aboutsummaryrefslogtreecommitdiff
path: root/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog565
1 files changed, 562 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 9617af918f..9f3dc46400 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,562 @@
+Changes in version 0.3.1.4-alpha - 2017-06-29
+ Tor 0.3.1.4-alpha fixes a path selection bug that would allow a client
+ to use a guard that was in the same network family as a chosen exit
+ relay. This is a security regression; all clients running earlier
+ versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9
+ or 0.3.1.4-alpha.
+
+ This release also fixes several other bugs introduced in 0.3.0.x
+ and 0.3.1.x, including others that can affect bandwidth usage
+ and correctness.
+
+ o New dependencies:
+ - To build with zstd and lzma support, Tor now requires the
+ pkg-config tool at build time. (This requirement was new in
+ 0.3.1.1-alpha, but was not noted at the time. Noting it here to
+ close ticket 22623.)
+
+ o Major bugfixes (path selection, security):
+ - When choosing which guard to use for a circuit, avoid the exit's
+ family along with the exit itself. Previously, the new guard
+ selection logic avoided the exit, but did not consider its family.
+ Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016-
+ 006 and CVE-2017-0377.
+
+ o Major bugfixes (compression, zstd):
+ - Correctly detect a full buffer when decompressing a large zstd-
+ compressed input. Previously, we would sometimes treat a full
+ buffer as an error. Fixes bug 22628; bugfix on 0.3.1.1-alpha.
+
+ o Major bugfixes (directory protocol):
+ - Ensure that we send "304 Not modified" as HTTP status code when a
+ client is attempting to fetch a consensus or consensus diff, and
+ the best one we can send them is one they already have. Fixes bug
+ 22702; bugfix on 0.3.1.1-alpha.
+
+ o Major bugfixes (entry guards):
+ - When starting with an old consensus, do not add new entry guards
+ unless the consensus is "reasonably live" (under 1 day old). Fixes
+ one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
+
+ o Minor features (bug mitigation, diagnostics, logging):
+ - Avoid an assertion failure, and log a better error message, when
+ unable to remove a file from the consensus cache on Windows.
+ Attempts to mitigate and diagnose bug 22752.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (compression):
+ - When compressing or decompressing a buffer, check for a failure to
+ create a compression object. Fixes bug 22626; bugfix
+ on 0.3.1.1-alpha.
+ - When decompressing a buffer, check for extra data after the end of
+ the compressed data. Fixes bug 22629; bugfix on 0.3.1.1-alpha.
+ - When decompressing an object received over an anonymous directory
+ connection, if we have already decompressed it using an acceptable
+ compression method, do not reject it for looking like an
+ unacceptable compression method. Fixes part of bug 22670; bugfix
+ on 0.3.1.1-alpha.
+ - When serving directory votes compressed with zlib, do not claim to
+ have compressed them with zstd. Fixes bug 22669; bugfix
+ on 0.3.1.1-alpha.
+ - When spooling compressed data to an output buffer, don't try to
+ spool more data when there is no more data to spool and we are not
+ trying to flush the input. Previously, we would sometimes launch
+ compression requests with nothing to do, which interferes with our
+ 22672 checks. Fixes bug 22719; bugfix on 0.2.0.16-alpha.
+
+ o Minor bugfixes (defensive programming):
+ - Detect and break out of infinite loops in our compression code. We
+ don't think that any such loops exist now, but it's best to be
+ safe. Closes ticket 22672.
+ - Fix a memset() off the end of an array when packing cells. This
+ bug should be harmless in practice, since the corrupted bytes are
+ still in the same structure, and are always padding bytes,
+ ignored, or immediately overwritten, depending on compiler
+ behavior. Nevertheless, because the memset()'s purpose is to make
+ sure that any other cell-handling bugs can't expose bytes to the
+ network, we need to fix it. Fixes bug 22737; bugfix on
+ 0.2.4.11-alpha. Fixes CID 1401591.
+
+ o Minor bugfixes (linux seccomp2 sandbox):
+ - Permit the fchmod system call, to avoid crashing on startup when
+ starting with the seccomp2 sandbox and an unexpected set of
+ permissions on the data directory or its contents. Fixes bug
+ 22516; bugfix on 0.2.5.4-alpha.
+ - Fix a crash in the LZMA module, when the sandbox was enabled, and
+ liblzma would allocate more than 16 MB of memory. We solve this by
+ bumping the mprotect() limit in the sandbox module from 16 MB to
+ 20 MB. Fixes bug 22751; bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (logging):
+ - When decompressing, do not warn if we fail to decompress using a
+ compression method that we merely guessed. Fixes part of bug
+ 22670; bugfix on 0.1.1.14-alpha.
+ - When decompressing, treat mismatch between content-encoding and
+ actual compression type as a protocol warning. Fixes part of bug
+ 22670; bugfix on 0.1.1.9-alpha.
+ - Downgrade "assigned_to_cpuworker failed" message to info-level
+ severity. In every case that can reach it, either a better warning
+ has already been logged, or no warning is warranted. Fixes bug
+ 22356; bugfix on 0.2.6.3-alpha.
+ - Demote a warn that was caused by libevent delays to info if
+ netflow padding is less than 4.5 seconds late, or to notice
+ if it is more (4.5 seconds is the amount of time that a netflow
+ record might be emitted after, if we chose the maximum timeout).
+ Fixes bug 22212; bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (process behavior):
+ - When exiting because of an error, always exit with a nonzero exit
+ status. Previously, we would fail to report an error in our exit
+ status in cases related to __OwningControllerProcess failure,
+ lockfile contention, and Ed25519 key initialization. Fixes bug
+ 22720; bugfix on versions 0.2.1.6-alpha, 0.2.2.28-beta, and
+ 0.2.7.2-alpha respectively. Reported by "f55jwk4f"; patch
+ from "huyvq".
+
+ o Documentation:
+ - Add a manpage description for the key-pinning-journal file. Closes
+ ticket 22347.
+ - Correctly note that bandwidth accounting values are stored in the
+ state file, and the bw_accounting file is now obsolete. Closes
+ ticket 16082.
+ - Document more of the files in the Tor data directory, including
+ cached-extrainfo, secret_onion_key{,_ntor}.old, hidserv-stats,
+ approved-routers, sr-random, and diff-cache. Found while fixing
+ ticket 22347.
+
+
+Changes in version 0.3.0.9 - 2017-06-29
+ Tor 0.3.0.9 fixes a path selection bug that would allow a client
+ to use a guard that was in the same network family as a chosen exit
+ relay. This is a security regression; all clients running earlier
+ versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
+ 0.3.1.4-alpha.
+
+ This release also backports several other bugfixes from the 0.3.1.x
+ series.
+
+ o Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):
+ - When choosing which guard to use for a circuit, avoid the exit's
+ family along with the exit itself. Previously, the new guard
+ selection logic avoided the exit, but did not consider its family.
+ Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016-
+ 006 and CVE-2017-0377.
+
+ o Major bugfixes (entry guards, backport from 0.3.1.1-alpha):
+ - Don't block bootstrapping when a primary bridge is offline and we
+ can't get its descriptor. Fixes bug 22325; fixes one case of bug
+ 21969; bugfix on 0.3.0.3-alpha.
+
+ o Major bugfixes (entry guards, backport from 0.3.1.4-alpha):
+ - When starting with an old consensus, do not add new entry guards
+ unless the consensus is "reasonably live" (under 1 day old). Fixes
+ one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
+ - Reject version numbers with non-numeric prefixes (such as +, -, or
+ whitespace). Disallowing whitespace prevents differential version
+ parsing between POSIX-based and Windows platforms. Fixes bug 21507
+ and part of 21508; bugfix on 0.0.8pre1.
+
+ o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
+ - Permit the fchmod system call, to avoid crashing on startup when
+ starting with the seccomp2 sandbox and an unexpected set of
+ permissions on the data directory or its contents. Fixes bug
+ 22516; bugfix on 0.2.5.4-alpha.
+
+ o Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha):
+ - Fix a memset() off the end of an array when packing cells. This
+ bug should be harmless in practice, since the corrupted bytes are
+ still in the same structure, and are always padding bytes,
+ ignored, or immediately overwritten, depending on compiler
+ behavior. Nevertheless, because the memset()'s purpose is to make
+ sure that any other cell-handling bugs can't expose bytes to the
+ network, we need to fix it. Fixes bug 22737; bugfix on
+ 0.2.4.11-alpha. Fixes CID 1401591.
+
+
+Changes in version 0.3.1.3-alpha - 2017-06-08
+ Tor 0.3.1.3-alpha fixes a pair of bugs that would allow an attacker to
+ remotely crash a hidden service with an assertion failure. Anyone
+ running a hidden service should upgrade to this version, or to some
+ other version with fixes for TROVE-2017-004 and TROVE-2017-005.
+
+ Tor 0.3.1.3-alpha also includes fixes for several key management bugs
+ that sometimes made relays unreliable, as well as several other
+ bugfixes described below.
+
+ o Major bugfixes (hidden service, relay, security):
+ - Fix a remotely triggerable assertion failure when a hidden service
+ handles a malformed BEGIN cell. Fixes bug 22493, tracked as
+ TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
+ - Fix a remotely triggerable assertion failure caused by receiving a
+ BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+ 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+ on 0.2.2.1-alpha.
+
+ o Major bugfixes (relay, link handshake):
+ - When performing the v3 link handshake on a TLS connection, report
+ that we have the x509 certificate that we actually used on that
+ connection, even if we have changed certificates since that
+ connection was first opened. Previously, we would claim to have
+ used our most recent x509 link certificate, which would sometimes
+ make the link handshake fail. Fixes one case of bug 22460; bugfix
+ on 0.2.3.6-alpha.
+
+ o Major bugfixes (relays, key management):
+ - Regenerate link and authentication certificates whenever the key
+ that signs them changes; also, regenerate link certificates
+ whenever the signed key changes. Previously, these processes were
+ only weakly coupled, and we relays could (for minutes to hours)
+ wind up with an inconsistent set of keys and certificates, which
+ other relays would not accept. Fixes two cases of bug 22460;
+ bugfix on 0.3.0.1-alpha.
+ - When sending an Ed25519 signing->link certificate in a CERTS cell,
+ send the certificate that matches the x509 certificate that we
+ used on the TLS connection. Previously, there was a race condition
+ if the TLS context rotated after we began the TLS handshake but
+ before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
+ on 0.3.0.1-alpha.
+
+ o Major bugfixes (torrc, crash):
+ - Fix a crash bug when using %include in torrc. Fixes bug 22417;
+ bugfix on 0.3.1.1-alpha. Patch by Daniel Pinto.
+
+ o Minor features (code style):
+ - Add "Falls through" comments to our codebase, in order to silence
+ GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
+ Stieger. Closes ticket 22446.
+
+ o Minor features (diagnostic):
+ - Add logging messages to try to diagnose a rare bug that seems to
+ generate RSA->Ed25519 cross-certificates dated in the 1970s. We
+ think this is happening because of incorrect system clocks, but
+ we'd like to know for certain. Diagnostic for bug 22466.
+
+ o Minor bugfixes (correctness):
+ - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+ file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+ o Minor bugfixes (directory protocol):
+ - Check for libzstd >= 1.1, because older versions lack the
+ necessary streaming API. Fixes bug 22413; bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (link handshake):
+ - Lower the lifetime of the RSA->Ed25519 cross-certificate to six
+ months, and regenerate it when it is within one month of expiring.
+ Previously, we had generated this certificate at startup with a
+ ten-year lifetime, but that could lead to weird behavior when Tor
+ was started with a grossly inaccurate clock. Mitigates bug 22466;
+ mitigation on 0.3.0.1-alpha.
+
+ o Minor bugfixes (storage directories):
+ - Always check for underflows in the cached storage directory usage.
+ If the usage does underflow, re-calculate it. Also, avoid a
+ separate underflow when the usage is not known. Fixes bug 22424;
+ bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (unit tests):
+ - The unit tests now pass on systems where localhost is misconfigured
+ to some IPv4 address other than 127.0.0.1. Fixes bug 6298; bugfix
+ on 0.0.9pre2.
+
+ o Documentation:
+ - Clarify the manpage for the (deprecated) torify script. Closes
+ ticket 6892.
+
+Changes in version 0.3.0.8 - 2017-06-08
+ Tor 0.3.0.8 fixes a pair of bugs that would allow an attacker to
+ remotely crash a hidden service with an assertion failure. Anyone
+ running a hidden service should upgrade to this version, or to some
+ other version with fixes for TROVE-2017-004 and TROVE-2017-005.
+
+ Tor 0.3.0.8 also includes fixes for several key management bugs
+ that sometimes made relays unreliable, as well as several other
+ bugfixes described below.
+
+ o Major bugfixes (hidden service, relay, security, backport
+ from 0.3.1.3-alpha):
+ - Fix a remotely triggerable assertion failure when a hidden service
+ handles a malformed BEGIN cell. Fixes bug 22493, tracked as
+ TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
+ - Fix a remotely triggerable assertion failure caused by receiving a
+ BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+ 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+ on 0.2.2.1-alpha.
+
+ o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
+ - When performing the v3 link handshake on a TLS connection, report
+ that we have the x509 certificate that we actually used on that
+ connection, even if we have changed certificates since that
+ connection was first opened. Previously, we would claim to have
+ used our most recent x509 link certificate, which would sometimes
+ make the link handshake fail. Fixes one case of bug 22460; bugfix
+ on 0.2.3.6-alpha.
+
+ o Major bugfixes (relays, key management, backport from 0.3.1.3-alpha):
+ - Regenerate link and authentication certificates whenever the key
+ that signs them changes; also, regenerate link certificates
+ whenever the signed key changes. Previously, these processes were
+ only weakly coupled, and we relays could (for minutes to hours)
+ wind up with an inconsistent set of keys and certificates, which
+ other relays would not accept. Fixes two cases of bug 22460;
+ bugfix on 0.3.0.1-alpha.
+ - When sending an Ed25519 signing->link certificate in a CERTS cell,
+ send the certificate that matches the x509 certificate that we
+ used on the TLS connection. Previously, there was a race condition
+ if the TLS context rotated after we began the TLS handshake but
+ before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
+ on 0.3.0.1-alpha.
+
+ o Major bugfixes (hidden service v3, backport from 0.3.1.1-alpha):
+ - Stop rejecting v3 hidden service descriptors because their size
+ did not match an old padding rule. Fixes bug 22447; bugfix on
+ tor-0.3.0.1-alpha.
+
+ o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
+ - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
+ December 2016 (of which ~126 were still functional) with a list of
+ 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
+ 2017. Resolves ticket 21564.
+
+ o Minor bugfixes (configuration, backport from 0.3.1.1-alpha):
+ - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes
+ bug 22252; bugfix on 0.2.9.3-alpha.
+
+ o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
+ - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+ file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+ o Minor bugfixes (link handshake, backport from 0.3.1.3-alpha):
+ - Lower the lifetime of the RSA->Ed25519 cross-certificate to six
+ months, and regenerate it when it is within one month of expiring.
+ Previously, we had generated this certificate at startup with a
+ ten-year lifetime, but that could lead to weird behavior when Tor
+ was started with a grossly inaccurate clock. Mitigates bug 22466;
+ mitigation on 0.3.0.1-alpha.
+
+ o Minor bugfixes (memory leak, directory authority, backport from
+ 0.3.1.2-alpha):
+ - When directory authorities reject a router descriptor due to
+ keypinning, free the router descriptor rather than leaking the
+ memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
+
+
+Changes in version 0.2.9.11 - 2017-06-08
+ Tor 0.2.9.11 backports a fix for a bug that would allow an attacker to
+ remotely crash a hidden service with an assertion failure. Anyone
+ running a hidden service should upgrade to this version, or to some
+ other version with fixes for TROVE-2017-005. (Versions before 0.3.0
+ are not affected by TROVE-2017-004.)
+
+ Tor 0.2.9.11 also backports fixes for several key management bugs
+ that sometimes made relays unreliable, as well as several other
+ bugfixes described below.
+
+ o Major bugfixes (hidden service, relay, security, backport
+ from 0.3.1.3-alpha):
+ - Fix a remotely triggerable assertion failure caused by receiving a
+ BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+ 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+ on 0.2.2.1-alpha.
+
+ o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
+ - When performing the v3 link handshake on a TLS connection, report
+ that we have the x509 certificate that we actually used on that
+ connection, even if we have changed certificates since that
+ connection was first opened. Previously, we would claim to have
+ used our most recent x509 link certificate, which would sometimes
+ make the link handshake fail. Fixes one case of bug 22460; bugfix
+ on 0.2.3.6-alpha.
+
+ o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
+ - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
+ December 2016 (of which ~126 were still functional) with a list of
+ 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
+ 2017. Resolves ticket 21564.
+
+ o Minor features (future-proofing, backport from 0.3.0.7):
+ - Tor no longer refuses to download microdescriptors or descriptors if
+ they are listed as "published in the future". This change will
+ eventually allow us to stop listing meaningful "published" dates
+ in microdescriptor consensuses, and thereby allow us to reduce the
+ resources required to download consensus diffs by over 50%.
+ Implements part of ticket 21642; implements part of proposal 275.
+
+ o Minor features (directory authorities, backport from 0.3.0.4-rc)
+ - Directory authorities now reject relays running versions
+ 0.2.9.1-alpha through 0.2.9.4-alpha, because those relays
+ suffer from bug 20499 and don't keep their consensus cache
+ up-to-date. Resolves ticket 20509.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (control port, backport from 0.3.0.6):
+ - The GETINFO extra-info/digest/<digest> command was broken because
+ of a wrong base16 decode return value check, introduced when
+ refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.
+
+ o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
+ - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+ file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+ o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.0.7):
+ - The getpid() system call is now permitted under the Linux seccomp2
+ sandbox, to avoid crashing with versions of OpenSSL (and other
+ libraries) that attempt to learn the process's PID by using the
+ syscall rather than the VDSO code. Fixes bug 21943; bugfix
+ on 0.2.5.1-alpha.
+
+ o Minor bugfixes (memory leak, directory authority, backport
+ from 0.3.1.2-alpha):
+ - When directory authorities reject a router descriptor due to
+ keypinning, free the router descriptor rather than leaking the
+ memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
+
+Changes in version 0.2.8.14 - 2017-06-08
+ Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to
+ remotely crash a hidden service with an assertion failure. Anyone
+ running a hidden service should upgrade to this version, or to some
+ other version with fixes for TROVE-2017-005. (Versions before 0.3.0
+ are not affected by TROVE-2017-004.)
+
+ o Major bugfixes (hidden service, relay, security):
+ - Fix a remotely triggerable assertion failure caused by receiving a
+ BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+ 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+ on 0.2.2.1-alpha.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
+ - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
+ December 2016 (of which ~126 were still functional) with a list of
+ 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
+ 2017. Resolves ticket 21564.
+
+ o Minor bugfixes (correctness):
+ - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+ file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+Changes in version 0.2.7.8 - 2017-06-08
+ Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to
+ remotely crash a hidden service with an assertion failure. Anyone
+ running a hidden service should upgrade to this version, or to some
+ other version with fixes for TROVE-2017-005. (Versions before 0.3.0
+ are not affected by TROVE-2017-004.)
+
+ o Major bugfixes (hidden service, relay, security):
+ - Fix a remotely triggerable assertion failure caused by receiving a
+ BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+ 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+ on 0.2.2.1-alpha.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (correctness):
+ - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+ file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+
+Changes in version 0.2.6.12 - 2017-06-08
+ Tor 0.2.6.12 backports a fix for a bug that would allow an attacker to
+ remotely crash a hidden service with an assertion failure. Anyone
+ running a hidden service should upgrade to this version, or to some
+ other version with fixes for TROVE-2017-005. (Versions before 0.3.0
+ are not affected by TROVE-2017-004.)
+
+ o Major bugfixes (hidden service, relay, security):
+ - Fix a remotely triggerable assertion failure caused by receiving a
+ BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+ 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+ on 0.2.2.1-alpha.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (correctness):
+ - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+ file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+Changes in version 0.2.5.14 - 2017-06-08
+ Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to
+ remotely crash a hidden service with an assertion failure. Anyone
+ running a hidden service should upgrade to this version, or to some
+ other version with fixes for TROVE-2017-005. (Versions before 0.3.0
+ are not affected by TROVE-2017-004.)
+
+ o Major bugfixes (hidden service, relay, security):
+ - Fix a remotely triggerable assertion failure caused by receiving a
+ BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+ 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+ on 0.2.2.1-alpha.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (correctness):
+ - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+ file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+Changes in version 0.2.4.29 - 2017-06-08
+ Tor 0.2.4.29 backports a fix for a bug that would allow an attacker to
+ remotely crash a hidden service with an assertion failure. Anyone
+ running a hidden service should upgrade to this version, or to some
+ other version with fixes for TROVE-2017-005. (Versions before 0.3.0
+ are not affected by TROVE-2017-004.)
+
+ o Major bugfixes (hidden service, relay, security):
+ - Fix a remotely triggerable assertion failure caused by receiving a
+ BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+ 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+ on 0.2.2.1-alpha.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (correctness):
+ - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+ file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+
+Changes in version 0.3.1.2-alpha - 2017-05-26
+ Tor 0.3.1.2-alpha is the second release in the 0.3.1.x series. It
+ fixes a few bugs found while testing 0.3.1.1-alpha, including a
+ memory corruption bug that affected relay stability.
+
+ o Major bugfixes (crash, relay):
+ - Fix a memory-corruption bug in relays that set MyFamily.
+ Previously, they would double-free MyFamily elements when making
+ the next descriptor or when changing their configuration. Fixes
+ bug 22368; bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (logging):
+ - Log a better message when a directory authority replies to an
+ upload with an unexpected status code. Fixes bug 11121; bugfix
+ on 0.1.0.1-rc.
+
+ o Minor bugfixes (memory leak, directory authority):
+ - When directory authorities reject a router descriptor due to
+ keypinning, free the router descriptor rather than leaking the
+ memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
+
+
Changes in version 0.3.1.1-alpha - 2017-05-22
Tor 0.3.1.1-alpha is the first release in the 0.3.1.x series. It
reduces the bandwidth usage for Tor's directory protocol, adds some
@@ -1621,7 +2180,7 @@ Changes in version 0.3.0.1-alpha - 2016-12-19
subprotocol-versions mechanism, so that clients can tell which
relays can identity themselves by Ed25519 ID. Closes ticket 20552.
- o Minor features (fingerprinting resistence, authentication):
+ o Minor features (fingerprinting resistance, authentication):
- Extend the length of RSA keys used for TLS link authentication to
2048 bits. (These weren't used for forward secrecy; for forward
secrecy, we used P256.) Closes ticket 13752.
@@ -4687,7 +5246,7 @@ Changes in version 0.2.6.8 - 2015-05-21
o Major bugfixes (hidden services, backport from 0.2.7.1-alpha):
- Revert commit that made directory authorities assign the HSDir
- flag to relay without a DirPort; this was bad because such relays
+ flag to relays without a DirPort; this was bad because such relays
can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
on 0.2.6.3-alpha.
@@ -4728,7 +5287,7 @@ Changes in version 0.2.7.1-alpha - 2015-05-12
o Major bugfixes (hidden services):
- Revert commit that made directory authorities assign the HSDir
- flag to relay without a DirPort; this was bad because such relays
+ flag to relays without a DirPort; this was bad because such relays
can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
on 0.2.6.3-alpha.
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion