Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 976 |
1 files changed, 976 insertions, 0 deletions
@@ -1,3 +1,979 @@ +Changes in version 0.4.6.2-alpha - 2021-04-15 + Tor 0.4.6.2-alpha is the second alpha in its series. It fixes several + small bugs in previous releases, and solves other issues that had + enabled denial-of-service attacks and affected integration with + other tools. + + o Minor features (client): + - Clients now check whether their streams are attempting to re-enter + the Tor network (i.e. to send Tor traffic over Tor), and close + them preemptively if they think exit relays will refuse them for + this reason. See ticket 2667 for details. Closes ticket 40271. + + o Minor features (command line): + - Add long format name "--torrc-file" equivalent to the existing + command-line option "-f". Closes ticket 40324. Patch by + Daniel Pinto. + + o Minor features (dormant mode): + - Add a new 'DormantTimeoutEnabled' option to allow coarse-grained + control over whether the client ever becomes dormant from + inactivity. Most people won't need this. Closes ticket 40228. + + o Minor features (fallback directory list): + - Regenerate the list of fallback directories to contain a new set + of 200 relays. Closes ticket 40265. + + o Minor features (geoip data): + - Update the geoip files to match the IPFire Location Database, as + retrieved on 2021/04/13. + + o Minor features (logging): + - Edit heartbeat log messages so that more of them begin with the + string "Heartbeat: ". Closes ticket 40322; patch + from 'cypherpunks'. + + o Minor bugfixes (bridge, pluggable transport): + - Fix a regression that made it impossible start Tor using a bridge + line with a transport name and no fingerprint. Fixes bug 40360; + bugfix on 0.4.5.4-rc. + + o Minor bugfixes (channel, DoS): + - Fix a non-fatal BUG() message due to a too-early free of a string, + when listing a client connection from the DoS defenses subsystem. + Fixes bug 40345; bugfix on 0.4.3.4-rc. 
+ + o Minor bugfixes (compilation): + - Fix a compilation warning about unused functions when building + with a libc that lacks the GLOB_ALTDIRFUNC constant. Fixes bug + 40354; bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto. + + o Minor bugfixes (configuration): + - Fix pattern-matching for directories on all platforms when using + %include options in configuration files. This patch also fixes + compilation on musl libc based systems. Fixes bug 40141; bugfix + on 0.4.5.1-alpha. + + o Minor bugfixes (relay): + - Move the "overload-general" line from extrainfo to the server + descriptor. Fixes bug 40364; bugfix on 0.4.6.1-alpha. + + o Minor bugfixes (testing, BSD): + - Fix pattern-matching errors when patterns expand to invalid paths + on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by + Daniel Pinto. + + o Documentation (manual): + - Move the ServerTransport* options to the "SERVER OPTIONS" section. + Closes issue 40331. + - Indicate that the HiddenServiceStatistics option also applies to + bridges. Closes ticket 40346. + - Move the description of BridgeRecordUsageByCountry to the section + "STATISTICS OPTIONS". Closes ticket 40323. + + +Changes in version 0.4.6.1-alpha - 2021-03-18 + Tor 0.4.6.1-alpha is the first alpha release in the 0.4.6.x series. It + improves client circuit performance, adds missing features, and + improves some of our DoS handling and statistics reporting. It also + includes numerous smaller bugfixes. + + Below are the changes since 0.4.5.7. (Note that this release DOES + include the fixes for the security bugs already fixed in 0.4.5.7.) + + o Major features (control port, onion services): + - Add controller support for creating version 3 onion services with + client authorization. Previously, only v2 onion services could be + created with client authorization. Closes ticket 40084. Patch by + Neel Chauhan. 
+ + o Major features (directory authority): + - When voting on a relay with a Sybil-like appearance, add the Sybil + flag when clearing out the other flags. This lets a relay operator + know why their relay hasn't been included in the consensus. Closes + ticket 40255. Patch by Neel Chauhan. + + o Major features (metrics): + - Relays now report how overloaded they are in their extrainfo + documents. This information is controlled with the + OverloadStatistics torrc option, and it will be used to improve + decisions about the network's load balancing. Implements proposal + 328; closes ticket 40222. + + o Major features (relay, denial of service): + - Add a new DoS subsystem feature to control the rate of client + connections for relays. Closes ticket 40253. + + o Major features (statistics): + - Relays now publish statistics about the number of v3 onion + services and volume of v3 onion service traffic, in the same + manner they already do for v2 onions. Closes ticket 23126. + + o Major bugfixes (circuit build timeout): + - Improve the accuracy of our circuit build timeout calculation for + 60%, 70%, and 80% build rates for various guard choices. We now + use a maximum likelihood estimator for Pareto parameters of the + circuit build time distribution, instead of a "right-censored + estimator". This causes clients to ignore circuits that never + finish building in their timeout calculations. Previously, clients + were counting such unfinished circuits as having the highest + possible build time value, when in reality these circuits most + likely just contain relays that are offline. We also now wait a + bit longer to let circuits complete for measurement purposes, + lower the minimum possible effective timeout from 1.5 seconds to + 10ms, and increase the resolution of the circuit build time + histogram from 50ms bin widths to 10ms bin widths. 
Additionally, + we alter our estimate Xm by taking the maximum of the top 10 most + common build time values of the 10ms histogram, and compute Xm as + the average of these. Fixes bug 40168; bugfix on 0.2.2.14-alpha. + - Remove max_time calculation and associated warning from circuit + build timeout 'alpha' parameter estimation, as this is no longer + needed by our new estimator from 40168. Fixes bug 34088; bugfix + on 0.2.2.9-alpha. + + o Major bugfixes (signing key): + - In the tor-gencert utility, give an informative error message if + the passphrase given in `--create-identity-key` is too short. + Fixes bug 40189; bugfix on 0.2.0.1-alpha. Patch by Neel Chauhan. + + o Minor features (bridge): + - We now announce the URL to Tor's new bridge status at + https://bridges.torproject.org/ when Tor is configured to run as a + bridge relay. Closes ticket 30477. + + o Minor features (build system): + - New "make lsp" command to auto generate the compile_commands.json + file used by the ccls server. The "bear" program is needed for + this. Closes ticket 40227. + + o Minor features (command-line interface): + - Add build informations to `tor --version` in order to ease + reproducible builds. Closes ticket 32102. + - When parsing command-line flags that take an optional argument, + treat the argument as absent if it would start with a '-' + character. Arguments in that form are not intelligible for any of + our optional-argument flags. Closes ticket 40223. + - Allow a relay operator to list the ed25519 keys on the command + line by adding the `rsa` and `ed25519` arguments to the + --list-fingerprint flag to show the respective RSA and ed25519 + relay fingerprint. Closes ticket 33632. Patch by Neel Chauhan. + + o Minor features (control port, stream handling): + - Add the stream ID to the event line in the ADDRMAP control event. + Closes ticket 40249. Patch by Neel Chauhan. 
+ + o Minor features (dormant mode): + - Add a new 'DormantTimeoutEnabled' option for coarse-grained + control over whether the client can become dormant from + inactivity. Most people won't need this. Closes ticket 40228. + + o Minor features (logging): + - Change the DoS subsystem heartbeat line format to be more clear on + what has been detected/rejected, and which option is disabled (if + any). Closes ticket 40308. + - In src/core/mainloop/mainloop.c and src/core/mainloop/connection.c, + put brackets around IPv6 addresses in log messages. Closes ticket + 40232. Patch by Neel Chauhan. + + o Minor features (performance, windows): + - Use SRWLocks to implement locking on Windows. Replaces the + "critical section" locking implementation with the faster + SRWLocks, available since Windows Vista. Closes ticket 17927. + Patch by Daniel Pinto. + + o Minor features (protocol, proxy support, defense in depth): + - Close HAProxy connections if they somehow manage to send us data + before we start reading. Closes another case of ticket 40017. + + o Minor features (tests, portability): + - Port the hs_build_address.py test script to work with recent + versions of python. Closes ticket 40213. Patch from + Samanta Navarro. + + o Minor features (vote document): + - Add a "stats" line to directory authority votes, to report various + statistics that authorities compute about the relays. This will + help us diagnose the network better. Closes ticket 40314. + + o Minor bugfixes (build): + - The configure script now shows whether or not lzma and zstd have + been used, not just if the enable flag was passed in. Fixes bug + 40236; bugfix on 0.4.3.1-alpha. + + o Minor bugfixes (compatibility): + - Fix a failure in the test cases when running on the "hppa" + architecture, along with a related test that might fail on other + architectures in the future. Fixes bug 40274; bugfix + on 0.2.5.1-alpha. 
+ + o Minor bugfixes (controller): + - Fix a "BUG" warning that would appear when a controller chooses + the first hop for a circuit, and that circuit completes. Fixes bug + 40285; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (directory authorities, voting): + - Add a new consensus method (31) to support any future changes that + authorities decide to make to the value of bwweightscale or + maxunmeasuredbw. Previously, there was a bug that prevented the + authorities from parsing these consensus parameters correctly under + most circumstances. Fixes bug 19011; bugfix on 0.2.2.10-alpha. + + o Minor bugfixes (ipv6): + - Allow non-SOCKSPorts to disable IPv4, IPv6, and PreferIPv4. Some + rare configurations might break, but in this case you can disable + NoIPv4Traffic and NoIPv6Traffic as needed. Fixes bug 33607; bugfix + on 0.4.1.1-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (key generation): + - Do not require a valid torrc when using the `--keygen` argument to + generate a signing key. This allows us to generate keys on systems + or users which may not run Tor. Fixes bug 40235; bugfix on + 0.2.7.2-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (onion services, logging): + - Downgrade the severity of a few rendezvous circuit-related + warnings from warning to info. Fixes bug 40207; bugfix on + 0.3.2.1-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (relay): + - Reduce the compression level for data streaming from HIGH to LOW. + This should reduce the CPU and memory burden for directory caches. + Fixes bug 40301; bugfix on 0.3.5.1-alpha. + + o Code simplification and refactoring: + - Remove the orconn_ext_or_id_map structure and related functions. + (Nothing outside of unit tests used them.) Closes ticket 33383. + Patch by Neel Chauhan. + + o Removed features: + - As of this release, Tor no longer supports the old v2 onion + services. They were deprecated last July for security, and support + will be removed entirely later this year. 
We strongly encourage + everybody to migrate to v3 onion services. For more information, + see https://blog.torproject.org/v2-deprecation-timeline . Closes + ticket 40266. (NOTE: We accidentally released an earlier version + of the 0.4.6.1-alpha changelog without this entry. Sorry for + the confusion!) + + o Code simplification and refactoring (metrics, DoS): + - Move the DoS subsystem into the subsys manager, including its + configuration options. Closes ticket 40261. + + o Removed features (relay): + - Because DirPorts are only used on authorities, relays no longer + advertise them. Similarly, self-testing for DirPorts has been + disabled, since an unreachable DirPort is no reason for a relay + not to advertise itself. (Configuring a DirPort will still work, + for now.) Closes ticket 40282. + + +Changes in version 0.3.5.14 - 2021-03-16 + Tor 0.3.5.14 backports fixes for two important denial-of-service bugs + in earlier versions of Tor. + + One of these vulnerabilities (TROVE-2021-001) would allow an attacker + who can send directory data to a Tor instance to force that Tor + instance to consume huge amounts of CPU. This is easiest to exploit + against authorities, since anybody can upload to them, but directory + caches could also exploit this vulnerability against relays or clients + when they download. The other vulnerability (TROVE-2021-002) only + affects directory authorities, and would allow an attacker to remotely + crash the authority with an assertion failure. Patches have already + been provided to the authority operators, to help ensure + network stability. + + We recommend that everybody upgrade to one of the releases that fixes + these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available + to you. + + This release also updates our GeoIP data source, and fixes a + compatibility issue. 
+ + o Major bugfixes (security, denial of service, backport from 0.4.5.7): + - Disable the dump_desc() function that we used to dump unparseable + information to disk. It was called incorrectly in several places, + in a way that could lead to excessive CPU usage. Fixes bug 40286; + bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- + 001 and CVE-2021-28089. + - Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority. Fixes + bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 + and CVE-2021-28090. + + o Minor features (geoip data, backport from 0.4.5.7): + - We have switched geoip data sources. Previously we shipped IP-to- + country mappings from Maxmind's GeoLite2, but in 2019 they changed + their licensing terms, so we were unable to update them after that + point. We now ship geoip files based on the IPFire Location + Database instead. (See https://location.ipfire.org/ for more + information). This release updates our geoip files to match the + IPFire Location Database as retrieved on 2021/03/12. Closes + ticket 40224. + + o Removed features (mallinfo deprecated, backport from 0.4.5.7): + - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it. + Closes ticket 40309. + + +Changes in version 0.4.4.8 - 2021-03-16 + Tor 0.4.4.8 backports fixes for two important denial-of-service bugs + in earlier versions of Tor. + + One of these vulnerabilities (TROVE-2021-001) would allow an attacker + who can send directory data to a Tor instance to force that Tor + instance to consume huge amounts of CPU. This is easiest to exploit + against authorities, since anybody can upload to them, but directory + caches could also exploit this vulnerability against relays or clients + when they download. The other vulnerability (TROVE-2021-002) only + affects directory authorities, and would allow an attacker to remotely + crash the authority with an assertion failure. 
Patches have already + been provided to the authority operators, to help ensure + network stability. + + We recommend that everybody upgrade to one of the releases that fixes + these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available + to you. + + This release also updates our GeoIP data source, and fixes a + compatibility issue. + + o Major bugfixes (security, denial of service, backport from 0.4.5.7): + - Disable the dump_desc() function that we used to dump unparseable + information to disk. It was called incorrectly in several places, + in a way that could lead to excessive CPU usage. Fixes bug 40286; + bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- + 001 and CVE-2021-28089. + - Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority. Fixes + bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 + and CVE-2021-28090. + + o Minor features (geoip data, backport from 0.4.5.7): + - We have switched geoip data sources. Previously we shipped IP-to- + country mappings from Maxmind's GeoLite2, but in 2019 they changed + their licensing terms, so we were unable to update them after that + point. We now ship geoip files based on the IPFire Location + Database instead. (See https://location.ipfire.org/ for more + information). This release updates our geoip files to match the + IPFire Location Database as retrieved on 2021/03/12. Closes + ticket 40224. + + o Removed features (mallinfo deprecated, backport from 0.4.5.7): + - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it. + Closes ticket 40309. + + +Changes in version 0.4.5.7 - 2021-03-16 + Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier + versions of Tor. + + One of these vulnerabilities (TROVE-2021-001) would allow an attacker + who can send directory data to a Tor instance to force that Tor + instance to consume huge amounts of CPU. 
This is easiest to exploit + against authorities, since anybody can upload to them, but directory + caches could also exploit this vulnerability against relays or clients + when they download. The other vulnerability (TROVE-2021-002) only + affects directory authorities, and would allow an attacker to remotely + crash the authority with an assertion failure. Patches have already + been provided to the authority operators, to help ensure + network stability. + + We recommend that everybody upgrade to one of the releases that fixes + these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available + to you. + + This release also updates our GeoIP data source, and fixes a few + smaller bugs in earlier releases. + + o Major bugfixes (security, denial of service): + - Disable the dump_desc() function that we used to dump unparseable + information to disk. It was called incorrectly in several places, + in a way that could lead to excessive CPU usage. Fixes bug 40286; + bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021- + 001 and CVE-2021-28089. + - Fix a bug in appending detached signatures to a pending consensus + document that could be used to crash a directory authority. Fixes + bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002 + and CVE-2021-28090. + + o Minor features (geoip data): + - We have switched geoip data sources. Previously we shipped IP-to- + country mappings from Maxmind's GeoLite2, but in 2019 they changed + their licensing terms, so we were unable to update them after that + point. We now ship geoip files based on the IPFire Location + Database instead. (See https://location.ipfire.org/ for more + information). This release updates our geoip files to match the + IPFire Location Database as retrieved on 2021/03/12. Closes + ticket 40224. 
+ + o Minor bugfixes (directory authority): + - Now that exit relays don't allow exit connections to directory + authority DirPorts (to prevent network reentry), disable + authorities' reachability self test on the DirPort. Fixes bug + 40287; bugfix on 0.4.5.5-rc. + + o Minor bugfixes (documentation): + - Fix a formatting error in the documentation for + VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha. + + o Minor bugfixes (Linux, relay): + - Fix a bug in determining total available system memory that would + have been triggered if the format of Linux's /proc/meminfo file + had ever changed to include "MemTotal:" in the middle of a line. + Fixes bug 40315; bugfix on 0.2.5.4-alpha. + + o Minor bugfixes (metrics port): + - Fix a BUG() warning on the MetricsPort for an internal missing + handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (onion service): + - Remove a harmless BUG() warning when reloading tor configured with + onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (portability): + - Fix a non-portable usage of "==" with "test" in the configure + script. Fixes bug 40298; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (relay): + - Remove a spammy log notice falsely claiming that the IPv4/v6 + address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha. + - Do not query the address cache early in the boot process when + deciding if a relay needs to fetch early directory information + from an authority. This bug resulted in a relay falsely believing + it didn't have an address and thus triggering an authority fetch + at each boot. Related to our fix for 40300. + + o Removed features (mallinfo deprecated): + - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it. + Closes ticket 40309. + + +Changes in version 0.4.5.6 - 2021-02-15 + The Tor 0.4.5.x release series is dedicated to the memory of Karsten + Loesing (1979-2020), Tor developer, cypherpunk, husband, and father. 
+ Karsten is best known for creating the Tor metrics portal and leading + the metrics team, but he was involved in Tor from the early days. For + example, while he was still a student he invented and implemented the + v2 onion service directory design, and he also served as an ambassador + to the many German researchers working in the anonymity field. We + loved him and respected him for his patience, his consistency, and his + welcoming approach to growing our community. + + This release series introduces significant improvements in relay IPv6 + address discovery, a new "MetricsPort" mechanism for relay operators + to measure performance, LTTng support, build system improvements to + help when using Tor as a static library, and significant bugfixes + related to Windows relay performance. It also includes numerous + smaller features and bugfixes. + + Below are the changes since 0.4.4.4-rc. For a complete list of changes + since 0.4.4.7, see the ReleaseNotes file. + + o Major bugfixes (IPv6, relay): + - Fix a bug that prevented a relay from publishing its descriptor if + an auto-discovered IPv6 that was found unreachable. Fixes bug + 40279; bugfix on 0.4.5.1-alpha. + + o Minor features (protocol versions): + - Stop claiming to support the "DirCache=1" subprotocol version. + Technically, we stopped supporting this subprotocol back in + 0.4.5.1-alpha, but we needed to wait for the authorities to stop + listing it as "required" before we could drop it from the list. + Closes ticket 40221. + + o Minor bugfixes (logging): + - Avoid a spurious log message about missing subprotocol versions, + when the consensus that we're reading from is older than the + current release. Previously we had made this message nonfatal, but + in practice, it is never relevant when the consensus is older than + the current release. Fixes bug 40281; bugfix on 0.4.0.1-alpha. + + o Minor bugfixes (metrics port): + - Fix a bug warning when a metrics port socket was unexpectedly + closed. 
Fixes bug 40257; bugfix on 0.4.5.1-alpha + + o Minor bugfixes (relay): + - Allow relays to have a RFC1918 address if PublishServerDescriptor + is set to 0 and AssumeReachable is set to 1. This is to support + the use case of a bridge on a local network, exposed via a + pluggable transport. Fixes bug 40208; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (relay, config): + - Fix a problem in the removal of duplicate ORPorts from the + internal port list when loading the config file. We were removing + the wrong ports, breaking valid torrc uses cases for multiple + ORPorts of the same address family. Fixes bug 40289; bugfix + on 0.4.5.1-alpha. + + +Changes in version 0.4.4.7 - 2021-02-03 + Tor 0.4.4.7 backports numerous bugfixes from later releases, + including one that made v3 onion services more susceptible to + denial-of-service attacks, and a feature that makes some kinds of + DoS attacks harder to perform. + + o Major bugfixes (onion service v3, backport from 0.4.5.3-rc): + - Stop requiring a live consensus for v3 clients and services, and + allow a "reasonably live" consensus instead. This allows v3 onion + services to work even if the authorities fail to generate a + consensus for more than 2 hours in a row. Fixes bug 40237; bugfix + on 0.3.5.1-alpha. + + o Major feature (exit, backport from 0.4.5.5-rc): + - Re-entry into the network is now denied at the Exit level to all + relays' ORPorts and authorities' ORPorts and DirPorts. This change + should help mitgate a set of denial-of-service attacks. Closes + ticket 2667. + + o Minor feature (build system, backport from 0.4.5.4-rc): + - New "make lsp" command to generate the compile_commands.json file + used by the ccls language server. The "bear" program is needed for + this. Closes ticket 40227. + + o Minor features (compilation, backport from 0.4.5.2-rc): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or + later. 
There are a number of APIs newly deprecated in OpenSSL + 3.0.0 that Tor still requires. (A later version of Tor will try to + stop depending on these APIs.) Closes ticket 40165. + + o Minor features (crypto, backport from 0.4.5.3-rc): + - Fix undefined behavior on our Keccak library. The bug only + appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) + and would result in wrong digests. Fixes bug 40210; bugfix on + 0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and + weasel for diagnosing this. + + o Minor bugfixes (compatibility, backport from 0.4.5.1-rc): + - Strip '\r' characters when reading text files on Unix platforms. + This should resolve an issue where a relay operator migrates a + relay from Windows to Unix, but does not change the line ending of + Tor's various state files to match the platform, and the CRLF line + endings from Windows end up leaking into other files such as the + extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5. + + o Minor bugfixes (compilation, backport from 0.4.5.3-rc): + - Fix a compilation warning about unreachable fallthrough + annotations when building with "--enable-all-bugs-are-fatal" on + some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha. + + o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc): + - Handle partial SOCKS5 messages correctly. Previously, our code + would send an incorrect error message if it got a SOCKS5 request + that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, backport from 0.4.5.2-alpha): + - Fix the `config/parse_tcp_proxy_line` test so that it works + correctly on systems where the DNS provider hijacks invalid + queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha. + - Fix our Python reference-implementation for the v3 onion service + handshake so that it works correctly with the version of hashlib + provided by Python 3.9. Fixes part of bug 40179; bugfix + on 0.3.1.6-rc. 
+ - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL + 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha. + + +Changes in version 0.4.3.8 - 2021-02-03 + Tor 0.4.3.8 backports numerous bugfixes from later releases, + including one that made v3 onion services more susceptible to + denial-of-service attacks, and a feature that makes some kinds of + DoS attacks harder to perform. + + Note that this is, in all likelihood, the last release of Tor 0.4.3.x, + which will reach end-of-life on 15 Feb 2021. + + o Major bugfixes (onion service v3, backport from 0.4.5.3-rc): + - Stop requiring a live consensus for v3 clients and services, and + allow a "reasonably live" consensus instead. This allows v3 onion + services to work even if the authorities fail to generate a + consensus for more than 2 hours in a row. Fixes bug 40237; bugfix + on 0.3.5.1-alpha. + + o Major bugfixes (stats, onion services, backport from 0.4.4.5): + - Fix a bug where we were undercounting the Tor network's total + onion service traffic, by ignoring any traffic originating from + clients. Now we count traffic from both clients and services. + Fixes bug 40117; bugfix on 0.2.6.2-alpha. + + o Major feature (exit, backport from 0.4.5.5-rc): + - Re-entry into the network is now denied at the Exit level to all + relays' ORPorts and authorities' ORPorts and DirPorts. This change + should help mitgate a set of denial-of-service attacks. Closes + ticket 2667. + + o Minor feature (build system, backport from 0.4.5.4-rc): + - New "make lsp" command to generate the compile_commands.json file + used by the ccls language server. The "bear" program is needed for + this. Closes ticket 40227. + + o Minor features (compilation, backport from 0.4.5.2-rc): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or + later. There are a number of APIs newly deprecated in OpenSSL + 3.0.0 that Tor still requires. (A later version of Tor will try to + stop depending on these APIs.) Closes ticket 40165. 
+ + o Minor features (crypto, backport from 0.4.5.3-rc): + - Fix undefined behavior on our Keccak library. The bug only + appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) + and would result in wrong digests. Fixes bug 40210; bugfix on + 0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and + weasel for diagnosing this. + + o Minor bugfixes (compatibility, backport from 0.4.5.1-rc): + - Strip '\r' characters when reading text files on Unix platforms. + This should resolve an issue where a relay operator migrates a + relay from Windows to Unix, but does not change the line ending of + Tor's various state files to match the platform, and the CRLF line + endings from Windows end up leaking into other files such as the + extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5. + + o Minor bugfixes (compilation, backport from 0.4.5.1-rc): + - Resolve a compilation warning that could occur in + test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (compilation, backport from 0.4.5.3-rc): + - Fix a compilation warning about unreachable fallthrough + annotations when building with "--enable-all-bugs-are-fatal" on + some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha. + + o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc): + - Handle partial SOCKS5 messages correctly. Previously, our code + would send an incorrect error message if it got a SOCKS5 request + that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, backport from 0.4.5.2-alpha): + - Fix the `config/parse_tcp_proxy_line` test so that it works + correctly on systems where the DNS provider hijacks invalid + queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha. + - Fix our Python reference-implementation for the v3 onion service + handshake so that it works correctly with the version of hashlib + provided by Python 3.9. Fixes part of bug 40179; bugfix + on 0.3.1.6-rc. 
+ - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL + 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha. + + +Changes in version 0.3.5.13 - 2020-02-03 + Tor 0.3.5.13 backports numerous bugfixes from later releases, + including one that made v3 onion services more susceptible to + denial-of-service attacks, and a feature that makes some kinds of + DoS attacks harder to perform. + + o Major bugfixes (onion service v3, backport from 0.4.5.3-rc): + - Stop requiring a live consensus for v3 clients and services, and + allow a "reasonably live" consensus instead. This allows v3 onion + services to work even if the authorities fail to generate a + consensus for more than 2 hours in a row. Fixes bug 40237; bugfix + on 0.3.5.1-alpha. + + o Major bugfixes (stats, onion services, backport from 0.4.4.5): + - Fix a bug where we were undercounting the Tor network's total + onion service traffic, by ignoring any traffic originating from + clients. Now we count traffic from both clients and services. + Fixes bug 40117; bugfix on 0.2.6.2-alpha. + + o Major feature (exit, backport from 0.4.5.5-rc): + - Re-entry into the network is now denied at the Exit level to all + relays' ORPorts and authorities' ORPorts and DirPorts. This change + should help mitgate a set of denial-of-service attacks. Closes + ticket 2667. + + o Minor feature (build system, backport from 0.4.5.4-rc): + - New "make lsp" command to generate the compile_commands.json file + used by the ccls language server. The "bear" program is needed for + this. Closes ticket 40227. + + o Minor features (compilation, backport from 0.4.5.2-rc): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or + later. There are a number of APIs newly deprecated in OpenSSL + 3.0.0 that Tor still requires. (A later version of Tor will try to + stop depending on these APIs.) Closes ticket 40165. + + o Minor features (crypto, backport from 0.4.5.3-rc): + - Fix undefined behavior on our Keccak library. 
The bug only + appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) + and would result in wrong digests. Fixes bug 40210; bugfix on + 0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and + weasel for diagnosing this. + + o Minor bugfixes (compatibility, backport from 0.4.5.1-rc): + - Strip '\r' characters when reading text files on Unix platforms. + This should resolve an issue where a relay operator migrates a + relay from Windows to Unix, but does not change the line ending of + Tor's various state files to match the platform, and the CRLF line + endings from Windows end up leaking into other files such as the + extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5. + + o Minor bugfixes (compilation, backport from 0.4.5.1-rc): + - Resolve a compilation warning that could occur in + test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (compilation, backport from 0.4.5.3-rc): + - Fix a compilation warning about unreachable fallthrough + annotations when building with "--enable-all-bugs-are-fatal" on + some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha. + + o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc): + - Handle partial SOCKS5 messages correctly. Previously, our code + would send an incorrect error message if it got a SOCKS5 request + that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, backport from 0.4.5.2-alpha): + - Fix our Python reference-implementation for the v3 onion service + handshake so that it works correctly with the version of hashlib + provided by Python 3.9. Fixes part of bug 40179; bugfix + on 0.3.1.6-rc. + - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL + 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha. + + +Changes in version 0.4.5.5-rc - 2021-02-01 + Tor 0.4.5.5-rc is the third release candidate in its series. We're + coming closer and closer to a stable release series. 
This release + fixes an annoyance with address detection code, and somewhat mitigates + an ongoing denial-of-service attack. + + We anticipate no more code changes between this and the stable + release, though of course that could change. + + o Major feature (exit): + - Re-entry into the network is now denied at the Exit level to all + relays' ORPorts and authorities' ORPorts and DirPorts. This change + should help mitgate a set of denial-of-service attacks. Closes + ticket 2667. + + o Minor bugfixes (relay, configuration): + - Don't attempt to discover our address (IPv4 or IPv6) if no ORPort + for it can be found in the configuration. Fixes bug 40254; bugfix + on 0.4.5.1-alpha. + + +Changes in version 0.4.5.4-rc - 2021-01-22 + Tor 0.4.5.4-rc is the second release candidate in its series. It fixes + several bugs present in previous releases. + + We expect that the stable release will be the same, or almost the + same, as this release candidate, unless serious bugs are found. + + o Major bugfixes (authority, IPv6): + - Do not consider multiple relays in the same IPv6 /64 network to be + sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha. + + o Major bugfixes (directory cache, performance, windows): + - Limit the number of items in the consensus diff cache to 64 on + Windows. We hope this will mitigate an issue where Windows relay + operators reported Tor using 100% CPU, while we investigate better + solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha. + + o Minor feature (build system): + - New "make lsp" command to generate the compile_commands.json file + used by the ccls language server. The "bear" program is needed for + this. Closes ticket 40227. + + o Minor features (authority, logging): + - Log more information for directory authority operators during the + consensus voting process, and while processing relay descriptors. + Closes ticket 40245. + - Reject obsolete router/extrainfo descriptors earlier and more + quietly, to avoid spamming the logs. 
Fixes bug 40238; bugfix + on 0.4.5.1-alpha. + + o Minor bugfixes (compilation): + - Fix another warning about unreachable fallthrough annotations when + building with "--enable-all-bugs-are-fatal" on some compilers. + Fixes bug 40241; bugfix on 0.4.5.3-rc. + - Change the linker flag ordering in our library search code so that + it works for compilers that need the libraries to be listed in the + right order. Fixes bug 33624; bugfix on 0.1.1.0-alpha. + + o Minor bugfixes (config, bridge): + - Don't initiate a connection to a bridge configured to use a + missing transport. This change reverts an earlier fix that would + try to avoid such situations during configuration chcecking, but + which doesn't work with DisableNetwork. Fixes bug 40106; bugfix + on 0.4.5.1-alpha. + + o Minor bugfixes (onion services): + - Avoid a non-fatal assertion in certain edge-cases when + establishing a circuit to an onion service. Fixes bug 32666; + bugfix on 0.3.0.3-alpha. + + o Minor bugfixes (relay): + - If we were unable to build our descriptor, don't mark it as having + been advertised. Also remove an harmless BUG(). Fixes bug 40231; + bugfix on 0.4.5.1-alpha. + + +Changes in version 0.4.5.3-rc - 2021-01-12 + Tor 0.4.5.3-rc is the first release candidate in its series. It fixes + several bugs, including one that broke onion services on certain older + ARM CPUs, and another that made v3 onion services less reliable. + + Though we anticipate that we'll be doing a bit more clean-up between + now and the stable release, we expect that our remaining changes will + be fairly simple. There will be at least one more release candidate + before 0.4.5.x is stable. + + o Major bugfixes (onion service v3): + - Stop requiring a live consensus for v3 clients and services, and + allow a "reasonably live" consensus instead. This allows v3 onion + services to work even if the authorities fail to generate a + consensus for more than 2 hours in a row. Fixes bug 40237; bugfix + on 0.3.5.1-alpha. 
+ + o Minor features (crypto): + - Fix undefined behavior on our Keccak library. The bug only + appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) + and would result in wrong digests. Fixes bug 40210; bugfix on + 0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and + weasel for diagnosing this. + + o Minor features (documentation): + - Mention the "!badexit" directive that can appear in an authority's + approved-routers file, and update the description of the + "!invalid" directive. Closes ticket 40188. + + o Minor bugfixes (compilation): + - Fix a compilation warning about unreachable fallthrough + annotations when building with "--enable-all-bugs-are-fatal" on + some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha. + - Fix the "--enable-static-tor" switch to properly set the "-static" + compile option onto the tor binary only. Fixes bug 40111; bugfix + on 0.2.3.1-alpha. + + o Minor bugfixes (config, bridge): + - Really fix the case where torrc has a missing ClientTransportPlugin + but is configured with a Bridge line and UseBridges. Previously, + we didn't look at the managed proxy list and thus would fail for + the "exec" case. Fixes bug 40106; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (logging, relay): + - Log our address as reported by the directory authorities, if none + was configured or detected before. Fixes bug 40201; bugfix + on 0.4.5.1-alpha. + - When a launching bandwidth testing circuit, don't incorrectly call + it a reachability test, or trigger a "CHECKING_REACHABILITY" + control event. Fixes bug 40205; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (relay, statistics): + - Report the correct connection statistics in our extrainfo + documents. Previously there was a problem in the file loading + function which would wrongly truncate a state file, causing the + wrong information to be reported. Fixes bug 40226; bugfix + on 0.4.5.1-alpha. + + o Minor bugfixes (SOCKS5): + - Handle partial SOCKS5 messages correctly. 
Previously, our code + would send an incorrect error message if it got a SOCKS5 request + that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. + + +Changes in version 0.4.5.2-alpha - 2020-11-23 + Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series. + It fixes several bugs present in earlier releases, including one that + made it impractical to run relays on Windows. It also adds a few small + safety features to improve Tor's behavior in the presence of strange + compile-time options, misbehaving proxies, and future versions + of OpenSSL. + + o Major bugfixes (relay, windows): + - Fix a bug in our implementation of condition variables on Windows. + Previously, a relay on Windows would use 100% CPU after running + for some time. Because of this change, Tor now require Windows + Vista or later to build and run. Fixes bug 30187; bugfix on + 0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with + the introduction of consensus diffs.) Patch by Daniel Pinto. + + o Minor features (compilation): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or + later. There are a number of APIs newly deprecated in OpenSSL + 3.0.0 that Tor still requires. (A later version of Tor will try to + stop depending on these APIs.) Closes ticket 40165. + + o Minor features (protocol, proxy support, defense in depth): + - Respond more deliberately to misbehaving proxies that leave + leftover data on their connections, so as to make Tor even less + likely to allow the proxies to pass their data off as having come + from a relay. Closes ticket 40017. + + o Minor features (safety): + - Log a warning at startup if Tor is built with compile-time options + that are likely to make it less stable or reliable. Closes + ticket 18888. + + o Minor bugfixes (circuit, handshake): + - In the v3 handshaking code, use connection_or_change_state() to + change the state. 
Previously, we changed the state directly, but + this did not pass the state change to the pubsub or channel + objects, potentially leading to bugs. Fixes bug 32880; bugfix on + 0.2.3.6-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (compilation): + - Use the correct 'ranlib' program when building libtor.a. + Previously we used the default ranlib, which broke some kinds of + cross-compilation. Fixes bug 40172; bugfix on 0.4.5.1-alpha. + - Remove a duplicate typedef in metrics_store.c. Fixes bug 40177; + bugfix on 0.4.5.1-alpha. + - When USDT tracing is enabled, and STAP_PROBEV() is missing, don't + attempt to build. Linux supports that macro but not the BSDs. + Fixes bug 40174; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (configuration): + - Exit Tor on a misconfiguration when the Bridge line is configured + to use a transport but no corresponding ClientTransportPlugin can + be found. Prior to this fix, Tor would attempt to connect to the + bridge directly without using the transport, making it easier for + adversaries to notice the bridge. Fixes bug 25528; bugfix + on 0.2.6.1-alpha. + - Fix an issue where an ORPort was compared with other kinds of + ports, when it should have been only checked against other + ORPorts. This bug would lead to "DirPort auto" getting ignored. + Fixes bug 40195; bugfix on 0.4.5.1-alpha. + - Fix a bug where a second non-ORPort with a variant family (ex: + SocksPort [::1]:9050) would be ignored due to a configuration + parsing error. Fixes bug 40183; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (crash, relay, signing key): + - Avoid assertion failures when we run Tor from the command line + with `--key-expiration sign`, but an ORPort is not set. Fixes bug + 40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (logging): + - Remove trailing whitespace from control event log messages. Fixes + bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by + Amadeusz Pawlik. 
+ - Turn warning-level log message about SENDME failure into a debug- + level message. (This event can happen naturally, and is no reason + for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha. + + o Minor bugfixes (relay, address discovery): + - Don't trigger an IP change when no new valid IP can be found. + Fixes bug 40071; bugfix on 0.4.5.1-alpha. + - When attempting to discover our IP, use a simple test circuit, + rather than a descriptor fetch: the same address information is + present in NETINFO cells, and is better authenticated there. Fixes + bug 40071; bugfix on 0.4.5.1-alpha. + + o Minor bugfixes (testing): + - Fix the `config/parse_tcp_proxy_line` test so that it works + correctly on systems where the DNS provider hijacks invalid + queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha. + - Fix unit tests that used newly generated list of routers so that + they check them with respect to the date when they were generated, + not with respect to the current time. Fixes bug 40187; bugfix + on 0.4.5.1-alpha. + - Fix our Python reference-implementation for the v3 onion service + handshake so that it works correctly with the version of hashlib + provided by Python 3.9. Fixes part of bug 40179; bugfix + on 0.3.1.6-rc. + - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL + 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha. + + o Removed features (controller): + - Remove the "GETINFO network-status" controller command. It has + been deprecated since 0.3.1.1-alpha. Closes ticket 22473. + + Changes in version 0.4.4.6 - 2020-11-12 Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It backports fixes from later releases, including a fix for TROVE-2020- |
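Review bot: The header "Changes in version 0.3.5.13 - 2020-02-03" carries a date that predates the releases it says it backports from, 0.4.5.3-rc (2021-01-12) and 0.4.5.5-rc (2021-02-01), so the year should be checked against the actual release date. The Keccak undefined-behavior fix ("Fixes bug 40210; bugfix on 0.2.8.1-alpha") is filed under "Minor features (crypto)" everywhere it appears in this hunk. It reads as a bugfix and would be easier for operators to find under "Minor bugfixes (crypto)". Several typos are worth correcting before this text is reused in release notes: "mitgate" in the exit re-entry entry (0.3.5.13 and 0.4.5.5-rc), "chcecking" in the 0.4.5.4-rc bridge entry, "Tor now require Windows Vista" in 0.4.5.2-alpha, "When a launching bandwidth testing circuit" in 0.4.5.3-rc, and "an harmless BUG()" in 0.4.5.4-rc.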