aboutsummaryrefslogtreecommitdiff
path: root/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog916
1 files changed, 915 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 4d93e1987e..80f7785a81 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,912 @@
-Changes in version 0.2.6.4-?? - 2015-0?-??
+Changes in version 0.2.7.2-alpha - 2015-07-27
+ This, the second alpha in the Tor 0.2.7 series, has a number of new
+ features, including a way to manually pick the number of introduction
+ points for hidden services, and the much stronger Ed25519 signing key
+ algorithm for regular Tor relays (including support for encrypted
+ offline identity keys in the new algorithm).
+
+ Support for Ed25519 on relays is currently limited to signing router
+ descriptors; later alphas in this series will extend Ed25519 key
+ support to more parts of the Tor protocol.
+
+ o Major features (Ed25519 identity keys, Proposal 220):
+ - All relays now maintain a stronger identity key, using the Ed25519
+ elliptic curve signature format. This master key is designed so
+ that it can be kept offline. Relays also generate an online
+ signing key, and a set of other Ed25519 keys and certificates.
+ These are all automatically regenerated and rotated as needed.
+ Implements part of ticket 12498.
+ - Directory authorities now vote on Ed25519 identity keys along with
+ RSA1024 keys. Implements part of ticket 12498.
+ - Directory authorities track which Ed25519 identity keys have been
+ used with which RSA1024 identity keys, and do not allow them to
+ vary freely. Implements part of ticket 12498.
+ - Microdescriptors now include Ed25519 identity keys. Implements
+ part of ticket 12498.
+ - Add support for offline encrypted Ed25519 master keys. To use this
+ feature on your tor relay, run "tor --keygen" to make a new master
+ key (or to make a new signing key if you already have a master
+ key). Closes ticket 13642.
+
+ o Major features (Hidden services):
+ - Add the torrc option HiddenServiceNumIntroductionPoints, to
+ specify a fixed number of introduction points. Its maximum value
+ is 10 and default is 3. Using this option can increase a hidden
+ service's reliability under load, at the cost of making it more
+ visible that the hidden service is facing extra load. Closes
+ ticket 4862.
+ - Remove the adaptive algorithm for choosing the number of
+ introduction points, which used to change the number of
+ introduction points (poorly) depending on the number of
+ connections the HS sees. Closes ticket 4862.
+
+ o Major features (onion key cross-certification):
+ - Relay descriptors now include signatures of their own identity
+ keys, made using the TAP and ntor onion keys. These signatures
+ allow relays to prove ownership of their own onion keys. Because
+ of this change, microdescriptors will no longer need to include
+ RSA identity keys. Implements proposal 228; closes ticket 12499.
+ o Major features (performance):
+ - Improve the runtime speed of Ed25519 operations by using the
+ public-domain Ed25519-donna by Andrew M. ("floodyberry").
+ Implements ticket 16467.
+ - Improve the runtime speed of the ntor handshake by using an
+ optimized curve25519 basepoint scalarmult implementation from the
+ public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on
+ ideas by Adam Langley. Implements ticket 9663.
+
+ o Major bugfixes (client-side privacy, also in 0.2.6.9):
+ - Properly separate out each SOCKSPort when applying stream
+ isolation. The error occurred because each port's session group
+ was being overwritten by a default value when the listener
+ connection was initialized. Fixes bug 16247; bugfix on
+ 0.2.6.3-alpha. Patch by "jojelino".
+
+ o Major bugfixes (hidden service clients, stability, also in 0.2.6.10):
+ - Stop refusing to store updated hidden service descriptors on a
+ client. This reverts commit 9407040c59218 (which indeed fixed bug
+ 14219, but introduced a major hidden service reachability
+ regression detailed in bug 16381). This is a temporary fix since
+ we can live with the minor issue in bug 14219 (it just results in
+ some load on the network) but the regression of 16381 is too much
+ of a setback. First-round fix for bug 16381; bugfix
+ on 0.2.6.3-alpha.
+
+ o Major bugfixes (hidden services):
+ - When cannibalizing a circuit for an introduction point, always
+ extend to the chosen exit node (creating a 4 hop circuit).
+ Previously Tor would use the current circuit exit node, which
+ changed the original choice of introduction point, and could cause
+ the hidden service to skip excluded introduction points or
+ reconnect to a skipped introduction point. Fixes bug 16260; bugfix
+ on 0.1.0.1-rc.
+
+ o Major bugfixes (open file limit):
+ - The open file limit wasn't checked before calling
+ tor_accept_socket_nonblocking(), which would make Tor exceed the
+ limit. Now, before opening a new socket, Tor validates the open
+ file limit just before, and if the max has been reached, return an
+ error. Fixes bug 16288; bugfix on 0.1.1.1-alpha.
+
+ o Major bugfixes (stability, also in 0.2.6.10):
+ - Stop crashing with an assertion failure when parsing certain kinds
+ of malformed or truncated microdescriptors. Fixes bug 16400;
+ bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
+ by "cypherpunks_backup".
+ - Stop random client-side assertion failures that could occur when
+ connecting to a busy hidden service, or connecting to a hidden
+ service while a NEWNYM is in progress. Fixes bug 16013; bugfix
+ on 0.1.0.1-rc.
+
+ o Minor features (directory authorities, security, also in 0.2.6.9):
+ - The HSDir flag given by authorities now requires the Stable flag.
+ For the current network, this results in going from 2887 to 2806
+ HSDirs. Also, it makes it harder for an attacker to launch a sybil
+ attack by raising the effort for a relay to become Stable to
+ require at the very least 7 days, while maintaining the 96 hours
+ uptime requirement for HSDir. Implements ticket 8243.
+
+ o Minor features (client):
+ - Relax the validation of hostnames in SOCKS5 requests, allowing the
+ character '_' to appear, in order to cope with domains observed in
+ the wild that are serving non-RFC compliant records. Resolves
+ ticket 16430.
+ - Relax the validation done to hostnames in SOCKS5 requests, and
+ allow a single trailing '.' to cope with clients that pass FQDNs
+ using that syntax to explicitly indicate that the domain name is
+ fully-qualified. Fixes bug 16674; bugfix on 0.2.6.2-alpha.
+ - Add GroupWritable and WorldWritable options to unix-socket based
+ SocksPort and ControlPort options. These options apply to a single
+ socket, and override {Control,Socks}SocketsGroupWritable. Closes
+ ticket 15220.
+
+ o Minor features (control protocol):
+ - Support network-liveness GETINFO key and NETWORK_LIVENESS event in
+ the control protocol. Resolves ticket 15358.
+
+ o Minor features (directory authorities):
+ - Directory authorities no longer vote against the "Fast", "Stable",
+ and "HSDir" flags just because they were going to vote against
+ "Running": if the consensus turns out to be that the router was
+ running, then the authority's vote should count. Patch from Peter
+ Retzlaff; closes issue 8712.
+
+ o Minor features (geoip, also in 0.2.6.10):
+ - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
+ - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
+
+ o Minor features (hidden services):
+ - Add the new options "HiddenServiceMaxStreams" and
+ "HiddenServiceMaxStreamsCloseCircuit" to allow hidden services to
+ limit the maximum number of simultaneous streams per circuit, and
+ optionally tear down the circuit when the limit is exceeded. Part
+ of ticket 16052.
+
+ o Minor features (portability):
+ - Use C99 variadic macros when the compiler is not GCC. This avoids
+ failing compilations on MSVC, and fixes a log-file-based race
+ condition in our old workarounds. Original patch from Gisle Vanem.
+
+ o Minor bugfixes (compilation, also in 0.2.6.9):
+ - Build with --enable-systemd correctly when libsystemd is
+ installed, but systemd is not. Fixes bug 16164; bugfix on
+ 0.2.6.3-alpha. Patch from Peter Palfrader.
+
+ o Minor bugfixes (controller):
+ - Add the descriptor ID in each HS_DESC control event. It was
+ missing, but specified in control-spec.txt. Fixes bug 15881;
+ bugfix on 0.2.5.2-alpha.
+
+ o Minor bugfixes (crypto error-handling, also in 0.2.6.10):
+ - Check for failures from crypto_early_init, and refuse to continue.
+ A previous typo meant that we could keep going with an
+ uninitialized crypto library, and would have OpenSSL initialize
+ its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
+ when implementing ticket 4900. Patch by "teor".
+
+ o Minor bugfixes (hidden services):
+ - Fix a crash when reloading configuration while at least one
+ configured and one ephemeral hidden service exists. Fixes bug
+ 16060; bugfix on 0.2.7.1-alpha.
+ - Avoid crashing with a double-free bug when we create an ephemeral
+ hidden service but adding it fails for some reason. Fixes bug
+ 16228; bugfix on 0.2.7.1-alpha.
+
+ o Minor bugfixes (Linux seccomp2 sandbox):
+ - Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is
+ defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha.
+
+ o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10):
+ - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
+ these when eventfd2() support is missing. Fixes bug 16363; bugfix
+ on 0.2.6.3-alpha. Patch from "teor".
+
+ o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9):
+ - Fix sandboxing to work when running as a relay, by allowing the
+ renaming of secret_id_key, and allowing the eventfd2 and futex
+ syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. Patch by
+ Peter Palfrader.
+ - Allow systemd connections to work with the Linux seccomp2 sandbox
+ code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
+ Peter Palfrader.
+
+ o Minor bugfixes (relay):
+ - Fix a rarely-encountered memory leak when failing to initialize
+ the thread pool. Fixes bug 16631; bugfix on 0.2.6.3-alpha. Patch
+ from "cypherpunks".
+
+ o Minor bugfixes (systemd):
+ - Fix an accidental formatting error that broke the systemd
+ configuration file. Fixes bug 16152; bugfix on 0.2.7.1-alpha.
+ - Tor's systemd unit file no longer contains extraneous spaces.
+ These spaces would sometimes confuse tools like deb-systemd-
+ helper. Fixes bug 16162; bugfix on 0.2.5.5-alpha.
+
+ o Minor bugfixes (tests):
+ - Use the configured Python executable when running test-stem-full.
+ Fixes bug 16470; bugfix on 0.2.7.1-alpha.
+
+ o Minor bugfixes (tests, also in 0.2.6.9):
+ - Fix a crash in the unit tests when built with MSVC2013. Fixes bug
+ 16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
+
+ o Minor bugfixes (threads, comments):
+ - Always initialize return value in compute_desc_id in rendcommon.c
+ Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
+ - Check for NULL values in getinfo_helper_onions(). Patch by "teor".
+ Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
+ - Remove undefined directive-in-macro in test_util_writepid clang
+ 3.7 complains that using a preprocessor directive inside a macro
+ invocation in test_util_writepid in test_util.c is undefined.
+ Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha.
+
+ o Code simplification and refactoring:
+ - Define WINVER and _WIN32_WINNT centrally, in orconfig.h, in order
+ to ensure they remain consistent and visible everywhere.
+ - Remove some vestigial workarounds for the MSVC6 compiler. We
+ haven't supported that in ages.
+ - The link authentication code has been refactored for better
+ testability and reliability. It now uses code generated with the
+ "trunnel" binary encoding generator, to reduce the risk of bugs
+ due to programmer error. Done as part of ticket 12498.
+
+ o Documentation:
+ - Include a specific and (hopefully) accurate documentation of the
+ torrc file's meta-format in doc/torrc_format.txt. This is mainly
+ of interest to people writing programs to parse or generate torrc
+ files. This document is not a commitment to long-term
+ compatibility; some aspects of the current format are a bit
+ ridiculous. Closes ticket 2325.
+
+ o Removed features:
+ - Tor no longer supports copies of OpenSSL that are missing support
+ for Elliptic Curve Cryptography. (We began using ECC when
+ available in 0.2.4.8-alpha, for more safe and efficient key
+ negotiation.) In particular, support for at least one of P256 or
+ P224 is now required, with manual configuration needed if only
+ P224 is available. Resolves ticket 16140.
+ - Tor no longer supports versions of OpenSSL before 1.0. (If you are
+ on an operating system that has not upgraded to OpenSSL 1.0 or
+ later, and you compile Tor from source, you will need to install a
+ more recent OpenSSL to link Tor against.) These versions of
+ OpenSSL are still supported by the OpenSSL, but the numerous
+ cryptographic improvements in later OpenSSL releases makes them a
+ clear choice. Resolves ticket 16034.
+ - Remove the HidServDirectoryV2 option. Now all relays offer to
+ store hidden service descriptors. Related to 16543.
+ - Remove the VoteOnHidServDirectoriesV2 option, since all
+ authorities have long set it to 1. Closes ticket 16543.
+
+ o Testing:
+ - Document use of coverity, clang static analyzer, and clang dynamic
+ undefined behavior and address sanitizers in doc/HACKING. Include
+ detailed usage instructions in the blacklist. Patch by "teor".
+ Closes ticket 15817.
+ - The link authentication protocol code now has extensive tests.
+ - The relay descriptor signature testing code now has
+ extensive tests.
+ - The test_workqueue program now runs faster, and is enabled by
+ default as a part of "make check".
+ - Now that OpenSSL has its own scrypt implementation, add an unit
+ test that checks for interoperability between libscrypt_scrypt()
+ and OpenSSL's EVP_PBE_scrypt() so that we could not use libscrypt
+ and rely on EVP_PBE_scrypt() whenever possible. Resolves
+ ticket 16189.
+
+
+Changes in version 0.2.6.10 - 2015-07-12
+ Tor version 0.2.6.10 fixes some significant stability and hidden
+ service client bugs, bulletproofs the cryptography init process, and
+ fixes a bug when using the sandbox code with some older versions of
+ Linux. Everyone running an older version, especially an older version
+ of 0.2.6, should upgrade.
+
+ o Major bugfixes (hidden service clients, stability):
+ - Stop refusing to store updated hidden service descriptors on a
+ client. This reverts commit 9407040c59218 (which indeed fixed bug
+ 14219, but introduced a major hidden service reachability
+ regression detailed in bug 16381). This is a temporary fix since
+ we can live with the minor issue in bug 14219 (it just results in
+ some load on the network) but the regression of 16381 is too much
+ of a setback. First-round fix for bug 16381; bugfix
+ on 0.2.6.3-alpha.
+
+ o Major bugfixes (stability):
+ - Stop crashing with an assertion failure when parsing certain kinds
+ of malformed or truncated microdescriptors. Fixes bug 16400;
+ bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
+ by "cypherpunks_backup".
+ - Stop random client-side assertion failures that could occur when
+ connecting to a busy hidden service, or connecting to a hidden
+ service while a NEWNYM is in progress. Fixes bug 16013; bugfix
+ on 0.1.0.1-rc.
+
+ o Minor features (geoip):
+ - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
+ - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
+
+ o Minor bugfixes (crypto error-handling):
+ - Check for failures from crypto_early_init, and refuse to continue.
+ A previous typo meant that we could keep going with an
+ uninitialized crypto library, and would have OpenSSL initialize
+ its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
+ when implementing ticket 4900. Patch by "teor".
+
+ o Minor bugfixes (Linux seccomp2 sandbox):
+ - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
+ these when eventfd2() support is missing. Fixes bug 16363; bugfix
+ on 0.2.6.3-alpha. Patch from "teor".
+
+
+Changes in version 0.2.6.9 - 2015-06-11
+ Tor 0.2.6.9 fixes a regression in the circuit isolation code, increases the
+ requirements for receiving an HSDir flag, and addresses some other small
+ bugs in the systemd and sandbox code. Clients using circuit isolation
+ should upgrade; all directory authorities should upgrade.
+
+ o Major bugfixes (client-side privacy):
+ - Properly separate out each SOCKSPort when applying stream
+ isolation. The error occurred because each port's session group was
+ being overwritten by a default value when the listener connection
+ was initialized. Fixes bug 16247; bugfix on 0.2.6.3-alpha. Patch
+ by "jojelino".
+
+ o Minor feature (directory authorities, security):
+ - The HSDir flag given by authorities now requires the Stable flag.
+ For the current network, this results in going from 2887 to 2806
+ HSDirs. Also, it makes it harder for an attacker to launch a sybil
+ attack by raising the effort for a relay to become Stable which
+ takes at the very least 7 days to do so and by keeping the 96
+ hours uptime requirement for HSDir. Implements ticket 8243.
+
+ o Minor bugfixes (compilation):
+ - Build with --enable-systemd correctly when libsystemd is
+ installed, but systemd is not. Fixes bug 16164; bugfix on
+ 0.2.6.3-alpha. Patch from Peter Palfrader.
+
+ o Minor bugfixes (Linux seccomp2 sandbox):
+ - Fix sandboxing to work when running as a relaymby renaming of
+ secret_id_key, and allowing the eventfd2 and futex syscalls. Fixes
+ bug 16244; bugfix on 0.2.6.1-alpha. Patch by Peter Palfrader.
+ - Allow systemd connections to work with the Linux seccomp2 sandbox
+ code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
+ Peter Palfrader.
+
+ o Minor bugfixes (tests):
+ - Fix a crash in the unit tests when built with MSVC2013. Fixes bug
+ 16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
+
+
+Changes in version 0.2.6.8 - 2015-05-21
+ Tor 0.2.6.8 fixes a bit of dodgy code in parsing INTRODUCE2 cells, and
+ fixes an authority-side bug in assigning the HSDir flag. All directory
+ authorities should upgrade.
+
+ o Major bugfixes (hidden services, backport from 0.2.7.1-alpha):
+ - Revert commit that made directory authorities assign the HSDir
+ flag to relay without a DirPort; this was bad because such relays
+ can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
+ on tor-0.2.6.3-alpha.
+
+ o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
+ a client authorized hidden service. Fixes bug 15823; bugfix
+ on 0.2.1.6-alpha.
+
+ o Minor features (geoip):
+ - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
+ - Update geoip6 to the April 8 2015 Maxmind GeoLite2
+ Country database.
+
+
+Changes in version 0.2.7.1-alpha - 2015-05-12
+ Tor 0.2.7.1-alpha is the first alpha release in its series. It
+ includes numerous small features and bugfixes against previous Tor
+ versions, and numerous small infrastructure improvements. The most
+ notable features are several new ways for controllers to interact with
+ the hidden services subsystem.
+
+ o New system requirements:
+ - Tor no longer includes workarounds to support Libevent versions
+ before 1.3e. Libevent 2.0 or later is recommended. Closes
+ ticket 15248.
+
+ o Major features (controller):
+ - Add the ADD_ONION and DEL_ONION commands that allow the creation
+ and management of hidden services via the controller. Closes
+ ticket 6411.
+ - New "GETINFO onions/current" and "GETINFO onions/detached"
+ commands to get information about hidden services created via the
+ controller. Part of ticket 6411.
+ - New HSFETCH command to launch a request for a hidden service
+ descriptor. Closes ticket 14847.
+ - New HSPOST command to upload a hidden service descriptor. Closes
+ ticket 3523. Patch by "DonnchaC".
+
+ o Major bugfixes (hidden services):
+ - Revert commit that made directory authorities assign the HSDir
+ flag to relay without a DirPort; this was bad because such relays
+ can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
+ on tor-0.2.6.3-alpha.
+
+ o Minor features (clock-jump tolerance):
+ - Recover better when our clock jumps back many hours, like might
+ happen for Tails or Whonix users who start with a very wrong
+ hardware clock, use Tor to discover a more accurate time, and then
+ fix their clock. Resolves part of ticket 8766.
+
+ o Minor features (command-line interface):
+ - Make --hash-password imply --hush to prevent unnecessary noise.
+ Closes ticket 15542. Patch from "cypherpunks".
+ - Print a warning whenever we find a relative file path being used
+ as torrc option. Resolves issue 14018.
+
+ o Minor features (controller):
+ - Add DirAuthority lines for default directory authorities to the
+ output of the "GETINFO config/defaults" command if not already
+ present. Implements ticket 14840.
+ - Controllers can now use "GETINFO hs/client/desc/id/..." to
+ retrieve items from the client's hidden service descriptor cache.
+ Closes ticket 14845.
+ - Implement a new controller command "GETINFO status/fresh-relay-
+ descs" to fetch a descriptor/extrainfo pair that was generated on
+ demand just for the controller's use. Implements ticket 14784.
+
+ o Minor features (DoS-resistance):
+ - Make it harder for attackers to overload hidden services with
+ introductions, by blocking multiple introduction requests on the
+ same circuit. Resolves ticket 15515.
+
+ o Minor features (geoip):
+ - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
+ - Update geoip6 to the April 8 2015 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (HS popularity countermeasure):
+ - To avoid leaking HS popularity, don't cycle the introduction point
+ when we've handled a fixed number of INTRODUCE2 cells but instead
+ cycle it when a random number of introductions is reached, thus
+ making it more difficult for an attacker to find out the amount of
+ clients that have used the introduction point for a specific HS.
+ Closes ticket 15745.
+
+ o Minor features (logging):
+ - Include the Tor version in all LD_BUG log messages, since people
+ tend to cut and paste those into the bugtracker. Implements
+ ticket 15026.
+
+ o Minor features (pluggable transports):
+ - When launching managed pluggable transports on Linux systems,
+ attempt to have the kernel deliver a SIGTERM on tor exit if the
+ pluggable transport process is still running. Resolves
+ ticket 15471.
+ - When launching managed pluggable transports, setup a valid open
+ stdin in the child process that can be used to detect if tor has
+ terminated. The "TOR_PT_EXIT_ON_STDIN_CLOSE" environment variable
+ can be used by implementations to detect this new behavior.
+ Resolves ticket 15435.
+
+ o Minor features (testing):
+ - Add a test to verify that the compiler does not eliminate our
+ memwipe() implementation. Closes ticket 15377.
+ - Add make rule `check-changes` to verify the format of changes
+ files. Closes ticket 15180.
+ - Add unit tests for control_event_is_interesting(). Add a compile-
+ time check that the number of events doesn't exceed the capacity
+ of control_event_t.event_mask. Closes ticket 15431, checks for
+ bugs similar to 13085. Patch by "teor".
+ - Command-line argument tests moved to Stem. Resolves ticket 14806.
+ - Integrate the ntor, backtrace, and zero-length keys tests into the
+ automake test suite. Closes ticket 15344.
+ - Remove assertions during builds to determine Tor's test coverage.
+ We don't want to trigger these even in assertions, so including
+ them artificially makes our branch coverage look worse than it is.
+ This patch provides the new test-stem-full and coverage-html-full
+ configure options. Implements ticket 15400.
+
+ o Minor bugfixes (build):
+ - Improve out-of-tree builds by making non-standard rules work and
+ clean up additional files and directories. Fixes bug 15053; bugfix
+ on 0.2.7.0-alpha.
+
+ o Minor bugfixes (command-line interface):
+ - When "--quiet" is provided along with "--validate-config", do not
+ write anything to stdout on success. Fixes bug 14994; bugfix
+ on 0.2.3.3-alpha.
+ - When complaining about bad arguments to "--dump-config", use
+ stderr, not stdout.
+
+ o Minor bugfixes (configuration, unit tests):
+ - Only add the default fallback directories when the DirAuthorities,
+ AlternateDirAuthority, and FallbackDir directory config options
+ are set to their defaults. The default fallback directory list is
+ currently empty, this fix will only change tor's behavior when it
+ has default fallback directories. Includes unit tests for
+ consider_adding_dir_servers(). Fixes bug 15642; bugfix on
+ 90f6071d8dc0 in 0.2.4.7-alpha. Patch by "teor".
+
+ o Minor bugfixes (correctness):
+ - For correctness, avoid modifying a constant string in
+ handle_control_postdescriptor. Fixes bug 15546; bugfix
+ on 0.1.1.16-rc.
+ - Remove side-effects from tor_assert() calls. This was harmless,
+ because we never disable assertions, but it is bad style and
+ unnecessary. Fixes bug 15211; bugfix on 0.2.5.5, 0.2.2.36,
+ and 0.2.0.10.
+
+ o Minor bugfixes (hidden service):
+ - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
+ a client authorized hidden service. Fixes bug 15823; bugfix
+ on 0.2.1.6-alpha.
+ - Remove an extraneous newline character from the end of hidden
+ service descriptors. Fixes bug 15296; bugfix on 0.2.0.10-alpha.
+
+ o Minor bugfixes (interface):
+ - Print usage information for --dump-config when it is used without
+ an argument. Also, fix the error message to use different wording
+ and add newline at the end. Fixes bug 15541; bugfix
+ on 0.2.5.1-alpha.
+
+ o Minor bugfixes (logs):
+ - When building Tor under Clang, do not include an extra set of
+ parentheses in log messages that include function names. Fixes bug
+ 15269; bugfix on every released version of Tor when compiled with
+ recent enough Clang.
+
+ o Minor bugfixes (network):
+ - When attempting to use fallback technique for network interface
+ lookup, disregard loopback and multicast addresses since they are
+ unsuitable for public communications.
+
+ o Minor bugfixes (statistics):
+ - Disregard the ConnDirectionStatistics torrc options when Tor is
+ not a relay since in that mode of operation no sensible data is
+ being collected and because Tor might run into measurement hiccups
+ when running as a client for some time, then becoming a relay.
+ Fixes bug 15604; bugfix on 0.2.2.35.
+
+ o Minor bugfixes (test networks):
+ - When self-testing reachability, use ExtendAllowPrivateAddresses to
+ determine if local/private addresses imply reachability. The
+ previous fix used TestingTorNetwork, which implies
+ ExtendAllowPrivateAddresses, but this excluded rare configurations
+ where ExtendAllowPrivateAddresses is set but TestingTorNetwork is
+ not. Fixes bug 15771; bugfix on 0.2.6.1-alpha. Patch by "teor",
+ issue discovered by CJ Ess.
+
+ o Minor bugfixes (testing):
+ - Check for matching value in server response in ntor_ref.py. Fixes
+ bug 15591; bugfix on 0.2.4.8-alpha. Reported and fixed
+ by "joelanders".
+ - Set the severity correctly when testing
+ get_interface_addresses_ifaddrs() and
+ get_interface_addresses_win32(), so that the tests fail gracefully
+ instead of triggering an assertion. Fixes bug 15759; bugfix on
+ 0.2.6.3-alpha. Reported by Nicolas Derive.
+
+ o Code simplification and refactoring:
+ - Move the hacky fallback code out of get_interface_address6() into
+ separate function and get it covered with unit-tests. Resolves
+ ticket 14710.
+ - Refactor hidden service client-side cache lookup to intelligently
+ report its various failure cases, and disentangle failure cases
+ involving a lack of introduction points. Closes ticket 14391.
+ - Use our own Base64 encoder instead of OpenSSL's, to allow more
+ control over the output. Part of ticket 15652.
+
+ o Documentation:
+ - Improve the descriptions of statistics-related torrc options in
+ the manpage to describe rationale and possible uses cases. Fixes
+ issue 15550.
+ - Improve the layout and formatting of ./configure --help messages.
+ Closes ticket 15024. Patch from "cypherpunks".
+ - Standardize on the term "server descriptor" in the manual page.
+ Previously, we had used "router descriptor", "server descriptor",
+ and "relay descriptor" interchangeably. Part of ticket 14987.
+
+ o Removed code:
+ - Remove `USE_OPENSSL_BASE64` and the corresponding fallback code
+ and always use the internal Base64 decoder. The internal decoder
+ has been part of tor since tor-0.2.0.10-alpha, and no one should
+ be using the OpenSSL one. Part of ticket 15652.
+ - Remove the 'tor_strclear()' function; use memwipe() instead.
+ Closes ticket 14922.
+
+ o Removed features:
+ - Remove the (seldom-used) DynamicDHGroups feature. For anti-
+ fingerprinting we now recommend pluggable transports; for forward-
+ secrecy in TLS, we now use the P-256 group. Closes ticket 13736.
+ - Remove the undocumented "--digests" command-line option. It
+ complicated our build process, caused subtle build issues on
+ multiple platforms, and is now redundant since we started
+ including git version identifiers. Closes ticket 14742.
+ - Tor no longer contains checks for ancient directory cache versions
+ that didn't know about microdescriptors.
+ - Tor no longer contains workarounds for stat files generated by
+ super-old versions of Tor that didn't choose guards sensibly.
+
+
+Changes in version 0.2.4.27 - 2015-04-06
+ Tor 0.2.4.27 backports two fixes from 0.2.6.7 for security issues that
+ could be used by an attacker to crash hidden services, or crash clients
+ visiting hidden services. Hidden services should upgrade as soon as
+ possible; clients should upgrade whenever packages become available.
+
+ This release also backports a simple improvement to make hidden
+ services a bit less vulnerable to denial-of-service attacks.
+
+ o Major bugfixes (security, hidden service):
+ - Fix an issue that would allow a malicious client to trigger an
+ assertion failure and halt a hidden service. Fixes bug 15600;
+ bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
+ - Fix a bug that could cause a client to crash with an assertion
+ failure when parsing a malformed hidden service descriptor. Fixes
+ bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
+
+ o Minor features (DoS-resistance, hidden service):
+ - Introduction points no longer allow multiple INTRODUCE1 cells to
+ arrive on the same circuit. This should make it more expensive for
+ attackers to overwhelm hidden services with introductions.
+ Resolves ticket 15515.
+
+
+Changes in version 0.2.6.7 - 2015-04-06
+ Tor 0.2.6.7 fixes two security issues that could be used by an
+ attacker to crash hidden services, or crash clients visiting hidden
+ services. Hidden services should upgrade as soon as possible; clients
+ should upgrade whenever packages become available.
+
+ This release also contains two simple improvements to make hidden
+ services a bit less vulnerable to denial-of-service attacks.
+
+ o Major bugfixes (security, hidden service):
+ - Fix an issue that would allow a malicious client to trigger an
+ assertion failure and halt a hidden service. Fixes bug 15600;
+ bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
+ - Fix a bug that could cause a client to crash with an assertion
+ failure when parsing a malformed hidden service descriptor. Fixes
+ bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
+
+ o Minor features (DoS-resistance, hidden service):
+ - Introduction points no longer allow multiple INTRODUCE1 cells to
+ arrive on the same circuit. This should make it more expensive for
+ attackers to overwhelm hidden services with introductions.
+ Resolves ticket 15515.
+ - Decrease the amount of reattempts that a hidden service performs
+ when its rendezvous circuits fail. This reduces the computational
+ cost for running a hidden service under heavy load. Resolves
+ ticket 11447.
+
+
+Changes in version 0.2.6.6 - 2015-03-24
+ Tor 0.2.6.6 is the first stable release in the 0.2.6 series.
+
+ It adds numerous safety, security, correctness, and performance
+ improvements. Client programs can be configured to use more kinds of
+ sockets, AutomapHosts works better, the multithreading backend is
+ improved, cell transmission is refactored, test coverage is much
+ higher, more denial-of-service attacks are handled, guard selection is
+ improved to handle long-term guards better, pluggable transports
+ should work a bit better, and some annoying hidden service performance
+ bugs should be addressed.
+
+ o Minor bugfixes (portability):
+ - Use the correct datatype in the SipHash-2-4 function to prevent
+ compilers from assuming any sort of alignment. Fixes bug 15436;
+ bugfix on 0.2.5.3-alpha.
+
+Changes in version 0.2.6.5-rc - 2015-03-18
+ Tor 0.2.6.5-rc is the second and (hopefully) last release candidate in
+ the 0.2.6. It fixes a small number of bugs found in 0.2.6.4-rc.
+
+ o Major bugfixes (client):
+ - Avoid crashing when making certain configuration option changes on
+ clients. Fixes bug 15245; bugfix on 0.2.6.3-alpha. Reported
+ by "anonym".
+
+ o Major bugfixes (pluggable transports):
+ - Initialize the extended OR Port authentication cookie before
+ launching pluggable transports. This prevents a race condition
+ that occured when server-side pluggable transports would cache the
+ authentication cookie before it has been (re)generated. Fixes bug
+ 15240; bugfix on 0.2.5.1-alpha.
+
+ o Major bugfixes (portability):
+ - Do not crash on startup when running on Solaris. Fixes a bug
+ related to our fix for 9495; bugfix on 0.2.6.1-alpha. Reported
+ by "ruebezahl".
+
+ o Minor features (heartbeat):
+ - On relays, report how many connections we negotiated using each
+ version of the Tor link protocols. This information will let us
+ know if removing support for very old versions of the Tor
+ protocols is harming the network. Closes ticket 15212.
+
+ o Code simplification and refactoring:
+ - Refactor main loop to extract the 'loop' part. This makes it
+ easier to run Tor under Shadow. Closes ticket 15176.
+
+
+Changes in version 0.2.5.11 - 2015-03-17
+ Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
+
+ It backports several bugfixes from the 0.2.6 branch, including a
+ couple of medium-level security fixes for relays and exit nodes.
+ It also updates the list of directory authorities.
+
+ o Directory authority changes:
+ - Remove turtles as a directory authority.
+ - Add longclaw as a new (v3) directory authority. This implements
+ ticket 13296. This keeps the directory authority count at 9.
+ - The directory authority Faravahar has a new IP address. This
+ closes ticket 14487.
+
+ o Major bugfixes (crash, OSX, security):
+ - Fix a remote denial-of-service opportunity caused by a bug in
+ OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
+ in OSX 10.9.
+
+ o Major bugfixes (relay, stability, possible security):
+ - Fix a bug that could lead to a relay crashing with an assertion
+ failure if a buffer of exactly the wrong layout was passed to
+ buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
+ 0.2.0.10-alpha. Patch from 'cypherpunks'.
+ - Do not assert if the 'data' pointer on a buffer is advanced to the
+ very end of the buffer; log a BUG message instead. Only assert if
+ it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
+
+ o Major bugfixes (exit node stability):
+ - Fix an assertion failure that could occur under high DNS load.
+ Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
+ diagnosed and fixed by "cypherpunks".
+
+ o Major bugfixes (Linux seccomp2 sandbox):
+ - Upon receiving sighup with the seccomp2 sandbox enabled, do not
+ crash during attempts to call wait4. Fixes bug 15088; bugfix on
+ 0.2.5.1-alpha. Patch from "sanic".
+
+ o Minor features (controller):
+ - New "GETINFO bw-event-cache" to get information about recent
+ bandwidth events. Closes ticket 14128. Useful for controllers to
+ get recent bandwidth history after the fix for ticket 13988.
+
+ o Minor features (geoip):
+ - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
+ - Update geoip6 to the March 3 2015 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (client, automapping):
+ - Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
+ no value follows the option. Fixes bug 14142; bugfix on
+ 0.2.4.7-alpha. Patch by "teor".
+ - Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
+ 14195; bugfix on 0.1.0.1-rc.
+
+ o Minor bugfixes (compilation):
+ - Build without warnings with the stock OpenSSL srtp.h header, which
+ has a duplicate declaration of SSL_get_selected_srtp_profile().
+ Fixes bug 14220; this is OpenSSL's bug, not ours.
+
+ o Minor bugfixes (directory authority):
+ - Allow directory authorities to fetch more data from one another if
+ they find themselves missing lots of votes. Previously, they had
+ been bumping against the 10 MB queued data limit. Fixes bug 14261;
+ bugfix on 0.1.2.5-alpha.
+ - Enlarge the buffer to read bwauth generated files to avoid an
+ issue when parsing the file in dirserv_read_measured_bandwidths().
+ Fixes bug 14125; bugfix on 0.2.2.1-alpha.
+
+ o Minor bugfixes (statistics):
+ - Increase period over which bandwidth observations are aggregated
+ from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
+
+ o Minor bugfixes (preventative security, C safety):
+ - When reading a hexadecimal, base-32, or base-64 encoded value from
+ a string, always overwrite the whole output buffer. This prevents
+ some bugs where we would look at (but fortunately, not reveal)
+ uninitialized memory on the stack. Fixes bug 14013; bugfix on all
+ versions of Tor.
+
+
+Changes in version 0.2.4.26 - 2015-03-17
+ Tor 0.2.4.26 includes an updated list of directory authorities. It
+ also backports a couple of stability and security bugfixes from 0.2.5
+ and beyond.
+
+ o Directory authority changes:
+ - Remove turtles as a directory authority.
+ - Add longclaw as a new (v3) directory authority. This implements
+ ticket 13296. This keeps the directory authority count at 9.
+ - The directory authority Faravahar has a new IP address. This
+ closes ticket 14487.
+
+ o Major bugfixes (exit node stability, also in 0.2.6.3-alpha):
+ - Fix an assertion failure that could occur under high DNS load.
+ Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
+ diagnosed and fixed by "cypherpunks".
+
+ o Major bugfixes (relay, stability, possible security, also in 0.2.6.4-rc):
+ - Fix a bug that could lead to a relay crashing with an assertion
+ failure if a buffer of exactly the wrong layout was passed to
+ buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
+ 0.2.0.10-alpha. Patch from 'cypherpunks'.
+ - Do not assert if the 'data' pointer on a buffer is advanced to the
+ very end of the buffer; log a BUG message instead. Only assert if
+ it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
+
+ o Minor features (geoip):
+ - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
+ - Update geoip6 to the March 3 2015 Maxmind GeoLite2
+ Country database.
+
+Changes in version 0.2.6.4-rc - 2015-03-09
+ Tor 0.2.6.4-alpha fixes an issue in the directory code that an
+ attacker might be able to use in order to crash certain Tor
+ directories. It also resolves some minor issues left over from, or
+ introduced in, Tor 0.2.6.3-alpha or earlier.
+
+ o Major bugfixes (crash, OSX, security):
+ - Fix a remote denial-of-service opportunity caused by a bug in
+ OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
+ in OSX 10.9.
+
+ o Major bugfixes (relay, stability, possible security):
+ - Fix a bug that could lead to a relay crashing with an assertion
+ failure if a buffer of exactly the wrong layout is passed to
+ buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
+ 0.2.0.10-alpha. Patch from "cypherpunks".
+ - Do not assert if the 'data' pointer on a buffer is advanced to the
+ very end of the buffer; log a BUG message instead. Only assert if
+ it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
+
+ o Major bugfixes (FreeBSD IPFW transparent proxy):
+ - Fix address detection with FreeBSD transparent proxies, when
+ "TransProxyType ipfw" is in use. Fixes bug 15064; bugfix
+ on 0.2.5.4-alpha.
+
+ o Major bugfixes (Linux seccomp2 sandbox):
+ - Pass IPPROTO_TCP rather than 0 to socket(), so that the Linux
+ seccomp2 sandbox doesn't fail. Fixes bug 14989; bugfix
+ on 0.2.6.3-alpha.
+ - Allow AF_UNIX hidden services to be used with the seccomp2
+ sandbox. Fixes bug 15003; bugfix on 0.2.6.3-alpha.
+ - Upon receiving sighup with the seccomp2 sandbox enabled, do not
+ crash during attempts to call wait4. Fixes bug 15088; bugfix on
+ 0.2.5.1-alpha. Patch from "sanic".
+
+ o Minor features (controller):
+ - Messages about problems in the bootstrap process now include
+ information about the server we were trying to connect to when we
+ noticed the problem. Closes ticket 15006.
+
+ o Minor features (geoip):
+ - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
+ - Update geoip6 to the March 3 2015 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (logs):
+ - Quiet some log messages in the heartbeat and at startup. Closes
+ ticket 14950.
+
+ o Minor bugfixes (certificate handling):
+ - If an authority operator accidentally makes a signing certificate
+ with a future publication time, do not discard its real signing
+ certificates. Fixes bug 11457; bugfix on 0.2.0.3-alpha.
+ - Remove any old authority certificates that have been superseded
+ for at least two days. Previously, we would keep superseded
+ certificates until they expired, if they were published close in
+ time to the certificate that superseded them. Fixes bug 11454;
+ bugfix on 0.2.1.8-alpha.
+
+ o Minor bugfixes (compilation):
+ - Fix a compilation warning on s390. Fixes bug 14988; bugfix
+ on 0.2.5.2-alpha.
+ - Fix a compilation warning on FreeBSD. Fixes bug 15151; bugfix
+ on 0.2.6.2-alpha.
+
+ o Minor bugfixes (testing):
+ - Fix endianness issues in unit test for resolve_my_address() to
+ have it pass on big endian systems. Fixes bug 14980; bugfix on
+ Tor 0.2.6.3-alpha.
+ - Avoid a side-effect in a tor_assert() in the unit tests. Fixes bug
+ 15188; bugfix on 0.1.2.3-alpha. Patch from Tom van der Woerdt.
+ - When running the new 'make test-stem' target, use the configured
+ python binary. Fixes bug 15037; bugfix on 0.2.6.3-alpha. Patch
+ from "cypherpunks".
+ - When running the zero-length-keys tests, do not use the default
+ torrc file. Fixes bug 15033; bugfix on 0.2.6.3-alpha. Reported
+ by "reezer".
+
+ o Directory authority IP change:
+ - The directory authority Faravahar has a new IP address. This
+ closes ticket 14487.
+
+ o Removed code:
+ - Remove some lingering dead code that once supported mempools.
+ Mempools were disabled by default in 0.2.5, and removed entirely
+ in 0.2.6.3-alpha. Closes more of ticket 14848; patch
+ by "cypherpunks".
Changes in version 0.2.6.3-alpha - 2015-02-19
@@ -49,6 +956,13 @@ Changes in version 0.2.6.3-alpha - 2015-02-19
notified of updates and their correct digests. Implements proposal
227. Closes ticket 10395.
+ o Major features (guards):
+ - Introduce the Guardfraction feature to improves load balancing on
+ guard nodes. Specifically, it aims to reduce the traffic gap that
+ guard nodes experience when they first get the Guard flag. This is
+ a required step if we want to increase the guard lifetime to 9
+ months or greater. Closes ticket 9321.
+
o Major features (performance):
- Make the CPU worker implementation more efficient by avoiding the
kernel and lengthening pipelines. The original implementation used