diff options
132 files changed, 1584 insertions, 671 deletions
@@ -1,3 +1,629 @@ +Changes in version 0.2.4.18-rc - 2013-10-?? + Tor 0.2.4.18-rc is the fourth release candidate for the Tor 0.2.4.x + series. [...] + + o Minor bugfixes: + - Always call circuit_n_chan_done(chan, 0) from channel_closed(), + so we can't leak pending circuits in some cases where + run_connection_housekeeping() calls connection_or_close_normally(). + Fixes bug 9776; bugfix on 0.2.4.17. + + o Minor features: + - Clients no longer send timestamps in their NETINFO cells. These were + not used for anything, and they provided one small way for clients + to be distinguished from each other as they moved from network to + network or behind NAT. Implements part of proposal 222. + - Clients now round timestamps in INTRODUCE cells down to the nearest + 10 minutes. If a new Support022HiddenServices option is set to 0, or + if it's set to "auto" and the feature is disabled in the consensus, + the timestamp is sent as 0 instead. Implements part of proposal 222. + - Stop sending timestamps in AUTHENTICATE cells. This is not such + a big deal from a security point of view, but it achieves no actual + good purpose, and isn't needed. Implements part of proposal 222. + - Reduce down accuracy of timestamps in hidden service descriptors. + Implements part of proposal 222. + - Update to the September 4 2013 Maxmind GeoLite Country database. + + +Changes in version 0.2.4.17-rc - 2013-09-05 + Tor 0.2.4.17-rc is the third release candidate for the Tor 0.2.4.x + series. It adds an emergency step to help us tolerate the massive + influx of users: 0.2.4 clients using the new (faster and safer) "NTor" + circuit-level handshakes now effectively jump the queue compared to + the 0.2.3 clients using "TAP" handshakes. This release also fixes a + big bug hindering bridge reachability tests. + + o Major features: + - Relays now process the new "NTor" circuit-level handshake requests + with higher priority than the old "TAP" circuit-level handshake + requests. We still process some TAP requests to not totally starve + 0.2.3 clients when NTor becomes popular. A new consensus parameter + "NumNTorsPerTAP" lets us tune the balance later if we need to. + Implements ticket 9574. + + o Major bugfixes: + - If the circuit build timeout logic is disabled (via the consensus, + or because we are an authority), then don't build testing circuits. + Fixes bug 9657; bugfix on 0.2.2.14-alpha. + - Bridges now send AUTH_CHALLENGE cells during their v3 handshakes; + previously they did not, which prevented them from receiving + successful connections from relays for self-test or bandwidth + testing. Also, when a relay is extending a circuit to a bridge, + it needs to send a NETINFO cell, even when the bridge hasn't sent + an AUTH_CHALLENGE cell. Fixes bug 9546; bugfix on 0.2.3.6-alpha. + - If the time to download the next old-style networkstatus is in + the future, do not decline to consider whether to download the + next microdescriptor networkstatus. Fixes bug 9564; bugfix on + 0.2.3.14-alpha. + + o Minor bugfixes: + - Avoid double-closing the listener socket in our socketpair() + replacement (used on Windows) in the case where the addresses on + our opened sockets don't match what we expected. Fixes bug 9400; + bugfix on 0.0.2pre7. Found by Coverity. + + o Minor fixes (config options): + - Avoid overflows when the user sets MaxCircuitDirtiness to a + ridiculously high value, by imposing a (ridiculously high) 30-day + maximum on MaxCircuitDirtiness. + - Fix the documentation of HeartbeatPeriod to say that the heartbeat + message is logged at notice, not at info. + - Warn and fail if a server is configured not to advertise any + ORPorts at all. (We need *something* to put in our descriptor, + or we just won't work.) + + o Minor features: + - Track how many "TAP" and "NTor" circuit handshake requests we get, + and how many we complete, and log it every hour to help relay + operators follow trends in network load. Addresses ticket 9658. + - Update to the August 7 2013 Maxmind GeoLite Country database. + + +Changes in version 0.2.4.16-rc - 2013-08-10 + Tor 0.2.4.16-rc is the second release candidate for the Tor 0.2.4.x + series. It fixes several crash bugs in the 0.2.4 branch. + + o Major bugfixes: + - Fix a bug in the voting algorithm that could yield incorrect results + when a non-naming authority declared too many flags. Fixes bug 9200; + bugfix on 0.2.0.3-alpha. + - Fix an uninitialized read that could in some cases lead to a remote + crash while parsing INTRODUCE2 cells. Bugfix on 0.2.4.1-alpha. + Anybody running a hidden service on the experimental 0.2.4.x + branch should upgrade. (This is, so far as we know, unrelated to + the recent news.) + - Avoid an assertion failure when processing DNS replies without the + answer types we expected. Fixes bug 9337; bugfix on 0.2.4.7-alpha. + - Avoid a crash when using --hash-password. Fixes bug 9295; bugfix on + 0.2.4.15-rc. Found by stem integration tests. + + o Minor bugfixes: + - Fix an invalid memory read that occured when a pluggable + transport proxy failed its configuration protocol. + Fixes bug 9288; bugfix on 0.2.4.1-alpha. + - When evaluating whether to use a connection that we haven't + decided is canonical using a recent link protocol version, + decide that it's canonical only if it used address _does_ + match the desired address. Fixes bug 9309; bugfix on + 0.2.4.4-alpha. Reported by skruffy. + - Make the default behavior of NumDirectoryGuards be to track + NumEntryGuards. Now a user who changes only NumEntryGuards will get + the behavior she expects. Fixes bug 9354; bugfix on 0.2.4.8-alpha. + - Fix a spurious compilation warning with some older versions of + GCC on FreeBSD. Fixes bug 9254; bugfix on 0.2.4.14-alpha. + + o Minor features: + - Update to the July 3 2013 Maxmind GeoLite Country database. + + +Changes in version 0.2.4.15-rc - 2013-07-01 + Tor 0.2.4.15-rc is the first release candidate for the Tor 0.2.4.x + series. It fixes a few smaller bugs, but generally appears stable. + Please test it and let us know whether it is! + + o Major bugfixes: + - When receiving a new configuration file via the control port's + LOADCONF command, do not treat the defaults file as absent. + Fixes bug 9122; bugfix on 0.2.3.9-alpha. + + o Minor features: + - Issue a warning when running with the bufferevents backend enabled. + It's still not stable, and people should know that they're likely + to hit unexpected problems. Closes ticket 9147. + + +Changes in version 0.2.4.14-alpha - 2013-06-18 + Tor 0.2.4.14-alpha fixes a pair of client guard enumeration problems + present in 0.2.4.13-alpha. + + o Major bugfixes: + - When we have too much memory queued in circuits (according to a new + MaxMemInCellQueues option), close the circuits consuming the most + memory. This prevents us from running out of memory as a relay if + circuits fill up faster than they can be drained. Fixes bug 9063; + bugfix on the 54th commit of Tor. This bug is a further fix beyond + bug 6252, whose fix was merged into 0.2.3.21-rc. + + This change also fixes an earlier approach taken in 0.2.4.13-alpha, + where we tried to solve this issue simply by imposing an upper limit + on the number of queued cells for a single circuit. That approach + proved to be problematic, since there are ways to provoke clients to + send a number of cells in excess of any such reasonable limit. Fixes + bug 9072; bugfix on 0.2.4.13-alpha. + + - Limit hidden service descriptors to at most ten introduction + points, to slow one kind of guard enumeration. Fixes bug 9002; + bugfix on 0.1.1.11-alpha. + + +Changes in version 0.2.4.13-alpha - 2013-06-14 + Tor 0.2.4.13-alpha fixes a variety of potential remote crash + vulnerabilities, makes socks5 username/password circuit isolation + actually actually work (this time for sure!), and cleans up a bunch + of other issues in preparation for a release candidate. + + o Major bugfixes (robustness): + - Close any circuit that has too many cells queued on it. Fixes + bug 9063; bugfix on the 54th commit of Tor. This bug is a further + fix beyond bug 6252, whose fix was merged into 0.2.3.21-rc. + - Prevent the get_freelists() function from running off the end of + the list of freelists if it somehow gets an unrecognized + allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by + eugenis. + - Avoid an assertion failure on OpenBSD (and perhaps other BSDs) + when an exit connection with optimistic data succeeds immediately + rather than returning EINPROGRESS. Fixes bug 9017; bugfix on + 0.2.3.1-alpha. + - Fix a directory authority crash bug when building a consensus + using an older consensus as its basis. Fixes bug 8833. Bugfix + on 0.2.4.12-alpha. + + o Major bugfixes: + - Avoid a memory leak where we would leak a consensus body when we + find that a consensus which we couldn't previously verify due to + missing certificates is now verifiable. Fixes bug 8719; bugfix + on 0.2.0.10-alpha. + - We used to always request authority certificates by identity digest, + meaning we'd get the newest one even when we wanted one with a + different signing key. Then we would complain about being given + a certificate we already had, and never get the one we really + wanted. Now we use the "fp-sk/" resource as well as the "fp/" + resource to request the one we want. Fixes bug 5595; bugfix on + 0.2.0.8-alpha. + - Follow the socks5 protocol when offering username/password + authentication. The fix for bug 8117 exposed this bug, and it + turns out real-world applications like Pidgin do care. Bugfix on + 0.2.3.2-alpha; fixes bug 8879. + - Prevent failures on Windows Vista and later when rebuilding the + microdescriptor cache. Diagnosed by Robert Ransom. Fixes bug 8822; + bugfix on 0.2.4.12-alpha. + + o Minor bugfixes: + - Fix an impossible buffer overrun in the AES unit tests. Fixes + bug 8845; bugfix on 0.2.0.7-alpha. Found by eugenis. + - If for some reason we fail to write a microdescriptor while + rebuilding the cache, do not let the annotations from that + microdescriptor linger in the cache file, and do not let the + microdescriptor stay recorded as present in its old location. + Fixes bug 9047; bugfix on 0.2.2.6-alpha. + - Fix a memory leak that would occur whenever a configuration + option changed. Fixes bug 8718; bugfix on 0.2.3.3-alpha. + - Paste the description for PathBias parameters from the man + page into or.h, so the code documents them too. Fixes bug 7982; + bugfix on 0.2.3.17-beta and 0.2.4.8-alpha. + - Relays now treat a changed IPv6 ORPort as sufficient reason to + publish an updated descriptor. Fixes bug 6026; bugfix on + 0.2.4.1-alpha. + - When launching a resolve request on behalf of an AF_UNIX control + socket, omit the address field of the new entry connection, used in + subsequent controller events, rather than letting tor_dup_addr() + set it to "<unknown address type>". Fixes bug 8639; bugfix on + 0.2.4.12-alpha. + + o Minor bugfixes (log messages): + - Fix a scaling issue in the path bias accounting code that + resulted in "Bug:" log messages from either + pathbias_scale_close_rates() or pathbias_count_build_success(). + This represents a bugfix on a previous bugfix: the original fix + attempted in 0.2.4.10-alpha was incomplete. Fixes bug 8235; bugfix + on 0.2.4.1-alpha. + - Give a less useless error message when the user asks for an IPv4 + address on an IPv6-only port, or vice versa. Fixes bug 8846; bugfix + on 0.2.4.7-alpha. + + o Minor features: + - Downgrade "unexpected SENDME" warnings to protocol-warn for 0.2.4.x, + to tolerate bug 8093 for now. + - Add an "ignoring-advertised-bws" boolean to the flag-threshold lines + in directory authority votes to describe whether they have enough + measured bandwidths to ignore advertised (relay descriptor) + bandwidth claims. Resolves ticket 8711. + - Update to the June 5 2013 Maxmind GeoLite Country database. + + o Removed documentation: + - Remove some of the older contents of doc/ as obsolete; move others + to torspec.git. Fixes bug 8965. + + o Code simplification and refactoring: + - Avoid using character buffers when constructing most directory + objects: this approach was unwieldy and error-prone. Instead, + build smartlists of strings, and concatenate them when done. + + +Changes in version 0.2.4.12-alpha - 2013-04-18 + Tor 0.2.4.12-alpha moves Tor forward on several fronts: it starts the + process for lengthening the guard rotation period, makes directory + authority opinions in the consensus a bit less gameable, makes socks5 + username/password circuit isolation actually work, and fixes a wide + variety of other issues. + + o Major features: + - Raise the default time that a client keeps an entry guard from + "1-2 months" to "2-3 months", as suggested by Tariq Elahi's WPES + 2012 paper. (We would make it even longer, but we need better client + load balancing first.) Also, make the guard lifetime controllable + via a new GuardLifetime torrc option and a GuardLifetime consensus + parameter. Start of a fix for bug 8240; bugfix on 0.1.1.11-alpha. + - Directory authorities now prefer using measured bandwidths to + advertised ones when computing flags and thresholds. Resolves + ticket 8273. + - Directory authorities that have more than a threshold number + of relays with measured bandwidths now treat relays with unmeasured + bandwidths as having bandwidth 0. Resolves ticket 8435. + + o Major bugfixes (assert / resource use): + - Avoid a bug where our response to TLS renegotiation under certain + network conditions could lead to a busy-loop, with 100% CPU + consumption. Fixes bug 5650; bugfix on 0.2.0.16-alpha. + - Avoid an assertion when we discover that we'd like to write a cell + onto a closing connection: just discard the cell. Fixes another + case of bug 7350; bugfix on 0.2.4.4-alpha. + + o Major bugfixes (client-side privacy): + - When we mark a circuit as unusable for new circuits, have it + continue to be unusable for new circuits even if MaxCircuitDirtiness + is increased too much at the wrong time, or the system clock jumps + backwards. Fixes bug 6174; bugfix on 0.0.2pre26. + - If ClientDNSRejectInternalAddresses ("do not believe DNS queries + which have resolved to internal addresses") is set, apply that + rule to IPv6 as well. Fixes bug 8475; bugfix on 0.2.0.7-alpha. + - When an exit relay rejects a stream with reason "exit policy", but + we only know an exit policy summary (e.g. from the microdesc + consensus) for it, do not mark the relay as useless for all exiting. + Instead, mark just the circuit as unsuitable for that particular + address. Fixes part of bug 7582; bugfix on 0.2.3.2-alpha. + - Allow applications to get proper stream isolation with + IsolateSOCKSAuth. Many SOCKS5 clients that want to offer + username/password authentication also offer "no authentication". Tor + had previously preferred "no authentication", so the applications + never actually sent Tor their auth details. Now Tor selects + username/password authentication if it's offered. You can disable + this behavior on a per-SOCKSPort basis via PreferSOCKSNoAuth. Fixes + bug 8117; bugfix on 0.2.3.3-alpha. + + o Major bugfixes (other): + - When unable to find any working directory nodes to use as a + directory guard, give up rather than adding the same non-working + nodes to the directory guard list over and over. Fixes bug 8231; + bugfix on 0.2.4.8-alpha. + + o Minor features: + - Reject as invalid most directory objects containing a NUL. + Belt-and-suspender fix for bug 8037. + - In our testsuite, create temporary directories with a bit more + entropy in their name to make name collisions less likely. Fixes + bug 8638. + - Add CACHED keyword to ADDRMAP events in the control protocol + to indicate whether a DNS result will be cached or not. Resolves + ticket 8596. + - Update to the April 3 2013 Maxmind GeoLite Country database. + + o Minor features (build): + - Detect and reject attempts to build Tor with threading support + when OpenSSL has been compiled without threading support. + Fixes bug 6673. + - Clarify that when autoconf is checking for nacl, it is checking + specifically for nacl with a fast curve25519 implementation. + Fixes bug 8014. + - Warn if building on a platform with an unsigned time_t: there + are too many places where Tor currently assumes that time_t can + hold negative values. We'd like to fix them all, but probably + some will remain. + + o Minor bugfixes (build): + - Fix some bugs in tor-fw-helper-natpmp when trying to build and + run it on Windows. More bugs likely remain. Patch from Gisle Vanem. + Fixes bug 7280; bugfix on 0.2.3.1-alpha. + - Add the old src/or/micro-revision.i filename to CLEANFILES. + On the off chance that somebody has one, it will go away as soon + as they run "make clean". Fix for bug 7143; bugfix on 0.2.4.1-alpha. + - Build Tor correctly on 32-bit platforms where the compiler can build + but not run code using the "uint128_t" construction. Fixes bug 8587; + bugfix on 0.2.4.8-alpha. + - Fix compilation warning with some versions of clang that would + prefer the -Wswitch-enum compiler flag to warn about switch + statements with missing enum values, even if those switch + statements have a "default:" statement. Fixes bug 8598; bugfix + on 0.2.4.10-alpha. + + o Minor bugfixes (protocol): + - Fix the handling of a TRUNCATE cell when it arrives while the + circuit extension is in progress. Fixes bug 7947; bugfix on 0.0.7.1. + - Fix a misframing issue when reading the version numbers in a + VERSIONS cell. Previously we would recognize [00 01 00 02] as + 'version 1, version 2, and version 0x100', when it should have + only included versions 1 and 2. Fixes bug 8059; bugfix on + 0.2.0.10-alpha. Reported pseudonymously. + - Make the format and order of STREAM events for DNS lookups + consistent among the various ways to launch DNS lookups. Fixes + bug 8203; bugfix on 0.2.0.24-rc. Patch by "Desoxy." + - Correct our check for which versions of Tor support the EXTEND2 + cell. We had been willing to send it to Tor 0.2.4.7-alpha and + later, when support was really added in version 0.2.4.8-alpha. + Fixes bug 8464; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (other): + - Correctly store microdescriptors and extrainfo descriptors with + an internal NUL byte. Fixes bug 8037; bugfix on 0.2.0.1-alpha. + Bug reported by "cypherpunks". + - Increase the width of the field used to remember a connection's + link protocol version to two bytes. Harmless for now, since the + only currently recognized versions are one byte long. Reported + pseudonymously. Fixes bug 8062; bugfix on 0.2.0.10-alpha. + - If the state file's path bias counts are invalid (presumably from a + buggy Tor prior to 0.2.4.10-alpha), make them correct. Also add + additional checks and log messages to the scaling of Path Bias + counts, in case there still are remaining issues with scaling. + Should help resolve bug 8235. + - Eliminate several instances where we use "Nickname=ID" to refer to + nodes in logs. Use "Nickname (ID)" instead. (Elsewhere, we still use + "$ID=Nickname", which is also acceptable.) Fixes bug 7065. Bugfix + on 0.2.3.21-rc, 0.2.4.5-alpha, 0.2.4.8-alpha, and 0.2.4.10-alpha. + + o Minor bugfixes (syscalls): + - Always check the return values of functions fcntl() and + setsockopt(). We don't believe these are ever actually failing in + practice, but better safe than sorry. Also, checking these return + values should please analysis tools like Coverity. Patch from + 'flupzor'. Fixes bug 8206; bugfix on all versions of Tor. + - Use direct writes rather than stdio when building microdescriptor + caches, in an attempt to mitigate bug 8031, or at least make it + less common. + + o Minor bugfixes (config): + - When rejecting a configuration because we were unable to parse a + quoted string, log an actual error message. Fixes bug 7950; bugfix + on 0.2.0.16-alpha. + - Behave correctly when the user disables LearnCircuitBuildTimeout + but doesn't tell us what they would like the timeout to be. Fixes + bug 6304; bugfix on 0.2.2.14-alpha. + - When autodetecting the number of CPUs, use the number of available + CPUs in preference to the number of configured CPUs. Inform the + user if this reduces the number of available CPUs. Fixes bug 8002; + bugfix on 0.2.3.1-alpha. + - Make it an error when you set EntryNodes but disable UseGuardNodes, + since it will (surprisingly to some users) ignore EntryNodes. Fixes + bug 8180; bugfix on 0.2.3.11-alpha. + - Allow TestingTorNetworks to override the 4096-byte minimum for + the Fast threshold. Otherwise they can't bootstrap until they've + observed more traffic. Fixes bug 8508; bugfix on 0.2.4.10-alpha. + - Fix some logic errors when the user manually overrides the + PathsNeededToBuildCircuits option in torrc. Fixes bug 8599; bugfix + on 0.2.4.10-alpha. + + o Minor bugfixes (log messages to help diagnose bugs): + - If we fail to free a microdescriptor because of bug 7164, log + the filename and line number from which we tried to free it. + - Add another diagnostic to the heartbeat message: track and log + overhead that TLS is adding to the data we write. If this is + high, we are sending too little data to SSL_write at a time. + Diagnostic for bug 7707. + - Add more detail to a log message about relaxed timeouts, to help + track bug 7799. + - Warn more aggressively when flushing microdescriptors to a + microdescriptor cache fails, in an attempt to mitigate bug 8031, + or at least make it more diagnosable. + - Improve debugging output to help track down bug 8185 ("Bug: + outgoing relay cell has n_chan==NULL. Dropping.") + - Log the purpose of a path-bias testing circuit correctly. + Improves a log message from bug 8477; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (0.2.4.x log messages that were too noisy): + - Don't attempt to relax the timeout of already opened 1-hop circuits. + They might never timeout. This should eliminate some/all cases of + the relaxed timeout log message. + - Use circuit creation time for network liveness evaluation. This + should eliminate warning log messages about liveness caused + by changes in timeout evaluation. Fixes bug 6572; bugfix on + 0.2.4.8-alpha. + - Reduce a path bias length check from notice to info. The message + is triggered when creating controller circuits. Fixes bug 8196; + bugfix on 0.2.4.8-alpha. + - Fix a path state issue that triggered a notice during relay startup. + Fixes bug 8320; bugfix on 0.2.4.10-alpha. + - Reduce occurrences of warns about circuit purpose in + connection_ap_expire_building(). Fixes bug 8477; bugfix on + 0.2.4.11-alpha. + + o Minor bugfixes (pre-0.2.4.x log messages that were too noisy): + - If we encounter a write failure on a SOCKS connection before we + finish our SOCKS handshake, don't warn that we closed the + connection before we could send a SOCKS reply. Fixes bug 8427; + bugfix on 0.1.0.1-rc. + - Correctly recognize that [::1] is a loopback address. Fixes + bug 8377; bugfix on 0.2.1.3-alpha. + - Fix a directory authority warn caused when we have a large amount + of badexit bandwidth. Fixes bug 8419; bugfix on 0.2.2.10-alpha. + - Don't log inappropriate heartbeat messages when hibernating: a + hibernating node is _expected_ to drop out of the consensus, + decide it isn't bootstrapped, and so forth. Fixes bug 7302; + bugfix on 0.2.3.1-alpha. + - Don't complain about bootstrapping problems while hibernating. + These complaints reflect a general code problem, but not one + with any problematic effects (no connections are actually + opened). Fixes part of bug 7302; bugfix on 0.2.3.2-alpha. + + o Documentation fixes: + - Update tor-fw-helper.1.txt and tor-fw-helper.c to make option + names match. Fixes bug 7768. + - Make the torify manpage no longer refer to tsocks; torify hasn't + supported tsocks since 0.2.3.14-alpha. + - Make the tor manpage no longer reference tsocks. + - Fix the GeoIPExcludeUnknown documentation to refer to + ExcludeExitNodes rather than the currently nonexistent + ExcludeEntryNodes. Spotted by "hamahangi" on tor-talk. + + o Removed files: + - The tor-tsocks.conf is no longer distributed or installed. We + recommend that tsocks users use torsocks instead. Resolves + ticket 8290. + + +Changes in version 0.2.4.11-alpha - 2013-03-11 + Tor 0.2.4.11-alpha makes relay measurement by directory authorities + more robust, makes hidden service authentication work again, and + resolves a DPI fingerprint for Tor's SSL transport. + + o Major features (directory authorities): + - Directory authorities now support a new consensus method (17) + where they cap the published bandwidth of servers for which + insufficient bandwidth measurements exist. Fixes part of bug 2286. + - Directory authorities that set "DisableV2DirectoryInfo_ 1" no longer + serve any v2 directory information. Now we can test disabling the + old deprecated v2 directory format, and see whether doing so has + any effect on network load. Begins to fix bug 6783. + - Directory authorities now include inside each vote a statement of + the performance thresholds they used when assigning flags. + Implements ticket 8151. + + o Major bugfixes (directory authorities): + - Stop marking every relay as having been down for one hour every + time we restart a directory authority. These artificial downtimes + were messing with our Stable and Guard flag calculations. Fixes + bug 8218 (introduced by the fix for 1035). Bugfix on 0.2.2.23-alpha. + + o Major bugfixes (hidden services): + - Allow hidden service authentication to succeed again. When we + refactored the hidden service introduction code back + in 0.2.4.1-alpha, we didn't update the code that checks + whether authentication information is present, causing all + authentication checks to return "false". Fix for bug 8207; bugfix + on 0.2.4.1-alpha. Found by Coverity; this is CID 718615. + + o Minor features (relays, bridges): + - Make bridge relays check once a minute for whether their IP + address has changed, rather than only every 15 minutes. Resolves + bugs 1913 and 1992. + - Refactor resolve_my_address() so it returns the method by which we + decided our public IP address (explicitly configured, resolved from + explicit hostname, guessed from interfaces, learned by gethostname). + Now we can provide more helpful log messages when a relay guesses + its IP address incorrectly (e.g. due to unexpected lines in + /etc/hosts). Resolves ticket 2267. + - Teach bridge-using clients to avoid 0.2.2 bridges when making + microdescriptor-related dir requests, and only fall back to normal + descriptors if none of their bridges can handle microdescriptors + (as opposed to the fix in ticket 4013, which caused them to fall + back to normal descriptors if *any* of their bridges preferred + them). Resolves ticket 4994. + - Randomize the lifetime of our SSL link certificate, so censors can't + use the static value for filtering Tor flows. Resolves ticket 8443; + related to ticket 4014 which was included in 0.2.2.33. + + o Minor features (portability): + - Tweak the curve25519-donna*.c implementations to tolerate systems + that lack stdint.h. Fixes bug 3894; bugfix on 0.2.4.8-alpha. + - Use Ville Laurikari's implementation of AX_CHECK_SIGN() to determine + the signs of types during autoconf. This is better than our old + approach, which didn't work when cross-compiling. + - Detect the sign of enum values, rather than assuming that MSC is the + only compiler where enum types are all signed. Fixes bug 7727; + bugfix on 0.2.4.10-alpha. + + o Minor features (other): + - Say "KBytes" rather than "KB" in the man page (for various values + of K), to further reduce confusion about whether Tor counts in + units of memory or fractions of units of memory. Resolves ticket 7054. + - Clear the high bit on curve25519 public keys before passing them to + our backend, in case we ever wind up using a backend that doesn't do + so itself. If we used such a backend, and *didn't* clear the high bit, + we could wind up in a situation where users with such backends would + be distinguishable from users without. Fixes bug 8121; bugfix on + 0.2.4.8-alpha. + - Update to the March 6 2013 Maxmind GeoLite Country database. + + o Minor bugfixes (clients): + - When we receive a RELAY_END cell with the reason DONE, or with no + reason, before receiving a RELAY_CONNECTED cell, report the SOCKS + status as "connection refused". Previously we reported these cases + as success but then immediately closed the connection. Fixes bug + 7902; bugfix on 0.1.0.1-rc. Reported by "oftc_must_be_destroyed". + - Downgrade an assertion in connection_ap_expire_beginning to an + LD_BUG message. The fix for bug 8024 should prevent this message + from displaying, but just in case, a warn that we can diagnose + is better than more assert crashes. Fixes bug 8065; bugfix on + 0.2.4.8-alpha. + - Lower path use bias thresholds to .80 for notice and .60 for warn. + Also make the rate limiting flags for the path use bias log messages + independent from the original path bias flags. Fixes bug 8161; + bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (relays): + - Stop trying to resolve our hostname so often (e.g. every time we + think about doing a directory fetch). Now we reuse the cached + answer in some cases. Fixes bugs 1992 (bugfix on 0.2.0.20-rc) + and 2410 (bugfix on 0.1.2.2-alpha). + - Stop sending a stray "(null)" in some cases for the server status + "EXTERNAL_ADDRESS" controller event. Resolves bug 8200; bugfix + on 0.1.2.6-alpha. + - When choosing which stream on a formerly stalled circuit to wake + first, make better use of the platform's weak RNG. Previously, + we had been using the % ("modulo") operator to try to generate a + 1/N chance of picking each stream, but this behaves badly with + many platforms' choice of weak RNG. Fixes bug 7801; bugfix on + 0.2.2.20-alpha. + - Use our own weak RNG when we need a weak RNG. Windows's rand() and + Irix's random() only return 15 bits; Solaris's random() returns more + bits but its RAND_MAX says it only returns 15, and so on. Motivated + by the fix for bug 7801; bugfix on 0.2.2.20-alpha. + + o Minor bugfixes (directory authorities): + - Directory authorities now use less space when formatting identical + microdescriptor lines in directory votes. Fixes bug 8158; bugfix + on 0.2.4.1-alpha. + + o Minor bugfixes (memory leaks spotted by Coverity -- bug 7816): + - Avoid leaking memory if we fail to compute a consensus signature + or we generate a consensus we can't parse. Bugfix on 0.2.0.5-alpha. + - Fix a memory leak when receiving headers from an HTTPS proxy. Bugfix + on 0.2.1.1-alpha. + - Fix a memory leak during safe-cookie controller authentication. + Bugfix on 0.2.3.13-alpha. + - Avoid memory leak of IPv6 policy content if we fail to format it into + a router descriptor. Bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (other code correctness issues): + - Avoid a crash if we fail to generate an extrainfo descriptor. + Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity; + this is CID 718634. + - When detecting the largest possible file descriptor (in order to + close all file descriptors when launching a new program), actually + use _SC_OPEN_MAX. The old code for doing this was very, very broken. + Fixes bug 8209; bugfix on 0.2.3.1-alpha. Found by Coverity; this + is CID 743383. + - Fix a copy-and-paste error when adding a missing A1 to a routerset + because of GeoIPExcludeUnknown. Fix for Coverity CID 980650. + Bugfix on 0.2.4.10-alpha. + - Fix an impossible-to-trigger integer overflow when estimating how + long our onionskin queue would take. (This overflow would require us + to accept 4 million onionskins before processing 100 of them.) Fixes + bug 8210; bugfix on 0.2.4.10-alpha. + + o Code simplification and refactoring: + - Add a wrapper function for the common "log a message with a + rate-limit" case. + + Changes in version 0.2.4.10-alpha - 2013-02-04 Tor 0.2.4.10-alpha adds defenses at the directory authority level from certain attacks that flood the network with relays; changes the queue diff --git a/ReleaseNotes b/ReleaseNotes index d68eca99eb..f3e03e09ec 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -3,6 +3,961 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.2.4.x - 2013-11-xx + The Tor 0.2.4 release series is dedicated to [...] + + Tor 0.2.4.x, the first stable release in the 0.2.4 branch, features + [...] + + o Major features (new circuit handshake): + - Tor now supports a new circuit extension handshake designed by Ian + Goldberg, Douglas Stebila, and Berkant Ustaoglu. Our original + circuit extension handshake, later called "TAP", was a bit slow + (especially on the relay side), had a fragile security proof, and + used weaker keys than we'd now prefer. The new circuit handshake + uses Dan Bernstein's "curve25519" elliptic-curve Diffie-Hellman + function, making it significantly more secure than the older + handshake, and significantly faster. Tor can use one of two built-in + pure-C curve25519-donna implementations by Adam Langley, or it + can link against the "nacl" library for a tuned version if present. + + The built-in version is very fast for 64-bit systems when building + with GCC. The built-in 32-bit version is still faster than the + old TAP protocol, but using libnacl is better on most such hosts. + + Implements proposal 216; closes ticket 7202. + + o Major features (better link encryption): + - Relays can now enable the ECDHE TLS ciphersuites when available + and appropriate. These ciphersuites let us negotiate forward-secure + TLS secret keys more safely and more efficiently than with our + previous use of Diffie-Hellman modulo a 1024-bit prime. By default, + public relays prefer the (faster) P224 group, and bridges prefer + the (more common) P256 group; you can override this with the + TLSECGroup option. + + This feature requires clients running 0.2.3.17-beta or later, + and requires both sides to be running OpenSSL 1.0.0 or later + with ECC support. OpenSSL 1.0.1, with the compile-time option + "enable-ec_nistp_64_gcc_128", is highly recommended. + + Implements the relay side of proposal 198; closes ticket 7200. + + o Major features (relay performance): + - Instead of limiting the number of queued onionskins (aka circuit + create requests) to a fixed, hard-to-configure number, we limit + the size of the queue based on how many we expect to be able to + process in a given amount of time. We estimate the time it will + take to process an onionskin based on average processing time + of previous onionskins. Closes ticket 7291. You'll never have to + configure MaxOnionsPending again. + - Relays process the new "NTor" circuit-level handshake requests + with higher priority than the old "TAP" circuit-level handshake + requests. We still process some TAP requests to not totally starve + 0.2.3 clients when NTor becomes popular. A new consensus parameter + "NumNTorsPerTAP" lets us tune the balance later if we need to. + Implements ticket 9574. + + o Major features (client bootstrapping resilience): + - Add a new "FallbackDir" torrc option to use when we can't use + a directory mirror from the consensus (either because we lack a + consensus, or because they're all down). Currently, all authorities + are fallbacks by default, and there are no other default fallbacks, + but that will change. This option will allow us to give clients a + longer list of servers to try to get a consensus from when first + connecting to the Tor network, and thereby reduce load on the + directory authorities. Implements proposal 206, "Preconfigured + directory sources for bootstrapping". We also removed the old + "FallbackNetworkstatus" option, since we never got it working well + enough to use it. Closes bug 572. + - If we have no circuits open, use a relaxed timeout (the + 95-percentile cutoff) until a circuit succeeds. This heuristic + should allow Tor to succeed at building circuits even when the + network connection drastically changes. Should help with bug 3443. + + o Major features (use of guards): + - Preliminary support for directory guards (proposal 207): when + possible, clients now use their entry guards for non-anonymous + directory requests. This can help prevent client enumeration. Note + that this behavior only works when we have a usable consensus + directory, and when options about what to download are more or less + standard. In the future we should re-bootstrap from our guards, + rather than re-bootstrapping from the preconfigured list of + directory sources that ships with Tor. Resolves ticket 6526. + - Raise the default time that a client keeps an entry guard from + "1-2 months" to "2-3 months", as suggested by Tariq Elahi's WPES + 2012 paper. (We would make it even longer, but we need better client + load balancing first.) Also, make the guard lifetime controllable + via a new GuardLifetime torrc option and a GuardLifetime consensus + parameter. Start of a fix for bug 8240; bugfix on 0.1.1.11-alpha. + + o Major features (bridges with pluggable transports): + - Bridges now report the pluggable transports they support to the + bridge authority, so it can pass the supported transports on to + bridgedb and/or eventually do reachability testing. Implements + ticket 3589. + - Automatically forward the TCP ports of pluggable transport + proxies using tor-fw-helper if PortForwarding is enabled. Implements + ticket 4567. + + o Major features (geoip database): + - Maxmind began labelling Tor relays as being in country "A1", + which breaks by-country node selection inside Tor. Now we use a + script to replace "A1" ("Anonymous Proxy") entries in our geoip + file with real country codes. This script fixes about 90% of "A1" + entries automatically and uses manual country code assignments to + fix the remaining 10%. See src/config/README.geoip for details. + Fixes bug 6266. + - Add GeoIP database for IPv6 addresses. The new config option + is GeoIPv6File. + - Update to the August 7 2013 Maxmind GeoLite Country database. + + o Major features (IPv6): + - Clients who set "ClientUseIPv6 1" may connect to entry nodes over + IPv6. Set "ClientPreferIPv6ORPort 1" to make this even more likely + to happen. Implements ticket 5535. + - All kind of relays, not just bridges, can now advertise an IPv6 + OR port. Implements ticket 6362. + - Relays can now exit to IPv6 addresses: make sure that you have IPv6 + connectivity, then set the IPv6Exit flag to 1. Also make sure your + exit policy reads as you would like: the address * applies to all + address families, whereas *4 is IPv4 address only, and *6 is IPv6 + addresses only. On the client side, you'll need to wait for enough + exits to support IPv6, apply the "IPv6Traffic" flag to a SocksPort, + and use Socks5. Closes ticket 5547, implements proposal 117 as + revised in proposal 208. + - Bridge authorities now accept IPv6 bridge addresses and include + them in network status documents. Implements ticket 5534. + - Directory authorities vote on IPv6 OR ports. Implements ticket 6363. + + o Major features (directory authorities): + - Directory authorities now prefer using measured bandwidths to + advertised ones when computing flags and thresholds. Resolves + ticket 8273. + - Directory authorities that vote measured bandwidths about more + than a threshold number of relays now treat relays with + unmeasured bandwidths as having bandwidth 0 when computing their + flags. Resolves ticket 8435. + - Directory authorities now support a new consensus method (17) + where they cap the published bandwidth of relays for which + insufficient bandwidth measurements exist. Fixes part of bug 2286. + - Directory authorities that set "DisableV2DirectoryInfo_ 1" no longer + serve any v2 directory information. Now we can test disabling the + old deprecated v2 directory format, and see whether doing so has + any effect on network load. Begins to fix bug 6783. + + o Major features (build and portability): + - Switch to a nonrecursive Makefile structure. Now instead of each + Makefile.am invoking other Makefile.am's, there is a master + Makefile.am that includes the others. This change makes our build + process slightly more maintainable, and improves parallelism for + building with make -j. Original patch by Stewart Smith; various + fixes by Jim Meyering. + - Where available, we now use automake's "silent" make rules by + default, so that warnings are easier to spot. You can get the old + behavior with "make V=1". Patch by Stewart Smith for ticket 6522. + - Resume building correctly with MSVC and Makefile.nmake. This patch + resolves numerous bugs and fixes reported by ultramage, including + 7305, 7308, 7309, 7310, 7312, 7313, 7315, 7316, and 7669. + + o Security features: + - Switch to a completely time-invariant approach for picking nodes + weighted by bandwidth. Our old approach would run through the + part of the loop after it had made its choice slightly slower + than it ran through the part of the loop before it had made its + choice. Addresses ticket 6538. + - Disable the use of Guard nodes when in Tor2WebMode. Guard usage + by tor2web clients allows hidden services to identify tor2web + clients through their repeated selection of the same rendezvous + and introduction point circuit endpoints (their guards). Resolves + ticket 6888. + + o Major bugfixes (relay denial of service): + - When we have too much memory queued in circuits (according to a new + MaxMemInCellQueues option), close the circuits consuming the most + memory. This prevents us from running out of memory as a relay if + circuits fill up faster than they can be drained. Fixes bug 9063; + bugfix on the 54th commit of Tor. This bug is a further fix beyond + bug 6252, whose fix was merged into 0.2.3.21-rc. + - Reject bogus create and relay cells with 0 circuit ID or 0 stream + ID: these could be used to create unexpected streams and circuits + which would count as "present" to some parts of Tor but "absent" + to others, leading to zombie circuits and streams or to a bandwidth + denial-of-service. Fixes bug 7889; bugfix on every released version + of Tor. Reported by "oftc_must_be_destroyed". + - Avoid a bug where our response to TLS renegotiation under certain + network conditions could lead to a busy-loop, with 100% CPU + consumption. Fixes bug 5650; bugfix on 0.2.0.16-alpha. + + o Major bugfixes (asserts, crashes, leaks): + - Avoid a memory leak where we would leak a consensus body when we + find that a consensus which we couldn't previously verify due to + missing certificates is now verifiable. Fixes bug 8719; bugfix + on 0.2.0.10-alpha. + - Fix a memory leak that would occur whenever a configuration + option changed. Fixes bug 8718; bugfix on 0.2.3.3-alpha. + - Prevent the get_freelists() function from running off the end of + the list of freelists if it somehow gets an unrecognized + allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by + eugenis. + - Avoid an assertion failure on OpenBSD (and perhaps other BSDs) + when an exit connection with optimistic data succeeds immediately + rather than returning EINPROGRESS. Fixes bug 9017; bugfix on + 0.2.3.1-alpha. + + o Major bugfixes (relay rate limiting): + - When a TLS write is partially successful but incomplete, remember + that the flushed part has been flushed, and notice that bytes were + actually written. Reported and fixed pseudonymously. Fixes bug 7708; + bugfix on Tor 0.1.0.5-rc. + - Raise the default BandwidthRate/BandwidthBurst values from 5MB/10MB + to 1GB/1GB. The previous defaults were intended to be "basically + infinite", but it turns out they're now limiting our 100mbit+ + relays and bridges. Fixes bug 6605; bugfix on 0.2.0.10-alpha (the + last time we raised it). + + o Major bugfixes (client-side privacy): + - When we mark a circuit as unusable for new circuits, have it + continue to be unusable for new circuits even if MaxCircuitDirtiness + is increased too much at the wrong time, or the system clock jumps + backwards. Fixes bug 6174; bugfix on 0.0.2pre26. + - If ClientDNSRejectInternalAddresses ("do not believe DNS queries + which have resolved to internal addresses") is set, apply that + rule to IPv6 as well. Fixes bug 8475; bugfix on 0.2.0.7-alpha. + - When an exit relay rejects a stream with reason "exit policy", but + we only know an exit policy summary (e.g. from the microdesc + consensus) for it, do not mark the relay as useless for all exiting. + Instead, mark just the circuit as unsuitable for that particular + address. Fixes part of bug 7582; bugfix on 0.2.3.2-alpha. + + o Major bugfixes (stream isolation): + - Allow applications to get proper stream isolation with + IsolateSOCKSAuth. Many SOCKS5 clients that want to offer + username/password authentication also offer "no authentication". Tor + had previously preferred "no authentication", so the applications + never actually sent Tor their auth details. Now Tor selects + username/password authentication if it's offered. You can disable + this behavior on a per-SOCKSPort basis via PreferSOCKSNoAuth. Fixes + bug 8117; bugfix on 0.2.3.3-alpha. + - Follow the socks5 protocol when offering username/password + authentication. The fix for bug 8117 exposed this bug, and it + turns out real-world applications like Pidgin do care. Bugfix on + 0.2.3.2-alpha; fixes bug 8879. + + o Major bugfixes (client circuit building): + - Alter circuit build timeout measurement to start at the point + where we begin the CREATE/CREATE_FAST step (as opposed to circuit + initialization). This should make our timeout measurements more + uniform. Previously, we were sometimes including ORconn setup time + in our circuit build time measurements. Should resolve bug 3443. + - If the circuit build timeout logic is disabled (via the consensus, + or because we are an authority), then don't build testing circuits. + Fixes bug 9657; bugfix on 0.2.2.14-alpha. + + o Major bugfixes (client-side DNS): + - Turn off the client-side DNS cache by default. Updating and using + the DNS cache is now configurable on a per-client-port + level. SOCKSPort, DNSPort, etc lines may now contain + {No,}Cache{IPv4,IPv6,}DNS lines to indicate that we shouldn't + cache these types of DNS answers when we receive them from an + exit node in response to an application request on this port, and + {No,}UseCached{IPv4,IPv6,DNS} lines to indicate that if we have + cached DNS answers of these types, we shouldn't use them. It's + potentially risky to use cached DNS answers at the client, since + doing so can indicate to one exit what answers we've gotten + for DNS lookups in the past. With IPv6, this becomes especially + problematic. Using cached DNS answers for requests on the same + circuit would present less linkability risk, since all traffic + on a circuit is already linkable, but it would also provide + little performance benefit: the exit node caches DNS replies + too. Implements a simplified version of Proposal 205. Implements + ticket 7570. + + o Major bugfixes (hidden service privacy): + - Limit hidden service descriptors to at most ten introduction + points, to slow one kind of guard enumeration. Fixes bug 9002; + bugfix on 0.1.1.11-alpha. + + o Major bugfixes (directory fetching): + - If the time to download the next old-style networkstatus is in + the future, do not decline to consider whether to download the + next microdescriptor networkstatus. Fixes bug 9564; bugfix on + 0.2.3.14-alpha. + - We used to always request authority certificates by identity digest, + meaning we'd get the newest one even when we wanted one with a + different signing key. Then we would complain about being given + a certificate we already had, and never get the one we really + wanted. Now we use the "fp-sk/" resource as well as the "fp/" + resource to request the one we want. Fixes bug 5595; bugfix on + 0.2.0.8-alpha. + + o Major bugfixes (bridge reachability): + - Bridges now send AUTH_CHALLENGE cells during their v3 handshakes; + previously they did not, which prevented them from receiving + successful connections from relays for self-test or bandwidth + testing. Also, when a relay is extending a circuit to a bridge, + it needs to send a NETINFO cell, even when the bridge hasn't sent + an AUTH_CHALLENGE cell. Fixes bug 9546; bugfix on 0.2.3.6-alpha. + + o Major bugfixes (control interface): + - When receiving a new configuration file via the control port's + LOADCONF command, do not treat the defaults file as absent. + Fixes bug 9122; bugfix on 0.2.3.9-alpha. + + o Major bugfixes (directory authorities): + - Stop marking every relay as having been down for one hour every + time we restart a directory authority. These artificial downtimes + were messing with our Stable and Guard flag calculations. Fixes + bug 8218 (introduced by the fix for 1035). Bugfix on 0.2.2.23-alpha. + - When computing directory thresholds, ignore any rejected-as-sybil + nodes during the computation so that they can't influence Fast, + Guard, etc. (We should have done this for proposal 109.) Fixes + bug 8146. + - When marking a node as a likely sybil, reset its uptime metrics + to zero, so that it cannot time towards getting marked as Guard, + Stable, or HSDir. (We should have done this for proposal 109.) Fixes + bug 8147. + - Fix a bug in the voting algorithm that could yield incorrect results + when a non-naming authority declared too many flags. Fixes bug 9200; + bugfix on 0.2.0.3-alpha. + + o Internal abstraction features: + - Introduce new channel_t abstraction between circuits and + or_connection_t to allow for implementing alternate OR-to-OR + transports. A channel_t is an abstract object which can either be a + cell-bearing channel, which is responsible for authenticating and + handshaking with the remote OR and transmitting cells to and from + it, or a listening channel, which spawns new cell-bearing channels + at the request of remote ORs. Implements part of ticket 6465. + - Make a channel_tls_t subclass of channel_t, adapting it to the + existing or_connection_t code. The V2/V3 protocol handshaking + code which formerly resided in command.c has been moved below the + channel_t abstraction layer and may be found in channeltls.c now. + Implements the rest of ticket 6465. + - Introduce new circuitmux_t storing the queue of circuits for + a channel; this encapsulates and abstracts the queue logic and + circuit selection policy, and allows the latter to be overridden + easily by switching out a policy object. The existing EWMA behavior + is now implemented as a circuitmux_policy_t. Resolves ticket 6816. + + o New build requirements: + - Tor now requires OpenSSL 0.9.8 or later. OpenSSL 1.0.0 or later is + strongly recommended. + - Tor maintainers now require Automake version 1.9 or later to build + Tor from the Git repository. (Automake is not required when building + from a source distribution.) + + o Minor features (protocol): + - No longer include the "opt" prefix when generating routerinfos + or v2 directories: it has been needless since Tor 0.1.2. Closes + ticket 5124. + - Tor relays and clients now support a better CREATE/EXTEND cell + format, allowing the sender to specify multiple address, identity, + and handshake types. Implements Robert Ransom's proposal 200; + closes ticket 7199. + - Reject as invalid most directory objects containing a NUL. + Belt-and-suspender fix for bug 8037. + - Reject EXTEND cells sent to nonexistent streams. According to the + spec, an EXTEND cell sent to _any_ nonzero stream ID is invalid, but + we were only checking for stream IDs that were currently in use. + Found while hunting for more instances of bug 6271. Bugfix on + 0.0.2pre8, which introduced incremental circuit construction. + + o Minor features (security): + - Clear keys and key-derived material left on the stack in + rendservice.c and rendclient.c. Check return value of + crypto_pk_write_private_key_to_string() in rend_service_load_keys(). + These fixes should make us more forward-secure against cold-boot + attacks and the like. Fixes bug 2385. + - Use our own weak RNG when we need a weak RNG. Windows's rand() and + Irix's random() only return 15 bits; Solaris's random() returns more + bits but its RAND_MAX says it only returns 15, and so on. Motivated + by the fix for bug 7801; bugfix on 0.2.2.20-alpha. + + o Minor features (control protocol): + - Add CACHED keyword to ADDRMAP events in the control protocol + to indicate whether a DNS result will be cached or not. Resolves + ticket 8596. + - Allow an optional $ before the node identity digest in the + controller command GETINFO ns/id/<identity>, for consistency with + md/id/<identity> and desc/id/<identity>. Resolves ticket 7059. + - Add a "GETINFO signal/names" control port command. Implements + ticket 3842. + - Provide default values for all options via "GETINFO config/defaults". + Implements ticket 4971. + + o Minor features (path selection): + - When deciding whether we have enough descriptors to build circuits, + instead of looking at raw relay counts, look at which fraction + of (bandwidth-weighted) paths we're able to build. This approach + keeps clients from building circuits if their paths are likely to + stand out statistically. The default fraction of paths needed is + taken from the consensus directory; you can override it with the + new PathsNeededToBuildCircuits option. Fixes ticket 5956. + - When any country code is listed in ExcludeNodes or ExcludeExitNodes, + and we have GeoIP information, also exclude all nodes with unknown + countries "??" and "A1". This behavior is controlled by the + new GeoIPExcludeUnknown option: you can make such nodes always + excluded with "GeoIPExcludeUnknown 1", and disable the feature + with "GeoIPExcludeUnknown 0". Setting "GeoIPExcludeUnknown auto" + gets you the default behavior. Implements feature 7706. + + o Minor features (hidden services): + - Improve circuit build timeout handling for hidden services. + In particular: adjust build timeouts more accurately depending + upon the number of hop-RTTs that a particular circuit type + undergoes. Additionally, launch intro circuits in parallel + if they timeout, and take the first one to reply as valid. + - The Tor client now ignores sub-domain components of a .onion + address. This change makes HTTP "virtual" hosting + possible: http://foo.aaaaaaaaaaaaaaaa.onion/ and + http://bar.aaaaaaaaaaaaaaaa.onion/ can be two different websites + hosted on the same hidden service. Implements proposal 204. + - Enable Tor to read configuration, state, and key information from + a FIFO. Previously Tor would only read from files with a positive + stat.st_size. Code from meejah; fixes bug 6044. + + o Minor features (clients): + - Teach bridge-using clients to avoid 0.2.2.x bridges when making + microdescriptor-related dir requests, and only fall back to normal + descriptors if none of their bridges can handle microdescriptors + (as opposed to the fix in ticket 4013, which caused them to fall + back to normal descriptors if *any* of their bridges preferred + them). Resolves ticket 4994. + - Tweak tor-fw-helper to accept an arbitrary amount of arbitrary + TCP ports to forward. In the past it only accepted two ports: + the ORPort and the DirPort. + + o Minor features (bridges): + - Add a new torrc option "ServerTransportListenAddr" to let bridge + operators select the address where their pluggable transports will + listen for connections. Resolves ticket 7013. + - Make bridge relays check once a minute for whether their IP + address has changed, rather than only every 15 minutes. Resolves + bugs 1913 and 1992. + - Randomize the lifetime of our SSL link certificate, so censors can't + use the static value for filtering Tor flows. Resolves ticket 8443; + related to ticket 4014 which was included in 0.2.2.33. + - Bridge statistics now count bridge clients connecting over IPv6: + bridge statistics files now list "bridge-ip-versions" and + extra-info documents list "geoip6-db-digest". The control protocol + "CLIENTS_SEEN" and "ip-to-country" queries now support IPv6. Initial + implementation by "shkoo", addressing ticket 5055. + + o Minor features (relays): + - Option OutboundBindAddress can be specified multiple times and + accepts IPv6 addresses. Resolves ticket 6876. + + o Minor features (IPv6, client side): + - AutomapHostsOnResolve now supports IPv6 addresses. By default, we + prefer to hand out virtual IPv6 addresses, since there are more of + them and we can't run out. To override this behavior and make IPv4 + addresses preferred, set NoPreferIPv6Automap on whatever SOCKSPort + or DNSPort you're using for resolving. Implements ticket 7571. + - AutomapHostsOnResolve responses are now randomized, to avoid + annoying situations where Tor is restarted and applications + connect to the wrong addresses. + - Never try more than 1000 times to pick a new virtual address when + AutomapHostsOnResolve is set. That's good enough so long as we + aren't close to handing out our entire virtual address space; + if you're getting there, it's best to switch to IPv6 virtual + addresses anyway. + + o Minor features (IPv6, relay/authority side): + - New config option "AuthDirHasIPv6Connectivity 1" that directory + authorities should set if they have IPv6 connectivity and want to + do reachability tests for IPv6 relays. Implements feature 5974. + - A relay with an IPv6 OR port now sends that address in NETINFO + cells (in addition to its other address). Implements ticket 6364. + + o Minor features (directory authorities): + - Directory authorities now include inside each vote a statement of + the performance thresholds they used when assigning flags. + Implements ticket 8151. + - Add an "ignoring-advertised-bws" boolean to the flag-threshold lines + in directory authority votes to describe whether they have enough + measured bandwidths to ignore advertised (relay descriptor) + bandwidth claims. Resolves ticket 8711. + - When directory authorities are computing thresholds for flags, + never let the threshold for the Fast flag fall below 4096 + bytes. Also, do not consider nodes with extremely low bandwidths + when deciding thresholds for various directory flags. This change + should raise our threshold for Fast relays, possibly in turn + improving overall network performance; see ticket 1854. Resolves + ticket 8145. + - Directory authorities no long accept descriptors for any version of + Tor before 0.2.2.35, or for any 0.2.3 release before 0.2.3.10-alpha. + These versions are insecure, unsupported, or both. Implements + ticket 6789. + + o Minor features (path bias detection): + - Path Use Bias: Perform separate accounting for successful circuit + use. Keep separate statistics on stream attempt rates versus stream + success rates for each guard. Provide configurable thresholds to + determine when to emit log messages or disable use of guards that + fail too many stream attempts. Resolves ticket 7802. + - Create three levels of Path Bias log messages, as opposed to just + two. These are configurable via consensus as well as via the torrc + options PathBiasNoticeRate, PathBiasWarnRate, PathBiasExtremeRate. + The default values are 0.70, 0.50, and 0.30 respectively. + - Separate the log message levels from the decision to drop guards, + which also is available via torrc option PathBiasDropGuards. + PathBiasDropGuards still defaults to 0 (off). + - Deprecate PathBiasDisableRate in favor of PathBiasDropGuards + in combination with PathBiasExtremeRate. + - Increase the default values for PathBiasScaleThreshold and + PathBiasCircThreshold from (200, 20) to (300, 150). + - Add in circuit usage accounting to path bias. If we try to use a + built circuit but fail for any reason, it counts as path bias. + Certain classes of circuits where the adversary gets to pick your + destination node are exempt from this accounting. Usage accounting + can be specifically disabled via consensus parameter or torrc. + - Convert all internal path bias state to double-precision floating + point, to avoid roundoff error and other issues. + - Only record path bias information for circuits that have completed + *two* hops. Assuming end-to-end tagging is the attack vector, this + makes us more resilient to ambient circuit failure without any + detection capability loss. + + o Minor features (build): + - Tor now builds correctly on Bitrig, an OpenBSD fork. Patch from + dhill. Resolves ticket 6982. + - Work correctly on Unix systems where EAGAIN and EWOULDBLOCK are + separate error codes; or at least, don't break for that reason. + Fixes bug 7935. Reported by "oftc_must_be_destroyed". + - Compile on win64 using mingw64. Fixes bug 7260; patches from + "yayooo". + + o Build improvements (autotools): + - Warn if building on a platform with an unsigned time_t: there + are too many places where Tor currently assumes that time_t can + hold negative values. We'd like to fix them all, but probably + some will remain. + - Detect and reject attempts to build Tor with threading support + when OpenSSL has been compiled without threading support. + Fixes bug 6673. + - Do not report status verbosely from autogen.sh unless the -v flag + is specified. Fixes issue 4664. Patch from Onizuka. + - Try to detect if we are ever building on a platform where + memset(...,0,...) does not set the value of a double to 0.0. Such + platforms are permitted by the C standard, though in practice + they're pretty rare (since IEEE 754 is nigh-ubiquitous). We don't + currently support them, but it's better to detect them and fail + than to perform erroneously. + - We no longer warn so much when generating manpages from their + asciidoc source. + - Use Ville Laurikari's implementation of AX_CHECK_SIGN() to determine + the signs of types during autoconf. This is better than our old + approach, which didn't work when cross-compiling. + + o Minor features (log messages, warnings): + - Detect when we're running with a version of OpenSSL other than the + one we compiled with. This conflict has occasionally given people + hard-to-track-down errors. + - Warn users who run hidden services on a Tor client with + UseEntryGuards disabled that their hidden services will be + vulnerable to http://freehaven.net/anonbib/#hs-attack06 (the + attack which motivated Tor to support entry guards in the first + place). Resolves ticket 6889. + - Warn when we are binding low ports when hibernation is enabled; + previously we had warned when we were _advertising_ low ports with + hibernation enabled. Fixes bug 7285; bugfix on 0.2.3.9-alpha. + - Issue a warning when running with the bufferevents backend enabled. + It's still not stable, and people should know that they're likely + to hit unexpected problems. Closes ticket 9147. + + o Minor features (log messages, notices): + - Refactor resolve_my_address() so it returns the method by which we + decided our public IP address (explicitly configured, resolved from + explicit hostname, guessed from interfaces, learned by gethostname). + Now we can provide more helpful log messages when a relay guesses + its IP address incorrectly (e.g. due to unexpected lines in + /etc/hosts). Resolves ticket 2267. + - Track how many "TAP" and "NTor" circuit handshake requests we get, + and how many we complete, and log it every hour to help relay + operators follow trends in network load. Addresses ticket 9658. + + o Minor features (log messages, diagnostics): + - If we fail to free a microdescriptor because of bug 7164, log + the filename and line number from which we tried to free it. + - We compute the overhead from passing onionskins back and forth to + cpuworkers, and report it when dumping statistics in response to + SIGUSR1. Supports ticket 7291. + - Add another diagnostic to the heartbeat message: track and log + overhead that TLS is adding to the data we write. If this is + high, we are sending too little data to SSL_write at a time. + Diagnostic for bug 7707. + - Log packaged cell fullness as part of the heartbeat message. + Diagnosis to try to determine the extent of bug 7743. + - Add more detail to a log message about relaxed timeouts, to help + track bug 7799. + - When learning a fingerprint for a bridge, log its corresponding + transport type. Implements ticket 7896. + - Warn more aggressively when flushing microdescriptors to a + microdescriptor cache fails, in an attempt to mitigate bug 8031, + or at least make it more diagnosable. + - Improve the log message when "Bug/attack: unexpected sendme cell + from client" occurs, to help us track bug 8093. + - Improve debugging output to help track down bug 8185 ("Bug: + outgoing relay cell has n_chan==NULL. Dropping.") + + o Minor features (log messages, quieter bootstrapping): + - Log fewer lines at level "notice" about our OpenSSL and Libevent + versions and capabilities when everything is going right. Resolves + part of ticket 6736. + - Omit the first heartbeat log message, because it never has anything + useful to say, and it clutters up the bootstrapping messages. + Resolves ticket 6758. + - Don't log about reloading the microdescriptor cache at startup. Our + bootstrap warnings are supposed to tell the user when there's a + problem, and our bootstrap notices say when there isn't. Resolves + ticket 6759; bugfix on 0.2.2.6-alpha. + - Don't log "I learned some more directory information" when we're + reading cached directory information. Reserve it for when new + directory information arrives in response to a fetch. Resolves + ticket 6760. + - Don't complain about bootstrapping problems while hibernating. + These complaints reflect a general code problem, but not one + with any problematic effects (no connections are actually + opened). Fixes part of bug 7302; bugfix on 0.2.3.2-alpha. + + o Minor features (testing): + - In our testsuite, create temporary directories with a bit more + entropy in their name to make name collisions less likely. Fixes + bug 8638. + - Add benchmarks for DH (1024-bit multiplicative group) and ECDH + (P-256) Diffie-Hellman handshakes to src/or/bench. + - Add benchmark functions to test onion handshake performance. + + o Renamed options: + - The DirServer option is now DirAuthority, for consistency with + current naming patterns. You can still use the old DirServer form. + + o Minor bugfixes (protocol): + - Fix the handling of a TRUNCATE cell when it arrives while the + circuit extension is in progress. Fixes bug 7947; bugfix on 0.0.7.1. + - Fix a misframing issue when reading the version numbers in a + VERSIONS cell. Previously we would recognize [00 01 00 02] as + 'version 1, version 2, and version 0x100', when it should have + only included versions 1 and 2. Fixes bug 8059; bugfix on + 0.2.0.10-alpha. Reported pseudonymously. + - Make the format and order of STREAM events for DNS lookups + consistent among the various ways to launch DNS lookups. Fixes + bug 8203; bugfix on 0.2.0.24-rc. Patch by "Desoxy". + - When a Tor client gets a "truncated" relay cell, the first byte of + its payload specifies why the circuit was truncated. We were + ignoring this 'reason' byte when tearing down the circuit, resulting + in the controller not being told why the circuit closed. Now we + pass the reason from the truncated cell to the controller. Bugfix + on 0.1.2.3-alpha; fixes bug 7039. + + o Minor bugfixes (syscalls and disk interaction): + - Always check the return values of functions fcntl() and + setsockopt(). We don't believe these are ever actually failing in + practice, but better safe than sorry. Also, checking these return + values should please analysis tools like Coverity. Patch from + 'flupzor'. Fixes bug 8206; bugfix on all versions of Tor. + - Avoid double-closing the listener socket in our socketpair() + replacement (used on Windows) in the case where the addresses on + our opened sockets don't match what we expected. Fixes bug 9400; + bugfix on 0.0.2pre7. Found by Coverity. + - Correctly store microdescriptors and extrainfo descriptors that + include an internal NUL byte. Fixes bug 8037; bugfix on + 0.2.0.1-alpha. Bug reported by "cypherpunks". + - If for some reason we fail to write a microdescriptor while + rebuilding the cache, do not let the annotations from that + microdescriptor linger in the cache file, and do not let the + microdescriptor stay recorded as present in its old location. + Fixes bug 9047; bugfix on 0.2.2.6-alpha. + - Use direct writes rather than stdio when building microdescriptor + caches, in an attempt to mitigate bug 8031, or at least make it + less common. + + o Minor fixes (config options): + - Warn and fail if a server is configured not to advertise any + ORPorts at all. (We need *something* to put in our descriptor, + or we just won't work.) + - Behave correctly when the user disables LearnCircuitBuildTimeout + but doesn't tell us what they would like the timeout to be. Fixes + bug 6304; bugfix on 0.2.2.14-alpha. + - When autodetecting the number of CPUs, use the number of available + CPUs in preference to the number of configured CPUs. Inform the + user if this reduces the number of available CPUs. Fixes bug 8002; + bugfix on 0.2.3.1-alpha. + - Make it an error when you set EntryNodes but disable UseGuardNodes, + since it will (surprisingly to some users) ignore EntryNodes. Fixes + bug 8180; bugfix on 0.2.3.11-alpha. + - Avoid overflows when the user sets MaxCircuitDirtiness to a + ridiculously high value, by imposing a (ridiculously high) 30-day + maximum on MaxCircuitDirtiness. + - Rename the (internal-use-only) UsingTestingNetworkDefaults option + to start with a triple-underscore so the controller won't touch it. + Patch by Meejah. Fixes bug 3155. Bugfix on 0.2.2.23-alpha. + - Rename the (testing-use-only) _UseFilteringSSLBufferevents option + so it doesn't start with _. Fixes bug 3155. Bugfix on 0.2.3.1-alpha. + - Command-line option "--version" implies "--quiet". Fixes bug 6997. + + o Minor bugfixes (control protocol): + - Stop sending a stray "(null)" in some cases for the server status + "EXTERNAL_ADDRESS" controller event. Resolves bug 8200; bugfix + on 0.1.2.6-alpha. + - The ADDRMAP command can no longer generate an ill-formed error + code on a failed MAPADDRESS. It now says "internal" rather than + an English sentence fragment with spaces in the middle. Bugfix on + Tor 0.2.0.19-alpha. + + o Minor bugfixes (clients / edges): + - When we receive a RELAY_END cell with the reason DONE, or with no + reason, before receiving a RELAY_CONNECTED cell, report the SOCKS + status as "connection refused". Previously we reported these cases + as success but then immediately closed the connection. Fixes bug + 7902; bugfix on 0.1.0.1-rc. Reported by "oftc_must_be_destroyed". + - When choosing which stream on a formerly stalled circuit to wake + first, make better use of the platform's weak RNG. Previously, + we had been using the % ("modulo") operator to try to generate a + 1/N chance of picking each stream, but this behaves badly with + many platforms' choice of weak RNG. Fixes bug 7801; bugfix on + 0.2.2.20-alpha. + + o Minor bugfixes (path bias detection): + - If the state file's path bias counts are invalid (presumably from a + buggy Tor prior to 0.2.4.10-alpha), make them correct. Also add + additional checks and log messages to the scaling of Path Bias + counts, in case there still are remaining issues with scaling. + Should help resolve bug 8235. + - Prevent rounding error in path bias counts when scaling + them down, and use the correct scale factor default. Also demote + some path bias related log messages down a level and make others + less scary sounding. Fixes bug 6647. Bugfix on 0.2.3.17-beta. + - Remove a source of rounding error during path bias count scaling; + don't count cannibalized circuits as used for path bias until we + actually try to use them; and fix a circuit_package_relay_cell() + warning message about n_chan==NULL. Fixes bug 7802. + - Paste the description for PathBias parameters from the man + page into or.h, so the code documents them too. Fixes bug 7982; + bugfix on 0.2.3.17-beta. + + o Minor bugfixes (relays): + - Stop trying to resolve our hostname so often (e.g. every time we + think about doing a directory fetch). Now we reuse the cached + answer in some cases. Fixes bugs 1992 (bugfix on 0.2.0.20-rc) + and 2410 (bugfix on 0.1.2.2-alpha). + + o Minor bugfixes (blocking resistance): + - Only disable TLS session ticket support when running as a TLS + server. Now clients will blend better with regular Firefox + connections. Fixes bug 7189; bugfix on Tor 0.2.3.23-rc. + + o Minor bugfixes (IPv6): + - Use square brackets around IPv6 addresses in numerous places + that needed them, including log messages, HTTPS CONNECT proxy + requests, TransportProxy statefile entries, and pluggable transport + extra-info lines. Fixes bug 7011; patch by David Fifield. + + o Minor bugfixes (directory authorities): + - Reject consensus votes with more than 64 known-flags. We aren't even + close to that limit yet, and our code doesn't handle it correctly. + Fixes bug 6833; bugfix on 0.2.0.1-alpha. + - Correctly handle votes with more than 31 flags. Fixes bug 6853; + bugfix on 0.2.0.3-alpha. + + o Minor bugfixes (memory leaks): + - Avoid leaking memory if we fail to compute a consensus signature + or we generate a consensus we can't parse. Bugfix on 0.2.0.5-alpha. + - Fix a memory leak when receiving headers from an HTTPS proxy. Bugfix + on 0.2.1.1-alpha; fixes bug 7816. + - Fix a memory leak during safe-cookie controller authentication. + Bugfix on 0.2.3.13-alpha; fixes bug 7816. + - Free some more still-in-use memory at exit, to make hunting for + memory leaks easier. Resolves bug 7029. + + o Minor bugfixes (code correctness): + - Increase the width of the field used to remember a connection's + link protocol version to two bytes. Harmless for now, since the + only currently recognized versions are one byte long. Reported + pseudonymously. Fixes bug 8062; bugfix on 0.2.0.10-alpha. + - Fix a crash when debugging unit tests on Windows: deallocate a + shared library with FreeLibrary, not CloseHandle. Fixes bug 7306; + bugfix on 0.2.2.17-alpha. Reported by "ultramage". + - When detecting the largest possible file descriptor (in order to + close all file descriptors when launching a new program), actually + use _SC_OPEN_MAX. The old code for doing this was very, very broken. + Fixes bug 8209; bugfix on 0.2.3.1-alpha. Found by Coverity; this + is CID 743383. + - Avoid a crash if we fail to generate an extrainfo descriptor. + Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity; + this is CID 718634. + - Get rid of a couple of harmless clang warnings, where we compared + enums to ints. These warnings are newly introduced in clang 3.2. + + o Minor bugfixes (code cleanliness): + - Avoid use of reserved identifiers in our C code. The C standard + doesn't like us declaring anything that starts with an + underscore, so let's knock it off before we get in trouble. Fix + for bug 1031; bugfix on the first Tor commit. + - Fix round_to_power_of_2() so it doesn't invoke undefined behavior + with large values. This situation was untriggered, but nevertheless + incorrect. Fixes bug 6831; bugfix on 0.2.0.1-alpha. + - Fix an impossible buffer overrun in the AES unit tests. Fixes + bug 8845; bugfix on 0.2.0.7-alpha. Found by eugenis. + - Fix handling of rendezvous client authorization types over 8. + Fixes bug 6861; bugfix on 0.2.1.5-alpha. + - Remove a couple of extraneous semicolons that were upsetting the + cparser library. Patch by Christian Grothoff. Fixes bug 7115; + bugfix on 0.2.2.1-alpha. + + - When complaining about a client port on a public address, log + which address we're complaining about. Fixes bug 4020; bugfix on + 0.2.3.3-alpha. Patch by Tom Fitzhenry. + + o Minor bugfixes (log messages, warnings): + - If we encounter a write failure on a SOCKS connection before we + finish our SOCKS handshake, don't warn that we closed the + connection before we could send a SOCKS reply. Fixes bug 8427; + bugfix on 0.1.0.1-rc. + - Fix a directory authority warn caused when we have a large amount + of badexit bandwidth. Fixes bug 8419; bugfix on 0.2.2.10-alpha. + - Downgrade "Failed to hand off onionskin" messages to "debug" + severity, since they're typically redundant with the "Your computer + is too slow" messages. Fixes bug 7038; bugfix on 0.2.2.16-alpha. + - Avoid spurious warnings when configuring multiple client ports of + which only some are nonlocal. Previously, we had claimed that some + were nonlocal when in fact they weren't. Fixes bug 7836; bugfix on + 0.2.3.3-alpha. + + o Minor bugfixes (log messages, other): + - Fix log messages and comments to avoid saying "GMT" when we mean + "UTC". Fixes bug 6113. + - When rejecting a configuration because we were unable to parse a + quoted string, log an actual error message. Fixes bug 7950; bugfix + on 0.2.0.16-alpha. + - Correctly recognize that [::1] is a loopback address. Fixes + bug 8377; bugfix on 0.2.1.3-alpha. + - Don't log inappropriate heartbeat messages when hibernating: a + hibernating node is _expected_ to drop out of the consensus, + decide it isn't bootstrapped, and so forth. Fixes bug 7302; + bugfix on 0.2.3.1-alpha. + - Eliminate several instances where we use "Nickname=ID" to refer to + nodes in logs. Use "Nickname (ID)" instead. (Elsewhere, we still use + "$ID=Nickname", which is also acceptable.) Fixes bug 7065. Bugfix + on 0.2.3.21-rc. + + o Minor bugfixes (build): + - Fix some bugs in tor-fw-helper-natpmp when trying to build and + run it on Windows. More bugs likely remain. Patch from Gisle Vanem. + Fixes bug 7280; bugfix on 0.2.3.1-alpha. + + o Documentation fixes: + - Update tor-fw-helper.1.txt and tor-fw-helper.c to make option + names match. Fixes bug 7768. + - Make the torify manpage no longer refer to tsocks; torify hasn't + supported tsocks since 0.2.3.14-alpha. + - Make the tor manpage no longer reference tsocks. + - Fix the GeoIPExcludeUnknown documentation to refer to + ExcludeExitNodes rather than the currently nonexistent + ExcludeEntryNodes. Spotted by "hamahangi" on tor-talk. + - Resolve a typo in torrc.sample.in. Fixes bug 6819; bugfix on + 0.2.3.14-alpha. + - Fix the documentation of HeartbeatPeriod to say that the heartbeat + message is logged at notice, not at info. + - Say "KBytes" rather than "KB" in the man page (for various values + of K), to further reduce confusion about whether Tor counts in + units of memory or fractions of units of memory. Resolves ticket 7054. + + o Removed features: + - Stop exporting estimates of v2 and v3 directory traffic shares + in extrainfo documents. They were unneeded and sometimes inaccurate. + Also stop exporting any v2 directory request statistics. Resolves + ticket 5823. + - Drop support for detecting and warning about versions of Libevent + before 1.3e. Nothing reasonable ships with them any longer; warning + the user about them shouldn't be needed. Resolves ticket 6826. + - Now that all versions before 0.2.2.x are disallowed, we no longer + need to work around their missing features. Remove a bunch of + compatibility code. + + o Removed files: + - The tor-tsocks.conf is no longer distributed or installed. We + recommend that tsocks users use torsocks instead. Resolves + ticket 8290. + - Remove some of the older contents of doc/ as obsolete; move others + to torspec.git. Fixes bug 8965. + + o Code simplification: + - Avoid using character buffers when constructing most directory + objects: this approach was unwieldy and error-prone. Instead, + build smartlists of strings, and concatenate them when done. + - Rename "isin" functions to "contains", for grammar. Resolves + ticket 5285. + - Rename Tor's logging function log() to tor_log(), to avoid conflicts + with the natural logarithm function from the system libm. Resolves + ticket 7599. + - Start using OpenBSD's implementation of queue.h, so that we don't + need to hand-roll our own pointer and list structures whenever we + need them. (We can't rely on a sys/queue.h, since some operating + systems don't have them, and the ones that do have them don't all + present the same extensions.) + - Start using OpenBSD's implementation of queue.h (originally by + Niels Provos). + - Enhance our internal sscanf replacement so that we can eliminate + the last remaining uses of the system sscanf. (Though those uses + of sscanf were safe, sscanf itself is generally error prone, so + we want to eliminate when we can.) Fixes ticket 4195 and Coverity + CID 448. + - Replace all calls to snprintf() outside of src/ext with + tor_snprintf(). Also remove the #define to replace snprintf with + _snprintf on Windows; they have different semantics, and all of + our callers should be using tor_snprintf() anyway. Fixes bug 7304. + + + o Refactoring: + - Add a wrapper function for the common "log a message with a + rate-limit" case. + - Split the onion.c file into separate modules for the onion queue + and the different handshakes it supports. + - Move the client-side address-map/virtual-address/DNS-cache code + out of connection_edge.c into a new addressmap.c module. + - Move the entry node code from circuitbuild.c to its own file. + - Move the circuit build timeout tracking code from circuitbuild.c + to its own file. + - Source files taken from other packages now reside in src/ext; + previously they were scattered around the rest of Tor. + - Move the generic "config" code into a new file, and have "config.c" + hold only torrc- and state-related code. Resolves ticket 6823. + - Move the core of our "choose a weighted element at random" logic + into its own function, and give it unit tests. Now the logic is + testable, and a little less fragile too. + - Move ipv6_preferred from routerinfo_t to node_t. Addresses bug 4620. + - Move last_reachable and testing_since from routerinfo_t to node_t. + Implements ticket 5529. + - Add replaycache_t structure, functions and unit tests, then refactor + rend_service_introduce() to be more clear to read, improve, debug, + and test. Resolves bug 6177. + + o Removed code: + - Remove some now-needless code that tried to aggressively flush + OR connections as data was added to them. Since 0.2.0.1-alpha, our + cell queue logic has saved us from the failure mode that this code + was supposed to prevent. Removing this code will limit the number + of baroque control flow paths through Tor's network logic. Reported + pseudonymously on IRC. Fixes bug 6468; bugfix on 0.2.0.1-alpha. + - Remove unused code for parsing v1 directories and "running routers" + documents. Fixes bug 6887. + - Remove the marshalling/unmarshalling code for sending requests to + cpuworkers over a socket, and instead just send structs. The + recipient will always be the same Tor binary as the sender, so + any encoding is overkill. + - Remove the testing_since field of node_t, which hasn't been used + for anything since 0.2.0.9-alpha. + - Finally remove support for malloc_good_size and malloc_usable_size. + We had hoped that these functions would let us eke a little more + memory out of our malloc implementation. Unfortunately, the only + implementations that provided these functions are also ones that + are already efficient about not overallocation: they never got us + more than 7 or so bytes per allocation. Removing them saves us a + little code complexity and a nontrivial amount of build complexity. + + Changes in version 0.2.3.25 - 2012-11-19 The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi" Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher, diff --git a/changes/6783_big_hammer b/changes/6783_big_hammer deleted file mode 100644 index 2ff3249b33..0000000000 --- a/changes/6783_big_hammer +++ /dev/null @@ -1,6 +0,0 @@ - o Major features (deprecation): - - There's now a "DisableV2DirectoryInfo_" option that prevents us - from serving any directory requests for v2 directory information. - This is for us to test disabling the old deprecated V2 directory - format, so that we can see whether doing so has any effect on - network load. Part of a fix for bug 6783. diff --git a/changes/bug1992 b/changes/bug1992 deleted file mode 100644 index 6a751dc7e6..0000000000 --- a/changes/bug1992 +++ /dev/null @@ -1,11 +0,0 @@ - o Minor bugfixes: - - Stop trying to resolve our hostname so often (e.g. every time we - think about doing a directory fetch). Now we reuse the cached - answer in some cases. Fixes bugs 1992 (bugfix on 0.2.0.20-rc) - and 2410 (bugfix on 0.1.2.2-alpha). - - o Minor features: - - Make bridge relays check once a minute for whether their IP - address has changed, rather than only every 15 minutes. Resolves - bugs 1913 and 1992. - diff --git a/changes/bug2286 b/changes/bug2286 deleted file mode 100644 index 4f8dfbbf68..0000000000 --- a/changes/bug2286 +++ /dev/null @@ -1,5 +0,0 @@ - o Major features (directory authority): - - Directory authorities now support a new consensus method (17) - where they cap the published bandwidth of servers for which - insufficient bandwidth measurements exist. Fixes part of bug - 2286. diff --git a/changes/bug5595 b/changes/bug5595 deleted file mode 100644 index 31f4b84b03..0000000000 --- a/changes/bug5595 +++ /dev/null @@ -1,8 +0,0 @@ - o Critical bugfixes: - - Distinguish downloading an authority certificate by identity digest from - downloading one by identity digest/signing key digest pair; formerly we - always request them only by identity digest and get the newest one even - when we wanted one with a different signing key. Then we would complain - about being given a certificate we already had, and never get the one we - really wanted. Now we use the "fp-sk/" resource as well as the "fp/" - resource to request the one we want. Fixes bug 5595. diff --git a/changes/bug5650 b/changes/bug5650 deleted file mode 100644 index 401e317074..0000000000 --- a/changes/bug5650 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Avoid a bug where our response to TLS renegotation under certain - network conditions could lead to a busy-loop, with 100% CPU - consumption. Fixes bug 5650; bugfix on 0.2.0.16-alpha. - diff --git a/changes/bug6026 b/changes/bug6026 deleted file mode 100644 index de5d6ead01..0000000000 --- a/changes/bug6026 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Relays now treat a changed IPv6 ORPort as sufficient reason to - publish an updated descriptor. Fix for bug 6026; bugfix for - 0.2.4.1-alpha. diff --git a/changes/bug6174 b/changes/bug6174 deleted file mode 100644 index 79d2930ec3..0000000000 --- a/changes/bug6174 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - When we mark a circuit as unusable for new circuits, have it - continue to be unusable for new circuits even if MaxCircuitDirtiness - is increased too much at the wrong time, or the system clock jumped - backwards. Fix for bug 6174; bugfix on 0.0.2pre26. - diff --git a/changes/bug6206 b/changes/bug6206 deleted file mode 100644 index 61a16d291a..0000000000 --- a/changes/bug6206 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Always check the return values of functions fcntl() and - setsockopt(). We don't believe these are ever actually failing in - practice, but better safe than sorry. Also, checking these return - values should please some analysis tools (like Coverity). Patch - from 'flupzor'. Fix for bug 8206; bugfix on all versions of Tor. diff --git a/changes/bug6304 b/changes/bug6304 deleted file mode 100644 index 445560a8e1..0000000000 --- a/changes/bug6304 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Behave correctly when the user disables LearnCircuitBuildTimeout - but doesn't tell us what they would like the timeout to be. Fixes - bug 6304; bugfix on 0.2.2.14-alpha. diff --git a/changes/bug6572 b/changes/bug6572 deleted file mode 100644 index 6508d1bcb5..0000000000 --- a/changes/bug6572 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (log messages) - - Use circuit creation time for network liveness evaluation. This - should eliminate warning log messages about liveness caused by - changes in timeout evaluation. Fixes bug 6572; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug6673 b/changes/bug6673 deleted file mode 100644 index 506b449892..0000000000 --- a/changes/bug6673 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (build): - - Detect and reject attempts to build Tor with threading support - when OpenSSL have been compiled with threading support disabled. - Fixes bug 6673. diff --git a/changes/bug7054 b/changes/bug7054 deleted file mode 100644 index 15680d72ce..0000000000 --- a/changes/bug7054 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (man page): - - Say "KBytes" rather than "KB" in the man page (for various values - of K), to further reduce confusion about whether Tor counts in - units of memory or fractions of units of memory. Fixes bug 7054. diff --git a/changes/bug7065 b/changes/bug7065 deleted file mode 100644 index 1ca6841021..0000000000 --- a/changes/bug7065 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfix (log cleanups): - - Eliminate several instances where we use Nickname=ID to refer to - nodes in logs. Use Nickname (ID) instead. (Elsewhere, we still use - $ID=Nickname, which is also acceptable.) Fixes bug #7065. Bugfix - on 0.2.3.21-rc, 0.2.4.5-alpha, 0.2.4.8-alpha, and 0.2.4.10-alpha. diff --git a/changes/bug7143 b/changes/bug7143 deleted file mode 100644 index d26135ae65..0000000000 --- a/changes/bug7143 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (build): - - Add the old src/or/micro-revision.i filename to CLEANFILES. - On the off chance that somebody has one, it will go away as soon - as they run "make clean". Fix for bug 7143; bugfix on 0.2.4.1-alpha. diff --git a/changes/bug7164_diagnostic b/changes/bug7164_diagnostic deleted file mode 100644 index 8bedfc4bd5..0000000000 --- a/changes/bug7164_diagnostic +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (bug diagnostic): - - If we fail to free a microdescriptor because of bug #7164, log - the filename and line number from which we tried to free it. - This should help us finally fix #7164. diff --git a/changes/bug7280 b/changes/bug7280 deleted file mode 100644 index ef5d36a802..0000000000 --- a/changes/bug7280 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix some bugs in tor-fw-helper-natpmp when trying to build and - run it on Windows. More bugs likely remain. Patch from Gisle Vanem. - Fixes bug 7280; bugfix on 0.2.3.1-alpha. diff --git a/changes/bug7302 b/changes/bug7302 deleted file mode 100644 index fec615ff90..0000000000 --- a/changes/bug7302 +++ /dev/null @@ -1,11 +0,0 @@ - o Minor bugfixes: - - Don't log inappropriate heartbeat messages when hibernating: a - hibernating node is _expected_ to drop out of the consensus, - decide it isn't bootstrapped, and so forth. Fixes part of bug - 7302; bugfix on 0.2.3.1-alpha. - - - Don't complain about bootstrapping problems while hibernating. - These complaints reflect a general code problems, but not one - with any problematic effects. (No connections are actually - opened.) Fixes part of bug 7302; bugfix on 0.2.3.2-alpha. - diff --git a/changes/bug7350 b/changes/bug7350 deleted file mode 100644 index b0ee9d0919..0000000000 --- a/changes/bug7350 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Avoid an assertion when we discover that we'd like to write a cell - onto a closing connection: just discard the cell. Fixes another - case of bug 7350; bugfix on 0.2.4.4-alpha. diff --git a/changes/bug7582 b/changes/bug7582 deleted file mode 100644 index f3b0635765..0000000000 --- a/changes/bug7582 +++ /dev/null @@ -1,9 +0,0 @@ - o Major bugfixes: - - - When an exit node tells us that it is rejecting because of its - exit policy a stream we expected it to accept (because of its exit - policy), do not mark the node as useless for exiting if our - expectation was only based on an exit policy summary. Instead, - mark the circuit as unsuitable for that particular address. Fixes - part of bug 7582; bugfix on 0.2.3.2-alpha. - diff --git a/changes/bug7707_diagnostic b/changes/bug7707_diagnostic deleted file mode 100644 index 0c3138e785..0000000000 --- a/changes/bug7707_diagnostic +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features: - - Add another diagnostic to the heartbeat message: track and log - overhead that TLS is adding to the data we write. If this is - high, we are sending too little data to SSL_write at a time. - Diagnostic for bug 7707. diff --git a/changes/bug7768 b/changes/bug7768 deleted file mode 100644 index e3f9600afb..0000000000 --- a/changes/bug7768 +++ /dev/null @@ -1,3 +0,0 @@ - o Documentation fixes: - - Update tor-fw-helper.1.txt and tor-fw-helper.c to make option - names match. Fixes bug 7768. diff --git a/changes/bug7799 b/changes/bug7799 deleted file mode 100644 index ed4570129c..0000000000 --- a/changes/bug7799 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor changes (log clarification) - - Add more detail to a log message about relaxed timeouts. Hopefully - this additional detail will allow us to diagnose the cause of bug 7799. - o Minor bugfixes - - Don't attempt to relax the timeout of already opened 1-hop circuits. - They might never timeout. This should eliminate some/all cases of - the relaxed timeout log message. diff --git a/changes/bug7801 b/changes/bug7801 deleted file mode 100644 index 1d6d021f3f..0000000000 --- a/changes/bug7801 +++ /dev/null @@ -1,13 +0,0 @@ - o Minor bugfixes: - - When choosing which stream on a formerly stalled circuit to wake - first, make better use of the platform's weak RNG. Previously, we - had been using the % ("modulo") operator to try to generate a 1/N - chance of picking each stream, but this behaves badly with many - platforms' choice of weak RNG. Fix for bug 7801; bugfix on - 0.2.2.20-alpha. - - Use our own weak RNG when we need a weak RNG. Windows's rand() - and Irix's random() only return 15 bits; Solaris's random() - returns more bits but its RAND_MAX says it only returns 15, and - so on. Fixes another aspect of bug 7801; bugfix on - 0.2.2.20-alpha. - diff --git a/changes/bug7816.024 b/changes/bug7816.024 deleted file mode 100644 index b5d55f5d6d..0000000000 --- a/changes/bug7816.024 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes: - - Avoid leaking IPv6 policy content if we fail to format it into - a router descriptor. Spotted by Coverity. Fixes part of 7816; - bugfix on 0.2.4.7-alpha. - - - Avoid leaking memory if we fail to compute a consensus signature - or we generated a consensus we couldn't parse. Spotted by Coverity. - Fixes part of 7816; bugfix on 0.2.0.5-alpha. diff --git a/changes/bug7816_023 b/changes/bug7816_023 deleted file mode 100644 index a4530292cc..0000000000 --- a/changes/bug7816_023 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (memory leak, controller): - - Fix a memory leak during safe-cookie controller authentication. - Spotted by Coverity. Fixes part of bug 7816; bugfix on 0.2.3.13-alpha. - - o Minor bugfixes (memory leak, HTTPS proxy support): - - Fix a memory leak when receiving headers from an HTTPS proxy. - Spotted by Coverity. Fixes part of bug 7816; bugfix on 0.2.1.1-alpha. diff --git a/changes/bug7816_023_small b/changes/bug7816_023_small deleted file mode 100644 index cd90f035f1..0000000000 --- a/changes/bug7816_023_small +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Fix various places where we leak file descriptors or memory on - error cases. Spotted by coverity. Fixes parts of bug 7816. diff --git a/changes/bug7902 b/changes/bug7902 deleted file mode 100644 index 051759dc0a..0000000000 --- a/changes/bug7902 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - When we receive a RELAY_END cell with the reason DONE, or with no - reason, before receiving a RELAY_CONNECTED cell, report the SOCKS - status as "connection refused." Previously we reporting these - cases as success but then immediately closing the connection. - Fixes bug 7902; bugfix on 0.1.0.1-rc. Reported by "oftc_must_ - be_destroyed." diff --git a/changes/bug7947 b/changes/bug7947 deleted file mode 100644 index 6200ba2d8a..0000000000 --- a/changes/bug7947 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix the handling of a TRUNCATE cell when it arrives while the circuit - extension is in progress. Fixes bug 7947; bugfix on 0.0.7.1. - diff --git a/changes/bug7950 b/changes/bug7950 deleted file mode 100644 index e62cca07a1..0000000000 --- a/changes/bug7950 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - When rejecting a configuration because we were unable to parse a - quoted string, log an actual error message. Fix for bug 7950; - bugfix on 0.2.0.16-alpha. diff --git a/changes/bug7982 b/changes/bug7982 deleted file mode 100644 index 46aa53249c..0000000000 --- a/changes/bug7982 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Copy-paste description for PathBias params from man page into or.h - comment. Fixes bug 7982. diff --git a/changes/bug8002 b/changes/bug8002 deleted file mode 100644 index d6e2ff2492..0000000000 --- a/changes/bug8002 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - When autodetecting the number of CPUs, use the number of available - CPUs in preferernce to the number of configured CPUs. Inform the - user if this reduces the number of avialable CPUs. Fix for bug 8002. - Bugfix on 0.2.3.1-alpha. diff --git a/changes/bug8014 b/changes/bug8014 deleted file mode 100644 index c09a86098c..0000000000 --- a/changes/bug8014 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor usability improvements (build): - - Clarify that when autconf is checking for nacl, it is checking - specifically for nacl with a fast curve25519 implementation. - Fixes bug 8014. - diff --git a/changes/bug8031 b/changes/bug8031 deleted file mode 100644 index 17329ec5b5..0000000000 --- a/changes/bug8031 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - Use direct writes rather than stdio when building microdescriptor - caches, in an attempt to mitigate bug 8031, or at least make it - less common. - - Warn more aggressively when flushing microdescriptors to a - microdescriptor cache fails, in an attempt to mitegate bug 8031, - or at least make it more diagnosable. diff --git a/changes/bug8037 b/changes/bug8037 deleted file mode 100644 index 989745fc39..0000000000 --- a/changes/bug8037 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor bugfixes: - - Correctly store microdescriptors and extrainfo descriptors with - an internal NUL byte. Fixes bug 8037; bugfix on 0.2.0.1-alpha. - Bug reported by "cypherpunks". - - o Minor features: - - Reject as invalid most directory objects containing a - NUL. Belt-and-suspender fix for bug 8037. diff --git a/changes/bug8059 b/changes/bug8059 deleted file mode 100644 index 47273ed0ac..0000000000 --- a/changes/bug8059 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (protocol conformance): - - Fix a misframing issue when reading the version numbers in a - VERSIONS cell. Previously we would recognize [00 01 00 02] as - 'version 1, version 2, and version 0x100', when it should have - only included versions 1 and 2. Fixes bug 8059; bugfix on - 0.2.0.10-alpha. Reported pseudonymously. diff --git a/changes/bug8062 b/changes/bug8062 deleted file mode 100644 index 805e51ed41..0000000000 --- a/changes/bug8062 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Increase the width of the field used to remember a connection's - link protocol version to two bytes. Harmless for now, since the - only currently recognized versions are one byte long. Reported - pseudynmously. Fixes bug 8062, bugfix on 0.2.0.10-alpha. diff --git a/changes/bug8065 b/changes/bug8065 deleted file mode 100644 index 06dbae8cd7..0000000000 --- a/changes/bug8065 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Downgrade an assertion in connection_ap_expire_beginning to - an LD_BUG message. The fix for bug 8024 should prevent this - message from displaying, but just in case a warn that we can - diagnose is better than more assert crashes. Fix for bug 8065; - bugfix on 0.2.4.8-alpha. diff --git a/changes/bug8093.part1 b/changes/bug8093.part1 deleted file mode 100644 index 2450794dd7..0000000000 --- a/changes/bug8093.part1 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Downgrade "unexpected SENDME" warnings to protocol-warn for 0.2.4, - for bug 8093. diff --git a/changes/bug8117 b/changes/bug8117 deleted file mode 100644 index 910e8056f4..0000000000 --- a/changes/bug8117 +++ /dev/null @@ -1,13 +0,0 @@ - o Major bugfixes: - - - Many SOCKS5 clients, when configured to offer a username/password, - offer both username/password authentication and "no authentication". - Tor had previously preferred no authentication, but this was - problematic when trying to make applications get proper stream - isolation with IsolateSOCKSAuth. Now, on any SOCKS port with - IsolateSOCKSAuth turned on (which is the default), Tor selects - username/password authentication if it's offered. If this confuses your - application, you can disable it on a per-SOCKSPort basis via - PreferSOCKSNoAuth. Fixes bug 8117; bugfix on 0.2.3.3-alpha. - - diff --git a/changes/bug8121 b/changes/bug8121 deleted file mode 100644 index 60cba72848..0000000000 --- a/changes/bug8121 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor features: - - Clear the high bit on curve25519 public keys before passing them to - our backend, in case we ever wind up using a backend that doesn't do - so itself. If we used such a backend, and *didn't* clear the high bit, - we could wind up in a situation where users with such backends would - be distinguishable from users without. Fix for bug 8121; bugfix on - 0.2.4.8-alpha. diff --git a/changes/bug8151 b/changes/bug8151 deleted file mode 100644 index e20fa3c31a..0000000000 --- a/changes/bug8151 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (directory authority): - - Include inside each vote a statement of the performance - thresholds that made the authority vote for its flags. Implements - ticket 8151. -
\ No newline at end of file diff --git a/changes/bug8158 b/changes/bug8158 deleted file mode 100644 index 65b21c2a26..0000000000 --- a/changes/bug8158 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Use less space when formatting identical microdescriptor lines in - directory votes. Fixes bug 8158; bugfix on 0.2.4.1-alpha. diff --git a/changes/bug8161 b/changes/bug8161 deleted file mode 100644 index ab7b9c0cad..0000000000 --- a/changes/bug8161 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor changes: - - Lower path use bias thresholds to .80 for notice and .60 for warn. - Fixes bug #8161; bugfix on 0.2.4.10-alpa. - - Make the rate limiting flags for the path use bias log messages - independent from the original path bias flags. Fixes bug #8161; - bugfix on 0.2.4.10-alpha. diff --git a/changes/bug8180 b/changes/bug8180 deleted file mode 100644 index 39e6ce7f9a..0000000000 --- a/changes/bug8180 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (security usability): - - Elevate the severity of the warning message when setting - EntryNodes but disabling UseGuardNodes to an error. The outcome - of letting Tor procede with those options enabled (which causes - EntryNodes to get ignored) is sufficiently different from what - was expected that it's best to just refuse to proceed. Fixes bug - 8180; bugfix on 0.2.3.11-alpha. diff --git a/changes/bug8185_diagnostic b/changes/bug8185_diagnostic deleted file mode 100644 index b0f8884758..0000000000 --- a/changes/bug8185_diagnostic +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Improve debugging output to attempt to diagnose the underlying - cause of bug 8185. diff --git a/changes/bug8200 b/changes/bug8200 deleted file mode 100644 index 65fc9dd03a..0000000000 --- a/changes/bug8200 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfix: - - Stop sending a stray "(null)" in some cases for the server status - "EXTERNAL_ADDRESS" controller event. Resolves bug 8200; bugfix - on 0.1.2.6-alpha. - diff --git a/changes/bug8203 b/changes/bug8203 deleted file mode 100644 index d26dc0fccf..0000000000 --- a/changes/bug8203 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Make the format and order of STREAM events for DNS lookups consistent - among the various ways to launch DNS lookups. Fix for bug 8203; - bugfix on 0.2.0.24-rc. Patch by "Desoxy." diff --git a/changes/bug8207 b/changes/bug8207 deleted file mode 100644 index 0028d3380f..0000000000 --- a/changes/bug8207 +++ /dev/null @@ -1,7 +0,0 @@ - o Major bugfixes (hidden services): - - Allow hidden service authentication to succeed again. When we - refactored the hidden service introduction code back in 0.2.4.1-alpha, - we didn't update the code that checks whether authentication - information is present, causing all authentication checks to - return "false". Fix for bug 8207; bugfix on 0.2.4.1-alpha. Found by - Coverity; this is CID 718615. diff --git a/changes/bug8208 b/changes/bug8208 deleted file mode 100644 index c85db90b52..0000000000 --- a/changes/bug8208 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Avoid a crash if we fail to generate an extrinfo descriptor. - Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity; - this is CID 718634. diff --git a/changes/bug8209 b/changes/bug8209 deleted file mode 100644 index c58923540b..0000000000 --- a/changes/bug8209 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - When detecting the largest possible file descriptor (in order to close - all file descriptors when launching a new program), actually use - _SC_OPEN_MAX. The old code for doing this was very, very broken. - Fix for bug 8209; bugfix on 0.2.3.1-alpha. Found by Coverity; this - is CID 743383. diff --git a/changes/bug8210 b/changes/bug8210 deleted file mode 100644 index 85d41b844a..0000000000 --- a/changes/bug8210 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - Fix an impossible-to-trigger integer overflow when - estimating how long out onionskin queue would take. (This overflow - would require us to accept 4 million onionskins before processing - 100 of them.) Fixes bug 8210; bugfix on 0.2.4.10-alpha. - diff --git a/changes/bug8218 b/changes/bug8218 deleted file mode 100644 index ce8d53ba62..0000000000 --- a/changes/bug8218 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Stop marking every relay as having been down for one hour every - time we restart a directory authority. These artificial downtimes - were messing with our Stable and Guard flag calculations. Fixes - bug 8218 (introduced by the fix for 1035). Bugfix on 0.2.2.23-alpha. - diff --git a/changes/bug8231 b/changes/bug8231 deleted file mode 100644 index fd87a1daec..0000000000 --- a/changes/bug8231 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - When unable to find any working directory nodes to use as a - directory guard, give up rather than adding the same non-working - nodes to the list over and over. Fixes bug 8231; bugfix on - 0.2.4.8-alpha. diff --git a/changes/bug8235-diagnosing b/changes/bug8235-diagnosing deleted file mode 100644 index b760035cfc..0000000000 --- a/changes/bug8235-diagnosing +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (diagnostic) - - If the state file's path bias counts are invalid (presumably from a - buggy tor prior to 0.2.4.10-alpha), make them correct. - - Add additional checks and log messages to the scaling of Path Bias - counts, in case there still are remaining issues with scaling. diff --git a/changes/bug8253-fix b/changes/bug8253-fix deleted file mode 100644 index 3d36d06c88..0000000000 --- a/changes/bug8253-fix +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (log messages) - - Fix a scaling issue in the path bias accounting code that resulted in - "Bug:" log messages from either pathbias_scale_close_rates() or - pathbias_count_build_success(). This represents a bugfix on a previous - bugfix: The original fix attempted in 0.2.4.10-alpha was incomplete. - Fixes bug 8235; bugfix on 0.2.4.1-alpha. diff --git a/changes/bug8273 b/changes/bug8273 deleted file mode 100644 index 257f57e7ab..0000000000 --- a/changes/bug8273 +++ /dev/null @@ -1,3 +0,0 @@ - o Critical bugfixes: - - When dirserv.c computes flags and thresholds, use measured bandwidths - in preference to advertised ones. diff --git a/changes/bug8290 b/changes/bug8290 deleted file mode 100644 index d1fce7d8b5..0000000000 --- a/changes/bug8290 +++ /dev/null @@ -1,9 +0,0 @@ - o Removed files: - - The tor-tsocks.conf is no longer distributed or installed. We - recommend that tsocks users use torsocks instead. Resolves - ticket 8290. - - o Documentation fixes: - - The torify manpage no longer refers to tsocks; torify hasn't - supported tsocks since 0.2.3.14-alpha. - - The manpages no longer reference tsocks. diff --git a/changes/bug8377 b/changes/bug8377 deleted file mode 100644 index c9ad151bc9..0000000000 --- a/changes/bug8377 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Correctly recognize that [::1] is a loopback address. Fixes bug #8377; - bugfix on 0.2.1.3-alpha. diff --git a/changes/bug8408 b/changes/bug8408 deleted file mode 100644 index ae9cf172e1..0000000000 --- a/changes/bug8408 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Allow TestingTorNetworks to override the 4096-byte minimum for the Fast - threshold. Otherwise they can't bootstrap until they've observed more - traffic. Fixes bug 8508; bugfix on 0.2.4.10-alpha. diff --git a/changes/bug8427 b/changes/bug8427 deleted file mode 100644 index 22b003fc38..0000000000 --- a/changes/bug8427 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - If we encounter a write failure on a SOCKS connection before we - finish our SOCKS handshake, don't warn that we closed the - connection before we could send a SOCKS reply. Fixes bug 8427; - bugfix on 0.1.0.1-rc. diff --git a/changes/bug8435 b/changes/bug8435 deleted file mode 100644 index da7ca7c1f8..0000000000 --- a/changes/bug8435 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - When dirserv.c computes flags and thresholds, ignore advertised - bandwidths if we have more than a threshold number of routers with - measured bandwidths. diff --git a/changes/bug8464 b/changes/bug8464 deleted file mode 100644 index 74ff2e39ff..0000000000 --- a/changes/bug8464 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Correct our check for which versions of Tor support the EXTEND2 - cell. We had been willing to send it to Tor 0.2.4.7-alpha and - later, when support was really added in version 0.2.4.8-alpha. - Fixes bug 8464; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug8475 b/changes/bug8475 deleted file mode 100644 index eb8debedba..0000000000 --- a/changes/bug8475 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - If configured via ClientDNSRejectInternalAddresses not to report - DNS queries which have resolved to internal addresses, apply that - rule to IPv6 as well. Fixes bug 8475; bugfix on 0.2.0.7-alpha. diff --git a/changes/bug8477-easypart b/changes/bug8477-easypart deleted file mode 100644 index 0f8f1031c5..0000000000 --- a/changes/bug8477-easypart +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes: - - Log the purpose of a path-bias testing circuit correctly. - Improves a log message from bug 8477; bugfix on 0.2.4.8-alpha. diff --git a/changes/bug8587 b/changes/bug8587 deleted file mode 100644 index 84d2f1ec0d..0000000000 --- a/changes/bug8587 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (build): - - Build Tor correctly on 32-bit platforms where the compiler can build - but not run code using the "uint128_t" construction. Fixes bug 8587; - bugfix on 0.2.4.8-alpha. - diff --git a/changes/bug8596 b/changes/bug8596 deleted file mode 100644 index dd36bad855..0000000000 --- a/changes/bug8596 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Add CACHED keyword to ADDRMAP events in the control protocol to indicate - whether a DNS result will be cached or not. diff --git a/changes/bug8598 b/changes/bug8598 deleted file mode 100644 index e31c8f3c74..0000000000 --- a/changes/bug8598 +++ /dev/null @@ -1,6 +0,0 @@ - o Bugfixes: - - Fix compilation warning with some versions of clang that would prefer - the -Wswitch-enum compiler flag to warn about switch statements with - missing enum values, even if those switch statements have a default: - statement. Fixes bug 8598; bugfix on 0.2.4.10-alpha. - diff --git a/changes/bug8599 b/changes/bug8599 deleted file mode 100644 index 204ef58c3f..0000000000 --- a/changes/bug8599 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix some logic errors when the user manually overrides the - PathsNeededToBuildCircuits option in torrc. Fixes bug 8599; bugfix - on 0.2.4.10-alpha. diff --git a/changes/bug8638 b/changes/bug8638 deleted file mode 100644 index 3a790e567d..0000000000 --- a/changes/bug8638 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features - In our testsuite, create temporary directories with a bit more entropy - in their name to make name collissions less likely. Fixes bug 8638. diff --git a/changes/bug8639 b/changes/bug8639 deleted file mode 100644 index 0db5c91429..0000000000 --- a/changes/bug8639 +++ /dev/null @@ -1,5 +0,0 @@ - o Normal bugfixes: - - When launching a resolve request on behalf of an AF_UNIX control - socket, omit the address field of the new entry connection, used in - subsequent controller events, rather than letting tor_dup_addr() set - it to "<unknown address type>". Fixes bug 8639. diff --git a/changes/bug8711 b/changes/bug8711 deleted file mode 100644 index 28a1daa454..0000000000 --- a/changes/bug8711 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (authority): - - Add a "ignoring-advertised-bws" boolean to our flag-thresholds - lines to describe whether we have enough measured bandwidths to - ignore advertised bandwidth claims. Closes ticket 8711. - - diff --git a/changes/bug8716 b/changes/bug8716 deleted file mode 100644 index 74c74f82a6..0000000000 --- a/changes/bug8716 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (memory leak): - - Fix a memory leak that would occur whenever a configuration - option changed. Fixes bug #8718; bugfix on 0.2.3.3-alpha. diff --git a/changes/bug8719 b/changes/bug8719 deleted file mode 100644 index c05b79ddec..0000000000 --- a/changes/bug8719 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes (memory leak): - - Avoid a memory leak where we would leak a consensus body when we find - that a consensus which we couldn't previously verify due to missing - certificates is now verifiable. Fixes bug 8719; bugfix on - 0.2.0.10-alpha. - diff --git a/changes/bug8822 b/changes/bug8822 deleted file mode 100644 index c6787afe06..0000000000 --- a/changes/bug8822 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes (windows): - - Prevent failures on Windows Vista and later when rebuilding the - microdescriptor cache. Diagnosed by Robert Ransom. Fixes bug 8822; - bugfix on 0.2.4.12-alpha. - diff --git a/changes/bug8833 b/changes/bug8833 deleted file mode 100644 index 681a86191f..0000000000 --- a/changes/bug8833 +++ /dev/null @@ -1,3 +0,0 @@ - o Major bugfixes (directory authority): - - Fix a crash bug when building a consensus using an older consensus as - its basis. Fixes bug 8833. Bugfix on 0.2.4.12-alpha. diff --git a/changes/bug8844 b/changes/bug8844 deleted file mode 100644 index 320e5f2845..0000000000 --- a/changes/bug8844 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Prevent the get_freelists() function from running off the end of - the list of freelists if it somehow gets an unrecognized - allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by - eugenis. - diff --git a/changes/bug8845 b/changes/bug8845 deleted file mode 100644 index ace043ab9b..0000000000 --- a/changes/bug8845 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (test): - - Fix an impossible buffer overrun in the AES unit tests. Fixes bug 8845; - bugfix on 0.2.0.7-alpha. Found by eugenis. diff --git a/changes/bug8846 b/changes/bug8846 deleted file mode 100644 index 377cc3708a..0000000000 --- a/changes/bug8846 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Give a less useless error message when the user asks for an IPv4 - address on an IPv6-only port, or vice versa. Fixes bug 8846; bugfix - on 0.2.4.7-alpha. diff --git a/changes/bug8879 b/changes/bug8879 deleted file mode 100644 index 0d2a70086c..0000000000 --- a/changes/bug8879 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Follow the socks5 protocol when offering username/password - authentication. The fix for bug 8117 exposed this bug, and it - turns out real-world applications like Pidgin do care. Bugfix on - 0.2.3.2-alpha; fixes bug 8879. diff --git a/changes/bug8965 b/changes/bug8965 deleted file mode 100644 index b5af279632..0000000000 --- a/changes/bug8965 +++ /dev/null @@ -1,3 +0,0 @@ - o Removed documentation: - - Remove some of the older contents of doc/ as obsolete; move others - to torspec.git. Fixes bug 8965. diff --git a/changes/bug9002 b/changes/bug9002 deleted file mode 100644 index c41ace394a..0000000000 --- a/changes/bug9002 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Limit hidden service descriptors to at most ten introduction - points, to slow one kind of guard enumeration. Fixes bug 9002; - bugfix on 0.1.1.11-alpha. diff --git a/changes/bug9017 b/changes/bug9017 deleted file mode 100644 index 359c526b00..0000000000 --- a/changes/bug9017 +++ /dev/null @@ -1,6 +0,0 @@ - o Major bugfixes: - - Avoid an assertion failure on OpenBSD (and perhaps other BSDs) - when an exit connection with optimistic data succeeds immediately - rather than returning EINPROGRESS. Fixes bug 9017; bugfix on - 0.2.3.1-alpha. - diff --git a/changes/bug9047 b/changes/bug9047 deleted file mode 100644 index 497f0d3372..0000000000 --- a/changes/bug9047 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - If for some reason we fail to write a microdescriptor while - rebuilding the cache, do not let the annotations from that - microdescriptor linger in the cache file, and do not let the - microdescriptor stay recorded as present in its old location. - Fixes bug 9047; bugfix on 0.2.2.6-alpha. diff --git a/changes/bug9063 b/changes/bug9063 deleted file mode 100644 index dcbecf6179..0000000000 --- a/changes/bug9063 +++ /dev/null @@ -1,3 +0,0 @@ - o Normal bugfixes: - - Close any circuit that has more cells queued than the spec permits. - Fixes bug #9063; bugfix on 0.2.4.12. diff --git a/changes/bug9063_redux b/changes/bug9063_redux deleted file mode 100644 index e6fae72efc..0000000000 --- a/changes/bug9063_redux +++ /dev/null @@ -1,15 +0,0 @@ - o Major bugfixes: - - When we have too much memory queued in circuits (according to a new - MaxMemInCellQueues option), close the circuits consuming the most - memory. This prevents us from running out of memory as a relay if - circuits fill up faster than they can be drained. Fixes - bug 9063; bugfix on the 54th commit of Tor. This bug is a further - fix beyond bug 6252, whose fix was merged into 0.2.3.21-rc. - - Also fixes an earlier approach taken in 0.2.4.13-alpha, where we - tried to solve this issue simply by imposing an upper limit on the - number of queued cells for a single circuit. That approach proved to - be problematic, since there are ways to provoke clients to send a - number of cells in excess of any such reasonable limit. - Fixes bug 9072; bugfix on 0.2.4.13-alpha. - diff --git a/changes/bug9072 b/changes/bug9072 deleted file mode 100644 index e594a38335..0000000000 --- a/changes/bug9072 +++ /dev/null @@ -1,3 +0,0 @@ - o Critical bugfixes: - - Disable middle relay queue overfill detection code due to possible - guard discovery attack, pending further analysis. Fixes bug #9072. diff --git a/changes/bug9122 b/changes/bug9122 deleted file mode 100644 index 5009da6126..0000000000 --- a/changes/bug9122 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - When receiving a new configuration file via the control port's - LOADCONF command, do not treat the defaults file as absent. - Fixes bug 9122; bugfix on 0.2.3.9-alpha. diff --git a/changes/bug9147 b/changes/bug9147 deleted file mode 100644 index e6064ea0e5..0000000000 --- a/changes/bug9147 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Issue a warning when running with the bufferevents backend enabled. - It's still not stable, and people should know that they're likely - to hit unexpected problems. Closes ticket 9147. diff --git a/changes/bug9200 b/changes/bug9200 deleted file mode 100644 index 7b64dd1744..0000000000 --- a/changes/bug9200 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - Fix a bug in the voting algorithm that could yield incorrect results - when a non-naming authority declared too many flags. Fixes bug 9200; - bugfix on 0.2.0.3-alpha. - diff --git a/changes/bug9254 b/changes/bug9254 deleted file mode 100644 index 5179bdc523..0000000000 --- a/changes/bug9254 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix a spurious compilation warning with some older versions of - GCC on FreeBSD. Fixes bug 9254; bugfix on 0.2.4.14-alpha. - diff --git a/changes/bug9288 b/changes/bug9288 deleted file mode 100644 index 59bf414ea1..0000000000 --- a/changes/bug9288 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix an invalid memory read that occured when a pluggable - transport proxy failed its configuration protocol. - Fixes bug 9288. diff --git a/changes/bug9295 b/changes/bug9295 deleted file mode 100644 index 2c113616c3..0000000000 --- a/changes/bug9295 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes: - - Avoid a crash when using --hash-password. Fixes bug 9295; bugfix on - 0.2.4.15-rc. Found by stem integration tests. - diff --git a/changes/bug9309 b/changes/bug9309 deleted file mode 100644 index 38c462bc0f..0000000000 --- a/changes/bug9309 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes: - - When evaluating whether to use a connection that we haven't - decided is canonical using a recent link protocol version, - decide that it's canonical only if it used address _does_ - match the desired address. Fixes bug 9309; bugfix on - 0.2.4.4-alpha. Reported by skruffy. diff --git a/changes/bug9337 b/changes/bug9337 deleted file mode 100644 index ce99bc8184..0000000000 --- a/changes/bug9337 +++ /dev/null @@ -1,4 +0,0 @@ - o Major bugfixes (DNS): - - Avoid an assertion failure when processing DNS replies without the - answer types we expected. Fixes bug 9337; bugfix on 0.2.4.7-alpha. - diff --git a/changes/bug9354 b/changes/bug9354 deleted file mode 100644 index 68fc81a595..0000000000 --- a/changes/bug9354 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - Make the default behavior of NumDirectoryGuards be to track - NumEntryGuards. Now a user who changes only NumEntryGuards will get - the behavior she expects. Fixes bug 9354; bugfix on 0.2.4.8-alpha. - diff --git a/changes/bug9366 b/changes/bug9366 deleted file mode 100644 index acc919e77f..0000000000 --- a/changes/bug9366 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (usability): - - Warn and fail if a server is configured not to advertise any - ORPorts at all. (We need *something* to put in our descriptor, or - we just won't work.) diff --git a/changes/bug9400 b/changes/bug9400 deleted file mode 100644 index 974224068a..0000000000 --- a/changes/bug9400 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes: - - - Avoid double-closing the listener socket in our socketpair replacement - (used on Windows) in the case where the addresses on our opened - sockets don't match what we expected. Fixes bug 9400; bugfix on - every released Tor version. Found by Coverity. - diff --git a/changes/bug9543 b/changes/bug9543 deleted file mode 100644 index 753947f6fd..0000000000 --- a/changes/bug9543 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Avoid overflows when the user sets MaxCircuitDirtiness to a - ridiculously high value, by imposing a (ridiculously high) 30-day - maximum on MaxCircuitDirtiness. diff --git a/changes/bug9546 b/changes/bug9546 deleted file mode 100644 index 2145e35d8f..0000000000 --- a/changes/bug9546 +++ /dev/null @@ -1,11 +0,0 @@ - o Major bugfixes: - - - When a relay is extending a circuit to a bridge, it needs to send a - NETINFO cell, even when the bridge hasn't sent an AUTH_CHALLENGE - cell. Fixes bug 9546; bugfix on 0.2.3.6-alpha. - - - Bridges send AUTH_CHALLENGE cells during their handshakes; previously - they did not, which prevented relays from successfully connecting - to a bridge for self-test or bandwidth testing. Fixes bug 9546; - bugfix on 0.2.3.6-alpha. - diff --git a/changes/bug9564 b/changes/bug9564 deleted file mode 100644 index 0df00e3698..0000000000 --- a/changes/bug9564 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes: - - If the time to download the next old-style networkstatus is in - the future, do not decline to consider whether to download the - next microdescriptor networkstatus. Fixes bug 9564. Bugfix on - 0.2.3.14-alpha. diff --git a/changes/bug9671_023 b/changes/bug9671_023 deleted file mode 100644 index 035ca5cdea..0000000000 --- a/changes/bug9671_023 +++ /dev/null @@ -1,5 +0,0 @@ - o Major bugfixes: - - If the circuit build timeout logic is disabled (via the consensus, - or because we are an authority), then don't build testing circuits. - Fixes bug 9657; bugfix on 0.2.2.14-alpha. - diff --git a/changes/bug9776 b/changes/bug9776 deleted file mode 100644 index ea3a96abb3..0000000000 --- a/changes/bug9776 +++ /dev/null @@ -1,5 +0,0 @@ - o Normal bugfixes: - - Always call circuit_n_chan_done(chan, 0) from channel_closed(), so we - can't leak pending circuits in some cases where - run_connection_housekeeping() calls connection_or_close_normally(). - Fixes bug #9776; bugfix on 0.2.4.17. diff --git a/changes/cov980650 b/changes/cov980650 deleted file mode 100644 index cbbada2e66..0000000000 --- a/changes/cov980650 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes: - - Fix a copy-and-paste error when adding a missing A1 to a routerset - because of GeoIPExcludeUnknown. Fix for coverity CID 980650. - Bugfix on 0.2.4.10-alpha. diff --git a/changes/doc-heartbeat-loglevel b/changes/doc-heartbeat-loglevel deleted file mode 100644 index 91f40ad260..0000000000 --- a/changes/doc-heartbeat-loglevel +++ /dev/null @@ -1,3 +0,0 @@ - o Minor documentation fixes: - - Fix the documentation of HeartbeatPeriod to say that the heartbeat - message is logged at notice, not at info. diff --git a/changes/easy.ratelim b/changes/easy.ratelim deleted file mode 100644 index cadd1e4f5e..0000000000 --- a/changes/easy.ratelim +++ /dev/null @@ -1,3 +0,0 @@ - o Code simplification and refactoring: - - Add a wrapper function for the common "log a message with a rate-limit" - case. diff --git a/changes/feature4994 b/changes/feature4994 deleted file mode 100644 index 4fa0e037b7..0000000000 --- a/changes/feature4994 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor features: - - Teach bridge-using clients to avoid 0.2.2 bridges when making - microdescriptor-related dir requests, and only fall back to normal - descriptors if none of their bridges can handle microdescriptors - (as opposed to the fix in ticket 4013, which caused them to fall - back to normal descriptors if *any* of their bridges preferred - them). Resolves ticket 4994. diff --git a/changes/feature9574 b/changes/feature9574 deleted file mode 100644 index 723606e396..0000000000 --- a/changes/feature9574 +++ /dev/null @@ -1,7 +0,0 @@ - o Major features: - - Relays now process the new "NTor" circuit-level handshake requests - with higher priority than the old "TAP" circuit-level handshake - requests. We still process some TAP requests to not totally starve - 0.2.3 clients when NTor becomes popular. A new consensus parameter - "NumNTorsPerTAP" lets us tune the balance later if we need to. - Implements ticket 9574. diff --git a/changes/fix-geoipexclude-doc b/changes/fix-geoipexclude-doc deleted file mode 100644 index 63b544ef29..0000000000 --- a/changes/fix-geoipexclude-doc +++ /dev/null @@ -1,4 +0,0 @@ - o Documentation fixes: - - Fix the GeoIPExcludeUnknown documentation to refer to ExcludeExitNodes - rather than the currently nonexistent ExcludeEntryNodes. Spotted by - "hamahangi" on tor-talk. diff --git a/changes/geoip-apr2013 b/changes/geoip-apr2013 deleted file mode 100644 index 74d9c63b79..0000000000 --- a/changes/geoip-apr2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the April 3 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-august2013 b/changes/geoip-august2013 deleted file mode 100644 index bd15177a0c..0000000000 --- a/changes/geoip-august2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the August 7 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-feb2013 b/changes/geoip-feb2013 deleted file mode 100644 index b5d794258f..0000000000 --- a/changes/geoip-feb2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the February 6 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-july2013 b/changes/geoip-july2013 deleted file mode 100644 index 097819dd7c..0000000000 --- a/changes/geoip-july2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the July 3 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-june2013 b/changes/geoip-june2013 deleted file mode 100644 index f8e00a62c6..0000000000 --- a/changes/geoip-june2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the June 5 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-mar2013 b/changes/geoip-mar2013 deleted file mode 100644 index e9cc3981b3..0000000000 --- a/changes/geoip-mar2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the March 6 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-may2013 b/changes/geoip-may2013 deleted file mode 100644 index ff4b98f22b..0000000000 --- a/changes/geoip-may2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the May 9 2013 Maxmind GeoLite Country database. - diff --git a/changes/geoip-september2013 b/changes/geoip-september2013 deleted file mode 100644 index 0173f4cfe3..0000000000 --- a/changes/geoip-september2013 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor features: - - Update to the September 4 2013 Maxmind GeoLite Country database. - diff --git a/changes/integers_donna b/changes/integers_donna deleted file mode 100644 index e9c69e8e1c..0000000000 --- a/changes/integers_donna +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (portability) - - Tweak the curve25519-donna*.c implementations to tolerate systems - that lack stdint.h. Fixes bug 3894; bugfix on 0.2.4.8-alpha. diff --git a/changes/less_charbuf_usage b/changes/less_charbuf_usage deleted file mode 100644 index 2ec42b544a..0000000000 --- a/changes/less_charbuf_usage +++ /dev/null @@ -1,5 +0,0 @@ - o Code simplification and refactoring: - - Avoid using character buffers when constructing most directory - objects: this approach was unweildy and error-prone. Instead, - build smartlists of strings, and concatenate them when done. - diff --git a/changes/log-noise b/changes/log-noise deleted file mode 100644 index bbbf0d2c0c..0000000000 --- a/changes/log-noise +++ /dev/null @@ -1,11 +0,0 @@ - o Minor bugfixes (log message reduction) - - Fix a path state issue that triggered a notice during relay startup. - Fixes bug #8320; bugfix on 0.2.4.10-alpha. - - Reduce occurrences of warns about circuit purpose in - connection_ap_expire_building(). Fixes bug #8477; bugfix on - 0.2.4.11-alpha. - - Fix a directory authority warn caused when we have a large amount - of badexit bandwidth. Fixes bug #8419; bugfix on 0.2.2.10-alpha. - - Reduce a path bias length check notice log to info. The notice - is triggered when creating controller circuits. Fixes bug #8196; - bugfix on 0.2.4.8-alpha. diff --git a/changes/no_client_timestamps_024 b/changes/no_client_timestamps_024 deleted file mode 100644 index 41dea2f1a6..0000000000 --- a/changes/no_client_timestamps_024 +++ /dev/null @@ -1,14 +0,0 @@ - o Minor features (security, timestamp avoidance, proposal 222): - - Clients no longer send timestamps in their NETINFO cells. These were - not used for anything, and they provided one small way for clients - to be distinguished from each other as they moved from network to - network or behind NAT. Implements part of proposal 222. - - Clients now round timestamps in INTRODUCE cells down to the nearest - 10 minutes. If a new Support022HiddenServices option is set to 0, - or if it's set to "auto" and the feature is disabled in the consensus, - the timestamp is sent as 0 instead. Implements part of proposal 222. - - Stop sending timestamps in AUTHENTICATE cells. This is not such - a big deal from a security point of view, but it achieves no actual - good purpose, and isn't needed. Implements part of proposal 222. - - Reduce down accuracy of timestamps in hidden service descriptors. - Implements part of proposal 222. diff --git a/changes/signof_enum b/changes/signof_enum deleted file mode 100644 index ba4fb597d7..0000000000 --- a/changes/signof_enum +++ /dev/null @@ -1,7 +0,0 @@ - o Code simplifications and refactoring: - - Use Ville Laurikari's implementation of AX_CHECK_SIGN() to determine - the signs of types during autoconf. This is better than our old - approach, which didn't work when cross-compiling. - - Detect the sign of enum values, rather than assuming that MSC is the - only compiler where enum types are all signed. Fix for bug 7727; - bugfix on 0.2.4.10-alpha. diff --git a/changes/ticket2267 b/changes/ticket2267 deleted file mode 100644 index b589b5721f..0000000000 --- a/changes/ticket2267 +++ /dev/null @@ -1,8 +0,0 @@ - o Minor features: - - Refactor resolve_my_address() so it returns the method by which we - decided our public IP address (explicitly configured, resolved from - explicit hostname, guessed from interfaces, learned by gethostname). - Now we can provide more helpful log messages when a relay guesses - its IP address incorrectly (e.g. due to unexpected lines in - /etc/hosts). Resolves ticket 2267. - diff --git a/changes/ticket8240 b/changes/ticket8240 deleted file mode 100644 index 91e6f8c14a..0000000000 --- a/changes/ticket8240 +++ /dev/null @@ -1,4 +0,0 @@ - o Major security fixes: - - Make the default guard lifetime controllable via a new - GuardLifetime torrc option and a GuardLifetime consensus - parameter. Start of a fix for bug 8240; bugfix on 0.1.1.11-alpha. diff --git a/changes/ticket8443 b/changes/ticket8443 deleted file mode 100644 index ca6fb2f471..0000000000 --- a/changes/ticket8443 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Randomize the lifetime of our SSL link certificate, so censors can't - use the static value for filtering Tor flows. Resolves ticket 8443; - related to ticket 4014 which was included in 0.2.2.33. diff --git a/changes/ticket9658 b/changes/ticket9658 deleted file mode 100644 index a8db2efba8..0000000000 --- a/changes/ticket9658 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features: - - Track how many "TAP" and "NTor" circuit handshake requests we get, - and how many we complete, and log it every hour to help relay - operators follow trends in network load. Addresses ticket 9658. diff --git a/changes/v3_intro_len b/changes/v3_intro_len deleted file mode 100644 index fbe39bce3b..0000000000 --- a/changes/v3_intro_len +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes: - - - Fix an uninitialized read that could (in some cases) lead to a remote - crash while parsing INTRODUCE 1 cells. (This is, so far as we know, - unrelated to the recent news.) Fixes bug XXX; bugfix on - 0.2.4.1-alpha. Anybody running a hidden service on the experimental - 0.2.4.x branch should upgrade. - diff --git a/changes/warn-unsigned-time_t b/changes/warn-unsigned-time_t deleted file mode 100644 index 5f0c36d099..0000000000 --- a/changes/warn-unsigned-time_t +++ /dev/null @@ -1,5 +0,0 @@ - o Build improvements: - - Warn if building on a platform with an unsigned time_t: there - are too many places where Tor currently assumes that time_t can - hold negative values. We'd like to fix them all, but probably - some will remain. diff --git a/configure.ac b/configure.ac index 6f40ac4ad2..970be9ca6d 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ dnl Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson dnl Copyright (c) 2007-2013, The Tor Project, Inc. dnl See LICENSE for licensing information -AC_INIT([tor],[0.2.4.10-alpha-dev]) +AC_INIT([tor],[0.2.4.17-rc]) AC_CONFIG_SRCDIR([src/or/main.c]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE diff --git a/contrib/tor-mingw.nsi.in b/contrib/tor-mingw.nsi.in index d5379bd578..428f6a8dba 100644 --- a/contrib/tor-mingw.nsi.in +++ b/contrib/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.4.10-alpha-dev" +!define VERSION "0.2.4.17-rc" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index f5d5cf4460..706c42c15d 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -241,7 +241,7 @@ #define USING_TWOS_COMPLEMENT /* Version number of package */ -#define VERSION "0.2.4.10-alpha-dev" +#define VERSION "0.2.4.17-rc" |