260 files changed, 3251 insertions, 1148 deletions
@@ -1,3 +1,1385 @@ +Changes in version 0.3.5.17 - 2021-10-26 + The major change in this version is that v2 onion services are now + disabled at the client, service, and relay: any Tor nodes running this + version and onward will stop supporting v2 onion services. This is the + last step in the long deprecation process of v2 onion services. + Everyone running an earlier version, whether as a client, a relay, or + an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, + or 0.4.6.8. + + o Major feature (onion service v2, backport from 0.4.5.11): + - See https://blog.torproject.org/v2-deprecation-timeline for + details on how to transition from v2 to v3. + - The control port commands HSFETCH and HSPOST no longer allow + version 2, and it is no longer possible to create a v2 service + with ADD_ONION. + - Tor no longer allows creating v2 services, or connecting as a + client to a v2 service. Relays will decline to be a v2 HSDir or + introduction point. This effectively disables onion service + version 2 Tor-wide. Closes ticket 40476. + + o Minor features (bridge, backport from 0.4.6.8): + - We now announce the URL to Tor's new bridge status at + https://bridges.torproject.org/ when Tor is configured to run as a + bridge relay. Closes ticket 30477. + + o Minor features (fallbackdir): + - Regenerate fallback directories for October 2021. Closes + ticket 40493. + + o Minor bugfixes (compatibility, backport from 0.4.6.8): + - Fix compatibility with the most recent Libevent versions, which no + longer have an evdns_set_random_bytes() function. Because this + function has been a no-op since Libevent 2.0.4-alpha, it is safe + for us to just stop calling it. Fixes bug 40371; bugfix + on 0.2.1.7-alpha. + + +Changes in version 0.3.5.16 - 2021-08-16 + This version fixes several bugs from earlier versions of Tor, + including one that could lead to a denial-of-service attack. 
Everyone + running an earlier version, whether as a client, a relay, or an onion + service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between + our batch-signature verification code and our single-signature + verification code. This assertion failure could be triggered + remotely, leading to a denial of service attack. We fix this issue + by disabling batch verification. Fixes bug 40078; bugfix on + 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and + CVE-2021-38385. Found by Henry de Valence. + + o Minor feature (fallbackdir): + - Regenerate fallback directories list. Close ticket 40447. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/08/12. + + o Minor bugfix (crypto, backport from 0.4.6.7): + - Disable the unused batch verification feature of ed25519-donna. + Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry + de Valence. + + o Minor bugfixes (relay, backport from 0.4.6.7): + - Reduce the compression level for data streaming from HIGH to LOW. + Fixes bug 40301; bugfix on 0.3.5.1-alpha. + + +Changes in version 0.3.5.15 - 2021-06-14 + Tor 0.3.5.15 fixes several security issues, including a + denial-of-service attack against onion service clients, and another + denial-of-service attack against relays. Everybody should upgrade to + one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. + + o Major bugfixes (security, backport from 0.4.6.5): + - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on + half-closed streams. Previously, clients failed to validate which + hop sent these cells: this would allow a relay on a circuit to end + a stream that wasn't actually built with it. Fixes bug 40389; + bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- + 003 and CVE-2021-34548. 
+ + o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): + - Detect more failure conditions from the OpenSSL RNG code. + Previously, we would detect errors from a missing RNG + implementation, but not failures from the RNG code itself. + Fortunately, it appears those failures do not happen in practice + when Tor is using OpenSSL's default RNG implementation. Fixes bug + 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as + TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. + + o Major bugfixes (security, denial of service, backport from 0.4.6.5): + - Resist a hashtable-based CPU denial-of-service attack against + relays. Previously we used a naive unkeyed hash function to look + up circuits in a circuitmux object. An attacker could exploit this + to construct circuits with chosen circuit IDs, to create + collisions and make the hash table inefficient. Now we use a + SipHash construction here instead. Fixes bug 40391; bugfix on + 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and + CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. + - Fix an out-of-bounds memory access in v3 onion service descriptor + parsing. An attacker could exploit this bug by crafting an onion + service descriptor that would crash any client that tried to visit + it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also + tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei + Glazunov from Google's Project Zero. + + o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc): + - Fix an indentation problem that led to a warning from GCC 11.1.1. + Fixes bug 40380; bugfix on 0.3.0.1-alpha. + + o Minor features (compatibility, backport from 0.4.6.4-rc): + - Remove an assertion function related to TLS renegotiation. It was + used nowhere outside the unit tests, and it was breaking + compilation with recent alpha releases of OpenSSL 3.0.0. Closes + ticket 40399. 
+ + o Minor features (fallback directory list, backport from 0.4.6.2-alpha): + - Regenerate the list of fallback directories to contain a new set + of 200 relays. Closes ticket 40265. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/06/10. + + +Changes in version 0.3.5.14 - 2021-03-16 + Tor 0.3.5.14 backports fixes for two important denial-of-service bugs + in earlier versions of Tor. + + One of these vulnerabilities (TROVE-2021-001) would allow an attacker + who can send directory data to a Tor instance to force that Tor + instance to consume huge amounts of CPU. This is easiest to exploit + against authorities, since anybody can upload to them, but directory + caches could also exploit this vulnerability against relays or clients + when they download. The other vulnerability (TROVE-2021-002) only + affects directory authorities, and would allow an attacker to remotely + crash the authority with an assertion failure. Patches have already + been provided to the authority operators, to help ensure + network stability. + + We recommend that everybody upgrade to one of the releases that fixes + these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available + to you. + + This release also updates our GeoIP data source, and fixes a + compatibility issue. + + o Major bugfixes (security, denial of service, backport from 0.4.5.7): + - Disable the dump_desc() function that we used to dump unparseable + information to disk. It was called incorrectly in several places, + in a way that could lead to excessive CPU usage. Fixes bug 40286; + bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- + 001 and CVE-2021-28089. + - Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority. Fixes + bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 + and CVE-2021-28090. 
+ + o Minor features (geoip data, backport from 0.4.5.7): + - We have switched geoip data sources. Previously we shipped IP-to- + country mappings from Maxmind's GeoLite2, but in 2019 they changed + their licensing terms, so we were unable to update them after that + point. We now ship geoip files based on the IPFire Location + Database instead. (See https://location.ipfire.org/ for more + information). This release updates our geoip files to match the + IPFire Location Database as retrieved on 2021/03/12. Closes + ticket 40224. + + o Removed features (mallinfo deprecated, backport from 0.4.5.7): + - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it. + Closes ticket 40309. + + +Changes in version 0.3.5.13 - 2020-02-03 + Tor 0.3.5.13 backports numerous bugfixes from later releases, + including one that made v3 onion services more susceptible to + denial-of-service attacks, and a feature that makes some kinds of + DoS attacks harder to perform. + + o Major bugfixes (onion service v3, backport from 0.4.5.3-rc): + - Stop requiring a live consensus for v3 clients and services, and + allow a "reasonably live" consensus instead. This allows v3 onion + services to work even if the authorities fail to generate a + consensus for more than 2 hours in a row. Fixes bug 40237; bugfix + on 0.3.5.1-alpha. + + o Major bugfixes (stats, onion services, backport from 0.4.4.5): + - Fix a bug where we were undercounting the Tor network's total + onion service traffic, by ignoring any traffic originating from + clients. Now we count traffic from both clients and services. + Fixes bug 40117; bugfix on 0.2.6.2-alpha. + + o Major feature (exit, backport from 0.4.5.5-rc): + - Re-entry into the network is now denied at the Exit level to all + relays' ORPorts and authorities' ORPorts and DirPorts. This change + should help mitgate a set of denial-of-service attacks. Closes + ticket 2667. 
+ + o Minor feature (build system, backport from 0.4.5.4-rc): + - New "make lsp" command to generate the compile_commands.json file + used by the ccls language server. The "bear" program is needed for + this. Closes ticket 40227. + + o Minor features (compilation, backport from 0.4.5.2-rc): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or + later. There are a number of APIs newly deprecated in OpenSSL + 3.0.0 that Tor still requires. (A later version of Tor will try to + stop depending on these APIs.) Closes ticket 40165. + + o Minor features (crypto, backport from 0.4.5.3-rc): + - Fix undefined behavior on our Keccak library. The bug only + appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) + and would result in wrong digests. Fixes bug 40210; bugfix on + 0.2.8.1-alpha. Thanks to Bernhard Ãœbelacker, Arnd Bergmann and + weasel for diagnosing this. + + o Minor bugfixes (compatibility, backport from 0.4.5.1-rc): + - Strip '\r' characters when reading text files on Unix platforms. + This should resolve an issue where a relay operator migrates a + relay from Windows to Unix, but does not change the line ending of + Tor's various state files to match the platform, and the CRLF line + endings from Windows end up leaking into other files such as the + extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5. + + o Minor bugfixes (compilation, backport from 0.4.5.1-rc): + - Resolve a compilation warning that could occur in + test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (compilation, backport from 0.4.5.3-rc): + - Fix a compilation warning about unreachable fallthrough + annotations when building with "--enable-all-bugs-are-fatal" on + some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha. + + o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc): + - Handle partial SOCKS5 messages correctly. 
Previously, our code + would send an incorrect error message if it got a SOCKS5 request + that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, backport from 0.4.5.2-alpha): + - Fix our Python reference-implementation for the v3 onion service + handshake so that it works correctly with the version of hashlib + provided by Python 3.9. Fixes part of bug 40179; bugfix + on 0.3.1.6-rc. + - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL + 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha. + + +Changes in version 0.3.5.12 - 2020-11-12 + Tor 0.4.3.7 backports several bugfixes from later releases. It + includes a fix for TROVE-2020-005, a security issue that could be + used, under certain cases, by an adversary to observe traffic patterns + on a limited number of circuits intended for a different relay. + + o Major features (fallback directory list, backport form 0.4.4.3-alpha): + - Replace the 148 fallback directories originally included in Tor + 0.4.1.4-rc (of which around 105 are still functional) with a list + of 144 fallbacks generated in July 2020. Closes ticket 40061. + + o Major bugfixes (security, backport from 0.4.5.1-alpha): + - When completing a channel, relays now check more thoroughly to + make sure that it matches any pending circuits before attaching + those circuits. Previously, address correctness and Ed25519 + identities were not checked in this case, but only when extending + circuits on an existing channel. Fixes bug 40080; bugfix on + 0.2.7.2-alpha. Resolves TROVE-2020-005. + + o Major bugfixes (NSS, backport from 0.4.4.3-alpha): + - When running with NSS enabled, make sure that NSS knows to expect + nonblocking sockets. Previously, we set our TCP sockets as + nonblocking, but did not tell NSS, which in turn could lead to + unexpected blocking behavior. Fixes bug 40035; bugfix + on 0.3.5.1-alpha. 
+ + o Minor features (security, backport from 0.4.4.4-rc): + - Channels using obsolete versions of the Tor link protocol are no + longer allowed to circumvent address-canonicity checks. (This is + only a minor issue, since such channels have no way to set ed25519 + keys, and therefore should always be rejected for circuits that + specify ed25519 identities.) Closes ticket 40081. + + o Minor features (debugging, directory system): + - Don't crash when we find a non-guard with a guard-fraction value + set. Instead, log a bug warning, in an attempt to figure out how + this happened. Diagnostic for ticket 32868. + + o Minor features (subprotocol versions, backport from 0.4.5.1-alpha): + - Tor no longer allows subprotocol versions larger than 63. + Previously version numbers up to UINT32_MAX were allowed, which + significantly complicated our code. Implements proposal 318; + closes ticket 40133. + + o Minor features (tests, backport from 0.4.4.5): + - Our "make check" target now runs the unit tests in 8 parallel + chunks. Doing this speeds up hardened CI builds by more than a + factor of two. Closes ticket 40098. + + o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha): + - Fix a rendezvous cache unit test that was triggering an underflow + on the global rend cache allocation. Fixes bug 40125; bugfix + on 0.2.8.1-alpha. + - Fix another rendezvous cache unit test that was triggering an + underflow on the global rend cache allocation. Fixes bug 40126; + bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc): + - Fix a correctness bug that could cause an assertion failure if we + ever tried using the buf_move_all() function with an empty input + buffer. As far as we know, no released versions of Tor do this. + Fixes bug 40076; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.5.1-alpha): + - Remove a debug logging statement that uselessly spammed the logs. 
+ Fixes bug 40135; bugfix on 0.3.5.0-alpha. + + o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc): + - On a bridge, treat all connections from an ExtORPort as remote by + default for the purposes of rate-limiting. Previously, bridges + would treat the connection as local unless they explicitly + received a "USERADDR" command. ExtORPort connections still count + as local if there is a USERADDR command with an explicit local + address. Fixes bug 33747; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha): + - Avoid a fatal assert() when failing to create a listener + connection for an address that was in use. Fixes bug 40073; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha): + - Adjust the rules for when to warn about having too many + connections to other relays. Previously we'd tolerate up to 1.5 + connections per relay on average. Now we tolerate more connections + for directory authorities, and raise the number of total + connections we need to see before we warn. Fixes bug 33880; bugfix + on 0.3.1.1-alpha. + + o Minor bugfixes (relays, backport from 0.4.4.1-alpha): + - Stop advertising incorrect IPv6 ORPorts in relay and bridge + descriptors, when the IPv6 port was configured as "auto". Fixes + bug 32588; bugfix on 0.2.3.9-alpha. + + o Minor bugfixes (tests, 0.4.4.5): + - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run + on its own. Previously, it would exit with an error. Fixes bug + 40099; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (windows, backport from 0.4.4.4-rc): + - Fix a bug that prevented Tor from starting if its log file grew + above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha. + + o Deprecated features (onion service v2, backport form 0.4.4.2-alpha): + - Add a deprecation warning for version 2 onion services. Closes + ticket 40003. 
+ + +Changes in version 0.3.5.11 - 2020-07-09 + Tor 0.3.5.11 backports fixes from later tor releases, including several + usability, portability, and reliability fixes. + + This release also fixes TROVE-2020-001, a medium-severity denial of + service vulnerability affecting all versions of Tor when compiled with + the NSS encryption library. (This is not the default configuration.) + Using this vulnerability, an attacker could cause an affected Tor + instance to crash remotely. This issue is also tracked as CVE-2020- + 15572. Anybody running a version of Tor built with the NSS library + should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha + or later. + + o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha): + - Fix a crash due to an out-of-bound memory access when Tor is + compiled with NSS support. Fixes bug 33119; bugfix on + 0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001 + and CVE-2020-15572. + + o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc): + - Fix a bug that was preventing DoS defenses from running on bridges + with a pluggable transport. Previously, the DoS subsystem was not + given the transport name of the client connection, thus failed to + find the GeoIP cache entry for that client address. Fixes bug + 33491; bugfix on 0.3.3.2-alpha. + + o Minor features (testing, backport from 0.4.3.4-rc): + - The unit tests now support a "TOR_SKIP_TESTCASES" environment + variable to specify a list of space-separated test cases that + should not be executed. We will use this to disable certain tests + that are failing on Appveyor because of mismatched OpenSSL + libraries. Part of ticket 33643. + + o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha): + - Use the correct 64-bit printf format when compiling with MINGW on + Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha. 
+ + o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha): + - Warn if the ContactInfo field is not set, and tell the relay + operator that not having a ContactInfo field set might cause their + relay to get rejected in the future. Fixes bug 33361; bugfix + on 0.1.1.10-alpha. + + o Minor bugfixes (client performance, backport from 0.4.4.1-alpha): + - Resume use of preemptively-built circuits when UseEntryGuards is set + to 0. We accidentally disabled this feature with that config + setting, leading to slower load times. Fixes bug 34303; bugfix + on 0.3.3.2-alpha. + + o Minor bugfixes (compiler compatibility, backport from 0.4.3.5): + - Avoid compiler warnings from Clang 10 related to the use of GCC- + style "/* falls through */" comments. Both Clang and GCC allow + __attribute__((fallthrough)) instead, so that's what we're using + now. Fixes bug 34078; bugfix on 0.3.1.3-alpha. + + o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha): + - Fix a compiler warning on platforms with 32-bit time_t values. + Fixes bug 40028; bugfix on 0.3.2.8-rc. + + o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha): + - When starting Tor any time after the first time in a process, + register the thread in which it is running as the main thread. + Previously, we only did this on Windows, which could lead to bugs + like 23081 on non-Windows platforms. Fixes bug 32884; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (key portability, backport from 0.4.3.4-rc): + - When reading PEM-encoded key data, tolerate CRLF line-endings even + if we are not running on Windows. Previously, non-Windows hosts + would reject these line-endings in certain positions, making + certain key files hard to move from one host to another. Fixes bug + 33032; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.4.2-alpha): + - Downgrade a noisy log message that could occur naturally when + receiving an extrainfo document that we no longer want. 
Fixes bug + 16016; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha): + - Remove a BUG() warning that would cause a stack trace if an onion + service descriptor was freed while we were waiting for a + rendezvous circuit to complete. Fixes bug 28992; bugfix + on 0.3.2.1-alpha. + + o Testing (CI, backport from 0.4.3.4-rc): + - In our Appveyor Windows CI, copy required DLLs to test and app + directories, before running tor's tests. This ensures that tor.exe + and test*.exe use the correct version of each DLL. This fix is not + required, but we hope it will avoid DLL search issues in future. + Fixes bug 33673; bugfix on 0.3.4.2-alpha. + - On Appveyor, skip the crypto/openssl_version test, which is + failing because of a mismatched library installation. Fix + for 33643. + + +Changes in version 0.3.5.10 - 2020-03-18 + Tor 0.3.5.10 backports many fixes from later Tor releases, including a + fix for TROVE-2020-002, a major denial-of-service vulnerability that + affected all released Tor instances since 0.2.1.5-alpha. Using this + vulnerability, an attacker could cause Tor instances to consume a huge + amount of CPU, disrupting their operations for several seconds or + minutes. This attack could be launched by anybody against a relay, or + by a directory cache against any client that had connected to it. The + attacker could launch this attack as much as they wanted, thereby + disrupting service or creating patterns that could aid in traffic + analysis. This issue was found by OSS-Fuzz, and is also tracked + as CVE-2020-10592. + + We do not have reason to believe that this attack is currently being + exploited in the wild, but nonetheless we advise everyone to upgrade + as soon as packages are available. 
+ + o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha): + - Fix a denial-of-service bug that could be used by anyone to + consume a bunch of CPU on any Tor relay or authority, or by + directories to consume a bunch of CPU on clients or hidden + services. Because of the potential for CPU consumption to + introduce observable timing patterns, we are treating this as a + high-severity security issue. Fixes bug 33119; bugfix on + 0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue + as TROVE-2020-002 and CVE-2020-10592. + + o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha): + - Correct how we use libseccomp. Particularly, stop assuming that + rules are applied in a particular order or that more rules are + processed after the first match. Neither is the case! In + libseccomp <2.4.0 this lead to some rules having no effect. + libseccomp 2.4.0 changed how rules are generated, leading to a + different ordering, which in turn led to a fatal crash during + startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by + Peter Gerber. + + o Minor features (continuous integration, backport from 0.4.3.2-alpha): + - Stop allowing failures on the Travis CI stem tests job. It looks + like all the stem hangs we were seeing before are now fixed. + Closes ticket 33075. + + o Minor bugfixes (bridges, backport from 0.4.3.1-alpha): + - Lowercase the configured value of BridgeDistribution before adding + it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha. + + o Minor bugfixes (crash, backport from 0.4.2.4-rc): + - When running Tor with an option like --verify-config or + --dump-config that does not start the event loop, avoid crashing + if we try to exit early because of an error. Fixes bug 32407; + bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.3.2-alpha): + - If we encounter a bug when flushing a buffer to a TLS connection, + only log the bug once per invocation of the Tor process. 
+ Previously we would log with every occurrence, which could cause + us to run out of disk space. Fixes bug 33093; bugfix + on 0.3.2.2-alpha. + + o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha): + - Fix an assertion failure that could result from a corrupted + ADD_ONION control port command. Found by Saibato. Fixes bug 33137; + bugfix on 0.3.3.1-alpha. This issue is also tracked + as TROVE-2020-003. + + o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha): + - Fix a syntax warning given by newer versions of Rust that was + creating problems for our continuous integration. Fixes bug 33212; + bugfix on 0.3.5.1-alpha. + + o Testing (backport from 0.4.3.1-alpha): + - Re-enable the Travis CI macOS Chutney build, but don't let it + prevent the Travis job from finishing. (The Travis macOS jobs are + slow, so we don't want to have it delay the whole CI process.) + Closes ticket 32629. + - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on + Ubuntu Bionic. Turning off the Sandbox is a work-around, until we + fix the sandbox errors in 32722. Closes ticket 32240. + + o Testing (continuous integration, backport from 0.4.3.1-alpha): + - Use zstd in our Travis Linux builds. Closes ticket 32242. + + o Testing (Travis CI, backport from 0.4.3.3-alpha): + - Remove a redundant distcheck job. Closes ticket 33194. + - Sort the Travis jobs in order of speed: putting the slowest jobs + first takes full advantage of Travis job concurrency. Closes + ticket 33194. + - Stop allowing the Chutney IPv6 Travis job to fail. This job was + previously configured to fast_finish (which requires + - When a Travis chutney job fails, use chutney's new "diagnostics.sh" + tool to produce detailed diagnostic output. Closes ticket 32792. + + +Changes in version 0.3.5.9 - 2019-12-09 + Tor 0.3.5.9 backports serveral fixes from later releases, including + several that affect bridge users, relay stability, onion services, + and much more. 
+ + o Directory authority changes (backport from 0.4.1.5): + - The directory authority "dizum" has a new IP address. Closes + ticket 31406. + + o Major bugfixes (bridges, backport from 0.4.1.2-alpha): + - Consider our directory information to have changed when our list + of bridges changes. Previously, Tor would not re-compute the + status of its directory information when bridges changed, and + therefore would not realize that it was no longer able to build + circuits. Fixes part of bug 29875. + - Do not count previously configured working bridges towards our + total of working bridges. Previously, when Tor's list of bridges + changed, it would think that the old bridges were still usable, + and delay fetching router descriptors for the new ones. Fixes part + of bug 29875; bugfix on 0.3.0.1-alpha. + + o Major bugfixes (circuit build, guard, backport from 0.4.1.4-rc): + - When considering upgrading circuits from "waiting for guard" to + "open", always ignore circuits that are marked for close. Otherwise, + we can end up in the situation where a subsystem is notified that + a closing circuit has just opened, leading to undesirable + behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha. + + o Major bugfixes (NSS, relay, backport from 0.4.0.4-rc): + - When running with NSS, disable TLS 1.2 ciphersuites that use + SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for + these ciphersuites don't work -- which caused relays to fail to + handshake with one another when these ciphersuites were enabled. + Fixes bug 29241; bugfix on 0.3.5.1-alpha. + + o Major bugfixes (Onion service reachability, backport from 0.4.1.3-alpha): + - Properly clean up the introduction point map when circuits change + purpose from onion service circuits to pathbias, measurement, or + other circuit types. This should fix some service-side instances + of introduction point failure. Fixes bug 29034; bugfix + on 0.3.2.1-alpha. 
+ + o Major bugfixes (onion service v3, backport from 0.4.1.1-alpha): + - Fix an unreachable bug in which an introduction point could try to + send an INTRODUCE_ACK with a status code that Trunnel would refuse + to encode, leading the relay to assert(). We've consolidated the + ABI values into Trunnel now. Fixes bug 30454; bugfix + on 0.3.0.1-alpha. + - Clients can now handle unknown status codes from INTRODUCE_ACK + cells. (The NACK behavior will stay the same.) This will allow us + to extend status codes in the future without breaking the normal + client behavior. Fixes another part of bug 30454; bugfix + on 0.3.0.1-alpha. + + o Major bugfixes (torrc parsing, backport from 0.4.2.2-alpha): + - Stop ignoring torrc options after an %include directive, when the + included directory ends with a file that does not contain any + config options (but does contain comments or whitespace). Fixes + bug 31408; bugfix on 0.3.1.1-alpha. + + o Major bugfixes (v3 onion services, backport from 0.4.2.3-alpha): + - Onion services now always use the exact number of intro points + configured with the HiddenServiceNumIntroductionPoints option (or + fewer if nodes are excluded). Before, a service could sometimes + pick more intro points than configured. Fixes bug 31548; bugfix + on 0.3.2.1-alpha. + + o Minor features (address selection, backport from 0.4.0.3-alpha): + - Treat the subnet 100.64.0.0/10 as public for some purposes; + private for others. This subnet is the RFC 6598 (Carrier Grade + NAT) IP range, and is deployed by many ISPs as an alternative to + RFC 1918 that does not break existing internal networks. Tor now + blocks SOCKS and control ports on these addresses and warns users + if client ports or ExtORPorts are listening on a RFC 6598 address. + Closes ticket 28525. Patch by Neel Chauhan. + + o Minor features (bandwidth authority, backport from 0.4.0.4-rc): + - Make bandwidth authorities ignore relays that are reported in the + bandwidth file with the flag "vote=0". 
This change allows us to + report unmeasured relays for diagnostic reasons without including + their bandwidth in the bandwidth authorities' vote. Closes + ticket 29806. + + o Minor features (compile-time modules, backport from version 0.4.1.1-alpha): + - Add a "--list-modules" command to print a list of which compile- + time modules are enabled. Closes ticket 30452. + + o Minor features (continuous integration, backport from 0.4.0.4-rc): + - On Travis Rust builds, cleanup Rust registry and refrain from + caching the "target/" directory to speed up builds. Resolves + issue 29962. + + o Minor features (continuous integration, backport from 0.4.0.5): + - In Travis, tell timelimit to use stem's backtrace signals, and + launch python directly from timelimit, so python receives the + signals from timelimit, rather than make. Closes ticket 30117. + + o Minor features (continuous integration, backport from 0.4.1.1-alpha): + - Remove sudo configuration lines from .travis.yml as they are no + longer needed with current Travis build environment. Resolves + issue 30213. + + o Minor features (continuous integration, backport from 0.4.1.4-rc): + - Our Travis configuration now uses Chutney to run some network + integration tests automatically. Closes ticket 29280. + + o Minor features (continuous integration, backport from 0.4.2.2-alpha): + - When building on Appveyor and Travis, pass the "-k" flag to make, + so that we are informed of all compilation failures, not just the + first one or two. Closes ticket 31372. + + o Minor features (fallback directory list, backport from 0.4.1.4-rc): + - Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc + in December 2018 (of which ~122 were still functional), with a + list of 148 fallbacks (70 new, 78 existing, 79 removed) generated + in June 2019. Closes ticket 28795. + + o Minor features (geoip, backport from 0.4.2.5): + - Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2 + Country database. 
Closes ticket 32685. + + o Minor features (NSS, diagnostic, backport from 0.4.0.4-rc): + - Try to log an error from NSS (if there is any) and a more useful + description of our situation if we are using NSS and a call to + SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241. + + o Minor features (stem tests, backport from 0.4.2.1-alpha): + - Change "make test-stem" so it only runs the stem tests that use + tor. This change makes test-stem faster and more reliable. Closes + ticket 31554. + + o Minor bugfixes (security, backport from 0.4.0.4-rc): + - Verify in more places that we are not about to create a buffer + with more than INT_MAX bytes, to avoid possible OOB access in the + event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and + fixed by Tobias Stoeckmann. + - Fix a potential double free bug when reading huge bandwidth files. + The issue is not exploitable in the current Tor network because + the vulnerable code is only reached when directory authorities + read bandwidth files, but bandwidth files come from a trusted + source (usually the authorities themselves). Furthermore, the + issue is only exploitable in rare (non-POSIX) 32-bit architectures, + which are not used by any of the current authorities. Fixes bug + 30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by + Tobias Stoeckmann. + + o Minor bugfix (continuous integration, backport from 0.4.0.4-rc): + - Reset coverage state on disk after Travis CI has finished. This + should prevent future coverage merge errors from causing the test + suite for the "process" subsystem to fail. The process subsystem + was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix + on 0.2.9.15. + - Terminate test-stem if it takes more than 9.5 minutes to run. + (Travis terminates the job after 10 minutes of no output.) + Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha. 
+ + o Minor bugfixes (Appveyor CI, backport from 0.4.2.2-alpha): + - Avoid spurious errors when Appveyor CI fails before the install step. + Fixes bug 31884; bugfix on 0.3.4.2-alpha. + + o Minor bugfixes (build system, backport form 0.4.2.1-alpha): + - Do not include the deprecated <sys/sysctl.h> on Linux or Windows + systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha. + + o Minor bugfixes (C correctness, backport from 0.4.0.4-rc): + - Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug + 29824; bugfix on 0.3.1.1-alpha. This is Coverity warning + CID 1444119. + + o Minor bugfixes (circuit isolation, backport from 0.4.1.3-alpha): + - Fix a logic error that prevented the SessionGroup sub-option from + being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha. + + o Minor bugfixes (client, onion service v3, backport from 0.4.2.4-rc): + - Fix a BUG() assertion that occurs within a very small race window + between when a client intro circuit opens and when its descriptor + gets cleaned up from the cache. The circuit is now closed early, + which will trigger a re-fetch of the descriptor and continue the + connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (clock skew detection, backport from 0.4.1.5): + - Don't believe clock skew results from NETINFO cells that appear to + arrive before we sent the VERSIONS cells they are responding to. + Previously, we would accept them up to 3 minutes "in the past". + Fixes bug 31343; bugfix on 0.2.4.4-alpha. + + o Minor bugfixes (compilation warning, backport from 0.4.1.5): + - Fix a compilation warning on Windows about casting a function + pointer for GetTickCount64(). Fixes bug 31374; bugfix + on 0.2.9.1-alpha. + + o Minor bugfixes (compilation, backport from 0.4.0.2-alpha): + - Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug + 29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn. 
+ + o Minor bugfixes (compilation, backport from 0.4.1.5): + - Avoid using labs() on time_t, which can cause compilation warnings + on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha. + + o Minor bugfixes (compilation, backport from 0.4.2.1-alpha): + - Suppress spurious float-conversion warnings from GCC when calling + floating-point classifier functions on FreeBSD. Fixes part of bug + 31687; bugfix on 0.3.1.5-alpha. + + o Minor bugfixes (compilation, unusual configurations, backport from 0.4.1.1-alpha): + - Avoid failures when building with the ALL_BUGS_ARE_FATAL option + due to missing declarations of abort(), and prevent other such + failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (configuration, proxies, backport from 0.4.1.2-alpha): + - Fix a bug that prevented us from supporting SOCKS5 proxies that + want authentication along with configured (but unused!) + ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha. + + o Minor bugfixes (connections, backport from 0.4.2.3-rc): + - Avoid trying to read data from closed connections, which can cause + needless loops in Libevent and infinite loops in Shadow. Fixes bug + 30344; bugfix on 0.1.1.1-alpha. + + o Minor bugfixes (continuous integration, backport from 0.4.1.3-alpha): + - Allow the test-stem job to fail in Travis, because it sometimes + hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha. + - Skip test_rebind on macOS in Travis, because it is unreliable on + macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha. + - Skip test_rebind when the TOR_SKIP_TEST_REBIND environment + variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (crash on exit, backport from 0.4.1.4-rc): + - Avoid a set of possible code paths that could try to use freed + memory in routerlist_free() while Tor was exiting. Fixes bug + 31003; bugfix on 0.1.2.2-alpha. 
+ + o Minor bugfixes (directory authorities, backport from 0.4.1.3-alpha): + - Stop crashing after parsing an unknown descriptor purpose + annotation. We think this bug can only be triggered by modifying a + local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha. + + o Minor bugfixes (directory authority, backport from 0.4.1.2-alpha): + - Move the "bandwidth-file-headers" line in directory authority + votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (error handling, backport from 0.4.2.1-alpha): + - On abort, try harder to flush the output buffers of log messages. + On some platforms (macOS), log messages could be discarded when + the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha. + - Report the tor version whenever an assertion fails. Previously, we + only reported the Tor version on some crashes, and some non-fatal + assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (FreeBSD, PF-based proxy, IPv6, backport from 0.4.2.1-alpha): + - When extracting an IPv6 address from a PF-based proxy, verify that + we are actually configured to receive an IPv6 address, and log an + internal error if not. Fixes part of bug 31687; bugfix + on 0.2.3.4-alpha. + + o Minor bugfixes (guards, backport from 0.4.2.1-alpha): + - When tor is missing descriptors for some primary entry guards, + make the log message less alarming. It's normal for descriptors to + expire, as long as tor fetches new ones soon after. Fixes bug + 31657; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.0.2-alpha): + - Avoid logging that we are relaxing a circuit timeout when that + timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (logging, backport from 0.4.0.3-alpha): + - Correct a misleading error message when IPv4Only or IPv6Only is + used but the resolved address can not be interpreted as an address + of the specified IP version. 
Fixes bug 13221; bugfix on + 0.2.3.9-alpha. Patch from Kris Katterjohn. + - Log the correct port number for listening sockets when "auto" is + used to let Tor pick the port number. Previously, port 0 was + logged instead of the actual port number. Fixes bug 29144; bugfix + on 0.3.5.1-alpha. Patch from Kris Katterjohn. + - Stop logging a BUG() warning when Tor is waiting for exit + descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.1.1-alpha): + - Do not log a warning when running with an OpenSSL version other + than the one Tor was compiled with, if the two versions should be + compatible. Previously, we would warn whenever the version was + different. Fixes bug 30190; bugfix on 0.2.4.2-alpha. + + o Minor bugfixes (logging, backport from 0.4.2.1-alpha): + - Change log level of message "Hash of session info was not as + expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix + on 0.1.1.10-alpha. + + o Minor bugfixes (logging, backport from 0.4.2.2-alpha): + - Rate-limit our the logging message about the obsolete .exit + notation. Previously, there was no limit on this warning, which + could potentially be triggered many times by a hostile website. + Fixes bug 31466; bugfix on 0.2.2.1-alpha. + + o Minor bugfixes (logging, protocol violations, backport from 0.4.2.2-alpha): + - Do not log a nonfatal assertion failure when receiving a VERSIONS + cell on a connection using the obsolete v1 link protocol. Log a + protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha. + + o Minor bugfixes (mainloop, periodic events, in-process API, backport from 0.4.2.3-alpha): + - Reset the periodic events' "enabled" flag when Tor is shut down + cleanly. Previously, this flag was left on, which caused periodic + events not to be re-enabled when Tor was relaunched in-process + with tor_api.h after a shutdown. Fixes bug 32058; bugfix + on 0.3.3.1-alpha. 
+ + o Minor bugfixes (memory leak, backport from 0.4.1.1-alpha): + - Avoid a minor memory leak that could occur on relays when failing + to create a "keys" directory. Fixes bug 30148; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (memory leak, backport from 0.4.1.4-rc): + - Fix a trivial memory leak when parsing an invalid value + from a download schedule in the configuration. Fixes bug + 30894; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (memory management, backport from 0.4.0.3-alpha): + - Refactor the shared random state's memory management so that it + actually takes ownership of the shared random value pointers. + Fixes bug 29706; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (memory management, testing, backport from 0.4.0.3-alpha): + - Stop leaking parts of the shared random state in the shared-random + unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (onion services, backport from 0.4.1.1-alpha): + - Avoid a GCC 9.1.1 warning (and possible crash depending on libc + implemenation) when failing to load an onion service client + authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (out-of-memory handler, backport from 0.4.1.2-alpha): + - When purging the DNS cache because of an out-of-memory condition, + try purging just the older entries at first. Previously, we would + always purge the whole thing. Fixes bug 29617; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (portability, backport from 0.4.1.2-alpha): + - Avoid crashing in our tor_vasprintf() implementation on systems + that define neither vasprintf() nor _vscprintf(). (This bug has + been here long enough that we question whether people are running + Tor on such systems, but we're applying the fix out of caution.) + Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by + Tobias Stoeckmann. 
+ + o Minor bugfixes (relay, backport from 0.4.2.2-alpha): + - Avoid crashing when starting with a corrupt keys directory where + the old ntor key and the new ntor key are identical. Fixes bug + 30916; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (rust, backport from 0.4.0.5): + - Abort on panic in all build profiles, instead of potentially + unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (rust, backport from 0.4.2.1-alpha): + - Correctly exclude a redundant rust build job in Travis. Fixes bug + 31463; bugfix on 0.3.5.4-alpha. + + o Minor bugfixes (single onion services, backport from 0.4.0.3-alpha): + - Allow connections to single onion services to remain idle without + being disconnected. Previously, relays acting as rendezvous points + for single onion services were mistakenly closing idle rendezvous + circuits after 60 seconds, thinking that they were unused + directory-fetching circuits that had served their purpose. Fixes + bug 29665; bugfix on 0.2.1.26. + + o Minor bugfixes (stats, backport from 0.4.0.3-alpha): + - When ExtraInfoStatistics is 0, stop including PaddingStatistics in + relay and bridge extra-info documents. Fixes bug 29017; bugfix + on 0.3.1.1-alpha. + + o Minor bugfixes (testing, backport from 0.4.0.3-alpha): + - Downgrade some LOG_ERR messages in the address/* tests to + warnings. The LOG_ERR messages were occurring when we had no + configured network. We were failing the unit tests, because we + backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug + 29530; bugfix on 0.3.5.8. + - Fix our gcov wrapper script to look for object files at the + correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, backport from 0.4.0.4-rc): + - Backport the 0.3.4 src/test/test-network.sh to 0.2.9. We need a + recent test-network.sh to use new chutney features in CI. Fixes + bug 29703; bugfix on 0.2.9.1-alpha. 
+ - Fix a test failure on Windows caused by an unexpected "BUG" + warning in our tests for tor_gmtime_r(-1). Fixes bug 29922; bugfix + on 0.2.9.3-alpha. + + o Minor bugfixes (testing, backport from 0.4.2.3-alpha): + - When testing port rebinding, don't busy-wait for tor to log. + Instead, actually sleep for a short time before polling again. + Also improve the formatting of control commands and log messages. + Fixes bug 31837; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (TLS protocol, backport form 0.4.0.4-rc): + - When classifying a client's selection of TLS ciphers, if the + client ciphers are not yet available, do not cache the result. + Previously, we had cached the unavailability of the cipher list + and never looked again, which in turn led us to assume that the + client only supported the ancient V1 link protocol. This, in turn, + was causing Stem integration tests to stall in some cases. Fixes + bug 30021; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (tls, logging, backport from 0.4.2.3-alpha): + - Log bugs about the TLS read buffer's length only once, rather than + filling the logs with similar warnings. Fixes bug 31939; bugfix + on 0.3.0.4-rc. + + o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha): + - Always retry v2 single onion service intro and rend circuits with + a 3-hop path. Previously, v2 single onion services used a 3-hop + path when rendezvous circuits were retried after a remote or + delayed failure, but a 1-hop path for immediate retries. Fixes bug + 23818; bugfix on 0.2.9.3-alpha. + - Make v3 single onion services fall back to a 3-hop intro, when all + intro points are unreachable via a 1-hop path. Previously, v3 + single onion services failed when all intro nodes were unreachable + via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (Windows, CI, backport from 0.4.0.3-alpha): + - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit + Windows Server 2012 R2 job. 
The remaining 2 jobs still provide + coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set + fast_finish, so failed jobs terminate the build immediately. Fixes + bug 29601; bugfix on 0.3.5.4-alpha. + + o Documentation (backport from 0.4.2.1-alpha): + - Use RFC 2397 data URL scheme to embed an image into tor-exit- + notice.html so that operators no longer have to host it + themselves. Closes ticket 31089. + + o Testing (backport from 0.4.1.2-alpha): + - Specify torrc paths (with empty files) when launching tor in + integration tests; refrain from reading user and system torrcs. + Resolves issue 29702. + + o Testing (continuous integration, backport from 0.4.1.1-alpha): + - In Travis, show stem's tor log after failure. Closes ticket 30234. + + o Testing (continuous integration, backport from 0.4.1.5): + - In Travis, make stem log a controller trace to the console, and + tail stem's tor log after failure. Closes ticket 30591. + - In Travis, only run the stem tests that use a tor binary. Closes + ticket 30694. + + o Testing (continuous integration, backport from 0.4.2.3-alpha): + - Disable all but one Travis CI macOS build, to mitigate slow + scheduling of Travis macOS jobs. Closes ticket 32177. + - Run the chutney IPv6 networks as part of Travis CI. Closes + ticket 30860. + - Simplify the Travis CI build matrix, and optimise for build time. + Closes ticket 31859. + - Use Windows Server 2019 instead of Windows Server 2016 in our + Appveyor builds. Closes ticket 32086. + + o Testing (continuous integration, backport from 0.4.2.4-rc): + - Use Ubuntu Bionic images for our Travis CI builds, so we can get a + recent version of coccinelle. But leave chutney on Ubuntu Trusty, + until we can fix some Bionic permissions issues (see ticket + 32240). Related to ticket 31919. + - Install the mingw OpenSSL package in Appveyor. This makes sure + that the OpenSSL headers and libraries match in Tor's Appveyor + builds. (This bug was triggered by an Appveyor image update.) 
+ Fixes bug 32449; bugfix on 0.3.5.6-rc. + - In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241. + + o Testing (continuous integration, backport from 0.4.2.5): + - Require C99 standards-conforming code in Travis CI, but allow GNU gcc + extensions. Also activates clang's -Wtypedef-redefinition warnings. + Build some jobs with -std=gnu99, and some jobs without. + Closes ticket 32500. + + +Changes in version 0.3.5.8 - 2019-02-21 + Tor 0.3.5.8 backports serveral fixes from later releases, including fixes + for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x + releases. + + It also includes a fix for a medium-severity security bug affecting Tor + 0.3.2.1-alpha and later. All Tor instances running an affected release + should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha. + + o Major bugfixes (cell scheduler, KIST, security): + - Make KIST consider the outbuf length when computing what it can + put in the outbuf. Previously, KIST acted as though the outbuf + were empty, which could lead to the outbuf becoming too full. It + is possible that an attacker could exploit this bug to cause a Tor + client or relay to run out of memory and crash. Fixes bug 29168; + bugfix on 0.3.2.1-alpha. This issue is also being tracked as + TROVE-2019-001 and CVE-2019-8955. + + o Major bugfixes (networking, backport from 0.4.0.2-alpha): + - Gracefully handle empty username/password fields in SOCKS5 + username/password auth messsage and allow SOCKS5 handshake to + continue. Previously, we had rejected these handshakes, breaking + certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha. + + o Minor features (compilation, backport from 0.4.0.2-alpha): + - Compile correctly when OpenSSL is built with engine support + disabled, or with deprecated APIs disabled. Closes ticket 29026. + Patches from "Mangix". + + o Minor features (geoip): + - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2 + Country database. Closes ticket 29478. 
+ + o Minor features (testing, backport from 0.4.0.2-alpha): + - Treat all unexpected ERR and BUG messages as test failures. Closes + ticket 28668. + + o Minor bugfixes (onion service v3, client, backport from 0.4.0.1-alpha): + - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS + connection waiting for a descriptor that we actually have in the + cache. It turns out that this can actually happen, though it is + rare. Now, tor will recover and retry the descriptor. Fixes bug + 28669; bugfix on 0.3.2.4-alpha. + + o Minor bugfixes (IPv6, backport from 0.4.0.1-alpha): + - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the + IPv6 socket was bound using an address family of AF_INET instead + of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from + Kris Katterjohn. + + o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha): + - Update Cargo.lock file to match the version made by the latest + version of Rust, so that "make distcheck" will pass again. Fixes + bug 29244; bugfix on 0.3.3.4-alpha. + + o Minor bugfixes (client, clock skew, backport from 0.4.0.1-alpha): + - Select guards even if the consensus has expired, as long as the + consensus is still reasonably live. Fixes bug 24661; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (compilation, backport from 0.4.0.1-alpha): + - Compile correctly on OpenBSD; previously, we were missing some + headers required in order to detect it properly. Fixes bug 28938; + bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. + + o Minor bugfixes (documentation, backport from 0.4.0.2-alpha): + - Describe the contents of the v3 onion service client authorization + files correctly: They hold public keys, not private keys. Fixes + bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix". 
+ + o Minor bugfixes (logging, backport from 0.4.0.1-alpha): + - Rework rep_hist_log_link_protocol_counts() to iterate through all + link protocol versions when logging incoming/outgoing connection + counts. Tor no longer skips version 5, and we won't have to + remember to update this function when new link protocol version is + developed. Fixes bug 28920; bugfix on 0.2.6.10. + + o Minor bugfixes (logging, backport from 0.4.0.2-alpha): + - Log more information at "warning" level when unable to read a + private key; log more information at "info" level when unable to + read a public key. We had warnings here before, but they were lost + during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (misc, backport from 0.4.0.2-alpha): + - The amount of total available physical memory is now determined + using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM) + when it is defined and a 64-bit variant is not available. Fixes + bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn. + + o Minor bugfixes (onion services, backport from 0.4.0.2-alpha): + - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more + than one private key for a hidden service. Fixes bug 29040; bugfix + on 0.3.5.1-alpha. + - In hs_cache_store_as_client() log an HSDesc we failed to parse at + "debug" level. Tor used to log it as a warning, which caused very + long log lines to appear for some users. Fixes bug 29135; bugfix + on 0.3.2.1-alpha. + - Stop logging "Tried to establish rendezvous on non-OR circuit..." + as a warning. Instead, log it as a protocol warning, because there + is nothing that relay operators can do to fix it. Fixes bug 29029; + bugfix on 0.2.5.7-rc. + + o Minor bugfixes (tests, directory clients, backport from 0.4.0.1-alpha): + - Mark outdated dirservers when Tor only has a reasonably live + consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha. 
+ + o Minor bugfixes (tests, backport from 0.4.0.2-alpha): + - Detect and suppress "bug" warnings from the util/time test on + Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha. + - Do not log an error-level message if we fail to find an IPv6 + network interface from the unit tests. Fixes bug 29160; bugfix + on 0.2.7.3-rc. + + o Minor bugfixes (usability, backport from 0.4.0.1-alpha): + - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate(). + Some users took this phrasing to mean that the mentioned guard was + under their control or responsibility, which it is not. Fixes bug + 28895; bugfix on Tor 0.3.0.1-alpha. + + +Changes in version 0.3.5.7 - 2019-01-07 + Tor 0.3.5.7 is the first stable release in its series; it includes + compilation and portability fixes, and a fix for a severe problem + affecting directory caches. + + The Tor 0.3.5 series includes several new features and performance + improvements, including client authorization for v3 onion services, + cleanups to bootstrap reporting, support for improved bandwidth- + measurement tools, experimental support for NSS in place of OpenSSL, + and much more. It also begins a full reorganization of Tor's code + layout, for improved modularity and maintainability in the future. + Finally, there is the usual set of performance improvements and + bugfixes that we try to do in every release series. + + There are a couple of changes in the 0.3.5 that may affect + compatibility. First, the default version for newly created onion + services is now v3. Use the HiddenServiceVersion option if you want to + override this. Second, some log messages related to bootstrapping have + changed; if you use stem, you may need to update to the latest version + so it will recognize them. + + We have designated 0.3.5 as a "long-term support" (LTS) series: we + will continue to patch major bugs in typical configurations of 0.3.5 + until at least 1 Feb 2022. 
(We do not plan to provide long-term + support for embedding, Rust support, NSS support, running a directory + authority, or unsupported platforms. For these, you will need to stick + with the latest stable release.) + + Below are the changes since 0.3.5.6-rc. For a complete list of changes + since 0.3.4.9, see the ReleaseNotes file. + + o Major bugfixes (relay, directory): + - Always reactivate linked connections in the main loop so long as + any linked connection has been active. Previously, connections + serving directory information wouldn't get reactivated after the + first chunk of data was sent (usually 32KB), which would prevent + clients from bootstrapping. Fixes bug 28912; bugfix on + 0.3.4.1-alpha. Patch by "cypherpunks3". + + o Minor features (compilation): + - When possible, place our warning flags in a separate file, to + avoid flooding verbose build logs. Closes ticket 28924. + + o Minor features (geoip): + - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2 + Country database. Closes ticket 29012. + + o Minor features (OpenSSL bug workaround): + - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3 + key export function from handling long labels. When this bug is + detected, Tor will disable TLS 1.3. We recommend upgrading to a + version of OpenSSL without this bug when it becomes available. + Closes ticket 28973. + + o Minor features (performance): + - Remove about 96% of the work from the function that we run at + startup to test our curve25519_basepoint implementation. Since + this function has yet to find an actual failure, we now only run + it for 8 iterations instead of 200. Based on our profile + information, this change should save around 8% of our startup time + on typical desktops, and may have a similar effect on other + platforms. Closes ticket 28838. + - Stop re-validating our hardcoded Diffie-Hellman parameters on + every startup. Doing this wasted time and cycles, especially on + low-powered devices. 
Closes ticket 28851. + + o Minor bugfixes (compilation): + - Fix compilation for Android by adding a missing header to + freespace.c. Fixes bug 28974; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (correctness): + - Fix an unreached code path where we checked the value of + "hostname" inside send_resolved_hostname_cell(). Previously, we + used it before checking it; now we check it first. Fixes bug + 28879; bugfix on 0.1.2.7-alpha. + + o Minor bugfixes (testing): + - Make sure that test_rebind.py actually obeys its timeout, even + when it receives a large number of log messages. Fixes bug 28883; + bugfix on 0.3.5.4-alpha. + - Stop running stem's unit tests as part of "make test-stem", but + continue to run stem's unit and online tests during "make test- + stem-full". Fixes bug 28568; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (windows services): + - Make Tor start correctly as an NT service again: previously it was + broken by refactoring. Fixes bug 28612; bugfix on 0.3.5.3-alpha. + + o Code simplification and refactoring: + - When parsing a port configuration, make it more obvious to static + analyzer tools that we always initialize the address. Closes + ticket 28881. + + +Changes in version 0.3.5.6-rc - 2018-12-18 + Tor 0.3.5.6-rc fixes numerous small bugs in earlier versions of Tor. + It is the first release candidate in the 0.3.5.x series; if no further + huge bugs are found, our next release may be the stable 0.3.5.x. + + o Minor features (continuous integration, Windows): + - Always show the configure and test logs, and upload them as build + artifacts, when building for Windows using Appveyor CI. + Implements 28459. + + o Minor features (fallback directory list): + - Replace the 150 fallbacks originally introduced in Tor + 0.3.3.1-alpha in January 2018 (of which ~115 were still + functional), with a list of 157 fallbacks (92 new, 65 existing, 85 + removed) generated in December 2018. Closes ticket 24803. 
+ + o Minor features (geoip): + - Update geoip and geoip6 to the December 5 2018 Maxmind GeoLite2 + Country database. Closes ticket 28744. + + o Minor bugfixes (compilation): + - Add missing dependency on libgdi32.dll for tor-print-ed-signing- + cert.exe on Windows. Fixes bug 28485; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (continuous integration, Windows): + - Explicitly specify the path to the OpenSSL library and do not + download OpenSSL from Pacman, but instead use the library that is + already provided by AppVeyor. Fixes bug 28574; bugfix on master. + + o Minor bugfixes (onion service v3): + - When deleting an ephemeral onion service (DEL_ONION), do not close + any rendezvous circuits in order to let the existing client + connections finish by themselves or closed by the application. The + HS v2 is doing that already so now we have the same behavior for + all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (restart-in-process, boostrap): + - Add missing resets of bootstrap tracking state when shutting down + (regression caused by ticket 27169). Fixes bug 28524; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (testing): + - Use a separate DataDirectory for the test_rebind script. + Previously, this script would run using the default DataDirectory, + and sometimes fail. Fixes bug 28562; bugfix on 0.3.5.1-alpha. + Patch from Taylor R Campbell. + - Stop leaking memory in an entry guard unit test. Fixes bug 28554; + bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (Windows): + - Correctly identify Windows 8.1, Windows 10, and Windows Server + 2008 and later from their NT versions. Fixes bug 28096; bugfix on + 0.2.2.34; reported by Keifer Bly. + - On recent Windows versions, the GetVersionEx() function may report + an earlier Windows version than the running OS. To avoid user + confusion, add "[or later]" to Tor's version string on affected + versions of Windows. Fixes bug 28096; bugfix on 0.2.2.34; reported + by Keifer Bly. 
+ - Remove Windows versions that were never supported by the + GetVersionEx() function. Stop duplicating the latest Windows + version in get_uname(). Fixes bug 28096; bugfix on 0.2.2.34; + reported by Keifer Bly. + + o Testing: + - Increase logging and tag all log entries with timestamps in + test_rebind.py. Provides diagnostics for issue 28229. + + o Code simplification and refactoring (shared random, dirauth): + - Change many tor_assert() to use BUG() instead. The idea is to not + crash a dirauth but rather scream loudly with a stacktrace and let + it continue run. The shared random subsystem is very resilient and + if anything wrong happens with it, at worst a non coherent value + will be put in the vote and discarded by the other authorities. + Closes ticket 19566. + + o Documentation (onion services): + - Document in the man page that changing ClientOnionAuthDir value or + adding a new file in the directory will not work at runtime upon + sending a HUP if Sandbox 1. Closes ticket 28128. + - Note in the man page that the only real way to fully revoke an + onion service v3 client authorization is by restarting the tor + process. Closes ticket 28275. + + +Changes in version 0.3.5.5-alpha - 2018-11-16 + Tor 0.3.5.5-alpha includes numerous bugfixes on earlier releases, + including several that we hope to backport to older release series in + the future. + + o Major bugfixes (OpenSSL, portability): + - Fix our usage of named groups when running as a TLS 1.3 client in + OpenSSL 1.1.1. Previously, we only initialized EC groups when + running as a relay, which caused clients to fail to negotiate TLS + 1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3 + support was added). + + o Minor features (geoip): + - Update geoip and geoip6 to the November 6 2018 Maxmind GeoLite2 + Country database. Closes ticket 28395. 
+ + o Minor bugfixes (compilation): + - Initialize a variable unconditionally in aes_new_cipher(), since + some compilers cannot tell that we always initialize it before + use. Fixes bug 28413; bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (connection, relay): + - Avoid a logging a BUG() stacktrace when closing connection held + open because the write side is rate limited but not the read side. + Now, the connection read side is simply shut down until Tor is + able to flush the connection and close it. Fixes bug 27750; bugfix + on 0.3.4.1-alpha. + + o Minor bugfixes (continuous integration, Windows): + - Manually configure the zstd compiler options, when building using + mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does + not come with a pkg-config file. Fixes bug 28454; bugfix + on 0.3.4.1-alpha. + - Stop using an external OpenSSL install, and stop installing MSYS2 + packages, when building using mingw on Appveyor Windows CI. Fixes + bug 28399; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (documentation): + - Make Doxygen work again after the code movement in the 0.3.5 + source tree. Fixes bug 28435; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (Linux seccomp2 sandbox): + - Permit the "shutdown()" system call, which is apparently used by + OpenSSL under some circumstances. Fixes bug 28183; bugfix + on 0.2.5.1-alpha. + + o Minor bugfixes (logging): + - Stop talking about the Named flag in log messages. Clients have + ignored the Named flag since 0.3.2. Fixes bug 28441; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (memory leaks): + - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419; + bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger. + + o Minor bugfixes (onion services): + - On an intro point for a version 3 onion service, stop closing + introduction circuits on an NACK. This lets the client decide + whether to reuse the circuit or discard it. Previously, we closed + intro circuits when sending NACKs. 
Fixes bug 27841; bugfix on + 0.3.2.1-alpha. Patch by Neel Chaunan. + - When replacing a descriptor in the client cache, make sure to + close all client introduction circuits for the old descriptor, so + we don't end up with unusable leftover circuits. Fixes bug 27471; + bugfix on 0.3.2.1-alpha. + + Changes in version 0.3.5.4-alpha - 2018-11-08 Tor 0.3.5.4-alpha includes numerous bugfixes on earlier versions and improves our continuous integration support. It continues our attempts diff --git a/ReleaseNotes b/ReleaseNotes index e0a25a74b7..5e46554c07 100644 --- a/ReleaseNotes +++ b/ReleaseNotes 
@@ -2,6 +2,1870 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.3.5.17 - 2021-10-26 + The major change in this version is that v2 onion services are now + disabled at the client, service, and relay: any Tor nodes running this + version and onward will stop supporting v2 onion services. This is the + last step in the long deprecation process of v2 onion services. + Everyone running an earlier version, whether as a client, a relay, or + an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, + or 0.4.6.8. + + o Major feature (onion service v2, backport from 0.4.5.11): + - See https://blog.torproject.org/v2-deprecation-timeline for + details on how to transition from v2 to v3. + - The control port commands HSFETCH and HSPOST no longer allow + version 2, and it is no longer possible to create a v2 service + with ADD_ONION. + - Tor no longer allows creating v2 services, or connecting as a + client to a v2 service. Relays will decline to be a v2 HSDir or + introduction point. This effectively disables onion service + version 2 Tor-wide. Closes ticket 40476. + + o Minor features (bridge, backport from 0.4.6.8): + - We now announce the URL to Tor's new bridge status at + https://bridges.torproject.org/ when Tor is configured to run as a + bridge relay. Closes ticket 30477. + + o Minor features (fallbackdir): + - Regenerate fallback directories for October 2021. Closes + ticket 40493. + + o Minor bugfixes (compatibility, backport from 0.4.6.8): + - Fix compatibility with the most recent Libevent versions, which no + longer have an evdns_set_random_bytes() function. Because this + function has been a no-op since Libevent 2.0.4-alpha, it is safe + for us to just stop calling it. Fixes bug 40371; bugfix + on 0.2.1.7-alpha. 
+ + +Changes in version 0.3.5.16 - 2021-08-16 + This version fixes several bugs from earlier versions of Tor, including one + that could lead to a denial-of-service attack. Everyone running an earlier + version, whether as a client, a relay, or an onion service, should upgrade + to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between our + batch-signature verification code and our single-signature verification + code. This assertion failure could be triggered remotely, leading to a + denial of service attack. We fix this issue by disabling batch + verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is + also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de + Valence. + + o Minor feature (fallbackdir): + - Regenerate fallback directories list. Close ticket 40447. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, + as retrieved on 2021/08/12. + + o Minor bugfix (crypto): + - Disable the unused batch verification feature of ed25519-donna. Fixes + bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence. + + o Minor bugfixes (relay, backport from 0.4.6.x): + - Reduce the compression level for data streaming from HIGH to LOW. Fixes + bug 40301; bugfix on 0.3.5.1-alpha. + + +Changes in version 0.3.5.15 - 2021-06-14 + Tor 0.3.5.15 fixes several security issues, including a + denial-of-service attack against onion service clients, and another + denial-of-service attack against relays. Everybody should upgrade to + one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. + + o Major bugfixes (security, backport from 0.4.6.5): + - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on + half-closed streams. Previously, clients failed to validate which + hop sent these cells: this would allow a relay on a circuit to end + a stream that wasn't actually built with it. 
Fixes bug 40389; + bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- + 003 and CVE-2021-34548. + + o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): + - Detect more failure conditions from the OpenSSL RNG code. + Previously, we would detect errors from a missing RNG + implementation, but not failures from the RNG code itself. + Fortunately, it appears those failures do not happen in practice + when Tor is using OpenSSL's default RNG implementation. Fixes bug + 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as + TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. + + o Major bugfixes (security, denial of service, backport from 0.4.6.5): + - Resist a hashtable-based CPU denial-of-service attack against + relays. Previously we used a naive unkeyed hash function to look + up circuits in a circuitmux object. An attacker could exploit this + to construct circuits with chosen circuit IDs, to create + collisions and make the hash table inefficient. Now we use a + SipHash construction here instead. Fixes bug 40391; bugfix on + 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and + CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. + - Fix an out-of-bounds memory access in v3 onion service descriptor + parsing. An attacker could exploit this bug by crafting an onion + service descriptor that would crash any client that tried to visit + it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also + tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei + Glazunov from Google's Project Zero. + + o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc): + - Fix an indentation problem that led to a warning from GCC 11.1.1. + Fixes bug 40380; bugfix on 0.3.0.1-alpha. + + o Minor features (compatibility, backport from 0.4.6.4-rc): + - Remove an assertion function related to TLS renegotiation. 
It was + used nowhere outside the unit tests, and it was breaking + compilation with recent alpha releases of OpenSSL 3.0.0. Closes + ticket 40399. + + o Minor features (fallback directory list, backport from 0.4.6.2-alpha): + - Regenerate the list of fallback directories to contain a new set + of 200 relays. Closes ticket 40265. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/06/10. + + +Changes in version 0.3.5.14 - 2021-03-16 + Tor 0.3.5.14 backports fixes for two important denial-of-service bugs + in earlier versions of Tor. + + One of these vulnerabilities (TROVE-2021-001) would allow an attacker + who can send directory data to a Tor instance to force that Tor + instance to consume huge amounts of CPU. This is easiest to exploit + against authorities, since anybody can upload to them, but directory + caches could also exploit this vulnerability against relays or clients + when they download. The other vulnerability (TROVE-2021-002) only + affects directory authorities, and would allow an attacker to remotely + crash the authority with an assertion failure. Patches have already + been provided to the authority operators, to help ensure + network stability. + + We recommend that everybody upgrade to one of the releases that fixes + these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available + to you. + + This release also updates our GeoIP data source, and fixes a + compatibility issue. + + o Major bugfixes (security, denial of service, backport from 0.4.5.7): + - Disable the dump_desc() function that we used to dump unparseable + information to disk. It was called incorrectly in several places, + in a way that could lead to excessive CPU usage. Fixes bug 40286; + bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- + 001 and CVE-2021-28089. 
+ - Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority. Fixes + bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 + and CVE-2021-28090. + + o Minor features (geoip data, backport from 0.4.5.7): + - We have switched geoip data sources. Previously we shipped IP-to- + country mappings from Maxmind's GeoLite2, but in 2019 they changed + their licensing terms, so we were unable to update them after that + point. We now ship geoip files based on the IPFire Location + Database instead. (See https://location.ipfire.org/ for more + information). This release updates our geoip files to match the + IPFire Location Database as retrieved on 2021/03/12. Closes + ticket 40224. + + o Removed features (mallinfo deprecated, backport from 0.4.5.7): + - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it. + Closes ticket 40309. + + +Changes in version 0.3.5.13 - 2020-02-03 + Tor 0.3.5.13 backports numerous bugfixes from later releases, + including one that made v3 onion services more susceptible to + denial-of-service attacks, and a feature that makes some kinds of + DoS attacks harder to perform. + + o Major bugfixes (onion service v3, backport from 0.4.5.3-rc): + - Stop requiring a live consensus for v3 clients and services, and + allow a "reasonably live" consensus instead. This allows v3 onion + services to work even if the authorities fail to generate a + consensus for more than 2 hours in a row. Fixes bug 40237; bugfix + on 0.3.5.1-alpha. + + o Major bugfixes (stats, onion services, backport from 0.4.4.5): + - Fix a bug where we were undercounting the Tor network's total + onion service traffic, by ignoring any traffic originating from + clients. Now we count traffic from both clients and services. + Fixes bug 40117; bugfix on 0.2.6.2-alpha. 
+ + o Major feature (exit, backport from 0.4.5.5-rc): + - Re-entry into the network is now denied at the Exit level to all + relays' ORPorts and authorities' ORPorts and DirPorts. This change + should help mitgate a set of denial-of-service attacks. Closes + ticket 2667. + + o Minor feature (build system, backport from 0.4.5.4-rc): + - New "make lsp" command to generate the compile_commands.json file + used by the ccls language server. The "bear" program is needed for + this. Closes ticket 40227. + + o Minor features (compilation, backport from 0.4.5.2-rc): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or + later. There are a number of APIs newly deprecated in OpenSSL + 3.0.0 that Tor still requires. (A later version of Tor will try to + stop depending on these APIs.) Closes ticket 40165. + + o Minor features (crypto, backport from 0.4.5.3-rc): + - Fix undefined behavior on our Keccak library. The bug only + appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) + and would result in wrong digests. Fixes bug 40210; bugfix on + 0.2.8.1-alpha. Thanks to Bernhard Ãœbelacker, Arnd Bergmann and + weasel for diagnosing this. + + o Minor bugfixes (compatibility, backport from 0.4.5.1-rc): + - Strip '\r' characters when reading text files on Unix platforms. + This should resolve an issue where a relay operator migrates a + relay from Windows to Unix, but does not change the line ending of + Tor's various state files to match the platform, and the CRLF line + endings from Windows end up leaking into other files such as the + extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5. + + o Minor bugfixes (compilation, backport from 0.4.5.1-rc): + - Resolve a compilation warning that could occur in + test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha. 
+ + o Minor bugfixes (compilation, backport from 0.4.5.3-rc): + - Fix a compilation warning about unreachable fallthrough + annotations when building with "--enable-all-bugs-are-fatal" on + some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha. + + o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc): + - Handle partial SOCKS5 messages correctly. Previously, our code + would send an incorrect error message if it got a SOCKS5 request + that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, backport from 0.4.5.2-alpha): + - Fix our Python reference-implementation for the v3 onion service + handshake so that it works correctly with the version of hashlib + provided by Python 3.9. Fixes part of bug 40179; bugfix + on 0.3.1.6-rc. + - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL + 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha. + + +Changes in version 0.3.5.12 - 2020-11-12 + Tor 0.4.3.7 backports several bugfixes from later releases. It + includes a fix for TROVE-2020-005, a security issue that could be + used, under certain cases, by an adversary to observe traffic patterns + on a limited number of circuits intended for a different relay. + + o Major features (fallback directory list, backport form 0.4.4.3-alpha): + - Replace the 148 fallback directories originally included in Tor + 0.4.1.4-rc (of which around 105 are still functional) with a list + of 144 fallbacks generated in July 2020. Closes ticket 40061. + + o Major bugfixes (security, backport from 0.4.5.1-alpha): + - When completing a channel, relays now check more thoroughly to + make sure that it matches any pending circuits before attaching + those circuits. Previously, address correctness and Ed25519 + identities were not checked in this case, but only when extending + circuits on an existing channel. Fixes bug 40080; bugfix on + 0.2.7.2-alpha. Resolves TROVE-2020-005. 
+ + o Major bugfixes (NSS, backport from 0.4.4.3-alpha): + - When running with NSS enabled, make sure that NSS knows to expect + nonblocking sockets. Previously, we set our TCP sockets as + nonblocking, but did not tell NSS, which in turn could lead to + unexpected blocking behavior. Fixes bug 40035; bugfix + on 0.3.5.1-alpha. + + o Minor features (security, backport from 0.4.4.4-rc): + - Channels using obsolete versions of the Tor link protocol are no + longer allowed to circumvent address-canonicity checks. (This is + only a minor issue, since such channels have no way to set ed25519 + keys, and therefore should always be rejected for circuits that + specify ed25519 identities.) Closes ticket 40081. + + o Minor features (debugging, directory system): + - Don't crash when we find a non-guard with a guard-fraction value + set. Instead, log a bug warning, in an attempt to figure out how + this happened. Diagnostic for ticket 32868. + + o Minor features (subprotocol versions, backport from 0.4.5.1-alpha): + - Tor no longer allows subprotocol versions larger than 63. + Previously version numbers up to UINT32_MAX were allowed, which + significantly complicated our code. Implements proposal 318; + closes ticket 40133. + + o Minor features (tests, backport from 0.4.4.5): + - Our "make check" target now runs the unit tests in 8 parallel + chunks. Doing this speeds up hardened CI builds by more than a + factor of two. Closes ticket 40098. + + o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha): + - Fix a rendezvous cache unit test that was triggering an underflow + on the global rend cache allocation. Fixes bug 40125; bugfix + on 0.2.8.1-alpha. + - Fix another rendezvous cache unit test that was triggering an + underflow on the global rend cache allocation. Fixes bug 40126; + bugfix on 0.2.8.1-alpha. 
+ + o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc): + - Fix a correctness bug that could cause an assertion failure if we + ever tried using the buf_move_all() function with an empty input + buffer. As far as we know, no released versions of Tor do this. + Fixes bug 40076; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.5.1-alpha): + - Remove a debug logging statement that uselessly spammed the logs. + Fixes bug 40135; bugfix on 0.3.5.0-alpha. + + o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc): + - On a bridge, treat all connections from an ExtORPort as remote by + default for the purposes of rate-limiting. Previously, bridges + would treat the connection as local unless they explicitly + received a "USERADDR" command. ExtORPort connections still count + as local if there is a USERADDR command with an explicit local + address. Fixes bug 33747; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha): + - Avoid a fatal assert() when failing to create a listener + connection for an address that was in use. Fixes bug 40073; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha): + - Adjust the rules for when to warn about having too many + connections to other relays. Previously we'd tolerate up to 1.5 + connections per relay on average. Now we tolerate more connections + for directory authorities, and raise the number of total + connections we need to see before we warn. Fixes bug 33880; bugfix + on 0.3.1.1-alpha. + + o Minor bugfixes (relays, backport from 0.4.4.1-alpha): + - Stop advertising incorrect IPv6 ORPorts in relay and bridge + descriptors, when the IPv6 port was configured as "auto". Fixes + bug 32588; bugfix on 0.2.3.9-alpha. + + o Minor bugfixes (tests, 0.4.4.5): + - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run + on its own. 
Previously, it would exit with an error. Fixes bug + 40099; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (windows, backport from 0.4.4.4-rc): + - Fix a bug that prevented Tor from starting if its log file grew + above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha. + + o Deprecated features (onion service v2, backport form 0.4.4.2-alpha): + - Add a deprecation warning for version 2 onion services. Closes + ticket 40003. + + +Changes in version 0.3.5.11 - 2020-07-09 + Tor 0.3.5.11 backports fixes from later tor releases, including several + usability, portability, and reliability fixes. + + This release also fixes TROVE-2020-001, a medium-severity denial of + service vulnerability affecting all versions of Tor when compiled with + the NSS encryption library. (This is not the default configuration.) + Using this vulnerability, an attacker could cause an affected Tor + instance to crash remotely. This issue is also tracked as CVE-2020- + 15572. Anybody running a version of Tor built with the NSS library + should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha + or later. + + o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha): + - Fix a crash due to an out-of-bound memory access when Tor is + compiled with NSS support. Fixes bug 33119; bugfix on + 0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001 + and CVE-2020-15572. + + o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc): + - Fix a bug that was preventing DoS defenses from running on bridges + with a pluggable transport. Previously, the DoS subsystem was not + given the transport name of the client connection, thus failed to + find the GeoIP cache entry for that client address. Fixes bug + 33491; bugfix on 0.3.3.2-alpha. + + o Minor features (testing, backport from 0.4.3.4-rc): + - The unit tests now support a "TOR_SKIP_TESTCASES" environment + variable to specify a list of space-separated test cases that + should not be executed. 
We will use this to disable certain tests + that are failing on Appveyor because of mismatched OpenSSL + libraries. Part of ticket 33643. + + o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha): + - Use the correct 64-bit printf format when compiling with MINGW on + Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha. + + o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha): + - Warn if the ContactInfo field is not set, and tell the relay + operator that not having a ContactInfo field set might cause their + relay to get rejected in the future. Fixes bug 33361; bugfix + on 0.1.1.10-alpha. + + o Minor bugfixes (client performance, backport from 0.4.4.1-alpha): + - Resume use of preemptively-built circuits when UseEntryGuards is set + to 0. We accidentally disabled this feature with that config + setting, leading to slower load times. Fixes bug 34303; bugfix + on 0.3.3.2-alpha. + + o Minor bugfixes (compiler compatibility, backport from 0.4.3.5): + - Avoid compiler warnings from Clang 10 related to the use of GCC- + style "/* falls through */" comments. Both Clang and GCC allow + __attribute__((fallthrough)) instead, so that's what we're using + now. Fixes bug 34078; bugfix on 0.3.1.3-alpha. + + o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha): + - Fix a compiler warning on platforms with 32-bit time_t values. + Fixes bug 40028; bugfix on 0.3.2.8-rc. + + o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha): + - When starting Tor any time after the first time in a process, + register the thread in which it is running as the main thread. + Previously, we only did this on Windows, which could lead to bugs + like 23081 on non-Windows platforms. Fixes bug 32884; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (key portability, backport from 0.4.3.4-rc): + - When reading PEM-encoded key data, tolerate CRLF line-endings even + if we are not running on Windows. 
Previously, non-Windows hosts + would reject these line-endings in certain positions, making + certain key files hard to move from one host to another. Fixes bug + 33032; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.4.2-alpha): + - Downgrade a noisy log message that could occur naturally when + receiving an extrainfo document that we no longer want. Fixes bug + 16016; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha): + - Remove a BUG() warning that would cause a stack trace if an onion + service descriptor was freed while we were waiting for a + rendezvous circuit to complete. Fixes bug 28992; bugfix + on 0.3.2.1-alpha. + + o Testing (CI, backport from 0.4.3.4-rc): + - In our Appveyor Windows CI, copy required DLLs to test and app + directories, before running tor's tests. This ensures that tor.exe + and test*.exe use the correct version of each DLL. This fix is not + required, but we hope it will avoid DLL search issues in future. + Fixes bug 33673; bugfix on 0.3.4.2-alpha. + - On Appveyor, skip the crypto/openssl_version test, which is + failing because of a mismatched library installation. Fix + for 33643. + + +Changes in version 0.3.5.10 - 2020-03-18 + Tor 0.3.5.10 backports many fixes from later Tor releases, including a + fix for TROVE-2020-002, a major denial-of-service vulnerability that + affected all released Tor instances since 0.2.1.5-alpha. Using this + vulnerability, an attacker could cause Tor instances to consume a huge + amount of CPU, disrupting their operations for several seconds or + minutes. This attack could be launched by anybody against a relay, or + by a directory cache against any client that had connected to it. The + attacker could launch this attack as much as they wanted, thereby + disrupting service or creating patterns that could aid in traffic + analysis. This issue was found by OSS-Fuzz, and is also tracked + as CVE-2020-10592. 
+ + We do not have reason to believe that this attack is currently being + exploited in the wild, but nonetheless we advise everyone to upgrade + as soon as packages are available. + + o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha): + - Fix a denial-of-service bug that could be used by anyone to + consume a bunch of CPU on any Tor relay or authority, or by + directories to consume a bunch of CPU on clients or hidden + services. Because of the potential for CPU consumption to + introduce observable timing patterns, we are treating this as a + high-severity security issue. Fixes bug 33119; bugfix on + 0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue + as TROVE-2020-002 and CVE-2020-10592. + + o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha): + - Correct how we use libseccomp. Particularly, stop assuming that + rules are applied in a particular order or that more rules are + processed after the first match. Neither is the case! In + libseccomp <2.4.0 this lead to some rules having no effect. + libseccomp 2.4.0 changed how rules are generated, leading to a + different ordering, which in turn led to a fatal crash during + startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by + Peter Gerber. + + o Minor features (continuous integration, backport from 0.4.3.2-alpha): + - Stop allowing failures on the Travis CI stem tests job. It looks + like all the stem hangs we were seeing before are now fixed. + Closes ticket 33075. + + o Minor bugfixes (bridges, backport from 0.4.3.1-alpha): + - Lowercase the configured value of BridgeDistribution before adding + it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha. + + o Minor bugfixes (crash, backport from 0.4.2.4-rc): + - When running Tor with an option like --verify-config or + --dump-config that does not start the event loop, avoid crashing + if we try to exit early because of an error. Fixes bug 32407; + bugfix on 0.3.3.1-alpha. 
+ + o Minor bugfixes (logging, backport from 0.4.3.2-alpha): + - If we encounter a bug when flushing a buffer to a TLS connection, + only log the bug once per invocation of the Tor process. + Previously we would log with every occurrence, which could cause + us to run out of disk space. Fixes bug 33093; bugfix + on 0.3.2.2-alpha. + + o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha): + - Fix an assertion failure that could result from a corrupted + ADD_ONION control port command. Found by Saibato. Fixes bug 33137; + bugfix on 0.3.3.1-alpha. This issue is also tracked + as TROVE-2020-003. + + o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha): + - Fix a syntax warning given by newer versions of Rust that was + creating problems for our continuous integration. Fixes bug 33212; + bugfix on 0.3.5.1-alpha. + + o Testing (backport from 0.4.3.1-alpha): + - Re-enable the Travis CI macOS Chutney build, but don't let it + prevent the Travis job from finishing. (The Travis macOS jobs are + slow, so we don't want to have it delay the whole CI process.) + Closes ticket 32629. + - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on + Ubuntu Bionic. Turning off the Sandbox is a work-around, until we + fix the sandbox errors in 32722. Closes ticket 32240. + + o Testing (continuous integration, backport from 0.4.3.1-alpha): + - Use zstd in our Travis Linux builds. Closes ticket 32242. + + o Testing (Travis CI, backport from 0.4.3.3-alpha): + - Remove a redundant distcheck job. Closes ticket 33194. + - Sort the Travis jobs in order of speed: putting the slowest jobs + first takes full advantage of Travis job concurrency. Closes + ticket 33194. + - Stop allowing the Chutney IPv6 Travis job to fail. This job was + previously configured to fast_finish (which requires + - When a Travis chutney job fails, use chutney's new "diagnostics.sh" + tool to produce detailed diagnostic output. Closes ticket 32792. 
+ + +Changes in version 0.3.5.9 - 2019-12-09 + Tor 0.3.5.9 backports serveral fixes from later releases, including + several that affect bridge users, relay stability, onion services, + and much more. + + o Directory authority changes (backport from 0.4.1.5): + - The directory authority "dizum" has a new IP address. Closes + ticket 31406. + + o Major bugfixes (bridges, backport from 0.4.1.2-alpha): + - Consider our directory information to have changed when our list + of bridges changes. Previously, Tor would not re-compute the + status of its directory information when bridges changed, and + therefore would not realize that it was no longer able to build + circuits. Fixes part of bug 29875. + - Do not count previously configured working bridges towards our + total of working bridges. Previously, when Tor's list of bridges + changed, it would think that the old bridges were still usable, + and delay fetching router descriptors for the new ones. Fixes part + of bug 29875; bugfix on 0.3.0.1-alpha. + + o Major bugfixes (circuit build, guard, backport from 0.4.1.4-rc): + - When considering upgrading circuits from "waiting for guard" to + "open", always ignore circuits that are marked for close. Otherwise, + we can end up in the situation where a subsystem is notified that + a closing circuit has just opened, leading to undesirable + behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha. + + o Major bugfixes (NSS, relay, backport from 0.4.0.4-rc): + - When running with NSS, disable TLS 1.2 ciphersuites that use + SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for + these ciphersuites don't work -- which caused relays to fail to + handshake with one another when these ciphersuites were enabled. + Fixes bug 29241; bugfix on 0.3.5.1-alpha. 
+ + o Major bugfixes (Onion service reachability, backport from 0.4.1.3-alpha): + - Properly clean up the introduction point map when circuits change + purpose from onion service circuits to pathbias, measurement, or + other circuit types. This should fix some service-side instances + of introduction point failure. Fixes bug 29034; bugfix + on 0.3.2.1-alpha. + + o Major bugfixes (onion service v3, backport from 0.4.1.1-alpha): + - Fix an unreachable bug in which an introduction point could try to + send an INTRODUCE_ACK with a status code that Trunnel would refuse + to encode, leading the relay to assert(). We've consolidated the + ABI values into Trunnel now. Fixes bug 30454; bugfix + on 0.3.0.1-alpha. + - Clients can now handle unknown status codes from INTRODUCE_ACK + cells. (The NACK behavior will stay the same.) This will allow us + to extend status codes in the future without breaking the normal + client behavior. Fixes another part of bug 30454; bugfix + on 0.3.0.1-alpha. + + o Major bugfixes (torrc parsing, backport from 0.4.2.2-alpha): + - Stop ignoring torrc options after an %include directive, when the + included directory ends with a file that does not contain any + config options (but does contain comments or whitespace). Fixes + bug 31408; bugfix on 0.3.1.1-alpha. + + o Major bugfixes (v3 onion services, backport from 0.4.2.3-alpha): + - Onion services now always use the exact number of intro points + configured with the HiddenServiceNumIntroductionPoints option (or + fewer if nodes are excluded). Before, a service could sometimes + pick more intro points than configured. Fixes bug 31548; bugfix + on 0.3.2.1-alpha. + + o Minor features (address selection, backport from 0.4.0.3-alpha): + - Treat the subnet 100.64.0.0/10 as public for some purposes; + private for others. This subnet is the RFC 6598 (Carrier Grade + NAT) IP range, and is deployed by many ISPs as an alternative to + RFC 1918 that does not break existing internal networks. 
Tor now + blocks SOCKS and control ports on these addresses and warns users + if client ports or ExtORPorts are listening on a RFC 6598 address. + Closes ticket 28525. Patch by Neel Chauhan. + + o Minor features (bandwidth authority, backport from 0.4.0.4-rc): + - Make bandwidth authorities ignore relays that are reported in the + bandwidth file with the flag "vote=0". This change allows us to + report unmeasured relays for diagnostic reasons without including + their bandwidth in the bandwidth authorities' vote. Closes + ticket 29806. + + o Minor features (compile-time modules, backport from version 0.4.1.1-alpha): + - Add a "--list-modules" command to print a list of which compile- + time modules are enabled. Closes ticket 30452. + + o Minor features (continuous integration, backport from 0.4.0.4-rc): + - On Travis Rust builds, cleanup Rust registry and refrain from + caching the "target/" directory to speed up builds. Resolves + issue 29962. + + o Minor features (continuous integration, backport from 0.4.0.5): + - In Travis, tell timelimit to use stem's backtrace signals, and + launch python directly from timelimit, so python receives the + signals from timelimit, rather than make. Closes ticket 30117. + + o Minor features (continuous integration, backport from 0.4.1.1-alpha): + - Remove sudo configuration lines from .travis.yml as they are no + longer needed with current Travis build environment. Resolves + issue 30213. + + o Minor features (continuous integration, backport from 0.4.1.4-rc): + - Our Travis configuration now uses Chutney to run some network + integration tests automatically. Closes ticket 29280. + + o Minor features (continuous integration, backport from 0.4.2.2-alpha): + - When building on Appveyor and Travis, pass the "-k" flag to make, + so that we are informed of all compilation failures, not just the + first one or two. Closes ticket 31372. 
+ + o Minor features (fallback directory list, backport from 0.4.1.4-rc): + - Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc + in December 2018 (of which ~122 were still functional), with a + list of 148 fallbacks (70 new, 78 existing, 79 removed) generated + in June 2019. Closes ticket 28795. + + o Minor features (geoip, backport from 0.4.2.5): + - Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2 + Country database. Closes ticket 32685. + + o Minor features (NSS, diagnostic, backport from 0.4.0.4-rc): + - Try to log an error from NSS (if there is any) and a more useful + description of our situation if we are using NSS and a call to + SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241. + + o Minor features (stem tests, backport from 0.4.2.1-alpha): + - Change "make test-stem" so it only runs the stem tests that use + tor. This change makes test-stem faster and more reliable. Closes + ticket 31554. + + o Minor bugfixes (security, backport from 0.4.0.4-rc): + - Verify in more places that we are not about to create a buffer + with more than INT_MAX bytes, to avoid possible OOB access in the + event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and + fixed by Tobias Stoeckmann. + - Fix a potential double free bug when reading huge bandwidth files. + The issue is not exploitable in the current Tor network because + the vulnerable code is only reached when directory authorities + read bandwidth files, but bandwidth files come from a trusted + source (usually the authorities themselves). Furthermore, the + issue is only exploitable in rare (non-POSIX) 32-bit architectures, + which are not used by any of the current authorities. Fixes bug + 30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by + Tobias Stoeckmann. + + o Minor bugfix (continuous integration, backport from 0.4.0.4-rc): + - Reset coverage state on disk after Travis CI has finished. 
This + should prevent future coverage merge errors from causing the test + suite for the "process" subsystem to fail. The process subsystem + was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix + on 0.2.9.15. + - Terminate test-stem if it takes more than 9.5 minutes to run. + (Travis terminates the job after 10 minutes of no output.) + Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha. + + o Minor bugfixes (Appveyor CI, backport from 0.4.2.2-alpha): + - Avoid spurious errors when Appveyor CI fails before the install step. + Fixes bug 31884; bugfix on 0.3.4.2-alpha. + + o Minor bugfixes (build system, backport form 0.4.2.1-alpha): + - Do not include the deprecated <sys/sysctl.h> on Linux or Windows + systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha. + + o Minor bugfixes (C correctness, backport from 0.4.0.4-rc): + - Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug + 29824; bugfix on 0.3.1.1-alpha. This is Coverity warning + CID 1444119. + + o Minor bugfixes (circuit isolation, backport from 0.4.1.3-alpha): + - Fix a logic error that prevented the SessionGroup sub-option from + being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha. + + o Minor bugfixes (client, onion service v3, backport from 0.4.2.4-rc): + - Fix a BUG() assertion that occurs within a very small race window + between when a client intro circuit opens and when its descriptor + gets cleaned up from the cache. The circuit is now closed early, + which will trigger a re-fetch of the descriptor and continue the + connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (clock skew detection, backport from 0.4.1.5): + - Don't believe clock skew results from NETINFO cells that appear to + arrive before we sent the VERSIONS cells they are responding to. + Previously, we would accept them up to 3 minutes "in the past". + Fixes bug 31343; bugfix on 0.2.4.4-alpha. 
+ + o Minor bugfixes (compilation warning, backport from 0.4.1.5): + - Fix a compilation warning on Windows about casting a function + pointer for GetTickCount64(). Fixes bug 31374; bugfix + on 0.2.9.1-alpha. + + o Minor bugfixes (compilation, backport from 0.4.0.2-alpha): + - Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug + 29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn. + + o Minor bugfixes (compilation, backport from 0.4.1.5): + - Avoid using labs() on time_t, which can cause compilation warnings + on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha. + + o Minor bugfixes (compilation, backport from 0.4.2.1-alpha): + - Suppress spurious float-conversion warnings from GCC when calling + floating-point classifier functions on FreeBSD. Fixes part of bug + 31687; bugfix on 0.3.1.5-alpha. + + o Minor bugfixes (compilation, unusual configurations, backport from 0.4.1.1-alpha): + - Avoid failures when building with the ALL_BUGS_ARE_FATAL option + due to missing declarations of abort(), and prevent other such + failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (configuration, proxies, backport from 0.4.1.2-alpha): + - Fix a bug that prevented us from supporting SOCKS5 proxies that + want authentication along with configured (but unused!) + ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha. + + o Minor bugfixes (connections, backport from 0.4.2.3-rc): + - Avoid trying to read data from closed connections, which can cause + needless loops in Libevent and infinite loops in Shadow. Fixes bug + 30344; bugfix on 0.1.1.1-alpha. + + o Minor bugfixes (continuous integration, backport from 0.4.1.3-alpha): + - Allow the test-stem job to fail in Travis, because it sometimes + hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha. + - Skip test_rebind on macOS in Travis, because it is unreliable on + macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha. 
+ - Skip test_rebind when the TOR_SKIP_TEST_REBIND environment + variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (crash on exit, backport from 0.4.1.4-rc): + - Avoid a set of possible code paths that could try to use freed + memory in routerlist_free() while Tor was exiting. Fixes bug + 31003; bugfix on 0.1.2.2-alpha. + + o Minor bugfixes (directory authorities, backport from 0.4.1.3-alpha): + - Stop crashing after parsing an unknown descriptor purpose + annotation. We think this bug can only be triggered by modifying a + local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha. + + o Minor bugfixes (directory authority, backport from 0.4.1.2-alpha): + - Move the "bandwidth-file-headers" line in directory authority + votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (error handling, backport from 0.4.2.1-alpha): + - On abort, try harder to flush the output buffers of log messages. + On some platforms (macOS), log messages could be discarded when + the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha. + - Report the tor version whenever an assertion fails. Previously, we + only reported the Tor version on some crashes, and some non-fatal + assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (FreeBSD, PF-based proxy, IPv6, backport from 0.4.2.1-alpha): + - When extracting an IPv6 address from a PF-based proxy, verify that + we are actually configured to receive an IPv6 address, and log an + internal error if not. Fixes part of bug 31687; bugfix + on 0.2.3.4-alpha. + + o Minor bugfixes (guards, backport from 0.4.2.1-alpha): + - When tor is missing descriptors for some primary entry guards, + make the log message less alarming. It's normal for descriptors to + expire, as long as tor fetches new ones soon after. Fixes bug + 31657; bugfix on 0.3.3.1-alpha. 
+ + o Minor bugfixes (logging, backport from 0.4.0.2-alpha): + - Avoid logging that we are relaxing a circuit timeout when that + timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (logging, backport from 0.4.0.3-alpha): + - Correct a misleading error message when IPv4Only or IPv6Only is + used but the resolved address can not be interpreted as an address + of the specified IP version. Fixes bug 13221; bugfix on + 0.2.3.9-alpha. Patch from Kris Katterjohn. + - Log the correct port number for listening sockets when "auto" is + used to let Tor pick the port number. Previously, port 0 was + logged instead of the actual port number. Fixes bug 29144; bugfix + on 0.3.5.1-alpha. Patch from Kris Katterjohn. + - Stop logging a BUG() warning when Tor is waiting for exit + descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.1.1-alpha): + - Do not log a warning when running with an OpenSSL version other + than the one Tor was compiled with, if the two versions should be + compatible. Previously, we would warn whenever the version was + different. Fixes bug 30190; bugfix on 0.2.4.2-alpha. + + o Minor bugfixes (logging, backport from 0.4.2.1-alpha): + - Change log level of message "Hash of session info was not as + expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix + on 0.1.1.10-alpha. + + o Minor bugfixes (logging, backport from 0.4.2.2-alpha): + - Rate-limit our the logging message about the obsolete .exit + notation. Previously, there was no limit on this warning, which + could potentially be triggered many times by a hostile website. + Fixes bug 31466; bugfix on 0.2.2.1-alpha. + + o Minor bugfixes (logging, protocol violations, backport from 0.4.2.2-alpha): + - Do not log a nonfatal assertion failure when receiving a VERSIONS + cell on a connection using the obsolete v1 link protocol. Log a + protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha. 
+ + o Minor bugfixes (mainloop, periodic events, in-process API, backport from 0.4.2.3-alpha): + - Reset the periodic events' "enabled" flag when Tor is shut down + cleanly. Previously, this flag was left on, which caused periodic + events not to be re-enabled when Tor was relaunched in-process + with tor_api.h after a shutdown. Fixes bug 32058; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (memory leak, backport from 0.4.1.1-alpha): + - Avoid a minor memory leak that could occur on relays when failing + to create a "keys" directory. Fixes bug 30148; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (memory leak, backport from 0.4.1.4-rc): + - Fix a trivial memory leak when parsing an invalid value + from a download schedule in the configuration. Fixes bug + 30894; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (memory management, backport from 0.4.0.3-alpha): + - Refactor the shared random state's memory management so that it + actually takes ownership of the shared random value pointers. + Fixes bug 29706; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (memory management, testing, backport from 0.4.0.3-alpha): + - Stop leaking parts of the shared random state in the shared-random + unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (onion services, backport from 0.4.1.1-alpha): + - Avoid a GCC 9.1.1 warning (and possible crash depending on libc + implemenation) when failing to load an onion service client + authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (out-of-memory handler, backport from 0.4.1.2-alpha): + - When purging the DNS cache because of an out-of-memory condition, + try purging just the older entries at first. Previously, we would + always purge the whole thing. Fixes bug 29617; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (portability, backport from 0.4.1.2-alpha): + - Avoid crashing in our tor_vasprintf() implementation on systems + that define neither vasprintf() nor _vscprintf(). 
(This bug has + been here long enough that we question whether people are running + Tor on such systems, but we're applying the fix out of caution.) + Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by + Tobias Stoeckmann. + + o Minor bugfixes (relay, backport from 0.4.2.2-alpha): + - Avoid crashing when starting with a corrupt keys directory where + the old ntor key and the new ntor key are identical. Fixes bug + 30916; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (rust, backport from 0.4.0.5): + - Abort on panic in all build profiles, instead of potentially + unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (rust, backport from 0.4.2.1-alpha): + - Correctly exclude a redundant rust build job in Travis. Fixes bug + 31463; bugfix on 0.3.5.4-alpha. + + o Minor bugfixes (single onion services, backport from 0.4.0.3-alpha): + - Allow connections to single onion services to remain idle without + being disconnected. Previously, relays acting as rendezvous points + for single onion services were mistakenly closing idle rendezvous + circuits after 60 seconds, thinking that they were unused + directory-fetching circuits that had served their purpose. Fixes + bug 29665; bugfix on 0.2.1.26. + + o Minor bugfixes (stats, backport from 0.4.0.3-alpha): + - When ExtraInfoStatistics is 0, stop including PaddingStatistics in + relay and bridge extra-info documents. Fixes bug 29017; bugfix + on 0.3.1.1-alpha. + + o Minor bugfixes (testing, backport from 0.4.0.3-alpha): + - Downgrade some LOG_ERR messages in the address/* tests to + warnings. The LOG_ERR messages were occurring when we had no + configured network. We were failing the unit tests, because we + backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug + 29530; bugfix on 0.3.5.8. + - Fix our gcov wrapper script to look for object files at the + correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha. 
+ + o Minor bugfixes (testing, backport from 0.4.0.4-rc): + - Backport the 0.3.4 src/test/test-network.sh to 0.2.9. We need a + recent test-network.sh to use new chutney features in CI. Fixes + bug 29703; bugfix on 0.2.9.1-alpha. + - Fix a test failure on Windows caused by an unexpected "BUG" + warning in our tests for tor_gmtime_r(-1). Fixes bug 29922; bugfix + on 0.2.9.3-alpha. + + o Minor bugfixes (testing, backport from 0.4.2.3-alpha): + - When testing port rebinding, don't busy-wait for tor to log. + Instead, actually sleep for a short time before polling again. + Also improve the formatting of control commands and log messages. + Fixes bug 31837; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (TLS protocol, backport form 0.4.0.4-rc): + - When classifying a client's selection of TLS ciphers, if the + client ciphers are not yet available, do not cache the result. + Previously, we had cached the unavailability of the cipher list + and never looked again, which in turn led us to assume that the + client only supported the ancient V1 link protocol. This, in turn, + was causing Stem integration tests to stall in some cases. Fixes + bug 30021; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (tls, logging, backport from 0.4.2.3-alpha): + - Log bugs about the TLS read buffer's length only once, rather than + filling the logs with similar warnings. Fixes bug 31939; bugfix + on 0.3.0.4-rc. + + o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha): + - Always retry v2 single onion service intro and rend circuits with + a 3-hop path. Previously, v2 single onion services used a 3-hop + path when rendezvous circuits were retried after a remote or + delayed failure, but a 1-hop path for immediate retries. Fixes bug + 23818; bugfix on 0.2.9.3-alpha. + - Make v3 single onion services fall back to a 3-hop intro, when all + intro points are unreachable via a 1-hop path. 
Previously, v3 + single onion services failed when all intro nodes were unreachable + via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (Windows, CI, backport from 0.4.0.3-alpha): + - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit + Windows Server 2012 R2 job. The remaining 2 jobs still provide + coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set + fast_finish, so failed jobs terminate the build immediately. Fixes + bug 29601; bugfix on 0.3.5.4-alpha. + + o Documentation (backport from 0.4.2.1-alpha): + - Use RFC 2397 data URL scheme to embed an image into tor-exit- + notice.html so that operators no longer have to host it + themselves. Closes ticket 31089. + + o Testing (backport from 0.4.1.2-alpha): + - Specify torrc paths (with empty files) when launching tor in + integration tests; refrain from reading user and system torrcs. + Resolves issue 29702. + + o Testing (continuous integration, backport from 0.4.1.1-alpha): + - In Travis, show stem's tor log after failure. Closes ticket 30234. + + o Testing (continuous integration, backport from 0.4.1.5): + - In Travis, make stem log a controller trace to the console, and + tail stem's tor log after failure. Closes ticket 30591. + - In Travis, only run the stem tests that use a tor binary. Closes + ticket 30694. + + o Testing (continuous integration, backport from 0.4.2.3-alpha): + - Disable all but one Travis CI macOS build, to mitigate slow + scheduling of Travis macOS jobs. Closes ticket 32177. + - Run the chutney IPv6 networks as part of Travis CI. Closes + ticket 30860. + - Simplify the Travis CI build matrix, and optimise for build time. + Closes ticket 31859. + - Use Windows Server 2019 instead of Windows Server 2016 in our + Appveyor builds. Closes ticket 32086. + + o Testing (continuous integration, backport from 0.4.2.4-rc): + - Use Ubuntu Bionic images for our Travis CI builds, so we can get a + recent version of coccinelle. 
But leave chutney on Ubuntu Trusty, + until we can fix some Bionic permissions issues (see ticket + 32240). Related to ticket 31919. + - Install the mingw OpenSSL package in Appveyor. This makes sure + that the OpenSSL headers and libraries match in Tor's Appveyor + builds. (This bug was triggered by an Appveyor image update.) + Fixes bug 32449; bugfix on 0.3.5.6-rc. + - In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241. + + o Testing (continuous integration, backport from 0.4.2.5): + - Require C99 standards-conforming code in Travis CI, but allow GNU gcc + extensions. Also activates clang's -Wtypedef-redefinition warnings. + Build some jobs with -std=gnu99, and some jobs without. + Closes ticket 32500. + + +Changes in version 0.3.5.8 - 2019-02-21 + Tor 0.3.5.8 backports serveral fixes from later releases, including fixes + for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x + releases. + + It also includes a fix for a medium-severity security bug affecting Tor + 0.3.2.1-alpha and later. All Tor instances running an affected release + should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha. + + o Major bugfixes (cell scheduler, KIST, security): + - Make KIST consider the outbuf length when computing what it can + put in the outbuf. Previously, KIST acted as though the outbuf + were empty, which could lead to the outbuf becoming too full. It + is possible that an attacker could exploit this bug to cause a Tor + client or relay to run out of memory and crash. Fixes bug 29168; + bugfix on 0.3.2.1-alpha. This issue is also being tracked as + TROVE-2019-001 and CVE-2019-8955. + + o Major bugfixes (networking, backport from 0.4.0.2-alpha): + - Gracefully handle empty username/password fields in SOCKS5 + username/password auth messsage and allow SOCKS5 handshake to + continue. Previously, we had rejected these handshakes, breaking + certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha. 
+ + o Minor features (compilation, backport from 0.4.0.2-alpha): + - Compile correctly when OpenSSL is built with engine support + disabled, or with deprecated APIs disabled. Closes ticket 29026. + Patches from "Mangix". + + o Minor features (geoip): + - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2 + Country database. Closes ticket 29478. + + o Minor features (testing, backport from 0.4.0.2-alpha): + - Treat all unexpected ERR and BUG messages as test failures. Closes + ticket 28668. + + o Minor bugfixes (onion service v3, client, backport from 0.4.0.1-alpha): + - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS + connection waiting for a descriptor that we actually have in the + cache. It turns out that this can actually happen, though it is + rare. Now, tor will recover and retry the descriptor. Fixes bug + 28669; bugfix on 0.3.2.4-alpha. + + o Minor bugfixes (IPv6, backport from 0.4.0.1-alpha): + - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the + IPv6 socket was bound using an address family of AF_INET instead + of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from + Kris Katterjohn. + + o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha): + - Update Cargo.lock file to match the version made by the latest + version of Rust, so that "make distcheck" will pass again. Fixes + bug 29244; bugfix on 0.3.3.4-alpha. + + o Minor bugfixes (client, clock skew, backport from 0.4.0.1-alpha): + - Select guards even if the consensus has expired, as long as the + consensus is still reasonably live. Fixes bug 24661; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (compilation, backport from 0.4.0.1-alpha): + - Compile correctly on OpenBSD; previously, we were missing some + headers required in order to detect it properly. Fixes bug 28938; + bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. 
+ + o Minor bugfixes (documentation, backport from 0.4.0.2-alpha): + - Describe the contents of the v3 onion service client authorization + files correctly: They hold public keys, not private keys. Fixes + bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix". + + o Minor bugfixes (logging, backport from 0.4.0.1-alpha): + - Rework rep_hist_log_link_protocol_counts() to iterate through all + link protocol versions when logging incoming/outgoing connection + counts. Tor no longer skips version 5, and we won't have to + remember to update this function when new link protocol version is + developed. Fixes bug 28920; bugfix on 0.2.6.10. + + o Minor bugfixes (logging, backport from 0.4.0.2-alpha): + - Log more information at "warning" level when unable to read a + private key; log more information at "info" level when unable to + read a public key. We had warnings here before, but they were lost + during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (misc, backport from 0.4.0.2-alpha): + - The amount of total available physical memory is now determined + using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM) + when it is defined and a 64-bit variant is not available. Fixes + bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn. + + o Minor bugfixes (onion services, backport from 0.4.0.2-alpha): + - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more + than one private key for a hidden service. Fixes bug 29040; bugfix + on 0.3.5.1-alpha. + - In hs_cache_store_as_client() log an HSDesc we failed to parse at + "debug" level. Tor used to log it as a warning, which caused very + long log lines to appear for some users. Fixes bug 29135; bugfix + on 0.3.2.1-alpha. + - Stop logging "Tried to establish rendezvous on non-OR circuit..." + as a warning. Instead, log it as a protocol warning, because there + is nothing that relay operators can do to fix it. Fixes bug 29029; + bugfix on 0.2.5.7-rc. 
+ + o Minor bugfixes (tests, directory clients, backport from 0.4.0.1-alpha): + - Mark outdated dirservers when Tor only has a reasonably live + consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha. + + o Minor bugfixes (tests, backport from 0.4.0.2-alpha): + - Detect and suppress "bug" warnings from the util/time test on + Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha. + - Do not log an error-level message if we fail to find an IPv6 + network interface from the unit tests. Fixes bug 29160; bugfix + on 0.2.7.3-rc. + + o Minor bugfixes (usability, backport from 0.4.0.1-alpha): + - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate(). + Some users took this phrasing to mean that the mentioned guard was + under their control or responsibility, which it is not. Fixes bug + 28895; bugfix on Tor 0.3.0.1-alpha. + + +Changes in version 0.3.5.7 - 2019-01-07 + Tor 0.3.5.7 is the first stable release in its series; it includes + compilation and portability fixes, and a fix for a severe problem + affecting directory caches. + + The Tor 0.3.5 series includes several new features and performance + improvements, including client authorization for v3 onion services, + cleanups to bootstrap reporting, support for improved bandwidth- + measurement tools, experimental support for NSS in place of OpenSSL, + and much more. It also begins a full reorganization of Tor's code + layout, for improved modularity and maintainability in the future. + Finally, there is the usual set of performance improvements and + bugfixes that we try to do in every release series. + + There are a couple of changes in the 0.3.5 that may affect + compatibility. First, the default version for newly created onion + services is now v3. Use the HiddenServiceVersion option if you want to + override this. Second, some log messages related to bootstrapping have + changed; if you use stem, you may need to update to the latest version + so it will recognize them. 
+ + We have designated 0.3.5 as a "long-term support" (LTS) series: we + will continue to patch major bugs in typical configurations of 0.3.5 + until at least 1 Feb 2022. (We do not plan to provide long-term + support for embedding, Rust support, NSS support, running a directory + authority, or unsupported platforms. For these, you will need to stick + with the latest stable release.) + + Below are the changes since 0.3.4.9. For a complete list of changes + since 0.3.5.6-rc, see the ChangeLog file. + + o Major features (bootstrap): + - Don't report directory progress until after a connection to a + relay or bridge has succeeded. Previously, we'd report 80% + progress based on cached directory information when we couldn't + even connect to the network. Closes ticket 27169. + + o Major features (new code layout): + - Nearly all of Tor's source code has been moved around into more + logical places. The "common" directory is now divided into a set + of libraries in "lib", and files in the "or" directory have been + split into "core" (logic absolutely needed for onion routing), + "feature" (independent modules in Tor), and "app" (to configure + and invoke the rest of Tor). See doc/HACKING/CodeStructure.md for + more information. Closes ticket 26481. + + This refactoring is not complete: although the libraries have been + refactored to be acyclic, the main body of Tor is still too + interconnected. We will attempt to improve this in the future. + + o Major features (onion services v3): + - Implement onion service client authorization at the descriptor + level: only authorized clients can decrypt a service's descriptor + to find out how to contact it. A new torrc option was added to + control this client side: ClientOnionAuthDir <path>. On the + service side, if the "authorized_clients/" directory exists in the + onion service directory path, client configurations are read from + the files within. See the manpage for more details. Closes ticket + 27547. 
Patch done by Suphanat Chunhapanya (haxxpop). + - Improve revision counter generation in next-gen onion services. + Onion services can now scale by hosting multiple instances on + different hosts without synchronization between them, which was + previously impossible because descriptors would get rejected by + HSDirs. Addresses ticket 25552. + - Version 3 onion services can now use the per-service + HiddenServiceExportCircuitID option to differentiate client + circuits. It communicates with the service by using the HAProxy + protocol to assign virtual IP addresses to inbound client + circuits. Closes ticket 4700. Patch by Mahrud Sayrafi. + + o Major features (onion services, UI change): + - For a newly created onion service, the default version is now 3. + Tor still supports existing version 2 services, but the operator + now needs to set "HiddenServiceVersion 2" in order to create a new + version 2 service. For existing services, Tor now learns the + version by reading the key file. Closes ticket 27215. + + o Major features (portability, cryptography, experimental, TLS): + - Tor now has the option to compile with the NSS library instead of + OpenSSL. This feature is experimental, and we expect that bugs may + remain. It is mainly intended for environments where Tor's + performance is not CPU-bound, and where NSS is already known to be + installed. To try it out, configure Tor with the --enable-nss + flag. Closes tickets 26631, 26815, and 26816. + + If you are experimenting with this option and using an old cached + consensus, Tor may fail to start. To solve this, delete your + "cached-consensus" and "cached-microdesc-consensus" files, + (if present), and restart Tor. + + o Major features (relay, UI change): + - Relays no longer run as exits by default. If the "ExitRelay" + option is auto (or unset), and no exit policy is specified with + ExitPolicy or ReducedExitPolicy, we now treat ExitRelay as 0. 
+ Previously in this case, we allowed exit traffic and logged a + warning message. Closes ticket 21530. Patch by Neel Chauhan. + - Tor now validates that the ContactInfo config option is valid UTF- + 8 when parsing torrc. Closes ticket 27428. + + o Major bugfixes (compilation): + - Fix compilation on ARM (and other less-used CPUs) when compiling + with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha. + + o Major bugfixes (compilation, rust): + - Rust tests can now build and run successfully with the + --enable-fragile-hardening option enabled. Doing this currently + requires the rust beta channel; it will be possible with stable + rust once Rust version 1.31 is released. Patch from Alex Crichton. + Fixes bugs 27272, 27273, and 27274. Bugfix on 0.3.1.1-alpha. + + o Major bugfixes (directory authority): + - Actually check that the address we get from DirAuthority + configuration line is valid IPv4. Explicitly disallow DirAuthority + address to be a DNS hostname. Fixes bug 26488; bugfix + on 0.1.2.10-rc. + + o Major bugfixes (embedding, main loop): + - When DisableNetwork becomes set, actually disable periodic events + that are already enabled. (Previously, we would refrain from + enabling new ones, but we would leave the old ones turned on.) + Fixes bug 28348; bugfix on 0.3.4.1-alpha. + + o Major bugfixes (main loop, bootstrap): + - Make sure Tor bootstraps and works properly if only the + ControlPort is set. Prior to this fix, Tor would only bootstrap + when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel + port). Fixes bug 27849; bugfix on 0.3.4.1-alpha. + + o Major bugfixes (onion service v3): + - On an intro point for a version 3 onion service, stop closing + introduction circuits on a NACK. This lets the client decide + whether to reuse the circuit or discard it. Previously, we closed + intro circuits when sending NACKs. Fixes bug 27841; bugfix on + 0.3.2.1-alpha. Patch by Neel Chaunan. 
+ + o Major bugfixes (OpenSSL, portability): + - Fix our usage of named groups when running as a TLS 1.3 client in + OpenSSL 1.1.1. Previously, we only initialized EC groups when + running as a relay, which caused clients to fail to negotiate TLS + 1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3 + support was added). + + o Major bugfixes (relay bandwidth statistics): + - When we close relayed circuits, report the data in the circuit + queues as being written in our relay bandwidth stats. This + mitigates guard discovery and other attacks that close circuits + for the explicit purpose of noticing this discrepancy in + statistics. Fixes bug 23512; bugfix on 0.0.8pre3. + + o Major bugfixes (relay): + - When our write bandwidth limit is exhausted, stop writing on the + connection. Previously, we had a typo in the code that would make + us stop reading instead, leading to relay connections being stuck + indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix + on 0.3.4.1-alpha. + - Always reactivate linked connections in the main loop so long as + any linked connection has been active. Previously, connections + serving directory information wouldn't get reactivated after the + first chunk of data was sent (usually 32KB), which would prevent + clients from bootstrapping. Fixes bug 28912; bugfix on + 0.3.4.1-alpha. Patch by "cypherpunks3". + + o Major bugfixes (restart-in-process): + - Fix a use-after-free error that could be caused by passing Tor an + impossible set of options that would fail during options_act(). + Fixes bug 27708; bugfix on 0.3.3.1-alpha. + + o Minor features (admin tools): + - Add a new --key-expiration option to print the expiration date of + the signing cert in an ed25519_signing_cert file. Resolves + issue 19506. + + o Minor features (build): + - If you pass the "--enable-pic" option to configure, Tor will try + to tell the compiler to build position-independent code suitable + to link into a dynamic library. 
(The default remains -fPIE, for + code suitable for a relocatable executable.) Closes ticket 23846. + + o Minor features (code correctness, testing): + - Tor's build process now includes a "check-includes" make target to + verify that no module of Tor relies on any headers from a higher- + level module. We hope to use this feature over time to help + refactor our codebase. Closes ticket 26447. + + o Minor features (code layout): + - We have a new "lowest-level" error-handling API for use by code + invoked from within the logging module. With this interface, the + logging code is no longer at risk of calling into itself if a + failure occurs while it is trying to log something. Closes + ticket 26427. + + o Minor features (compilation): + - When possible, place our warning flags in a separate file, to + avoid flooding verbose build logs. Closes ticket 28924. + - Tor's configure script now supports a --with-malloc= option to + select your malloc implementation. Supported options are + "tcmalloc", "jemalloc", "openbsd" (deprecated), and "system" (the + default). Addresses part of ticket 20424. Based on a patch from + Alex Xu. + + o Minor features (config): + - The "auto" keyword in torrc is now case-insensitive. Closes + ticket 26663. + + o Minor features (continuous integration): + - Add a Travis CI build for --enable-nss on Linux gcc. Closes + ticket 27751. + - Add new CI job to Travis configuration to run stem-based + integration tests. Closes ticket 27913. + - Use the Travis Homebrew addon to install packages on macOS during + Travis CI. The package list is the same, but the Homebrew addon + does not do a `brew update` by default. Implements ticket 27738. + - Report what program produced the mysterious core file that we + occasionally see on Travis CI during make distcheck. Closes + ticket 28024. + - Don't do a distcheck with --disable-module-dirauth in Travis. + Implements ticket 27252. 
+ - Install libcap-dev and libseccomp2-dev so these optional + dependencies get tested on Travis CI. Closes ticket 26560. + - Only run one online rust build in Travis, to reduce network + errors. Skip offline rust builds on Travis for Linux gcc, because + they're redundant. Implements ticket 27252. + - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a + duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on + Linux with default settings, because all the non-default builds + use gcc on Linux. Implements ticket 27252. + + o Minor features (continuous integration, Windows): + - Always show the configure and test logs, and upload them as build + artifacts, when building for Windows using Appveyor CI. + Implements 28459. + - Build tor on Windows Server 2012 R2 and Windows Server 2016 using + Appveyor's CI. Closes ticket 28318. + + o Minor features (controller): + - Emit CIRC_BW events as soon as we detect that we processed an + invalid or otherwise dropped cell on a circuit. This allows + vanguards and other controllers to react more quickly to dropped + cells. Closes ticket 27678. + - For purposes of CIRC_BW-based dropped cell detection, track half- + closed stream ids, and allow their ENDs, SENDMEs, DATA and path + bias check cells to arrive without counting it as dropped until + either the END arrives, or the windows are empty. Closes + ticket 25573. + - Implement a 'GETINFO md/all' controller command to enable getting + all known microdescriptors. Closes ticket 8323. + - The GETINFO command now support an "uptime" argument, to return + Tor's uptime in seconds. Closes ticket 25132. + + o Minor features (denial-of-service avoidance): + - Make our OOM handler aware of the DNS cache so that it doesn't + fill up the memory. This check is important for our DoS mitigation + subsystem. Closes ticket 18642. Patch by Neel Chauhan. 
+ + o Minor features (development): + - Tor's makefile now supports running the "clippy" Rust style tool + on our Rust code. Closes ticket 22156. + + o Minor features (directory authority): + - There is no longer an artificial upper limit on the length of + bandwidth lines. Closes ticket 26223. + - When a bandwidth file is used to obtain the bandwidth measurements, + include this bandwidth file headers in the votes. Closes + ticket 3723. + - Improved support for networks with only a single authority or a + single fallback directory. Patch from Gabriel Somlo. Closes + ticket 25928. + + o Minor features (embedding API): + - The Tor controller API now supports a function to launch Tor with + a preconstructed owning controller FD, so that embedding + applications don't need to manage controller ports and + authentication. Closes ticket 24204. + - The Tor controller API now has a function that returns the name + and version of the backend implementing the API. Closes + ticket 26947. + + o Minor features (fallback directory list): + - Replace the 150 fallbacks originally introduced in Tor + 0.3.3.1-alpha in January 2018 (of which ~115 were still + functional), with a list of 157 fallbacks (92 new, 65 existing, 85 + removed) generated in December 2018. Closes ticket 24803. + + o Minor features (geoip): + - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2 + Country database. Closes ticket 29012. + + o Minor features (memory management): + - Get Libevent to use the same memory allocator as Tor, by calling + event_set_mem_functions() during initialization. Resolves + ticket 8415. + + o Minor features (memory usage): + - When not using them, store legacy TAP public onion keys in DER- + encoded format, rather than as expanded public keys. This should + save several megabytes on typical clients. Closes ticket 27246. 
+ + o Minor features (OpenSSL bug workaround): + - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3 + key export function from handling long labels. When this bug is + detected, Tor will disable TLS 1.3. We recommend upgrading to a + version of OpenSSL without this bug when it becomes available. + Closes ticket 28973. + + o Minor features (OpenSSL): + - When possible, use RFC5869 HKDF implementation from OpenSSL rather + than our own. Resolves ticket 19979. + + o Minor features (performance): + - Remove about 96% of the work from the function that we run at + startup to test our curve25519_basepoint implementation. Since + this function has yet to find an actual failure, we now only run + it for 8 iterations instead of 200. Based on our profile + information, this change should save around 8% of our startup time + on typical desktops, and may have a similar effect on other + platforms. Closes ticket 28838. + - Stop re-validating our hardcoded Diffie-Hellman parameters on + every startup. Doing this wasted time and cycles, especially on + low-powered devices. Closes ticket 28851. + + o Minor features (Rust, code quality): + - Improve rust code quality in the rust protover implementation by + making it more idiomatic. Includes changing an internal API to + take &str instead of &String. Closes ticket 26492. + + o Minor features (testing): + - Add scripts/test/chutney-git-bisect.sh, for bisecting using + chutney. Implements ticket 27211. + + o Minor features (tor-resolve): + - The tor-resolve utility can now be used with IPv6 SOCKS proxies. + Side-effect of the refactoring for ticket 26526. + + o Minor features (UI): + - Log each included configuration file or directory as we read it, + to provide more visibility about where Tor is reading from. Patch + from Unto Sten; closes ticket 27186. + - Lower log level of "Scheduler type KIST has been enabled" to INFO. + Closes ticket 26703. 
+ + o Minor bugfixes (32-bit OSX and iOS, timing): + - Fix an integer overflow bug in our optimized 32-bit millisecond- + difference algorithm for 32-bit Apple platforms. Previously, it + would overflow when calculating the difference between two times + more than 47 days apart. Fixes part of bug 27139; bugfix + on 0.3.4.1-alpha. + - Improve the precision of our 32-bit millisecond difference + algorithm for 32-bit Apple platforms. Fixes part of bug 27139; + bugfix on 0.3.4.1-alpha. + - Relax the tolerance on the mainloop/update_time_jumps test when + running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix + on 0.3.4.1-alpha. + + o Minor bugfixes (bootstrap): + - Try harder to get descriptors in non-exit test networks, by using + the mid weight for the third hop when there are no exits. Fixes + bug 27237; bugfix on 0.2.6.2-alpha. + + o Minor bugfixes (C correctness): + - Avoid casting smartlist index to int implicitly, as it may trigger + a warning (-Wshorten-64-to-32). Fixes bug 26282; bugfix on + 0.2.3.13-alpha, 0.2.7.1-alpha and 0.2.1.1-alpha. + - Use time_t for all values in + predicted_ports_prediction_time_remaining(). Rework the code that + computes difference between durations/timestamps. Fixes bug 27165; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (client, memory usage): + - When not running as a directory cache, there is no need to store + the text of the current consensus networkstatus in RAM. + Previously, however, clients would store it anyway, at a cost of + over 5 MB. Now, they do not. Fixes bug 27247; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (client, ReachableAddresses): + - Instead of adding a "reject *:*" line to ReachableAddresses when + loading the configuration, add one to the policy after parsing it + in parse_reachable_addresses(). This prevents extra "reject *.*" + lines from accumulating on reloads. Fixes bug 20874; bugfix on + 0.1.1.5-alpha. Patch by Neel Chauhan. 
+ + o Minor bugfixes (code quality): + - Rename sandbox_getaddrinfo() and other functions to no longer + misleadingly suggest that they are sandbox-only. Fixes bug 26525; + bugfix on 0.2.7.1-alpha. + + o Minor bugfixes (code safety): + - Rewrite our assertion macros so that they no longer suppress the + compiler's -Wparentheses warnings. Fixes bug 27709; bugfix + on 0.0.6. + + o Minor bugfixes (compilation): + - Initialize a variable unconditionally in aes_new_cipher(), since + some compilers cannot tell that we always initialize it before + use. Fixes bug 28413; bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (configuration): + - Refuse to start with relative file paths and RunAsDaemon set + (regression from the fix for bug 22731). Fixes bug 28298; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (configuration, Onion Services): + - In rend_service_parse_port_config(), disallow any input to remain + after address-port pair was parsed. This will catch address and + port being whitespace-separated by mistake of the user. Fixes bug + 27044; bugfix on 0.2.9.10. + + o Minor bugfixes (connection, relay): + - Avoid a logging a BUG() stacktrace when closing connection held + open because the write side is rate limited but not the read side. + Now, the connection read side is simply shut down until Tor is + able to flush the connection and close it. Fixes bug 27750; bugfix + on 0.3.4.1-alpha. + + o Minor bugfixes (continuous integration, Windows): + - Stop reinstalling identical packages in our Windows CI. Fixes bug + 27464; bugfix on 0.3.4.1-alpha. + - Install only the necessary mingw packages during our appveyor + builds. This change makes the build a little faster, and prevents + a conflict with a preinstalled mingw openssl that appveyor now + ships. Fixes bugs 27765 and 27943; bugfix on 0.3.4.2-alpha. + - Explicitly specify the path to the OpenSSL library and do not + download OpenSSL from Pacman, but instead use the library that is + already provided by AppVeyor. 
Fixes bug 28574; bugfix on master. + - Manually configure the zstd compiler options, when building using + mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does + not come with a pkg-config file. Fixes bug 28454; bugfix + on 0.3.4.1-alpha. + - Stop using an external OpenSSL install, and stop installing MSYS2 + packages, when building using mingw on Appveyor Windows CI. Fixes + bug 28399; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (controller): + - Consider all routerinfo errors other than "not a server" to be + transient for the purpose of "GETINFO exit-policy/*" controller + request. Print stacktrace in the unlikely case of failing to + recompute routerinfo digest. Fixes bug 27034; bugfix + on 0.3.4.1-alpha. + + o Minor bugfixes (correctness): + - Fix an unreached code path where we checked the value of + "hostname" inside send_resolved_hostname_cell(). Previously, we + used it before checking it; now we check it first. Fixes bug + 28879; bugfix on 0.1.2.7-alpha. + + o Minor bugfixes (directory connection shutdown): + - Avoid a double-close when shutting down a stalled directory + connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (directory permissions): + - When a user requests a group-readable DataDirectory, give it to + them. Previously, when the DataDirectory and the CacheDirectory + were the same, the default setting (0) for + CacheDirectoryGroupReadable would override the setting for + DataDirectoryGroupReadable. Fixes bug 26913; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (HTTP tunnel): + - Fix a bug warning when closing an HTTP tunnel connection due to an + HTTP request we couldn't handle. Fixes bug 26470; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (ipv6): + - In addrs_in_same_network_family(), we choose the subnet size based + on the IP version (IPv4 or IPv6). Previously, we chose a fixed + subnet size of /16 for both IPv4 and IPv6 addresses. Fixes bug + 15518; bugfix on 0.2.3.1-alpha. Patch by Neel Chauhan. 
+ + o Minor bugfixes (Linux seccomp2 sandbox): + - Permit the "shutdown()" system call, which is apparently used by + OpenSSL under some circumstances. Fixes bug 28183; bugfix + on 0.2.5.1-alpha. + + o Minor bugfixes (logging): + - Stop talking about the Named flag in log messages. Clients have + ignored the Named flag since 0.3.2. Fixes bug 28441; bugfix + on 0.3.2.1-alpha. + - As a precaution, do an early return from log_addr_has_changed() if + Tor is running as client. Also, log a stack trace for debugging as + this function should only be called when Tor runs as server. Fixes + bug 26892; bugfix on 0.1.1.9-alpha. + - Refrain from mentioning bug 21018 in the logs, as it is already + fixed. Fixes bug 25477; bugfix on 0.2.9.8. + + o Minor bugfixes (logging, documentation): + - When SafeLogging is enabled, scrub IP address in + channel_tls_process_netinfo_cell(). Also, add a note to manpage + that scrubbing is not guaranteed on loglevels below Notice. Fixes + bug 26882; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (memory leaks): + - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419; + bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger. + - Fix a small memory leak when calling Tor with --dump-config. Fixes + bug 27893; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (netflow padding): + - Ensure circuitmux queues are empty before scheduling or sending + padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (onion service v2): + - Log at level "info", not "warning", in the case that we do not + have a consensus when a .onion request comes in. This can happen + normally while bootstrapping. Fixes bug 27040; bugfix + on 0.2.8.2-alpha. + + o Minor bugfixes (onion service v3): + - When deleting an ephemeral onion service (DEL_ONION), do not close + any rendezvous circuits in order to let the existing client + connections finish by themselves or closed by the application. 
The + HS v2 is doing that already so now we have the same behavior for + all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha. + - Build the service descriptor's signing key certificate before + uploading, so we always have a fresh one: leaving no chances for + it to expire service side. Fixes bug 27838; bugfix + on 0.3.2.1-alpha. + - Stop dumping a stack trace when trying to connect to an intro + point without having a descriptor for it. Fixes bug 27774; bugfix + on 0.3.2.1-alpha. + - When selecting a v3 rendezvous point, don't only look at the + protover, but also check whether the curve25519 onion key is + present. This way we avoid picking a relay that supports the v3 + rendezvous but for which we don't have the microdescriptor. Fixes + bug 27797; bugfix on 0.3.2.1-alpha. + - Close all SOCKS request (for the same .onion) if the newly fetched + descriptor is unusable. Before that, we would close only the first + one leaving the other hanging and let to time out by themselves. + Fixes bug 27410; bugfix on 0.3.2.1-alpha. + - When the onion service directory can't be created or has the wrong + permissions, do not log a stack trace. Fixes bug 27335; bugfix + on 0.3.2.1-alpha. + - When replacing a descriptor in the client cache, make sure to + close all client introduction circuits for the old descriptor, so + we don't end up with unusable leftover circuits. Fixes bug 27471; + bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (OS compatibility): + - Properly handle configuration changes that move a listener to/from + wildcard IP address. If the first attempt to bind a socket fails, + close the old listener and try binding the socket again. Fixes bug + 17873; bugfix on 0.0.8pre-1. + + o Minor bugfixes (performance):: + - Rework node_is_a_configured_bridge() to no longer call + node_get_all_orports(), which was performing too many memory + allocations. Fixes bug 27224; bugfix on 0.2.3.9. 
+ + o Minor bugfixes (protover): + - Reject protocol names containing bytes other than alphanumeric + characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix + on 0.2.9.4-alpha. + + o Minor bugfixes (protover, rust): + - Reject extra commas in version strings. Fixes bug 27197; bugfix + on 0.3.3.3-alpha. + - protover_all_supported() would attempt to allocate up to 16GB on + some inputs, leading to a potential memory DoS. Fixes bug 27206; + bugfix on 0.3.3.5-rc. + - Compute protover votes correctly in the rust version of the + protover code. Previously, the protover rewrite in 24031 allowed + repeated votes from the same voter for the same protocol version + to be counted multiple times in protover_compute_vote(). Fixes bug + 27649; bugfix on 0.3.3.5-rc. + - Reject protover names that contain invalid characters. Fixes bug + 27687; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (relay shutdown, systemd): + - Notify systemd of ShutdownWaitLength so it can be set to longer + than systemd's TimeoutStopSec. In Tor's systemd service file, set + TimeoutSec to 60 seconds to allow Tor some time to shut down. + Fixes bug 28113; bugfix on 0.2.6.2-alpha. + + o Minor bugfixes (relay statistics): + - Update relay descriptor on bandwidth changes only when the uptime + is smaller than 24h, in order to reduce the efficiency of guard + discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha. + + o Minor bugfixes (relay): + - Consider the fact that we'll be making direct connections to our + entry and guard nodes when computing the fraction of nodes that + have their descriptors. Also, if we are using bridges and there is + at least one bridge with a full descriptor, treat the fraction of + guards available as 100%. Fixes bug 25886; bugfix on 0.2.4.10-alpha. + Patch by Neel Chauhan. + - Update the message logged on relays when DirCache is disabled. + Since 0.3.3.5-rc, authorities require DirCache (V2Dir) for the + Guard flag. Fixes bug 24312; bugfix on 0.3.3.5-rc. 
+ + o Minor bugfixes (testing): + - Stop running stem's unit tests as part of "make test-stem", but + continue to run stem's unit and online tests during "make test- + stem-full". Fixes bug 28568; bugfix on 0.2.6.3-alpha. + - Stop leaking memory in an entry guard unit test. Fixes bug 28554; + bugfix on 0.3.0.1-alpha. + - Make the hs_service tests use the same time source when creating + the introduction point and when testing it. Now tests work better + on very slow systems like ARM or Travis. Fixes bug 27810; bugfix + on 0.3.2.1-alpha. + - Revise the "conditionvar_timeout" test so that it succeeds even on + heavily loaded systems where the test threads are not scheduled + within 200 msec. Fixes bug 27073; bugfix on 0.2.6.3-alpha. + - Fix two unit tests to work when HOME environment variable is not + set. Fixes bug 27096; bugfix on 0.2.8.1-alpha. + - If a unit test running in a subprocess exits abnormally or with a + nonzero status code, treat the test as having failed, even if the + test reported success. Without this fix, memory leaks don't cause + the tests to fail, even with LeakSanitizer. Fixes bug 27658; + bugfix on 0.2.2.4-alpha. + - When logging a version mismatch in our openssl_version tests, + report the actual offending version strings. Fixes bug 26152; + bugfix on 0.2.9.1-alpha. + - Fix forking tests on Windows when there is a space somewhere in + the path. Fixes bug 26437; bugfix on 0.2.2.4-alpha. + + o Minor bugfixes (Windows): + - Correctly identify Windows 8.1, Windows 10, and Windows Server + 2008 and later from their NT versions. Fixes bug 28096; bugfix on + 0.2.2.34; reported by Keifer Bly. + - On recent Windows versions, the GetVersionEx() function may report + an earlier Windows version than the running OS. To avoid user + confusion, add "[or later]" to Tor's version string on affected + versions of Windows. Fixes bug 28096; bugfix on 0.2.2.34; reported + by Keifer Bly. 
+ - Remove Windows versions that were never supported by the + GetVersionEx() function. Stop duplicating the latest Windows + version in get_uname(). Fixes bug 28096; bugfix on 0.2.2.34; + reported by Keifer Bly. + + o Code simplification and refactoring: + - When parsing a port configuration, make it more obvious to static + analyzer tools that we always initialize the address. Closes + ticket 28881. + - Divide more large Tor source files -- especially ones that span + multiple areas of functionality -- into smaller parts, including + onion.c and main.c. Closes ticket 26747. + - Divide the "routerparse.c" module into separate modules for each + group of parsed objects. Closes ticket 27924. + - Move protover_rust.c to the same place protover.c was moved to. + Closes ticket 27814. + - Split directory.c into separate pieces for client, server, and + common functionality. Closes ticket 26744. + - Split the non-statistics-related parts from the rephist.c and + geoip.c modules. Closes ticket 27892. + - Split the router.c file into relay-only and shared components, to + help with future modularization. Closes ticket 27864. + - Divide the routerlist.c and dirserv.c modules into smaller parts. + Closes ticket 27799. + - 'updateFallbackDirs.py' now ignores the blacklist file, as it's not + longer needed. Closes ticket 26502. + - Include paths to header files within Tor are now qualified by + directory within the top-level src directory. + - Many structures have been removed from the centralized "or.h" + header, and moved into their own headers. This will allow us to + reduce the number of places in the code that rely on each + structure's contents and layout. Closes ticket 26383. + - Remove ATTR_NONNULL macro from codebase. Resolves ticket 26527. + - Remove GetAdaptersAddresses_fn_t. The code that used it was + removed as part of the 26481 refactor. Closes ticket 27467. 
+ - Rework Tor SOCKS server code to use Trunnel and benefit from + autogenerated functions for parsing and generating SOCKS wire + format. New implementation is cleaner, more maintainable and + should be less prone to heartbleed-style vulnerabilities. + Implements a significant fraction of ticket 3569. + - Split sampled_guards_update_from_consensus() and + select_entry_guard_for_circuit() into subfunctions. In + entry_guards_update_primary() unite three smartlist enumerations + into one and move smartlist comparison code out of the function. + Closes ticket 21349. + - Tor now assumes that you have standards-conformant stdint.h and + inttypes.h headers when compiling. Closes ticket 26626. + - Unify our bloom filter logic. Previously we had two copies of this + code: one for routerlist filtering, and one for address set + calculations. Closes ticket 26510. + - Use the simpler strcmpstart() helper in + rend_parse_v2_service_descriptor instead of strncmp(). Closes + ticket 27630. + - Utility functions that can perform a DNS lookup are now wholly + separated from those that can't, in separate headers and C + modules. Closes ticket 26526. + + o Documentation: + - In the tor-resolve(1) manpage, fix the reference to socks- + extensions.txt by adding a web URL. Resolves ticket 27853. + - Mention that we require Python to be 2.7 or newer for some + integration tests that we ship with Tor. Resolves ticket 27677. + - Copy paragraph and URL to Tor's code of conduct document from + CONTRIBUTING to new CODE_OF_CONDUCT file. Resolves ticket 26638. + - Remove old instructions from INSTALL document. Closes ticket 26588. + - Warn users that they should not include MyFamily line(s) in their + torrc when running Tor bridge. Closes ticket 26908. + + o Removed features: + - Tor no longer supports building with the dmalloc library. For + debugging memory issues, we suggest using gperftools or msan + instead. Closes ticket 26426. 
+ - Tor no longer attempts to run on Windows environments without the + GetAdaptersAddresses() function. This function has existed since + Windows XP, which is itself already older than we support. + - Remove Tor2web functionality for version 2 onion services. The + Tor2webMode and Tor2webRendezvousPoints options are now obsolete. + (This feature was never shipped in vanilla Tor and it was only + possible to use this feature by building the support at compile + time. Tor2webMode is not implemented for version 3 onion services.) + Closes ticket 26367. + + o Testing: + - Increase logging and tag all log entries with timestamps in + test_rebind.py. Provides diagnostics for issue 28229. + + o Code simplification and refactoring (shared random, dirauth): + - Change many tor_assert() to use BUG() instead. The idea is to not + crash a dirauth but rather scream loudly with a stacktrace and let + it continue run. The shared random subsystem is very resilient and + if anything wrong happens with it, at worst a non coherent value + will be put in the vote and discarded by the other authorities. + Closes ticket 19566. + + o Documentation (onion services): + - Improve HSv3 client authorization by making some options more + explicit and detailed. Closes ticket 28026. Patch by Mike Tigas. + - Document in the man page that changing ClientOnionAuthDir value or + adding a new file in the directory will not work at runtime upon + sending a HUP if Sandbox 1. Closes ticket 28128. + - Note in the man page that the only real way to fully revoke an + onion service v3 client authorization is by restarting the tor + process. Closes ticket 28275. + + Changes in version 0.3.4.9 - 2018-11-02 Tor 0.3.4.9 is the second stable release in its series; it backports numerous fixes, including a fix for a bandwidth management bug that diff --git a/changes/29241_diagnostic b/changes/29241_diagnostic deleted file mode 100644 index 1e38654957..0000000000 --- a/changes/29241_diagnostic +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor features (NSS, diagnostic): - - Try to log an error from NSS (if there is any) and a more useful - description of our situation if we are using NSS and a call to - SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241. diff --git a/changes/40241 b/changes/40241 deleted file mode 100644 index c9b2e2c011..0000000000 --- a/changes/40241 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): - - Fix a compilation warning about unreachable fallthrough annotations - when building with "--enable-all-bugs-are-fatal" on some compilers. - Fixes bug 40241; bugfix on 0.3.5.4-alpha. diff --git a/changes/40241_v2 b/changes/40241_v2 deleted file mode 100644 index 85038297f7..0000000000 --- a/changes/40241_v2 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): - - Fix another warning about unreachable fallthrough annotations - when building with "--enable-all-bugs-are-fatal" on some compilers. - Fixes bug 40241; bugfix on 0.4.5.3-rc. diff --git a/changes/bug12399 b/changes/bug12399 deleted file mode 100644 index 922c08c5e3..0000000000 --- a/changes/bug12399 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (logging): - - Change log level of message "Hash of session info was not as expected" - to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix on 0.1.1.10-alpha. diff --git a/changes/bug13221 b/changes/bug13221 deleted file mode 100644 index 13935a1921..0000000000 --- a/changes/bug13221 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (logging): - - Correct a misleading error message when IPv4Only or IPv6Only - is used but the resolved address can not be interpreted as an - address of the specified IP version. Fixes bug 13221; bugfix - on 0.2.3.9-alpha. Patch from Kris Katterjohn. diff --git a/changes/bug16016 b/changes/bug16016 deleted file mode 100644 index 313ef672e9..0000000000 --- a/changes/bug16016 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor bugfixes (logging): - - Downgrade a noisy log message that could occur naturally when - receiving an extrainfo document that we no longer want. - Fixes bug 16016; bugfix on 0.2.6.3-alpha. diff --git a/changes/bug22619 b/changes/bug22619 deleted file mode 100644 index 9c71996f5b..0000000000 --- a/changes/bug22619 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (circuit isolation): - - Fix a logic error that prevented the SessionGroup sub-option from - being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha. diff --git a/changes/bug23507 b/changes/bug23507 deleted file mode 100644 index de18273fdb..0000000000 --- a/changes/bug23507 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (v3 single onion services): - - Make v3 single onion services fall back to a 3-hop intro, when there - all intro points are unreachable via a 1-hop path. Previously, v3 - single onion services failed when all intro nodes were unreachable - via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha. diff --git a/changes/bug23818_v2 b/changes/bug23818_v2 deleted file mode 100644 index 0219a20f49..0000000000 --- a/changes/bug23818_v2 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (v2 single onion services): - - Always retry v2 single onion service intro and rend circuits with a - 3-hop path. Previously, v2 single onion services used a 3-hop path - when rend circuits were retried after a remote or delayed failure, - but a 1-hop path for immediate retries. Fixes bug 23818; - bugfix on 0.2.9.3-alpha. diff --git a/changes/bug23818_v3 b/changes/bug23818_v3 deleted file mode 100644 index c430144d81..0000000000 --- a/changes/bug23818_v3 +++ /dev/null 
@@ -1,6 +0,0 @@ - o Minor bugfixes (v3 single onion services): - - Always retry v3 single onion service intro and rend circuits with a - 3-hop path. Previously, v3 single onion services used a 3-hop path - when rend circuits were retried after a remote or delayed failure, - but a 1-hop path for immediate retries. Fixes bug 23818; - bugfix on 0.3.2.1-alpha. diff --git a/changes/bug24661 b/changes/bug24661 deleted file mode 100644 index a915a93e0e..0000000000 --- a/changes/bug24661 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (client, guard selection): - - When Tor's consensus has expired, but is still reasonably live, use it - to select guards. Fixes bug 24661; bugfix on 0.3.0.1-alpha. diff --git a/changes/bug27197 b/changes/bug27197 deleted file mode 100644 index e389f85065..0000000000 --- a/changes/bug27197 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (protover, rust): - - Reject extra commas in version string. Fixes bug 27197; bugfix on - 0.3.3.3-alpha. diff --git a/changes/bug27199 b/changes/bug27199 deleted file mode 100644 index f9d2a422f9..0000000000 --- a/changes/bug27199 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (rust): - - Abort on panic in all build profiles, instead of potentially unwinding - into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha. diff --git a/changes/bug27740 b/changes/bug27740 deleted file mode 100644 index 76a17b7dda..0000000000 --- a/changes/bug27740 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (rust): - - Return a string that can be safely freed by C code, not one created by - the rust allocator, in protover_all_supported(). Fixes bug 27740; bugfix - on 0.3.3.1-alpha. diff --git a/changes/bug27741 b/changes/bug27741 deleted file mode 100644 index 531e264b63..0000000000 --- a/changes/bug27741 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Minor bugfixes (rust, directory authority): - - Fix an API mismatch in the rust implementation of - protover_compute_vote(). This bug could have caused crashes on any - directory authorities running Tor with Rust (which we do not yet - recommend). Fixes bug 27741; bugfix on 0.3.3.6. diff --git a/changes/bug27750 b/changes/bug27750 deleted file mode 100644 index c234788b1c..0000000000 --- a/changes/bug27750 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (connection, relay): - - Avoid a wrong BUG() stacktrace in case a closing connection is being held - open because the write side is rate limited but not the read side. Now, - the connection read side is simply shutdown instead of kept open until tor - is able to flush the connection and then fully close it. Fixes bug 27750; - bugfix on 0.3.4.1-alpha. diff --git a/changes/bug27800 b/changes/bug27800 deleted file mode 100644 index 63d5dbc681..0000000000 --- a/changes/bug27800 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (directory authority): - - Log additional info when we get a relay that shares an ed25519 - ID with a different relay, instead making a BUG() warning. - Fixes bug 27800; bugfix on 0.3.2.1-alpha. diff --git a/changes/bug27804 b/changes/bug27804 deleted file mode 100644 index fa7fec0bc5..0000000000 --- a/changes/bug27804 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (rust): - - Fix a potential null dereference in protover_all_supported(). - Add a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha. diff --git a/changes/bug27841 b/changes/bug27841 deleted file mode 100644 index 9cd1da7275..0000000000 --- a/changes/bug27841 +++ /dev/null 
@@ -1,7 +0,0 @@ - o Minor bugfixes (onion services): - - On an intro point for a version 3 onion service, we do not close - an introduction circuit on an NACK. This lets the client decide - whether to reuse the circuit or discard it. Previously, we closed - intro circuits on NACKs. Fixes bug 27841; bugfix on 0.3.2.1-alpha. - Patch by Neel Chaunan - diff --git a/changes/bug27948 b/changes/bug27948 deleted file mode 100644 index fea16f3d0f..0000000000 --- a/changes/bug27948 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (tests): - - Treat backtrace test failures as expected on BSD-derived systems - (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808. - (FreeBSD failures have been treated as expected since 18204 in 0.2.8.) - Fixes bug 27948; bugfix on 0.2.5.2-alpha. - diff --git a/changes/bug27963_timeradd b/changes/bug27963_timeradd deleted file mode 100644 index 34b361cf8d..0000000000 --- a/changes/bug27963_timeradd +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation, opensolaris): - - Add a missing include to compat_pthreads.c, to fix compilation - on OpenSolaris and its descendants. Fixes bug 27963; bugfix - on 0.3.5.1-alpha. diff --git a/changes/bug27968 b/changes/bug27968 deleted file mode 100644 index 78c8eee33a..0000000000 --- a/changes/bug27968 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (testing): - - Avoid hangs and race conditions in test_rebind.py. - Fixes bug 27968; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug28096 b/changes/bug28096 deleted file mode 100644 index 6847df9798..0000000000 --- a/changes/bug28096 +++ /dev/null 
@@ -1,13 +0,0 @@ - o Minor bugfixes (Windows): - - Correctly identify Windows 8.1, Windows 10, and Windows Server 2008 - and later from their NT versions. - Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly. - - On recent Windows versions, the GetVersionEx() function may report - an earlier Windows version than the running OS. To avoid user - confusion, add "[or later]" to Tor's version string on affected - versions of Windows. - Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly. - - Remove Windows versions that were never supported by the - GetVersionEx() function. Stop duplicating the latest Windows - version in get_uname(). - Fixes bug 28096; bugfix on 0.2.2.34; reported by Keifer Bly. diff --git a/changes/bug28115 b/changes/bug28115 deleted file mode 100644 index e3e29968eb..0000000000 --- a/changes/bug28115 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (portability): - - Make the OPE code (which is used for v3 onion services) run correctly - on big-endian platforms. Fixes bug 28115; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug28127 b/changes/bug28127 deleted file mode 100644 index 541128c88e..0000000000 --- a/changes/bug28127 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (onion services): - - Unless we have explicitly set HiddenServiceVersion, detect the onion - service version and then look for invalid options. Previously, we - did the reverse, but that broke existing configs which were pointed - to a v2 hidden service and had options like HiddenServiceAuthorizeClient - set Fixes bug 28127; bugfix on 0.3.5.1-alpha. Patch by Neel Chauhan. - diff --git a/changes/bug28183 b/changes/bug28183 deleted file mode 100644 index 8d35dcdc01..0000000000 --- a/changes/bug28183 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (Linux seccomp2 sandbox): - - Permit the "shutdown()" system call, which is apparently - used by OpenSSL under some circumstances. Fixes bug 28183; - bugfix on 0.2.5.1-alpha. 
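Review bot: In changes/bug28183, the only justification given for allowing shutdown() through the Linux seccomp2 sandbox is that it is "apparently used by OpenSSL under some circumstances". An allowlist exception should be traceable to a concrete caller, so the text carried into the ChangeLog should name the OpenSSL code path or version that issues the call, or point at where in ticket 28183 that was established. That lets a later audit of the sandbox rules decide whether the exception is still needed.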
diff --git a/changes/bug28202 b/changes/bug28202 deleted file mode 100644 index 182daac4f1..0000000000 --- a/changes/bug28202 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (C correctness): - - Avoid undefined behavior in an end-of-string check when parsing the - BEGIN line in a directory object. Fixes bug 28202; bugfix on - 0.2.0.3-alpha. diff --git a/changes/bug28245 b/changes/bug28245 deleted file mode 100644 index d7e6deb810..0000000000 --- a/changes/bug28245 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (OpenSSL, portability): - - Fix our usage of named groups when running as a TLS 1.3 client in - OpenSSL 1.1.1. Previously, we only initialized EC groups when running - as a server, which caused clients to fail to negotiate TLS 1.3 with - relays. Fixes bug 28245; bugfix on 0.2.9.15 when TLS 1.3 support was - added. diff --git a/changes/bug28298 b/changes/bug28298 deleted file mode 100644 index 8db340f3df..0000000000 --- a/changes/bug28298 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (configuration): - - Resume refusing to start with relative file paths and RunAsDaemon - set (regression from the fix for bug 22731). Fixes bug 28298; - bugfix on 0.3.3.1-alpha. diff --git a/changes/bug28303 b/changes/bug28303 deleted file mode 100644 index 80f1302e5e..0000000000 --- a/changes/bug28303 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation): - - Fix a pair of missing headers on OpenBSD. Fixes bug 28303; - bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. diff --git a/changes/bug28348_034 b/changes/bug28348_034 deleted file mode 100644 index 3913c03a4c..0000000000 --- a/changes/bug28348_034 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (embedding, main loop): - - When DisableNetwork becomes set, actually disable periodic events that - are already enabled. (Previously, we would refrain from enabling new - ones, but we would leave the old ones turned on.) - Fixes bug 28348; bugfix on 0.3.4.1-alpha. 
diff --git a/changes/bug28399 b/changes/bug28399 deleted file mode 100644 index 9096db70b0..0000000000 --- a/changes/bug28399 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (continuous integration, Windows): - - Stop using an external OpenSSL install, and stop installing MSYS2 - packages, when building using mingw on Appveyor Windows CI. - Fixes bug 28399; bugfix on 0.3.4.1-alpha. diff --git a/changes/bug28413 b/changes/bug28413 deleted file mode 100644 index 4c88bea7e7..0000000000 --- a/changes/bug28413 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): - - Initialize a variable in aes_new_cipher(), since some compilers - cannot tell that we always initialize it before use. Fixes bug 28413; - bugfix on 0.2.9.3-alpha. diff --git a/changes/bug28419 b/changes/bug28419 deleted file mode 100644 index 52ceb0a2a7..0000000000 --- a/changes/bug28419 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (memory leaks): - - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419; - bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.
\ No newline at end of file diff --git a/changes/bug28435 b/changes/bug28435 deleted file mode 100644 index 2a886cb8b7..0000000000 --- a/changes/bug28435 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (documentation): - - Make Doxygen work again after the 0.3.5 source tree moves. - Fixes bug 28435; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug28441 b/changes/bug28441 deleted file mode 100644 index d259b9f742..0000000000 --- a/changes/bug28441 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (logging): - - Stop talking about the Named flag in log messages. Clients have - ignored the Named flag since 0.3.2. Fixes bug 28441; - bugfix on 0.3.2.1-alpha. diff --git a/changes/bug28454 b/changes/bug28454 deleted file mode 100644 index ca46ae2777..0000000000 --- a/changes/bug28454 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (continuous integration, Windows): - - Manually configure the zstd compiler options, when building using - mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does not - come with a pkg-config file. Fixes bug 28454; bugfix on 0.3.4.1-alpha. diff --git a/changes/bug28485 b/changes/bug28485 deleted file mode 100644 index a8309ae21f..0000000000 --- a/changes/bug28485 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation): - - Add missing dependency on libgdi32.dll for tor-print-ed-signing-cert.exe - on Windows. Fixes bug 28485; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug28524 b/changes/bug28524 deleted file mode 100644 index 1cad700422..0000000000 --- a/changes/bug28524 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (restart-in-process, boostrap): - - Add missing resets of bootstrap tracking state when shutting - down (regression caused by ticket 27169). Fixes bug 28524; - bugfix on 0.3.5.1-alpha. diff --git a/changes/bug28525 b/changes/bug28525 deleted file mode 100644 index 988ffb2192..0000000000 --- a/changes/bug28525 +++ /dev/null 
@@ -1,7 +0,0 @@ - o Minor features (address selection): - - Make Tor aware of the RFC 6598 (Carrier Grade NAT) IP range, which is the - subnet 100.64.0.0/10. This is deployed by many ISPs as an alternative to - RFC 1918 that does not break existing internal networks. This patch fixes - security issues caused by RFC 6518 by blocking control ports on these - addresses and warns users if client ports or ExtORPorts are listening on - a RFC 6598 address. Closes ticket 28525. Patch by Neel Chauhan. diff --git a/changes/bug28554 b/changes/bug28554 deleted file mode 100644 index 9a0b281406..0000000000 --- a/changes/bug28554 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (unit tests, guard selection): - - Stop leaking memory in an entry guard unit test. Fixes bug 28554; - bugfix on 0.3.0.1-alpha. diff --git a/changes/bug28562 b/changes/bug28562 deleted file mode 100644 index e14362164d..0000000000 --- a/changes/bug28562 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (testing): - - Use a separate DataDirectory for the test_rebind script. - Previously, this script would run using the default DataDirectory, - and sometimes fail. Fixes bug 28562; bugfix on 0.3.5.1-alpha. - Patch from Taylor R Campbell. diff --git a/changes/bug28568 b/changes/bug28568 deleted file mode 100644 index 919ec08903..0000000000 --- a/changes/bug28568 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (testing): - - Stop running stem's unit tests as part of "make test-stem". But continue - to run stem's unit and online tests during "make test-stem-full". - Fixes bug 28568; bugfix on 0.2.6.3-alpha. diff --git a/changes/bug28569 b/changes/bug28569 deleted file mode 100644 index 45a57a80ae..0000000000 --- a/changes/bug28569 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (unit tests, directory clients): - - Mark outdated dirservers when Tor only has a reasonably live consensus. - Fixes bug 28569; bugfix on 0.3.2.5-alpha. 
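Review bot: In changes/bug28525, the sentence "This patch fixes security issues caused by RFC 6518" cites a different RFC number from the rest of the entry, which names RFC 6598 and 100.64.0.0/10 both before and after it. It reads as a typo for RFC 6598 and should be corrected wherever this text ends up in the ChangeLog. The entry is also headed "Minor features" while describing the blocking of control ports on these addresses as a security fix, so consider a heading that operators scanning for security-relevant changes will not skip.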
diff --git a/changes/bug28612 b/changes/bug28612 deleted file mode 100644 index 559f254234..0000000000 --- a/changes/bug28612 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (windows services): - - Make Tor start correctly as an NT service again: previously it - was broken by refactoring. Fixes bug 28612; bugfix on 0.3.5.3-alpha. - diff --git a/changes/bug28619 b/changes/bug28619 deleted file mode 100644 index 86be8cb2fb..0000000000 --- a/changes/bug28619 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (hidden service v3): - - When deleting an ephemeral onion service (DEL_ONION), do not close any - rendezvous circuits in order to let the existing client connections - finish by themselves or closed by the application. The HS v2 is doing - that already so now we have the same behavior for all versions. Fixes - bug 28619; bugfix on 0.3.3.1-alpha. diff --git a/changes/bug28656 b/changes/bug28656 deleted file mode 100644 index d3a13d196c..0000000000 --- a/changes/bug28656 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (logging): - - Stop logging a BUG() warning when tor is waiting for exit descriptors. - Fixes bug 28656; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug28698 b/changes/bug28698 deleted file mode 100644 index 716aa0c552..0000000000 --- a/changes/bug28698 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfix (logging): - - Avoid logging about relaxing circuits when their time is fixed. - Fixes bug 28698; bugfix on 0.2.4.7-alpha diff --git a/changes/bug28895 b/changes/bug28895 deleted file mode 100644 index 25fb167b2e..0000000000 --- a/changes/bug28895 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (usability): - - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate() - as that confusingly suggests that mentioned guard node is under control - and responsibility of end user, which it is not. Fixes bug 28895; - bugfix on Tor 0.3.0.1-alpha. diff --git a/changes/bug28920 b/changes/bug28920 deleted file mode 100644 index e698686a6d..0000000000 
--- a/changes/bug28920 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (logging): - - Rework rep_hist_log_link_protocol_counts() to iterate through all link - protocol versions when logging incoming/outgoing connection counts. Tor - no longer skips version 5 and we don't have to remember to update this - function when new link protocol version is developed. Fixes bug 28920; - bugfix on 0.2.6.10. diff --git a/changes/bug28938 b/changes/bug28938 deleted file mode 100644 index de6c5f7b79..0000000000 --- a/changes/bug28938 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): - - Fix missing headers required for proper detection of - OpenBSD. Fixes bug 28938; bugfix on 0.3.5.1-alpha. - Patch from Kris Katterjohn. diff --git a/changes/bug28974 b/changes/bug28974 deleted file mode 100644 index 2d74f5674f..0000000000 --- a/changes/bug28974 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation): - - Fix compilation for Android by adding a missing header to - freespace.c. Fixes bug 28974; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug28979 b/changes/bug28979 deleted file mode 100644 index 0625fd5d25..0000000000 --- a/changes/bug28979 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (documentation): - - Describe the contents of the v3 onion service client authorization - files correctly: They hold public keys, not private keys. Fixes bug - 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix". diff --git a/changes/bug28981 b/changes/bug28981 deleted file mode 100644 index c0ea92ab35..0000000000 --- a/changes/bug28981 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (misc): - - The amount of total available physical memory is now determined - using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM) - when it is defined and a 64-bit variant is not available. Fixes - bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn. diff --git a/changes/bug28995 b/changes/bug28995 deleted file mode 100644 index f76b6a085a..0000000000 
--- a/changes/bug28995 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfix (IPv6): - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, - the IPv6 socket was bound using an address family of AF_INET - instead of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. - Patch from Kris Katterjohn. diff --git a/changes/bug29017 b/changes/bug29017 deleted file mode 100644 index 5c4a53c43f..0000000000 --- a/changes/bug29017 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (stats): - - When ExtraInfoStatistics is 0, stop including PaddingStatistics in - relay and bridge extra-info documents. Fixes bug 29017; - bugfix on 0.3.1.1-alpha. diff --git a/changes/bug29029 b/changes/bug29029 deleted file mode 100644 index e100a8c2ed..0000000000 --- a/changes/bug29029 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (logging, onion services): - - Stop logging "Tried to establish rendezvous on non-OR circuit..." as - a warning. Instead, log it as a protocol warning, because there is - nothing that relay operators can do to fix it. Fixes bug 29029; - bugfix on 0.2.5.7-rc. diff --git a/changes/bug29034 b/changes/bug29034 deleted file mode 100644 index e7aa9af00b..0000000000 --- a/changes/bug29034 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (Onion service reachability): - - Properly clean up the introduction point map when circuits change purpose - from onion service circuits to pathbias, measurement, or other circuit types. - This should fix some service-side instances of introduction point failure. - Fixes bug 29034; bugfix on 0.3.2.1-alpha. diff --git a/changes/bug29036 b/changes/bug29036 deleted file mode 100644 index 8b96c5c8fa..0000000000 --- a/changes/bug29036 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Minor bugfix (continuous integration): - - Reset coverage state on disk after Travis CI has finished. This is being - done to prevent future gcda file merge errors which causes the test suite - for the process subsystem to fail. The process subsystem was introduced - in 0.4.0.1-alpha. Fixes bug 29036; bugfix on 0.2.9.15. diff --git a/changes/bug29040 b/changes/bug29040 deleted file mode 100644 index 0662aaa8a5..0000000000 --- a/changes/bug29040 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (onion services): - - Avoid crashing if ClientOnionAuthDir (incorrectly) contains - more than one private key for a hidden service. Fixes bug 29040; - bugfix on 0.3.5.1-alpha. diff --git a/changes/bug29042 b/changes/bug29042 deleted file mode 100644 index 8d76939cea..0000000000 --- a/changes/bug29042 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (logging): - - Log more information at "warning" level when unable to read a private - key; log more information ad "info" level when unable to read a public - key. We had warnings here before, but they were lost during our - NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug29135 b/changes/bug29135 deleted file mode 100644 index fd7b1ae80e..0000000000 --- a/changes/bug29135 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (onion services, logging): - - In hs_cache_store_as_client() log an HSDesc we failed to parse at Debug - loglevel. Tor used to log it at Warning loglevel, which caused - very long log lines to appear for some users. Fixes bug 29135; bugfix on - 0.3.2.1-alpha. diff --git a/changes/bug29144 b/changes/bug29144 deleted file mode 100644 index 5801224f14..0000000000 --- a/changes/bug29144 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Minor bugfixes (logging): - - Log the correct port number for listening sockets when "auto" is - used to let Tor pick the port number. Previously, port 0 was - logged instead of the actual port number. Fixes bug 29144; - bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn. diff --git a/changes/bug29145 b/changes/bug29145 deleted file mode 100644 index 40d3da4b91..0000000000 --- a/changes/bug29145 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation, testing): - - Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes - bug 29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn. diff --git a/changes/bug29161 b/changes/bug29161 deleted file mode 100644 index 39a638acf6..0000000000 --- a/changes/bug29161 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (tests): - - Detect and suppress "bug" warnings from the util/time test on Windows. - Fixes bug 29161; bugfix on 0.2.9.3-alpha. diff --git a/changes/bug29175_035 b/changes/bug29175_035 deleted file mode 100644 index 134c1d9529..0000000000 --- a/changes/bug29175_035 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (networking): - - Gracefully handle empty username/password fields in SOCKS5 - username/password auth messsage and allow SOCKS5 handshake to - continue. Fixes bug 29175; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug29241 b/changes/bug29241 deleted file mode 100644 index 7f25e154d1..0000000000 --- a/changes/bug29241 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (NSS, relay): - - When running with NSS, disable TLS 1.2 ciphersuites that use SHA384 - for their PRF. Due to an NSS bug, the TLS key exporters for these - ciphersuites don't work -- which caused relays to fail to handshake - with one another when these ciphersuites were enabled. - Fixes bug 29241; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug29244 b/changes/bug29244 deleted file mode 100644 index 6206a95463..0000000000 --- a/changes/bug29244 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor bugfixes (build, compatibility): - - Update Cargo.lock file to match the version made by the latest - version of Rust, so that "make distcheck" will pass again. - Fixes bug 29244; bugfix on 0.3.3.4-alpha. diff --git a/changes/bug29530_035 b/changes/bug29530_035 deleted file mode 100644 index 6dfcd51e7b..0000000000 --- a/changes/bug29530_035 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (testing): - - Downgrade some LOG_ERR messages in the address/* tests to warnings. - The LOG_ERR messages were occurring when we had no configured network. - We were failing the unit tests, because we backported 28668 to 0.3.5.8, - but did not backport 29530. Fixes bug 29530; bugfix on 0.3.5.8. diff --git a/changes/bug29599 b/changes/bug29599 deleted file mode 100644 index 14e2f5d077..0000000000 --- a/changes/bug29599 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (memory management, testing): - - Stop leaking parts of the shared random state in the shared-random unit - tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha. diff --git a/changes/bug29601 b/changes/bug29601 deleted file mode 100644 index c4ba5fbc8b..0000000000 --- a/changes/bug29601 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (Windows, CI): - - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit Windows - Server 2012 R2 job. The remaining 2 jobs still provide coverage of - 64/32-bit, and Windows Server 2016/2012 R2. Also set fast_finish, so - failed jobs terminate the build immediately. - Fixes bug 29601; bugfix on 0.3.5.4-alpha. diff --git a/changes/bug29665 b/changes/bug29665 deleted file mode 100644 index d89046faf5..0000000000 --- a/changes/bug29665 +++ /dev/null 
@@ -1,7 +0,0 @@ - o Minor bugfixes (single onion services): - - Allow connections to single onion services to remain idle without - being disconnected. Relays acting as rendezvous points for - single onion services were mistakenly closing idle established - rendezvous circuits after 60 seconds, thinking that they are unused - directory-fetching circuits that had served their purpose. Fixes - bug 29665; bugfix on 0.2.1.26. diff --git a/changes/bug29670 b/changes/bug29670 deleted file mode 100644 index 00b0c33327..0000000000 --- a/changes/bug29670 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (configuration, proxies): - - Fix a bug that prevented us from supporting SOCKS5 proxies that want - authentication along with configued (but unused!) - ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha. diff --git a/changes/bug29703 b/changes/bug29703 deleted file mode 100644 index 0e17ee45e6..0000000000 --- a/changes/bug29703 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (testing): - - Backport the 0.3.4 src/test/test-network.sh to 0.2.9. - We need a recent test-network.sh to use new chutney features in CI. - Fixes bug 29703; bugfix on 0.2.9.1-alpha. diff --git a/changes/bug29706_minimal b/changes/bug29706_minimal deleted file mode 100644 index 9d4a43326c..0000000000 --- a/changes/bug29706_minimal +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (memory management, testing): - - Stop leaking parts of the shared random state in the shared-random unit - tests. The previous fix in 29599 was incomplete. - Fixes bug 29706; bugfix on 0.2.9.1-alpha. diff --git a/changes/bug29819 b/changes/bug29819 deleted file mode 100644 index d37ac83d66..0000000000 --- a/changes/bug29819 +++ /dev/null 
@@ -1,8 +0,0 @@ - o Minor bugfixes (linux seccomp sandbox): - - Correct how we use libseccomp. Particularly, stop assuming that - rules are applied in a particular order or that more rules are - processed after the first match. Neither is the case! In libseccomp - <2.4.0 this lead to some rules having no effect. Libseccomp 2.4.0 - changed how rules are generated leading to a different ordering - which in turn lead to a fatal crash during startup. Fixes bug - 29819; bugfix on 0.2.5.1-alpha. Patch by Peter Gerber. diff --git a/changes/bug29875 b/changes/bug29875 deleted file mode 100644 index 58a1c871cd..0000000000 --- a/changes/bug29875 +++ /dev/null @@ -1,11 +0,0 @@ - o Major bugfixes (bridges): - - Do not count previously configured working bridges towards our total of - working bridges. Previously, when Tor's list of bridges changed, it - would think that the old bridges were still usable, and delay fetching - router descriptors for the new ones. Fixes part of bug 29875; bugfix - on 0.3.0.1-alpha. - - Consider our directory information to have changed when our list of - bridges changes. Previously, Tor would not re-compute the status of its - directory information when bridges changed, and therefore would not - realize that it was no longer able to build circuits. Fixes part of bug - 29875. diff --git a/changes/bug29922 b/changes/bug29922 deleted file mode 100644 index dacb951097..0000000000 --- a/changes/bug29922 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (testing, windows): - - Fix a test failure caused by an unexpected bug warning in - our test for tor_gmtime_r(-1). Fixes bug 29922; - bugfix on 0.2.9.3-alpha. diff --git a/changes/bug30011 b/changes/bug30011 deleted file mode 100644 index 4c9069e291..0000000000 --- a/changes/bug30011 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor bugfixes (CI): - - Terminate test-stem if it takes more than 9.5 minutes to run. - (Travis terminates the job after 10 minutes of no output.) - Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha. diff --git a/changes/bug30021 b/changes/bug30021 deleted file mode 100644 index 2a887f3cf2..0000000000 --- a/changes/bug30021 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes (TLS protocol, integration tests): - - When classifying a client's selection of TLS ciphers, if the client - ciphers are not yet available, do not cache the result. Previously, - we had cached the unavailability of the cipher list and never looked - again, which in turn led us to assume that the client only supported - the ancient V1 link protocol. This, in turn, was causing Stem - integration tests to stall in some cases. - Fixes bug 30021; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug30040 b/changes/bug30040 deleted file mode 100644 index 7d80528a10..0000000000 --- a/changes/bug30040 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor bugfixes (security): - - Fix a potential double free bug when reading huge bandwidth files. The - issue is not exploitable in the current Tor network because the - vulnerable code is only reached when directory authorities read bandwidth - files, but bandwidth files come from a trusted source (usually the - authorities themselves). Furthermore, the issue is only exploitable in - rare (non-POSIX) 32-bit architectures which are not used by any of the - current authorities. Fixes bug 30040; bugfix on 0.3.5.1-alpha. Bug found - and fixed by Tobias Stoeckmann. diff --git a/changes/bug30041 b/changes/bug30041 deleted file mode 100644 index 801c8f67ac..0000000000 --- a/changes/bug30041 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Minor bugfixes (hardening): - - Verify in more places that we are not about to create a buffer - with more than INT_MAX bytes, to avoid possible OOB access in the event - of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and fixed by - Tobias Stoeckmann. diff --git a/changes/bug30148 b/changes/bug30148 deleted file mode 100644 index 7d0257e3fe..0000000000 --- a/changes/bug30148 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (memory leak): - - Avoid a minor memory leak that could occur on relays when - creating a keys directory failed. Fixes bug 30148; bugfix on - 0.3.3.1-alpha. diff --git a/changes/bug30189 b/changes/bug30189 deleted file mode 100644 index f8c932a5f9..0000000000 --- a/changes/bug30189 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation, unusual configuration): - - Avoid failures when building with ALL_BUGS_ARE_FAILED due to - missing declarations of abort(), and prevent other such failures - in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha. diff --git a/changes/bug30190 b/changes/bug30190 deleted file mode 100644 index e2352c3b9c..0000000000 --- a/changes/bug30190 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (lib): - do not log a warning for OpenSSL versions that should be compatible - Fixes bug 30190; bugfix on 0.2.4.2-alpha diff --git a/changes/bug30316 b/changes/bug30316 deleted file mode 100644 index 3e396318ad..0000000000 --- a/changes/bug30316 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (directory authority): - - Move the "bandwidth-file-headers" line in directory authority votes - so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix on - 0.3.5.1-alpha. diff --git a/changes/bug30344 b/changes/bug30344 deleted file mode 100644 index 37561bf944..0000000000 --- a/changes/bug30344 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor bugfixes (connection): - - Avoid reading data from closed connections, which can cause needless - loops in libevent and infinite loops in Shadow. Fixes bug 30344; bugfix - on 0.1.1.1-alpha. diff --git a/changes/bug30452 b/changes/bug30452 deleted file mode 100644 index 2bb401d87d..0000000000 --- a/changes/bug30452 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (compile-time modules): - - Add a --list-modules command to print a list of which compile-time - modules are enabled. Closes ticket 30452. diff --git a/changes/bug30475 b/changes/bug30475 deleted file mode 100644 index 839597b885..0000000000 --- a/changes/bug30475 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (): - - Avoid a GCC 9.1.1 warning (and possible crash depending on libc - implemenation) when failing to load a hidden service client authorization - file. Fixes bug 30475; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug30561 b/changes/bug30561 deleted file mode 100644 index afb3f02c62..0000000000 --- a/changes/bug30561 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (portability): - - Avoid crashing in our tor_vasprintf() implementation on systems that - define neither vasprintf() nor _vscprintf(). (This bug has been here - long enough that we question whether people are running Tor on such - systems, but we're applying the fix out of caution.) Fixes bug 30561; - bugfix on 0.2.8.2-alpha. Found and fixed by Tobias Stoeckmann. diff --git a/changes/bug30713 b/changes/bug30713 deleted file mode 100644 index e00b98da65..0000000000 --- a/changes/bug30713 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (testing): - - Skip test_rebind when the TOR_SKIP_TEST_REBIND environmental variable is - set. Fixes bug 30713; bugfix on 0.3.5.1-alpha. - - Skip test_rebind on macOS in Travis, because it is unreliable on - macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug30744 b/changes/bug30744 deleted file mode 100644 index 9f07d4855f..0000000000 
--- a/changes/bug30744 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (continuous integration): - - Allow the test-stem job to fail in Travis, because it sometimes hangs. - Fixes bug 30744; bugfix on 0.3.5.4-alpha. diff --git a/changes/bug30781 b/changes/bug30781 deleted file mode 100644 index 7c7adf470e..0000000000 --- a/changes/bug30781 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (directory authorities): - - Stop crashing after parsing an unknown descriptor purpose annotation. - We think this bug can only be triggered by modifying a local file. - Fixes bug 30781; bugfix on 0.2.0.8-alpha. diff --git a/changes/bug30894 b/changes/bug30894 deleted file mode 100644 index 64c14c4e6d..0000000000 --- a/changes/bug30894 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (memory leaks): - - Fix a trivial memory leak when parsing an invalid value - from a download schedule in the configuration. Fixes bug - 30894; bugfix on 0.3.4.1-alpha. diff --git a/changes/bug30916 b/changes/bug30916 deleted file mode 100644 index b006bfc75d..0000000000 --- a/changes/bug30916 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (relay): - - Avoid crashing when starting with a corrupt keys directory where - the old ntor key and the new ntor key are identical. Fixes bug 30916; - bugfix on 0.2.4.8-alpha. diff --git a/changes/bug31003 b/changes/bug31003 deleted file mode 100644 index 6c75163380..0000000000 --- a/changes/bug31003 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (crash on exit): - - Avoid a set of possible code paths that could use try to use freed memory - in routerlist_free() while Tor was exiting. Fixes bug 31003; bugfix on - 0.1.2.2-alpha. diff --git a/changes/bug31036 b/changes/bug31036 deleted file mode 100644 index d9921dba43..0000000000 --- a/changes/bug31036 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (windows): - - Fix a bug that prevented Tor from starting if its log file - grew above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha. 
diff --git a/changes/bug31107 b/changes/bug31107 deleted file mode 100644 index 9652927c30..0000000000 --- a/changes/bug31107 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (logging, protocol violations): - - Do not log a nonfatal assertion failure when receiving a VERSIONS - cell on a connection using the obsolete v1 link protocol. Log a - protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha. diff --git a/changes/bug31343 b/changes/bug31343 deleted file mode 100644 index 17a8057ead..0000000000 --- a/changes/bug31343 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor bugfixes (compilation): - - Avoid using labs() on time_t, which can cause compilation warnings - on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha. - - o Minor bugfixes (clock skew detection): - - Don't believe clock skew results from NETINFO cells that appear to - arrive before the VERSIONS cells they are responding to were sent. - Previously, we would accept them up to 3 minutes "in the past". - Fixes bug 31343; bugfix on 0.2.4.4-alpha. diff --git a/changes/bug31408 b/changes/bug31408 deleted file mode 100644 index 3e4ffa927d..0000000000 --- a/changes/bug31408 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (torrc): - - Stop ignoring torrc options after an %include directive, when the - included directory ends with a file that does not contain any config - options. (But does contain comments or whitespace.) - Fixes bug 31408; bugfix on 0.3.1.1-alpha. diff --git a/changes/bug31463 b/changes/bug31463 deleted file mode 100644 index d85c0887c3..0000000000 --- a/changes/bug31463 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (rust): - - Correctly exclude a redundant rust build job in Travis. Fixes bug 31463; - bugfix on 0.3.5.4-alpha. diff --git a/changes/bug31571 b/changes/bug31571 deleted file mode 100644 index 86de3537ba..0000000000 --- a/changes/bug31571 +++ /dev/null 
@@ -1,7 +0,0 @@ - o Minor bugfixes (error handling): - - Report the tor version whenever an assertion fails. Previously, we only - reported the Tor version on some crashes, and some non-fatal assertions. - Fixes bug 31571; bugfix on 0.3.5.1-alpha. - - On abort, try harder to flush the output buffers of log messages. On - some platforms (macOS), log messages can be discarded when the process - terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug31657 b/changes/bug31657 deleted file mode 100644 index 08e9d95fdf..0000000000 --- a/changes/bug31657 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (guards): - - When tor is missing descriptors for some primary entry guards, make the - log message less alarming. It's normal for descriptors to expire, as long - as tor fetches new ones soon after. Fixes bug 31657; - bugfix on 0.3.3.1-alpha. diff --git a/changes/bug31837 b/changes/bug31837 deleted file mode 100644 index 0f976edfe0..0000000000 --- a/changes/bug31837 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (testing): - - When testing port rebinding, don't busy-wait for tor to log. Instead, - actually sleep for a short time before polling again. Also improve the - formatting of control commands and log messages. - Fixes bug 31837; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug31884 b/changes/bug31884 deleted file mode 100644 index ddb6c50d74..0000000000 --- a/changes/bug31884 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (Appveyor CI): - - Avoid spurious errors when Appveyor CI fails before the install step. - Fixes bug 31884; bugfix on 0.3.4.2-alpha. diff --git a/changes/bug31939 b/changes/bug31939 deleted file mode 100644 index a36ea495d6..0000000000 --- a/changes/bug31939 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (tls, logging): - - Log TLS read buffer length bugs once, rather than filling the logs - with similar warnings. Fixes bug 31939; bugfix on 0.3.0.4-rc. 
diff --git a/changes/bug32449 b/changes/bug32449 deleted file mode 100644 index 213d8a1014..0000000000 --- a/changes/bug32449 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (CI, appveyor): - - Install the mingw OpenSSL package in Appveyor. This makes sure that - the OpenSSL headers and libraries match in Tor's Appveyor builds. - (This bug was triggered by an Appveyor image update.) - Fixes bug 32449; bugfix on 0.3.5.6-rc. diff --git a/changes/bug32588 b/changes/bug32588 deleted file mode 100644 index f31f2ce1ad..0000000000 --- a/changes/bug32588 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (relays): - - Stop advertising incorrect IPv6 ORPorts in relay and bridge descriptors, - when the IPv6 port was configured as "auto". - Fixes bug 32588; bugfix on 0.2.3.9-alpha diff --git a/changes/bug32753 b/changes/bug32753 deleted file mode 100644 index 6f59c7729d..0000000000 --- a/changes/bug32753 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (bridges): - - Lowercase the value of BridgeDistribution from torrc before adding it to - the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha. diff --git a/changes/bug32884 b/changes/bug32884 deleted file mode 100644 index 9ab1d24464..0000000000 --- a/changes/bug32884 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (embedded Tor): - - When starting Tor any time after the first time in a process, register - the thread in which it is running as the main thread. Previously, we - only did this on Windows, which could lead to bugs like 23081 on - non-Windows platforms. Fixes bug 32884; bugfix on 0.3.3.1-alpha. diff --git a/changes/bug33032 b/changes/bug33032 deleted file mode 100644 index 0c665f25df..0000000000 --- a/changes/bug33032 +++ /dev/null 
@@ -1,6 +0,0 @@ - o Minor bugfixes (key portability): - - When reading PEM-encoded key data, tolerate CRLF line-endings even if - we are not running on Windows. Previously, non-Windows hosts - would reject these line-endings in certain positions, making - certain key files hard to move from one host to another. - Fixes bug 33032; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug33093_logging b/changes/bug33093_logging deleted file mode 100644 index e26e4a64af..0000000000 --- a/changes/bug33093_logging +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (logging): - - If we encounter a bug when flushing a buffer to a TLS connection, - only log the bug once per invocation of the Tor process. Previously we - would log with every occurrence, which could cause us to run out of - disk space. Fixes bug 33093; bugfix on 0.3.2.2-alpha. diff --git a/changes/bug33119 b/changes/bug33119 deleted file mode 100644 index c976654b26..0000000000 --- a/changes/bug33119 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (NSS): - - Fix out-of-bound memory access in `tor_tls_cert_matches_key()` when Tor is - compiled with NSS support. Fixes bug 33119; bugfix on 0.3.5.1-alpha. This - issue is also tracked as TROVE-2020-001. diff --git a/changes/bug33673 b/changes/bug33673 deleted file mode 100644 index 37c00f2e6e..0000000000 --- a/changes/bug33673 +++ /dev/null @@ -1,6 +0,0 @@ - o Testing: - - In our Appveyor Windows CI, copy required DLLs to test and app, before - running tor's tests. This ensures that tor.exe and test*.exe use the - correct version of each DLL. This fix is not required, but we hope it - will avoid DLL search issues in future. - Fixes bug 33673; bugfix on 0.3.4.2-alpha. diff --git a/changes/bug33781 b/changes/bug33781 deleted file mode 100644 index 9f63ab0a2c..0000000000 --- a/changes/bug33781 +++ /dev/null 
@@ -1,7 +0,0 @@ - o Minor bugfixes (compatibility): - - Strip '\r' characters when reading text files on Unix platforms. - This should resolve an issue where a relay operator migrates a relay from - Windows to Unix, but does not change the line ending of Tor's various state - files to match the platform, the CRLF line endings from Windows ends up leaking - into other files such as the extra-info document. Fixes bug 33781; bugfix on - 0.0.9pre5. diff --git a/changes/bug34078 b/changes/bug34078 deleted file mode 100644 index 1015d24547..0000000000 --- a/changes/bug34078 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (compiler compatibility): - - Avoid compiler warnings from Clang 10 related to the use of - GCC-style "/* falls through */" comments. Both Clang and GCC allow - __attribute__((fallthrough)) instead, so that's what we're using now. - Fixes bug 34078; bugfix on 0.3.1.3-alpha. diff --git a/changes/bug34303 b/changes/bug34303 deleted file mode 100644 index dce57f4646..0000000000 --- a/changes/bug34303 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (client performance): - - Resume being willing to use preemptively-built circuits when - UseEntryGuards is set to 0. We accidentally disabled this feature - with that config setting, leading to slower load times. Fixes bug - 34303; bugfix on 0.3.3.2-alpha. diff --git a/changes/bug40028 b/changes/bug40028 deleted file mode 100644 index cfd1ffe516..0000000000 --- a/changes/bug40028 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compiler warnings): - - Fix a compiler warning on platforms with 32-bit time_t values. - Fixes bug 40028; bugfix on 0.3.2.8-rc. diff --git a/changes/bug40076 b/changes/bug40076 deleted file mode 100644 index 9ef5969ae8..0000000000 --- a/changes/bug40076 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Minor bugfixes (correctness, buffers): - - Fix a correctness bug that could cause an assertion failure if we ever - tried using the buf_move_all() function with an empty input. - As far as we know, no released versions of Tor do this. - Fixes bug 40076; bugfix on 0.3.3.1-alpha. diff --git a/changes/bug40078 b/changes/bug40078 deleted file mode 100644 index 717309e076..0000000000 --- a/changes/bug40078 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfix (crypto): - - Disable the unused batch verification feature of ed25519-donna. Fixes - bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
\ No newline at end of file diff --git a/changes/bug40080 b/changes/bug40080 deleted file mode 100644 index 8162466354..0000000000 --- a/changes/bug40080 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (security): - - When completing a channel, relays now check more thoroughly to make - sure that it matches any pending circuits before attaching those - circuits. Previously, address correctness and Ed25519 identities were not - checked in this case, but only when extending circuits on an existing - channel. Fixes bug 40080; bugfix on 0.2.7.2-alpha. diff --git a/changes/bug40099 b/changes/bug40099 deleted file mode 100644 index 278ede2023..0000000000 --- a/changes/bug40099 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (tests): - - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run on - its own. Previously, it would exit with an error. - Fixes bug 40099; bugfix on 0.2.8.1-alpha. diff --git a/changes/bug40113 b/changes/bug40113 deleted file mode 100644 index adf4634097..0000000000 --- a/changes/bug40113 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation): - - Resolve a compilation warning that could occur in test_connection.c. - Fixes bug 40113; bugfix on 0.2.9.3-alpha. diff --git a/changes/bug40117 b/changes/bug40117 deleted file mode 100644 index 77646edf9c..0000000000 --- a/changes/bug40117 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (stats, onion services): - - Fix a bug where we were undercounting the Tor network's total onion - service traffic, by only counting rendezvous traffic originating from - services and ignoring any traffic originating from clients. Fixes bug - 40117; bugfix on 0.2.6.2-alpha. diff --git a/changes/bug40179_part1 b/changes/bug40179_part1 deleted file mode 100644 index c302373534..0000000000 --- a/changes/bug40179_part1 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor bugfixes (testing, portability): - - Fix our Python reference-implementation for the v3 onion service - handshake so that it works correctly with the version of hashlib provided - by Python 3.9. Fixes part of bug 40179; bugfix on 0.3.1.6-rc. diff --git a/changes/bug40190 b/changes/bug40190 deleted file mode 100644 index 0f3d6941dc..0000000000 --- a/changes/bug40190 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (SOCKS5): - - Handle partial socks5 messages correctly. Previously, our code would - send an incorrect error message if it got a socks5 request that wasn't - complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug40210 b/changes/bug40210 deleted file mode 100644 index f492262a11..0000000000 --- a/changes/bug40210 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (crypto): - - Fix undefined behavior on our Keccak library. The bug only appears on - platforms with 32-byte CPU cache lines (e.g. armv5tel) and would result - in wrong digests. Fixes bug 40210; bugfix on 0.2.8.1-alpha. Thanks to - Bernhard Ãœbelacker, Arnd Bergmann and weasel for diagnosing this. diff --git a/changes/bug40316 b/changes/bug40316 deleted file mode 100644 index cd275b5c9c..0000000000 --- a/changes/bug40316 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (security, denial of service): - - Fix a bug in appending detached signatures to a pending consensus - document that could be used to crash a directory authority. - Fixes bug 40316; bugfix on 0.2.2.6-alpha. Tracked as - TROVE-2021-002 and CVE-2021-28090. diff --git a/changes/bug40371 b/changes/bug40371 deleted file mode 100644 index 8cc7117f9f..0000000000 --- a/changes/bug40371 +++ /dev/null 
@@ -1,6 +0,0 @@ - o Minor bugfixes (compatibility): - - Fix compatibility with the most recent Libevent versions, which - no longer have an evdns_set_random_bytes() function. Because - this function has been a no-op since Libevent 2.0.4-alpha, - it is safe for us to just stop calling it. Fixes bug 40371; - bugfix on 0.2.1.7-alpha. diff --git a/changes/bug40380 b/changes/bug40380 deleted file mode 100644 index 24d2876b7d..0000000000 --- a/changes/bug40380 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compiler warnings): - - Fix an indentation problem that led to a warning from GCC 11.1.1. - Fixes bug 40380; bugfix on 0.3.0.1-alpha. diff --git a/changes/bug40391 b/changes/bug40391 deleted file mode 100644 index e3c186275f..0000000000 --- a/changes/bug40391 +++ /dev/null @@ -1,9 +0,0 @@ - o Major bugfixes (security): - - Resist a hashtable-based CPU denial-of-service attack against - relays. Previously we used a naive unkeyed hash function to look up - circuits in a circuitmux object. An attacker could exploit this to - construct circuits with chosen circuit IDs in order to try to create - collisions and make the hash table inefficient. Now we use a SipHash - construction for this hash table instead. Fixes bug 40391; bugfix on - 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005. - Reported by Jann Horn from Google's Project Zero. diff --git a/changes/bug40392 b/changes/bug40392 deleted file mode 100644 index 4dffa50bb2..0000000000 --- a/changes/bug40392 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (security, denial of service, onion services): - - Fix an out-of-bounds memory access in v3 descriptor parsing. Fixes bug - 40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as - TROVE-2021-006. Reported by Sergei Glazunov from Google's Project Zero.
\ No newline at end of file diff --git a/changes/bug40399 b/changes/bug40399 deleted file mode 100644 index 7954b85eaf..0000000000 --- a/changes/bug40399 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (compatibility): - - Remove an assertion function related to TLS renegotiation. - It was used nowhere outside the unit tests, and it was breaking - compilation with recent alpha releases of OpenSSL 3.0.0. - Closes ticket 40399. diff --git a/changes/chutney_ci b/changes/chutney_ci deleted file mode 100644 index b17d587329..0000000000 --- a/changes/chutney_ci +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (continuous integration): - - Our Travis configuration now uses Chutney to run some network - integration tests automatically. Closes ticket 29280. diff --git a/changes/cid1444119 b/changes/cid1444119 deleted file mode 100644 index bb6854e66f..0000000000 --- a/changes/cid1444119 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (C correctness): - - Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug 29824; - bugfix on 0.3.1.1-alpha. This is Coverity warning CID 1444119. diff --git a/changes/doc31089 b/changes/doc31089 deleted file mode 100644 index 2fc0ba4f7d..0000000000 --- a/changes/doc31089 +++ /dev/null @@ -1,4 +0,0 @@ - o Documentation: - - Use RFC 2397 data URL scheme to embed image into tor-exit-notice.html - so that operators would no longer have to host it themselves. - Closes ticket 31089. diff --git a/changes/geoip-2018-11-06 b/changes/geoip-2018-11-06 deleted file mode 100644 index 5c18ea4244..0000000000 --- a/changes/geoip-2018-11-06 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the November 6 2018 Maxmind GeoLite2 - Country database. Closes ticket 28395. - diff --git a/changes/geoip-2018-12-05 b/changes/geoip-2018-12-05 deleted file mode 100644 index 20ccf2d8a5..0000000000 --- a/changes/geoip-2018-12-05 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the December 5 2018 Maxmind GeoLite2 - Country database. Closes ticket 28744. - diff --git a/changes/geoip-2019-01-03 b/changes/geoip-2019-01-03 deleted file mode 100644 index 27ffb7f460..0000000000 --- a/changes/geoip-2019-01-03 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2 - Country database. Closes ticket 29012. - diff --git a/changes/geoip-2019-02-05 b/changes/geoip-2019-02-05 deleted file mode 100644 index 78ee6d4242..0000000000 --- a/changes/geoip-2019-02-05 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2 - Country database. Closes ticket 29478. - diff --git a/changes/geoip-2019-03-04 b/changes/geoip-2019-03-04 deleted file mode 100644 index c8ce5dad5d..0000000000 --- a/changes/geoip-2019-03-04 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the March 4 2019 Maxmind GeoLite2 - Country database. Closes ticket 29666. - diff --git a/changes/geoip-2019-04-02 b/changes/geoip-2019-04-02 deleted file mode 100644 index 7302d939f6..0000000000 --- a/changes/geoip-2019-04-02 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the April 2 2019 Maxmind GeoLite2 - Country database. Closes ticket 29992. - diff --git a/changes/geoip-2019-05-13 b/changes/geoip-2019-05-13 deleted file mode 100644 index 0a2fa18971..0000000000 --- a/changes/geoip-2019-05-13 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the May 13 2019 Maxmind GeoLite2 - Country database. Closes ticket 30522. - diff --git a/changes/geoip-2019-06-10 b/changes/geoip-2019-06-10 deleted file mode 100644 index 2d1e065649..0000000000 --- a/changes/geoip-2019-06-10 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the June 10 2019 Maxmind GeoLite2 - Country database. Closes ticket 30852. - diff --git a/changes/geoip-2019-10-01 b/changes/geoip-2019-10-01 deleted file mode 100644 index c7ed17b5c4..0000000000 --- a/changes/geoip-2019-10-01 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the October 1 2019 Maxmind GeoLite2 - Country database. Closes ticket 31931. - diff --git a/changes/geoip-2019-11-06 b/changes/geoip-2019-11-06 deleted file mode 100644 index a470981012..0000000000 --- a/changes/geoip-2019-11-06 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2 - Country database. Closes ticket 32440. - diff --git a/changes/geoip-2019-12-03 b/changes/geoip-2019-12-03 deleted file mode 100644 index ea62b6ee89..0000000000 --- a/changes/geoip-2019-12-03 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2 - Country database. Closes ticket 32685. - diff --git a/changes/geoip-2021-03-12 b/changes/geoip-2021-03-12 deleted file mode 100644 index 01c1b0f162..0000000000 --- a/changes/geoip-2021-03-12 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor features (geoip data): - - We have switched geoip data sources. Previously we shipped - IP-to-country mappings from Maxmind's GeoLite2, but in 2019 they - changed their licensing term, so we were unable to update them after - that point. We now ship geoip files based on the IPFire Location - Database instead. (See https://location.ipfire.org/ for more - information). This release updates our geoip files to match the - IPFire Location Database as retrieved on 2021/03/12. Closes - ticket 40224. diff --git a/changes/geoip-2021-04-13 b/changes/geoip-2021-04-13 deleted file mode 100644 index db21a1c037..0000000000 --- a/changes/geoip-2021-04-13 +++ /dev/null 
@@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/04/13. diff --git a/changes/geoip-2021-05-07 b/changes/geoip-2021-05-07 deleted file mode 100644 index 07bf12c4d8..0000000000 --- a/changes/geoip-2021-05-07 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/05/07. diff --git a/changes/geoip-2021-06-10 b/changes/geoip-2021-06-10 deleted file mode 100644 index 2b798012c8..0000000000 --- a/changes/geoip-2021-06-10 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/06/10. diff --git a/changes/geoip-2021-08-12 b/changes/geoip-2021-08-12 deleted file mode 100644 index 59afcc5bb7..0000000000 --- a/changes/geoip-2021-08-12 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/08/12. diff --git a/changes/log_32868 b/changes/log_32868 deleted file mode 100644 index 34476078b2..0000000000 --- a/changes/log_32868 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (debugging, directory system): - - Don't crash when we find a non-guard with a guard-fraction value set. - Instead, log a bug warning, in an attempt to figure out how this - happened. Diagnostic for ticket 32868. diff --git a/changes/parallel_unit_test b/changes/parallel_unit_test deleted file mode 100644 index 79de28636d..0000000000 --- a/changes/parallel_unit_test +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (tests): - - Our "make check" target now runs the unit tests in 8 parallel chunks. - Doing this speeds up hardened CI builds by more than a factor of two. - Closes ticket 40098. diff --git a/changes/rust_asan b/changes/rust_asan deleted file mode 100644 index 1ca7ae6888..0000000000 --- a/changes/rust_asan +++ /dev/null 
@@ -1,8 +0,0 @@ - o Major bugfixes (compilation, rust): - - Rust tests can now build and run successfully with the - --enable-fragile-hardening option enabled. - Doing this currently requires the rust beta channel; it will - be possible with stable rust as of rust version 1.31 is out. - Patch from Alex Crichton. - Fixes bugs 27272, 27273, and 27274. - Bugfix on 0.3.1.1-alpha. diff --git a/changes/ticket19566 b/changes/ticket19566 deleted file mode 100644 index bf7071e660..0000000000 --- a/changes/ticket19566 +++ /dev/null @@ -1,6 +0,0 @@ - o Code simplification and refactoring (shared random, dirauth): - - Change many tor_assert() to use BUG() instead. The idea is to not crash - a dirauth but rather scream loudly with a stacktrace and let it continue - run. The shared random subsystem is very resilient and if anything wrong - happens with it, at worst a non coherent value will be put in the vote - and discarded by the other authorities. Closes ticket 19566. diff --git a/changes/ticket24803 b/changes/ticket24803 deleted file mode 100644 index e76a9eeab9..0000000000 --- a/changes/ticket24803 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (fallback directory list): - - Replace the 150 fallbacks originally introduced in Tor 0.3.3.1-alpha in - January 2018 (of which ~115 were still functional), with a list of - 157 fallbacks (92 new, 65 existing, 85 removed) generated in - December 2018. Closes ticket 24803. diff --git a/changes/ticket2667 b/changes/ticket2667 deleted file mode 100644 index cc42286ef9..0000000000 --- a/changes/ticket2667 +++ /dev/null @@ -1,4 +0,0 @@ - o Major feature (exit): - - Re-entry into the network is now denied at the Exit level to all relays' - ORPort and authorities' ORPort+DirPort. This is to help mitigate a series - of attacks. See ticket for more information. Closes ticket 2667. diff --git a/changes/ticket27471 b/changes/ticket27471 deleted file mode 100644 index ffe77d268e..0000000000 --- a/changes/ticket27471 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Minor bugfixes (hidden service v3, client): - - When replacing a descriptor in the client cache with a newer descriptor, - make sure to close all client introduction circuits of the old - descriptor so we don't end up with unusable leftover circuits. Fixes bug - 27471; bugfix on 0.3.2.1-alpha. diff --git a/changes/ticket27751 b/changes/ticket27751 deleted file mode 100644 index 593c473b61..0000000000 --- a/changes/ticket27751 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features (continuous integration): - - Add a Travis CI build for --enable-nss on Linux gcc. Closes ticket 27751. diff --git a/changes/ticket27838 b/changes/ticket27838 deleted file mode 100644 index 1699730d7a..0000000000 --- a/changes/ticket27838 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (hidden service v3): - - Build the service descriptor signing key certificate before uploading so - we always have a fresh one leaving no chances for it to expire service - side. Fixes bug 27838; bugfix on 0.3.2.1-alpha. diff --git a/changes/ticket27913 b/changes/ticket27913 deleted file mode 100644 index 81ce725932..0000000000 --- a/changes/ticket27913 +++ /dev/null @@ -1,3 +0,0 @@ - o Testing: - - Add new CI job to Travis configuration that runs stem-based - integration tests. Closes ticket 27913. diff --git a/changes/ticket27995 b/changes/ticket27995 deleted file mode 100644 index 8c75425749..0000000000 --- a/changes/ticket27995 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (hidden service v3, client authorization): - - Fix an assert() when adding a client authorization for the first time - and then sending a HUP signal to the service. Before that, tor would - stop abruptly. Fixes bug 27995; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket28026 b/changes/ticket28026 deleted file mode 100644 index a6911c2cab..0000000000 --- a/changes/ticket28026 +++ /dev/null 
@@ -1,3 +0,0 @@ - o Documentation (hidden service manpage): - - Improve HSv3 client authorization by making some options more explicit - and detailed. Closes ticket 28026. Patch by "mtigas". diff --git a/changes/ticket28113 b/changes/ticket28113 deleted file mode 100644 index 30dd825a9b..0000000000 --- a/changes/ticket28113 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (relay shutdown, systemd): - - Notify systemd of ShutdownWaitLength so it can be set to longer than - systemd's TimeoutStopSec. In tor's systemd service file, set - TimeoutSec to 60 seconds, to allow tor some time to shut down. - Fixes bug 28113; bugfix on 0.2.6.2-alpha. diff --git a/changes/ticket28128 b/changes/ticket28128 deleted file mode 100644 index 6d08c74242..0000000000 --- a/changes/ticket28128 +++ /dev/null @@ -1,4 +0,0 @@ - o Documentation (hidden service manpage, sandbox): - - Document in the man page that changing ClientOnionAuthDir value or - adding a new file in the directory will not work at runtime upon sending - a HUP if Sandbox 1. Closes ticket 28128. diff --git a/changes/ticket28229_diag b/changes/ticket28229_diag deleted file mode 100644 index cd02b81faa..0000000000 --- a/changes/ticket28229_diag +++ /dev/null @@ -1,3 +0,0 @@ - o Testing: - - Increase logging and tag all log entries with timestamps - in test_rebind.py. Provides diagnostics for issue 28229. diff --git a/changes/ticket28275 b/changes/ticket28275 deleted file mode 100644 index eadca86b7b..0000000000 --- a/changes/ticket28275 +++ /dev/null @@ -1,4 +0,0 @@ - o Documentation (hidden service v3, man page): - - Note in the man page that the only real way to fully revoke an onion - service v3 client authorization is by restarting the tor process. Closes - ticket 28275. diff --git a/changes/ticket28318 b/changes/ticket28318 deleted file mode 100644 index 24dc1e9580..0000000000 --- a/changes/ticket28318 +++ /dev/null 
@@ -1,3 +0,0 @@ - o Minor features (Windows, continuous integration): - - Build tor on Windows Server 2012 R2 and Windows Server 2016 using - Appveyor's CI. Closes ticket 28318. diff --git a/changes/ticket28459 b/changes/ticket28459 deleted file mode 100644 index 6b5839b52b..0000000000 --- a/changes/ticket28459 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (continuous integration, Windows): - - Always show the configure and test logs, and upload them as build - artifacts, when building for Windows using Appveyor CI. - Implements 28459. diff --git a/changes/ticket28574 b/changes/ticket28574 deleted file mode 100644 index 562810f511..0000000000 --- a/changes/ticket28574 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (continuous integration, Windows): - - Explicitly specify the path to the OpenSSL library and do not download - OpenSSL from Pacman, but instead use the library that is already provided - by AppVeyor. Fixes bug 28574; bugfix on master. diff --git a/changes/ticket28668 b/changes/ticket28668 deleted file mode 100644 index 6386e0051f..0000000000 --- a/changes/ticket28668 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (testing): - - Treat all unexpected ERR and BUG messages as test failures. - Closes ticket 28668. diff --git a/changes/ticket28669 b/changes/ticket28669 deleted file mode 100644 index 32c6114ffc..0000000000 --- a/changes/ticket28669 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfix (hidden service v3, client): - - Avoid a BUG() stacktrace in case a SOCKS connection is found waiting for - the descriptor while we do have it in the cache. There is a rare case - when this can happen. Now, tor will recover and retry the descriptor. - Fixes bug 28669; bugfix on 0.3.2.4-alpha. - diff --git a/changes/ticket28795 b/changes/ticket28795 deleted file mode 100644 index 6ae72562bf..0000000000 --- a/changes/ticket28795 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Minor features (fallback directory list): - - Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc - in December 2018 (of which ~122 were still functional), with a - list of 148 fallbacks (70 new, 78 existing, 79 removed) generated - in June 2019. Closes ticket 28795. diff --git a/changes/ticket28838 b/changes/ticket28838 deleted file mode 100644 index 6c290bf82b..0000000000 --- a/changes/ticket28838 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor features (performance): - - Remove about 96% of the work from the function that we run at - startup to test our curve25519_basepoint implementation. Since - this function has yet to find an actual failure, we'll only - run it for 8 iterations instead of 200. Based on our profile - information, this change should save around 8% of our startup - time on typical desktops, and may have a similar effect on - other platforms. Closes ticket 28838. diff --git a/changes/ticket28851 b/changes/ticket28851 deleted file mode 100644 index bab0318662..0000000000 --- a/changes/ticket28851 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (performance): - - Stop re-validating our hardcoded Diffie-Hellman parameters on every - startup. Doing this wasted time and cycles, especially on low-powered - devices. Closes ticket 28851. diff --git a/changes/ticket28879 b/changes/ticket28879 deleted file mode 100644 index 126420f6ca..0000000000 --- a/changes/ticket28879 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (correctness): - - Fix an unreached code-path where we checked the value of "hostname" - inside send_resolved_hostnam_cell(). Previously, we used it before - checking it; now we check it first. Fixes bug 28879; bugfix on - 0.1.2.7-alpha. diff --git a/changes/ticket28881 b/changes/ticket28881 deleted file mode 100644 index 1b015a6c37..0000000000 --- a/changes/ticket28881 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Code simplification and refactoring: - - When parsing a port configuration, make it more - obvious to static analyzer tools that we will always initialize the - address. Closes ticket 28881. diff --git a/changes/ticket28883 b/changes/ticket28883 deleted file mode 100644 index 1d8b6cb416..0000000000 --- a/changes/ticket28883 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (testing): - - Make sure that test_rebind.py actually obeys its timeout, even - when it receives a large number of log messages. Fixes bug 28883; - bugfix on 0.3.5.4-alpha. diff --git a/changes/ticket28912 b/changes/ticket28912 deleted file mode 100644 index 4119b778bc..0000000000 --- a/changes/ticket28912 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (relay, directory): - - A connection serving directory information wouldn't get reactivated after - the first chunk of data was sent (usually 32KB). Tor now always activate - the main loop event that goes through these connections as long as at - least one connection is still active. Fixes bug 28912; bugfix on - 0.3.4.1-alpha. Patch by "cypherpunks3". diff --git a/changes/ticket28924 b/changes/ticket28924 deleted file mode 100644 index 055a6cf285..0000000000 --- a/changes/ticket28924 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (compilation): - - When possible, place our warning flags in a separate file, to avoid - flooding verbose build logs to an unacceptable amount. Closes ticket - 28924. diff --git a/changes/ticket28970 b/changes/ticket28970 deleted file mode 100644 index 138c575fcc..0000000000 --- a/changes/ticket28970 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (clietn, hidden service v3): - - Fix a BUG() assertion that occurs within a very small race window between - a client intro circuit opens and its descriptor that gets cleaned up from - the cache. The circuit is now closed which will trigger a re-fetch of the - descriptor and continue the HS connection. Fixes bug 28970; bugfix on - 0.3.2.1-alpha. 
diff --git a/changes/ticket28973 b/changes/ticket28973 deleted file mode 100644 index b1d208ee51..0000000000 --- a/changes/ticket28973 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (OpenSSL bug workaround): - - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3 - key export function from handling long labels. When this bug - is detected, Tor will disable TLS 1.3. We recommend upgrading to - a version of OpenSSL without this bug when it becomes available. - Closes ticket 28973. diff --git a/changes/ticket28992 b/changes/ticket28992 deleted file mode 100644 index 3e45d73e45..0000000000 --- a/changes/ticket28992 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (onion service v3, client): - - Remove a BUG() that is causing a stacktrace for a situation that very - rarely happens but still can. Fixes bug 28992; bugfix on 0.3.2.1-alpha. diff --git a/changes/ticket29026 b/changes/ticket29026 deleted file mode 100644 index 1db873dfcf..0000000000 --- a/changes/ticket29026 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (compilation): - - Compile correctly when OpenSSL is built with engine support - disabled, or with deprecated APIs disabled. Closes ticket - 29026. Patches from "Mangix". diff --git a/changes/ticket29160 b/changes/ticket29160 deleted file mode 100644 index 8e11183064..0000000000 --- a/changes/ticket29160 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (tests): - - Do not log an error-level message if we fail to find an IPv6 - network interface from the unit tests. Fixes bug 29160; bugfix on - 0.2.7.3-rc. diff --git a/changes/ticket29168 b/changes/ticket29168 deleted file mode 100644 index 65c5232f65..0000000000 --- a/changes/ticket29168 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Major bugfixes (cell scheduler, KIST): - - Make KIST to always take into account the outbuf length when computing - what we can actually put in the outbuf. This could lead to the outbuf - being filled up and thus a possible memory DoS vector. TROVE-2019-001. - Fixes bug 29168; bugfix on 0.3.2.1-alpha. diff --git a/changes/ticket29435 b/changes/ticket29435 deleted file mode 100644 index d48ae98e4b..0000000000 --- a/changes/ticket29435 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (testing): - - Fix our gcov wrapper script to look for object files at the - correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket29617 b/changes/ticket29617 deleted file mode 100644 index 4d50ea9627..0000000000 --- a/changes/ticket29617 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (out-of-memory handler): - - When purging the DNS cache because of an out-of-memory condition, - try purging just the older entries at first. Previously, we would - purge the whole thing. Fixes bug 29617; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket29702 b/changes/ticket29702 deleted file mode 100644 index e1cc1f867b..0000000000 --- a/changes/ticket29702 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing: - - Specify torrc paths (with empty files) when launching tor in - integration tests; refrain from reading user and system torrcs. - Resolves issue 29702. diff --git a/changes/ticket29806 b/changes/ticket29806 deleted file mode 100644 index 6afefd4c04..0000000000 --- a/changes/ticket29806 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor features (bandwidth authority): - - Make bandwidth authorities to ignore relays that are reported in the - bandwidth file with the key-value "vote=0". - This change allows to report the relays that were not measured due - some failure and diagnose the reasons without the bandwidth being included in the - bandwidth authorities vote. - Closes ticket 29806. 
diff --git a/changes/ticket29962 b/changes/ticket29962 deleted file mode 100644 index e36cc0cf9a..0000000000 --- a/changes/ticket29962 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (continuous integration): - - On Travis Rust builds, cleanup Rust registry and refrain from caching - target/ directory to speed up builds. Resolves issue 29962. diff --git a/changes/ticket30117 b/changes/ticket30117 deleted file mode 100644 index 5b6e6dabf7..0000000000 --- a/changes/ticket30117 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing (continuous integration): - - In Travis, tell timelimit to use stem's backtrace signals. And launch - python directly from timelimit, so python receives the signals from - timelimit, rather than make. Closes ticket 30117. diff --git a/changes/ticket30213 b/changes/ticket30213 deleted file mode 100644 index acb7614807..0000000000 --- a/changes/ticket30213 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (continuous integration): - - Remove sudo configuration lines from .travis.yml as they are no longer - needed with current Travis build environment. Resolves issue 30213. diff --git a/changes/ticket30234 b/changes/ticket30234 deleted file mode 100644 index 5a0076bad2..0000000000 --- a/changes/ticket30234 +++ /dev/null @@ -1,2 +0,0 @@ - o Testing (continuous integration): - - In Travis, show stem's tor log after failure. Closes ticket 30234. diff --git a/changes/ticket30454 b/changes/ticket30454 deleted file mode 100644 index 77c45d0feb..0000000000 --- a/changes/ticket30454 +++ /dev/null 
@@ -1,10 +0,0 @@ - o Major bugfixes (hidden service v3): - - An intro point could try to send an INTRODUCE_ACK with a status code - that it wasn't able to encode leading to a hard assert() of the relay. - Fortunately, that specific code path can not be reached thus this issue - can't be triggered. We've consolidated the ABI values into trunnel now. - Fixes bug 30454; bugfix on 0.3.0.1-alpha. - - HSv3 client will now be able to properly handle unknown status code from - a INTRODUCE_ACK cell (nack) even if they do not know it. The NACK - behavior will stay the same. This will allow us to extend status code if - we want in the future without breaking the normal client behavior. diff --git a/changes/ticket30477 b/changes/ticket30477 deleted file mode 100644 index 379fc4e7eb..0000000000 --- a/changes/ticket30477 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (bridge): - - We now announce the URL to Tor's new bridge status at - https://bridges.torproject.org/ when Tor is configured to run as a bridge - relay. Closes ticket 30477. diff --git a/changes/ticket30591 b/changes/ticket30591 deleted file mode 100644 index f97c024009..0000000000 --- a/changes/ticket30591 +++ /dev/null @@ -1,3 +0,0 @@ - o Testing (continuous integration): - - In Travis, make stem log a controller trace to the console. And tail - stem's tor log after failure. Closes ticket 30591. diff --git a/changes/ticket30694 b/changes/ticket30694 deleted file mode 100644 index 70dbf6481a..0000000000 --- a/changes/ticket30694 +++ /dev/null @@ -1,3 +0,0 @@ - o Testing (continuous integration): - - In Travis, only run the stem tests that use a tor binary. - Closes ticket 30694. diff --git a/changes/ticket30860 b/changes/ticket30860 deleted file mode 100644 index b946f735c4..0000000000 --- a/changes/ticket30860 +++ /dev/null @@ -1,3 +0,0 @@ - o Testing: - - Run the chutney IPv6 networks as part of Travis CI. - Closes ticket 30860. 
diff --git a/changes/ticket30871 b/changes/ticket30871 deleted file mode 100644 index 81c076bb02..0000000000 --- a/changes/ticket30871 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (circuit build, guard): - - When considering upgrading circuits from "waiting for guard" to "open", - always ignore the ones that are mark for close. Else, we can end up in - the situation where a subsystem is notified of that circuit opening but - still marked for close leading to undesirable behavior. Fixes bug 30871; - bugfix on 0.3.0.1-alpha. diff --git a/changes/ticket31372_appveyor b/changes/ticket31372_appveyor deleted file mode 100644 index e7bb03182e..0000000000 --- a/changes/ticket31372_appveyor +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (continuous integration): - - When building on Appveyor, pass the "-k" flag to make, so that - we are informed of all compilation failures, not just the first - one or two. Closes part of ticket 31372. diff --git a/changes/ticket31372_travis b/changes/ticket31372_travis deleted file mode 100644 index 403869b2ed..0000000000 --- a/changes/ticket31372_travis +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (continuous integration): - - When building on Travis, pass the "-k" flag to make, so that - we are informed of all compilation failures, not just the first - one or two. Closes part of ticket 31372. diff --git a/changes/ticket31374 b/changes/ticket31374 deleted file mode 100644 index e8eef9cd49..0000000000 --- a/changes/ticket31374 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation warning): - - Fix a compilation warning on Windows about casting a function - pointer for GetTickCount64(). Fixes bug 31374; bugfix on - 0.2.9.1-alpha. diff --git a/changes/ticket31406 b/changes/ticket31406 deleted file mode 100644 index 0ebe6f6c47..0000000000 --- a/changes/ticket31406 +++ /dev/null 
@@ -1,3 +0,0 @@ - o Minor features (directory authority): - - A new IP address the directory authority "dizum" has been changed. Closes - ticket 31406; diff --git a/changes/ticket31466 b/changes/ticket31466 deleted file mode 100644 index e535b4502e..0000000000 --- a/changes/ticket31466 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (logging): - - Rate-limit our the logging message about the obsolete .exit notation. - Previously, there was no limit on this warning, which could potentially - be triggered many times by a hostile website. Fixes bug 31466; - bugfix on 0.2.2.1-alpha. diff --git a/changes/ticket31548 b/changes/ticket31548 deleted file mode 100644 index fef0b5d01f..0000000000 --- a/changes/ticket31548 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (hidden service v3): - - Make onion service always use the exact amount of configured intro points - (or less due to node exlusion). Before, a service could sometimes pick - more intro points than configured with the - HiddenServiceNumIntroductionPoints option. Fixes bug 31548; bugfix on - 0.3.2.1-alpha. - diff --git a/changes/ticket31554 b/changes/ticket31554 deleted file mode 100644 index 73f4159ff3..0000000000 --- a/changes/ticket31554 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (stem tests): - - Change "make test-stem" so it only runs the stem tests that use tor. - This change makes test-stem faster and more reliable. - Closes ticket 31554. diff --git a/changes/ticket31673 b/changes/ticket31673 deleted file mode 100644 index 3b2bb4a46e..0000000000 --- a/changes/ticket31673 +++ /dev/null @@ -1,3 +0,0 @@ - o New system requirements (build system): - - Do not include the deprecated <sys/sysctl.h> on Linux or Windows system. - Closes 31673; diff --git a/changes/ticket31687_1 b/changes/ticket31687_1 deleted file mode 100644 index 2f4d440974..0000000000 --- a/changes/ticket31687_1 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): - - Suppress spurious float-conversion warnings from GCC when calling - floating-point classifier functions on FreeBSD. Fixes part of bug - 31687; bugfix on 0.3.1.5-alpha. diff --git a/changes/ticket31687_2 b/changes/ticket31687_2 deleted file mode 100644 index eadc698275..0000000000 --- a/changes/ticket31687_2 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (FreeBSD, PF-based proxy, IPv6): - - When extracting an IPv6 address from a PF-based proxy, verify - that we are actually configured to receive an IPv6 address, - and log an internal error if not. Fixes part of bug 31687; - bugfix on 0.2.3.4-alpha. diff --git a/changes/ticket31859 b/changes/ticket31859 deleted file mode 100644 index dbc591e00b..0000000000 --- a/changes/ticket31859 +++ /dev/null @@ -1,3 +0,0 @@ - o Testing: - - Simplify the Travis CI build matrix, and optimise for build time. - Closes ticket 31859. diff --git a/changes/ticket31919_bionic b/changes/ticket31919_bionic deleted file mode 100644 index eb41644555..0000000000 --- a/changes/ticket31919_bionic +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (continuous integration): - - Use Ubuntu Bionic images for our Travis CI builds, so we can get - a recent version of coccinelle. But leave chutney on Ubuntu Trusty, - until we can fix some Bionic permissions issues (see ticket 32240). - Related to ticket 31919. diff --git a/changes/ticket32058 b/changes/ticket32058 deleted file mode 100644 index b40bcda416..0000000000 --- a/changes/ticket32058 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (mainloop, periodic events): - - Periodic events enabled flag was not unset properly when shutting down tor - cleanly. This had the side effect to not re-enable periodic events when - tor_api.h is used to relaunch tor after a shutdown. Fixes bug 32058; - bugfix on 0.3.3.1-alpha. diff --git a/changes/ticket32086 b/changes/ticket32086 deleted file mode 100644 index b9312c2bea..0000000000 
--- a/changes/ticket32086 +++ /dev/null @@ -1,3 +0,0 @@ - o Testing: - - Use Windows Server 2019 instead of Windows Server 2016 in our - Appveyor builds. Closes ticket 32086. diff --git a/changes/ticket32240 b/changes/ticket32240 deleted file mode 100644 index 35cc3df27e..0000000000 --- a/changes/ticket32240 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing: - - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on Ubuntu - Bionic. Turning off the Sandbox is a work-around, until we fix the - sandbox errors in 32722. Closes ticket 32240. diff --git a/changes/ticket32241 b/changes/ticket32241 deleted file mode 100644 index 4243cec175..0000000000 --- a/changes/ticket32241 +++ /dev/null @@ -1,2 +0,0 @@ - o Testing (continuous integration): - - In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241. diff --git a/changes/ticket32242 b/changes/ticket32242 deleted file mode 100644 index d63d5a586e..0000000000 --- a/changes/ticket32242 +++ /dev/null @@ -1,2 +0,0 @@ - o Testing (continuous integration): - - Use zstd in our Travis Linux builds. Closes ticket 32242. diff --git a/changes/ticket32407 b/changes/ticket32407 deleted file mode 100644 index badb09abfe..0000000000 --- a/changes/ticket32407 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (crash): - - When running Tor with an option like --verify-config or --dump-config - that does not start the event loop, avoid crashing if we try to exit - early because of an error. Fixes bug 32407; bugfix on 0.3.3.1-alpha. diff --git a/changes/ticket32500 b/changes/ticket32500 deleted file mode 100644 index 2c0f35df72..0000000000 --- a/changes/ticket32500 +++ /dev/null @@ -1,5 +0,0 @@ - o Testing: - - Require C99 standards-conforming code in Travis CI, but allow GNU gcc - extensions. Also activates clang's -Wtypedef-redefinition warnings. - Build some jobs with -std=gnu99, and some jobs without. - Closes ticket 32500. diff --git a/changes/ticket32629 b/changes/ticket32629 deleted file mode 100644 index 740746c572..0000000000 
--- a/changes/ticket32629 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing: - - Re-enable the Travis CI macOS Chutney build, but allow the job to finish - before it finishes, because the Travis macOS jobs are slow. - Closes ticket 32629. diff --git a/changes/ticket32792 b/changes/ticket32792 deleted file mode 100644 index 553cf0ca81..0000000000 --- a/changes/ticket32792 +++ /dev/null @@ -1,3 +0,0 @@ - o Testing: - - When a Travis chutney job fails, use chutney's new "diagnostics.sh" tool - to produce detailed diagnostic output. Closes ticket 32792. diff --git a/changes/ticket33075 b/changes/ticket33075 deleted file mode 100644 index 69698d90b3..0000000000 --- a/changes/ticket33075 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing: - - Stop allowing failures on the Travis CI stem tests job. It looks like all - the stem hangs we were seeing are now fixed, but let's make sure we see - them if they happen again. Closes ticket 33075. diff --git a/changes/ticket33119 b/changes/ticket33119 deleted file mode 100644 index 11c20bc7a2..0000000000 --- a/changes/ticket33119 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (security, denial-of-service): - - Fix a denial-of-service bug that could be used by anyone to consume a - bunch of CPU on any Tor relay or authority, or by directories to - consume a bunch of CPU on clients or hidden services. Because - of the potential for CPU consumption to introduce observable - timing patterns, we are treating this as a high-severity security - issue. Fixes bug 33119; bugfix on 0.2.1.5-alpha. We are also tracking - this issue as TROVE-2020-002. diff --git a/changes/ticket33194 b/changes/ticket33194 deleted file mode 100644 index b87e55348e..0000000000 --- a/changes/ticket33194 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing: - - Remove a redundant distcheck job. Closes ticket 33194. - - Sort the Travis jobs in order of speed. Putting the slowest jobs first - takes full advantage of Travis job concurrency. Closes ticket 33194. 
diff --git a/changes/ticket33195 b/changes/ticket33195 deleted file mode 100644 index 11abd4816e..0000000000 --- a/changes/ticket33195 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing: - - Stop allowing the Chutney IPv6 Travis job to fail. This job was - previously configured to fast_finish (which requires allow_failure), to - speed up the build. Closes ticket 33195. diff --git a/changes/ticket33212 b/changes/ticket33212 deleted file mode 100644 index aeb09e0c67..0000000000 --- a/changes/ticket33212 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (rust, build): - - Fix a syntax warning given by newer versions of Rust, and creating - problems for our continuous integration. - Fixes bug 33212; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket33361 b/changes/ticket33361 deleted file mode 100644 index bc9715d6a1..0000000000 --- a/changes/ticket33361 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfix (relay, configuration): - - Now warn if the ContactInfo field is not set and mention that the relay - might get rejected if so. Fixes bug 33361; bugfix on 0.1.1.10-alpha. diff --git a/changes/ticket33491 b/changes/ticket33491 deleted file mode 100644 index 595ea863ea..0000000000 --- a/changes/ticket33491 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (DoS defenses, bridges, pluggable transport): - - DoS subsystem was not given the transport name of the client connection - when tor is a bridge and thus failing to find the GeoIP cache entry for - that client address. This resulted in failing to apply DoS defenses on - bridges with a pluggable transport. Fixes bug 33491; bugfix on - 0.3.3.2-alpha. diff --git a/changes/ticket33643 b/changes/ticket33643 deleted file mode 100644 index 7fddab74eb..0000000000 --- a/changes/ticket33643 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Minor features (testing): - - The unit tests now support a "TOR_SKIP_TESTCASES" environment variable - to specify a list of space-separated test cases that should not be - executed. We will use this to disable certain tests that are failing on - Appveyor because of mismatched OpenSSL libraries. Part of ticket 33643. diff --git a/changes/ticket33643_part2 b/changes/ticket33643_part2 deleted file mode 100644 index 28193d2af5..0000000000 --- a/changes/ticket33643_part2 +++ /dev/null @@ -1,3 +0,0 @@ - o Testing (CI): - - On appveyor, skip the crypto/openssl_version test, which is failing - because of a mismatched library installation. Fix for 33643. diff --git a/changes/ticket33747 b/changes/ticket33747 deleted file mode 100644 index 57c72e9d0a..0000000000 --- a/changes/ticket33747 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (rate limiting, bridges, pluggable transports): - - On a bridge, treat all connections from an ExtORPort as remote - by default for the purposes of rate-limiting. Previously, - bridges would treat the connection as local unless they explicitly - received a "USERADDR" command. ExtORPort connections still - count as local if there is a USERADDR command with an explicit local - address. Fixes bug 33747; bugfix on 0.2.5.1-alpha. diff --git a/changes/ticket33880 b/changes/ticket33880 deleted file mode 100644 index c1889bb134..0000000000 --- a/changes/ticket33880 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (relay, usability): - - Adjust the rules for when to warn about having too many connections - to other relays. Previously we'd tolerate up to 1.5 connections - per relay on average. Now we tolerate more connections for directory - authorities, and raise the number of total connections we need - to see before we warn. Fixes bug 33880; bugfix on 0.3.1.1-alpha. diff --git a/changes/ticket40003 b/changes/ticket40003 deleted file mode 100644 index 240f464353..0000000000 --- a/changes/ticket40003 +++ /dev/null 
@@ -1,3 +0,0 @@ - o Deprecated features (onion service v2): - - Add deprecation warning for onion service version 2. Tor now logs a - warning once if a version 2 service is configured. Closes ticket 40003. diff --git a/changes/ticket40026 b/changes/ticket40026 deleted file mode 100644 index f87c2964e0..0000000000 --- a/changes/ticket40026 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfix (CI, Windows): - - Don't use stdio 64 bit printf format when compiling with MINGW on - Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha. diff --git a/changes/ticket40035 b/changes/ticket40035 deleted file mode 100644 index 8cdd447199..0000000000 --- a/changes/ticket40035 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (NSS): - - When running with NSS enabled, make sure that NSS knows to expect - nonblocking sockets. Previously, we set our TCP sockets as blocking, - but did not tell NSS about the fact, which in turn could lead to - unexpected blocking behavior. Fixes bug 40035; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket40061 b/changes/ticket40061 deleted file mode 100644 index 227664d010..0000000000 --- a/changes/ticket40061 +++ /dev/null @@ -1,5 +0,0 @@ - o Major feature (fallback directory list): - - Replace the 148 fallback directories originally included in - Tor 0.4.1.4-rc (of which around 105 are still functional) with - a list of 144 fallbacks generated in July 2020. - Closes ticket 40061. diff --git a/changes/ticket40073 b/changes/ticket40073 deleted file mode 100644 index 30b028c042..0000000000 --- a/changes/ticket40073 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (relay configuration, crash): - - Avoid a fatal assert() when failing to create a listener connection for an - address that was in use. Fixes bug 40073; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket40081 b/changes/ticket40081 deleted file mode 100644 index 683ae33518..0000000000 --- a/changes/ticket40081 +++ /dev/null 
@@ -1,6 +0,0 @@ - o Minor features (security): - - Channels using obsolete versions of the Tor link protocol are no - longer allowed to circumvent address-canonicity checks. - (This is only a minor issue, since such channels have no way to - set ed25519 keys, and therefore should always be rejected.) - Closes ticket 40081. diff --git a/changes/ticket40125 b/changes/ticket40125 deleted file mode 100644 index c68e3ce7b3..0000000000 --- a/changes/ticket40125 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing (onion service v2): - - Fix a rendezvous cache unit test that was triggering an underflow on the - global rend cache allocation. Fixes bug 40125; bugfix on - 0.2.8.1-alpha. diff --git a/changes/ticket40126 b/changes/ticket40126 deleted file mode 100644 index 1f5806e6cb..0000000000 --- a/changes/ticket40126 +++ /dev/null @@ -1,4 +0,0 @@ - o Testing (onion service v2): - - Fix another rendezvous cache unit test that was triggering an underflow on the - global rend cache allocation. Fixes bug 40126; bugfix on - 0.2.8.1-alpha. diff --git a/changes/ticket40133 b/changes/ticket40133 deleted file mode 100644 index 8bbe00b6b2..0000000000 --- a/changes/ticket40133 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (protocol simplification): - - Tor no longer allows subprotocol versions larger than 63. Previously - versions up to UINT32_MAX were allowed, which significantly complicated - our code. - Implements proposal 318; closes ticket 40133. diff --git a/changes/ticket40135 b/changes/ticket40135 deleted file mode 100644 index 9b60b4f655..0000000000 --- a/changes/ticket40135 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfix (logging): - - Remove a debug logging statement that uselessly spam the logs. Fixes bug - 40135; bugfix on 0.3.5.0-alpha. diff --git a/changes/ticket40165 b/changes/ticket40165 deleted file mode 100644 index a8dd0a339b..0000000000 --- a/changes/ticket40165 +++ /dev/null 
@@ -1,5 +0,0 @@ - o Minor features (compilation): - - Disable deprecation warnings when building with OpenSSL 3.0.0 or later. - There are a number of newly deprecated APIs in OpenSSL 3.0.0 that Tor - still requires. (A later version of Tor will try to stop depending on - these.) Closes ticket 40165. diff --git a/changes/ticket40170 b/changes/ticket40170 deleted file mode 100644 index cc1c8dbad1..0000000000 --- a/changes/ticket40170 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (tests): - - Fix the "tortls/openssl/log_one_error" test to work with OpenSSL 3.0.0. - Fixes bug 40170; bugfix on 0.2.8.1-alpha. diff --git a/changes/ticket40227 b/changes/ticket40227 deleted file mode 100644 index e5efad0f95..0000000000 --- a/changes/ticket40227 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor feature (build system): - - New "make lsp" command to auto generate the compile_commands.json file - used by the ccls server. The "bear" program is needed for this. Closes - ticket 40227. diff --git a/changes/ticket40237 b/changes/ticket40237 deleted file mode 100644 index fc32f59cd4..0000000000 --- a/changes/ticket40237 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (onion service v3): - - Stop requiring a live consensus for v3 clients and services to work. The - use of a reasonably live consensus will allow v3 to work properly in most - cases if the network failed to generate a consensus for more than 2 hours - in a row. Fixes bug 40237; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket40265 b/changes/ticket40265 deleted file mode 100644 index 2a346d64c3..0000000000 --- a/changes/ticket40265 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor feature (fallback directory): - - Renegerate the list to a new set of 200 relays acting as fallback - directories. Closes ticket 40265. diff --git a/changes/ticket40286_minimal b/changes/ticket40286_minimal deleted file mode 100644 index 6a04ca79eb..0000000000 --- a/changes/ticket40286_minimal +++ /dev/null 
@@ -1,6 +0,0 @@ - o Major bugfixes (security, denial of service): - - Disable the dump_desc() function that we used to dump unparseable - information to disk. It was called incorrectly in several places, - in a way that could lead to excessive CPU usage. Fixes bug 40286; - bugfix on 0.2.2.1-alpha. This bug is also tracked as - TROVE-2021-001 and CVE-2021-28089. diff --git a/changes/ticket40301 b/changes/ticket40301 deleted file mode 100644 index c1fd821e3f..0000000000 --- a/changes/ticket40301 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (relay): - - Reduce the compression level for data streaming from HIGH to LOW. Fixes - bug 40301; bugfix on 0.3.5.1-alpha. - diff --git a/changes/ticket40309 b/changes/ticket40309 deleted file mode 100644 index 087ac36a4f..0000000000 --- a/changes/ticket40309 +++ /dev/null @@ -1,3 +0,0 @@ - o New system requirements (mallinfo() deprecated): - - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it. Closes - ticket 40309. diff --git a/changes/ticket40389 b/changes/ticket40389 deleted file mode 100644 index 7dcf65b32e..0000000000 --- a/changes/ticket40389 +++ /dev/null @@ -1,3 +0,0 @@ - o Major bugfixes (relay, TROVE): - - Don't allow entry or middle relays to spoof RELAY_END or RELAY_RESOLVED - cell on half-closed streams. Fixes bug 40389; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket40390 b/changes/ticket40390 deleted file mode 100644 index b56fa4d9da..0000000000 --- a/changes/ticket40390 +++ /dev/null 
@@ -1,8 +0,0 @@ - o Major bugfixes (security, defense-in-depth): - - Detect a wider variety of failure conditions from the OpenSSL RNG - code. Previously, we would detect errors from a missing RNG - implementation, but not failures from the RNG code itself. - Fortunately, it appears those failures do not happen in practice - when Tor is using OpenSSL's default RNG implementation. - Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as - TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. diff --git a/changes/ticket40447 b/changes/ticket40447 deleted file mode 100644 index d1be646a7d..0000000000 --- a/changes/ticket40447 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor feature (fallbackdir): - - Regenerate fallback directories list. Close ticket 40447. diff --git a/changes/ticket40476 b/changes/ticket40476 deleted file mode 100644 index 062e36f9bc..0000000000 --- a/changes/ticket40476 +++ /dev/null @@ -1,8 +0,0 @@ - o Major feature (onion service v2): - - Tor does NOT allow anymore to create v2 services, to connect as a client - to a v2 service and for a relay to be a v2 HSDir or introduction point. - This effectively disable onion service version 2 tor wide. Closes 40476. - - The control port command HSFETCH and HSPOST don't allow version 2 as well. - It is also not possible to create a v2 service with ADD_ONION. - - See https://blog.torproject.org/v2-deprecation-timeline for details on - how to transition from v2 to v3. diff --git a/changes/ticket40493 b/changes/ticket40493 deleted file mode 100644 index eb9baf916b..0000000000 --- a/changes/ticket40493 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories for October 2021. Close ticket 40493. diff --git a/changes/trove_2020_003 b/changes/trove_2020_003 deleted file mode 100644 index aa1a8f1c78..0000000000 --- a/changes/trove_2020_003 +++ /dev/null 
@@ -1,4 +0,0 @@ - o Minor bugfixes (onion services v3): - - Fix assertion failure that could result from a corrupted ADD_ONION control - port command. Found by Saibato. Fixes bug 33137; bugfix on - 0.3.3.1-alpha. This issue is also being tracked as TROVE-2020-003. diff --git a/scripts/maint/sortChanges.py b/scripts/maint/sortChanges.py index 986b94b025..2264b1c7fa 100755 --- a/scripts/maint/sortChanges.py +++ b/scripts/maint/sortChanges.py @@ -43,7 +43,7 @@ REPLACEMENTS = { def score(s,fname=None): m = re.match(r'^ +o ([^\n]*)\n(.*)', s, re.M|re.S) if not m: - print >>sys.stderr, "Can't score %r from %s"%(s,fname) + print("Can't score %r from %s"%(s,fname)) heading = m.group(1) heading = REPLACEMENTS.get(heading, heading) lw = m.group(1).lower() @@ -100,9 +100,9 @@ changes.sort() last_lw = "this is not a header" for _, lw, header, rest in changes: if lw == last_lw: - print rest, + print(rest) else: - print - print " o",header - print rest, + print("") + print(" o %s" % (header)) + print(rest), last_lw = lw |
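Review bot: in the score() hunk of scripts/maint/sortChanges.py (@@ -43,7 +43,7 @@), the converted call drops the stderr redirection. The removed line was `print >>sys.stderr, "Can't score ..."`, while the added line is a plain `print(...)`, so the "Can't score" diagnostic now goes to stdout, the same stream the script uses for the sorted changelog entries, and can end up inside the generated text unnoticed. Suggest `print("Can't score %r from %s"%(s,fname), file=sys.stderr)`, with `from __future__ import print_function` at the top if the script still has to run under Python 2. The unchanged context also shows execution continuing to `m.group(1)` after the message even though `m` is None on that path, which raises AttributeError; a return or an explicit raise after the message would make that failure deliberate.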
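Review bot: in the output loop hunk of scripts/maint/sortChanges.py (@@ -100,9 +100,9 @@), the two `print rest,` statements are converted differently and neither matches the old output under Python 3. The Python 2 trailing comma suppressed the newline; `print(rest)` in the `if` branch always appends one, and `print(rest),` in the `else` branch only suppresses it when run under Python 2, while under Python 3 the comma sits outside the call, builds a discarded tuple, and the newline is printed. If `rest` already ends with a newline, each entry gains an extra blank line. Suggest `print(rest, end="")` in both branches, together with `from __future__ import print_function` if Python 2 support is still wanted, so both branches behave the same on either interpreter.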