diff options
123 files changed, 2057 insertions, 601 deletions
@@ -1,3 +1,714 @@ +Changes in version 0.2.5.16 - 2017-12-01 + Tor 0.2.5.13 backports important security and stability bugfixes from + later Tor releases. All Tor users should upgrade to this release, or + to another of the releases coming out today. + + Note: the Tor 0.2.5 series will no longer be supported after 1 May + 2018. If you need a release with long-term support, please upgrade to + the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. + + o Major bugfixes (security, backport from 0.3.2.6-alpha): + - Fix a denial of service bug where an attacker could use a + malformed directory object to cause a Tor instance to pause while + OpenSSL would try to read a passphrase from the terminal. (Tor + instances run without a terminal, which is the case for most Tor + packages, are not impacted.) Fixes bug 24246; bugfix on every + version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. + Found by OSS-Fuzz as testcase 6360145429790720. + - When checking for replays in the INTRODUCE1 cell data for a + (legacy) onion service, correctly detect replays in the RSA- + encrypted part of the cell. We were previously checking for + replays on the entire cell, but those can be circumvented due to + the malleability of Tor's legacy hybrid encryption. This fix helps + prevent a traffic confirmation attack. Fixes bug 24244; bugfix on + 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 + and CVE-2017-8819. + + o Major bugfixes (security, relay, backport from 0.3.2.6-alpha): + - When running as a relay, make sure that we never build a path + through ourselves, even in the case where we have somehow lost the + version of our descriptor appearing in the consensus. Fixes part + of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked + as TROVE-2017-012 and CVE-2017-8822. + + o Minor features (bridge, backport from 0.3.1.9): + - Bridges now include notice in their descriptors that they are + bridges, and notice of their distribution status, based on their + publication settings. Implements ticket 18329. For more fine- + grained control of how a bridge is distributed, upgrade to 0.3.2.x + or later. + + o Minor features (geoip): + - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.5.15 - 2017-10-25 + Tor 0.2.5.15 backports a collection of bugfixes from later Tor release + series. It also adds a new directory authority, Bastet. + + Note: the Tor 0.2.5 series will no longer be supported after 1 May + 2018. If you need a release with long-term support, please upgrade to + the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. + + o Directory authority changes: + - Add "Bastet" as a ninth directory authority to the default list. + Closes ticket 23910. + - The directory authority "Longclaw" has changed its IP address. + Closes ticket 23592. + + o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): + - Avoid an assertion failure bug affecting our implementation of + inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() + handling of "0xx" differs from what we had expected. Fixes bug + 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. + + o Minor features (geoip): + - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha): + - Fix a memset() off the end of an array when packing cells. This + bug should be harmless in practice, since the corrupted bytes are + still in the same structure, and are always padding bytes, + ignored, or immediately overwritten, depending on compiler + behavior. Nevertheless, because the memset()'s purpose is to make + sure that any other cell-handling bugs can't expose bytes to the + network, we need to fix it. Fixes bug 22737; bugfix on + 0.2.4.11-alpha. Fixes CID 1401591. + + o Build features (backport from 0.3.1.5-alpha): + - Tor's repository now includes a Travis Continuous Integration (CI) + configuration file (.travis.yml). This is meant to help new + developers and contributors who fork Tor to a Github repository be + better able to test their changes, and understand what we expect + to pass. To use this new build feature, you must fork Tor to your + Github account, then go into the "Integrations" menu in the + repository settings for your fork and enable Travis, then push + your changes. Closes ticket 22636. + + +Changes in version 0.2.5.14 - 2017-06-08 + Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) + + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + +Changes in version 0.2.5.13 - 2017-03-03 + Tor 0.2.5.13 backports a number of security fixes from later Tor + releases. Anybody running Tor 0.2.5.13 or earlier should upgrade to + this release, if for some reason they cannot upgrade to a later + release series. + + Note that support for Tor 0.2.5.x is ending next year: we will not issue + any fixes for the Tor 0.2.5.x series after 1 May 2018. If you need + a Tor release series with longer-term support, we recommend Tor 0.2.9.x. + + o Directory authority changes (backport from 0.2.8.5-rc): + - Urras is no longer a directory authority. Closes ticket 19271. + + o Directory authority changes (backport from 0.2.9.2-alpha): + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Directory authority key updates (backport from 0.2.8.1-alpha): + - Update the V3 identity key for the dannenberg directory authority: + it was changed on 18 November 2015. Closes task 17906. Patch + by "teor". + + o Major features (security fixes, backport from 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Major bugfixes (parsing, security, backport from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha): + - Stop a crash that could occur when a client running with DNSPort + received a query with multiple address types, and the first + address type was not supported. Found and fixed by Scott Dial. + Fixes bug 18710; bugfix on 0.2.5.4-alpha. + + o Major bugfixes (security, correctness, backport from 0.2.7.4-rc): + - Fix an error that could cause us to read 4 bytes before the + beginning of an openssl string. This bug could be used to cause + Tor to crash on systems with unusual malloc implementations, or + systems with unusual hardening installed. Fixes bug 17404; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha): + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. Fixes bug 18162; + bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. + Reported by Guido Vranken. + + o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". + + o Major bugfixes (guard selection, backport from 0.2.7.6): + - Actually look at the Guard flag when selecting a new directory + guard. When we implemented the directory guard design, we + accidentally started treating all relays as if they have the Guard + flag during guard selection, leading to weaker anonymity and worse + performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered + by Mohsen Imani. + + o Major bugfixes (key management, backport from 0.2.8.3-alpha): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (security, memory erasure, backport from 0.2.8.1-alpha): + - Make memwipe() do nothing when passed a NULL pointer or buffer of + zero size. Check size argument to memwipe() for underflow. Fixes + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", + patch by "teor". + + o Minor features (bug-resistance, backport from 0.2.8.2-alpha): + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation, backport from 0.2.7.6): + - Fix a compilation warning with Clang 3.6: Do not check the + presence of an address which can never be NULL. Fixes bug 17781. + + o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha): + - Check for failures from crypto_early_init, and refuse to continue. + A previous typo meant that we could keep going with an + uninitialized crypto library, and would have OpenSSL initialize + its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced + when implementing ticket 4900. Patch by "teor". + + o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha): + - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on + a client authorized hidden service. Fixes bug 15823; bugfix + on 0.2.1.6-alpha. + + +Changes in version 0.2.5.12 - 2015-04-06 + Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that + could be used by an attacker to crash hidden services, or crash clients + visiting hidden services. Hidden services should upgrade as soon as + possible; clients should upgrade whenever packages become available. + + This release also backports a simple improvement to make hidden + services a bit less vulnerable to denial-of-service attacks. + + o Major bugfixes (security, hidden service): + - Fix an issue that would allow a malicious client to trigger an + assertion failure and halt a hidden service. Fixes bug 15600; + bugfix on 0.2.1.6-alpha. Reported by "disgleirio". + - Fix a bug that could cause a client to crash with an assertion + failure when parsing a malformed hidden service descriptor. Fixes + bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC". + + o Minor features (DoS-resistance, hidden service): + - Introduction points no longer allow multiple INTRODUCE1 cells to + arrive on the same circuit. This should make it more expensive for + attackers to overwhelm hidden services with introductions. + Resolves ticket 15515. + + +Changes in version 0.2.5.11 - 2015-03-17 + Tor 0.2.5.11 is the second stable release in the 0.2.5 series. + + It backports several bugfixes from the 0.2.6 branch, including a + couple of medium-level security fixes for relays and exit nodes. + It also updates the list of directory authorities. + + o Directory authority changes: + - Remove turtles as a directory authority. + - Add longclaw as a new (v3) directory authority. This implements + ticket 13296. This keeps the directory authority count at 9. + - The directory authority Faravahar has a new IP address. This + closes ticket 14487. + + o Major bugfixes (crash, OSX, security): + - Fix a remote denial-of-service opportunity caused by a bug in + OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared + in OSX 10.9. + + o Major bugfixes (relay, stability, possible security): + - Fix a bug that could lead to a relay crashing with an assertion + failure if a buffer of exactly the wrong layout was passed to + buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on + 0.2.0.10-alpha. Patch from 'cypherpunks'. + - Do not assert if the 'data' pointer on a buffer is advanced to the + very end of the buffer; log a BUG message instead. Only assert if + it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. + + o Major bugfixes (exit node stability): + - Fix an assertion failure that could occur under high DNS load. + Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr"; + diagnosed and fixed by "cypherpunks". + + o Major bugfixes (Linux seccomp2 sandbox): + - Upon receiving sighup with the seccomp2 sandbox enabled, do not + crash during attempts to call wait4. Fixes bug 15088; bugfix on + 0.2.5.1-alpha. Patch from "sanic". + + o Minor features (controller): + - New "GETINFO bw-event-cache" to get information about recent + bandwidth events. Closes ticket 14128. Useful for controllers to + get recent bandwidth history after the fix for ticket 13988. + + o Minor features (geoip): + - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database. + - Update geoip6 to the March 3 2015 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (client, automapping): + - Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when + no value follows the option. Fixes bug 14142; bugfix on + 0.2.4.7-alpha. Patch by "teor". + - Fix a memory leak when using AutomapHostsOnResolve. Fixes bug + 14195; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (compilation): + - Build without warnings with the stock OpenSSL srtp.h header, which + has a duplicate declaration of SSL_get_selected_srtp_profile(). + Fixes bug 14220; this is OpenSSL's bug, not ours. + + o Minor bugfixes (directory authority): + - Allow directory authorities to fetch more data from one another if + they find themselves missing lots of votes. Previously, they had + been bumping against the 10 MB queued data limit. Fixes bug 14261; + bugfix on 0.1.2.5-alpha. + - Enlarge the buffer to read bwauth generated files to avoid an + issue when parsing the file in dirserv_read_measured_bandwidths(). + Fixes bug 14125; bugfix on 0.2.2.1-alpha. + + o Minor bugfixes (statistics): + - Increase period over which bandwidth observations are aggregated + from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1. + + o Minor bugfixes (preventative security, C safety): + - When reading a hexadecimal, base-32, or base-64 encoded value from + a string, always overwrite the whole output buffer. This prevents + some bugs where we would look at (but fortunately, not reveal) + uninitialized memory on the stack. Fixes bug 14013; bugfix on all + versions of Tor. + + +Changes in version 0.2.4.26 - 2015-03-17 + Tor 0.2.4.26 includes an updated list of directory authorities. It + also backports a couple of stability and security bugfixes from 0.2.5 + and beyond. + + o Directory authority changes: + - Remove turtles as a directory authority. + - Add longclaw as a new (v3) directory authority. This implements + ticket 13296. This keeps the directory authority count at 9. + - The directory authority Faravahar has a new IP address. This + closes ticket 14487. + + o Major bugfixes (exit node stability, also in 0.2.6.3-alpha): + - Fix an assertion failure that could occur under high DNS load. + Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr"; + diagnosed and fixed by "cypherpunks". + + o Major bugfixes (relay, stability, possible security, also in 0.2.6.4-rc): + - Fix a bug that could lead to a relay crashing with an assertion + failure if a buffer of exactly the wrong layout was passed to + buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on + 0.2.0.10-alpha. Patch from 'cypherpunks'. + - Do not assert if the 'data' pointer on a buffer is advanced to the + very end of the buffer; log a BUG message instead. Only assert if + it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. + + o Minor features (geoip): + - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database. + - Update geoip6 to the March 3 2015 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.5.10 - 2014-10-24 + Tor 0.2.5.10 is the first stable release in the 0.2.5 series. + + It adds several new security features, including improved + denial-of-service resistance for relays, new compiler hardening + options, and a system-call sandbox for hardened installations on Linux + (requires seccomp2). The controller protocol has several new features, + resolving IPv6 addresses should work better than before, and relays + should be a little more CPU-efficient. We've added support for more + OpenBSD and FreeBSD transparent proxy types. We've improved the build + system and testing infrastructure to allow unit testing of more parts + of the Tor codebase. Finally, we've addressed several nagging pluggable + transport usability issues, and included numerous other small bugfixes + and features mentioned below. + + This release marks end-of-life for Tor 0.2.3.x; those Tor versions + have accumulated many known flaws; everyone should upgrade. + + o Deprecated versions: + - Tor 0.2.3.x has reached end-of-life; it has received no patches or + attention for some while. + + +Changes in version 0.2.5.9-rc - 2014-10-20 + Tor 0.2.5.9-rc is the third release candidate for the Tor 0.2.5.x + series. It disables SSL3 in response to the recent "POODLE" attack + (even though POODLE does not affect Tor). It also works around a crash + bug caused by some operating systems' response to the "POODLE" attack + (which does affect Tor). It also contains a few miscellaneous fixes. + + o Major security fixes: + - Disable support for SSLv3. All versions of OpenSSL in use with Tor + today support TLS 1.0 or later, so we can safely turn off support + for this old (and insecure) protocol. Fixes bug 13426. + + o Major bugfixes (openssl bug workaround): + - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or + 1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug + 13471. This is a workaround for an OpenSSL bug. + + o Minor bugfixes: + - Disable the sandbox name resolver cache when running tor-resolve: + tor-resolve doesn't use the sandbox code, and turning it on was + breaking attempts to do tor-resolve on a non-default server on + Linux. Fixes bug 13295; bugfix on 0.2.5.3-alpha. + + o Compilation fixes: + - Build and run correctly on systems like OpenBSD-current that have + patched OpenSSL to remove get_cipher_by_char and/or its + implementations. Fixes issue 13325. + + o Downgraded warnings: + - Downgrade the severity of the 'unexpected sendme cell from client' + from 'warn' to 'protocol warning'. Closes ticket 8093. + + +Changes in version 0.2.4.25 - 2014-10-20 + Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack + (even though POODLE does not affect Tor). It also works around a crash + bug caused by some operating systems' response to the "POODLE" attack + (which does affect Tor). + + o Major security fixes (also in 0.2.5.9-rc): + - Disable support for SSLv3. All versions of OpenSSL in use with Tor + today support TLS 1.0 or later, so we can safely turn off support + for this old (and insecure) protocol. Fixes bug 13426. + + o Major bugfixes (openssl bug workaround, also in 0.2.5.9-rc): + - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or + 1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug + 13471. This is a workaround for an OpenSSL bug. + + +Changes in version 0.2.5.8-rc - 2014-09-22 + Tor 0.2.5.8-rc is the second release candidate for the Tor 0.2.5.x + series. It fixes a bug that affects consistency and speed when + connecting to hidden services, and it updates the location of one of + the directory authorities. + + o Major bugfixes: + - Clients now send the correct address for their chosen rendezvous + point when trying to access a hidden service. They used to send + the wrong address, which would still work some of the time because + they also sent the identity digest of the rendezvous point, and if + the hidden service happened to try connecting to the rendezvous + point from a relay that already had a connection open to it, + the relay would reuse that connection. Now connections to hidden + services should be more robust and faster. Also, this bug meant + that clients were leaking to the hidden service whether they were + on a little-endian (common) or big-endian (rare) system, which for + some users might have reduced their anonymity. Fixes bug 13151; + bugfix on 0.2.1.5-alpha. + + o Directory authority changes: + - Change IP address for gabelmoo (v3 directory authority). + + +Changes in version 0.2.4.24 - 2014-09-22 + Tor 0.2.4.24 fixes a bug that affects consistency and speed when + connecting to hidden services, and it updates the location of one of + the directory authorities. + + o Major bugfixes: + - Clients now send the correct address for their chosen rendezvous + point when trying to access a hidden service. They used to send + the wrong address, which would still work some of the time because + they also sent the identity digest of the rendezvous point, and if + the hidden service happened to try connecting to the rendezvous + point from a relay that already had a connection open to it, + the relay would reuse that connection. Now connections to hidden + services should be more robust and faster. Also, this bug meant + that clients were leaking to the hidden service whether they were + on a little-endian (common) or big-endian (rare) system, which for + some users might have reduced their anonymity. Fixes bug 13151; + bugfix on 0.2.1.5-alpha. + + o Directory authority changes: + - Change IP address for gabelmoo (v3 directory authority). + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.5.7-rc - 2014-09-11 + Tor 0.2.5.7-rc fixes several regressions from earlier in the 0.2.5.x + release series, and some long-standing bugs related to ORPort reachability + testing and failure to send CREATE cells. It is the first release + candidate for the Tor 0.2.5.x series. + + o Major bugfixes (client, startup): + - Start making circuits as soon as DisabledNetwork is turned off. + When Tor started with DisabledNetwork set, it would correctly + conclude that it shouldn't build circuits, but it would mistakenly + cache this conclusion, and continue believing it even when + DisableNetwork is set to 0. Fixes the bug introduced by the fix + for bug 11200; bugfix on 0.2.5.4-alpha. + - Resume expanding abbreviations for command-line options. The fix + for bug 4647 accidentally removed our hack from bug 586 that + rewrote HashedControlPassword to __HashedControlSessionPassword + when it appears on the commandline (which allowed the user to set + her own HashedControlPassword in the torrc file while the + controller generates a fresh session password for each run). Fixes + bug 12948; bugfix on 0.2.5.1-alpha. + - Warn about attempts to run hidden services and relays in the same + process: that's probably not a good idea. Closes ticket 12908. + + o Major bugfixes (relay): + - Avoid queuing or sending destroy cells for circuit ID zero when we + fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1. + Found and fixed by "cypherpunks". + - Fix ORPort reachability detection on relays running behind a + proxy, by correctly updating the "local" mark on the controlling + channel when changing the address of an or_connection_t after the + handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha. + + o Minor features (bridge): + - Add an ExtORPortCookieAuthFileGroupReadable option to make the + cookie file for the ExtORPort g+r by default. + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (logging): + - Reduce the log severity of the "Pluggable transport proxy does not + provide any needed transports and will not be launched." message, + since Tor Browser includes several ClientTransportPlugin lines in + its torrc-defaults file, leading every Tor Browser user who looks + at her logs to see these notices and wonder if they're dangerous. + Resolves bug 13124; bugfix on 0.2.5.3-alpha. + - Downgrade "Unexpected onionskin length after decryption" warning + to a protocol-warn, since there's nothing relay operators can do + about a client that sends them a malformed create cell. Resolves + bug 12996; bugfix on 0.0.6rc1. + - Log more specific warnings when we get an ESTABLISH_RENDEZVOUS + cell on a cannibalized or non-OR circuit. Resolves ticket 12997. + - When logging information about an EXTEND2 or EXTENDED2 cell, log + their names correctly. Fixes part of bug 12700; bugfix + on 0.2.4.8-alpha. + - When logging information about a relay cell whose command we don't + recognize, log its command as an integer. Fixes part of bug 12700; + bugfix on 0.2.1.10-alpha. + - Escape all strings from the directory connection before logging + them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor". + + o Minor bugfixes (controller): + - Restore the functionality of CookieAuthFileGroupReadable. Fixes + bug 12864; bugfix on 0.2.5.1-alpha. + - Actually send TRANSPORT_LAUNCHED and HS_DESC events to + controllers. Fixes bug 13085; bugfix on 0.2.5.1-alpha. Patch + by "teor". + + o Minor bugfixes (compilation): + - Fix compilation of test.h with MSVC. Patch from Gisle Vanem; + bugfix on 0.2.5.5-alpha. + - Make the nmake make files work again. Fixes bug 13081. Bugfix on + 0.2.5.1-alpha. Patch from "NewEraCracker". + - In routerlist_assert_ok(), don't take the address of a + routerinfo's cache_info member unless that routerinfo is non-NULL. + Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor". + - Fix a large number of false positive warnings from the clang + analyzer static analysis tool. This should make real warnings + easier for clang analyzer to find. Patch from "teor". Closes + ticket 13036. + + o Distribution (systemd): + - Verify configuration file via ExecStartPre in the systemd unit + file. Patch from intrigeri; resolves ticket 12730. + - Explicitly disable RunAsDaemon in the systemd unit file. Our + current systemd unit uses "Type = simple", so systemd does not + expect tor to fork. If the user has "RunAsDaemon 1" in their + torrc, then things won't work as expected. This is e.g. the case + on Debian (and derivatives), since there we pass "--defaults-torrc + /usr/share/tor/tor-service-defaults-torrc" (that contains + "RunAsDaemon 1") by default. Patch by intrigeri; resolves + ticket 12731. + + o Documentation: + - Adjust the URLs in the README to refer to the new locations of + several documents on the website. Fixes bug 12830. Patch from + Matt Pagan. + - Document 'reject6' and 'accept6' ExitPolicy entries. Resolves + ticket 12878. + + +Changes in version 0.2.5.6-alpha - 2014-07-28 + Tor 0.2.5.6-alpha brings us a big step closer to slowing down the + risk from guard rotation, and fixes a variety of other issues to get + us closer to a release candidate. + + o Major features (also in 0.2.4.23): + - Make the number of entry guards configurable via a new + NumEntryGuards consensus parameter, and the number of directory + guards configurable via a new NumDirectoryGuards consensus + parameter. Implements ticket 12688. + + o Major bugfixes (also in 0.2.4.23): + - Fix a bug in the bounds-checking in the 32-bit curve25519-donna + implementation that caused incorrect results on 32-bit + implementations when certain malformed inputs were used along with + a small class of private ntor keys. This bug does not currently + appear to allow an attacker to learn private keys or impersonate a + Tor server, but it could provide a means to distinguish 32-bit Tor + implementations from 64-bit Tor implementations. Fixes bug 12694; + bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from + Adam Langley. + + o Major bugfixes: + - Perform circuit cleanup operations even when circuit + construction operations are disabled (because the network is + disabled, or because there isn't enough directory information). + Previously, when we were not building predictive circuits, we + were not closing expired circuits either. Fixes bug 8387; bugfix on + 0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we + became more strict about when we have "enough directory information + to build circuits". + + o Minor features: + - Authorities now assign the Guard flag to the fastest 25% of the + network (it used to be the fastest 50%). Also raise the consensus + weight that guarantees the Guard flag from 250 to 2000. For the + current network, this results in about 1100 guards, down from 2500. + This step paves the way for moving the number of entry guards + down to 1 (proposal 236) while still providing reasonable expected + performance for most users. Implements ticket 12690. + - Update geoip and geoip6 to the July 10 2014 Maxmind GeoLite2 + Country database. + - Slightly enhance the diagnostic message for bug 12184. + + o Minor bugfixes (also in 0.2.4.23): + - Warn and drop the circuit if we receive an inbound 'relay early' + cell. Those used to be normal to receive on hidden service circuits + due to bug 1038, but the buggy Tor versions are long gone from + the network so we can afford to resume watching for them. Resolves + the rest of bug 1038; bugfix on 0.2.1.19. + - Correct a confusing error message when trying to extend a circuit + via the control protocol but we don't know a descriptor or + microdescriptor for one of the specified relays. Fixes bug 12718; + bugfix on 0.2.3.1-alpha. + + o Minor bugfixes: + - Fix compilation when building with bufferevents enabled. (This + configuration is still not expected to work, however.) + Fixes bugs 12438, 12474, 11578; bugfixes on 0.2.5.1-alpha and + 0.2.5.3-alpha. Patches from Anthony G. Basile and Sathyanarayanan + Gunasekaran. + - Compile correctly with builds and forks of OpenSSL (such as + LibreSSL) that disable compression. Fixes bug 12602; bugfix on + 0.2.1.1-alpha. Patch from "dhill". + + +Changes in version 0.2.4.23 - 2014-07-28 + Tor 0.2.4.23 brings us a big step closer to slowing down the risk from + guard rotation, and also backports several important fixes from the + Tor 0.2.5 alpha release series. + + o Major features: + - Clients now look at the "usecreatefast" consensus parameter to + decide whether to use CREATE_FAST or CREATE cells for the first hop + of their circuit. This approach can improve security on connections + where Tor's circuit handshake is stronger than the available TLS + connection security levels, but the tradeoff is more computational + load on guard relays. Implements proposal 221. Resolves ticket 9386. + - Make the number of entry guards configurable via a new + NumEntryGuards consensus parameter, and the number of directory + guards configurable via a new NumDirectoryGuards consensus + parameter. Implements ticket 12688. + + o Major bugfixes: + - Fix a bug in the bounds-checking in the 32-bit curve25519-donna + implementation that caused incorrect results on 32-bit + implementations when certain malformed inputs were used along with + a small class of private ntor keys. This bug does not currently + appear to allow an attacker to learn private keys or impersonate a + Tor server, but it could provide a means to distinguish 32-bit Tor + implementations from 64-bit Tor implementations. Fixes bug 12694; + bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from + Adam Langley. + + o Minor bugfixes: + - Warn and drop the circuit if we receive an inbound 'relay early' + cell. Those used to be normal to receive on hidden service circuits + due to bug 1038, but the buggy Tor versions are long gone from + the network so we can afford to resume watching for them. Resolves + the rest of bug 1038; bugfix on 0.2.1.19. + - Correct a confusing error message when trying to extend a circuit + via the control protocol but we don't know a descriptor or + microdescriptor for one of the specified relays. Fixes bug 12718; + bugfix on 0.2.3.1-alpha. + - Avoid an illegal read from stack when initializing the TLS + module using a version of OpenSSL without all of the ciphers + used by the v2 link handshake. Fixes bug 12227; bugfix on + 0.2.4.8-alpha. Found by "starlight". + + o Minor features: + - Update geoip and geoip6 to the July 10 2014 Maxmind GeoLite2 + Country database. + + Changes in version 0.2.5.5-alpha - 2014-06-18 Tor 0.2.5.5-alpha fixes a wide variety of remaining issues in the Tor 0.2.5.x release series, including a couple of DoS issues, some diff --git a/ReleaseNotes b/ReleaseNotes index 19185a2968..951e1449f4 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -1,8 +1,1353 @@ - This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.5.16 - 2017-12-01 + Tor 0.2.5.13 backports important security and stability bugfixes from + later Tor releases. All Tor users should upgrade to this release, or + to another of the releases coming out today. + + Note: the Tor 0.2.5 series will no longer be supported after 1 May + 2018. If you need a release with long-term support, please upgrade to + the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. + + o Major bugfixes (security, backport from 0.3.2.6-alpha): + - Fix a denial of service bug where an attacker could use a + malformed directory object to cause a Tor instance to pause while + OpenSSL would try to read a passphrase from the terminal. (Tor + instances run without a terminal, which is the case for most Tor + packages, are not impacted.) Fixes bug 24246; bugfix on every + version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. + Found by OSS-Fuzz as testcase 6360145429790720. + - When checking for replays in the INTRODUCE1 cell data for a + (legacy) onion service, correctly detect replays in the RSA- + encrypted part of the cell. We were previously checking for + replays on the entire cell, but those can be circumvented due to + the malleability of Tor's legacy hybrid encryption. This fix helps + prevent a traffic confirmation attack. Fixes bug 24244; bugfix on + 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 + and CVE-2017-8819. + + o Major bugfixes (security, relay, backport from 0.3.2.6-alpha): + - When running as a relay, make sure that we never build a path + through ourselves, even in the case where we have somehow lost the + version of our descriptor appearing in the consensus. Fixes part + of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked + as TROVE-2017-012 and CVE-2017-8822. + + o Minor features (bridge, backport from 0.3.1.9): + - Bridges now include notice in their descriptors that they are + bridges, and notice of their distribution status, based on their + publication settings. Implements ticket 18329. For more fine- + grained control of how a bridge is distributed, upgrade to 0.3.2.x + or later. + + o Minor features (geoip): + - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.5.15 - 2017-10-25 + Tor 0.2.5.15 backports a collection of bugfixes from later Tor release + series. It also adds a new directory authority, Bastet. + + Note: the Tor 0.2.5 series will no longer be supported after 1 May + 2018. If you need a release with long-term support, please upgrade to + the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. + + o Directory authority changes: + - Add "Bastet" as a ninth directory authority to the default list. + Closes ticket 23910. + - The directory authority "Longclaw" has changed its IP address. + Closes ticket 23592. + + o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): + - Avoid an assertion failure bug affecting our implementation of + inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() + handling of "0xx" differs from what we had expected. Fixes bug + 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. + + o Minor features (geoip): + - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha): + - Fix a memset() off the end of an array when packing cells. This + bug should be harmless in practice, since the corrupted bytes are + still in the same structure, and are always padding bytes, + ignored, or immediately overwritten, depending on compiler + behavior. Nevertheless, because the memset()'s purpose is to make + sure that any other cell-handling bugs can't expose bytes to the + network, we need to fix it. Fixes bug 22737; bugfix on + 0.2.4.11-alpha. Fixes CID 1401591. + + o Build features (backport from 0.3.1.5-alpha): + - Tor's repository now includes a Travis Continuous Integration (CI) + configuration file (.travis.yml). This is meant to help new + developers and contributors who fork Tor to a Github repository be + better able to test their changes, and understand what we expect + to pass. To use this new build feature, you must fork Tor to your + Github account, then go into the "Integrations" menu in the + repository settings for your fork and enable Travis, then push + your changes. Closes ticket 22636. + + +Changes in version 0.2.5.14 - 2017-06-08 + Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) + + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + +Changes in version 0.2.5.13 - 2017-03-03 + Tor 0.2.5.13 backports a number of security fixes from later Tor + releases. Anybody running Tor 0.2.5.13 or earlier should upgrade to + this release, if for some reason they cannot upgrade to a later + release series. + + Note that support for Tor 0.2.5.x is ending next year: we will not issue + any fixes for the Tor 0.2.5.x series after 1 May 2018. If you need + a Tor release series with longer-term support, we recommend Tor 0.2.9.x. + + o Directory authority changes (backport from 0.2.8.5-rc): + - Urras is no longer a directory authority. Closes ticket 19271. + + o Directory authority changes (backport from 0.2.9.2-alpha): + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Directory authority key updates (backport from 0.2.8.1-alpha): + - Update the V3 identity key for the dannenberg directory authority: + it was changed on 18 November 2015. Closes task 17906. Patch + by "teor". + + o Major features (security fixes, backport from 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Major bugfixes (parsing, security, backport from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha): + - Stop a crash that could occur when a client running with DNSPort + received a query with multiple address types, and the first + address type was not supported. Found and fixed by Scott Dial. + Fixes bug 18710; bugfix on 0.2.5.4-alpha. + + o Major bugfixes (security, correctness, backport from 0.2.7.4-rc): + - Fix an error that could cause us to read 4 bytes before the + beginning of an openssl string. This bug could be used to cause + Tor to crash on systems with unusual malloc implementations, or + systems with unusual hardening installed. Fixes bug 17404; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha): + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. Fixes bug 18162; + bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. + Reported by Guido Vranken. + + o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". + + o Major bugfixes (guard selection, backport from 0.2.7.6): + - Actually look at the Guard flag when selecting a new directory + guard. When we implemented the directory guard design, we + accidentally started treating all relays as if they have the Guard + flag during guard selection, leading to weaker anonymity and worse + performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered + by Mohsen Imani. + + o Major bugfixes (key management, backport from 0.2.8.3-alpha): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (security, memory erasure, backport from 0.2.8.1-alpha): + - Make memwipe() do nothing when passed a NULL pointer or buffer of + zero size. Check size argument to memwipe() for underflow. Fixes + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", + patch by "teor". + + o Minor features (bug-resistance, backport from 0.2.8.2-alpha): + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation, backport from 0.2.7.6): + - Fix a compilation warning with Clang 3.6: Do not check the + presence of an address which can never be NULL. Fixes bug 17781. + + o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha): + - Check for failures from crypto_early_init, and refuse to continue. + A previous typo meant that we could keep going with an + uninitialized crypto library, and would have OpenSSL initialize + its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced + when implementing ticket 4900. Patch by "teor". + + o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha): + - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on + a client authorized hidden service. Fixes bug 15823; bugfix + on 0.2.1.6-alpha. + + +Changes in version 0.2.5.12 - 2015-04-06 + Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that + could be used by an attacker to crash hidden services, or crash clients + visiting hidden services. Hidden services should upgrade as soon as + possible; clients should upgrade whenever packages become available. + + This release also backports a simple improvement to make hidden + services a bit less vulnerable to denial-of-service attacks. + + o Major bugfixes (security, hidden service): + - Fix an issue that would allow a malicious client to trigger an + assertion failure and halt a hidden service. Fixes bug 15600; + bugfix on 0.2.1.6-alpha. Reported by "disgleirio". + - Fix a bug that could cause a client to crash with an assertion + failure when parsing a malformed hidden service descriptor. Fixes + bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC". + + o Minor features (DoS-resistance, hidden service): + - Introduction points no longer allow multiple INTRODUCE1 cells to + arrive on the same circuit. This should make it more expensive for + attackers to overwhelm hidden services with introductions. + Resolves ticket 15515. + + +Changes in version 0.2.5.11 - 2015-03-17 + Tor 0.2.5.11 is the second stable release in the 0.2.5 series. + + It backports several bugfixes from the 0.2.6 branch, including a + couple of medium-level security fixes for relays and exit nodes. + It also updates the list of directory authorities. + + o Directory authority changes: + - Remove turtles as a directory authority. + - Add longclaw as a new (v3) directory authority. This implements + ticket 13296. This keeps the directory authority count at 9. + - The directory authority Faravahar has a new IP address. This + closes ticket 14487. + + o Major bugfixes (crash, OSX, security): + - Fix a remote denial-of-service opportunity caused by a bug in + OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared + in OSX 10.9. + + o Major bugfixes (relay, stability, possible security): + - Fix a bug that could lead to a relay crashing with an assertion + failure if a buffer of exactly the wrong layout was passed to + buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on + 0.2.0.10-alpha. Patch from 'cypherpunks'. + - Do not assert if the 'data' pointer on a buffer is advanced to the + very end of the buffer; log a BUG message instead. Only assert if + it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. + + o Major bugfixes (exit node stability): + - Fix an assertion failure that could occur under high DNS load. + Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr"; + diagnosed and fixed by "cypherpunks". + + o Major bugfixes (Linux seccomp2 sandbox): + - Upon receiving sighup with the seccomp2 sandbox enabled, do not + crash during attempts to call wait4. Fixes bug 15088; bugfix on + 0.2.5.1-alpha. Patch from "sanic". + + o Minor features (controller): + - New "GETINFO bw-event-cache" to get information about recent + bandwidth events. Closes ticket 14128. Useful for controllers to + get recent bandwidth history after the fix for ticket 13988. + + o Minor features (geoip): + - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database. + - Update geoip6 to the March 3 2015 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (client, automapping): + - Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when + no value follows the option. Fixes bug 14142; bugfix on + 0.2.4.7-alpha. Patch by "teor". + - Fix a memory leak when using AutomapHostsOnResolve. Fixes bug + 14195; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (compilation): + - Build without warnings with the stock OpenSSL srtp.h header, which + has a duplicate declaration of SSL_get_selected_srtp_profile(). + Fixes bug 14220; this is OpenSSL's bug, not ours. + + o Minor bugfixes (directory authority): + - Allow directory authorities to fetch more data from one another if + they find themselves missing lots of votes. Previously, they had + been bumping against the 10 MB queued data limit. Fixes bug 14261; + bugfix on 0.1.2.5-alpha. + - Enlarge the buffer to read bwauth generated files to avoid an + issue when parsing the file in dirserv_read_measured_bandwidths(). + Fixes bug 14125; bugfix on 0.2.2.1-alpha. + + o Minor bugfixes (statistics): + - Increase period over which bandwidth observations are aggregated + from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1. + + o Minor bugfixes (preventative security, C safety): + - When reading a hexadecimal, base-32, or base-64 encoded value from + a string, always overwrite the whole output buffer. This prevents + some bugs where we would look at (but fortunately, not reveal) + uninitialized memory on the stack. Fixes bug 14013; bugfix on all + versions of Tor. + + +Changes in version 0.2.4.26 - 2015-03-17 + Tor 0.2.4.26 includes an updated list of directory authorities. It + also backports a couple of stability and security bugfixes from 0.2.5 + and beyond. + + o Directory authority changes: + - Remove turtles as a directory authority. + - Add longclaw as a new (v3) directory authority. This implements + ticket 13296. This keeps the directory authority count at 9. + - The directory authority Faravahar has a new IP address. This + closes ticket 14487. + + o Major bugfixes (exit node stability, also in 0.2.6.3-alpha): + - Fix an assertion failure that could occur under high DNS load. + Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr"; + diagnosed and fixed by "cypherpunks". + + o Major bugfixes (relay, stability, possible security, also in 0.2.6.4-rc): + - Fix a bug that could lead to a relay crashing with an assertion + failure if a buffer of exactly the wrong layout was passed to + buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on + 0.2.0.10-alpha. Patch from 'cypherpunks'. + - Do not assert if the 'data' pointer on a buffer is advanced to the + very end of the buffer; log a BUG message instead. Only assert if + it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. + + o Minor features (geoip): + - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database. + - Update geoip6 to the March 3 2015 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.5.10 - 2014-10-24 + Tor 0.2.5.10 is the first stable release in the 0.2.5 series. + + It adds several new security features, including improved + denial-of-service resistance for relays, new compiler hardening + options, and a system-call sandbox for hardened installations on Linux + (requires seccomp2). The controller protocol has several new features, + resolving IPv6 addresses should work better than before, and relays + should be a little more CPU-efficient. We've added support for more + OpenBSD and FreeBSD transparent proxy types. We've improved the build + system and testing infrastructure to allow unit testing of more parts + of the Tor codebase. Finally, we've addressed several nagging pluggable + transport usability issues, and included numerous other small bugfixes + and features mentioned below. + + This release marks end-of-life for Tor 0.2.3.x; those Tor versions + have accumulated many known flaws; everyone should upgrade. + + o Major features (security): + - The ntor handshake is now on-by-default, no matter what the + directory authorities recommend. Implements ticket 8561. + - Make the "tor-gencert" tool used by directory authority operators + create 2048-bit signing keys by default (rather than 1024-bit, since + 1024-bit is uncomfortably small these days). Addresses ticket 10324. + - Warn about attempts to run hidden services and relays in the same + process: that's probably not a good idea. Closes ticket 12908. + - Disable support for SSLv3. All versions of OpenSSL in use with Tor + today support TLS 1.0 or later, so we can safely turn off support + for this old (and insecure) protocol. Fixes bug 13426. + + o Major features (relay security, DoS-resistance): + - When deciding whether we have run out of memory and we need to + close circuits, also consider memory allocated in buffers for + streams attached to each circuit. + + This change, which extends an anti-DoS feature introduced in + 0.2.4.13-alpha and improved in 0.2.4.14-alpha, lets Tor exit relays + better resist more memory-based DoS attacks than before. Since the + MaxMemInCellQueues option now applies to all queues, it is renamed + to MaxMemInQueues. This feature fixes bug 10169. + - Avoid hash-flooding denial-of-service attacks by using the secure + SipHash-2-4 hash function for our hashtables. Without this + feature, an attacker could degrade performance of a targeted + client or server by flooding their data structures with a large + number of entries to be stored at the same hash table position, + thereby slowing down the Tor instance. With this feature, hash + table positions are derived from a randomized cryptographic key, + and an attacker cannot predict which entries will collide. Closes + ticket 4900. + - If you don't specify MaxMemInQueues yourself, Tor now tries to + pick a good value based on your total system memory. Previously, + the default was always 8 GB. You can still override the default by + setting MaxMemInQueues yourself. Resolves ticket 11396. + + o Major features (bridges and pluggable transports): + - Add support for passing arguments to managed pluggable transport + proxies. Implements ticket 3594. + - Bridges now track GeoIP information and the number of their users + even when pluggable transports are in use, and report usage + statistics in their extra-info descriptors. Resolves tickets 4773 + and 5040. + - Don't launch pluggable transport proxies if we don't have any + bridges configured that would use them. Now we can list many + pluggable transports, and Tor will dynamically start one when it + hears a bridge address that needs it. Resolves ticket 5018. + - The bridge directory authority now assigns status flags (Stable, + Guard, etc) to bridges based on thresholds calculated over all + Running bridges. Now bridgedb can finally make use of its features + to e.g. include at least one Stable bridge in its answers. Fixes + bug 9859. + + o Major features (controller): + - Extend ORCONN controller event to include an "ID" parameter, + and add four new controller event types CONN_BW, CIRC_BW, + CELL_STATS, and TB_EMPTY that show connection and circuit usage. + The new events are emitted in private Tor networks only, with the + goal of being able to better track performance and load during + full-network simulations. Implements proposal 218 and ticket 7359. + + o Major features (relay performance): + - Speed up server-side lookups of rendezvous and introduction point + circuits by using hashtables instead of linear searches. These + functions previously accounted between 3 and 7% of CPU usage on + some busy relays. Resolves ticket 9841. + - Avoid wasting CPU when extending a circuit over a channel that is + nearly out of circuit IDs. Previously, we would do a linear scan + over possible circuit IDs before finding one or deciding that we + had exhausted our possibilities. Now, we try at most 64 random + circuit IDs before deciding that we probably won't succeed. Fixes + a possible root cause of ticket 11553. + + o Major features (seccomp2 sandbox, Linux only): + - Use the seccomp2 syscall filtering facility on Linux to limit + which system calls Tor can invoke. This is an experimental, + Linux-only feature to provide defense-in-depth against unknown + attacks. To try turning it on, set "Sandbox 1" in your torrc + file. Please be ready to report bugs. We hope to add support + for better sandboxing in the future, including more fine-grained + filters, better division of responsibility, and support for more + platforms. This work has been done by Cristian-Matei Toader for + Google Summer of Code. Resolves tickets 11351 and 11465. + + o Major features (testing networks): + - Make testing Tor networks bootstrap better: lower directory fetch + retry schedules and maximum interval without directory requests, + and raise maximum download tries. Implements ticket 6752. + - Add make target 'test-network' to run tests on a Chutney network. + Implements ticket 8530. + + o Major features (other): + - On some platforms (currently: recent OSX versions, glibc-based + platforms that support the ELF format, and a few other + Unix-like operating systems), Tor can now dump stack traces + when a crash occurs or an assertion fails. By default, traces + are dumped to stderr (if possible) and to any logs that are + reporting errors. Implements ticket 9299. + + o Deprecated versions: + - Tor 0.2.3.x has reached end-of-life; it has received no patches or + attention for some while. + + o Major bugfixes (security, directory authorities): + - Directory authorities now include a digest of each relay's + identity key as a part of its microdescriptor. + + This is a workaround for bug 11743 (reported by "cypherpunks"), + where Tor clients do not support receiving multiple + microdescriptors with the same SHA256 digest in the same + consensus. When clients receive a consensus like this, they only + use one of the relays. Without this fix, a hostile relay could + selectively disable some client use of target relays by + constructing a router descriptor with a different identity and the + same microdescriptor parameters and getting the authorities to + list it in a microdescriptor consensus. This fix prevents an + attacker from causing a microdescriptor collision, because the + router's identity is not forgeable. + + o Major bugfixes (openssl bug workaround): + - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or + 1.0.1j, built with the 'no-ssl3' configuration option. Fixes + bug 13471. This is a workaround for an OpenSSL bug. + + o Major bugfixes (client): + - Perform circuit cleanup operations even when circuit + construction operations are disabled (because the network is + disabled, or because there isn't enough directory information). + Previously, when we were not building predictive circuits, we + were not closing expired circuits either. Fixes bug 8387; bugfix on + 0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we + became more strict about when we have "enough directory information + to build circuits". + + o Major bugfixes (client, pluggable transports): + - When managing pluggable transports, use OS notification facilities + to learn if they have crashed, and don't attempt to kill any + process that has already exited. Fixes bug 8746; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (relay denial of service): + - Instead of writing destroy cells directly to outgoing connection + buffers, queue them and intersperse them with other outgoing cells. + This can prevent a set of resource starvation conditions where too + many pending destroy cells prevent data cells from actually getting + delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912; + bugfix on 0.2.0.1-alpha. + + o Major bugfixes (relay): + - Avoid queuing or sending destroy cells for circuit ID zero when we + fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1. + Found and fixed by "cypherpunks". + - Fix ORPort reachability detection on relays running behind a + proxy, by correctly updating the "local" mark on the controlling + channel when changing the address of an or_connection_t after the + handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha. + - Use a direct dirport connection when uploading non-anonymous + descriptors to the directory authorities. Previously, relays would + incorrectly use tunnel connections under a fairly wide variety of + circumstances. Fixes bug 11469; bugfix on 0.2.4.3-alpha. + - When a circuit accidentally has the same circuit ID for its + forward and reverse direction, correctly detect the direction of + cells using that circuit. Previously, this bug made roughly one + circuit in a million non-functional. Fixes bug 12195; this is a + bugfix on every version of Tor. + + o Minor features (security): + - New --enable-expensive-hardening option to enable security + hardening options that consume nontrivial amounts of CPU and + memory. Right now, this includes AddressSanitizer and UbSan, which + are supported in newer versions of GCC and Clang. Closes ticket + 11477. + - Authorities now assign the Guard flag to the fastest 25% of the + network (it used to be the fastest 50%). Also raise the consensus + weight that guarantees the Guard flag from 250 to 2000. For the + current network, this results in about 1100 guards, down from 2500. + This step paves the way for moving the number of entry guards + down to 1 (proposal 236) while still providing reasonable expected + performance for most users. Implements ticket 12690. + + o Minor features (security, memory management): + - Memory allocation tricks (mempools and buffer freelists) are now + disabled by default. You can turn them back on with + --enable-mempools and --enable-buf-freelists respectively. We're + disabling these features because malloc performance is good enough + on most platforms, and a similar feature in OpenSSL exacerbated + exploitation of the Heartbleed attack. Resolves ticket 11476. + + o Minor features (bridge client): + - Report a more useful failure message when we can't connect to a + bridge because we don't have the right pluggable transport + configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto. + + o Minor features (bridge): + - Add an ExtORPortCookieAuthFileGroupReadable option to make the + cookie file for the ExtORPort g+r by default. + + o Minor features (bridges, pluggable transports): + - Bridges now write the SHA1 digest of their identity key + fingerprint (that is, a hash of a hash of their public key) to + notice-level logs, and to a new hashed-fingerprint file. This + information will help bridge operators look up their bridge in + Globe and similar tools. Resolves ticket 10884. + - Improve the message that Tor displays when running as a bridge + using pluggable transports without an Extended ORPort listener. + Also, log the message in the log file too. Resolves ticket 11043. + - Add threshold cutoffs to the networkstatus document created by + the Bridge Authority. Fixes bug 1117. + - On Windows, spawn background processes using the CREATE_NO_WINDOW + flag. Now Tor Browser Bundle 3.5 with pluggable transports enabled + doesn't pop up a blank console window. (In Tor Browser Bundle 2.x, + Vidalia set this option for us.) Implements ticket 10297. + + o Minor features (build): + - The configure script has a --disable-seccomp option to turn off + support for libseccomp on systems that have it, in case it (or + Tor's use of it) is broken. Resolves ticket 11628. + - Assume that a user using ./configure --host wants to cross-compile, + and give an error if we cannot find a properly named + tool-chain. Add a --disable-tool-name-check option to proceed + nevertheless. Addresses ticket 9869. Patch by Benedikt Gollatz. + - If we run ./configure and the compiler recognizes -fstack-protector + but the linker rejects it, warn the user about a potentially missing + libssp package. Addresses ticket 9948. Patch from Benedikt Gollatz. + - Add support for `--library-versions` flag. Implements ticket 6384. + - Return the "unexpected sendme" warnings to a warn severity, but make + them rate limited, to help diagnose ticket 8093. + - Detect a missing asciidoc, and warn the user about it, during + configure rather than at build time. Fixes issue 6506. Patch from + Arlo Breault. + + o Minor features (client): + - Add a new option, PredictedPortsRelevanceTime, to control how long + after having received a request to connect to a given port Tor + will try to keep circuits ready in anticipation of future requests + for that port. Patch from "unixninja92"; implements ticket 9176. + + o Minor features (config options and command line): + - Add an --allow-missing-torrc commandline option that tells Tor to + run even if the configuration file specified by -f is not available. + Implements ticket 10060. + - Add support for the TPROXY transparent proxying facility on Linux. + See documentation for the new TransProxyType option for more + details. Implementation by "thomo". Closes ticket 10582. + + o Minor features (config options): + - Config (torrc) lines now handle fingerprints which are missing + their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5. + - Support a --dump-config option to print some or all of the + configured options. Mainly useful for debugging the command-line + option parsing code. Helps resolve ticket 4647. + - Raise awareness of safer logging: notify user of potentially + unsafe config options, like logging more verbosely than severity + "notice" or setting SafeLogging to 0. Resolves ticket 5584. + - Add a new configuration option TestingV3AuthVotingStartOffset + that bootstraps a network faster by changing the timing for + consensus votes. Addresses ticket 8532. + - Add a new torrc option "ServerTransportOptions" that allows + bridge operators to pass configuration parameters to their + pluggable transports. Resolves ticket 8929. + - The config (torrc) file now accepts bandwidth and space limits in + bits as well as bytes. (Anywhere that you can say "2 Kilobytes", + you can now say "16 kilobits", and so on.) Resolves ticket 9214. + Patch by CharlieB. + + o Minor features (controller): + - Make the entire exit policy available from the control port via + GETINFO exit-policy/*. Implements enhancement 7952. Patch from + "rl1987". + - Because of the fix for ticket 11396, the real limit for memory + usage may no longer match the configured MaxMemInQueues value. The + real limit is now exposed via GETINFO limits/max-mem-in-queues. + - Add a new "HS_DESC" controller event that reports activities + related to hidden service descriptors. Resolves ticket 8510. + - New "DROPGUARDS" controller command to forget all current entry + guards. Not recommended for ordinary use, since replacing guards + too frequently makes several attacks easier. Resolves ticket 9934; + patch from "ra". + - Implement the TRANSPORT_LAUNCHED control port event that + notifies controllers about new launched pluggable + transports. Resolves ticket 5609. + + o Minor features (diagnostic): + - When logging a warning because of bug 7164, additionally check the + hash table for consistency (as proposed on ticket 11737). This may + help diagnose bug 7164. + - When we log a heartbeat, log how many one-hop circuits we have + that are at least 30 minutes old, and log status information about + a few of them. This is an attempt to track down bug 8387. + - When encountering an unexpected CR while writing text to a file on + Windows, log the name of the file. Should help diagnosing + bug 11233. + - Give more specific warnings when a client notices that an onion + handshake has failed. Fixes ticket 9635. + - Add significant new logging code to attempt to diagnose bug 12184, + where relays seem to run out of available circuit IDs. + - Improve the diagnostic log message for bug 8387 even further to + try to improve our odds of figuring out why one-hop directory + circuits sometimes do not get closed. + - Add more log messages to diagnose bug 7164, which causes + intermittent "microdesc_free() called but md was still referenced" + warnings. We now include more information, to figure out why we + might be cleaning a microdescriptor for being too old if it's + still referenced by a live node_t object. + - Log current accounting state (bytes sent and received + remaining + time for the current accounting period) in the relay's heartbeat + message. Implements ticket 5526; patch from Peter Retzlaff. + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2 + Country database. + + o Minor features (interface): + - Generate a warning if any ports are listed in the SocksPolicy, + DirPolicy, AuthDirReject, AuthDirInvalid, AuthDirBadDir, or + AuthDirBadExit options. (These options only support address + ranges.) Fixes part of ticket 11108. + + o Minor features (kernel API usage): + - Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking + sockets in a single system call. Implements ticket 5129. + + o Minor features (log messages): + - When ServerTransportPlugin is set on a bridge, Tor can write more + useful statistics about bridge use in its extrainfo descriptors, + but only if the Extended ORPort ("ExtORPort") is set too. Add a + log message to inform the user in this case. Resolves ticket 9651. + - When receiving a new controller connection, log the origin address. + Resolves ticket 9698; patch from "sigpipe". + - When logging OpenSSL engine status at startup, log the status of + more engines. Fixes ticket 10043; patch from Joshua Datko. + + o Minor features (log verbosity): + - Demote the message that we give when a flushing connection times + out for too long from NOTICE to INFO. It was usually meaningless. + Resolves ticket 5286. + - Don't log so many notice-level bootstrapping messages at startup + about downloading descriptors. Previously, we'd log a notice + whenever we learned about more routers. Now, we only log a notice + at every 5% of progress. Fixes bug 9963. + - Warn less verbosely when receiving a malformed + ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279. + + o Minor features (performance): + - If we're using the pure-C 32-bit curve25519_donna implementation + of curve25519, build it with the -fomit-frame-pointer option to + make it go faster on register-starved hosts. This improves our + handshake performance by about 6% on i386 hosts without nacl. + Closes ticket 8109. + + o Minor features (relay): + - If a circuit timed out for at least 3 minutes, check if we have a + new external IP address, and publish a new descriptor with the new + IP address if it changed. Resolves ticket 2454. + + o Minor features (testing): + - If Python is installed, "make check" now runs extra tests beyond + the unit test scripts. + - When bootstrapping a test network, sometimes very few relays get + the Guard flag. Now a new option "TestingDirAuthVoteGuard" can + specify a set of relays which should be voted Guard regardless of + their uptime or bandwidth. Addresses ticket 9206. + + o Minor features (transparent proxy, *BSD): + - Support FreeBSD's ipfw firewall interface for TransPort ports on + FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket + 10267; patch from "yurivict". + - Support OpenBSD's divert-to rules with the pf firewall for + transparent proxy ports. To enable it, set "TransProxyType + pf-divert". This allows Tor to run a TransPort transparent proxy + port on OpenBSD 4.4 or later without root privileges. See the + pf.conf(5) manual page for information on configuring pf to use + divert-to rules. Closes ticket 10896; patch from Dana Koch. + + o Minor bugfixes (bridge client): + - Stop accepting bridge lines containing hostnames. Doing so would + cause clients to perform DNS requests on the hostnames, which was + not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. + + o Minor bugfixes (bridges): + - Avoid potential crashes or bad behavior when launching a + server-side managed proxy with ORPort or ExtORPort temporarily + disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha. + - Fix a bug where the first connection works to a bridge that uses a + pluggable transport with client-side parameters, but we don't send + the client-side parameters on subsequent connections. (We don't + use any pluggable transports with client-side parameters yet, + but ScrambleSuit will soon become the first one.) Fixes bug 9162; + bugfix on 0.2.0.3-alpha. Based on a patch from "rl1987". + + o Minor bugfixes (build, auxiliary programs): + - Stop preprocessing the "torify" script with autoconf, since + it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch + from Guilhem. + - The tor-fw-helper program now follows the standard convention and + exits with status code "0" on success. Fixes bug 9030; bugfix on + 0.2.3.1-alpha. Patch by Arlo Breault. + - Corrected ./configure advice for what openssl dev package you should + install on Debian. Fixes bug 9207; bugfix on 0.2.0.1-alpha. + + o Minor bugfixes (client): + - Avoid "Tried to open a socket with DisableNetwork set" warnings + when starting a client with bridges configured and DisableNetwork + set. (Tor launcher starts Tor with DisableNetwork set the first + time it runs.) Fixes bug 10405; bugfix on 0.2.3.9-alpha. + - Improve the log message when we can't connect to a hidden service + because all of the hidden service directory nodes hosting its + descriptor are excluded. Improves on our fix for bug 10722, which + was a bugfix on 0.2.0.10-alpha. + - Raise a control port warning when we fail to connect to all of + our bridges. Previously, we didn't inform the controller, and + the bootstrap process would stall. Fixes bug 11069; bugfix on + 0.2.1.2-alpha. + - Exit immediately when a process-owning controller exits. + Previously, tor relays would wait for a little while after their + controller exited, as if they had gotten an INT signal -- but this + was problematic, since there was no feedback for the user. To do a + clean shutdown, controllers should send an INT signal and give Tor + a chance to clean up. Fixes bug 10449; bugfix on 0.2.2.28-beta. + - Stop attempting to connect to bridges before our pluggable + transports are configured (harmless but resulted in some erroneous + log messages). Fixes bug 11156; bugfix on 0.2.3.2-alpha. + - Fix connections to IPv6 addresses over SOCKS5. Previously, we were + generating incorrect SOCKS5 responses, and confusing client + applications. Fixes bug 10987; bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (client, DNSPort): + - When using DNSPort, try to respond to AAAA requests with AAAA + answers. Previously, we hadn't looked at the request type when + deciding which answer type to prefer. Fixes bug 10468; bugfix on + 0.2.4.7-alpha. + - When receiving a DNS query for an unsupported record type, reply + with no answer rather than with a NOTIMPL error. This behavior + isn't correct either, but it will break fewer client programs, we + hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch + from "epoch". + + o Minor bugfixes (client, logging during bootstrap): + - Only report the first fatal bootstrap error on a given OR + connection. This stops us from telling the controller bogus error + messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha. + - Avoid generating spurious warnings when starting with + DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on + 0.2.3.9-alpha. + + o Minor bugfixes (closing OR connections): + - If write_to_buf() in connection_write_to_buf_impl_() ever fails, + check if it's an or_connection_t and correctly call + connection_or_close_for_error() rather than + connection_mark_for_close() directly. Fixes bug 11304; bugfix on + 0.2.4.4-alpha. + - When closing all connections on setting DisableNetwork to 1, use + connection_or_close_normally() rather than closing OR connections + out from under the channel layer. Fixes bug 11306; bugfix on + 0.2.4.4-alpha. + + o Minor bugfixes (code correctness): + - Previously we used two temporary files when writing descriptors to + disk; now we only use one. Fixes bug 1376. + - Remove an erroneous (but impossible and thus harmless) pointer + comparison that would have allowed compilers to skip a bounds + check in channeltls.c. Fixes bugs 10313 and 9980; bugfix on + 0.2.0.10-alpha. Noticed by Jared L Wong and David Fifield. + - Fix an always-true assertion in pluggable transports code so it + actually checks what it was trying to check. Fixes bug 10046; + bugfix on 0.2.3.9-alpha. Found by "dcb". + + o Minor bugfixes (command line): + - Use a single command-line parser for parsing torrc options on the + command line and for finding special command-line options to avoid + inconsistent behavior for torrc option arguments that have the same + names as command-line options. Fixes bugs 4647 and 9578; bugfix on + 0.0.9pre5. + - No longer allow 'tor --hash-password' with no arguments. Fixes bug + 9573; bugfix on 0.0.9pre5. + + o Minor bugfixes (compilation): + - Compile correctly with builds and forks of OpenSSL (such as + LibreSSL) that disable compression. Fixes bug 12602; bugfix on + 0.2.1.1-alpha. Patch from "dhill". + - Restore the ability to compile Tor with V2_HANDSHAKE_SERVER + turned off (that is, without support for v2 link handshakes). Fixes + bug 4677; bugfix on 0.2.3.2-alpha. Patch from "piet". + - In routerlist_assert_ok(), don't take the address of a + routerinfo's cache_info member unless that routerinfo is non-NULL. + Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor". + - Fix a large number of false positive warnings from the clang + analyzer static analysis tool. This should make real warnings + easier for clang analyzer to find. Patch from "teor". Closes + ticket 13036. + - Resolve GCC complaints on OpenBSD about discarding constness in + TO_{ORIGIN,OR}_CIRCUIT functions. Fixes part of bug 11633; bugfix + on 0.1.1.23. Patch from Dana Koch. + - Resolve clang complaints on OpenBSD with -Wshorten-64-to-32 due to + treatment of long and time_t as comparable types. Fixes part of + bug 11633. Patch from Dana Koch. + - When deciding whether to build the 64-bit curve25519 + implementation, detect platforms where we can compile 128-bit + arithmetic but cannot link it. Fixes bug 11729; bugfix on + 0.2.4.8-alpha. Patch from "conradev". + - Fix compilation when DNS_CACHE_DEBUG is enabled. Fixes bug 11761; + bugfix on 0.2.3.13-alpha. Found by "cypherpunks". + - Fix compilation with dmalloc. Fixes bug 11605; bugfix + on 0.2.4.10-alpha. + - Build and run correctly on systems like OpenBSD-current that have + patched OpenSSL to remove get_cipher_by_char and/or its + implementations. Fixes issue 13325. + + o Minor bugfixes (controller and command-line): + - If changing a config option via "setconf" fails in a recoverable + way, we used to nonetheless write our new control ports to the + file described by the "ControlPortWriteToFile" option. Now we only + write out that file if we successfully switch to the new config + option. Fixes bug 5605; bugfix on 0.2.2.26-beta. Patch from "Ryman". + + o Minor bugfixes (directory server): + - No longer accept malformed http headers when parsing urls from + headers. Now we reply with Bad Request ("400"). Fixes bug 2767; + bugfix on 0.0.6pre1. + - When sending a compressed set of descriptors or microdescriptors, + make sure to finalize the zlib stream. Previously, we would write + all the compressed data, but if the last descriptor we wanted to + send was missing or too old, we would not mark the stream as + finished. This caused problems for decompression tools. Fixes bug + 11648; bugfix on 0.1.1.23. + + o Minor bugfixes (hidden service): + - Only retry attempts to connect to a chosen rendezvous point 8 + times, not 30. Fixes bug 4241; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (interface): + - Reject relative control socket paths and emit a warning. Previously, + single-component control socket paths would be rejected, but Tor + would not log why it could not validate the config. Fixes bug 9258; + bugfix on 0.2.3.16-alpha. + + o Minor bugfixes (log messages): + - Fix a bug where clients using bridges would report themselves + as 50% bootstrapped even without a live consensus document. + Fixes bug 9922; bugfix on 0.2.1.1-alpha. + - Suppress a warning where, if there's only one directory authority + in the network, we would complain that votes and signatures cannot + be uploaded to other directory authorities. Fixes bug 10842; + bugfix on 0.2.2.26-beta. + - Report bootstrapping progress correctly when we're downloading + microdescriptors. We had updated our "do we have enough microdescs + to begin building circuits?" logic most recently in 0.2.4.10-alpha + (see bug 5956), but we left the bootstrap status event logic at + "how far through getting 1/4 of them are we?" Fixes bug 9958; + bugfix on 0.2.2.36, which is where they diverged (see bug 5343). + + o Minor bugfixes (logging): + - Downgrade "Unexpected onionskin length after decryption" warning + to a protocol-warn, since there's nothing relay operators can do + about a client that sends them a malformed create cell. Resolves + bug 12996; bugfix on 0.0.6rc1. + - Log more specific warnings when we get an ESTABLISH_RENDEZVOUS + cell on a cannibalized or non-OR circuit. Resolves ticket 12997. + - When logging information about an EXTEND2 or EXTENDED2 cell, log + their names correctly. Fixes part of bug 12700; bugfix + on 0.2.4.8-alpha. + - When logging information about a relay cell whose command we don't + recognize, log its command as an integer. Fixes part of bug 12700; + bugfix on 0.2.1.10-alpha. + - Escape all strings from the directory connection before logging + them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor". + - Squelch a spurious LD_BUG message "No origin circuit for + successful SOCKS stream" in certain hidden service failure cases; + fixes bug 10616. + - Downgrade the severity of the 'unexpected sendme cell from client' + from 'warn' to 'protocol warning'. Closes ticket 8093. + + o Minor bugfixes (misc code correctness): + - In munge_extrainfo_into_routerinfo(), check the return value of + memchr(). This would have been a serious issue if we ever passed + it a non-extrainfo. Fixes bug 8791; bugfix on 0.2.0.6-alpha. Patch + from Arlo Breault. + - On the chance that somebody manages to build Tor on a + platform where time_t is unsigned, correct the way that + microdesc_add_to_cache() handles negative time arguments. + Fixes bug 8042; bugfix on 0.2.3.1-alpha. + - Fix various instances of undefined behavior in channeltls.c, + tor_memmem(), and eventdns.c that would cause us to construct + pointers to memory outside an allocated object. (These invalid + pointers were not accessed, but C does not even allow them to + exist.) Fixes bug 10363; bugfixes on 0.1.1.1-alpha, 0.1.2.1-alpha, + 0.2.0.10-alpha, and 0.2.3.6-alpha. Reported by "bobnomnom". + - Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to + fix some miscellaneous errors in our tests and codebase. Fixes bug + 11232. Bugfixes on versions back as far as 0.2.1.11-alpha. + - Always check return values for unlink, munmap, UnmapViewOfFile; + check strftime return values more often. In some cases all we can + do is report a warning, but this may help prevent deeper bugs from + going unnoticed. Closes ticket 8787; bugfixes on many, many tor + versions. + - Fix numerous warnings from the clang "scan-build" static analyzer. + Some of these are programming style issues; some of them are false + positives that indicated awkward code; some are undefined behavior + cases related to constructing (but not using) invalid pointers; + some are assumptions about API behavior; some are (harmlessly) + logging sizeof(ptr) bytes from a token when sizeof(*ptr) would be + correct; and one or two are genuine bugs that weren't reachable + from the rest of the program. Fixes bug 8793; bugfixes on many, + many tor versions. + + o Minor bugfixes (node selection): + - If ExcludeNodes is set, consider non-excluded hidden service + directory servers before excluded ones. Do not consider excluded + hidden service directory servers at all if StrictNodes is + set. (Previously, we would sometimes decide to connect to those + servers, and then realize before we initiated a connection that + we had excluded them.) Fixes bug 10722; bugfix on 0.2.0.10-alpha. + Reported by "mr-4". + - If we set the ExitNodes option but it doesn't include any nodes + that have the Exit flag, we would choose not to bootstrap. Now we + bootstrap so long as ExitNodes includes nodes which can exit to + some port. Fixes bug 10543; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (performance): + - Avoid a bug where every successful connection made us recompute + the flag telling us whether we have sufficient information to + build circuits. Previously, we would forget our cached value + whenever we successfully opened a channel (or marked a router as + running or not running for any other reason), regardless of + whether we had previously believed the router to be running. This + forced us to run an expensive update operation far too often. + Fixes bug 12170; bugfix on 0.1.2.1-alpha. + - Avoid using tor_memeq() for checking relay cell integrity. This + removes a possible performance bottleneck. Fixes part of bug + 12169; bugfix on 0.2.1.31. + + o Minor bugfixes (platform-specific): + - When dumping a malformed directory object to disk, save it in + binary mode on Windows, not text mode. Fixes bug 11342; bugfix on + 0.2.2.1-alpha. + - Don't report failures from make_socket_reuseable() on incoming + sockets on OSX: this can happen when incoming connections close + early. Fixes bug 10081. + + o Minor bugfixes (pluggable transports): + - Avoid another 60-second delay when starting Tor in a pluggable- + transport-using configuration when we already have cached + descriptors for our bridges. Fixes bug 11965; bugfix + on 0.2.3.6-alpha. + + o Minor bugfixes (protocol correctness): + - When receiving a VERSIONS cell with an odd number of bytes, close + the connection immediately since the cell is malformed. Fixes bug + 10365; bugfix on 0.2.0.10-alpha. Spotted by "bobnomnom"; fix by + "rl1987". + + o Minor bugfixes (relay, other): + - We now drop CREATE cells for already-existent circuit IDs and for + zero-valued circuit IDs, regardless of other factors that might + otherwise have called for DESTROY cells. Fixes bug 12191; bugfix + on 0.0.8pre1. + - When rejecting DATA cells for stream_id zero, still count them + against the circuit's deliver window so that we don't fail to send + a SENDME. Fixes bug 11246; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (relay, threading): + - Check return code on spawn_func() in cpuworker code, so that we + don't think we've spawned a nonworking cpuworker and write junk to + it forever. Fix related to bug 4345; bugfix on all released Tor + versions. Found by "skruffy". + - Use a pthread_attr to make sure that spawn_func() cannot return an + error while at the same time launching a thread. Fix related to + bug 4345; bugfix on all released Tor versions. Reported + by "cypherpunks". + + o Minor bugfixes (relays and bridges): + - Avoid crashing on a malformed resolv.conf file when running a + relay using Libevent 1. Fixes bug 8788; bugfix on 0.1.1.23. + - Non-exit relays no longer launch mock DNS requests to check for + DNS hijacking. This has been unnecessary since 0.2.1.7-alpha, when + non-exit relays stopped servicing DNS requests. Fixes bug 965; + bugfix on 0.2.1.7-alpha. Patch from Matt Pagan. + - Bridges now report complete directory request statistics. Related + to bug 5824; bugfix on 0.2.2.1-alpha. + - Bridges now never collect statistics that were designed for + relays. Fixes bug 5824; bugfix on 0.2.3.8-alpha. + + o Minor bugfixes (testing): + - Fix all valgrind warnings produced by the unit tests. There were + over a thousand memory leak warnings previously, mostly produced + by forgetting to free things in the unit test code. Fixes bug + 11618, bugfixes on many versions of Tor. + + o Minor bugfixes (tor-fw-helper): + - Give a correct log message when tor-fw-helper fails to launch. + (Previously, we would say something like "tor-fw-helper sent us a + string we could not parse".) Fixes bug 9781; bugfix + on 0.2.4.2-alpha. + + o Minor bugfixes (trivial memory leaks): + - Fix a small memory leak when signing a directory object. Fixes bug + 11275; bugfix on 0.2.4.13-alpha. + - Resolve some memory leaks found by coverity in the unit tests, on + exit in tor-gencert, and on a failure to compute digests for our + own keys when generating a v3 networkstatus vote. These leaks + should never have affected anyone in practice. + + o Code simplification and refactoring: + - Remove some old fallback code designed to keep Tor clients working + in a network with only two working relays. Elsewhere in the code we + have long since stopped supporting such networks, so there wasn't + much point in keeping it around. Addresses ticket 9926. + - Reject 0-length EXTEND2 cells more explicitly. Fixes bug 10536; + bugfix on 0.2.4.8-alpha. Reported by "cypherpunks". + - Extract the common duplicated code for creating a subdirectory + of the data directory and writing to a file in it. Fixes ticket + 4282; patch from Peter Retzlaff. + - Since OpenSSL 0.9.7, the i2d_*() functions support allocating output + buffer. Avoid calling twice: i2d_RSAPublicKey(), i2d_DHparams(), + i2d_X509(), and i2d_PublicKey(). Resolves ticket 5170. + - Add a set of accessor functions for the circuit timeout data + structure. Fixes ticket 6153; patch from "piet". + - Clean up exit paths from connection_listener_new(). Closes ticket + 8789. Patch from Arlo Breault. + - Since we rely on OpenSSL 0.9.8 now, we can use EVP_PKEY_cmp() + and drop our own custom pkey_eq() implementation. Fixes bug 9043. + - Use a doubly-linked list to implement the global circuit list. + Resolves ticket 9108. Patch from Marek Majkowski. + - Remove contrib/id_to_fp.c since it wasn't used anywhere. + - Remove constants and tests for PKCS1 padding; it's insecure and + shouldn't be used for anything new. Fixes bug 8792; patch + from Arlo Breault. + - Remove instances of strcpy() from the unit tests. They weren't + hurting anything, since they were only in the unit tests, but it's + embarassing to have strcpy() in the code at all, and some analysis + tools don't like it. Fixes bug 8790; bugfix on 0.2.3.6-alpha and + 0.2.3.8-alpha. Patch from Arlo Breault. + - Remove is_internal_IP() function. Resolves ticket 4645. + - Remove unused function circuit_dump_by_chan from circuitlist.c. + Closes issue 9107; patch from "marek". + - Change our use of the ENUM_BF macro to avoid declarations that + confuse Doxygen. + - Get rid of router->address, since in all cases it was just the + string representation of router->addr. Resolves ticket 5528. + + o Documentation: + - Adjust the URLs in the README to refer to the new locations of + several documents on the website. Fixes bug 12830. Patch from + Matt Pagan. + - Document 'reject6' and 'accept6' ExitPolicy entries. Resolves + ticket 12878. + - Update manpage to describe some of the files you can expect to + find in Tor's DataDirectory. Addresses ticket 9839. + - Clean up several option names in the manpage to match their real + names, add the missing documentation for a couple of testing and + directory authority options, remove the documentation for a + V2-directory fetching option that no longer exists. Resolves + ticket 11634. + - Correct the documenation so that it lists the correct directory + for the stats files. (They are in a subdirectory called "stats", + not "status".) + - In the manpage, move more authority-only options into the + directory authority section so that operators of regular directory + caches don't get confused. + - Fix the layout of the SOCKSPort flags in the manpage. Fixes bug + 11061; bugfix on 0.2.4.7-alpha. + - Resolve warnings from Doxygen. + - Document in the manpage that "KBytes" may also be written as + "kilobytes" or "KB", that "Kbits" may also be written as + "kilobits", and so forth. Closes ticket 9222. + - Document that the ClientOnly config option overrides ORPort. + Our old explanation made ClientOnly sound as though it did + nothing at all. Resolves bug 9059. + - Explain that SocksPolicy, DirPolicy, and similar options don't + take port arguments. Fixes the other part of ticket 11108. + - Fix a comment about the rend_server_descriptor_t.protocols field + to more accurately describe its range. Also, make that field + unsigned, to more accurately reflect its usage. Fixes bug 9099; + bugfix on 0.2.1.5-alpha. + - Fix the manpage's description of HiddenServiceAuthorizeClient: + the maximum client name length is 16, not 19. Fixes bug 11118; + bugfix on 0.2.1.6-alpha. + + o Package cleanup: + - The contrib directory has been sorted and tidied. Before, it was + an unsorted dumping ground for useful and not-so-useful things. + Now, it is divided based on functionality, and the items which + seemed to be nonfunctional or useless have been removed. Resolves + ticket 8966; based on patches from "rl1987". + + o Removed code and features: + - Clients now reject any directory authority certificates lacking + a dir-key-crosscert element. These have been included since + 0.2.1.9-alpha, so there's no real reason for them to be optional + any longer. Completes proposal 157. Resolves ticket 10162. + - Remove all code that existed to support the v2 directory system, + since there are no longer any v2 directory authorities. Resolves + ticket 10758. + - Remove the HSAuthoritativeDir and AlternateHSAuthority torrc + options, which were used for designating authorities as "Hidden + service authorities". There has been no use of hidden service + authorities since 0.2.2.1-alpha, when we stopped uploading or + downloading v0 hidden service descriptors. Fixes bug 10881; also + part of a fix for bug 10841. + - Remove /tor/dbg-stability.txt URL that was meant to help debug WFU + and MTBF calculations, but that nobody was using. Fixes bug 11742. + - The TunnelDirConns and PreferTunnelledDirConns options no longer + exist; tunneled directory connections have been available since + 0.1.2.5-alpha, and turning them off is not a good idea. This is a + brute-force fix for 10849, where "TunnelDirConns 0" would break + hidden services. + - Remove all code for the long unused v1 directory protocol. + Resolves ticket 11070. + - Remove all remaining code related to version-0 hidden service + descriptors: they have not been in use since 0.2.2.1-alpha. Fixes + the rest of bug 10841. + - Remove migration code from when we renamed the "cached-routers" + file to "cached-descriptors" back in 0.2.0.8-alpha. This + incidentally resolves ticket 6502 by cleaning up the related code + a bit. Patch from Akshay Hebbar. + + o Test infrastructure: + - Tor now builds each source file in two modes: a mode that avoids + exposing identifiers needlessly, and another mode that exposes + more identifiers for testing. This lets the compiler do better at + optimizing the production code, while enabling us to take more + radical measures to let the unit tests test things. + - The production builds no longer include functions used only in + the unit tests; all functions exposed from a module only for + unit-testing are now static in production builds. + - Add an --enable-coverage configuration option to make the unit + tests (and a new src/or/tor-cov target) to build with gcov test + coverage support. + - Update to the latest version of tinytest. + - Improve the tinytest implementation of string operation tests so + that comparisons with NULL strings no longer crash the tests; they + now just fail, normally. Fixes bug 9004; bugfix on 0.2.2.4-alpha. + - New macros in test.h to simplify writing mock-functions for unit + tests. Part of ticket 11507. Patch from Dana Koch. + - We now have rudimentary function mocking support that our unit + tests can use to test functions in isolation. Function mocking + lets the tests temporarily replace a function's dependencies with + stub functions, so that the tests can check the function without + invoking the other functions it calls. + + o Testing: + - Complete tests for the status.c module. Resolves ticket 11507. + Patch from Dana Koch. + - Add more unit tests for the <circid,channel>->circuit map, and + the destroy-cell-tracking code to fix bug 7912. + - Unit tests for failing cases of the TAP onion handshake. + - More unit tests for address-manipulation functions. + + o Distribution (systemd): + - Include a tor.service file in contrib/dist for use with systemd. + Some distributions will be able to use this file unmodified; + others will need to tweak it, or write their own. Patch from Jamie + Nguyen; resolves ticket 8368. + - Verify configuration file via ExecStartPre in the systemd unit + file. Patch from intrigeri; resolves ticket 12730. + - Explicitly disable RunAsDaemon in the systemd unit file. Our + current systemd unit uses "Type = simple", so systemd does not + expect tor to fork. If the user has "RunAsDaemon 1" in their + torrc, then things won't work as expected. This is e.g. the case + on Debian (and derivatives), since there we pass "--defaults-torrc + /usr/share/tor/tor-service-defaults-torrc" (that contains + "RunAsDaemon 1") by default. Patch by intrigeri; resolves + ticket 12731. + + +Changes in version 0.2.4.25 - 2014-10-20 + Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack + (even though POODLE does not affect Tor). It also works around a crash + bug caused by some operating systems' response to the "POODLE" attack + (which does affect Tor). + + o Major security fixes (also in 0.2.5.9-rc): + - Disable support for SSLv3. All versions of OpenSSL in use with Tor + today support TLS 1.0 or later, so we can safely turn off support + for this old (and insecure) protocol. Fixes bug 13426. + + o Major bugfixes (openssl bug workaround, also in 0.2.5.9-rc): + - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or + 1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug + 13471. This is a workaround for an OpenSSL bug. + + +Changes in version 0.2.4.24 - 2014-09-22 + Tor 0.2.4.24 fixes a bug that affects consistency and speed when + connecting to hidden services, and it updates the location of one of + the directory authorities. + + o Major bugfixes: + - Clients now send the correct address for their chosen rendezvous + point when trying to access a hidden service. They used to send + the wrong address, which would still work some of the time because + they also sent the identity digest of the rendezvous point, and if + the hidden service happened to try connecting to the rendezvous + point from a relay that already had a connection open to it, + the relay would reuse that connection. Now connections to hidden + services should be more robust and faster. Also, this bug meant + that clients were leaking to the hidden service whether they were + on a little-endian (common) or big-endian (rare) system, which for + some users might have reduced their anonymity. Fixes bug 13151; + bugfix on 0.2.1.5-alpha. + + o Directory authority changes: + - Change IP address for gabelmoo (v3 directory authority). + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.4.23 - 2014-07-28 + Tor 0.2.4.23 brings us a big step closer to slowing down the risk from + guard rotation, and also backports several important fixes from the + Tor 0.2.5 alpha release series. + + o Major features: + - Clients now look at the "usecreatefast" consensus parameter to + decide whether to use CREATE_FAST or CREATE cells for the first hop + of their circuit. This approach can improve security on connections + where Tor's circuit handshake is stronger than the available TLS + connection security levels, but the tradeoff is more computational + load on guard relays. Implements proposal 221. Resolves ticket 9386. + - Make the number of entry guards configurable via a new + NumEntryGuards consensus parameter, and the number of directory + guards configurable via a new NumDirectoryGuards consensus + parameter. Implements ticket 12688. + + o Major bugfixes: + - Fix a bug in the bounds-checking in the 32-bit curve25519-donna + implementation that caused incorrect results on 32-bit + implementations when certain malformed inputs were used along with + a small class of private ntor keys. This bug does not currently + appear to allow an attacker to learn private keys or impersonate a + Tor server, but it could provide a means to distinguish 32-bit Tor + implementations from 64-bit Tor implementations. Fixes bug 12694; + bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from + Adam Langley. + + o Minor bugfixes: + - Warn and drop the circuit if we receive an inbound 'relay early' + cell. Those used to be normal to receive on hidden service circuits + due to bug 1038, but the buggy Tor versions are long gone from + the network so we can afford to resume watching for them. Resolves + the rest of bug 1038; bugfix on 0.2.1.19. + - Correct a confusing error message when trying to extend a circuit + via the control protocol but we don't know a descriptor or + microdescriptor for one of the specified relays. Fixes bug 12718; + bugfix on 0.2.3.1-alpha. + - Avoid an illegal read from stack when initializing the TLS + module using a version of OpenSSL without all of the ciphers + used by the v2 link handshake. Fixes bug 12227; bugfix on + 0.2.4.8-alpha. Found by "starlight". + + o Minor features: + - Update geoip and geoip6 to the July 10 2014 Maxmind GeoLite2 + Country database. + + Changes in version 0.2.4.22 - 2014-05-16 Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5 alpha release series. These include blocking all authority signing diff --git a/changes/13295 b/changes/13295 deleted file mode 100644 index 433432595f..0000000000 --- a/changes/13295 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Disable sandbox name resolver cache when running tor-resolve: - tor-resolve doesn't use the sandbox code, and turning it on was - breaking attempts to do tor-resolve on a non-default server on - Linux. Fixes bug 13295; bugfix on 0.2.5.3-alpha. diff --git a/changes/19271 b/changes/19271 deleted file mode 100644 index dc06ead999..0000000000 --- a/changes/19271 +++ /dev/null @@ -1,2 +0,0 @@ - o Directory authority changes: - - Urras is no longer a directory authority. Closes ticket 19271. diff --git a/changes/bifroest b/changes/bifroest deleted file mode 100644 index 41af658ed8..0000000000 --- a/changes/bifroest +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority changes (also in 0.2.8.7): - - The "Tonga" bridge authority has been retired; the new bridge - authority is "Bifroest". Closes tickets 19728 and 19690. diff --git a/changes/bufferevent_compilation b/changes/bufferevent_compilation deleted file mode 100644 index 3a328731fe..0000000000 --- a/changes/bufferevent_compilation +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Fix compilation when building with bufferevents enabled. (This - configuration is still not expected to work, however.) - Fixes bugs 12438, 12474, 11578; bugfixes on 0.2.5.1-alpha and - 0.2.5.3-alpha. Patches from Anthony G. Basile and Sathyanarayanan - Gunasekaran. diff --git a/changes/bug1038-3 b/changes/bug1038-3 deleted file mode 100644 index 5af4afa46f..0000000000 --- a/changes/bug1038-3 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Warn and drop the circuit if we receive an inbound 'relay early' - cell. Those used to be normal to receive on hidden service circuits - due to bug 1038, but the buggy Tor versions are long gone from - the network so we can afford to resume watching for them. Resolves - the rest of bug 1038; bugfix on 0.2.1.19. diff --git a/changes/bug11200-caching b/changes/bug11200-caching deleted file mode 100644 index e3fbaeca73..0000000000 --- a/changes/bug11200-caching +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes: - - When Tor starts with DisabledNetwork set, it would correctly - conclude that it shouldn't try making circuits, but it would - mistakenly cache this conclusion and continue believing it even - when DisableNetwork is set to 0. Fixes the bug introduced by the - fix for bug 11200; bugfix on 0.2.5.4-alpha. - diff --git a/changes/bug12160 b/changes/bug12160 deleted file mode 100644 index 2a7ace3410..0000000000 --- a/changes/bug12160 +++ /dev/null @@ -1,4 +0,0 @@ - o Bugfixes - - Correctly update the local mark on the controlling channel when changing - the address of an or_connection_t after the handshake. Fixes bug #12160; - bugfix on 0.2.4.4-alpha. diff --git a/changes/bug12602 b/changes/bug12602 deleted file mode 100644 index 29fa49ac45..0000000000 --- a/changes/bug12602 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (portability): - - Compile correctly with builds and forks of OpenSSL (such as - LibreSSL) that disable compression. Fixes bug 12602; bugfix on - 0.2.1.1-alpha. Patch from "dhill". - diff --git a/changes/bug12700 b/changes/bug12700 deleted file mode 100644 index 1d8caeb8bd..0000000000 --- a/changes/bug12700 +++ /dev/null @@ -1,10 +0,0 @@ - o Minor bugfixes: - - When logging information about an EXTEND2 or EXTENDED2 cell, log - their names correctly. Fixes part of bug 12700; bugfix on - 0.2.4.8-alpha. - - o Minor bugfixes: - - When logging information about a relay cell whose command we - don't recognize, log its command as an integer. Fixes part of - bug 12700; bugfix on 0.2.1.10-alpha. - diff --git a/changes/bug12718 b/changes/bug12718 deleted file mode 100644 index 0c5f708446..0000000000 --- a/changes/bug12718 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Correct a confusing error message when trying to extend a circuit - via the control protocol but we don't know a descriptor or - microdescriptor for one of the specified relays. Fixes bug 12718; - bugfix on 0.2.3.1-alpha. diff --git a/changes/bug12730-systemd-verify-config b/changes/bug12730-systemd-verify-config deleted file mode 100644 index 221633c78e..0000000000 --- a/changes/bug12730-systemd-verify-config +++ /dev/null @@ -1,3 +0,0 @@ - o Distribution: - - Verify configuration file via ExecStartPre in the systemd unit file. - Patch from intrigeri; resolves ticket 12730. diff --git a/changes/bug12731-systemd-no-run-as-daemon b/changes/bug12731-systemd-no-run-as-daemon deleted file mode 100644 index f92e5aff00..0000000000 --- a/changes/bug12731-systemd-no-run-as-daemon +++ /dev/null @@ -1,9 +0,0 @@ - o Distribution: - - Explicitly disable RunAsDaemon in the systemd unit file. - Our current systemd unit uses "Type = simple", so systemd does - not expect tor to fork. If the user has "RunAsDaemon 1" in their - torrc, then things won't work as expected. This is e.g. the case - on Debian (and derivatives), since there we pass - "--defaults-torrc /usr/share/tor/tor-service-defaults-torrc" - (that contains "RunAsDaemon 1") by default. - Patch by intrigeri; resolves ticket 12731. diff --git a/changes/bug12830 b/changes/bug12830 deleted file mode 100644 index 835ebe2fa7..0000000000 --- a/changes/bug12830 +++ /dev/null @@ -1,4 +0,0 @@ - o Documentation: - - Adjust the URLs in the README to refer to the new locations of - several documents on the website. Patch from Matt Pagan. Fixes - bug 12830. diff --git a/changes/bug12848 b/changes/bug12848 deleted file mode 100644 index 7aa79c395e..0000000000 --- a/changes/bug12848 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (relay): - - Avoid queuing or sending destroy cells for circuit ID zero when - we fail to send a CREATE cell. Fixes bug 12848; bugfix on - 0.0.8pre1. Found and fixed by "cypherpunks". diff --git a/changes/bug12864 b/changes/bug12864 deleted file mode 100644 index 79e751f427..0000000000 --- a/changes/bug12864 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - Restore the functionality of CookieAuthFileGroupReadable. Fixes bug - 12864; bugfix on 0.2.5.1-alpha. - - o Minor features: - - Add an ExtORPortCookieAuthFileGroupReadable option to make the - cookie file for the ExtORPort g+r by default. diff --git a/changes/bug12878 b/changes/bug12878 deleted file mode 100644 index a05fc446b9..0000000000 --- a/changes/bug12878 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation: - - Document 'reject6' and 'accept6' ExitPolicy entries. Resolves - ticket 12878. diff --git a/changes/bug12908 b/changes/bug12908 deleted file mode 100644 index bd6784cbd2..0000000000 --- a/changes/bug12908 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Warn about attempts to run hidden services and relays in the - same process: that's probably not a good idea. Closes ticket - 12908. diff --git a/changes/bug12948 b/changes/bug12948 deleted file mode 100644 index 431c0a1019..0000000000 --- a/changes/bug12948 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes: - - Resume expanding abbreviations for command-line options. The fix - for bug 4647 accidentally removed our hack from bug 586 that rewrote - HashedControlPassword to __HashedControlSessionPassword when it - appears on the commandline (which allowed the user to set her - own HashedControlPassword in the torrc file while the controller - generates a fresh session password for each run). Fixes bug 12948; - bugfix on 0.2.5.1-alpha. diff --git a/changes/bug12996 b/changes/bug12996 deleted file mode 100644 index 4b4fb0dceb..0000000000 --- a/changes/bug12996 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Downgrade "Unexpected onionskin length after decryption" warning - to a protocol-warn, since there's nothing relay operators can do - about a client that sends them a malformed create cell. Resolves - bug 12996; bugfix on 0.0.6rc1. diff --git a/changes/bug12997 b/changes/bug12997 deleted file mode 100644 index fb6e7a8459..0000000000 --- a/changes/bug12997 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Log more specific warnings when we get an ESTABLISH_RENDEZVOUS cell - on a cannibalized or non-OR circuit. Resolves ticket 12997. diff --git a/changes/bug13071 b/changes/bug13071 deleted file mode 100644 index 8212b6c049..0000000000 --- a/changes/bug13071 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (relay): - - Escape all strings from the directory connection before logging them. - Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor". diff --git a/changes/bug13081 b/changes/bug13081 deleted file mode 100644 index 154f73fb0a..0000000000 --- a/changes/bug13081 +++ /dev/null @@ -1,3 +0,0 @@ - o Compilation fixes: - - Make the nmake make files work again. Fixes bug 13081. Bugfix on 0.2.5.1-alpha. Patch - from "NewEraCracker". diff --git a/changes/bug13085 b/changes/bug13085 deleted file mode 100644 index a46457c797..0000000000 --- a/changes/bug13085 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (controller): - - Actually send TRANSPORT_LAUNCHED and HS_DESC events to controllers. - Fixes bug 13085; bugfix on 0.2.5.1-alpha. Patch by "teor". diff --git a/changes/bug13096 b/changes/bug13096 deleted file mode 100644 index 521faaf143..0000000000 --- a/changes/bug13096 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (conformance): - - In routerlist_assert_ok(), don't take the address of a routerinfo's - cache_info member unless that routerinfo is non-NULL. Fixes bug - 13096; bugfix on 0.1.1.9-alpha. Patch by "teor". diff --git a/changes/bug13100 b/changes/bug13100 deleted file mode 100644 index bbe43e65a7..0000000000 --- a/changes/bug13100 +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority changes: - - Change IP address for gabelmoo (v3 directory authority). - diff --git a/changes/bug13124 b/changes/bug13124 deleted file mode 100644 index be7df70347..0000000000 --- a/changes/bug13124 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes: - - Reduce the log severity of the "Pluggable transport proxy does - not provide any needed transports and will not be launched." - message, since Tor Browser includes several ClientTransportPlugin - lines in its torrc-defaults file, leading every Tor Browser user - who looks at her logs to see these notices and wonder if they're - dangerous. Resolves bug 13124; bugfix on 0.2.5.3-alpha. - diff --git a/changes/bug13151-client b/changes/bug13151-client deleted file mode 100644 index 1218dfdfab..0000000000 --- a/changes/bug13151-client +++ /dev/null @@ -1,13 +0,0 @@ - o Major bugfixes: - - Clients now send the correct address for their chosen rendezvous - point when trying to access a hidden service. They used to send - the wrong address, which would still work some of the time because - they also sent the identity digest of the rendezvous point, and if - the hidden service happened to try connecting to the rendezvous - point from a relay that already had a connection open to it, - the relay would reuse that connection. Now connections to hidden - services should be more robust and faster. Also, this bug meant - that clients were leaking to the hidden service whether they were - on a little-endian (common) or big-endian (rare) system, which for - some users might have reduced their anonymity. Fixes bug 13151; - bugfix on 0.2.1.5-alpha. diff --git a/changes/bug13296 b/changes/bug13296 deleted file mode 100644 index d6fe038c30..0000000000 --- a/changes/bug13296 +++ /dev/null @@ -1,5 +0,0 @@ - o Directory authority changes: - - Remove turtles as a directory authority. - - Add longclaw as a new (v3) directory authority. This implements - ticket 13296. This keeps the directory authority count at 9. - diff --git a/changes/bug13325 b/changes/bug13325 deleted file mode 100644 index b1da4d0bd5..0000000000 --- a/changes/bug13325 +++ /dev/null @@ -1,4 +0,0 @@ - o Compilation fixes: - - Build and run correctly on systems like OpenBSD-current that - have patched OpenSSL to remove get_cipher_by_char and/or its - implementations. Fixes issue 13325. diff --git a/changes/bug13471 b/changes/bug13471 deleted file mode 100644 index c116a4aeeb..0000000000 --- a/changes/bug13471 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (openssl bug workaround): - - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or - 1.0.1j, built with the 'no-ssl3' configuration option. Fixes - bug 13471. This is a workaround for an OpenSSL bug. - diff --git a/changes/bug13988 b/changes/bug13988 deleted file mode 100644 index e816335a3b..0000000000 --- a/changes/bug13988 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (statistics): - - Increase period over which bandwidth observations are aggregated - from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1. diff --git a/changes/bug14013 b/changes/bug14013 deleted file mode 100644 index 640cf859f5..0000000000 --- a/changes/bug14013 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - When reading a hexadecimal, base-32, or base-64 encoded value - from a string, always overwrite the complete output buffer. This - prevents some bugs where we would look at (but fortunately, not - reveal) uninitialized memory on the stack. Fixes bug 14013; - bugfix on all versions of Tor. diff --git a/changes/bug14125 b/changes/bug14125 deleted file mode 100644 index fe6821a332..0000000000 --- a/changes/bug14125 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (dirauth): - - Enlarge the buffer to read bw-auth generated files to avoid an - issue when parsing the file in dirserv_read_measured_bandwidths(). - Bugfix on 0.2.2.1-alpha, fixes #14125. - diff --git a/changes/bug14129 b/changes/bug14129 deleted file mode 100644 index 6153cd84fd..0000000000 --- a/changes/bug14129 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (exit node stability): - - - Fix an assertion failure that could occur under high DNS load. Fixes - bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr"; diagnosed and fixed - by "cypherpunks". - - diff --git a/changes/bug14142-parse-virtual-addr b/changes/bug14142-parse-virtual-addr deleted file mode 100644 index f78b7c7d81..0000000000 --- a/changes/bug14142-parse-virtual-addr +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (client): - - Check for a missing option value in parse_virtual_addr_network - before asserting on the NULL in tor_addr_parse_mask_ports. - This avoids crashing on torrc lines like - Vi[rtualAddrNetworkIPv[4|6]] when no value follows the option. - Bugfix on 0.2.3 (de4cc126cbb5 on 24 November 2012), fixes #14142. - Patch by "teor". diff --git a/changes/bug14195 b/changes/bug14195 deleted file mode 100644 index d2b82f31b0..0000000000 --- a/changes/bug14195 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (client): - - Fix a memory leak when using AutomapHostsOnResolve. - Fixes bug 14195; bugfix on 0.1.0.1-rc. diff --git a/changes/bug14220 b/changes/bug14220 deleted file mode 100644 index 51cfa502bc..0000000000 --- a/changes/bug14220 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): - - Build without warnings with the stock OpenSSL srtp.h header, - which has a duplicate declaration of SSL_get_selected_srtp_profile(). - Fixes bug 14220; this is OpenSSL's bug, not ours. diff --git a/changes/bug14261 b/changes/bug14261 deleted file mode 100644 index 1260ccba1e..0000000000 --- a/changes/bug14261 +++ /dev/null @@ -1,5 +0,0 @@ - O Minor bugfixes (directory authority): - - Allow directory authorities to fetch more data from one - another if they find themselves missing lots of votes. - Previously, they had been bumping against the 10 MB queued - data limit. Fixes bug 14261. Bugfix on 0.1.2.5-alpha. diff --git a/changes/bug15083 b/changes/bug15083 deleted file mode 100644 index 5cc79b5ba1..0000000000 --- a/changes/bug15083 +++ /dev/null @@ -1,10 +0,0 @@ - o Major bugfixes (relay, stability, possible security): - - Fix a bug that could lead to a relay crashing with an assertion - failure if a buffer of exactly the wrong layout was passed - to buf_pullup() at exactly the wrong time. Fixes bug 15083; - bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'. - - - Do not assert if the 'data' pointer on a buffer is advanced to the very - end of the buffer; log a BUG message instead. Only assert if it is - past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. - diff --git a/changes/bug15088 b/changes/bug15088 deleted file mode 100644 index 95878bdb39..0000000000 --- a/changes/bug15088 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (Linux seccomp2 sandbox): - - Upon receiving sighup, do not crash during attempts to call - wait4. Fixes bug 15088; bugfix on 0.2.5.1-alpha. Patch from - "sanic". diff --git a/changes/bug15205 b/changes/bug15205 deleted file mode 100644 index 0cb9f3f4bc..0000000000 --- a/changes/bug15205 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (crash, OSX, security): - - Fix a remote denial-of-service opportunity caused by a bug - in OSX's _strlcat_chk() function. Fixes bug 15205; bug first - appeared in OSX 10.9. - diff --git a/changes/bug15515 b/changes/bug15515 deleted file mode 100644 index dda7c2fcd8..0000000000 --- a/changes/bug15515 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (DoS-resistance): - - Make it harder for attackers to overwhelm hidden services with - introductions, by blocking multiple introduction requests on the - same circuit. Resolves ticket #15515. diff --git a/changes/bug15600 b/changes/bug15600 deleted file mode 100644 index ee1d6cfe19..0000000000 --- a/changes/bug15600 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (security, hidden service): - - Fix an issue that would allow a malicious client to trigger - an assertion failure and halt a hidden service. Fixes - bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy". - diff --git a/changes/bug15601 b/changes/bug15601 deleted file mode 100644 index 2cc880af7f..0000000000 --- a/changes/bug15601 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (security, hidden service): - - Fix a bug that could cause a client to crash with an assertion - failure when parsing a malformed hidden service descriptor. - Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnCha". diff --git a/changes/bug15823 b/changes/bug15823 deleted file mode 100644 index 987de5d9ac..0000000000 --- a/changes/bug15823 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (hidden service): - - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells - on a client authorized hidden service. Fixes bug 15823; bugfix - on 0.2.1.6-alpha. diff --git a/changes/bug16248 b/changes/bug16248 deleted file mode 100644 index 399b7093cd..0000000000 --- a/changes/bug16248 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (dns proxy mode, crash): - - Avoid crashing when running as a DNS proxy. Closes bug 16248; bugfix on - 0.2.0.1-alpha. Patch from 'cypherpunks'. - - o Minor features (bug-resistance): - - Make Tor survive errors involving connections without a corresponding - event object. Previously we'd fail with an assertion; now we produce a - log message. Related to bug 16248. diff --git a/changes/bug16360-failed-crypto-early-init b/changes/bug16360-failed-crypto-early-init deleted file mode 100644 index 21972bce52..0000000000 --- a/changes/bug16360-failed-crypto-early-init +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (crypto error-handling): - - If crypto_early_init fails, a typo in a return value from tor_init - means that tor_main continues running, rather than returning - an error value. - Fixes bug 16360; bugfix on d3fb846d8c98 in 0.2.5.2-alpha, - introduced when implementing #4900. - Patch by "teor". diff --git a/changes/bug17404 b/changes/bug17404 deleted file mode 100644 index d524f6662d..0000000000 --- a/changes/bug17404 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (security, correctness): - - Fix a programming error that could cause us to read 4 bytes before - the beginning of an openssl string. This could be used to provoke - a crash on systems with an unusual malloc implementation, or - systems with unsual hardening installed. Fixes bug 17404; bugfix - on 0.2.3.6-alpha. diff --git a/changes/bug17772 b/changes/bug17772 deleted file mode 100644 index 54d457c601..0000000000 --- a/changes/bug17772 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (guard selection): - - Actually look at the Guard flag when selecting a new directory - guard. When we implemented the directory guard design, we - accidentally started treating all relays as if they have the Guard - flag during guard selection, leading to weaker anonymity and worse - performance. Fixes bug 17222; bugfix on 0.2.4.8-alpha. Discovered - by Mohsen Imani. diff --git a/changes/bug17781 b/changes/bug17781 deleted file mode 100644 index 01ed231b0a..0000000000 --- a/changes/bug17781 +++ /dev/null @@ -1,3 +0,0 @@ - o Compilation fixes: - - Fix a compilation warning with Clang 3.6: Do not check the - presence of an address which can never be NULL. Fixes bug 17781. diff --git a/changes/bug17906 b/changes/bug17906 deleted file mode 100644 index fff76d1c59..0000000000 --- a/changes/bug17906 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (authorities): - - Update the V3 identity key for dannenberg, it was changed on - 18 November 2015. - Closes task #17906. Patch by "teor". diff --git a/changes/bug18089 b/changes/bug18089 deleted file mode 100644 index c1fb342f77..0000000000 --- a/changes/bug18089 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor fixes (security): - - Make memwipe() do nothing when passed a NULL pointer - or zero size. Check size argument to memwipe() for underflow. - Closes bug #18089. Reported by "gk", patch by "teor". - Bugfix on 0.2.3.25 and 0.2.4.6-alpha (#7352), - commit 49dd5ef3 on 7 Nov 2012. diff --git a/changes/bug18162 b/changes/bug18162 deleted file mode 100644 index 0844d6f62f..0000000000 --- a/changes/bug18162 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (security, pointers): - - - Avoid a difficult-to-trigger heap corruption attack when extending - a smartlist to contain over 16GB of pointers. Fixes bug #18162; - bugfix on Tor 0.1.1.11-alpha, which fixed a related bug - incompletely. Reported by Guido Vranken. - diff --git a/changes/bug18329-minimal b/changes/bug18329-minimal deleted file mode 100644 index 804c4e8dd1..0000000000 --- a/changes/bug18329-minimal +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (bridge): - - Bridges now include notice in their descriptors that they are bridges, - and notice of their distribution status, based on their publication - settings. Implements ticket 18329. For more fine-grained control of - how a bridge is distributed, upgrade to 0.3.2.x or later. - diff --git a/changes/bug18710 b/changes/bug18710 deleted file mode 100644 index 269395563d..0000000000 --- a/changes/bug18710 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (DNS proxy): - - Stop a crash that could occur when a client running with DNSPort - received a query with multiple address types, where the first - address type was not supported. Found and fixed by Scott Dial. - Fixes bug 18710; bugfix on 0.2.5.4-alpha. - diff --git a/changes/bug20384 b/changes/bug20384 deleted file mode 100644 index 591015ad94..0000000000 --- a/changes/bug20384 +++ /dev/null @@ -1,10 +0,0 @@ - o Major features (security fixes): - - Prevent a class of security bugs caused by treating the contents - of a buffer chunk as if they were a NUL-terminated string. At - least one such bug seems to be present in all currently used - versions of Tor, and would allow an attacker to remotely crash - most Tor instances, especially those compiled with extra compiler - hardening. With this defense in place, such bugs can't crash Tor, - though we should still fix them as they occur. Closes ticket - 20384 (TROVE-2016-10-001). - diff --git a/changes/bug21018 b/changes/bug21018 deleted file mode 100644 index 49a8b47a25..0000000000 --- a/changes/bug21018 +++ /dev/null @@ -1,11 +0,0 @@ - o Major bugfixes (parsing, security): - - - Fix a bug in parsing that could cause clients to read a single - byte past the end of an allocated region. This bug could be - used to cause hardened clients (built with - --enable-expensive-hardening) to crash if they tried to visit - a hostile hidden service. Non-hardened clients are only - affected depending on the details of their platform's memory - allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by - using libFuzzer. Also tracked as TROVE-2016-12-002 and as - CVE-2016-1254. diff --git a/changes/bug22490 b/changes/bug22490 deleted file mode 100644 index 244dd50b36..0000000000 --- a/changes/bug22490 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (correctness): - - Avoid undefined behavior when parsing IPv6 entries from the geoip6 - file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. diff --git a/changes/bug22636 b/changes/bug22636 deleted file mode 100644 index 770cac72e9..0000000000 --- a/changes/bug22636 +++ /dev/null @@ -1,8 +0,0 @@ - o Build features: - - Tor's repository now includes a Travis Continuous Integration (CI) - configuration file (.travis.yml). This is meant to help new developers and - contributors who fork Tor to a Github repository be better able to test - their changes, and understand what we expect to pass. To use this new build - feature, you must fork Tor to your Github account, then go into the - "Integrations" menu in the repository settings for your fork and enable - Travis, then push your changes. diff --git a/changes/bug22737 b/changes/bug22737 deleted file mode 100644 index f0de8e6c41..0000000000 --- a/changes/bug22737 +++ /dev/null @@ -1,12 +0,0 @@ - o Minor bugfixes (defensive programming, undefined behavior): - - - Fix a memset() off the end of an array when packing cells. This - bug should be harmless in practice, since the corrupted bytes - are still in the same structure, and are always padding bytes, - ignored, or immediately overwritten, depending on compiler - behavior. Nevertheless, because the memset()'s purpose is to - make sure that any other cell-handling bugs can't expose bytes - to the network, we need to fix it. Fixes bug 22737; bugfix on - 0.2.4.11-alpha. Fixes CID 1401591. - - diff --git a/changes/bug22789 b/changes/bug22789 deleted file mode 100644 index a653592848..0000000000 --- a/changes/bug22789 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (openbsd, denial-of-service): - - Avoid an assertion failure bug affecting our implementation of - inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() - handling of "0xfoo" differs from what we had expected. - Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as - TROVE-2017-007. - diff --git a/changes/bug8093 b/changes/bug8093 deleted file mode 100644 index f0fbc618c2..0000000000 --- a/changes/bug8093 +++ /dev/null @@ -1,3 +0,0 @@ - o Downgraded warnings: - - Downgrade the severity of the 'unexpected sendme cell from client' from - 'warn' to 'protocol warning'. Closes ticket 8093. diff --git a/changes/bug8387 b/changes/bug8387 deleted file mode 100644 index 2ec0487bf8..0000000000 --- a/changes/bug8387 +++ /dev/null @@ -1,11 +0,0 @@ - o Major bugfixes (client): - - - Perform circuit cleanup operations even when circuit - construction operations are disabled (because the network is - disabled, or because there isn't enough directory information). - Previously, when we were not building predictive circuits, we - were not closing expired circuits either. - - Fixes bug 8387; bugfix on 0.1.1.11-alpha. This bug became visible - in 0.2.4.10-alpha when we became more strict about when we have - "enough directory information to build circuits". diff --git a/changes/curve25519-donna32-bug b/changes/curve25519-donna32-bug deleted file mode 100644 index 7fccab1b0c..0000000000 --- a/changes/curve25519-donna32-bug +++ /dev/null @@ -1,12 +0,0 @@ - o Major bugfixes: - - - Fix a bug in the bounds-checking in the 32-bit curve25519-donna - implementation that caused incorrect results on 32-bit - implementations when certain malformed inputs were used along with - a small class of private ntor keys. This bug does not currently - appear to allow an attacker to learn private keys or impersonate a - Tor server, but it could provide a means to distinguish 32-bit Tor - implementations from 64-bit Tor implementations. Fixes bug 12694; - bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from - Adam Langley. - diff --git a/changes/disable_sslv3 b/changes/disable_sslv3 deleted file mode 100644 index bb4c2df7a2..0000000000 --- a/changes/disable_sslv3 +++ /dev/null @@ -1,4 +0,0 @@ - o Major security fixes: - - Disable support for SSLv3. All versions of OpenSSL in use with - Tor today support TLS 1.0 or later, so we can safely turn off - support for this old (and insecure) protocol. Fixes bug 13426. diff --git a/changes/further-12184-diagnostic b/changes/further-12184-diagnostic deleted file mode 100644 index 89e9f4612f..0000000000 --- a/changes/further-12184-diagnostic +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features (diagnostic): - - Slightly enhance the diagnostic message for bug 12184. diff --git a/changes/geoip-2017-11-06 b/changes/geoip-2017-11-06 deleted file mode 100644 index f034be9006..0000000000 --- a/changes/geoip-2017-11-06 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-april2015 b/changes/geoip-april2015 deleted file mode 100644 index 7db38ed797..0000000000 --- a/changes/geoip-april2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-april2016 b/changes/geoip-april2016 deleted file mode 100644 index 4cd03e556b..0000000000 --- a/changes/geoip-april2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the April 5 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-april2017 b/changes/geoip-april2017 deleted file mode 100644 index b489eaf016..0000000000 --- a/changes/geoip-april2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-august2014 b/changes/geoip-august2014 deleted file mode 100644 index 90d8ecb300..0000000000 --- a/changes/geoip-august2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the August 7 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-august2016 b/changes/geoip-august2016 deleted file mode 100644 index 370ab64cac..0000000000 --- a/changes/geoip-august2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-august2017 b/changes/geoip-august2017 deleted file mode 100644 index 2dab18a63f..0000000000 --- a/changes/geoip-august2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the August 3 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-december2015 b/changes/geoip-december2015 deleted file mode 100644 index 597bcc92f8..0000000000 --- a/changes/geoip-december2015 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-december2016 b/changes/geoip-december2016 deleted file mode 100644 index 60754ea21d..0000000000 --- a/changes/geoip-december2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-february2016 b/changes/geoip-february2016 deleted file mode 100644 index 49a8041fad..0000000000 --- a/changes/geoip-february2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the February 2 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-february2017 b/changes/geoip-february2017 deleted file mode 100644 index ec54b6122a..0000000000 --- a/changes/geoip-february2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-january2015 b/changes/geoip-january2015 deleted file mode 100644 index 67324f27f2..0000000000 --- a/changes/geoip-january2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the January 7 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-january2016 b/changes/geoip-january2016 deleted file mode 100644 index fe2d5c7dc7..0000000000 --- a/changes/geoip-january2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-january2017 b/changes/geoip-january2017 deleted file mode 100644 index de1a4cbe2a..0000000000 --- a/changes/geoip-january2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-july2014 b/changes/geoip-july2014 deleted file mode 100644 index a0523ecac9..0000000000 --- a/changes/geoip-july2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the July 10 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-july2015 b/changes/geoip-july2015 deleted file mode 100644 index 381c2df231..0000000000 --- a/changes/geoip-july2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the July 8 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-july2016 b/changes/geoip-july2016 deleted file mode 100644 index d9963bd6a8..0000000000 --- a/changes/geoip-july2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-july2017 b/changes/geoip-july2017 deleted file mode 100644 index ed10369f1b..0000000000 --- a/changes/geoip-july2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-jun2016 b/changes/geoip-jun2016 deleted file mode 100644 index 8d308f6f72..0000000000 --- a/changes/geoip-jun2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-june2015 b/changes/geoip-june2015 deleted file mode 100644 index 9d6cd3658b..0000000000 --- a/changes/geoip-june2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-june2017 b/changes/geoip-june2017 deleted file mode 100644 index 2ea7bf105e..0000000000 --- a/changes/geoip-june2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-march2015 b/changes/geoip-march2015 deleted file mode 100644 index 565781280a..0000000000 --- a/changes/geoip-march2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-march2016 b/changes/geoip-march2016 deleted file mode 100644 index d7b1bd42f9..0000000000 --- a/changes/geoip-march2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-march2017 b/changes/geoip-march2017 deleted file mode 100644 index 6dc92baa2f..0000000000 --- a/changes/geoip-march2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the March 7 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-may2016 b/changes/geoip-may2016 deleted file mode 100644 index 3fd42dce24..0000000000 --- a/changes/geoip-may2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-may2017 b/changes/geoip-may2017 deleted file mode 100644 index 4e504d7a0a..0000000000 --- a/changes/geoip-may2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-november2014 b/changes/geoip-november2014 deleted file mode 100644 index 52cbeb3e41..0000000000 --- a/changes/geoip-november2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip to the November 15 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-november2016 b/changes/geoip-november2016 deleted file mode 100644 index 5190ed66f4..0000000000 --- a/changes/geoip-november2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-october2015 b/changes/geoip-october2015 deleted file mode 100644 index f20febec5a..0000000000 --- a/changes/geoip-october2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-october2016 b/changes/geoip-october2016 deleted file mode 100644 index fff9a1eeb5..0000000000 --- a/changes/geoip-october2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-october2017 b/changes/geoip-october2017 deleted file mode 100644 index 11f623e85f..0000000000 --- a/changes/geoip-october2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-september2015 b/changes/geoip-september2015 deleted file mode 100644 index a4f99efaa2..0000000000 --- a/changes/geoip-september2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip-september2016 b/changes/geoip-september2016 deleted file mode 100644 index a14c7c699f..0000000000 --- a/changes/geoip-september2016 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-september2017 b/changes/geoip-september2017 deleted file mode 100644 index be01ff9521..0000000000 --- a/changes/geoip-september2017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip6-april2015 b/changes/geoip6-april2015 deleted file mode 100644 index 241c9119b6..0000000000 --- a/changes/geoip6-april2015 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features: - - Update geoip6 to the April 8 2015 Maxmind GeoLite2 Country database. diff --git a/changes/geoip6-august2014 b/changes/geoip6-august2014 deleted file mode 100644 index 7e7c9a975d..0000000000 --- a/changes/geoip6-august2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the August 7 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip6-january2015 b/changes/geoip6-january2015 deleted file mode 100644 index b86fe2be57..0000000000 --- a/changes/geoip6-january2015 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features: - - Update geoip6 to the January 7 2015 Maxmind GeoLite2 Country database. diff --git a/changes/geoip6-july2014 b/changes/geoip6-july2014 deleted file mode 100644 index 155788ef88..0000000000 --- a/changes/geoip6-july2014 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features: - - Update geoip6 to the July 10 2014 Maxmind GeoLite2 Country database. diff --git a/changes/geoip6-june2015 b/changes/geoip6-june2015 deleted file mode 100644 index 527dbff53b..0000000000 --- a/changes/geoip6-june2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip6-march2015 b/changes/geoip6-march2015 deleted file mode 100644 index 9a38c65e62..0000000000 --- a/changes/geoip6-march2015 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the March 3 2015 Maxmind GeoLite2 Country database. - diff --git a/changes/geoip6-november2014 b/changes/geoip6-november2014 deleted file mode 100644 index e91fcc0d3b..0000000000 --- a/changes/geoip6-november2014 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update geoip6 to the November 15 2014 Maxmind GeoLite2 Country database. - diff --git a/changes/longclaw_23592 b/changes/longclaw_23592 deleted file mode 100644 index 91e2da8972..0000000000 --- a/changes/longclaw_23592 +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority changes: - - The directory authority "Longclaw" has changed its IP address. - Closes ticket 23592. diff --git a/changes/rsa_init_bug b/changes/rsa_init_bug deleted file mode 100644 index 6b5fb4f2f9..0000000000 --- a/changes/rsa_init_bug +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (key management): - - If OpenSSL fails to generate an RSA key, do not retain a dangling pointer - to the previous (uninitialized) key value. The impact here should be - limited to a difficult-to-trigger crash, if OpenSSL is running an - engine that makes key generation failures possible, or if OpenSSL runs - out of memory. Fixes bug 19152; bugfix on 0.2.1.10-alpha. Found by - Yuan Jochen Kang, Suman Jana, and Baishakhi Ray. diff --git a/changes/test.h_msvc b/changes/test.h_msvc deleted file mode 100644 index 3afbc13aaa..0000000000 --- a/changes/test.h_msvc +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation): - - Fix compilation of test.h with MSVC. Patch from Gisle Vanem; - bugfix on 0.2.5.5-alpha. diff --git a/changes/ticket12688 b/changes/ticket12688 deleted file mode 100644 index 88228e5506..0000000000 --- a/changes/ticket12688 +++ /dev/null @@ -1,6 +0,0 @@ - Major features: - - Make the number of entry guards configurable via a new - NumEntryGuards consensus parameter, and the number of directory - guards configurable via a new NumDirectoryGuards consensus - parameter. Implements ticket 12688. - diff --git a/changes/ticket12690 b/changes/ticket12690 deleted file mode 100644 index 5091883602..0000000000 --- a/changes/ticket12690 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor features: - - Authorities now assign the Guard flag to the fastest 25% of the - network (it used to be the fastest 50%). Also raise the consensus - weight that guarantees the Guard flag from 250 to 2000. For the - current network, this results in about 1100 guards, down from 2500. - This step paves the way for moving the number of entry guards - down to 1 (proposal 236) while still providing reasonable expected - performance for most users. Implements ticket 12690. - diff --git a/changes/ticket13036 b/changes/ticket13036 deleted file mode 100644 index 1b4784358a..0000000000 --- a/changes/ticket13036 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Fix a large number of false positive warnings from the clang - analyzer static analysis tool. This should make real warnings - easier for clang analyzer to find. Patch from "teor". Closes - ticket 13036. diff --git a/changes/ticket14128 b/changes/ticket14128 deleted file mode 100644 index 38b25fa7dc..0000000000 --- a/changes/ticket14128 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (controller): - - New "GETINFO bw-event-cache" to get information about recent bandwidth - events. Closes ticket 14128. Useful for controllers to get recent - bandwidth history after the fix for 13988. - diff --git a/changes/ticket14487 b/changes/ticket14487 deleted file mode 100644 index 577337ff24..0000000000 --- a/changes/ticket14487 +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority IP change: - - The directory authority Faravahar has a new IP address. Closes - ticket 14487. diff --git a/changes/ticket23910 b/changes/ticket23910 deleted file mode 100644 index eb38fcf32f..0000000000 --- a/changes/ticket23910 +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority changes: - - Add bastet as a ninth directory authority to the default list. Closes - ticket 23910. diff --git a/changes/trove-2017-001.2 b/changes/trove-2017-001.2 deleted file mode 100644 index 3ef073cf9f..0000000000 --- a/changes/trove-2017-001.2 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (parsing): - - Fix an integer underflow bug when comparing malformed Tor versions. - This bug is harmless, except when Tor has been built with - --enable-expensive-hardening, which would turn it into a crash; - or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with - -ftrapv by default. - Part of TROVE-2017-001. Fixes bug 21278; bugfix on - 0.0.8pre1. Found by OSS-Fuzz. diff --git a/changes/trove-2017-005 b/changes/trove-2017-005 deleted file mode 100644 index cebb013f86..0000000000 --- a/changes/trove-2017-005 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (hidden service, relay, security): - - Fix an assertion failure caused by receiving a BEGIN_DIR cell on - a hidden service rendezvous circuit. Fixes bug 22494, tracked as - TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found - by armadev. - - diff --git a/changes/trove-2017-009 b/changes/trove-2017-009 deleted file mode 100644 index 166a5faec6..0000000000 --- a/changes/trove-2017-009 +++ /dev/null @@ -1,10 +0,0 @@ - o Major bugfixes (security): - - When checking for replays in the INTRODUCE1 cell data for a (legacy) - hiddden service, correctly detect replays in the RSA-encrypted part of - the cell. We were previously checking for replays on the entire cell, - but those can be circumvented due to the malleability of Tor's legacy - hybrid encryption. This fix helps prevent a traffic confirmation - attack. Fixes bug 24244; bugfix on 0.2.4.1-alpha. This issue is also - tracked as TROVE-2017-009 and CVE-2017-8819. - - diff --git a/changes/trove-2017-011 b/changes/trove-2017-011 deleted file mode 100644 index 82d20d9e78..0000000000 --- a/changes/trove-2017-011 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (security): - - Fix a denial of service bug where an attacker could use a malformed - directory object to cause a Tor instance to pause while OpenSSL would - try to read a passphrase from the terminal. (If the terminal was not - available, tor would continue running.) Fixes bug 24246; bugfix on - every version of Tor. Also tracked as TROVE-2017-011 and - CVE-2017-8821. Found by OSS-Fuzz as testcase 6360145429790720. - diff --git a/changes/trove-2017-012-part1 b/changes/trove-2017-012-part1 deleted file mode 100644 index 9fccc2cf65..0000000000 --- a/changes/trove-2017-012-part1 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (security, relay): - - When running as a relay, make sure that we never build a path through - ourselves, even in the case where we have somehow lost the version of - our descriptor appearing in the consensus. Fixes part of bug 21534; - bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012 - and CVE-2017-8822. |