Add CACHED keyword to ADDRMAP events in the control protocol to indicate - whether a DNS result will be cached or not. diff --git a/changes/bug8598 b/changes/bug8598 deleted file mode 100644 index e31c8f3c74..0000000000 --- a/changes/bug8598 +++ /dev/null @@ -1,6 +0,0 @@ - o Bugfixes: - - Fix compilation warning with some versions of clang that would prefer - the -Wswitch-enum compiler flag to warn about switch statements with - missing enum values, even if those switch statements have a default: - statement. Fixes bug 8598; bugfix on 0.2.4.10-alpha. - diff --git a/changes/bug8599 b/changes/bug8599 deleted file mode 100644 index 204ef58c3f..0000000000 --- a/changes/bug8599 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix some logic errors when the user manually overrides the - PathsNeededToBuildCircuits option in torrc. Fixes bug 8599; bugfix - on 0.2.4.10-alpha. diff --git a/changes/bug8638 b/changes/bug8638 deleted file mode 100644 index 3a790e567d..0000000000 --- a/changes/bug8638 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features - In our testsuite, create temporary directories with a bit more entropy - in their name to make name collissions less likely. Fixes bug 8638. diff --git a/changes/bug8639 b/changes/bug8639 deleted file mode 100644 index 0db5c91429..0000000000 --- a/changes/bug8639 +++ /dev/null @@ -1,5 +0,0 @@ - o Normal bugfixes: - - When launching a resolve request on behalf of an AF_UNIX control - socket, omit the address field of the new entry connection, used in - subsequent controller events, rather than letting tor_dup_addr() set - it to "<unknown address type>". Fixes bug 8639. diff --git a/changes/bug8711 b/changes/bug8711 deleted file mode 100644 index 28a1daa454..0000000000 --- a/changes/bug8711 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (authority): - - Add a "ignoring-advertised-bws" boolean to our flag-thresholds - lines to describe whether we have enough measured bandwidths to - ignore advertised bandwidth claims. Closes ticket 8711. - - diff --git a/changes/bug8716 b/changes/bug8716 deleted file mode 100644 index 74c74f82a6..0000000000 --- a/changes/bug8716 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (memory leak): - - Fix a memory leak that would occur whenever a configuration - option changed. Fixes bug #8718; bugfix on 0.2.3.3-alpha. diff --git a/changes/bug8719 b/changes/bug8719 deleted file mode 100644 index c05b79ddec..0000000000 --- a/changes/bug8719 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (memory leak): - - Avoid a memory leak where we would leak a consensus body when we find - that a consensus which we couldn't previously verify due to missing - certificates is now verifiable. Fixes bug 8719; bugfix on - 0.2.0.10-alpha. - diff --git a/changes/bug8822 b/changes/bug8822 deleted file mode 100644 index c6787afe06..0000000000 --- a/changes/bug8822 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (windows): - - Prevent failures on Windows Vista and later when rebuilding the - microdescriptor cache. Diagnosed by Robert Ransom. Fixes bug 8822; - bugfix on 0.2.4.12-alpha. - diff --git a/changes/bug8833 b/changes/bug8833 deleted file mode 100644 index 681a86191f..0000000000 --- a/changes/bug8833 +++ /dev/null @@ -1,3 +0,0 @@ - o Major bugfixes (directory authority): - - Fix a crash bug when building a consensus using an older consensus as - its basis. Fixes bug 8833. Bugfix on 0.2.4.12-alpha. diff --git a/changes/bug8844 b/changes/bug8844 deleted file mode 100644 index 320e5f2845..0000000000 --- a/changes/bug8844 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Prevent the get_freelists() function from running off the end of - the list of freelists if it somehow gets an unrecognized - allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by - eugenis. - diff --git a/changes/bug8845 b/changes/bug8845 deleted file mode 100644 index ace043ab9b..0000000000 --- a/changes/bug8845 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (test): - - Fix an impossible buffer overrun in the AES unit tests. Fixes bug 8845; - bugfix on 0.2.0.7-alpha. Found by eugenis. diff --git a/changes/bug8846 b/changes/bug8846 deleted file mode 100644 index 377cc3708a..0000000000 --- a/changes/bug8846 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Give a less useless error message when the user asks for an IPv4 - address on an IPv6-only port, or vice versa. Fixes bug 8846; bugfix - on 0.2.4.7-alpha. diff --git a/changes/bug8879 b/changes/bug8879 deleted file mode 100644 index 0d2a70086c..0000000000 --- a/changes/bug8879 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Follow the socks5 protocol when offering username/password - authentication. The fix for bug 8117 exposed this bug, and it - turns out real-world applications like Pidgin do care. Bugfix on - 0.2.3.2-alpha; fixes bug 8879. diff --git a/changes/bug8965 b/changes/bug8965 deleted file mode 100644 index b5af279632..0000000000 --- a/changes/bug8965 +++ /dev/null @@ -1,3 +0,0 @@ - o Removed documentation: - - Remove some of the older contents of doc/ as obsolete; move others - to torspec.git. Fixes bug 8965. diff --git a/changes/bug9002 b/changes/bug9002 deleted file mode 100644 index c41ace394a..0000000000 --- a/changes/bug9002 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Limit hidden service descriptors to at most ten introduction - points, to slow one kind of guard enumeration. Fixes bug 9002; - bugfix on 0.1.1.11-alpha. diff --git a/changes/bug9017 b/changes/bug9017 deleted file mode 100644 index 359c526b00..0000000000 --- a/changes/bug9017 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Avoid an assertion failure on OpenBSD (and perhaps other BSDs) - when an exit connection with optimistic data succeeds immediately - rather than returning EINPROGRESS. Fixes bug 9017; bugfix on - 0.2.3.1-alpha. - diff --git a/changes/bug9047 b/changes/bug9047 deleted file mode 100644 index 497f0d3372..0000000000 --- a/changes/bug9047 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - If for some reason we fail to write a microdescriptor while - rebuilding the cache, do not let the annotations from that - microdescriptor linger in the cache file, and do not let the - microdescriptor stay recorded as present in its old location. - Fixes bug 9047; bugfix on 0.2.2.6-alpha. diff --git a/changes/bug9063 b/changes/bug9063 deleted file mode 100644 index dcbecf6179..0000000000 --- a/changes/bug9063 +++ /dev/null @@ -1,3 +0,0 @@ - o Normal bugfixes: - - Close any circuit that has more cells queued than the spec permits. - Fixes bug #9063; bugfix on 0.2.4.12. diff --git a/changes/bug9063_redux b/changes/bug9063_redux deleted file mode 100644 index e6fae72efc..0000000000 --- a/changes/bug9063_redux +++ /dev/null @@ -1,15 +0,0 @@ - o Major bugfixes: - - When we have too much memory queued in circuits (according to a new - MaxMemInCellQueues option), close the circuits consuming the most - memory. This prevents us from running out of memory as a relay if - circuits fill up faster than they can be drained. Fixes - bug 9063; bugfix on the 54th commit of Tor. This bug is a further - fix beyond bug 6252, whose fix was merged into 0.2.3.21-rc. - - Also fixes an earlier approach taken in 0.2.4.13-alpha, where we - tried to solve this issue simply by imposing an upper limit on the - number of queued cells for a single circuit. That approach proved to - be problematic, since there are ways to provoke clients to send a - number of cells in excess of any such reasonable limit. - Fixes bug 9072; bugfix on 0.2.4.13-alpha. - diff --git a/changes/bug9072 b/changes/bug9072 deleted file mode 100644 index e594a38335..0000000000 --- a/changes/bug9072 +++ /dev/null @@ -1,3 +0,0 @@ - o Critical bugfixes: - - Disable middle relay queue overfill detection code due to possible - guard discovery attack, pending further analysis. Fixes bug #9072. diff --git a/changes/bug9093 b/changes/bug9093 deleted file mode 100644 index 06b6cb926a..0000000000 --- a/changes/bug9093 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor features: - - Improve the circuit queue out-of-memory handler. Previously, when - we ran low on memory, we'd close whichever circuits had the most - queued cells. Now, we close those that have the *oldest* queued - cells, on the theory that those are most responsible for us - running low on memory. Based on analysis from a forthcoming paper - by Jansen, Tschorsch, Johnson, and Scheuermann. Fixes bug 9093.
\ No newline at end of file diff --git a/changes/bug9122 b/changes/bug9122 deleted file mode 100644 index 5009da6126..0000000000 --- a/changes/bug9122 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - When receiving a new configuration file via the control port's - LOADCONF command, do not treat the defaults file as absent. - Fixes bug 9122; bugfix on 0.2.3.9-alpha. diff --git a/changes/bug9147 b/changes/bug9147 deleted file mode 100644 index e6064ea0e5..0000000000 --- a/changes/bug9147 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Issue a warning when running with the bufferevents backend enabled. - It's still not stable, and people should know that they're likely - to hit unexpected problems. Closes ticket 9147. diff --git a/changes/bug9200 b/changes/bug9200 deleted file mode 100644 index 7b64dd1744..0000000000 --- a/changes/bug9200 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Fix a bug in the voting algorithm that could yield incorrect results - when a non-naming authority declared too many flags. Fixes bug 9200; - bugfix on 0.2.0.3-alpha. - diff --git a/changes/bug9213_doc b/changes/bug9213_doc deleted file mode 100644 index 2f959dd831..0000000000 --- a/changes/bug9213_doc +++ /dev/null @@ -1,5 +0,0 @@ - o Documentation: - - Correctly document that we search for a system torrc file before - looking in ~/.torrc. Fixes documentation side of 9213; bugfix - on 0.2.3.18-rc. - diff --git a/changes/bug9229 b/changes/bug9229 deleted file mode 100644 index ad7fd22c28..0000000000 --- a/changes/bug9229 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Avoid 60-second delays in the bootstrapping process when Tor - is launching for a second time while using bridges. Fixes bug 9229; - bugfix on 0.2.0.3-alpha. - diff --git a/changes/bug9254 b/changes/bug9254 deleted file mode 100644 index 5179bdc523..0000000000 --- a/changes/bug9254 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix a spurious compilation warning with some older versions of - GCC on FreeBSD. Fixes bug 9254; bugfix on 0.2.4.14-alpha. - diff --git a/changes/bug9288 b/changes/bug9288 deleted file mode 100644 index 59bf414ea1..0000000000 --- a/changes/bug9288 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix an invalid memory read that occured when a pluggable - transport proxy failed its configuration protocol. - Fixes bug 9288. diff --git a/changes/bug9295 b/changes/bug9295 deleted file mode 100644 index 2c113616c3..0000000000 --- a/changes/bug9295 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Avoid a crash when using --hash-password. Fixes bug 9295; bugfix on - 0.2.4.15-rc. Found by stem integration tests. - diff --git a/changes/bug9309 b/changes/bug9309 deleted file mode 100644 index 38c462bc0f..0000000000 --- a/changes/bug9309 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - When evaluating whether to use a connection that we haven't - decided is canonical using a recent link protocol version, - decide that it's canonical only if it used address _does_ - match the desired address. Fixes bug 9309; bugfix on - 0.2.4.4-alpha. Reported by skruffy. diff --git a/changes/bug9337 b/changes/bug9337 deleted file mode 100644 index ce99bc8184..0000000000 --- a/changes/bug9337 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (DNS): - - Avoid an assertion failure when processing DNS replies without the - answer types we expected. Fixes bug 9337; bugfix on 0.2.4.7-alpha. - diff --git a/changes/bug9354 b/changes/bug9354 deleted file mode 100644 index 68fc81a595..0000000000 --- a/changes/bug9354 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Make the default behavior of NumDirectoryGuards be to track - NumEntryGuards. Now a user who changes only NumEntryGuards will get - the behavior she expects. Fixes bug 9354; bugfix on 0.2.4.8-alpha. - diff --git a/changes/bug9366 b/changes/bug9366 deleted file mode 100644 index acc919e77f..0000000000 --- a/changes/bug9366 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (usability): - - Warn and fail if a server is configured not to advertise any - ORPorts at all. (We need *something* to put in our descriptor, or - we just won't work.) diff --git a/changes/bug9393 b/changes/bug9393 deleted file mode 100644 index 9aedd1260b..0000000000 --- a/changes/bug9393 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Give the correct URL in the warning message that we present - when the user is trying to run a Tor relay on an ancient version - of Windows. Fixes bug 9393. diff --git a/changes/bug9400 b/changes/bug9400 deleted file mode 100644 index 974224068a..0000000000 --- a/changes/bug9400 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - - Avoid double-closing the listener socket in our socketpair replacement - (used on Windows) in the case where the addresses on our opened - sockets don't match what we expected. Fixes bug 9400; bugfix on - every released Tor version. Found by Coverity. - diff --git a/changes/bug9543 b/changes/bug9543 deleted file mode 100644 index 753947f6fd..0000000000 --- a/changes/bug9543 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Avoid overflows when the user sets MaxCircuitDirtiness to a - ridiculously high value, by imposing a (ridiculously high) 30-day - maximum on MaxCircuitDirtiness. diff --git a/changes/bug9546 b/changes/bug9546 deleted file mode 100644 index 2145e35d8f..0000000000 --- a/changes/bug9546 +++ /dev/null @@ -1,11 +0,0 @@ - o Major bugfixes: - - - When a relay is extending a circuit to a bridge, it needs to send a - NETINFO cell, even when the bridge hasn't sent an AUTH_CHALLENGE - cell. Fixes bug 9546; bugfix on 0.2.3.6-alpha. - - - Bridges send AUTH_CHALLENGE cells during their handshakes; previously - they did not, which prevented relays from successfully connecting - to a bridge for self-test or bandwidth testing. Fixes bug 9546; - bugfix on 0.2.3.6-alpha. - diff --git a/changes/bug9564 b/changes/bug9564 deleted file mode 100644 index 0df00e3698..0000000000 --- a/changes/bug9564 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - If the time to download the next old-style networkstatus is in - the future, do not decline to consider whether to download the - next microdescriptor networkstatus. Fixes bug 9564. Bugfix on - 0.2.3.14-alpha. diff --git a/changes/bug9596 b/changes/bug9596 deleted file mode 100644 index b3d138ecdc..0000000000 --- a/changes/bug9596 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Correctly log long IPv6 exit policy, instead of truncating them - or reporting an error. Fixes bug 9596; bugfix on 0.2.4.7-alpha. - diff --git a/changes/bug9602 b/changes/bug9602 deleted file mode 100644 index 2dc13c4c02..0000000000 --- a/changes/bug9602 +++ /dev/null @@ -1,5 +0,0 @@ - o Bugfixes - - Null out orconn->chan->conn when closing orconn in case orconn is freed - before channel_run_cleanup() gets to orconn->chan, and handle the null - conn edge case correctly in channel_tls_t methods. Fixes bug #9602; - bugfix on 0.2.4.4-alpha. diff --git a/changes/bug9644 b/changes/bug9644 deleted file mode 100644 index 51c58a5fff..0000000000 --- a/changes/bug9644 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix a small memory leak on exit. (We weren't freeing directory - authority certificate download statuses.) Fixes bug 9644; bugfix - on 0.2.4.13-alpha. diff --git a/changes/bug9645a b/changes/bug9645a deleted file mode 100644 index 2daba65a00..0000000000 --- a/changes/bug9645a +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - If we are unable to save a microdescriptor to the journal, do not - drop it from memory and then reattempt downloading it. Fixes bug - 9645; bugfix on 0.2.2.6-alpha. - diff --git a/changes/bug9671_023 b/changes/bug9671_023 deleted file mode 100644 index 035ca5cdea..0000000000 --- a/changes/bug9671_023 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - If the circuit build timeout logic is disabled (via the consensus, - or because we are an authority), then don't build testing circuits. - Fixes bug 9657; bugfix on 0.2.2.14-alpha. - diff --git a/changes/bug9686_024 b/changes/bug9686_024 deleted file mode 100644 index 8705379d32..0000000000 --- a/changes/bug9686_024 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (security): - - Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but leave - the default at 8GBytes), to better support Raspberry Pi users. Fixes - bug 9686; bugfix on 0.2.4.14-alpha. - diff --git a/changes/bug9700 b/changes/bug9700 deleted file mode 100644 index f59f54cb01..0000000000 --- a/changes/bug9700 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation): - - Fix a compilation error when compiling with --disable-cuve25519. - Fixes bug 9700; bugfix on 0.2.4.17-rc. diff --git a/changes/bug9716 b/changes/bug9716 deleted file mode 100644 index 5e39077173..0000000000 --- a/changes/bug9716 +++ /dev/null @@ -1,4 +0,0 @@ - o Bugfixes (performance): - - Set the listen() backlog limit to the largest actually supported - on the system, not to the value in a header file. Fixes bug 9716; - bugfix on every released Tor. diff --git a/changes/bug9731 b/changes/bug9731 deleted file mode 100644 index 828496af3f..0000000000 --- a/changes/bug9731 +++ /dev/null @@ -1,3 +0,0 @@ - o Major bugfixes: - - Do not apply connection_consider_empty_read/write_buckets to - cpuworker connections. diff --git a/changes/bug9776 b/changes/bug9776 deleted file mode 100644 index ea3a96abb3..0000000000 --- a/changes/bug9776 +++ /dev/null @@ -1,5 +0,0 @@ - o Normal bugfixes: - - Always call circuit_n_chan_done(chan, 0) from channel_closed(), so we - can't leak pending circuits in some cases where - run_connection_housekeeping() calls connection_or_close_normally(). - Fixes bug #9776; bugfix on 0.2.4.17. diff --git a/changes/bug9780 b/changes/bug9780 deleted file mode 100644 index 3cb51bd528..0000000000 --- a/changes/bug9780 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes (performance, fingerprinting): - - Our default TLS ecdhe groups were backwards: we meant to be using - P224 for relays (for performance win) and P256 for bridges (since - it is more common in the wild). Instead we had it backwards. After - reconsideration, we decided that the default should be P256 on all - hosts, since its security is probably better, and since P224 is - reportedly used quite little in the wild. Found by "skruffy" on - IRC. Fix for bug 9780; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug9880 b/changes/bug9880 deleted file mode 100644 index a7dda8f82f..0000000000 --- a/changes/bug9880 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes: - - - When closing a channel that has already been open, do not close - pending circuits that were waiting to connect to the same relay. - Fixes bug 9880; bugfix on 0.2.5.1-alpha. Thanks to skruffy for - finding this bug. (Bug was merged to 0.2.4 branch but not released - in any 0.2.4 version) - diff --git a/changes/bug9904 b/changes/bug9904 deleted file mode 100644 index eec4144cce..0000000000 --- a/changes/bug9904 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - When examining list of network interfaces to find our address, do - not consider non-running or disabled network interfaces. Fixes bug - 9904; bugfix on 0.2.3.11-alpha. Patch from "hantwister". diff --git a/changes/bug9927 b/changes/bug9927 deleted file mode 100644 index e66280c3c4..0000000000 --- a/changes/bug9927 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Generate bootstrapping status update events correctly for fetching - microdescriptors. Fixes bug 9927. - diff --git a/changes/bug9928 b/changes/bug9928 deleted file mode 100644 index b72cea3d87..0000000000 --- a/changes/bug9928 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Avoid an off-by-one error when checking buffer boundaries when - formatting the exit status of a pluggable transport helper. - This is probably not an exploitable bug, but better safe than - sorry. Fixes bug 9928; bugfix on 0.2.3.18-rc. Bug found by - Pedro Ribeiro. diff --git a/changes/bug9946 b/changes/bug9946 deleted file mode 100644 index 5d1c888743..0000000000 --- a/changes/bug9946 +++ /dev/null @@ -1,11 +0,0 @@ - o Minor bugfixes: - - If the guard we choose first doesn't answer, we would try the - second guard, but once we connected to the second guard we would - abandon it and retry the first one, slowing down bootstrapping. - The fix is to treat all our initially chosen guards as acceptable - to use. Fixes bug 9946; bugfix on 0.1.1.11-alpha. - - o Major bugfixes: - - Stop trying to fetch all our directory information from our first - guard. Discovered while fixing bug 9946; bugfix on 0.2.4.8-alpha. - diff --git a/changes/cov980650 b/changes/cov980650 deleted file mode 100644 index cbbada2e66..0000000000 --- a/changes/cov980650 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix a copy-and-paste error when adding a missing A1 to a routerset - because of GeoIPExcludeUnknown. Fix for coverity CID 980650. - Bugfix on 0.2.4.10-alpha. diff --git a/changes/curve25519-donna32-bug b/changes/curve25519-donna32-bug deleted file mode 100644 index 7fccab1b0c..0000000000 --- a/changes/curve25519-donna32-bug +++ /dev/null @@ -1,12 +0,0 @@ - o Major bugfixes: - - - Fix a bug in the bounds-checking in the 32-bit curve25519-donna - implementation that caused incorrect results on 32-bit - implementations when certain malformed inputs were used along with - a small class of private ntor keys. This bug does not currently - appear to allow an attacker to learn private keys or impersonate a - Tor server, but it could provide a means to distinguish 32-bit Tor - implementations from 64-bit Tor implementations. Fixes bug 12694; - bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from - Adam Langley. - diff --git a/changes/disable_sslv3 b/changes/disable_sslv3 deleted file mode 100644 index bb4c2df7a2..0000000000 --- a/changes/disable_sslv3 +++ /dev/null @@ -1,4 +0,0 @@ - o Major security fixes: - - Disable support for SSLv3. All versions of OpenSSL in use with - Tor today support TLS 1.0 or later, so we can safely turn off - support for this old (and insecure) protocol. Fixes bug 13426. diff --git a/changes/doc-heartbeat-loglevel b/changes/doc-heartbeat-loglevel deleted file mode 100644 index 91f40ad260..0000000000 --- a/changes/doc-heartbeat-loglevel +++ /dev/null @@ -1,3 +0,0 @@ - o Minor documentation fixes: - - Fix the documentation of HeartbeatPeriod to say that the heartbeat - message is logged at notice, not at info. diff --git a/changes/easy.ratelim b/changes/easy.ratelim deleted file mode 100644 index cadd1e4f5e..0000000000 --- a/changes/easy.ratelim +++ /dev/null @@ -1,3 +0,0 @@ - o Code simplification and refactoring: - - Add a wrapper function for the common "log a message with a rate-limit" - case. diff --git a/changes/feature4994 b/changes/feature4994 deleted file mode 100644 index 4fa0e037b7..0000000000 --- a/changes/feature4994 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor features: - - Teach bridge-using clients to avoid 0.2.2 bridges when making - microdescriptor-related dir requests, and only fall back to normal - descriptors if none of their bridges can handle microdescriptors - (as opposed to the fix in ticket 4013, which caused them to fall - back to normal descriptors if *any* of their bridges preferred - them). Resolves ticket 4994. diff --git a/changes/feature9574 b/changes/feature9574 deleted file mode 100644 index 723606e396..0000000000 --- a/changes/feature9574 +++ /dev/null @@ -1,7 +0,0 @@ - o Major features: - - Relays now process the new "NTor" circuit-level handshake requests - with higher priority than the old "TAP" circuit-level handshake - requests. We still process some TAP requests to not totally starve - 0.2.3 clients when NTor becomes popular. A new consensus parameter - "NumNTorsPerTAP" lets us tune the balance later if we need to. - Implements ticket 9574. diff --git a/changes/feature9777 b/changes/feature9777 deleted file mode 100644 index 312b5e034e..0000000000 --- a/changes/feature9777 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Avoid using circuit paths if no node in the path supports the ntor - circuit extension handshake. Implements ticket 9777. diff --git a/changes/ff28_ciphers b/changes/ff28_ciphers deleted file mode 100644 index 05eb4e9bcc..0000000000 --- a/changes/ff28_ciphers +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (performance, compatibility): - - Update the list of TLS cipehrsuites that a client advertises - to match those advertised by Firefox 28. This enables selection of - (fast) GCM ciphersuites, disables some strange old ciphers, and - disables the ECDH (not to be confused with ECDHE) ciphersuites. - Resolves ticket 11438. diff --git a/changes/fix-geoipexclude-doc b/changes/fix-geoipexclude-doc deleted file mode 100644 index 63b544ef29..0000000000 --- a/changes/fix-geoipexclude-doc +++ /dev/null @@ -1,4 +0,0 @@ - o Documentation fixes: - - Fix the GeoIPExcludeUnknown documentation to refer to ExcludeExitNodes - rather than the currently nonexistent ExcludeEntryNodes. Spotted by - "hamahangi" on tor-talk. diff --git a/changes/geoip-apr2013 b/changes/geoip-apr2013 deleted file mode 100644 index 74d9c63b79..0000000000 --- a/changes/geoip-apr2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the April 3 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-april2015 b/changes/geoip-april2015 deleted file mode 100644 index 7db38ed797..0000000000 --- a/changes/geoip-april2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-april2016 b/changes/geoip-april2016 deleted file mode 100644 index 4cd03e556b..0000000000 --- a/changes/geoip-april2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the April 5 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-april2017 b/changes/geoip-april2017 deleted file mode 100644 index b489eaf016..0000000000 --- a/changes/geoip-april2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-august2013 b/changes/geoip-august2013 deleted file mode 100644 index bd15177a0c..0000000000 --- a/changes/geoip-august2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the August 7 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-august2014 b/changes/geoip-august2014 deleted file mode 100644 index 90d8ecb300..0000000000 --- a/changes/geoip-august2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the August 7 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-august2016 b/changes/geoip-august2016 deleted file mode 100644 index 370ab64cac..0000000000 --- a/changes/geoip-august2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-december2015 b/changes/geoip-december2015 deleted file mode 100644 index 597bcc92f8..0000000000 --- a/changes/geoip-december2015 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-december2016 b/changes/geoip-december2016 deleted file mode 100644 index 60754ea21d..0000000000 --- a/changes/geoip-december2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-feb2013 b/changes/geoip-feb2013 deleted file mode 100644 index b5d794258f..0000000000 --- a/changes/geoip-feb2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the February 6 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-february2014 b/changes/geoip-february2014 deleted file mode 100644 index f8657b468e..0000000000 --- a/changes/geoip-february2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the February 7 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-february2014-regcountry b/changes/geoip-february2014-regcountry deleted file mode 100644 index c2ddf092aa..0000000000 --- a/changes/geoip-february2014-regcountry +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Fix our version of the February 7 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-february2016 b/changes/geoip-february2016 deleted file mode 100644 index 49a8041fad..0000000000 --- a/changes/geoip-february2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the February 2 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-february2017 b/changes/geoip-february2017 deleted file mode 100644 index ec54b6122a..0000000000 --- a/changes/geoip-february2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-january2015 b/changes/geoip-january2015 deleted file mode 100644 index 67324f27f2..0000000000 --- a/changes/geoip-january2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the January 7 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-january2016 b/changes/geoip-january2016 deleted file mode 100644 index fe2d5c7dc7..0000000000 --- a/changes/geoip-january2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-january2017 b/changes/geoip-january2017 deleted file mode 100644 index de1a4cbe2a..0000000000 --- a/changes/geoip-january2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-july2013 b/changes/geoip-july2013 deleted file mode 100644 index 097819dd7c..0000000000 --- a/changes/geoip-july2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the July 3 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-july2014 b/changes/geoip-july2014 deleted file mode 100644 index a0523ecac9..0000000000 --- a/changes/geoip-july2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the July 10 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-july2015 b/changes/geoip-july2015 deleted file mode 100644 index 381c2df231..0000000000 --- a/changes/geoip-july2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the July 8 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-july2016 b/changes/geoip-july2016 deleted file mode 100644 index d9963bd6a8..0000000000 --- a/changes/geoip-july2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-jun2016 b/changes/geoip-jun2016 deleted file mode 100644 index 8d308f6f72..0000000000 --- a/changes/geoip-jun2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-june2013 b/changes/geoip-june2013 deleted file mode 100644 index f8e00a62c6..0000000000 --- a/changes/geoip-june2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the June 5 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-june2015 b/changes/geoip-june2015 deleted file mode 100644 index 9d6cd3658b..0000000000 --- a/changes/geoip-june2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-mar2013 b/changes/geoip-mar2013 deleted file mode 100644 index e9cc3981b3..0000000000 --- a/changes/geoip-mar2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the March 6 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-march2015 b/changes/geoip-march2015 deleted file mode 100644 index 565781280a..0000000000 --- a/changes/geoip-march2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-march2016 b/changes/geoip-march2016 deleted file mode 100644 index d7b1bd42f9..0000000000 --- a/changes/geoip-march2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-march2017 b/changes/geoip-march2017 deleted file mode 100644 index 6dc92baa2f..0000000000 --- a/changes/geoip-march2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the March 7 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-may2013 b/changes/geoip-may2013 deleted file mode 100644 index ff4b98f22b..0000000000 --- a/changes/geoip-may2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the May 9 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-may2016 b/changes/geoip-may2016 deleted file mode 100644 index 3fd42dce24..0000000000 --- a/changes/geoip-may2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-may2017 b/changes/geoip-may2017 deleted file mode 100644 index 4e504d7a0a..0000000000 --- a/changes/geoip-may2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-november2014 b/changes/geoip-november2014 deleted file mode 100644 index 52cbeb3e41..0000000000 --- a/changes/geoip-november2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the November 15 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-november2016 b/changes/geoip-november2016 deleted file mode 100644 index 5190ed66f4..0000000000 --- a/changes/geoip-november2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-october2013 b/changes/geoip-october2013 deleted file mode 100644 index bc72850725..0000000000 --- a/changes/geoip-october2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the October 2 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-october2015 b/changes/geoip-october2015 deleted file mode 100644 index f20febec5a..0000000000 --- a/changes/geoip-october2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-october2016 b/changes/geoip-october2016 deleted file mode 100644 index fff9a1eeb5..0000000000 --- a/changes/geoip-october2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-september2013 b/changes/geoip-september2013 deleted file mode 100644 index 0173f4cfe3..0000000000 --- a/changes/geoip-september2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the September 4 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-september2015 b/changes/geoip-september2015 deleted file mode 100644 index a4f99efaa2..0000000000 --- a/changes/geoip-september2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-september2016 b/changes/geoip-september2016 deleted file mode 100644 index a14c7c699f..0000000000 --- a/changes/geoip-september2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip6-april2015 b/changes/geoip6-april2015 deleted file mode 100644 index 241c9119b6..0000000000 --- a/changes/geoip6-april2015 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features: - - Update geoip6 to the April 8 2015 Maxmind GeoLite2 Country database. diff --git a/changes/geoip6-august2014 b/changes/geoip6-august2014 deleted file mode 100644 index 7e7c9a975d..0000000000 --- a/changes/geoip6-august2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the August 7 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip6-february2014 b/changes/geoip6-february2014 deleted file mode 100644 index af30be00b1..0000000000 --- a/changes/geoip6-february2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the February 7 2014 Maxmind GeoLite2 Country - database. diff --git a/changes/geoip6-january2015 b/changes/geoip6-january2015 deleted file mode 100644 index b86fe2be57..0000000000 --- a/changes/geoip6-january2015 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features: - - Update geoip6 to the January 7 2015 Maxmind GeoLite2 Country database. diff --git a/changes/geoip6-july2014 b/changes/geoip6-july2014 deleted file mode 100644 index 155788ef88..0000000000 --- a/changes/geoip6-july2014 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features: - - Update geoip6 to the July 10 2014 Maxmind GeoLite2 Country database. diff --git a/changes/geoip6-june2014 b/changes/geoip6-june2014 deleted file mode 100644 index 1a33e6fb45..0000000000 --- a/changes/geoip6-june2014 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the June 4 2014 Maxmind GeoLite2 Country database. diff --git a/changes/geoip6-june2015 b/changes/geoip6-june2015 deleted file mode 100644 index 527dbff53b..0000000000 --- a/changes/geoip6-june2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip6-march2015 b/changes/geoip6-march2015 deleted file mode 100644 index 9a38c65e62..0000000000 --- a/changes/geoip6-march2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the March 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip6-november2014 b/changes/geoip6-november2014 deleted file mode 100644 index e91fcc0d3b..0000000000 --- a/changes/geoip6-november2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the November 15 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/integers_donna b/changes/integers_donna deleted file mode 100644 index e9c69e8e1c..0000000000 --- a/changes/integers_donna +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (portability) - - Tweak the curve25519-donna*.c implementations to tolerate systems - that lack stdint.h. Fixes bug 3894; bugfix on 0.2.4.8-alpha. diff --git a/changes/less_charbuf_usage b/changes/less_charbuf_usage deleted file mode 100644 index 2ec42b544a..0000000000 --- a/changes/less_charbuf_usage +++ /dev/null @@ -1,5 +0,0 @@ - o Code simplification and refactoring: - - Avoid using character buffers when constructing most directory - objects: this approach was unweildy and error-prone. Instead, - build smartlists of strings, and concatenate them when done. - diff --git a/changes/log-noise b/changes/log-noise deleted file mode 100644 index bbbf0d2c0c..0000000000 --- a/changes/log-noise +++ /dev/null @@ -1,11 +0,0 @@ - o Minor bugfixes (log message reduction) - - Fix a path state issue that triggered a notice during relay startup. - Fixes bug #8320; bugfix on 0.2.4.10-alpha. - - Reduce occurrences of warns about circuit purpose in - connection_ap_expire_building(). Fixes bug #8477; bugfix on - 0.2.4.11-alpha. - - Fix a directory authority warn caused when we have a large amount - of badexit bandwidth. Fixes bug #8419; bugfix on 0.2.2.10-alpha. - - Reduce a path bias length check notice log to info. The notice - is triggered when creating controller circuits. Fixes bug #8196; - bugfix on 0.2.4.8-alpha. diff --git a/changes/md_leak_bug b/changes/md_leak_bug deleted file mode 100644 index 26270aacc3..0000000000 --- a/changes/md_leak_bug +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (security, OOM) - - Fix a memory leak that could occur if a microdescriptor parse - fails during the tokenizing step. This could enable a memory - exhaustion attack by directory servers. Fixes bug #11649; bugfix - on 0.2.2.6-alpha. diff --git a/changes/no_client_timestamps_024 b/changes/no_client_timestamps_024 deleted file mode 100644 index 41dea2f1a6..0000000000 --- a/changes/no_client_timestamps_024 +++ /dev/null @@ -1,14 +0,0 @@ - o Minor features (security, timestamp avoidance, proposal 222): - - Clients no longer send timestamps in their NETINFO cells. These were - not used for anything, and they provided one small way for clients - to be distinguished from each other as they moved from network to - network or behind NAT. Implements part of proposal 222. - - Clients now round timestamps in INTRODUCE cells down to the nearest - 10 minutes. If a new Support022HiddenServices option is set to 0, - or if it's set to "auto" and the feature is disabled in the consensus, - the timestamp is sent as 0 instead. Implements part of proposal 222. - - Stop sending timestamps in AUTHENTICATE cells. This is not such - a big deal from a security point of view, but it achieves no actual - good purpose, and isn't needed. Implements part of proposal 222. - - Reduce down accuracy of timestamps in hidden service descriptors. - Implements part of proposal 222. diff --git a/changes/prop221 b/changes/prop221 deleted file mode 100644 index b2bf44bc37..0000000000 --- a/changes/prop221 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features: - - Stop sending the CREATE_FAST cells by default; instead, use a - parameter in the consensus to decide whether to use - CREATE_FAST. This can improve security on connections where - Tor's circuit handshake is stronger than the available TLS - connection security levels. Implements proposal 221. diff --git a/changes/rsa_init_bug b/changes/rsa_init_bug deleted file mode 100644 index 6b5fb4f2f9..0000000000 --- a/changes/rsa_init_bug +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (key management): - - If OpenSSL fails to generate an RSA key, do not retain a dangling pointer - to the previous (uninitialized) key value. The impact here should be - limited to a difficult-to-trigger crash, if OpenSSL is running an - engine that makes key generation failures possible, or if OpenSSL runs - out of memory. Fixes bug 19152; bugfix on 0.2.1.10-alpha. Found by - Yuan Jochen Kang, Suman Jana, and Baishakhi Ray. diff --git a/changes/signof_enum b/changes/signof_enum deleted file mode 100644 index ba4fb597d7..0000000000 --- a/changes/signof_enum +++ /dev/null @@ -1,7 +0,0 @@ - o Code simplifications and refactoring: - - Use Ville Laurikari's implementation of AX_CHECK_SIGN() to determine - the signs of types during autoconf. This is better than our old - approach, which didn't work when cross-compiling. - - Detect the sign of enum values, rather than assuming that MSC is the - only compiler where enum types are all signed. Fix for bug 7727; - bugfix on 0.2.4.10-alpha. diff --git a/changes/ticket11528 b/changes/ticket11528 deleted file mode 100644 index 15daad9950..0000000000 --- a/changes/ticket11528 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features: - - Servers now trust themselves to have a better view than clients of - which TLS ciphersuites to choose. (Thanks to #11513, the server - list is now well-considered, whereas the client list has been - chosen mainly for anti-fingerprinting purposes.) Resolves ticket - 11528. diff --git a/changes/ticket12688 b/changes/ticket12688 deleted file mode 100644 index 88228e5506..0000000000 --- a/changes/ticket12688 +++ /dev/null @@ -1,6 +0,0 @@ - Major features: - - Make the number of entry guards configurable via a new - NumEntryGuards consensus parameter, and the number of directory - guards configurable via a new NumDirectoryGuards consensus - parameter. Implements ticket 12688. - diff --git a/changes/ticket14487 b/changes/ticket14487 deleted file mode 100644 index 577337ff24..0000000000 --- a/changes/ticket14487 +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority IP change: - - The directory authority Faravahar has a new IP address. Closes - ticket 14487. diff --git a/changes/ticket2267 b/changes/ticket2267 deleted file mode 100644 index b589b5721f..0000000000 --- a/changes/ticket2267 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor features: - - Refactor resolve_my_address() so it returns the method by which we - decided our public IP address (explicitly configured, resolved from - explicit hostname, guessed from interfaces, learned by gethostname). - Now we can provide more helpful log messages when a relay guesses - its IP address incorrectly (e.g. due to unexpected lines in - /etc/hosts). Resolves ticket 2267. - diff --git a/changes/ticket8240 b/changes/ticket8240 deleted file mode 100644 index 91e6f8c14a..0000000000 --- a/changes/ticket8240 +++ /dev/null @@ -1,4 +0,0 @@ - o Major security fixes: - - Make the default guard lifetime controllable via a new - GuardLifetime torrc option and a GuardLifetime consensus - parameter. Start of a fix for bug 8240; bugfix on 0.1.1.11-alpha. diff --git a/changes/ticket8443 b/changes/ticket8443 deleted file mode 100644 index ca6fb2f471..0000000000 --- a/changes/ticket8443 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Randomize the lifetime of our SSL link certificate, so censors can't - use the static value for filtering Tor flows. Resolves ticket 8443; - related to ticket 4014 which was included in 0.2.2.33. diff --git a/changes/ticket9658 b/changes/ticket9658 deleted file mode 100644 index a8db2efba8..0000000000 --- a/changes/ticket9658 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Track how many "TAP" and "NTor" circuit handshake requests we get, - and how many we complete, and log it every hour to help relay - operators follow trends in network load. Addresses ticket 9658. diff --git a/changes/ticket9866 b/changes/ticket9866 deleted file mode 100644 index 6cbb1110db..0000000000 --- a/changes/ticket9866 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation: - - Add anchors to the manpage so we can link to the documentation for - specific options. Resolves ticket 9866. diff --git a/changes/trove-2017-001.2 b/changes/trove-2017-001.2 deleted file mode 100644 index 3ef073cf9f..0000000000 --- a/changes/trove-2017-001.2 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (parsing): - - Fix an integer underflow bug when comparing malformed Tor versions. - This bug is harmless, except when Tor has been built with - --enable-expensive-hardening, which would turn it into a crash; - or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with - -ftrapv by default. - Part of TROVE-2017-001. Fixes bug 21278; bugfix on - 0.0.8pre1. Found by OSS-Fuzz. diff --git a/changes/trove-2017-005 b/changes/trove-2017-005 deleted file mode 100644 index cebb013f86..0000000000 --- a/changes/trove-2017-005 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (hidden service, relay, security): - - Fix an assertion failure caused by receiving a BEGIN_DIR cell on - a hidden service rendezvous circuit. Fixes bug 22494, tracked as - TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found - by armadev. - - diff --git a/changes/v3_intro_len b/changes/v3_intro_len deleted file mode 100644 index fbe39bce3b..0000000000 --- a/changes/v3_intro_len +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes: - - - Fix an uninitialized read that could (in some cases) lead to a remote - crash while parsing INTRODUCE 1 cells. (This is, so far as we know, - unrelated to the recent news.) Fixes bug XXX; bugfix on - 0.2.4.1-alpha. Anybody running a hidden service on the experimental - 0.2.4.x branch should upgrade. - diff --git a/changes/warn-unsigned-time_t b/changes/warn-unsigned-time_t deleted file mode 100644 index 5f0c36d099..0000000000 --- a/changes/warn-unsigned-time_t +++ /dev/null @@ -1,5 +0,0 @@ - o Build improvements: - - Warn if building on a platform with an unsigned time_t: there - are too many places where Tor currently assumes that time_t can - hold negative values. We'd like to fix them all, but probably - some will remain. |