-rw-r--r--ChangeLog329
-rw-r--r--Makefile.am4
-rw-r--r--ReleaseNotes557
-rw-r--r--changes/bug404006
-rw-r--r--changes/bug40400_part25
-rw-r--r--changes/bug40400_part37
-rw-r--r--changes/bug404653
-rw-r--r--changes/bug404714
-rw-r--r--changes/bug404865
-rw-r--r--changes/bug404884
-rw-r--r--changes/issue114778
-rw-r--r--changes/issue168032
-rw-r--r--changes/prop33511
-rw-r--r--changes/ticket262993
-rw-r--r--changes/ticket304774
-rw-r--r--changes/ticket340835
-rw-r--r--changes/ticket401824
-rw-r--r--changes/ticket404503
-rw-r--r--changes/ticket404694
-rw-r--r--changes/ticket404745
-rw-r--r--changes/ticket404767
-rw-r--r--changes/ticket404803
-rw-r--r--changes/ticket404845
-rw-r--r--changes/ticket404853
-rw-r--r--changes/ticket404905
-rw-r--r--changes/ticket404917
-rw-r--r--changes/ticket404932
-rw-r--r--changes/ticket405043
-rw-r--r--configure.ac4
-rw-r--r--contrib/win32build/tor-mingw.nsi.in2
-rwxr-xr-xdoc/asciidoc-helper.sh4
-rw-r--r--doc/man/tor.1.txt20
-rw-r--r--doc/nofooter.conf3
-rwxr-xr-xscripts/ci/ci-driver.sh9
-rwxr-xr-xscripts/git/git-list-tor-branches.sh11
-rwxr-xr-xscripts/maint/geoip/update_geoip.sh2
-rw-r--r--src/core/or/congestion_control_flow.c10
-rw-r--r--src/win32/orconfig.h2
38 files changed, 757 insertions, 318 deletions
diff --git a/ChangeLog b/ChangeLog
index 2340716696..d1bc48dc0c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,332 @@
+Changes in version 0.4.7.2-alpha - 2021-10-26
+ This second alpha release of the 0.4.7.x series adds two major
+ features: congestion control (prop324) for network performance, and
+ the MiddleOnly flag (prop335) voted by the authorities to pin relays
+ to the middle position for various network health reasons. This
+ release also fixes numerous bugs.
+
+ The congestion control feature, detailed in proposal 324, still needs
+ more work before we can enable it by default. It is currently in its
+ testing and tuning phase which means that you should expect more
+ 0.4.7.x alphas as congestion control gets stabilized and tuned for
+ optimal performance. And so, at this release, it can not be used
+ without a custom patch.
+
+ o Major features (congestion control):
+ - Implement support for flow control over congestion controlled
+ circuits. This work comes from proposal 324. Closes ticket 40450.
+
+ o Major features (directory authority):
+ - Add a new consensus method to handle MiddleOnly specially. When
+ enough authorities are using this method, then any relay tagged
+ with the MiddleOnly flag will have its Exit, Guard, HSDir, and
+ V2Dir flags automatically cleared, and will have its BadExit flag
+ automatically set. Implements part of proposal 335.
+ - Authorities can now be configured to label relays as "MiddleOnly".
+ When voting for this flag, authorities automatically vote against
+ Exit, Guard, HSDir, and V2Dir; and in favor of BadExit. Implements
+ part of proposal 335. Based on a patch from Neel Chauhan.
+
+ o Major bugfix (relay, metrics):
+ - On the MetricsPort, the DNS error statistics are not reported by
+ record type ("record=...") anymore due to a libevent bug
+ (https://github.com/libevent/libevent/issues/1219). Fixes bug
+ 40490; bugfix on 0.4.7.1-alpha.
+
+ o Major bugfixes (relay, overload state):
+ - Relays report the general overload state for DNS timeout errors
+ only if X% of all DNS queries over Y seconds are errors. Before
+ that, it only took 1 timeout to report the overload state which
+ was just too low of a threshold. The X and Y values are 1% and 10
+ minutes respectively but they are also controlled by consensus
+ parameters. Fixes bug 40491; bugfix on 0.4.6.1-alpha.
+
+ o Minor feature (authority, relay):
+ - Reject End-Of-Life relays running version 0.4.2.x, 0.4.3.x,
+ 0.4.4.x and 0.4.5 alphas/rc. Closes ticket 40480.
+
+ o Minor feature (onion service v2):
+ - Onion service v2 addresses are now not recognized anymore by tor
+ meaning a bad hostname is returned when attempting to pass it on a
+ SOCKS connection. No more deprecation log is emitted client side.
+ Closes ticket 40476.
+ - See https://blog.torproject.org/v2-deprecation-timeline for
+ details on how to transition from v2 to v3.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories for October 2021. Closes
+ ticket 40493.
+
+ o Minor features (logging, heartbeat):
+ - When a relay receives a cell that isn't encrypted properly for it,
+ but the relay is the last hop on the circuit, the relay now counts
+ how many cells of this kind it receives, on how many circuits, and
+ reports this information in the log. Previously, we'd log each
+ cell at PROTOCOL_WARN level, which is far too verbose to be
+ useful. Fixes part of ticket 40400.
+
+ o Minor features (testing):
+ - We now have separate fuzzers for the inner layers of v3 onion
+ service descriptors, to prevent future bugs like 40392. Closes
+ ticket 40488.
+
+ o Minor bugfixes (compilation):
+ - Fix compilation error when __NR_time is not defined. Fixes bug
+ 40465; bugfix on 0.2.5.5-alpha. Patch by Daniel Pinto.
+
+ o Minor bugfixes (dirauth, bandwidth scanner):
+ - Add the AuthDirDontVoteOnDirAuthBandwidth dirauth config parameter
+ to avoid voting on bandwidth scanner weights to v3 directory
+ authorities. Fixes bug 40471; bugfix on 0.2.2.1-alpha. Patch by
+ Neel Chauhan.
+
+ o Minor bugfixes (fragile-hardening, sandbox):
+ - When building with --enable-fragile-hardening, add or relax Linux
+ seccomp rules to allow AddressSanitizer to execute normally if the
+ process terminates with the sandbox active. This has the side
+ effect of disabling the filtering of file- and directory-open
+ requests on most systems and dilutes the effectiveness of the
+ sandbox overall, as a wider range of system calls must be
+ permitted. Fixes bug 11477; bugfix on 0.2.5.4-alpha.
+
+ o Minor bugfixes (logging):
+ - If a channel has never received or transmitted a cell, or seen a
+ client, do not calculate time diffs against 1/1/1970 but log a
+ better prettier message. Fixes bug 40182; bugfix on 0.2.4.4.
+
+ o Minor bugfixes (onion service):
+ - Fix a warning BUG that would occur often on heavily loaded onion
+ service leading to filling the logs with useless warnings. Fixes
+ bug 34083; bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfix (CI, onion service):
+ - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
+ bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfixes (onion service, config):
+ - Fix a memory leak for a small config line string that could occur
+ if the onion service failed to be configured from file properly.
+ Fixes bug 40484; bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfixes (onion service, TROVE-2021-008):
+ - Only log v2 access attempts once total, in order to not pollute
+ the logs with warnings and to avoid recording the times on disk
+ when v2 access was attempted. Note that the onion address was
+ _never_ logged. This counts as a Low-severity security issue.
+ Fixes bug 40474; bugfix on 0.4.5.8.
+ - Note that due to #40476 which removes v2 support entirely, this
+ log line is not emitted anymore. We still mention this in the
+ changelog because it is a Low-severity TROVE.
+
+ o Minor bugfixes (usability):
+ - Do not log "RENDEZVOUS1 cell with unrecognized rendezvous cookie"
+ at LOG_PROTOCOL_WARN; instead log it at DEBUG. This warning can
+ happen naturally if a client gives up on a rendezvous circuit
+ after sending INTRODUCE1. Fixes part of bug 40400; bugfix
+ on 0.1.1.13-alpha.
+ - Do not log "circuit_receive_relay_cell failed" at
+ LOG_PROTOCOL_WARN; instead log it at DEBUG. In every case where we
+ would want to log this as a protocol warning, we are already
+ logging another warning from inside circuit_receive_relay_cell.
+ Fixes part of bug 40400; bugfix on 0.1.1.9-alpha.
+
+ o Code simplification and refactoring:
+ - Lower the official maximum for "guard-extreme-restriction-percent"
+ to 100. This has no effect on when the guard code will generate a
+ warning, but it makes the intent of the option clearer. Fixes bug
+ 40486; bugfix on 0.3.0.1-alpha.
+
+ o Testing:
+ - Add unit tests for the Linux seccomp sandbox. Resolves
+ issue 16803.
+
+ o Code simplification and refactoring (rust):
+ - Remove Rust support and its associated code. It is unsupported and
+ Rust focus should be shifted to arti. Closes ticket 40469.
+
+ o Testing (CI, chutney):
+ - Bump the data size that chutney transmits to 5MBytes in order to
+ trigger the flow control and congestion window code. Closes
+ ticket 40485.
+
+
+Changes in version 0.4.6.8 - 2021-10-26
+ This version fixes several bugs from earlier versions of Tor. One
+ highlight is a fix on how we track DNS timeouts to report general
+ relay overload.
+
+ o Major bugfixes (relay, overload state):
+ - Relays report the general overload state for DNS timeout errors
+ only if X% of all DNS queries over Y seconds are errors. Before
+ that, it only took 1 timeout to report the overload state which
+ was just too low of a threshold. The X and Y values are 1% and 10
+ minutes respectively but they are also controlled by consensus
+ parameters. Fixes bug 40491; bugfix on 0.4.6.1-alpha.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories for October 2021. Closes
+ ticket 40493.
+
+ o Minor features (testing):
+ - On a testing network, relays can now use the
+ TestingMinTimeToReportBandwidth option to change the smallest
+ amount of time over which they're willing to report their observed
+ maximum bandwidth. Previously, this was fixed at 1 day. For
+ safety, values under 2 hours are only supported on testing
+ networks. Part of a fix for ticket 40337.
+ - Relays on testing networks no longer rate-limit how frequently
+ they are willing to report new bandwidth measurements. Part of a
+ fix for ticket 40337.
+ - Relays on testing networks now report their observed bandwidths
+ immediately from startup. Previously, they waited until they had
+ been running for a full day. Closes ticket 40337.
+
+ o Minor bugfix (onion service):
+ - Do not flag an HSDir as non-running in case the descriptor upload
+ or fetch fails. An onion service closes pending directory
+ connections before uploading a new descriptor which can thus lead
+ to wrongly flagging many relays and thus affecting circuit building
+ path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
+ - Improve logging when a bad HS version is given. Fixes bug 40476;
+ bugfix on 0.4.6.1-alpha.
+
+ o Minor bugfix (CI, onion service):
+ - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
+ bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfixes (compatibility):
+ - Fix compatibility with the most recent Libevent versions, which no
+ longer have an evdns_set_random_bytes() function. Because this
+ function has been a no-op since Libevent 2.0.4-alpha, it is safe
+ for us to just stop calling it. Fixes bug 40371; bugfix
+ on 0.2.1.7-alpha.
+
+ o Minor bugfixes (onion service, TROVE-2021-008):
+ - Only log v2 access attempts once total, in order to not pollute
+ the logs with warnings and to avoid recording the times on disk
+ when v2 access was attempted. Note that the onion address was
+ _never_ logged. This counts as a Low-severity security issue.
+ Fixes bug 40474; bugfix on 0.4.5.8.
+
+
+Changes in version 0.4.5.11 - 2021-10-26
+ The major change in this version is that v2 onion services are now
+ disabled at the client, service, and relay: any Tor nodes running this
+ version and onward will stop supporting v2 onion services. This is the
+ last step in the long deprecation process of v2 onion services.
+ Everyone running an earlier version, whether as a client, a relay, or
+ an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11,
+ or 0.4.6.8.
+
+ o Major feature (onion service v2):
+ - See https://blog.torproject.org/v2-deprecation-timeline for
+ details on how to transition from v2 to v3.
+ - The control port commands HSFETCH and HSPOST no longer allow
+ version 2, and it is no longer possible to create a v2 service
+ with ADD_ONION.
+ - Tor no longer allows creating v2 services, or connecting as a
+ client to a v2 service. Relays will decline to be a v2 HSDir or
+ introduction point. This effectively disables onion service
+ version 2 Tor-wide. Closes ticket 40476.
+
+ o Minor features (bridge, backport from 0.4.6.8):
+ - We now announce the URL to Tor's new bridge status at
+ https://bridges.torproject.org/ when Tor is configured to run as a
+ bridge relay. Closes ticket 30477.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories for October 2021. Closes
+ ticket 40493.
+
+ o Minor features (logging, diagnostic, backport from 0.4.6.5):
+ - Log decompression failures at a higher severity level, since they
+ can help provide missing context for other warning messages. We
+ rate-limit these messages, to avoid flooding the logs if they
+ begin to occur frequently. Closes ticket 40175.
+
+ o Minor features (testing, backport from 0.4.6.8):
+ - On a testing network, relays can now use the
+ TestingMinTimeToReportBandwidth option to change the smallest
+ amount of time over which they're willing to report their observed
+ maximum bandwidth. Previously, this was fixed at 1 day. For
+ safety, values under 2 hours are only supported on testing
+ networks. Part of a fix for ticket 40337.
+ - Relays on testing networks no longer rate-limit how frequently
+ they are willing to report new bandwidth measurements. Part of a
+ fix for ticket 40337.
+ - Relays on testing networks now report their observed bandwidths
+ immediately from startup. Previously, they waited until they had
+ been running for a full day. Closes ticket 40337.
+
+ o Minor bugfix (CI, onion service):
+ - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
+ bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfix (onion service, backport from 0.4.6.8):
+ - Do not flag an HSDir as non-running in case the descriptor upload
+ or fetch fails. An onion service closes pending directory
+ connections before uploading a new descriptor which can thus lead
+ to wrongly flagging many relays and thus affecting circuit building
+ path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
+
+ o Minor bugfixes (compatibility, backport from 0.4.6.8):
+ - Fix compatibility with the most recent Libevent versions, which no
+ longer have an evdns_set_random_bytes() function. Because this
+ function has been a no-op since Libevent 2.0.4-alpha, it is safe
+ for us to just stop calling it. Fixes bug 40371; bugfix
+ on 0.2.1.7-alpha.
+
+ o Minor bugfixes (consensus handling, backport from 0.4.6.4-rc):
+ - Avoid a set of bugs that could be caused by inconsistently
+ preferring an out-of-date consensus stored in a stale directory
+ cache over a more recent one stored on disk as the latest
+ consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (onion service, TROVE-2021-008, backport from 0.4.6.8):
+ - Only log v2 access attempts once total, in order to not pollute
+ the logs with warnings and to avoid recording the times on disk
+ when v2 access was attempted. Note that the onion address was
+ _never_ logged. This counts as a Low-severity security issue.
+ Fixes bug 40474; bugfix on 0.4.5.8.
+
+
+Changes in version 0.3.5.17 - 2021-10-26
+ The major change in this version is that v2 onion services are now
+ disabled at the client, service, and relay: any Tor nodes running this
+ version and onward will stop supporting v2 onion services. This is the
+ last step in the long deprecation process of v2 onion services.
+ Everyone running an earlier version, whether as a client, a relay, or
+ an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11,
+ or 0.4.6.8.
+
+ o Major feature (onion service v2, backport from 0.4.5.11):
+ - See https://blog.torproject.org/v2-deprecation-timeline for
+ details on how to transition from v2 to v3.
+ - The control port commands HSFETCH and HSPOST no longer allow
+ version 2, and it is no longer possible to create a v2 service
+ with ADD_ONION.
+ - Tor no longer allows creating v2 services, or connecting as a
+ client to a v2 service. Relays will decline to be a v2 HSDir or
+ introduction point. This effectively disables onion service
+ version 2 Tor-wide. Closes ticket 40476.
+
+ o Minor features (bridge, backport from 0.4.6.8):
+ - We now announce the URL to Tor's new bridge status at
+ https://bridges.torproject.org/ when Tor is configured to run as a
+ bridge relay. Closes ticket 30477.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories for October 2021. Closes
+ ticket 40493.
+
+ o Minor bugfixes (compatibility, backport from 0.4.6.8):
+ - Fix compatibility with the most recent Libevent versions, which no
+ longer have an evdns_set_random_bytes() function. Because this
+ function has been a no-op since Libevent 2.0.4-alpha, it is safe
+ for us to just stop calling it. Fixes bug 40371; bugfix
+ on 0.2.1.7-alpha.
+
+
Changes in version 0.4.7.1-alpha - 2021-09-17
This version is the first alpha release of the 0.4.7.x series. One
major feature is Vanguards Lite, from proposal 333, to help mitigate
diff --git a/Makefile.am b/Makefile.am
index df3f88d6f5..b059496688 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -680,3 +680,7 @@ lsp:
else \
echo "No bear command found. On debian, apt install bear"; \
fi
+
+# Reproducible tarball. We change the tar options for this.
+dist-reprod:
+ $(MAKE) dist am__tar="$${TAR-tar} --format=gnu --owner=root --group=root --sort=name --mtime=\"`git show --no-patch --format='%ci'`\" -chof - $(distdir)"
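Review bot: The tar options in `dist-reprod` pin ordering, owner names and mtime but still leave host-dependent inputs, so two builders may not get byte-identical tarballs. `--owner=root --group=root` are resolved by name on the build host, and a group called root may not exist everywhere; `--owner=0 --group=0 --numeric-owner` avoids that lookup. File modes are not normalised either, so the umask of the checkout can probably leak into the archive unless something like `--mode=go=rX,u+rw,a-s` is added. The `--mtime` value comes from an unchecked `git show`, which prints nothing outside a git work tree, and `--sort=name` needs GNU tar while `$${TAR-tar}` accepts any tar. I would extend the comment above the target to `# Reproducible tarball: requires GNU tar and must be run from a git checkout.`, or add a guard that fails early when either is missing.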
diff --git a/ReleaseNotes b/ReleaseNotes
index 8bcb61e7fa..8401162ebe 100644
--- a/ReleaseNotes
+++ b/ReleaseNotes
@@ -2,6 +2,183 @@ This document summarizes new features and bugfixes in each stable
release of Tor. If you want to see more detailed descriptions of the
changes in each development snapshot, see the ChangeLog file.
+Changes in version 0.4.6.8 - 2021-10-26
+ This version fixes several bugs from earlier versions of Tor. One
+ highlight is a fix on how we track DNS timeouts to report general
+ relay overload.
+
+ o Major bugfixes (relay, overload state):
+ - Relays report the general overload state for DNS timeout errors
+ only if X% of all DNS queries over Y seconds are errors. Before
+ that, it only took 1 timeout to report the overload state which
+ was just too low of a threshold. The X and Y values are 1% and 10
+ minutes respectively but they are also controlled by consensus
+ parameters. Fixes bug 40491; bugfix on 0.4.6.1-alpha.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories for October 2021. Closes
+ ticket 40493.
+
+ o Minor features (testing):
+ - On a testing network, relays can now use the
+ TestingMinTimeToReportBandwidth option to change the smallest
+ amount of time over which they're willing to report their observed
+ maximum bandwidth. Previously, this was fixed at 1 day. For
+ safety, values under 2 hours are only supported on testing
+ networks. Part of a fix for ticket 40337.
+ - Relays on testing networks no longer rate-limit how frequently
+ they are willing to report new bandwidth measurements. Part of a
+ fix for ticket 40337.
+ - Relays on testing networks now report their observed bandwidths
+ immediately from startup. Previously, they waited until they had
+ been running for a full day. Closes ticket 40337.
+
+ o Minor bugfix (onion service):
+ - Do not flag an HSDir as non-running in case the descriptor upload
+ or fetch fails. An onion service closes pending directory
+ connections before uploading a new descriptor which can thus lead
+ to wrongly flagging many relays and thus affecting circuit building
+ path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
+ - Improve logging when a bad HS version is given. Fixes bug 40476;
+ bugfix on 0.4.6.1-alpha.
+
+ o Minor bugfix (CI, onion service):
+ - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
+ bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfixes (compatibility):
+ - Fix compatibility with the most recent Libevent versions, which no
+ longer have an evdns_set_random_bytes() function. Because this
+ function has been a no-op since Libevent 2.0.4-alpha, it is safe
+ for us to just stop calling it. Fixes bug 40371; bugfix
+ on 0.2.1.7-alpha.
+
+ o Minor bugfixes (onion service, TROVE-2021-008):
+ - Only log v2 access attempts once total, in order to not pollute
+ the logs with warnings and to avoid recording the times on disk
+ when v2 access was attempted. Note that the onion address was
+ _never_ logged. This counts as a Low-severity security issue.
+ Fixes bug 40474; bugfix on 0.4.5.8.
+
+
+Changes in version 0.4.5.11 - 2021-10-26
+ The major change in this version is that v2 onion services are now
+ disabled at the client, service, and relay: any Tor nodes running this
+ version and onward will stop supporting v2 onion services. This is the
+ last step in the long deprecation process of v2 onion services.
+ Everyone running an earlier version, whether as a client, a relay, or
+ an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11,
+ or 0.4.6.8.
+
+ o Major feature (onion service v2):
+ - See https://blog.torproject.org/v2-deprecation-timeline for
+ details on how to transition from v2 to v3.
+ - The control port commands HSFETCH and HSPOST no longer allow
+ version 2, and it is no longer possible to create a v2 service
+ with ADD_ONION.
+ - Tor no longer allows creating v2 services, or connecting as a
+ client to a v2 service. Relays will decline to be a v2 HSDir or
+ introduction point. This effectively disables onion service
+ version 2 Tor-wide. Closes ticket 40476.
+
+ o Minor features (bridge, backport from 0.4.6.8):
+ - We now announce the URL to Tor's new bridge status at
+ https://bridges.torproject.org/ when Tor is configured to run as a
+ bridge relay. Closes ticket 30477.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories for October 2021. Closes
+ ticket 40493.
+
+ o Minor features (logging, diagnostic, backport from 0.4.6.5):
+ - Log decompression failures at a higher severity level, since they
+ can help provide missing context for other warning messages. We
+ rate-limit these messages, to avoid flooding the logs if they
+ begin to occur frequently. Closes ticket 40175.
+
+ o Minor features (testing, backport from 0.4.6.8):
+ - On a testing network, relays can now use the
+ TestingMinTimeToReportBandwidth option to change the smallest
+ amount of time over which they're willing to report their observed
+ maximum bandwidth. Previously, this was fixed at 1 day. For
+ safety, values under 2 hours are only supported on testing
+ networks. Part of a fix for ticket 40337.
+ - Relays on testing networks no longer rate-limit how frequently
+ they are willing to report new bandwidth measurements. Part of a
+ fix for ticket 40337.
+ - Relays on testing networks now report their observed bandwidths
+ immediately from startup. Previously, they waited until they had
+ been running for a full day. Closes ticket 40337.
+
+ o Minor bugfix (CI, onion service):
+ - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
+ bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfix (onion service, backport from 0.4.6.8):
+ - Do not flag an HSDir as non-running in case the descriptor upload
+ or fetch fails. An onion service closes pending directory
+ connections before uploading a new descriptor which can thus lead
+ to wrongly flagging many relays and thus affecting circuit building
+ path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
+
+ o Minor bugfixes (compatibility, backport from 0.4.6.8):
+ - Fix compatibility with the most recent Libevent versions, which no
+ longer have an evdns_set_random_bytes() function. Because this
+ function has been a no-op since Libevent 2.0.4-alpha, it is safe
+ for us to just stop calling it. Fixes bug 40371; bugfix
+ on 0.2.1.7-alpha.
+
+ o Minor bugfixes (consensus handling, backport from 0.4.6.4-rc):
+ - Avoid a set of bugs that could be caused by inconsistently
+ preferring an out-of-date consensus stored in a stale directory
+ cache over a more recent one stored on disk as the latest
+ consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (onion service, TROVE-2021-008, backport from 0.4.6.8):
+ - Only log v2 access attempts once total, in order to not pollute
+ the logs with warnings and to avoid recording the times on disk
+ when v2 access was attempted. Note that the onion address was
+ _never_ logged. This counts as a Low-severity security issue.
+ Fixes bug 40474; bugfix on 0.4.5.8.
+
+
+Changes in version 0.3.5.17 - 2021-10-26
+ The major change in this version is that v2 onion services are now
+ disabled at the client, service, and relay: any Tor nodes running this
+ version and onward will stop supporting v2 onion services. This is the
+ last step in the long deprecation process of v2 onion services.
+ Everyone running an earlier version, whether as a client, a relay, or
+ an onion service, should upgrade to Tor 0.3.5.17, 0.4.5.11,
+ or 0.4.6.8.
+
+ o Major feature (onion service v2, backport from 0.4.5.11):
+ - See https://blog.torproject.org/v2-deprecation-timeline for
+ details on how to transition from v2 to v3.
+ - The control port commands HSFETCH and HSPOST no longer allow
+ version 2, and it is no longer possible to create a v2 service
+ with ADD_ONION.
+ - Tor no longer allows creating v2 services, or connecting as a
+ client to a v2 service. Relays will decline to be a v2 HSDir or
+ introduction point. This effectively disables onion service
+ version 2 Tor-wide. Closes ticket 40476.
+
+ o Minor features (bridge, backport from 0.4.6.8):
+ - We now announce the URL to Tor's new bridge status at
+ https://bridges.torproject.org/ when Tor is configured to run as a
+ bridge relay. Closes ticket 30477.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories for October 2021. Closes
+ ticket 40493.
+
+ o Minor bugfixes (compatibility, backport from 0.4.6.8):
+ - Fix compatibility with the most recent Libevent versions, which no
+ longer have an evdns_set_random_bytes() function. Because this
+ function has been a no-op since Libevent 2.0.4-alpha, it is safe
+ for us to just stop calling it. Fixes bug 40371; bugfix
+ on 0.2.1.7-alpha.
+
+
Changes in version 0.4.6.7 - 2021-08-16
This version fixes several bugs from earlier versions of Tor, including one
that could lead to a denial-of-service attack. Everyone running an earlier
@@ -32,6 +209,10 @@ Changes in version 0.4.6.7 - 2021-08-16
- Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address)
for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha.
+ o Minor bugfix (CI, onion service):
+ - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
+ bugfix on 0.3.2.1-alpha.
+
o Minor bugfixes (relay):
- Reduce the compression level for data streaming from HIGH to LOW in
order to reduce CPU load on the directory relays. Fixes bug 40301;
@@ -143,194 +324,6 @@ Changes in version 0.4.6.6 - 2021-06-30
on 0.3.3.2-alpha.
-Changes in version 0.4.5.9 - 2021-06-14
- Tor 0.4.5.9 fixes several security issues, including a
- denial-of-service attack against onion service clients, and another
- denial-of-service attack against relays. Everybody should upgrade to
- one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
-
- o Major bugfixes (security, backport from 0.4.6.5):
- - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
- half-closed streams. Previously, clients failed to validate which
- hop sent these cells: this would allow a relay on a circuit to end
- a stream that wasn't actually built with it. Fixes bug 40389;
- bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
- 003 and CVE-2021-34548.
-
- o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
- - Detect more failure conditions from the OpenSSL RNG code.
- Previously, we would detect errors from a missing RNG
- implementation, but not failures from the RNG code itself.
- Fortunately, it appears those failures do not happen in practice
- when Tor is using OpenSSL's default RNG implementation. Fixes bug
- 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
- TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
-
- o Major bugfixes (security, denial of service, backport from 0.4.6.5):
- - Resist a hashtable-based CPU denial-of-service attack against
- relays. Previously we used a naive unkeyed hash function to look
- up circuits in a circuitmux object. An attacker could exploit this
- to construct circuits with chosen circuit IDs, to create
- collisions and make the hash table inefficient. Now we use a
- SipHash construction here instead. Fixes bug 40391; bugfix on
- 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
- CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
- - Fix an out-of-bounds memory access in v3 onion service descriptor
- parsing. An attacker could exploit this bug by crafting an onion
- service descriptor that would crash any client that tried to visit
- it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
- tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
- Glazunov from Google's Project Zero.
-
- o Minor features (compatibility, backport from 0.4.6.4-rc):
- - Remove an assertion function related to TLS renegotiation. It was
- used nowhere outside the unit tests, and it was breaking
- compilation with recent alpha releases of OpenSSL 3.0.0. Closes
- ticket 40399.
-
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database, as
- retrieved on 2021/06/10.
-
- o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc):
- - Allow the control command SAVECONF to succeed when the seccomp
- sandbox is enabled, and make SAVECONF keep only one backup file to
- simplify implementation. Previously SAVECONF allowed a large
- number of backup files, which made it incompatible with the
- sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by
- Daniel Pinto.
-
- o Minor bugfixes (metrics port, backport from 0.4.6.4-rc):
- - Fix a bug that made tor try to re-bind() on an already open
- MetricsPort every 60 seconds. Fixes bug 40370; bugfix
- on 0.4.5.1-alpha.
-
-
-Changes in version 0.4.4.9 - 2021-06-14
- Tor 0.4.4.9 fixes several security issues, including a
- denial-of-service attack against onion service clients, and another
- denial-of-service attack against relays. Everybody should upgrade to
- one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
-
- Note that the scheduled end-of-life date for the Tor 0.4.4.x series is
- June 15. This is therefore the last release in its series. Everybody
- still running 0.4.4.x should plan to upgrade to 0.4.5.x or later.
-
- o Major bugfixes (security, backport from 0.4.6.5):
- - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
- half-closed streams. Previously, clients failed to validate which
- hop sent these cells: this would allow a relay on a circuit to end
- a stream that wasn't actually built with it. Fixes bug 40389;
- bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
- 003 and CVE-2021-34548.
-
- o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
- - Detect more failure conditions from the OpenSSL RNG code.
- Previously, we would detect errors from a missing RNG
- implementation, but not failures from the RNG code itself.
- Fortunately, it appears those failures do not happen in practice
- when Tor is using OpenSSL's default RNG implementation. Fixes bug
- 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
- TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
-
- o Major bugfixes (security, denial of service, backport from 0.4.6.5):
- - Resist a hashtable-based CPU denial-of-service attack against
- relays. Previously we used a naive unkeyed hash function to look
- up circuits in a circuitmux object. An attacker could exploit this
- to construct circuits with chosen circuit IDs, to create
- collisions and make the hash table inefficient. Now we use a
- SipHash construction here instead. Fixes bug 40391; bugfix on
- 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
- CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
- - Fix an out-of-bounds memory access in v3 onion service descriptor
- parsing. An attacker could exploit this bug by crafting an onion
- service descriptor that would crash any client that tried to visit
- it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
- tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
- Glazunov from Google's Project Zero.
-
- o Minor features (compatibility, backport from 0.4.6.4-rc):
- - Remove an assertion function related to TLS renegotiation. It was
- used nowhere outside the unit tests, and it was breaking
- compilation with recent alpha releases of OpenSSL 3.0.0. Closes
- ticket 40399.
-
- o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
- - Regenerate the list of fallback directories to contain a new set
- of 200 relays. Closes ticket 40265.
-
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database, as
- retrieved on 2021/06/10.
-
- o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
- - Fix a non-fatal BUG() message due to a too-early free of a string,
- when listing a client connection from the DoS defenses subsystem.
- Fixes bug 40345; bugfix on 0.4.3.4-rc.
-
- o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
- - Fix an indentation problem that led to a warning from GCC 11.1.1.
- Fixes bug 40380; bugfix on 0.3.0.1-alpha.
-
-
-Changes in version 0.3.5.15 - 2021-06-14
- Tor 0.3.5.15 fixes several security issues, including a
- denial-of-service attack against onion service clients, and another
- denial-of-service attack against relays. Everybody should upgrade to
- one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
-
- o Major bugfixes (security, backport from 0.4.6.5):
- - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
- half-closed streams. Previously, clients failed to validate which
- hop sent these cells: this would allow a relay on a circuit to end
- a stream that wasn't actually built with it. Fixes bug 40389;
- bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
- 003 and CVE-2021-34548.
-
- o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
- - Detect more failure conditions from the OpenSSL RNG code.
- Previously, we would detect errors from a missing RNG
- implementation, but not failures from the RNG code itself.
- Fortunately, it appears those failures do not happen in practice
- when Tor is using OpenSSL's default RNG implementation. Fixes bug
- 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
- TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
-
- o Major bugfixes (security, denial of service, backport from 0.4.6.5):
- - Resist a hashtable-based CPU denial-of-service attack against
- relays. Previously we used a naive unkeyed hash function to look
- up circuits in a circuitmux object. An attacker could exploit this
- to construct circuits with chosen circuit IDs, to create
- collisions and make the hash table inefficient. Now we use a
- SipHash construction here instead. Fixes bug 40391; bugfix on
- 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
- CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
- - Fix an out-of-bounds memory access in v3 onion service descriptor
- parsing. An attacker could exploit this bug by crafting an onion
- service descriptor that would crash any client that tried to visit
- it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
- tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
- Glazunov from Google's Project Zero.
-
- o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
- - Fix an indentation problem that led to a warning from GCC 11.1.1.
- Fixes bug 40380; bugfix on 0.3.0.1-alpha.
-
- o Minor features (compatibility, backport from 0.4.6.4-rc):
- - Remove an assertion function related to TLS renegotiation. It was
- used nowhere outside the unit tests, and it was breaking
- compilation with recent alpha releases of OpenSSL 3.0.0. Closes
- ticket 40399.
-
- o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
- - Regenerate the list of fallback directories to contain a new set
- of 200 relays. Closes ticket 40265.
-
- o Minor features (geoip data):
- - Update the geoip files to match the IPFire Location Database, as
- retrieved on 2021/06/10.
-
-
Changes in version 0.4.6.5 - 2021-06-14
Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x
series includes numerous features and bugfixes, including a significant
@@ -641,6 +634,194 @@ Changes in version 0.4.6.5 - 2021-06-14
for now.) Closes ticket 40282.
+Changes in version 0.4.5.9 - 2021-06-14
+ Tor 0.4.5.9 fixes several security issues, including a
+ denial-of-service attack against onion service clients, and another
+ denial-of-service attack against relays. Everybody should upgrade to
+ one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
+
+ o Major bugfixes (security, backport from 0.4.6.5):
+ - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
+ half-closed streams. Previously, clients failed to validate which
+ hop sent these cells: this would allow a relay on a circuit to end
+ a stream that wasn't actually built with it. Fixes bug 40389;
+ bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
+ 003 and CVE-2021-34548.
+
+ o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
+ - Detect more failure conditions from the OpenSSL RNG code.
+ Previously, we would detect errors from a missing RNG
+ implementation, but not failures from the RNG code itself.
+ Fortunately, it appears those failures do not happen in practice
+ when Tor is using OpenSSL's default RNG implementation. Fixes bug
+ 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+ TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
+
+ o Major bugfixes (security, denial of service, backport from 0.4.6.5):
+ - Resist a hashtable-based CPU denial-of-service attack against
+ relays. Previously we used a naive unkeyed hash function to look
+ up circuits in a circuitmux object. An attacker could exploit this
+ to construct circuits with chosen circuit IDs, to create
+ collisions and make the hash table inefficient. Now we use a
+ SipHash construction here instead. Fixes bug 40391; bugfix on
+ 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
+ CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
+ - Fix an out-of-bounds memory access in v3 onion service descriptor
+ parsing. An attacker could exploit this bug by crafting an onion
+ service descriptor that would crash any client that tried to visit
+ it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
+ tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
+ Glazunov from Google's Project Zero.
+
+ o Minor features (compatibility, backport from 0.4.6.4-rc):
+ - Remove an assertion function related to TLS renegotiation. It was
+ used nowhere outside the unit tests, and it was breaking
+ compilation with recent alpha releases of OpenSSL 3.0.0. Closes
+ ticket 40399.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2021/06/10.
+
+ o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc):
+ - Allow the control command SAVECONF to succeed when the seccomp
+ sandbox is enabled, and make SAVECONF keep only one backup file to
+ simplify implementation. Previously SAVECONF allowed a large
+ number of backup files, which made it incompatible with the
+ sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by
+ Daniel Pinto.
+
+ o Minor bugfixes (metrics port, backport from 0.4.6.4-rc):
+ - Fix a bug that made tor try to re-bind() on an already open
+ MetricsPort every 60 seconds. Fixes bug 40370; bugfix
+ on 0.4.5.1-alpha.
+
+
+Changes in version 0.4.4.9 - 2021-06-14
+ Tor 0.4.4.9 fixes several security issues, including a
+ denial-of-service attack against onion service clients, and another
+ denial-of-service attack against relays. Everybody should upgrade to
+ one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
+
+ Note that the scheduled end-of-life date for the Tor 0.4.4.x series is
+ June 15. This is therefore the last release in its series. Everybody
+ still running 0.4.4.x should plan to upgrade to 0.4.5.x or later.
+
+ o Major bugfixes (security, backport from 0.4.6.5):
+ - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
+ half-closed streams. Previously, clients failed to validate which
+ hop sent these cells: this would allow a relay on a circuit to end
+ a stream that wasn't actually built with it. Fixes bug 40389;
+ bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
+ 003 and CVE-2021-34548.
+
+ o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
+ - Detect more failure conditions from the OpenSSL RNG code.
+ Previously, we would detect errors from a missing RNG
+ implementation, but not failures from the RNG code itself.
+ Fortunately, it appears those failures do not happen in practice
+ when Tor is using OpenSSL's default RNG implementation. Fixes bug
+ 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+ TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
+
+ o Major bugfixes (security, denial of service, backport from 0.4.6.5):
+ - Resist a hashtable-based CPU denial-of-service attack against
+ relays. Previously we used a naive unkeyed hash function to look
+ up circuits in a circuitmux object. An attacker could exploit this
+ to construct circuits with chosen circuit IDs, to create
+ collisions and make the hash table inefficient. Now we use a
+ SipHash construction here instead. Fixes bug 40391; bugfix on
+ 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
+ CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
+ - Fix an out-of-bounds memory access in v3 onion service descriptor
+ parsing. An attacker could exploit this bug by crafting an onion
+ service descriptor that would crash any client that tried to visit
+ it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
+ tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
+ Glazunov from Google's Project Zero.
+
+ o Minor features (compatibility, backport from 0.4.6.4-rc):
+ - Remove an assertion function related to TLS renegotiation. It was
+ used nowhere outside the unit tests, and it was breaking
+ compilation with recent alpha releases of OpenSSL 3.0.0. Closes
+ ticket 40399.
+
+ o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
+ - Regenerate the list of fallback directories to contain a new set
+ of 200 relays. Closes ticket 40265.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2021/06/10.
+
+ o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
+ - Fix a non-fatal BUG() message due to a too-early free of a string,
+ when listing a client connection from the DoS defenses subsystem.
+ Fixes bug 40345; bugfix on 0.4.3.4-rc.
+
+ o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
+ - Fix an indentation problem that led to a warning from GCC 11.1.1.
+ Fixes bug 40380; bugfix on 0.3.0.1-alpha.
+
+
+Changes in version 0.3.5.15 - 2021-06-14
+ Tor 0.3.5.15 fixes several security issues, including a
+ denial-of-service attack against onion service clients, and another
+ denial-of-service attack against relays. Everybody should upgrade to
+ one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
+
+ o Major bugfixes (security, backport from 0.4.6.5):
+ - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
+ half-closed streams. Previously, clients failed to validate which
+ hop sent these cells: this would allow a relay on a circuit to end
+ a stream that wasn't actually built with it. Fixes bug 40389;
+ bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
+ 003 and CVE-2021-34548.
+
+ o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
+ - Detect more failure conditions from the OpenSSL RNG code.
+ Previously, we would detect errors from a missing RNG
+ implementation, but not failures from the RNG code itself.
+ Fortunately, it appears those failures do not happen in practice
+ when Tor is using OpenSSL's default RNG implementation. Fixes bug
+ 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+ TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
+
+ o Major bugfixes (security, denial of service, backport from 0.4.6.5):
+ - Resist a hashtable-based CPU denial-of-service attack against
+ relays. Previously we used a naive unkeyed hash function to look
+ up circuits in a circuitmux object. An attacker could exploit this
+ to construct circuits with chosen circuit IDs, to create
+ collisions and make the hash table inefficient. Now we use a
+ SipHash construction here instead. Fixes bug 40391; bugfix on
+ 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
+ CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
+ - Fix an out-of-bounds memory access in v3 onion service descriptor
+ parsing. An attacker could exploit this bug by crafting an onion
+ service descriptor that would crash any client that tried to visit
+ it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
+ tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
+ Glazunov from Google's Project Zero.
+
+ o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
+ - Fix an indentation problem that led to a warning from GCC 11.1.1.
+ Fixes bug 40380; bugfix on 0.3.0.1-alpha.
+
+ o Minor features (compatibility, backport from 0.4.6.4-rc):
+ - Remove an assertion function related to TLS renegotiation. It was
+ used nowhere outside the unit tests, and it was breaking
+ compilation with recent alpha releases of OpenSSL 3.0.0. Closes
+ ticket 40399.
+
+ o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
+ - Regenerate the list of fallback directories to contain a new set
+ of 200 relays. Closes ticket 40265.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2021/06/10.
+
+
Changes in version 0.4.5.8 - 2021-05-10
Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
from the 0.4.6.x series.
diff --git a/changes/bug40400 b/changes/bug40400
deleted file mode 100644
index 47bb1e6a1e..0000000000
--- a/changes/bug40400
+++ /dev/null
@@ -1,6 +0,0 @@
- o Minor bugfixes (usability):
- - Do not log "circuit_receive_relay_cell failed" at LOG_PROTOCOL_WARN;
- instead log it at DEBUG. In every case where we would want to log
- this as a protocol warning, we are already logging another warning
- from inside circuit_receive_relay_cell. Fixes part of bug 40400;
- bugfix on 0.1.1.9-alpha.
diff --git a/changes/bug40400_part2 b/changes/bug40400_part2
deleted file mode 100644
index 9b834d5ea1..0000000000
--- a/changes/bug40400_part2
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (usability):
- - Do not log "RENDEZVOUS1 cell with unrecognized rendezvous cookie"
- at LOG_PROTOCOL_WARN; instead log it at DEBUG. This warning can happen
- naturally if a client gives up on a rendezvous circuit after sending
- INTRODUCE1. Fixes part of bug 40400; bugfix on 0.1.1.13-alpha.
diff --git a/changes/bug40400_part3 b/changes/bug40400_part3
deleted file mode 100644
index b78e800229..0000000000
--- a/changes/bug40400_part3
+++ /dev/null
@@ -1,7 +0,0 @@
- o Minor features (logging, heartbeat):
- - When a relay receives a cell that isn't encrypted properly for
- it, but the relay is the last hop on the circuit, the relay
- now counts how many cells of this kind it receives, on how
- many circuits, and reports this information in the log.
- Previously, we'd log each cell at PROTOCOL_WARN level, which
- is far too verbose to be useful. Fixes part of ticket 40400.
diff --git a/changes/bug40465 b/changes/bug40465
deleted file mode 100644
index d4d225c62e..0000000000
--- a/changes/bug40465
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor bugfixes (compilation):
- - Fix compilation error when __NR_time is not defined. Fixes bug
- 40465; bugfix on 0.2.5.5-alpha. Patch by Daniel Pinto.
diff --git a/changes/bug40471 b/changes/bug40471
deleted file mode 100644
index 323e049599..0000000000
--- a/changes/bug40471
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (dirauth, bandwidth scanner):
- - Add the AuthDirDontVoteOnDirAuthBandwidth dirauth config parameter to
- avoid voting on bandwidth scanner weights to v3 directory authorities.
- Fixes bug 40471; bugfix on 0.2.2.1-alpha. Patch by Neel Chauhan.
diff --git a/changes/bug40486 b/changes/bug40486
deleted file mode 100644
index 83315bfb2b..0000000000
--- a/changes/bug40486
+++ /dev/null
@@ -1,5 +0,0 @@
- o Code simplification and refactoring:
- - Lower the official maximum for "guard-extreme-restriction-percent" to
- 100. This has no effect on when the guard code will generate a warning,
- but it makes the intent of the option clearer. Fixes bug 40486; bugfix
- on 0.3.0.1-alpha.
diff --git a/changes/bug40488 b/changes/bug40488
deleted file mode 100644
index 6fc265cc20..0000000000
--- a/changes/bug40488
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (testing):
- - We now have separate fuzzers for the inner layers of v3 onion
- service descriptors, to prevent future bugs like 40392.
- Closes ticket 40488.
diff --git a/changes/issue11477 b/changes/issue11477
deleted file mode 100644
index bb5d9e4099..0000000000
--- a/changes/issue11477
+++ /dev/null
@@ -1,8 +0,0 @@
- o Minor bugfixes (fragile-hardening, sandbox):
- - When building with --enable-fragile-hardening, add or relax Linux
- seccomp rules to allow AddressSanitizer to execute normally if the
- process terminates with the sandbox active. This has the side
- effect of disabling the filtering of file- and directory-open
- requests on most systems and dilutes the effectiveness of the
- sandbox overall, as a wider range of system calls must be
- permitted. Fixes bug 11477; bugfix on 0.2.5.4-alpha.
diff --git a/changes/issue16803 b/changes/issue16803
deleted file mode 100644
index 7d0dd833e2..0000000000
--- a/changes/issue16803
+++ /dev/null
@@ -1,2 +0,0 @@
- o Testing:
- - Add unit tests for the Linux seccomp sandbox. Resolves issue 16803.
diff --git a/changes/prop335 b/changes/prop335
deleted file mode 100644
index 4fa61ca2e9..0000000000
--- a/changes/prop335
+++ /dev/null
@@ -1,11 +0,0 @@
- o Major features (directory authority):
- - Authorities can now be configured to label relays as "MiddleOnly".
- When voting for this flag, authorities automatically vote against
- Exit, Guard, HSDir, and V2Dir; and in favor of BadExit.
- Implements part of proposal 335. Based on a patch from Neel
- Chauhan.
- - Add a new consensus method to handle MiddleOnly specially. When
- enough authorities are using this method, then any relay
- tagged with the MiddleOnly flag will have its Exit, Guard, HSDir,
- and V2Dir flags automatically cleared, and will have its BadExit flag
- automatically set. Implements part of proposal 335.
diff --git a/changes/ticket26299 b/changes/ticket26299
new file mode 100644
index 0000000000..6b08adf53c
--- /dev/null
+++ b/changes/ticket26299
@@ -0,0 +1,3 @@
+ o Minor feature (reproducible build):
+ - The repository can now build reproducible tarballs which adds the build
+ command "make dist-reprod" for that purpose. Closes ticket 26299.
diff --git a/changes/ticket30477 b/changes/ticket30477
deleted file mode 100644
index 379fc4e7eb..0000000000
--- a/changes/ticket30477
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor features (bridge):
- - We now announce the URL to Tor's new bridge status at
- https://bridges.torproject.org/ when Tor is configured to run as a bridge
- relay. Closes ticket 30477.
diff --git a/changes/ticket34083 b/changes/ticket34083
deleted file mode 100644
index 417d01c5a5..0000000000
--- a/changes/ticket34083
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (onion service):
- - Fix a warning BUG that would occur often on heavily loaded onion service
- leading to filling the logs with useless warnings. Fixes bug 34083; bugfix
- on 0.3.2.1-alpha.
-
diff --git a/changes/ticket40182 b/changes/ticket40182
deleted file mode 100644
index ad75c38534..0000000000
--- a/changes/ticket40182
+++ /dev/null
@@ -1,4 +0,0 @@
- o Minor bugfixes (logging):
- - If a channel has never received, transmitted a cell or seen a client, do
- not calculate time diffs against 1/1/1970 but log another prettier
- message. Fixes bug 40182; bugfix on 0.2.4.4.
diff --git a/changes/ticket40450 b/changes/ticket40450
deleted file mode 100644
index 6753bd04f5..0000000000
--- a/changes/ticket40450
+++ /dev/null
@@ -1,3 +0,0 @@
- o Major features (congestion control):
- - Implement support for flow control over congestion controlled circuits.
- This work comes from proposal 324. Closes ticket 40450.
diff --git a/changes/ticket40469 b/changes/ticket40469
deleted file mode 100644
index 1cb792b4ba..0000000000
--- a/changes/ticket40469
+++ /dev/null
@@ -1,4 +0,0 @@
- o Code simplification and refactoring (rust):
- - Remove Rust support and its associated code. It is unsupported and Rust
- focus should be shifted to arti. Closes 40469.
-
diff --git a/changes/ticket40474 b/changes/ticket40474
deleted file mode 100644
index d2a7231106..0000000000
--- a/changes/ticket40474
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (onion service, TROVE-2021-008):
- - Only log once any v2 access attempts in order to not pollute the logs
- with warnings and avoid recording the times on disk when v2 access was
- attempted. Important to note that the onion address was _never_ logged.
- That is a Low security issue. Fixes bug 40474; bugfix on 0.4.5.8.
diff --git a/changes/ticket40476 b/changes/ticket40476
deleted file mode 100644
index 7179d8b1c6..0000000000
--- a/changes/ticket40476
+++ /dev/null
@@ -1,7 +0,0 @@
- o Minor feature (onion service v2):
- - Onion service v2 address are now not recognized anymore by tor meaning a
- bad hostname is returned when attempting to pass it on a SOCKS
- connection. No more deprecation log is emitted client side. Closes
- ticket 40476.
- - See https://blog.torproject.org/v2-deprecation-timeline for details on
- how to transition from v2 to v3.
diff --git a/changes/ticket40480 b/changes/ticket40480
deleted file mode 100644
index 525e848a1f..0000000000
--- a/changes/ticket40480
+++ /dev/null
@@ -1,3 +0,0 @@
- o Minor feature (authority, relay):
- - Reject End-Of-Life relays running version 0.4.2.x, 0.4.3.x, 0.4.4.x and
- 0.4.5 alphas and rc. Closes ticket 40480.
diff --git a/changes/ticket40484 b/changes/ticket40484
deleted file mode 100644
index 9a9ffdf448..0000000000
--- a/changes/ticket40484
+++ /dev/null
@@ -1,5 +0,0 @@
- o Minor bugfixes (onion service, config):
- - Fix a memory leak for a small config line string that could occur if the
- service failed to be configured from file properly. Fixes bug 40484;
- bugfix on 0.3.2.1-alpha.
-
diff --git a/changes/ticket40485 b/changes/ticket40485
deleted file mode 100644
index 849ee0719f..0000000000
--- a/changes/ticket40485
+++ /dev/null
@@ -1,3 +0,0 @@
- o Testing (CI, chutney):
- - Bump the data size that chutney transmit to 5MB in order to trigger flow
- control and congestion window code. Closes ticket 40485.
diff --git a/changes/ticket40490 b/changes/ticket40490
deleted file mode 100644
index 6e9ef50b42..0000000000
--- a/changes/ticket40490
+++ /dev/null
@@ -1,5 +0,0 @@
- o Major bugfix (relay, metrics):
- - On the MetricsPort, the DNS error statistics are not reported by record
- type ("record=...") anymore due to a libevent bug
- (https://github.com/libevent/libevent/issues/1219). Fixes bug 40490;
- bugfix on 0.4.7.1-alpha.
diff --git a/changes/ticket40491 b/changes/ticket40491
deleted file mode 100644
index 01c6c7d748..0000000000
--- a/changes/ticket40491
+++ /dev/null
@@ -1,7 +0,0 @@
- o Major bugfixes (relay, overload state):
- - Report the general overload state for DNS timeout errors only if X% of all
- DNS queries over Y seconds are errors. Before that, it only took 1 timeout
- to report the overload state which was just too low of a threshold. The X
- and Y values are 1% and 10 minutes respectively but they are also
- controlled by consensus parameters. Fixes bug 40491; bugfix on
- 0.4.6.1-alpha.
diff --git a/changes/ticket40493 b/changes/ticket40493
deleted file mode 100644
index eb9baf916b..0000000000
--- a/changes/ticket40493
+++ /dev/null
@@ -1,2 +0,0 @@
- o Minor features (fallbackdir):
- - Regenerate fallback directories for October 2021. Close ticket 40493.
diff --git a/changes/ticket40504 b/changes/ticket40504
new file mode 100644
index 0000000000..9095591419
--- /dev/null
+++ b/changes/ticket40504
@@ -0,0 +1,3 @@
+ o Documentation (man, relay):
+ - Missing "OverloadStatistics" in tor.1 manpage. Fixes bug 40504; bugfix on
+ 0.4.6.1-alpha.
diff --git a/configure.ac b/configure.ac
index 85b23f24f9..366df64609 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2019, The Tor Project, Inc.
dnl See LICENSE for licensing information
AC_PREREQ([2.63])
-AC_INIT([tor],[0.4.7.1-alpha])
+AC_INIT([tor],[0.4.7.2-alpha-dev])
AC_CONFIG_SRCDIR([src/app/main/tor_main.c])
AC_CONFIG_MACRO_DIR([m4])
@@ -18,7 +18,7 @@ AC_DEFINE_UNQUOTED([CONFIG_FLAGS], ["$configure_flags"], [Flags passed to config
# version number changes. Tor uses it to make sure that it
# only shuts down for missing "required protocols" when those protocols
# are listed as required by a consensus after this date.
-AC_DEFINE(APPROX_RELEASE_DATE, ["2021-09-17"], # for 0.4.7.1-alpha
+AC_DEFINE(APPROX_RELEASE_DATE, ["2021-10-28"], # for 0.4.7.2-alpha-dev
[Approximate date when this software was released. (Updated when the version changes.)])
# "foreign" means we don't follow GNU package layout standards
diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in
index 5b285a5ca9..51ec48835a 100644
--- a/contrib/win32build/tor-mingw.nsi.in
+++ b/contrib/win32build/tor-mingw.nsi.in
@@ -8,7 +8,7 @@
!include "LogicLib.nsh"
!include "FileFunc.nsh"
!insertmacro GetParameters
-!define VERSION "0.4.7.1-alpha"
+!define VERSION "0.4.7.2-alpha-dev"
!define INSTALLER "tor-${VERSION}-win32.exe"
!define WEBSITE "https://www.torproject.org/"
!define LICENSE "LICENSE"
diff --git a/doc/asciidoc-helper.sh b/doc/asciidoc-helper.sh
index edc9b5b0ea..fdaab05b8e 100755
--- a/doc/asciidoc-helper.sh
+++ b/doc/asciidoc-helper.sh
@@ -12,6 +12,8 @@ if [ $# != 3 ]; then
exit 1
fi
+export SOURCE_DATE_EPOCH=$(git show --no-patch --format='%ct')
+
output=$3
if [ "$1" = "html" ]; then
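Review bot: The added `export SOURCE_DATE_EPOCH=$(git show --no-patch --format='%ct')` line overwrites any SOURCE_DATE_EPOCH the build environment already supplied. It also hides a failing `git show`, because the exit status of a command substitution is discarded when it is an argument to `export`. When the script runs outside a git checkout (a release tarball, for instance) the variable would be exported empty, and how the asciidoc command in `$2` reacts to an empty value is not visible from this hunk. Since the change is aimed at reproducible output, keep a caller-supplied timestamp, fall back to the commit time only when none is set, and export only a non-empty result, as sketched below.

```shell
# Keep a timestamp supplied by the build environment; otherwise derive it
# from the last commit, and leave it unset when this is not a git checkout.
if [ -z "${SOURCE_DATE_EPOCH:-}" ]; then
    SOURCE_DATE_EPOCH=$(git show --no-patch --format='%ct' 2>/dev/null) || SOURCE_DATE_EPOCH=
fi
if [ -n "$SOURCE_DATE_EPOCH" ]; then
    export SOURCE_DATE_EPOCH
fi

output=$3
```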
@@ -19,7 +21,7 @@ if [ "$1" = "html" ]; then
base=${output%%.html.in}
if [ "$2" != none ]; then
- TZ=UTC "$2" -d manpage -o "$output" "$input"
+ TZ=UTC "$2" -f "$(dirname $0)/nofooter.conf" -d manpage -o "$output" "$input";
else
echo "=================================="
echo
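Review bot: `$0` is unquoted inside the command substitution on the new asciidoc line, so a checkout path containing spaces or glob characters is split before `dirname` sees it. The `-f` option then no longer points at the intended `nofooter.conf`. Quote the inner expansion as well: `"$(dirname "$0")/nofooter.conf"`. The trailing `;` before `else` is unnecessary. The surrounding `if` block starts and ends outside this hunk.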
diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt
index 3116957bc2..5627b4f01f 100644
--- a/doc/man/tor.1.txt
+++ b/doc/man/tor.1.txt
@@ -2772,6 +2772,26 @@ types of statistics that Tor relays collect and publish:
is enabled, it will be published as part of the extra-info document.
(Default: 1)
+[[OverloadStatistics]] **OverloadStatistics** *0**|**1**::
+ Relays and bridges only.
+ When this option is enabled, a Tor relay will write an overload general
+ line in the server descriptor if the relay is considered overloaded.
+ (Default: 1)
+ +
+ A relay is considered overloaded if at least one of these conditions is
+ met:
+ - Onionskins are starting to be dropped.
+ - The OOM was invoked.
+
+ - (Exit only) DNS timeout occurs X% of the time over Y seconds (values
+ controlled by consensus parameters, see param-spec.txt).
+ +
+ If ExtraInfoStatistics is enabled, it can also put two more specific
+ overload lines in the extra-info document if at least one of these
+ conditions is met:
+ - TCP Port exhaustion.
+ - Connection rate limits have been reached (read and write side).
+
[[PaddingStatistics]] **PaddingStatistics** **0**|**1**::
Relays and bridges only.
When this option is enabled, Tor collects statistics for padding cells
diff --git a/doc/nofooter.conf b/doc/nofooter.conf
new file mode 100644
index 0000000000..f16d76b2da
--- /dev/null
+++ b/doc/nofooter.conf
@@ -0,0 +1,3 @@
+# There is a single space on the footer-text line to make it reproducible.
+[footer-text]
+
diff --git a/scripts/ci/ci-driver.sh b/scripts/ci/ci-driver.sh
index ff4881dd8e..8d009adb59 100755
--- a/scripts/ci/ci-driver.sh
+++ b/scripts/ci/ci-driver.sh
@@ -282,7 +282,7 @@ fi
#############################################################################
# Determine the version of Tor.
-TOR_VERSION=$(grep -m 1 AC_INIT configure.ac | sed -e 's/.*\[//; s/\].*//;')
+TOR_VERSION=$(grep -m 1 AC_INIT ${CI_SRCDIR}/configure.ac | sed -e 's/.*\[//; s/\].*//;')
# Use variables like these when we need to behave differently depending on
# Tor version. Only create the variables we need.
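Review bot: `${CI_SRCDIR}/configure.ac` is unquoted in the new TOR_VERSION line, so a source directory containing spaces breaks the `grep`. If CI_SRCDIR is ever unset or empty, the path also silently becomes `/configure.ac`, which would leave TOR_VERSION empty. Whether CI_SRCDIR is always assigned earlier in the script is not visible from this hunk. Quoting and failing loudly costs nothing: `grep -m 1 AC_INIT "${CI_SRCDIR:?}/configure.ac"`. An empty TOR_VERSION would presumably make the later version-dependent switches take the wrong branch without any error.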
@@ -467,10 +467,9 @@ fi
if [[ "${STEM}" = "yes" ]]; then
start_section "Stem"
- EXCLUDE_TESTS=""
- if [[ "${TOR_VER_AT_LEAST_046}" = 'yes' ]]; then
- EXCLUDE_TESTS="--exclude-test control.controller.test_ephemeral_hidden_services_v2 --exclude-test control.controller.test_hidden_services_conf --exclude-test control.controller.test_with_ephemeral_hidden_services_basic_auth --exclude-test control.controller.test_without_ephemeral_hidden_services --exclude-test control.controller.test_with_ephemeral_hidden_services_basic_auth_no_credentials"
- fi
+ # 0.3.5 and onward have now disabled onion service v2 so we need to exclude
+ # these Stem tests from now on.
+ EXCLUDE_TESTS="--exclude-test control.controller.test_ephemeral_hidden_services_v2 --exclude-test control.controller.test_hidden_services_conf --exclude-test control.controller.test_with_ephemeral_hidden_services_basic_auth --exclude-test control.controller.test_without_ephemeral_hidden_services --exclude-test control.controller.test_with_ephemeral_hidden_services_basic_auth_no_credentials"
if [[ "${TOR_VER_AT_LEAST_044}" = 'yes' ]]; then
# XXXX This should probably be part of some test-stem make target.
diff --git a/scripts/git/git-list-tor-branches.sh b/scripts/git/git-list-tor-branches.sh
index 62547dcc5d..29e91dd1b6 100755
--- a/scripts/git/git-list-tor-branches.sh
+++ b/scripts/git/git-list-tor-branches.sh
@@ -8,7 +8,7 @@ SCRIPT_NAME=$(basename "$0")
function usage()
{
- echo "$SCRIPT_NAME [-h] [-l|-s|-b|-m] [-R]"
+ echo "$SCRIPT_NAME [-h] [-l|-s|-b|-m] [-R|-M]"
echo
echo " arguments:"
echo " -h: show this help text"
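Review bot: The usage string `[-R|-M]` reads as if the two flags were alternatives. The option loop later in this diff sets `skip_release_branches` and `skip_maint_branches` independently, so both can be given in one invocation. If combining them is intended, the synopsis should show them as separate optional flags: `echo "$SCRIPT_NAME [-h] [-l|-s|-b|-m] [-R] [-M]"`. If they are meant to be exclusive, the `getopts` loop needs a check that rejects the combination.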
@@ -20,6 +20,7 @@ function usage()
echo " ( branch parent path suffix parent_suffix ) arrays"
echo
echo " -R: omit release branches."
+ echo " -M: omit maint branches."
}
# list : just a list of branch names.
@@ -27,9 +28,10 @@ function usage()
# suffix: write a list of suffixes.
# merge: branch, upstream, path, suffix, upstream suffix.
mode="list"
+skip_maint_branches="no"
skip_release_branches="no"
-while getopts "hblmsR" opt ; do
+while getopts "hblmsRM" opt ; do
case "$opt" in
h) usage
exit 0
@@ -42,6 +44,8 @@ while getopts "hblmsR" opt ; do
;;
m) mode="merge"
;;
+ M) skip_maint_branches="yes"
+ ;;
R) skip_release_branches="yes"
;;
*) echo "Unknown option"
@@ -80,6 +84,9 @@ branch() {
suffix="_${brname_nodots#maint-}"
location="\$GIT_PATH/\$TOR_WKT_NAME/$brname"
is_maint="yes"
+ if [[ "$skip_maint_branches" = "yes" ]]; then
+ return
+ fi
elif [[ "$brname" =~ ^release- ]]; then
suffix="_r${brname_nodots#release-}"
location="\$GIT_PATH/\$TOR_WKT_NAME/$brname"
diff --git a/scripts/maint/geoip/update_geoip.sh b/scripts/maint/geoip/update_geoip.sh
index 9289e7a969..743683ab62 100755
--- a/scripts/maint/geoip/update_geoip.sh
+++ b/scripts/maint/geoip/update_geoip.sh
@@ -5,7 +5,7 @@ set -e
DIR=$(cd "$(dirname "$0")" && pwd)
TMP=$(mktemp -d)
-location update
+location --quiet update
location dump "$TMP/geoip-dump.txt"
OLDDIR=$(pwd)
diff --git a/src/core/or/congestion_control_flow.c b/src/core/or/congestion_control_flow.c
index 9e0cd670c7..805654664c 100644
--- a/src/core/or/congestion_control_flow.c
+++ b/src/core/or/congestion_control_flow.c
@@ -447,7 +447,7 @@ flow_control_decide_xoff(edge_connection_t *stream)
if (total_buffered > buffer_limit_xoff) {
if (!stream->xoff_sent) {
- log_info(LD_EDGE, "Sending XOFF: %ld %d",
+ log_info(LD_EDGE, "Sending XOFF: %"TOR_PRIuSZ" %d",
total_buffered, buffer_limit_xoff);
tor_trace(TR_SUBSYS(cc), TR_EV(flow_decide_xoff_sending), stream);
@@ -544,7 +544,7 @@ flow_control_decide_xon(edge_connection_t *stream, size_t n_written)
/* If we have no drain start timestamp, and we still have
* remaining buffer, start the buffering counter */
if (!stream->drain_start_usec && total_buffered > 0) {
- log_debug(LD_EDGE, "Began edge buffering: %d %d %ld",
+ log_debug(LD_EDGE, "Began edge buffering: %d %d %"TOR_PRIuSZ,
stream->ewma_rate_last_sent,
stream->ewma_drain_rate,
total_buffered);
@@ -580,7 +580,7 @@ flow_control_decide_xon(edge_connection_t *stream, size_t n_written)
(uint32_t)n_count_ewma(drain_rate,
stream->ewma_drain_rate,
xon_ewma_cnt);
- log_debug(LD_EDGE, "Updating drain rate: %d %d %ld",
+ log_debug(LD_EDGE, "Updating drain rate: %d %d %"TOR_PRIuSZ,
drain_rate,
stream->ewma_drain_rate,
total_buffered);
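Review bot: The `%d` conversions left beside the corrected size_t one still look mismatched. In this hunk the value stored just above the log call is cast to `(uint32_t)`, which suggests `drain_rate` and `stream->ewma_drain_rate` are unsigned 32-bit, so a large rate would be logged as a negative number. If the declarations (outside this diff) confirm that, use the matching macro, e.g. `"Updating drain rate: %"PRIu32" %"PRIu32" %"TOR_PRIuSZ`. The same applies to the `ewma_rate_last_sent` and `ewma_drain_rate` arguments in the other flow_control_decide_xon hunks. The type of `buffer_limit_xoff` in the flow_control_decide_xoff hunk should be checked too. The function body starts and ends outside the hunk.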
@@ -600,7 +600,7 @@ flow_control_decide_xon(edge_connection_t *stream, size_t n_written)
if (stream_drain_rate_changed(stream)) {
/* If we are still buffering and the rate changed, update
* advisory XON */
- log_info(LD_EDGE, "Sending rate-change XON: %d %d %ld",
+ log_info(LD_EDGE, "Sending rate-change XON: %d %d %"TOR_PRIuSZ,
stream->ewma_rate_last_sent,
stream->ewma_drain_rate,
total_buffered);
@@ -608,7 +608,7 @@ flow_control_decide_xon(edge_connection_t *stream, size_t n_written)
circuit_send_stream_xon(stream);
}
} else if (total_buffered == 0) {
- log_info(LD_EDGE, "Sending XON: %d %d %ld",
+ log_info(LD_EDGE, "Sending XON: %d %d %"TOR_PRIuSZ,
stream->ewma_rate_last_sent,
stream->ewma_drain_rate,
total_buffered);
diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h
index 2d97ea858a..7c9b01ac34 100644
--- a/src/win32/orconfig.h
+++ b/src/win32/orconfig.h
@@ -217,7 +217,7 @@
#define USING_TWOS_COMPLEMENT
/* Version number of package */
-#define VERSION "0.4.7.1-alpha"
+#define VERSION "0.4.7.2-alpha-dev"
#define HAVE_STRUCT_SOCKADDR_IN6
#define HAVE_STRUCT_IN6_ADDR