diff options
134 files changed, 1855 insertions, 574 deletions
@@ -1,3 +1,850 @@ +Changes in version 0.4.5.16 - 2023-01-12 + This version has one major bugfix for relay and a security fix, + TROVE-2022-002, affecting clients. We strongly recommend to upgrade to our + 0.4.7.x stable series. As a reminder, this series is EOL on February 15th, + 2023. + + o Major bugfixes (relay): + - When opening a channel because of a circuit request that did not + include an Ed25519 identity, record the Ed25519 identity that we + actually received, so that we can use the channel for other + circuit requests that _do_ list an Ed25519 identity. (Previously + we had code to record this identity, but a logic bug caused it to + be disabled.) Fixes bug 40563; bugfix on 0.3.0.1-alpha. Patch + from "cypherpunks". + + o Major bugfixes (TROVE-2022-002, client): + - The SafeSocks option had its logic inverted for SOCKS4 and + SOCKS4a. It would let the unsafe SOCKS4 pass but not the safe + SOCKS4a one. This is TROVE-2022-002 which was reported on + Hackerone by "cojabo". Fixes bug 40730; bugfix on 0.3.5.1-alpha. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on January 12, 2023. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2023/01/12. + + +Changes in version 0.4.5.15 - 2022-12-06 + This version has several major changes for directory authorities. And a + major bugfix on OSX. Again, we strongly recommend to upgrade to our 0.4.7.x + series latest stable. This series is EOL on February 15th, 2023. + + o Directory authority changes (dizum): + - Change dizum IP address. Closes ticket 40687. + + o Directory authority changes (Faravahar): + - Remove Faravahar until its operator, Sina, set it back up online + outside of Team Cymru network. Closes ticket 40688. + + o Directory authority changes (moria1): + - Rotate the relay identity key and v3 identity key for moria1. They + have been online for more than a decade and refreshing keys + periodically is good practice. Advertise new ports too, to avoid + confusion. Closes ticket 40722. + + o Major bugfixes (OSX): + - Fix coarse-time computation on Apple platforms (like Mac M1) where + the Mach absolute time ticks do not correspond directly to + nanoseconds. Previously, we computed our shift value wrong, which + led us to give incorrect timing results. Fixes bug 40684; bugfix + on 0.3.3.1-alpha. + + o Major bugfixes (relay): + - Improve security of our DNS cache by randomly clipping the TTL + value. TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on December 06, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/12/06. + + +Changes in version 0.4.5.14 - 2022-08-12 + This version updates the geoip cache that we generate from IPFire location + database to use the August 9th, 2022 one. Everyone MUST update to this + latest release else circuit path selection and relay metrics are badly + affected. + + o Major bugfixes (geoip data): + - IPFire informed us on August 12th that databases generated after + (including) August 10th did not have proper ARIN network allocations. We + are updating the database to use the one generated on August 9th, 2022. + Fixes bug 40658; bugfix on 0.4.5.13. + + +Changes in version 0.4.5.13 - 2022-08-11 + This version contains two major fixes aimed at reducing memory pressure on + relays and possible side-channel. The rest of the fixes were backported for + stability or safety purposes. We strongly recommend to upgrade your relay to + this version or, ideally, to the latest stable of the 0.4.7.x series. + + o Major bugfixes (relay): + - Remove OR connections btrack subsystem entries when the connections + close normally. Before this, we would only remove the entry on error and + thus leaking memory for each normal OR connections. Fixes bug 40604; + bugfix on 0.4.0.1-alpha. + - Stop sending TRUNCATED cell and instead close the circuit from which we + received a DESTROY cell. This makes every relay in the circuit path to + stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on August 11, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/08/11. + + o Minor features (linux seccomp2 sandbox): + - Permit the clone3 syscall, which is apparently used in glibc-2.34 + and later. Closes ticket 40590. + + o Minor bugfixes (controller, path bias): + - When a circuit's path is specified, in full or in part, from the + controller API, do not count that circuit towards our path-bias + calculations. (Doing so was incorrect, since we cannot tell + whether the controller is selecting relays randomly.) Resolves a + "Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (defense in depth): + - Change a test in the netflow padding code to make it more + _obviously_ safe against remotely triggered crashes. (It was safe + against these before, but not obviously so.) Fixes bug 40645; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (linux seccomp2 sandbox): + - Allow the rseq system call in the sandbox. This solves a crash + issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug + 40601; bugfix on 0.3.5.11. + + o Minor bugfixes (metrics port, onion service): + - The MetricsPort line for an onion service with multiple ports are now + unique that is one line per port. Before this, all ports of an onion + service would be on the same line which violates the Prometheus rules of + unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (onion service, client): + - Fix a fatal assert due to a guard subsystem recursion triggered by + the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (performance, DoS): + - Fix one case of a not-especially viable denial-of-service attack + found by OSS-Fuzz in our consensus-diff parsing code. This attack + causes a lot small of memory allocations and then immediately + frees them: this is only slow when running with all the sanitizers + enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (relay): + - Do not propagate either forward or backward a DESTROY remote reason when + closing a circuit in order to avoid a possible side channel. Fixes bug + 40649; bugfix on 0.1.2.4-alpha. + + +Changes in version 0.4.5.12 - 2022-02-04 + This version contains mostly minor bugfixes for which you can find the + details below. The previous release (0.4.5.11) was suppose to update the + GeoIP and fallbackdir lists but a problem in our release pipeline prevented + those files to be updated correctly. Thus, this release regenerates up to + date lists. Furthermore, another fix to highlight is that relays don't + advertise onion service v2 support at the protocol version level. + + o Minor feature (reproducible build): + - The repository can now build reproducible tarballs which adds the + build command "make dist-reprod" for that purpose. Closes + ticket 26299. + + o Minor features (compilation): + - Give an error message if trying to build with a version of + LibreSSL known not to work with Tor. (There's an incompatibility + with LibreSSL versions 3.2.1 through 3.4.0 inclusive because of + their incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.) Closes + ticket 40511. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on February 04, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/02/04. + + o Minor bugfix (logging): + - Update a log notice dead URL to a working one. Fixes bug 40544; + bugfix on 0.3.5.1-alpha. + + o Minor bugfix (relay): + - Remove the HSDir and HSIntro onion service v2 protocol versions so + relay stop advertising that they support them. Fixes bug 40509; + bugfix on 0.3.5.17. + + o Minor bugfixes (compilation): + - Fix a compilation error when trying to build Tor with a compiler + that does not support expanding statitically initialized const + values in macro's. Fixes bug 40410; bugfix on 0.4.5.1-alpha + - Fix our configuration logic to detect whether we had OpenSSL 3: + previously, our logic was reversed. This has no other effect than + to change whether we suppress deprecated API warnings. Fixes bug + 40429; bugfix on 0.3.5.13. + + o Minor bugfixes (MetricsPort, Prometheus): + - Add double quotes to the label values of the onion service + metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (relay): + - Reject IPv6-only DirPorts. Our reachability self-test forces + DirPorts to be IPv4, but our configuration parser allowed them to + be IPv6-only, which led to an assertion failure. Fixes bug 40494; + bugfix on 0.4.5.1-alpha. + + +Changes in version 0.4.5.11 - 2021-10-26 + The major change in this version is that v2 onion services are now + disabled at the client, service, and relay: any Tor nodes running this + version and onward will stop supporting v2 onion services. This is the + last step in the long deprecation process of v2 onion services. + Everyone running an earlier version, whether as a client, a relay, or + an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, + or 0.4.6.8. + + o Major feature (onion service v2): + - See https://blog.torproject.org/v2-deprecation-timeline for + details on how to transition from v2 to v3. + - The control port commands HSFETCH and HSPOST no longer allow + version 2, and it is no longer possible to create a v2 service + with ADD_ONION. + - Tor no longer allows creating v2 services, or connecting as a + client to a v2 service. Relays will decline to be a v2 HSDir or + introduction point. This effectively disables onion service + version 2 Tor-wide. Closes ticket 40476. + + o Minor features (bridge, backport from 0.4.6.8): + - We now announce the URL to Tor's new bridge status at + https://bridges.torproject.org/ when Tor is configured to run as a + bridge relay. Closes ticket 30477. + + o Minor features (fallbackdir): + - Regenerate fallback directories for October 2021. Closes + ticket 40493. + + o Minor features (logging, diagnostic, backport from 0.4.6.5): + - Log decompression failures at a higher severity level, since they + can help provide missing context for other warning messages. We + rate-limit these messages, to avoid flooding the logs if they + begin to occur frequently. Closes ticket 40175. + + o Minor features (testing, backport from 0.4.6.8): + - On a testing network, relays can now use the + TestingMinTimeToReportBandwidth option to change the smallest + amount of time over which they're willing to report their observed + maximum bandwidth. Previously, this was fixed at 1 day. For + safety, values under 2 hours are only supported on testing + networks. Part of a fix for ticket 40337. + - Relays on testing networks no longer rate-limit how frequently + they are willing to report new bandwidth measurements. Part of a + fix for ticket 40337. + - Relays on testing networks now report their observed bandwidths + immediately from startup. Previously, they waited until they had + been running for a full day. Closes ticket 40337. + + o Minor bugfix (CI, onion service): + - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500; + bugfix on 0.3.2.1-alpha. + + o Minor bugfix (onion service, backport from 0.4.6.8): + - Do not flag an HSDir as non-running in case the descriptor upload + or fetch fails. An onion service closes pending directory + connections before uploading a new descriptor which can thus lead + to wrongly flagging many relays and thus affecting circuit building + path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha. + + o Minor bugfixes (compatibility, backport from 0.4.6.8): + - Fix compatibility with the most recent Libevent versions, which no + longer have an evdns_set_random_bytes() function. Because this + function has been a no-op since Libevent 2.0.4-alpha, it is safe + for us to just stop calling it. Fixes bug 40371; bugfix + on 0.2.1.7-alpha. + + o Minor bugfixes (consensus handling, backport from 0.4.6.4-rc): + - Avoid a set of bugs that could be caused by inconsistently + preferring an out-of-date consensus stored in a stale directory + cache over a more recent one stored on disk as the latest + consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (onion service, TROVE-2021-008, backport from 0.4.6.8): + - Only log v2 access attempts once total, in order to not pollute + the logs with warnings and to avoid recording the times on disk + when v2 access was attempted. Note that the onion address was + _never_ logged. This counts as a Low-severity security issue. + Fixes bug 40474; bugfix on 0.4.5.8. + + +Changes in version 0.4.5.10 - 2021-08-16 + This version fixes several bugs from earlier versions of Tor, + including one that could lead to a denial-of-service attack. Everyone + running an earlier version, whether as a client, a relay, or an onion + service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between + our batch-signature verification code and our single-signature + verification code. This assertion failure could be triggered + remotely, leading to a denial of service attack. We fix this issue + by disabling batch verification. Fixes bug 40078; bugfix on + 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and + CVE-2021-38385. Found by Henry de Valence. + + o Minor feature (fallbackdir): + - Regenerate fallback directories list. Closes ticket 40447. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/08/12. + + o Minor features (testing): + - Enable the deterministic RNG for unit tests that covers the + address set bloomfilter-based API's. Fixes bug 40419; bugfix + on 0.3.3.2-alpha. + + o Minor bugfix (crypto, backport from 0.4.6.7): + - Disable the unused batch verification feature of ed25519-donna. + Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry + de Valence. + + o Minor bugfixes (relay, backport from 0.4.6.7): + - Reduce the compression level for data streaming from HIGH to LOW. + Fixes bug 40301; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (timekeeping, backport from 0.4.6.7): + - Calculate the time of day correctly on systems where the time_t + type includes leap seconds. (This is not the case on most + operating systems, but on those where it occurs, our tor_timegm + function did not correctly invert the system's gmtime function, + which could result in assertion failures when calculating voting + schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha. + + o Minor bugfixes (warnings, portability, backport from 0.4.6.6): + - Suppress a strict-prototype warning when building with some + versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha. + + +Changes in version 0.4.5.9 - 2021-06-14 + Tor 0.4.5.9 fixes several security issues, including a + denial-of-service attack against onion service clients, and another + denial-of-service attack against relays. Everybody should upgrade to + one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. + + o Major bugfixes (security, backport from 0.4.6.5): + - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on + half-closed streams. Previously, clients failed to validate which + hop sent these cells: this would allow a relay on a circuit to end + a stream that wasn't actually built with it. Fixes bug 40389; + bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- + 003 and CVE-2021-34548. + + o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): + - Detect more failure conditions from the OpenSSL RNG code. + Previously, we would detect errors from a missing RNG + implementation, but not failures from the RNG code itself. + Fortunately, it appears those failures do not happen in practice + when Tor is using OpenSSL's default RNG implementation. Fixes bug + 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as + TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. + + o Major bugfixes (security, denial of service, backport from 0.4.6.5): + - Resist a hashtable-based CPU denial-of-service attack against + relays. Previously we used a naive unkeyed hash function to look + up circuits in a circuitmux object. An attacker could exploit this + to construct circuits with chosen circuit IDs, to create + collisions and make the hash table inefficient. Now we use a + SipHash construction here instead. Fixes bug 40391; bugfix on + 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and + CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. + - Fix an out-of-bounds memory access in v3 onion service descriptor + parsing. An attacker could exploit this bug by crafting an onion + service descriptor that would crash any client that tried to visit + it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also + tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei + Glazunov from Google's Project Zero. + + o Minor features (compatibility, backport from 0.4.6.4-rc): + - Remove an assertion function related to TLS renegotiation. It was + used nowhere outside the unit tests, and it was breaking + compilation with recent alpha releases of OpenSSL 3.0.0. Closes + ticket 40399. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/06/10. + + o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc): + - Allow the control command SAVECONF to succeed when the seccomp + sandbox is enabled, and make SAVECONF keep only one backup file to + simplify implementation. Previously SAVECONF allowed a large + number of backup files, which made it incompatible with the + sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by + Daniel Pinto. + + o Minor bugfixes (metrics port, backport from 0.4.6.4-rc): + - Fix a bug that made tor try to re-bind() on an already open + MetricsPort every 60 seconds. Fixes bug 40370; bugfix + on 0.4.5.1-alpha. + + +Changes in version 0.4.5.8 - 2021-05-10 + Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes + from the 0.4.6.x series. + + o Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc): + - Add a workaround to enable the Linux sandbox to work correctly + with Glibc 2.33. This version of Glibc has started using the + fstatat() system call, which previously our sandbox did not allow. + Closes ticket 40382; see the ticket for a discussion of trade-offs. + + o Minor features (compilation, backport from 0.4.6.3-rc): + - Make the autoconf script build correctly with autoconf versions + 2.70 and later. Closes part of ticket 40335. + + o Minor features (fallback directory list, backport from 0.4.6.2-alpha): + - Regenerate the list of fallback directories to contain a new set + of 200 relays. Closes ticket 40265. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/05/07. + + o Minor features (onion services): + - Add warning message when connecting to now deprecated v2 onion + services. As announced, Tor 0.4.5.x is the last series that will + support v2 onions. Closes ticket 40373. + + o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha): + - Fix a regression that made it impossible start Tor using a bridge + line with a transport name and no fingerprint. Fixes bug 40360; + bugfix on 0.4.5.4-rc. + + o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc): + - Allow a custom "ar" for cross-compilation. Our previous build + script had used the $AR environment variable in most places, but + it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha): + - Fix a non-fatal BUG() message due to a too-early free of a string, + when listing a client connection from the DoS defenses subsystem. + Fixes bug 40345; bugfix on 0.4.3.4-rc. + + o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc): + - Fix an indentation problem that led to a warning from GCC 11.1.1. + Fixes bug 40380; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (controller, backport from 0.4.6.1-alpha): + - Fix a "BUG" warning that would appear when a controller chooses + the first hop for a circuit, and that circuit completes. Fixes bug + 40285; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc): + - Fix a bug where an expired cached descriptor could get overwritten + with a new one without freeing it, leading to a memory leak. Fixes + bug 40356; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha): + - Fix pattern-matching errors when patterns expand to invalid paths + on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by + Daniel Pinto. + + +Changes in version 0.4.5.7 - 2021-03-16 + Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier + versions of Tor. + + One of these vulnerabilities (TROVE-2021-001) would allow an attacker + who can send directory data to a Tor instance to force that Tor + instance to consume huge amounts of CPU. This is easiest to exploit + against authorities, since anybody can upload to them, but directory + caches could also exploit this vulnerability against relays or clients + when they download. The other vulnerability (TROVE-2021-002) only + affects directory authorities, and would allow an attacker to remotely + crash the authority with an assertion failure. Patches have already + been provided to the authority operators, to help ensure + network stability. + + We recommend that everybody upgrade to one of the releases that fixes + these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available + to you. + + This release also updates our GeoIP data source, and fixes a few + smaller bugs in earlier releases. + + o Major bugfixes (security, denial of service): + - Disable the dump_desc() function that we used to dump unparseable + information to disk. It was called incorrectly in several places, + in a way that could lead to excessive CPU usage. Fixes bug 40286; + bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- + 001 and CVE-2021-28089. + - Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority. Fixes + bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 + and CVE-2021-28090. + + o Minor features (geoip data): + - We have switched geoip data sources. Previously we shipped IP-to- + country mappings from Maxmind's GeoLite2, but in 2019 they changed + their licensing terms, so we were unable to update them after that + point. We now ship geoip files based on the IPFire Location + Database instead. (See https://location.ipfire.org/ for more + information). This release updates our geoip files to match the + IPFire Location Database as retrieved on 2021/03/12. Closes + ticket 40224. + + o Minor bugfixes (directory authority): + - Now that exit relays don't allow exit connections to directory + authority DirPorts (to prevent network reentry), disable + authorities' reachability self test on the DirPort. Fixes bug + 40287; bugfix on 0.4.5.5-rc. + + o Minor bugfixes (documentation): + - Fix a formatting error in the documentation for + VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha. + + o Minor bugfixes (Linux, relay): + - Fix a bug in determining total available system memory that would + have been triggered if the format of Linux's /proc/meminfo file + had ever changed to include "MemTotal:" in the middle of a line. + Fixes bug 40315; bugfix on 0.2.5.4-alpha. + + o Minor bugfixes (metrics port): + - Fix a BUG() warning on the MetricsPort for an internal missing + handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (onion service): + - Remove a harmless BUG() warning when reloading tor configured with + onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (portability): + - Fix a non-portable usage of "==" with "test" in the configure + script. Fixes bug 40298; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (relay): + - Remove a spammy log notice falsely claiming that the IPv4/v6 + address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha. + - Do not query the address cache early in the boot process when + deciding if a relay needs to fetch early directory information + from an authority. This bug resulted in a relay falsely believing + it didn't have an address and thus triggering an authority fetch + at each boot. Related to our fix for 40300. + + o Removed features (mallinfo deprecated): + - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it. + Closes ticket 40309. + + +Changes in version 0.4.5.6 - 2021-02-15 + The Tor 0.4.5.x release series is dedicated to the memory of Karsten + Loesing (1979-2020), Tor developer, cypherpunk, husband, and father. + Karsten is best known for creating the Tor metrics portal and leading + the metrics team, but he was involved in Tor from the early days. For + example, while he was still a student he invented and implemented the + v2 onion service directory design, and he also served as an ambassador + to the many German researchers working in the anonymity field. We + loved him and respected him for his patience, his consistency, and his + welcoming approach to growing our community. + + This release series introduces significant improvements in relay IPv6 + address discovery, a new "MetricsPort" mechanism for relay operators + to measure performance, LTTng support, build system improvements to + help when using Tor as a static library, and significant bugfixes + related to Windows relay performance. It also includes numerous + smaller features and bugfixes. + + Below are the changes since 0.4.4.4-rc. For a complete list of changes + since 0.4.4.7, see the ReleaseNotes file. + + o Major bugfixes (IPv6, relay): + - Fix a bug that prevented a relay from publishing its descriptor if + an auto-discovered IPv6 that was found unreachable. Fixes bug + 40279; bugfix on 0.4.5.1-alpha. + + o Minor features (protocol versions): + - Stop claiming to support the "DirCache=1" subprotocol version. + Technically, we stopped supporting this subprotocol back in + 0.4.5.1-alpha, but we needed to wait for the authorities to stop + listing it as "required" before we could drop it from the list. + Closes ticket 40221. + + o Minor bugfixes (logging): + - Avoid a spurious log message about missing subprotocol versions, + when the consensus that we're reading from is older than the + current release. Previously we had made this message nonfatal, but + in practice, it is never relevant when the consensus is older than + the current release. Fixes bug 40281; bugfix on 0.4.0.1-alpha. + + o Minor bugfixes (metrics port): + - Fix a bug warning when a metrics port socket was unexpectedly + closed. Fixes bug 40257; bugfix on 0.4.5.1-alpha + + o Minor bugfixes (relay): + - Allow relays to have a RFC1918 address if PublishServerDescriptor + is set to 0 and AssumeReachable is set to 1. This is to support + the use case of a bridge on a local network, exposed via a + pluggable transport. Fixes bug 40208; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (relay, config): + - Fix a problem in the removal of duplicate ORPorts from the + internal port list when loading the config file. We were removing + the wrong ports, breaking valid torrc uses cases for multiple + ORPorts of the same address family. Fixes bug 40289; bugfix + on 0.4.5.1-alpha. + + +Changes in version 0.4.5.5-rc - 2021-02-01 + Tor 0.4.5.5-rc is the third release candidate in its series. We're + coming closer and closer to a stable release series. This release + fixes an annoyance with address detection code, and somewhat mitigates + an ongoing denial-of-service attack. + + We anticipate no more code changes between this and the stable + release, though of course that could change. + + o Major feature (exit): + - Re-entry into the network is now denied at the Exit level to all + relays' ORPorts and authorities' ORPorts and DirPorts. This change + should help mitgate a set of denial-of-service attacks. Closes + ticket 2667. + + o Minor bugfixes (relay, configuration): + - Don't attempt to discover our address (IPv4 or IPv6) if no ORPort + for it can be found in the configuration. Fixes bug 40254; bugfix + on 0.4.5.1-alpha. + + +Changes in version 0.4.5.4-rc - 2021-01-22 + Tor 0.4.5.4-rc is the second release candidate in its series. It fixes + several bugs present in previous releases. + + We expect that the stable release will be the same, or almost the + same, as this release candidate, unless serious bugs are found. + + o Major bugfixes (authority, IPv6): + - Do not consider multiple relays in the same IPv6 /64 network to be + sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha. + + o Major bugfixes (directory cache, performance, windows): + - Limit the number of items in the consensus diff cache to 64 on + Windows. We hope this will mitigate an issue where Windows relay + operators reported Tor using 100% CPU, while we investigate better + solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha. + + o Minor feature (build system): + - New "make lsp" command to generate the compile_commands.json file + used by the ccls language server. The "bear" program is needed for + this. Closes ticket 40227. + + o Minor features (authority, logging): + - Log more information for directory authority operators during the + consensus voting process, and while processing relay descriptors. + Closes ticket 40245. + - Reject obsolete router/extrainfo descriptors earlier and more + quietly, to avoid spamming the logs. Fixes bug 40238; bugfix + on 0.4.5.1-alpha. + + o Minor bugfixes (compilation): + - Fix another warning about unreachable fallthrough annotations when + building with "--enable-all-bugs-are-fatal" on some compilers. + Fixes bug 40241; bugfix on 0.4.5.3-rc. + - Change the linker flag ordering in our library search code so that + it works for compilers that need the libraries to be listed in the + right order. Fixes bug 33624; bugfix on 0.1.1.0-alpha. + + o Minor bugfixes (config, bridge): + - Don't initiate a connection to a bridge configured to use a + missing transport. This change reverts an earlier fix that would + try to avoid such situations during configuration chcecking, but + which doesn't work with DisableNetwork. Fixes bug 40106; bugfix + on 0.4.5.1-alpha. + + o Minor bugfixes (onion services): + - Avoid a non-fatal assertion in certain edge-cases when + establishing a circuit to an onion service. Fixes bug 32666; + bugfix on 0.3.0.3-alpha. + + o Minor bugfixes (relay): + - If we were unable to build our descriptor, don't mark it as having + been advertised. Also remove an harmless BUG(). Fixes bug 40231; + bugfix on 0.4.5.1-alpha. + + +Changes in version 0.4.5.3-rc - 2021-01-12 + Tor 0.4.5.3-rc is the first release candidate in its series. It fixes + several bugs, including one that broke onion services on certain older + ARM CPUs. + + Though we anticipate that we'll be doing a bit more clean-up between + now and the stable release, we expect that our remaining changes will + be fairly simple. There will be at least one more release candidate + before 0.4.5.x is stable. + + o Major bugfixes (onion service v3): + - Stop requiring a live consensus for v3 clients and services, and + allow a "reasonably live" consensus instead. This allows v3 onion + services to work even if the authorities fail to generate a + consensus for more than 2 hours in a row. Fixes bug 40237; bugfix + on 0.3.5.1-alpha. + + o Minor features (crypto): + - Fix undefined behavior on our Keccak library. The bug only + appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) + and would result in wrong digests. Fixes bug 40210; bugfix on + 0.2.8.1-alpha. Thanks to Bernhard Ãœbelacker, Arnd Bergmann and + weasel for diagnosing this. + + o Minor features (documentation): + - Mention the "!badexit" directive that can appear in an authority's + approved-routers file, and update the description of the + "!invalid" directive. Closes ticket 40188. + + o Minor bugfixes (compilation): + - Fix a compilation warning about unreachable fallthrough + annotations when building with "--enable-all-bugs-are-fatal" on + some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha. + - Fix the "--enable-static-tor" switch to properly set the "-static" + compile option onto the tor binary only. Fixes bug 40111; bugfix + on 0.2.3.1-alpha. + + o Minor bugfixes (config, bridge): + - Really fix the case where torrc has a missing ClientTransportPlugin + but is configured with a Bridge line and UseBridges. Previously, + we didn't look at the managed proxy list and thus would fail for + the "exec" case. Fixes bug 40106; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (logging, relay): + - Log our address as reported by the directory authorities, if none + was configured or detected before. Fixes bug 40201; bugfix + on 0.4.5.1-alpha. + - When a launching bandwidth testing circuit, don't incorrectly call + it a reachability test, or trigger a "CHECKING_REACHABILITY" + control event. Fixes bug 40205; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (relay, statistics): + - Report the correct connection statistics in our extrainfo + documents. Previously there was a problem in the file loading + function which would wrongly truncate a state file, causing the + wrong information to be reported. Fixes bug 40226; bugfix + on 0.4.5.1-alpha. + + o Minor bugfixes (SOCKS5): + - Handle partial SOCKS5 messages correctly. Previously, our code + would send an incorrect error message if it got a SOCKS5 request + that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. + + +Changes in version 0.4.5.2-alpha - 2020-11-23 + Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series. + It fixes several bugs present in earlier releases, including one that + made it impractical to run relays on Windows. It also adds a few small + safety features to improve Tor's behavior in the presence of strange + compile-time options, misbehaving proxies, and future versions + of OpenSSL. + + o Major bugfixes (relay, windows): + - Fix a bug in our implementation of condition variables on Windows. + Previously, a relay on Windows would use 100% CPU after running + for some time. Because of this change, Tor now require Windows + Vista or later to build and run. Fixes bug 30187; bugfix on + 0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with + the introduction of consensus diffs.) Patch by Daniel Pinto. + + o Minor features (compilation): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or + later. There are a number of APIs newly deprecated in OpenSSL + 3.0.0 that Tor still requires. (A later version of Tor will try to + stop depending on these APIs.) Closes ticket 40165. + + o Minor features (protocol, proxy support, defense in depth): + - Respond more deliberately to misbehaving proxies that leave + leftover data on their connections, so as to make Tor even less + likely to allow the proxies to pass their data off as having come + from a relay. Closes ticket 40017. + + o Minor features (safety): + - Log a warning at startup if Tor is built with compile-time options + that are likely to make it less stable or reliable. Closes + ticket 18888. + + o Minor bugfixes (circuit, handshake): + - In the v3 handshaking code, use connection_or_change_state() to + change the state. Previously, we changed the state directly, but + this did not pass the state change to the pubsub or channel + objects, potentially leading to bugs. Fixes bug 32880; bugfix on + 0.2.3.6-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (compilation): + - Use the correct 'ranlib' program when building libtor.a. + Previously we used the default ranlib, which broke some kinds of + cross-compilation. Fixes bug 40172; bugfix on 0.4.5.1-alpha. + - Remove a duplicate typedef in metrics_store.c. Fixes bug 40177; + bugfix on 0.4.5.1-alpha. + - When USDT tracing is enabled, and STAP_PROBEV() is missing, don't + attempt to build. Linux supports that macro but not the BSDs. + Fixes bug 40174; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (configuration): + - Exit Tor on a misconfiguration when the Bridge line is configured + to use a transport but no corresponding ClientTransportPlugin can + be found. Prior to this fix, Tor would attempt to connect to the + bridge directly without using the transport, making it easier for + adversaries to notice the bridge. Fixes bug 25528; bugfix + on 0.2.6.1-alpha. + - Fix an issue where an ORPort was compared with other kinds of + ports, when it should have been only checked against other + ORPorts. This bug would lead to "DirPort auto" getting ignored. + Fixes bug 40195; bugfix on 0.4.5.1-alpha. + - Fix a bug where a second non-ORPort with a variant family (ex: + SocksPort [::1]:9050) would be ignored due to a configuration + parsing error. Fixes bug 40183; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (crash, relay, signing key): + - Avoid assertion failures when we run Tor from the command line + with `--key-expiration sign`, but an ORPort is not set. Fixes bug + 40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (logging): + - Remove trailing whitespace from control event log messages. Fixes + bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by + Amadeusz Pawlik. + - Turn warning-level log message about SENDME failure into a debug- + level message. (This event can happen naturally, and is no reason + for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha. + + o Minor bugfixes (relay, address discovery): + - Don't trigger an IP change when no new valid IP can be found. + Fixes bug 40071; bugfix on 0.4.5.1-alpha. + - When attempting to discover our IP, use a simple test circuit, + rather than a descriptor fetch: the same address information is + present in NETINFO cells, and is better authenticated there. Fixes + bug 40071; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (testing): + - Fix the `config/parse_tcp_proxy_line` test so that it works + correctly on systems where the DNS provider hijacks invalid + queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha. + - Fix unit tests that used newly generated list of routers so that + they check them with respect to the date when they were generated, + not with respect to the current time. Fixes bug 40187; bugfix + on 0.4.5.1-alpha. + - Fix our Python reference-implementation for the v3 onion service + handshake so that it works correctly with the version of hashlib + provided by Python 3.9. Fixes part of bug 40179; bugfix + on 0.3.1.6-rc. + - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL + 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha. + + o Removed features (controller): + - Remove the "GETINFO network-status" controller command. It has + been deprecated since 0.3.1.1-alpha. Closes ticket 22473. + + Changes in version 0.4.4.6 - 2020-11-12 Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It backports fixes from later releases, including a fix for TROVE-2020- diff --git a/ReleaseNotes b/ReleaseNotes index 2ce9ceaa90..cc2a0d920e 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -2,6 +2,1014 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.4.5.16 - 2023-01-12 + This version has one major bugfix for relay and a security fix, + TROVE-2022-002, affecting clients. We strongly recommend to upgrade to our + 0.4.7.x stable series. As a reminder, this series is EOL on February 15th, + 2023. + + o Major bugfixes (relay): + - When opening a channel because of a circuit request that did not + include an Ed25519 identity, record the Ed25519 identity that we + actually received, so that we can use the channel for other + circuit requests that _do_ list an Ed25519 identity. (Previously + we had code to record this identity, but a logic bug caused it to + be disabled.) Fixes bug 40563; bugfix on 0.3.0.1-alpha. Patch + from "cypherpunks". + + o Major bugfixes (TROVE-2022-002, client): + - The SafeSocks option had its logic inverted for SOCKS4 and + SOCKS4a. It would let the unsafe SOCKS4 pass but not the safe + SOCKS4a one. This is TROVE-2022-002 which was reported on + Hackerone by "cojabo". Fixes bug 40730; bugfix on 0.3.5.1-alpha. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on January 12, 2023. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2023/01/12. + + +Changes in version 0.4.5.15 - 2022-12-06 + This version has several major changes for directory authorities. And a + major bugfix on OSX. Again, we strongly recommend to upgrade to our 0.4.7.x + series latest stable. This series is EOL on February 15th, 2023. + + o Directory authority changes (dizum): + - Change dizum IP address. Closes ticket 40687. + + o Directory authority changes (Faravahar): + - Remove Faravahar until its operator, Sina, set it back up online + outside of Team Cymru network. Closes ticket 40688. + + o Directory authority changes (moria1): + - Rotate the relay identity key and v3 identity key for moria1. They + have been online for more than a decade and refreshing keys + periodically is good practice. Advertise new ports too, to avoid + confusion. Closes ticket 40722. + + o Major bugfixes (OSX): + - Fix coarse-time computation on Apple platforms (like Mac M1) where + the Mach absolute time ticks do not correspond directly to + nanoseconds. Previously, we computed our shift value wrong, which + led us to give incorrect timing results. Fixes bug 40684; bugfix + on 0.3.3.1-alpha. + + o Major bugfixes (relay): + - Improve security of our DNS cache by randomly clipping the TTL + value. TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on December 06, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/12/06. + + +Changes in version 0.4.5.14 - 2022-08-12 + This version updates the geoip cache that we generate from IPFire location + database to use the August 9th, 2022 one. Everyone MUST update to this + latest release else circuit path selection and relay metrics are badly + affected. + + o Major bugfixes (geoip data): + - IPFire informed us on August 12th that databases generated after + (including) August 10th did not have proper ARIN network allocations. We + are updating the database to use the one generated on August 9th, 2022. + Fixes bug 40658; bugfix on 0.4.5.13. + + +Changes in version 0.4.5.13 - 2022-08-11 + This version contains two major fixes aimed at reducing memory pressure on + relays and possible side-channel. The rest of the fixes were backported for + stability or safety purposes. We strongly recommend to upgrade your relay to + this version or, ideally, to the latest stable of the 0.4.7.x series. + + o Major bugfixes (relay): + - Remove OR connections btrack subsystem entries when the connections + close normally. Before this, we would only remove the entry on error and + thus leaking memory for each normal OR connections. Fixes bug 40604; + bugfix on 0.4.0.1-alpha. + - Stop sending TRUNCATED cell and instead close the circuit from which we + received a DESTROY cell. This makes every relay in the circuit path to + stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on August 11, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/08/11. + + o Minor features (linux seccomp2 sandbox): + - Permit the clone3 syscall, which is apparently used in glibc-2.34 + and later. Closes ticket 40590. + + o Minor bugfixes (controller, path bias): + - When a circuit's path is specified, in full or in part, from the + controller API, do not count that circuit towards our path-bias + calculations. (Doing so was incorrect, since we cannot tell + whether the controller is selecting relays randomly.) Resolves a + "Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (defense in depth): + - Change a test in the netflow padding code to make it more + _obviously_ safe against remotely triggered crashes. (It was safe + against these before, but not obviously so.) Fixes bug 40645; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (linux seccomp2 sandbox): + - Allow the rseq system call in the sandbox. This solves a crash + issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug + 40601; bugfix on 0.3.5.11. + + o Minor bugfixes (metrics port, onion service): + - The MetricsPort line for an onion service with multiple ports are now + unique that is one line per port. Before this, all ports of an onion + service would be on the same line which violates the Prometheus rules of + unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (onion service, client): + - Fix a fatal assert due to a guard subsystem recursion triggered by + the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (performance, DoS): + - Fix one case of a not-especially viable denial-of-service attack + found by OSS-Fuzz in our consensus-diff parsing code. This attack + causes a lot small of memory allocations and then immediately + frees them: this is only slow when running with all the sanitizers + enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (relay): + - Do not propagate either forward or backward a DESTROY remote reason when + closing a circuit in order to avoid a possible side channel. Fixes bug + 40649; bugfix on 0.1.2.4-alpha. + + +Changes in version 0.4.5.12 - 2022-02-04 + This version contains mostly minor bugfixes for which you can find the + details below. The previous release (0.4.5.11) was suppose to update the + GeoIP and fallbackdir lists but a problem in our release pipeline prevented + those files to be updated correctly. Thus, this release regenerates up to + date lists. Furthermore, another fix to highlight is that relays don't + advertise onion service v2 support at the protocol version level. + + o Minor feature (reproducible build): + - The repository can now build reproducible tarballs which adds the + build command "make dist-reprod" for that purpose. Closes + ticket 26299. + + o Minor features (compilation): + - Give an error message if trying to build with a version of + LibreSSL known not to work with Tor. (There's an incompatibility + with LibreSSL versions 3.2.1 through 3.4.0 inclusive because of + their incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.) Closes + ticket 40511. + + o Minor features (fallbackdir): + - Regenerate fallback directories generated on December 15, 2021. + - Regenerate fallback directories generated on February 04, 2022. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/12/15. + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2022/02/04. + + o Minor bugfix (logging): + - Update a log notice dead URL to a working one. Fixes bug 40544; + bugfix on 0.3.5.1-alpha. + + o Minor bugfix (relay): + - Remove the HSDir and HSIntro onion service v2 protocol versions so + relay stop advertising that they support them. Fixes bug 40509; + bugfix on 0.3.5.17. + + o Minor bugfixes (compilation): + - Fix a compilation error when trying to build Tor with a compiler + that does not support expanding statitically initialized const + values in macro's. Fixes bug 40410; bugfix on 0.4.5.1-alpha + - Fix our configuration logic to detect whether we had OpenSSL 3: + previously, our logic was reversed. This has no other effect than + to change whether we suppress deprecated API warnings. Fixes bug + 40429; bugfix on 0.3.5.13. + + o Minor bugfixes (MetricsPort, Prometheus): + - Add double quotes to the label values of the onion service + metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (relay): + - Reject IPv6-only DirPorts. Our reachability self-test forces + DirPorts to be IPv4, but our configuration parser allowed them to + be IPv6-only, which led to an assertion failure. Fixes bug 40494; + bugfix on 0.4.5.1-alpha. + + +Changes in version 0.4.5.11 - 2021-10-26 + The major change in this version is that v2 onion services are now + disabled at the client, service, and relay: any Tor nodes running this + version and onward will stop supporting v2 onion services. This is the + last step in the long deprecation process of v2 onion services. + Everyone running an earlier version, whether as a client, a relay, or + an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11, + or 0.4.6.8. + + o Major feature (onion service v2): + - See https://blog.torproject.org/v2-deprecation-timeline for + details on how to transition from v2 to v3. + - The control port commands HSFETCH and HSPOST no longer allow + version 2, and it is no longer possible to create a v2 service + with ADD_ONION. + - Tor no longer allows creating v2 services, or connecting as a + client to a v2 service. Relays will decline to be a v2 HSDir or + introduction point. This effectively disables onion service + version 2 Tor-wide. Closes ticket 40476. + + o Minor features (bridge, backport from 0.4.6.8): + - We now announce the URL to Tor's new bridge status at + https://bridges.torproject.org/ when Tor is configured to run as a + bridge relay. Closes ticket 30477. + + o Minor features (fallbackdir): + - Regenerate fallback directories for October 2021. Closes + ticket 40493. + + o Minor features (logging, diagnostic, backport from 0.4.6.5): + - Log decompression failures at a higher severity level, since they + can help provide missing context for other warning messages. We + rate-limit these messages, to avoid flooding the logs if they + begin to occur frequently. Closes ticket 40175. + + o Minor features (testing, backport from 0.4.6.8): + - On a testing network, relays can now use the + TestingMinTimeToReportBandwidth option to change the smallest + amount of time over which they're willing to report their observed + maximum bandwidth. Previously, this was fixed at 1 day. For + safety, values under 2 hours are only supported on testing + networks. Part of a fix for ticket 40337. + - Relays on testing networks no longer rate-limit how frequently + they are willing to report new bandwidth measurements. Part of a + fix for ticket 40337. + - Relays on testing networks now report their observed bandwidths + immediately from startup. Previously, they waited until they had + been running for a full day. Closes ticket 40337. + + o Minor bugfix (CI, onion service): + - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500; + bugfix on 0.3.2.1-alpha. + + o Minor bugfix (onion service, backport from 0.4.6.8): + - Do not flag an HSDir as non-running in case the descriptor upload + or fetch fails. An onion service closes pending directory + connections before uploading a new descriptor which can thus lead + to wrongly flagging many relays and thus affecting circuit building + path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha. + + o Minor bugfixes (compatibility, backport from 0.4.6.8): + - Fix compatibility with the most recent Libevent versions, which no + longer have an evdns_set_random_bytes() function. Because this + function has been a no-op since Libevent 2.0.4-alpha, it is safe + for us to just stop calling it. Fixes bug 40371; bugfix + on 0.2.1.7-alpha. + + o Minor bugfixes (consensus handling, backport from 0.4.6.4-rc): + - Avoid a set of bugs that could be caused by inconsistently + preferring an out-of-date consensus stored in a stale directory + cache over a more recent one stored on disk as the latest + consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (onion service, TROVE-2021-008, backport from 0.4.6.8): + - Only log v2 access attempts once total, in order to not pollute + the logs with warnings and to avoid recording the times on disk + when v2 access was attempted. Note that the onion address was + _never_ logged. This counts as a Low-severity security issue. + Fixes bug 40474; bugfix on 0.4.5.8. + + +Changes in version 0.4.5.10 - 2021-08-16 + This version fixes several bugs from earlier versions of Tor, including one + that could lead to a denial-of-service attack. Everyone running an earlier + version, whether as a client, a relay, or an onion service, should upgrade + to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7. + + o Major bugfixes (cryptography, security): + - Resolve an assertion failure caused by a behavior mismatch between our + batch-signature verification code and our single-signature verification + code. This assertion failure could be triggered remotely, leading to a + denial of service attack. We fix this issue by disabling batch + verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is + also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de + Valence. + + o Minor feature (fallbackdir): + - Regenerate fallback directories list. Closes ticket 40447. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, + as retrieved on 2021/08/12. + + o Minor features (testing): + - Enable the deterministic RNG for unit tests that covers the address set + bloomfilter-based API's. Fixes bug 40419; bugfix on 0.3.3.2-alpha. + + o Minor bugfix (crypto): + - Disable the unused batch verification feature of ed25519-donna. Fixes + bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence. + + o Minor bugfixes (relay, backport from 0.4.6.x): + - Reduce the compression level for data streaming from HIGH to LOW. Fixes + bug 40301; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (timekeeping, backport from 0.4.6.x): + - Calculate the time of day correctly on systems where the time_t + type includes leap seconds. (This is not the case on most + operating systems, but on those where it occurs, our tor_timegm + function did not correctly invert the system's gmtime function, + which could result in assertion failures when calculating + voting schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha. + + o Minor bugfixes (warnings, portability, backport from 0.4.6.x): + - Suppress a strict-prototype warning when building with some versions + of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha. + + +Changes in version 0.4.5.9 - 2021-06-14 + Tor 0.4.5.9 fixes several security issues, including a + denial-of-service attack against onion service clients, and another + denial-of-service attack against relays. Everybody should upgrade to + one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5. + + o Major bugfixes (security, backport from 0.4.6.5): + - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on + half-closed streams. Previously, clients failed to validate which + hop sent these cells: this would allow a relay on a circuit to end + a stream that wasn't actually built with it. Fixes bug 40389; + bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021- + 003 and CVE-2021-34548. + + o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5): + - Detect more failure conditions from the OpenSSL RNG code. + Previously, we would detect errors from a missing RNG + implementation, but not failures from the RNG code itself. + Fortunately, it appears those failures do not happen in practice + when Tor is using OpenSSL's default RNG implementation. Fixes bug + 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as + TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. + + o Major bugfixes (security, denial of service, backport from 0.4.6.5): + - Resist a hashtable-based CPU denial-of-service attack against + relays. Previously we used a naive unkeyed hash function to look + up circuits in a circuitmux object. An attacker could exploit this + to construct circuits with chosen circuit IDs, to create + collisions and make the hash table inefficient. Now we use a + SipHash construction here instead. Fixes bug 40391; bugfix on + 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and + CVE-2021-34549. Reported by Jann Horn from Google's Project Zero. + - Fix an out-of-bounds memory access in v3 onion service descriptor + parsing. An attacker could exploit this bug by crafting an onion + service descriptor that would crash any client that tried to visit + it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also + tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei + Glazunov from Google's Project Zero. + + o Minor features (compatibility, backport from 0.4.6.4-rc): + - Remove an assertion function related to TLS renegotiation. It was + used nowhere outside the unit tests, and it was breaking + compilation with recent alpha releases of OpenSSL 3.0.0. Closes + ticket 40399. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/06/10. + + o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc): + - Allow the control command SAVECONF to succeed when the seccomp + sandbox is enabled, and make SAVECONF keep only one backup file to + simplify implementation. Previously SAVECONF allowed a large + number of backup files, which made it incompatible with the + sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by + Daniel Pinto. + + o Minor bugfixes (metrics port, backport from 0.4.6.4-rc): + - Fix a bug that made tor try to re-bind() on an already open + MetricsPort every 60 seconds. Fixes bug 40370; bugfix + on 0.4.5.1-alpha. + + +Changes in version 0.4.5.8 - 2021-05-10 + Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes + from the 0.4.6.x series. + + o Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc): + - Add a workaround to enable the Linux sandbox to work correctly + with Glibc 2.33. This version of Glibc has started using the + fstatat() system call, which previously our sandbox did not allow. + Closes ticket 40382; see the ticket for a discussion of trade-offs. + + o Minor features (compilation, backport from 0.4.6.3-rc): + - Make the autoconf script build correctly with autoconf versions + 2.70 and later. Closes part of ticket 40335. + + o Minor features (fallback directory list, backport from 0.4.6.2-alpha): + - Regenerate the list of fallback directories to contain a new set + of 200 relays. Closes ticket 40265. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/05/07. + + o Minor features (onion services): + - Add warning message when connecting to now deprecated v2 onion + services. As announced, Tor 0.4.5.x is the last series that will + support v2 onions. Closes ticket 40373. + + o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha): + - Fix a regression that made it impossible start Tor using a bridge + line with a transport name and no fingerprint. Fixes bug 40360; + bugfix on 0.4.5.4-rc. + + o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc): + - Allow a custom "ar" for cross-compilation. Our previous build + script had used the $AR environment variable in most places, but + it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha): + - Fix a non-fatal BUG() message due to a too-early free of a string, + when listing a client connection from the DoS defenses subsystem. + Fixes bug 40345; bugfix on 0.4.3.4-rc. + + o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc): + - Fix an indentation problem that led to a warning from GCC 11.1.1. + Fixes bug 40380; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (controller, backport from 0.4.6.1-alpha): + - Fix a "BUG" warning that would appear when a controller chooses + the first hop for a circuit, and that circuit completes. Fixes bug + 40285; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc): + - Fix a bug where an expired cached descriptor could get overwritten + with a new one without freeing it, leading to a memory leak. Fixes + bug 40356; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha): + - Fix pattern-matching errors when patterns expand to invalid paths + on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by + Daniel Pinto. + + +Changes in version 0.4.5.7 - 2021-03-16 + Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier + versions of Tor. + + One of these vulnerabilities (TROVE-2021-001) would allow an attacker + who can send directory data to a Tor instance to force that Tor + instance to consume huge amounts of CPU. This is easiest to exploit + against authorities, since anybody can upload to them, but directory + caches could also exploit this vulnerability against relays or clients + when they download. The other vulnerability (TROVE-2021-002) only + affects directory authorities, and would allow an attacker to remotely + crash the authority with an assertion failure. Patches have already + been provided to the authority operators, to help ensure + network stability. + + We recommend that everybody upgrade to one of the releases that fixes + these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available + to you. + + This release also updates our GeoIP data source, and fixes a few + smaller bugs in earlier releases. + + o Major bugfixes (security, denial of service): + - Disable the dump_desc() function that we used to dump unparseable + information to disk. It was called incorrectly in several places, + in a way that could lead to excessive CPU usage. Fixes bug 40286; + bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- + 001 and CVE-2021-28089. + - Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority. Fixes + bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 + and CVE-2021-28090. + + o Minor features (geoip data): + - We have switched geoip data sources. Previously we shipped IP-to- + country mappings from Maxmind's GeoLite2, but in 2019 they changed + their licensing terms, so we were unable to update them after that + point. We now ship geoip files based on the IPFire Location + Database instead. (See https://location.ipfire.org/ for more + information). This release updates our geoip files to match the + IPFire Location Database as retrieved on 2021/03/12. Closes + ticket 40224. + + o Minor bugfixes (directory authority): + - Now that exit relays don't allow exit connections to directory + authority DirPorts (to prevent network reentry), disable + authorities' reachability self test on the DirPort. Fixes bug + 40287; bugfix on 0.4.5.5-rc. + + o Minor bugfixes (documentation): + - Fix a formatting error in the documentation for + VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha. + + o Minor bugfixes (Linux, relay): + - Fix a bug in determining total available system memory that would + have been triggered if the format of Linux's /proc/meminfo file + had ever changed to include "MemTotal:" in the middle of a line. + Fixes bug 40315; bugfix on 0.2.5.4-alpha. + + o Minor bugfixes (metrics port): + - Fix a BUG() warning on the MetricsPort for an internal missing + handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (onion service): + - Remove a harmless BUG() warning when reloading tor configured with + onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (portability): + - Fix a non-portable usage of "==" with "test" in the configure + script. Fixes bug 40298; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (relay): + - Remove a spammy log notice falsely claiming that the IPv4/v6 + address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha. + - Do not query the address cache early in the boot process when + deciding if a relay needs to fetch early directory information + from an authority. This bug resulted in a relay falsely believing + it didn't have an address and thus triggering an authority fetch + at each boot. Related to our fix for 40300. + + o Removed features (mallinfo deprecated): + - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it. + Closes ticket 40309. + + +Changes in version 0.4.5.6 - 2021-02-15 + The Tor 0.4.5.x release series is dedicated to the memory of Karsten + Loesing (1979-2020), Tor developer, cypherpunk, husband, and father. + Karsten is best known for creating the Tor metrics portal and leading + the metrics team, but he was involved in Tor from the early days. For + example, while he was still a student he invented and implemented the + v2 onion service directory design, and he also served as an ambassador + to the many German researchers working in the anonymity field. We + loved him and respected him for his patience, his consistency, and his + welcoming approach to growing our community. + + This release series introduces significant improvements in relay IPv6 + address discovery, a new "MetricsPort" mechanism for relay operators + to measure performance, LTTng support, build system improvements to + help when using Tor as a static library, and significant bugfixes + related to Windows relay performance. It also includes numerous + smaller features and bugfixes. + + Below are the changes since 0.4.4.7. For a list of changes since + 0.4.5.5-rc, see the ChangeLog file. + + o Major features (build): + - When building Tor, first link all object files into a single + static library. This may help with embedding Tor in other + programs. Note that most Tor functions do not constitute a part of + a stable or supported API: only those functions in tor_api.h + should be used if embedding Tor. Closes ticket 40127. + + o Major features (metrics): + - Introduce a new MetricsPort which exposes, through an HTTP + interface, a series of metrics that tor collects at runtime. At + the moment, the only supported output format is Prometheus data + model. Closes ticket 40063. See the manual page for more + information and security considerations. + + o Major features (relay, IPv6): + - The torrc option Address now supports IPv6. This unifies our + address discovery interface to support IPv4, IPv6, and hostnames. + Closes ticket 33233. + - Launch IPv4 and IPv6 ORPort self-test circuits on relays and + bridges. Closes ticket 33222. + - Relays now automatically bind on IPv6 for their ORPort, unless + specified otherwise with the IPv4Only flag. Closes ticket 33246. + - When a relay with IPv6 support is told to open a connection to + another relay, and the extend cell lists both IPv4 and IPv6 + addresses, the first relay now picks randomly which address to + use. Closes ticket 33220. + - Relays now track their IPv6 ORPort reachability separately from + the reachability of their IPv4 ORPort. They will not publish a + descriptor unless _both_ ports appear to be externally reachable. + Closes ticket 34067. + + o Major features (tracing): + - Add event-tracing library support for USDT and LTTng-UST, and a + few tracepoints in the circuit subsystem. More will come + incrementally. This feature is compiled out by default: it needs + to be enabled at configure time. See documentation in + doc/HACKING/Tracing.md. Closes ticket 32910. + + o Major bugfixes (directory cache, performance, windows): + - Limit the number of items in the consensus diff cache to 64 on + Windows. We hope this will mitigate an issue where Windows relay + operators reported Tor using 100% CPU, while we investigate better + solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha. + + o Major bugfixes (relay, windows): + - Fix a bug in our implementation of condition variables on Windows. + Previously, a relay on Windows would use 100% CPU after running + for some time. Because of this change, Tor now require Windows + Vista or later to build and run. Fixes bug 30187; bugfix on + 0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with + the introduction of consensus diffs.) Patch by Daniel Pinto. + + o Major bugfixes (TLS, buffer): + - When attempting to read N bytes on a TLS connection, really try to + read all N bytes. Previously, Tor would stop reading after the + first TLS record, which can be smaller than the N bytes requested, + and not check for more data until the next mainloop event. Fixes + bug 40006; bugfix on 0.1.0.5-rc. + + o Minor features (address discovery): + - If no Address statements are found, relays now prioritize guessing + their address by looking at the local interface instead of the + local hostname. If the interface address can't be found, the local + hostname is used. Closes ticket 33238. + + o Minor features (admin tools): + - Add a new --format argument to -key-expiration option to allow + specifying the time format of the expiration date. Adds Unix + timestamp format support. Patch by Daniel Pinto. Closes + ticket 30045. + + o Minor features (authority, logging): + - Log more information for directory authority operators during the + consensus voting process, and while processing relay descriptors. + Closes ticket 40245. + + o Minor features (bootstrap reporting): + - When reporting bootstrapping status on a relay, do not consider + connections that have never been the target of an origin circuit. + Previously, all connection failures were treated as potential + bootstrapping failures, including connections that had been opened + because of client requests. Closes ticket 25061. + + o Minor features (build): + - When running the configure script, try to detect version + mismatches between the OpenSSL headers and libraries, and suggest + that the user should try "--with-openssl-dir". Closes 40138. + - If the configure script has given any warnings, remind the user + about them at the end of the script. Related to 40138. + + o Minor features (configuration): + - Allow using wildcards (* and ?) with the %include option on + configuration files. Closes ticket 25140. Patch by Daniel Pinto. + - Allow the configuration options EntryNodes, ExcludeNodes, + ExcludeExitNodes, ExitNodes, MiddleNodes, HSLayer2Nodes and + HSLayer3Nodes to be specified multiple times. Closes ticket 28361. + Patch by Daniel Pinto. + + o Minor features (control port): + - Add a DROPTIMEOUTS command to drop circuit build timeout history + and reset the current timeout. Closes ticket 40002. + - When a stream enters the AP_CONN_STATE_CONTROLLER_WAIT status, + send a control port event. Closes ticket 32190. Patch by + Neel Chauhan. + - Introduce GETINFO "stats/ntor/{assigned/requested}" and + "stats/tap/{assigned/requested}" to get the NTor and TAP circuit + onion handshake counts respectively. Closes ticket 28279. Patch by + Neel Chauhan. + + o Minor features (control port, IPv6): + - Tor relays now try to report to the controller when they are + launching an IPv6 self-test. Closes ticket 34068. + - Introduce "GETINFO address/v4" and "GETINFO address/v6" in the + control port to fetch the Tor host's respective IPv4 or IPv6 + address. We keep "GETINFO address" for backwards-compatibility. + Closes ticket 40039. Patch by Neel Chauhan. + + o Minor features (directory authorities): + - Add a new consensus method 30 that removes the unnecessary "=" + padding from ntor-onion-key. Closes ticket 7869. Patch by + Daniel Pinto. + - Directory authorities now reject descriptors from relays running + Tor versions from the obsolete 0.4.1 series. Resolves ticket + 34357. Patch by Neel Chauhan. + - The AssumeReachable option no longer stops directory authorities + from checking whether other relays are running. A new + AuthDirTestReachability option can be used to disable these + checks. Closes ticket 34445. + - When looking for possible Sybil attacks, also consider IPv6 + addresses. Two routers are considered to have "the same" address + by this metric if they are in the same /64 network. Patch from + Maurice Pibouin. Closes ticket 7193. + + o Minor features (directory authorities, IPv6): + - Make authorities add their IPv6 ORPort (if any) to the trusted + servers list. Authorities previously added only their IPv4 + addresses. Closes ticket 32822. + + o Minor features (documentation): + - Mention the "!badexit" directive that can appear in an authority's + approved-routers file, and update the description of the + "!invalid" directive. Closes ticket 40188. + + o Minor features (ed25519, relay): + - Save a relay's base64-encoded ed25519 identity key to the data + directory in a file named fingerprint-ed25519. Closes ticket + 30642. Patch by Neel Chauhan. + + o Minor features (heartbeat): + - Include the total number of inbound and outbound IPv4 and IPv6 + connections in the heartbeat message. Closes ticket 29113. + + o Minor features (IPv6, ExcludeNodes): + - Handle IPv6 addresses in ExcludeNodes; previously they were + ignored. Closes ticket 34065. Patch by Neel Chauhan. + + o Minor features (logging): + - Add the running glibc version to the log, and the compiled glibc + version to the library list returned when using --library-versions. + Patch from Daniel Pinto. Closes ticket 40047. + - Consider an HTTP 301 response to be an error (like a 404) when + processing a directory response. Closes ticket 40053. + - Log directory fetch statistics as a single line. Closes + ticket 40159. + - Provide more complete descriptions of our connections when logging + about them. Closes ticket 40041. + - When describing a relay in the logs, we now include its ed25519 + identity. Closes ticket 22668. + + o Minor features (onion services): + - Only overwrite an onion service's existing hostname file if its + contents are wrong. This enables read-only onion-service + directories. Resolves ticket 40062. Patch by Neel Chauhan. + + o Minor features (pluggable transports): + - Add an OutboundBindAddressPT option to allow users to specify + which IPv4 and IPv6 address pluggable transports should use for + outgoing IP packets. Tor does not have a way to enforce that the + pluggable transport honors this option, so each pluggable transport + needs to implement support on its own. Closes ticket 5304. + + o Minor features (protocol, proxy support, defense in depth): + - Respond more deliberately to misbehaving proxies that leave + leftover data on their connections, so as to make Tor even less + likely to allow the proxies to pass their data off as having come + from a relay. Closes ticket 40017. + + o Minor features (relay address tracking): + - We now store relay addresses for OR connections in a more logical + way. Previously we would sometimes overwrite the actual address of + a connection with a "canonical address", and then store the "real + address" elsewhere to remember it. We now track the "canonical + address" elsewhere for the cases where we need it, and leave the + connection's address alone. Closes ticket 33898. + + o Minor features (relay): + - If a relay is unable to discover its address, attempt to learn it + from the NETINFO cell. Closes ticket 40022. + - Log immediately when launching a relay self-check. Previously we + would try to log before launching checks, or approximately when we + intended to launch checks, but this tended to be error-prone. + Closes ticket 34137. + + o Minor features (relay, address discovery): + - If Address option is not found in torrc, attempt to learn our + address with the configured ORPort address if any. Closes + ticket 33236. + + o Minor features (relay, IPv6): + - Add an AssumeReachableIPv6 option to disable self-checking IPv6 + reachability. Closes part of ticket 33224. + - Add new "assume-reachable" and "assume-reachable-ipv6" consensus + parameters to be used in an emergency to tell relays that they + should publish even if they cannot complete their ORPort self- + checks. Closes ticket 34064 and part of 33224. + - Allow relays to send IPv6-only extend cells. Closes ticket 33222. + - Declare support for the Relay=3 subprotocol version. Closes + ticket 33226. + - When launching IPv6 ORPort self-test circuits, make sure that the + second-last hop can initiate an IPv6 extend. Closes ticket 33222. + + o Minor features (safety): + - Log a warning at startup if Tor is built with compile-time options + that are likely to make it less stable or reliable. Closes + ticket 18888. + + o Minor features (specification update): + - Several fields in microdescriptors, router descriptors, and + consensus documents that were formerly optional are now required. + Implements proposal 315; closes ticket 40132. + + o Minor features (state management): + - When loading the state file, remove entries from the statefile + that have been obsolete for a long time. Ordinarily Tor preserves + unrecognized entries in order to keep forward-compatibility, but + these entries have not actually been used in any release since + before 0.3.5.x. Closes ticket 40137. + + o Minor features (statistics, ipv6): + - Relays now publish IPv6-specific counts of single-direction versus + bidirectional relay connections. Closes ticket 33264. + - Relays now publish their IPv6 read and write statistics over time, + if statistics are enabled. Closes ticket 33263. + + o Minor features (subprotocol versions): + - Use the new limitations on subprotocol versions due to proposal + 318 to simplify our implementation. Part of ticket 40133. + + o Minor features (testing configuration): + - The TestingTorNetwork option no longer implicitly sets + AssumeReachable to 1. This change allows us to test relays' self- + testing mechanisms, and to test authorities' relay-testing + functionality. Closes ticket 34446. + + o Minor features (testing): + - Added unit tests for channel_matches_target_addr_for_extend(). + Closes Ticket 33919. Patch by MrSquanchee. + + o Minor bugfixes (circuit padding): + - When circpad_send_padding_cell_for_callback is called, + `is_padding_timer_scheduled` flag was not reset. Now it is set to + 0 at the top of that function. Fixes bug 32671; bugfix + on 0.4.0.1-alpha. + - Add a per-circuit padding machine instance counter, so we can + differentiate between shutdown requests for old machines on a + circuit. Fixes bug 30992; bugfix on 0.4.1.1-alpha. + - Add the ability to keep circuit padding machines if they match a + set of circuit states or purposes. This allows us to have machines + that start up under some conditions but don't shut down under + others. We now use this mask to avoid starting up introduction + circuit padding again after the machines have already completed. + Fixes bug 32040; bugfix on 0.4.1.1-alpha. + + o Minor bugfixes (circuit, handshake): + - In the v3 handshaking code, use connection_or_change_state() to + change the state. Previously, we changed the state directly, but + this did not pass the state change to the pubsub or channel + objects, potentially leading to bugs. Fixes bug 32880; bugfix on + 0.2.3.6-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (compilation): + - Change the linker flag ordering in our library search code so that + it works for compilers that need the libraries to be listed in the + right order. Fixes bug 33624; bugfix on 0.1.1.0-alpha. + - Fix the "--enable-static-tor" switch to properly set the "-static" + compile option onto the tor binary only. Fixes bug 40111; bugfix + on 0.2.3.1-alpha. + + o Minor bugfixes (configuration): + - Exit Tor on a misconfiguration when the Bridge line is configured + to use a transport but no corresponding ClientTransportPlugin can + be found. Prior to this fix, Tor would attempt to connect to the + bridge directly without using the transport, making it easier for + adversaries to notice the bridge. Fixes bug 25528; bugfix + on 0.2.6.1-alpha. + + o Minor bugfixes (control port): + - Make sure we send the SOCKS request address in relay begin cells + when a stream is attached with the purpose + CIRCUIT_PURPOSE_CONTROLLER. Fixes bug 33124; bugfix on 0.0.5. + Patch by Neel Chauhan. + + o Minor bugfixes (crash, relay, signing key): + - Avoid assertion failures when we run Tor from the command line + with `--key-expiration sign`, but an ORPort is not set. Fixes bug + 40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (logging): + - Avoid a spurious log message about missing subprotocol versions, + when the consensus that we're reading from is older than the + current release. Previously we had made this message nonfatal, but + in practice, it is never relevant when the consensus is older than + the current release. Fixes bug 40281; bugfix on 0.4.0.1-alpha. + - Remove trailing whitespace from control event log messages. Fixes + bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by + Amadeusz Pawlik. + - Turn warning-level log message about SENDME failure into a debug- + level message. (This event can happen naturally, and is no reason + for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha. + - When logging a rate-limited message about how many messages have + been suppressed in the last N seconds, give an accurate value for + N, rounded up to the nearest minute. Previously we would report + the size of the rate-limiting interval, regardless of when the + messages started to occur. Fixes bug 19431; bugfix + on 0.2.2.16-alpha. + + o Minor bugfixes (onion services): + - Avoid a non-fatal assertion in certain edge-cases when + establishing a circuit to an onion service. Fixes bug 32666; + bugfix on 0.3.0.3-alpha. + + o Minor bugfixes (rust, protocol versions): + - Declare support for the onion service introduction point denial of + service extensions when building with Rust. Fixes bug 34248; + bugfix on 0.4.2.1-alpha. + - Make Rust protocol version support checks consistent with the + undocumented error behavior of the corresponding C code. Fixes bug + 34251; bugfix on 0.3.3.5-rc. + + o Minor bugfixes (self-testing): + - When receiving an incoming circuit, only accept it as evidence + that we are reachable if the declared address of its channel is + the same address we think that we have. Otherwise, it could be + evidence that we're reachable on some other address. Fixes bug + 20165; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (spec conformance): + - Use the correct key type when generating signing->link + certificates. Fixes bug 40124; bugfix on 0.2.7.2-alpha. + + o Minor bugfixes (subprotocol versions): + - Consistently reject extra commas, instead of only rejecting + leading commas. Fixes bug 27194; bugfix on 0.2.9.4-alpha. + - In summarize_protover_flags(), treat empty strings the same as + NULL. This prevents protocols_known from being set. Previously, we + treated empty strings as normal strings, which led to + protocols_known being set. Fixes bug 34232; bugfix on + 0.3.3.2-alpha. Patch by Neel Chauhan. + + o Code simplification and refactoring: + - Add and use a set of functions to perform down-casts on constant + connection and channel pointers. Closes ticket 40046. + - Refactor our code that logs descriptions of connections, channels, + and the peers on them, to use a single call path. This change + enables us to refactor the data types that they use, and eliminates + many confusing usages of those types. Closes ticket 40041. + - Refactor some common node selection code into a single function. + Closes ticket 34200. + - Remove the now-redundant 'outbuf_flushlen' field from our + connection type. It was previously used for an older version of + our rate-limiting logic. Closes ticket 33097. + - Rename "fascist_firewall_*" identifiers to "reachable_addr_*" + instead, for consistency with other code. Closes ticket 18106. + - Rename functions about "advertised" ports which are not in fact + guaranteed to return the ports that have been advertised. Closes + ticket 40055. + - Split implementation of several command line options from + options_init_from_torrc into smaller isolated functions. Patch by + Daniel Pinto. Closes ticket 40102. + - When an extend cell is missing an IPv4 or IPv6 address, fill in + the address from the extend info. This is similar to what was done + in ticket 33633 for ed25519 keys. Closes ticket 33816. Patch by + Neel Chauhan. + + o Deprecated features: + - The "non-builtin" argument to the "--dump-config" command is now + deprecated. When it works, it behaves the same as "short", which + you should use instead. Closes ticket 33398. + + o Documentation: + - Replace URLs from our old bugtracker so that they refer to the new + bugtracker and wiki. Closes ticket 40101. + + o Removed features: + - We no longer ship or build a "tor.service" file for use with + systemd. No distribution included this script unmodified, and we + don't have the expertise ourselves to maintain this in a way that + all the various systemd-based distributions can use. Closes + ticket 30797. + - We no longer ship support for the Android logging API. Modern + versions of Android can use the syslog API instead. Closes + ticket 32181. + - The "optimistic data" feature is now always on; there is no longer + an option to disable it from the torrc file or from the consensus + directory. Closes part of 40139. + - The "usecreatefast" network parameter is now removed; there is no + longer an option for authorities to turn it off. Closes part + of 40139. + + o Testing: + - Add unit tests for bandwidth statistics manipulation functions. + Closes ticket 33812. Patch by MrSquanchee. + + o Code simplification and refactoring (autoconf): + - Remove autoconf checks for unused funcs and headers. Closes ticket + 31699; Patch by @bduszel + + o Code simplification and refactoring (maintainer scripts): + - Disable by default the pre-commit hook. Use the environment + variable TOR_EXTRA_PRE_COMMIT_CHECKS in order to run it. + Furthermore, stop running practracker in the pre-commit hook and + make check-local. Closes ticket 40019. + + o Code simplification and refactoring (relay address): + - Most of IPv4 representation was using "uint32_t". It has now been + moved to use the internal "tor_addr_t" interface instead. This is + so we can properly integrate IPv6 along IPv4 with common + interfaces. Closes ticket 40043. + + o Documentation (manual page): + - Move them from doc/ to doc/man/. Closes ticket 40044. + - Describe the status of the "Sandbox" option more accurately. It is + no longer "experimental", but it _is_ dependent on kernel and libc + versions. Closes ticket 23378. + + o Documentation (tracing): + - Document in depth the circuit subsystem trace events in the new + doc/tracing/EventsCircuit.md. Closes ticket 40036. + + o Removed features (controller): + - Remove the "GETINFO network-status" controller command. It has + been deprecated since 0.3.1.1-alpha. Closes ticket 22473. + + Changes in version 0.4.4.6 - 2020-11-12 Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It backports fixes from later releases, including a fix for TROVE-2020- diff --git a/changes/40241 b/changes/40241 deleted file mode 100644 index c9b2e2c011..0000000000 --- a/changes/40241 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): - - Fix a compilation warning about unreachable fallthrough annotations - when building with "--enable-all-bugs-are-fatal" on some compilers. - Fixes bug 40241; bugfix on 0.3.5.4-alpha. diff --git a/changes/40241_v2 b/changes/40241_v2 deleted file mode 100644 index 85038297f7..0000000000 --- a/changes/40241_v2 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): - - Fix another warning about unreachable fallthrough annotations - when building with "--enable-all-bugs-are-fatal" on some compilers. - Fixes bug 40241; bugfix on 0.4.5.3-rc. diff --git a/changes/autoconf-2.70 b/changes/autoconf-2.70 deleted file mode 100644 index 27a9f243b1..0000000000 --- a/changes/autoconf-2.70 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (compilation): - - Make the autoconf script build correctly with autoconf versions 2.70 - and later. Closes part of ticket 40335. diff --git a/changes/bug24857 b/changes/bug24857 deleted file mode 100644 index ea9c763332..0000000000 --- a/changes/bug24857 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (directory cache, performance, windows): - - Limit the number of items in the consensus diff cache to 64 on Windows. - We hope this will resolve an issue where Windows relay operators reported - Tor using 100% CPU while we investigate better solutions. Fixes bug 24857; - bugfix on 0.3.1.1-alpha. - diff --git a/changes/bug30187 b/changes/bug30187 deleted file mode 100644 index 2a3358d6be..0000000000 --- a/changes/bug30187 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (relay, windows): - - Fix bug where running a relay on Windows would use 100% - CPU after some time. Makes Windows >= Vista the required - Windows version to build and run tor. Fixes bug 30187; - bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto. diff --git a/changes/bug32666 b/changes/bug32666 deleted file mode 100644 index d487b22148..0000000000 --- a/changes/bug32666 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (onion services): - - Avoid a non-fatal assertion in certain edge-cases when establishing a - circuit to onion service. Fixes bug 32666; bugfix on 0.3.0.3-alpha. diff --git a/changes/bug32880 b/changes/bug32880 deleted file mode 100644 index a25cabb7dc..0000000000 --- a/changes/bug32880 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (circuit, handshake): - - In the v3 handshaking code, Use connection_or_change_state() to change - the state. Previously, we changed the state directly, but this did not - pass a state change to the pubsub or channel object. Fixes bug 32880; - bugfix on 0.2.3.6-alpha. Patch by Neel Chauhan. diff --git a/changes/bug40015 b/changes/bug40015 deleted file mode 100644 index 1d190df751..0000000000 --- a/changes/bug40015 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (crash, relay, signing key): - - Avoid asserts when we run Tor from the command line with - `--key-expiration sign` when an ORPort is not set. Fixes - bug 40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan. diff --git a/changes/bug40017 b/changes/bug40017 deleted file mode 100644 index 3f5c2da968..0000000000 --- a/changes/bug40017 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (protocol, proxy support, defense in depth): - - Respond more deliberately to misbehaving proxies that leave leftover - data on their connections, so as to be even less likely as to allow - them to pass their data off as having come from a relay. - Closes ticket 40017. diff --git a/changes/bug40078 b/changes/bug40078 deleted file mode 100644 index 717309e076..0000000000 --- a/changes/bug40078 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfix (crypto): - - Disable the unused batch verification feature of ed25519-donna. Fixes - bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
\ No newline at end of file diff --git a/changes/bug40172 b/changes/bug40172 deleted file mode 100644 index a73fcb39a3..0000000000 --- a/changes/bug40172 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation): - - Fix a compilation issue in which the correct 'ranlib' program was not - used when building libtor.a. Fixes bug 40172; bugfix on 0.4.5.1-alpha. diff --git a/changes/bug40175 b/changes/bug40175 deleted file mode 100644 index aa2ce9566f..0000000000 --- a/changes/bug40175 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (logging, diagnostic): - - Log decompression failures at a higher severity level, since they - can help provide missing context for other warning messages. - We rate-limit these messages, to avoid flooding the logs if they - begin to occur frequently. Closes ticket 40175. diff --git a/changes/bug40177 b/changes/bug40177 deleted file mode 100644 index b08be64e47..0000000000 --- a/changes/bug40177 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation): - - Remove a duplicate typedef in metrics_store.c. Fixes bug 40177; - bugfix on 0.4.5.1-alpha. diff --git a/changes/bug40179_part1 b/changes/bug40179_part1 deleted file mode 100644 index c302373534..0000000000 --- a/changes/bug40179_part1 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (testing, portability): - - Fix our Python reference-implementation for the v3 onion service - handshake so that it works correctly with the version of hashlib provided - by Python 3.9. Fixes part of bug 40179; bugfix on 0.3.1.6-rc. diff --git a/changes/bug40179_part2 b/changes/bug40179_part2 deleted file mode 100644 index 15dc861321..0000000000 --- a/changes/bug40179_part2 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (testing): - - Fix the config/parse_tcp_proxy_line test so that it works correctly on - systems where the DNS provider hijacks invalid queries. - Fixes part of bug 40179; bugfix on 0.4.3.1-alpha. diff --git a/changes/bug40187 b/changes/bug40187 deleted file mode 100644 index 563e4b4d76..0000000000 --- a/changes/bug40187 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (testing): - - Fix unit tests that used newly generated list of routers so that they - check them with respect to the date when they were generated, not - with respect to the current time. Fixes bug 40187; bugfix on - 0.4.5.1-alpha. diff --git a/changes/bug40190 b/changes/bug40190 deleted file mode 100644 index 0f3d6941dc..0000000000 --- a/changes/bug40190 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (SOCKS5): - - Handle partial socks5 messages correctly. Previously, our code would - send an incorrect error message if it got a socks5 request that wasn't - complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug40210 b/changes/bug40210 deleted file mode 100644 index f492262a11..0000000000 --- a/changes/bug40210 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (crypto): - - Fix undefined behavior on our Keccak library. The bug only appears on - platforms with 32-byte CPU cache lines (e.g. armv5tel) and would result - in wrong digests. Fixes bug 40210; bugfix on 0.2.8.1-alpha. Thanks to - Bernhard Ãœbelacker, Arnd Bergmann and weasel for diagnosing this. diff --git a/changes/bug40238 b/changes/bug40238 deleted file mode 100644 index 35784a16bb..0000000000 --- a/changes/bug40238 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (logging): - - Reject obsolete router/extrainfo descs earlier and more quietly. - Fixes bug 40238; bugfix on 0.4.5.1-alpha.
\ No newline at end of file diff --git a/changes/bug40256_045 b/changes/bug40256_045 deleted file mode 100644 index 14e67659e0..0000000000 --- a/changes/bug40256_045 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (documentation): - - Fix a formatting error on the documentation for - VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha. diff --git a/changes/bug40281 b/changes/bug40281 deleted file mode 100644 index 0708039f04..0000000000 --- a/changes/bug40281 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (logging): - - Avoid a spurious log message about missing subprotocol versions, when - the consensus that we're reading from is older than the current - release. . Previously we had made this message nonfatal in this case, - but in practice, it is never relevant when the consensus is older than - the current release. Fixes bug 40281; bugfix on 0.4.0.1-alpha. diff --git a/changes/bug40285_045 b/changes/bug40285_045 deleted file mode 100644 index db4f73cde0..0000000000 --- a/changes/bug40285_045 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (controller): - - Fix a "BUG" warning that would appear when a controller chooses the - first hop for a circuit, and that circuit completes. Fixes - bug 40285; bugfix on 0.3.2.1-alpha. diff --git a/changes/bug40287 b/changes/bug40287 deleted file mode 100644 index 5a9c899d52..0000000000 --- a/changes/bug40287 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (directory authority): - - Now that exit relays don't allow exit connections to directory authority - DirPorts (network reentry), disable authorities' reachability self test - on the DirPort. Fixes bug 40287; bugfix on 0.4.5.5-rc. diff --git a/changes/bug40298 b/changes/bug40298 deleted file mode 100644 index 8b8b0bbc12..0000000000 --- a/changes/bug40298 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (portability): - - Fix a non-portable usage of "==" with "test" in the configure script. - Fixes bug 40298; bugfix on 0.4.5.1-alpha. diff --git a/changes/bug40315 b/changes/bug40315 deleted file mode 100644 index 9e9c740d96..0000000000 --- a/changes/bug40315 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (Linux, relay): - - Fix a bug in determining total available system memory that would have - been triggered if the format of /proc/meminfo had ever changed - to include "MemTotal:" in the middle of a line. Fixes bug 40315; - bugfix on 0.2.5.4-alpha. diff --git a/changes/bug40316 b/changes/bug40316 deleted file mode 100644 index cd275b5c9c..0000000000 --- a/changes/bug40316 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (security, denial of service): - - Fix a bug in appending detached signatures to a pending consensus - document that could be used to crash a directory authority. - Fixes bug 40316; bugfix on 0.2.2.6-alpha. Tracked as - TROVE-2021-002 and CVE-2021-28090. diff --git a/changes/bug40317 b/changes/bug40317 deleted file mode 100644 index 18ec499a51..0000000000 --- a/changes/bug40317 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (control, sandbox): - - Allows the control command SAVECONF to succeed when the seccomp - sandbox is enabled. Makes SAVECONF keep only one backup file to - simplify implementation. Fixes bug 40317; bugfix on 0.2.5.4-alpha. - Patch by Daniel Pinto. diff --git a/changes/bug40318 b/changes/bug40318 deleted file mode 100644 index cc02f08ca0..0000000000 --- a/changes/bug40318 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (configuration tests bsd): - - Fix glob processing errors when globs expand to invalid paths on - BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by - Daniel Pinto. diff --git a/changes/bug40371 b/changes/bug40371 deleted file mode 100644 index 8cc7117f9f..0000000000 --- a/changes/bug40371 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (compatibility): - - Fix compatibility with the most recent Libevent versions, which - no longer have an evdns_set_random_bytes() function. Because - this function has been a no-op since Libevent 2.0.4-alpha, - it is safe for us to just stop calling it. Fixes bug 40371; - bugfix on 0.2.1.7-alpha. diff --git a/changes/bug40375 b/changes/bug40375 deleted file mode 100644 index 7ac32bc628..0000000000 --- a/changes/bug40375 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (consensus handling): - - Avoid a set of bugs that could be caused by inconsistently preferring - an out-of-date consensus stored in a stale directory cache over - a more recent one stored on disk as the latest consensus. - Fixes bug 40375; bugfix on 0.3.1.1-alpha. diff --git a/changes/bug40380 b/changes/bug40380 deleted file mode 100644 index 24d2876b7d..0000000000 --- a/changes/bug40380 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compiler warnings): - - Fix an indentation problem that led to a warning from GCC 11.1.1. - Fixes bug 40380; bugfix on 0.3.0.1-alpha. diff --git a/changes/bug40383 b/changes/bug40383 deleted file mode 100644 index c4ca46fac7..0000000000 --- a/changes/bug40383 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (timekeeping): - - Calculate the time of day correctly on systems where the time_t - type includes leap seconds. (This is not the case on most - operating systems, but on those where it occurs, our tor_timegm - function did not correctly invert the system's gmtime function, - which could result in assertion failures when calculating - voting schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha. diff --git a/changes/bug40391 b/changes/bug40391 deleted file mode 100644 index e3c186275f..0000000000 --- a/changes/bug40391 +++ /dev/null @@ -1,9 +0,0 @@ - o Major bugfixes (security): - - Resist a hashtable-based CPU denial-of-service attack against - relays. Previously we used a naive unkeyed hash function to look up - circuits in a circuitmux object. An attacker could exploit this to - construct circuits with chosen circuit IDs in order to try to create - collisions and make the hash table inefficient. Now we use a SipHash - construction for this hash table instead. Fixes bug 40391; bugfix on - 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005. - Reported by Jann Horn from Google's Project Zero. diff --git a/changes/bug40392 b/changes/bug40392 deleted file mode 100644 index 4dffa50bb2..0000000000 --- a/changes/bug40392 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (security, denial of service, onion services): - - Fix an out-of-bounds memory access in v3 descriptor parsing. Fixes bug - 40392; bugfix on 0.3.0.1-alpha. This issue is also tracked as - TROVE-2021-006. Reported by Sergei Glazunov from Google's Project Zero.
\ No newline at end of file diff --git a/changes/bug40399 b/changes/bug40399 deleted file mode 100644 index 7954b85eaf..0000000000 --- a/changes/bug40399 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (compatibility): - - Remove an assertion function related to TLS renegotiation. - It was used nowhere outside the unit tests, and it was breaking - compilation with recent alpha releases of OpenSSL 3.0.0. - Closes ticket 40399. diff --git a/changes/bug40409 b/changes/bug40409 deleted file mode 100644 index b8d061be78..0000000000 --- a/changes/bug40409 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (warnings, portability): - - Suppress a strict-prototype warning when building with some versions - of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha. diff --git a/changes/bug40429 b/changes/bug40429 deleted file mode 100644 index 9bf3b63818..0000000000 --- a/changes/bug40429 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (compilation): - - Fix our configuration logic to detect whether we had OpenSSL 3: - previously, our logic was reversed. This has no other effect than to - change whether we suppress deprecated API warnings. Fixes - bug 40429; bugfix on 0.3.5.13. diff --git a/changes/bug40472 b/changes/bug40472 deleted file mode 100644 index d87c1dc2cc..0000000000 --- a/changes/bug40472 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (performance, DoS): - - Fix one case of a not-especially viable denial-of-service attack found - by OSS-Fuzz in our consensus-diff parsing code. This attack causes a - lot small of memory allocations and then immediately frees them: this - is only slow when running with all the sanitizers enabled. Fixes one - case of bug 40472; bugfix on 0.3.1.1-alpha. diff --git a/changes/bug40515 b/changes/bug40515 deleted file mode 100644 index d315e28411..0000000000 --- a/changes/bug40515 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (controller, path bias): - - When a circuit's path is specified, in full or in part, from the - controller API, do not count that circuit towards our path-bias - calculations. (Doing so was incorrect, since we cannot tell whether - the controller is selecting relays randomly.) Resolves a "Bug" - warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha. diff --git a/changes/bug40563 b/changes/bug40563 deleted file mode 100644 index e7a3deec6d..0000000000 --- a/changes/bug40563 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (relay): - - When opening a channel because of a circuit request that did not - include an Ed25519 identity, record the Ed25519 identity that we - actually received, so that we can use the channel for other circuit - requests that _do_ list an Ed25519 identity. - (Previously we had code to record this identity, but a logic bug - caused it to be disabled.) Fixes bug 40563; bugfix on 0.3.0.1-alpha. - Patch from "cypherpunks". diff --git a/changes/bug40645 b/changes/bug40645 deleted file mode 100644 index 044d5b67d2..0000000000 --- a/changes/bug40645 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (defense in depth): - - Change a test in the netflow padding code to make it more - _obviously_ safe against remotely triggered crashes. - (It was safe against these before, but not obviously so.) - Fixes bug 40645; bugfix on 0.3.1.1-alpha. diff --git a/changes/bug40684 b/changes/bug40684 deleted file mode 100644 index 8c751ede2c..0000000000 --- a/changes/bug40684 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (OSX): - - Fix coarse-time computation on Apple platforms (like Mac M1) where - the Mach absolute time ticks do not correspond directly to - nanoseconds. Previously, we computed our shift value wrong, which - led us to give incorrect timing results. - Fixes bug 40684; bugfix on 0.3.3.1-alpha. diff --git a/changes/clone3-sandbox b/changes/clone3-sandbox deleted file mode 100644 index dac8fe72da..0000000000 --- a/changes/clone3-sandbox +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (linux seccomp2 sandbox): - - Permit the clone3 syscall, which is apparently used in glibc-2.34 and - later. Closes ticket 40590. diff --git a/changes/fallbackdirs-2021-12-15 b/changes/fallbackdirs-2021-12-15 deleted file mode 100644 index ce08cef5cb..0000000000 --- a/changes/fallbackdirs-2021-12-15 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories generated on December 15, 2021. diff --git a/changes/fallbackdirs-2022-02-04 b/changes/fallbackdirs-2022-02-04 deleted file mode 100644 index 3d4ec28fe9..0000000000 --- a/changes/fallbackdirs-2022-02-04 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories generated on February 04, 2022. diff --git a/changes/fallbackdirs-2022-08-11 b/changes/fallbackdirs-2022-08-11 deleted file mode 100644 index 21200700ad..0000000000 --- a/changes/fallbackdirs-2022-08-11 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories generated on August 11, 2022. diff --git a/changes/fallbackdirs-2022-12-06 b/changes/fallbackdirs-2022-12-06 deleted file mode 100644 index 17daf63f53..0000000000 --- a/changes/fallbackdirs-2022-12-06 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories generated on December 06, 2022. diff --git a/changes/fallbackdirs-2023-01-12 b/changes/fallbackdirs-2023-01-12 deleted file mode 100644 index e3788a16ae..0000000000 --- a/changes/fallbackdirs-2023-01-12 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories generated on January 12, 2023. diff --git a/changes/geoip-2021-03-12 b/changes/geoip-2021-03-12 deleted file mode 100644 index 01c1b0f162..0000000000 --- a/changes/geoip-2021-03-12 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor features (geoip data): - - We have switched geoip data sources. Previously we shipped - IP-to-country mappings from Maxmind's GeoLite2, but in 2019 they - changed their licensing term, so we were unable to update them after - that point. We now ship geoip files based on the IPFire Location - Database instead. (See https://location.ipfire.org/ for more - information). This release updates our geoip files to match the - IPFire Location Database as retrieved on 2021/03/12. Closes - ticket 40224. diff --git a/changes/geoip-2021-04-13 b/changes/geoip-2021-04-13 deleted file mode 100644 index db21a1c037..0000000000 --- a/changes/geoip-2021-04-13 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/04/13. diff --git a/changes/geoip-2021-05-07 b/changes/geoip-2021-05-07 deleted file mode 100644 index 07bf12c4d8..0000000000 --- a/changes/geoip-2021-05-07 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/05/07. diff --git a/changes/geoip-2021-06-10 b/changes/geoip-2021-06-10 deleted file mode 100644 index 2b798012c8..0000000000 --- a/changes/geoip-2021-06-10 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/06/10. diff --git a/changes/geoip-2021-08-12 b/changes/geoip-2021-08-12 deleted file mode 100644 index 59afcc5bb7..0000000000 --- a/changes/geoip-2021-08-12 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/08/12. diff --git a/changes/geoip-2021-12-15 b/changes/geoip-2021-12-15 deleted file mode 100644 index 5123557138..0000000000 --- a/changes/geoip-2021-12-15 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2021/12/15. diff --git a/changes/geoip-2022-02-04 b/changes/geoip-2022-02-04 deleted file mode 100644 index 41921da85f..0000000000 --- a/changes/geoip-2022-02-04 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2022/02/04. diff --git a/changes/geoip-2022-08-11 b/changes/geoip-2022-08-11 deleted file mode 100644 index aad2392f1f..0000000000 --- a/changes/geoip-2022-08-11 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2022/08/11. diff --git a/changes/geoip-2022-08-12 b/changes/geoip-2022-08-12 deleted file mode 100644 index e8f282db01..0000000000 --- a/changes/geoip-2022-08-12 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (geoip data): - - IPFire informed us on August 12th that databases generated after - (including) August 10th did not have proper ARIN network allocations. We - are updating the database to use the one generated on August 9th, 2022. - Fixes bug 40658; bugfix on 0.4.5.13. diff --git a/changes/geoip-2022-12-06 b/changes/geoip-2022-12-06 deleted file mode 100644 index f96e833e63..0000000000 --- a/changes/geoip-2022-12-06 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2022/12/06. diff --git a/changes/geoip-2023-01-12 b/changes/geoip-2023-01-12 deleted file mode 100644 index 8378d34fbf..0000000000 --- a/changes/geoip-2023-01-12 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (geoip data): - - Update the geoip files to match the IPFire Location Database, - as retrieved on 2023/01/12. diff --git a/changes/ticket18888 b/changes/ticket18888 deleted file mode 100644 index 279eab76ad..0000000000 --- a/changes/ticket18888 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (safety): - - Log a warning at startup if Tor is built with compile-time options that - are likely to make it less stable or reliable. Closes ticket 18888. diff --git a/changes/ticket22473 b/changes/ticket22473 deleted file mode 100644 index c7496f9da7..0000000000 --- a/changes/ticket22473 +++ /dev/null @@ -1,3 +0,0 @@ - o Removed features (controller): - - Remove the "GETINFO network-status" controller command. It has - been deprecated since 0.3.1.1-alpha. Closes ticket 22473. diff --git a/changes/ticket25528 b/changes/ticket25528 deleted file mode 100644 index cfc6c91fb7..0000000000 --- a/changes/ticket25528 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (client, bridge, configuration): - - Exit tor on a misconfiguration when the Bridge line has a transport but - no corresponding ClientTransportPlugin can be found. Prior to this fix, - tor would attempt to connect to the bridge directly without using the - transport leading to a possible leak on the wire. Fixes bug 25528; - bugfix on 0.2.6.1-alpha. diff --git a/changes/ticket26299 b/changes/ticket26299 deleted file mode 100644 index 6b08adf53c..0000000000 --- a/changes/ticket26299 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor feature (reproducible build): - - The repository can now build reproducible tarballs which adds the build - command "make dist-reprod" for that purpose. Closes ticket 26299. diff --git a/changes/ticket2667 b/changes/ticket2667 deleted file mode 100644 index cc42286ef9..0000000000 --- a/changes/ticket2667 +++ /dev/null @@ -1,4 +0,0 @@ - o Major feature (exit): - - Re-entry into the network is now denied at the Exit level to all relays' - ORPort and authorities' ORPort+DirPort. This is to help mitigate a series - of attacks. See ticket for more information. Closes ticket 2667. diff --git a/changes/ticket30477 b/changes/ticket30477 deleted file mode 100644 index 379fc4e7eb..0000000000 --- a/changes/ticket30477 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (bridge): - - We now announce the URL to Tor's new bridge status at - https://bridges.torproject.org/ when Tor is configured to run as a bridge - relay. Closes ticket 30477. diff --git a/changes/ticket32178 b/changes/ticket32178 deleted file mode 100644 index c13e490cb0..0000000000 --- a/changes/ticket32178 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (logging): - - Remove trailing whitespaces from control event log messages. Fixes bug - 32178; bugfix on 0.1.1.1-alpha. Based on a patch by Amadeusz Pawlik. diff --git a/changes/ticket33624 b/changes/ticket33624 deleted file mode 100644 index eded3b4dee..0000000000 --- a/changes/ticket33624 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (configure, static build): - - Change our search library configure macro linker flag order so it works - for certain compilers that need the right order. Fixes bug 33624; bugfix - on 0.1.1.0-alpha. - diff --git a/changes/ticket40071 b/changes/ticket40071 deleted file mode 100644 index 1e294a68e7..0000000000 --- a/changes/ticket40071 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (relay, address): - - Don't trigger an IP change if no new valid IP can be found. Fixes bug - 40071; bugfix on 0.4.5.1-alpha. - - When attempting to discover our IP, don't launch a descriptor fetch - anymore but rather a simple test circuit since the address discovery is - through the NETINFO cell now from the authorities. Fixes bug 40071; bugfix - on 0.4.5.1-alpha. diff --git a/changes/ticket40106 b/changes/ticket40106 deleted file mode 100644 index 3f344d478f..0000000000 --- a/changes/ticket40106 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (config, bridge): - - Don't initiate a connection to a bridge without a corresponding - transport. Fixes bug 40106; bugfix on 0.4.5.1-alpha. - - This also reverts an earlier fix we did for this that would validate - configuration to avoid such situation but turns out it wouldn't work for - a DisableNetwork thus the new approach. diff --git a/changes/ticket40111 b/changes/ticket40111 deleted file mode 100644 index a82ca0d489..0000000000 --- a/changes/ticket40111 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (configure, build): - - Fix the --enable-static-tor switch to properly set the -static compile - option onto the tor binary only. Fixes bug 40111; bugfix on - 0.2.3.1-alpha. - - Path to static libevent has been fixed as well which affects the - --enable-static-libevent to behave correctly now. The .a file is in - .libs/ of libevent repository, not at the root. diff --git a/changes/ticket40142 b/changes/ticket40142 deleted file mode 100644 index 25a96b3df3..0000000000 --- a/changes/ticket40142 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (logging, flow control): - - Turn a SENDME failure log warning into a debug. It can actually happen - naturally. Fixes bug 40142; bugfix on 0.4.1.1-alpha. diff --git a/changes/ticket40165 b/changes/ticket40165 deleted file mode 100644 index a8dd0a339b..0000000000 --- a/changes/ticket40165 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (compilation): - - Disable deprecation warnings when building with OpenSSL 3.0.0 or later. - There are a number of newly deprecated APIs in OpenSSL 3.0.0 that Tor - still requires. (A later version of Tor will try to stop depending on - these.) Closes ticket 40165. diff --git a/changes/ticket40170 b/changes/ticket40170 deleted file mode 100644 index cc1c8dbad1..0000000000 --- a/changes/ticket40170 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (tests): - - Fix the "tortls/openssl/log_one_error" test to work with OpenSSL 3.0.0. - Fixes bug 40170; bugfix on 0.2.8.1-alpha. diff --git a/changes/ticket40174 b/changes/ticket40174 deleted file mode 100644 index 869a2756f4..0000000000 --- a/changes/ticket40174 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (configure, build): - - With USDT tracing enabled, if STAP_PROBEV() is missing, don't attempt to - build. Linux supports that macro but not the BSDs. Fixes bug 40174; bugfix - on 0.4.5.1-alpha. diff --git a/changes/ticket40183 b/changes/ticket40183 deleted file mode 100644 index 3c4bdf21e2..0000000000 --- a/changes/ticket40183 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (port configuration): - - Second non ORPort of a different family (ex: SocksPort [::1]:9050) was - ignored due to a logical configuration parsing error. Fixes bug 40183; - bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40188 b/changes/ticket40188 deleted file mode 100644 index e29b2a9438..0000000000 --- a/changes/ticket40188 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (documentation): - - Mention the !badexit directive that can appear in an authority's - approved-routers file, and update the description of the !invalid - directive. Closes ticket 40188. diff --git a/changes/ticket40195 b/changes/ticket40195 deleted file mode 100644 index caa0bace94..0000000000 --- a/changes/ticket40195 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (configuration, ports): - - Fix an issue where an ORPort was validated against other type of ports - when it should have been only checked against other ORPorts. This lead to - "DirPort auto" to be ignored and failing to be used. Fixes bug 40195; - bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40201 b/changes/ticket40201 deleted file mode 100644 index cdf8d99172..0000000000 --- a/changes/ticket40201 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (logging, relay): - - Logs the address discovered by the directory authorities if none were - configured or detected before. Fixes bug 40201; bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40205 b/changes/ticket40205 deleted file mode 100644 index e21c7fab7c..0000000000 --- a/changes/ticket40205 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (relay, logging, reachability): - - When launching bandwidth testing circuit, don't log notice that we are - doing a reachability test. Furthermore, avoid to trigger a - "CHECKING_REACHABILITY" control event. Fixes bug 40205; bugfix on - 0.4.5.1-alpha. diff --git a/changes/ticket40208 b/changes/ticket40208 deleted file mode 100644 index 5a3a1aa55e..0000000000 --- a/changes/ticket40208 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (relay): - - Allow relays to have a RFC1918 address if PublishServerDescriptor is set - to 0 and AssumeReachable is set to 1. This is to support the use case of a - bridge on a local network that can be used by restricted users on that - network to reach the Tor network. Fixes bug 40208; bugfix on - 0.4.5.1-alpha. diff --git a/changes/ticket40221_045 b/changes/ticket40221_045 deleted file mode 100644 index 0f3ab894c2..0000000000 --- a/changes/ticket40221_045 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (protocol versions): - - Stop claiming to support the "DirCache=1" subprotocol version. - Technically, we stopped supporting this subprotocol back in - 0.4.5.1-alpha, but we needed to wait for the authorities to stop - listing it as "required" before we can drop support. Closes ticket - 40221. diff --git a/changes/ticket40226 b/changes/ticket40226 deleted file mode 100644 index 4775438f63..0000000000 --- a/changes/ticket40226 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (relay, statistics): - - The connection statistics were wrongly exported in the extrainfo document - due to a problem in the file loading function which would wrongly truncate - the file reporting the wrong information. It is now fixed. Fixes bug - 40226; bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40227 b/changes/ticket40227 deleted file mode 100644 index e5efad0f95..0000000000 --- a/changes/ticket40227 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor feature (build system): - - New "make lsp" command to auto generate the compile_commands.json file - used by the ccls server. The "bear" program is needed for this. Closes - ticket 40227. diff --git a/changes/ticket40231 b/changes/ticket40231 deleted file mode 100644 index a5ba598fd1..0000000000 --- a/changes/ticket40231 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (relay): - - If we were unable to build our descriptor, don't mark that we've - advertised our descriptor. Also remove an harmless BUG(). Fixes bug 40231; - bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40237 b/changes/ticket40237 deleted file mode 100644 index fc32f59cd4..0000000000 --- a/changes/ticket40237 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (onion service v3): - - Stop requiring a live consensus for v3 clients and services to work. The - use of a reasonably live consensus will allow v3 to work properly in most - cases if the network failed to generate a consensus for more than 2 hours - in a row. Fixes bug 40237; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket40243 b/changes/ticket40243 deleted file mode 100644 index 548ec95ab4..0000000000 --- a/changes/ticket40243 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (authority, IPv6): - - Do not consider multiple relays in the same IPv6 network to be sybils. - Sybils are selected based on the /128 now, not the /64. Fixes bug 40243; - bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40245 b/changes/ticket40245 deleted file mode 100644 index 641372333e..0000000000 --- a/changes/ticket40245 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (logging): - - Give more visibility to directory authority operators during the - consensus voting process and while processing relay descriptors. - Closes ticket 40245. diff --git a/changes/ticket40254 b/changes/ticket40254 deleted file mode 100644 index 9945e3d3b8..0000000000 --- a/changes/ticket40254 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (relay, configuration): - - Don't attempt to discover address (IPv4 or IPv6) if no ORPort for it can - be found in the configuration. Fixes bug 40254; bugfix on 0.4.5.1-alpha. - diff --git a/changes/ticket40257 b/changes/ticket40257 deleted file mode 100644 index 4bcebc45a1..0000000000 --- a/changes/ticket40257 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (metrics port): - - Fix a bug warning when the socket was unexpectedly closed. Fixes bug - 40257; bugfix on 0.4.5.1-alpha diff --git a/changes/ticket40265 b/changes/ticket40265 deleted file mode 100644 index 2a346d64c3..0000000000 --- a/changes/ticket40265 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor feature (fallback directory): - - Renegerate the list to a new set of 200 relays acting as fallback - directories. Closes ticket 40265. diff --git a/changes/ticket40279 b/changes/ticket40279 deleted file mode 100644 index 351db40789..0000000000 --- a/changes/ticket40279 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (IPv6, relay): - - Fix a bug that prevented a relay to publish its descriptor in the case of - an auto-discovered IPv6 that was found unreachable for which we always - publish if the IPv4 is correct. Fixes bug 40279; bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40286_minimal b/changes/ticket40286_minimal deleted file mode 100644 index 6a04ca79eb..0000000000 --- a/changes/ticket40286_minimal +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (security, denial of service): - - Disable the dump_desc() function that we used to dump unparseable - information to disk. It was called incorrectly in several places, - in a way that could lead to excessive CPU usage. Fixes bug 40286; - bugfix on 0.2.2.1-alpha. This bug is also tracked as - TROVE-2021-001 and CVE-2021-28089. diff --git a/changes/ticket40289 b/changes/ticket40289 deleted file mode 100644 index cdb36825b0..0000000000 --- a/changes/ticket40289 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (relay, config): - - Fix a problem in the removal of duplicate ORPort from the internal port - list when loading config file. We were removing wrong ports breaking valid - torrc uses cases for multiple ORPorts of the same address family. Fixes - bug 40289; bugfix on 0.4.5.1-alpha. - diff --git a/changes/ticket40295 b/changes/ticket40295 deleted file mode 100644 index e6dba80120..0000000000 --- a/changes/ticket40295 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (metrics port): - - Fix a BUG() on the MetricsPort for an internal missing handler. Fixes bug - 40295; bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40300 b/changes/ticket40300 deleted file mode 100644 index b772ff60a4..0000000000 --- a/changes/ticket40300 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes (relay): - - Remove a spammy log notice that should not have been indicating the - operator that its IPv4/v6 was missing but it was not. Fixes bug 40300; - bugfix on 0.4.5.1-alpha. - - Do not query the address cache early in the boot process when deciding - if we a relay needs to fetch early directory information from an - authority. This resulted in a relay falsely believing it didn't have an - address and thus triggering an authority fetch at each boot. diff --git a/changes/ticket40301 b/changes/ticket40301 deleted file mode 100644 index c1fd821e3f..0000000000 --- a/changes/ticket40301 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (relay): - - Reduce the compression level for data streaming from HIGH to LOW. Fixes - bug 40301; bugfix on 0.3.5.1-alpha. - diff --git a/changes/ticket40309 b/changes/ticket40309 deleted file mode 100644 index 087ac36a4f..0000000000 --- a/changes/ticket40309 +++ /dev/null @@ -1,3 +0,0 @@ - o New system requirements (mallinfo() deprecated): - - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it. Closes - ticket 40309. diff --git a/changes/ticket40334 b/changes/ticket40334 deleted file mode 100644 index c1c34384a0..0000000000 --- a/changes/ticket40334 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (onion service): - - Remove a harmless BUG() warning when reloading tor configured with onion - services. Fixes bug 40334; bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40337 b/changes/ticket40337 deleted file mode 100644 index 1c86fc4c99..0000000000 --- a/changes/ticket40337 +++ /dev/null @@ -1,16 +0,0 @@ - o Minor features (testing): - - On a testing network, relays can now use the - TestingMinTimeToReportBandwidth option to change - the smallest amount of time over which they're willing to report - their observed maximum bandwidth. Previously, this was fixed - at 1 day. For safety, values under 2 hours are only supported on - testing networks. Part of a fix for ticket 40337. - - o Minor features (testing): - - Relays on testing networks now report their observed bandwidths - immediately from startup. Previously, they waited - until they had been running for a full day. Closes ticket - 40337. - - Relays on testing networks no longer rate-limit how frequently - they are willing to report new bandwidth measurements. Part of a fix - for ticket 40337. diff --git a/changes/ticket40345 b/changes/ticket40345 deleted file mode 100644 index 246e4a86af..0000000000 --- a/changes/ticket40345 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (channel, DoS): - - Fix a possible non fatal assertion BUG() due to a too early free of a - string when noting down the client connection for the DoS defenses - subsystem. Fixes bug 40345; bugfix on 0.4.3.4-rc - diff --git a/changes/ticket40356 b/changes/ticket40356 deleted file mode 100644 index 59c32ce0cc..0000000000 --- a/changes/ticket40356 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfix (onion service, client, memory leak): - - An expired cached descriptor could have been overwritten with a new one - leading to a memory leak. Fixes bug 40356; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket40360 b/changes/ticket40360 deleted file mode 100644 index 4a1b2c3446..0000000000 --- a/changes/ticket40360 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (bridge, pluggable transport): - - Fix a regression that prevented to configure a Bridge line without a - fingerprint (which is a normal use case). Fixes bug 40360; bugfix on - 0.4.5.4-rc. - diff --git a/changes/ticket40369 b/changes/ticket40369 deleted file mode 100644 index abb59a7125..0000000000 --- a/changes/ticket40369 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (build, cross-compilation): - - Allow a custom "ar" for cross-compilation. Our previous build script - had used the $AR environment variable in most places, but it missed - one. Fixes bug 40369; bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40370 b/changes/ticket40370 deleted file mode 100644 index fcdb0eb173..0000000000 --- a/changes/ticket40370 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfix (metrics port): - - Fix a bug that made tor try to re-bind() every 60 seconds on an already - open MetricsPort. Fixes bug 40370; bugfix on 0.4.5.1-alpha. - diff --git a/changes/ticket40373 b/changes/ticket40373 deleted file mode 100644 index e2ea297bc2..0000000000 --- a/changes/ticket40373 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (onion services): - - Add warning message when connecting to soon-to-be-deprecated v2 onions. - Closes ticket 40373. diff --git a/changes/ticket40382 b/changes/ticket40382 deleted file mode 100644 index 5ac1b771b9..0000000000 --- a/changes/ticket40382 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (compatibility, Linux seccomp sandbox): - - Add a workaround to enable the Linux sandbox to work correctly - on systems running Glibc 2.33. These versions have started - using the fstatat() system call, which previously our sandbox did not - allow. - Closes ticket 40382; see the ticket for a discussion of tradeoffs. diff --git a/changes/ticket40389 b/changes/ticket40389 deleted file mode 100644 index 7dcf65b32e..0000000000 --- a/changes/ticket40389 +++ /dev/null @@ -1,3 +0,0 @@ - o Major bugfixes (relay, TROVE): - - Don't allow entry or middle relays to spoof RELAY_END or RELAY_RESOLVED - cell on half-closed streams. Fixes bug 40389; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket40390 b/changes/ticket40390 deleted file mode 100644 index b56fa4d9da..0000000000 --- a/changes/ticket40390 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (security, defense-in-depth): - - Detect a wider variety of failure conditions from the OpenSSL RNG - code. Previously, we would detect errors from a missing RNG - implementation, but not failures from the RNG code itself. - Fortunately, it appears those failures do not happen in practice - when Tor is using OpenSSL's default RNG implementation. - Fixes bug 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as - TROVE-2021-004. Reported by Jann Horn at Google's Project Zero. diff --git a/changes/ticket40410 b/changes/ticket40410 deleted file mode 100644 index 658e0683c7..0000000000 --- a/changes/ticket40410 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (compilation): - - Fix a compilation error when trying to build Tor with a compiler that - does not support expanding statitically initialized const values in - macro's. Fixes bug 40410; bugfix on 0.4.5.1-alpha diff --git a/changes/ticket40419 b/changes/ticket40419 deleted file mode 100644 index 0004329662..0000000000 --- a/changes/ticket40419 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features (testing): - - Enable the deterministic RNG for unit tests that covers the address set - bloomfilter-based API's. Fixes bug 40419; bugfix on 0.3.3.2-alpha. diff --git a/changes/ticket40434 b/changes/ticket40434 deleted file mode 100644 index 988bb416be..0000000000 --- a/changes/ticket40434 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfix (onion service): - - Do not flag an HSDir as non-running in case the descriptor upload or - fetch fails. An onion service closes pending directory connections - before uploading a new descriptor which can thus lead to wrongly - flagging many relays and thus affecting circuit building path selection. - Fixes bug 40434; bugfix on 0.2.0.13-alpha. diff --git a/changes/ticket40447 b/changes/ticket40447 deleted file mode 100644 index d1be646a7d..0000000000 --- a/changes/ticket40447 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor feature (fallbackdir): - - Regenerate fallback directories list. Close ticket 40447. diff --git a/changes/ticket40474 b/changes/ticket40474 deleted file mode 100644 index d2a7231106..0000000000 --- a/changes/ticket40474 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (onion service, TROVE-2021-008): - - Only log once any v2 access attempts in order to not pollute the logs - with warnings and avoid recording the times on disk when v2 access was - attempted. Important to note that the onion address was _never_ logged. - That is a Low security issue. Fixes bug 40474; bugfix on 0.4.5.8. diff --git a/changes/ticket40476 b/changes/ticket40476 deleted file mode 100644 index 062e36f9bc..0000000000 --- a/changes/ticket40476 +++ /dev/null @@ -1,8 +0,0 @@ - o Major feature (onion service v2): - - Tor does NOT allow anymore to create v2 services, to connect as a client - to a v2 service and for a relay to be a v2 HSDir or introduction point. - This effectively disable onion service version 2 tor wide. Closes 40476. - - The control port command HSFETCH and HSPOST don't allow version 2 as well. - It is also not possible to create a v2 service with ADD_ONION. - - See https://blog.torproject.org/v2-deprecation-timeline for details on - how to transition from v2 to v3. diff --git a/changes/ticket40493 b/changes/ticket40493 deleted file mode 100644 index eb9baf916b..0000000000 --- a/changes/ticket40493 +++ /dev/null @@ -1,2 +0,0 @@ - o Minor features (fallbackdir): - - Regenerate fallback directories for October 2021. Close ticket 40493. diff --git a/changes/ticket40494 b/changes/ticket40494 deleted file mode 100644 index a0e6c38443..0000000000 --- a/changes/ticket40494 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (relay): - - Reject IPv6-only DirPorts. Our reachability self-test forces DirPorts to - be IPv4, but our configuration parser allowed them to be IPv6-only, - which led to an assertion failure. Fixes bug 40494; bugfix on - 0.4.5.1-alpha. diff --git a/changes/ticket40500 b/changes/ticket40500 deleted file mode 100644 index 2e5ff39761..0000000000 --- a/changes/ticket40500 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfix (CI, onion service): - - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500; - bugfix on 0.3.2.1-alpha. diff --git a/changes/ticket40509 b/changes/ticket40509 deleted file mode 100644 index ba4502ff3b..0000000000 --- a/changes/ticket40509 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfix (relay): - - Remove the HSDir and HSIntro onion service v2 protocol versions so relay - stop advertising that they support them. Fixes bug 40509; bugfix on - 0.3.5.17. diff --git a/changes/ticket40511 b/changes/ticket40511 deleted file mode 100644 index 756edd874d..0000000000 --- a/changes/ticket40511 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (compilation): - - Give an error message if trying to build with a version of LibreSSL - known not to work with Tor. (There's an incompatibility with - LibreSSL versions 3.2.1 through 3.4.0 inclusive because of their - incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.) - Closes ticket 40511. diff --git a/changes/ticket40544 b/changes/ticket40544 deleted file mode 100644 index b0754f0fd4..0000000000 --- a/changes/ticket40544 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfix (logging): - - Update a log notice dead URL to a working one. Fixes bug 40544; bugfix on - 0.3.5.1-alpha. diff --git a/changes/ticket40552 b/changes/ticket40552 deleted file mode 100644 index 7811f3a743..0000000000 --- a/changes/ticket40552 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (MetricsPort, Prometheus): - - Add double quotes to the label values of the onion service metrics. Fixes - bug 40552; bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40579 b/changes/ticket40579 deleted file mode 100644 index e2558c1102..0000000000 --- a/changes/ticket40579 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (onion service, client): - - Fix a fatal assert due to a guard subsystem recursion triggered by the - onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket40581 b/changes/ticket40581 deleted file mode 100644 index 315215d8ed..0000000000 --- a/changes/ticket40581 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (metrics port, onion service): - - Fix the metrics with a port label to be unique. Before this, all ports of - an onion service would be on the same line which violates the Prometheus - rules of unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha. diff --git a/changes/ticket40601 b/changes/ticket40601 deleted file mode 100644 index 529e3badfe..0000000000 --- a/changes/ticket40601 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (linux seccomp2 sandbox): - - Allow the rseq system call in the sandbox. This solves a crash issue with - glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug 40601; bugfix on - 0.3.5.11. diff --git a/changes/ticket40604 b/changes/ticket40604 deleted file mode 100644 index ec24a46e66..0000000000 --- a/changes/ticket40604 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (relay): - - Remove OR connections btrack subsystem entries when the connections - closes normally. Before this, we would only close it on error and thus - leaking memory for each normal OR connections. Fixes bug 40604; bugfix - on 0.4.0.1-alpha. diff --git a/changes/ticket40623 b/changes/ticket40623 deleted file mode 100644 index d2a0e7eaad..0000000000 --- a/changes/ticket40623 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (relay): - - Stop sending TRUNCATED cell and instead close the circuits which sends a - DESTROY cell so every relay in the circuit path can stop queuing cells. - Fixes bug 40623; bugfix on 0.1.0.2-rc. diff --git a/changes/ticket40649 b/changes/ticket40649 deleted file mode 100644 index 28df58f106..0000000000 --- a/changes/ticket40649 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (relay): - - Do not propagate either forward or backward a DESTROY remote reason when - closing a circuit so to avoid a possible side channel. Fixes bug 40649; - bugfix on 0.1.2.4-alpha. diff --git a/changes/ticket40674 b/changes/ticket40674 deleted file mode 100644 index b371cafcf0..0000000000 --- a/changes/ticket40674 +++ /dev/null @@ -1,3 +0,0 @@ - o Major bugfixes (relay): - - Improve security of our DNS cache by randomly clipping the TTL value. - TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha. diff --git a/changes/ticket40687 b/changes/ticket40687 deleted file mode 100644 index e96119cf49..0000000000 --- a/changes/ticket40687 +++ /dev/null @@ -1,2 +0,0 @@ - o Directory authority changes (dizum): - - Change dizum IP address. Closes ticket 40687. diff --git a/changes/ticket40688 b/changes/ticket40688 deleted file mode 100644 index 79350cb836..0000000000 --- a/changes/ticket40688 +++ /dev/null @@ -1,3 +0,0 @@ - o Directory authority changes (Faravahar): - - Remove Faravahar until its operator, Sina, set it back up online outside - of Team Cymru network. Closes ticket 40688. diff --git a/changes/ticket40722 b/changes/ticket40722 deleted file mode 100644 index a9a9f520a9..0000000000 --- a/changes/ticket40722 +++ /dev/null @@ -1,5 +0,0 @@ - o Directory authority changes (moria1): - - Rotate the relay identity key and v3 identity key for moria1. They - have been online for more than a decade and refreshing keys - periodically is good practice. Advertise new ports too, to avoid - confusion. Closes ticket 40722. diff --git a/changes/ticket40730 b/changes/ticket40730 deleted file mode 100644 index f6d4c9de3b..0000000000 --- a/changes/ticket40730 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (TROVE-2022-002, client): - - The SafeSocks option had its logic inverted for SOCKS4 and SOCKS4a. It - would let the unsafe SOCKS4 pass but not the safe SOCKS4a one. This is - TROVE-2022-002 which was reported on Hackerone by "cojabo". Fixes bug - 40730; bugfix on 0.3.5.1-alpha. |