diff options
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 833 |
1 files changed, 756 insertions, 77 deletions
@@ -1,3 +1,684 @@ +Changes in version 0.2.8.17 - 2017-12-01 + Tor 0.2.8.17 backports important security and stability bugfixes from + later Tor releases. All Tor users should upgrade to this release, or + to another of the releases coming out today. + + Note: the Tor 0.2.8 series will no longer be supported after 1 Jan + 2018. If you need a release with long-term support, please upgrade with + the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. + + o Major bugfixes (security, backport from 0.3.2.6-alpha): + - Fix a denial of service bug where an attacker could use a + malformed directory object to cause a Tor instance to pause while + OpenSSL would try to read a passphrase from the terminal. (Tor + instances run without a terminal, which is the case for most Tor + packages, are not impacted.) Fixes bug 24246; bugfix on every + version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821. + Found by OSS-Fuzz as testcase 6360145429790720. + - When checking for replays in the INTRODUCE1 cell data for a + (legacy) onion service, correctly detect replays in the RSA- + encrypted part of the cell. We were previously checking for + replays on the entire cell, but those can be circumvented due to + the malleability of Tor's legacy hybrid encryption. This fix helps + prevent a traffic confirmation attack. Fixes bug 24244; bugfix on + 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009 + and CVE-2017-8819. + + o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha): + - Fix a use-after-free error that could crash v2 Tor onion services + when they failed to open circuits while expiring introduction + points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is + also tracked as TROVE-2017-013 and CVE-2017-8823. + + o Major bugfixes (security, relay, backport from 0.3.2.6-alpha): + - When running as a relay, make sure that we never build a path through + ourselves, even in the case where we have somehow lost the version of + our descriptor appearing in the consensus. Fixes part of bug 21534; + bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012 + and CVE-2017-8822. + + o Minor features (bridge, backport from 0.3.1.9): + - Bridges now include notice in their descriptors that they are + bridges, and notice of their distribution status, based on their + publication settings. Implements ticket 18329. For more fine- + grained control of how a bridge is distributed, upgrade to 0.3.2.x + or later. + + o Minor features (directory authority, backport from 0.3.2.6-alpha): + - Add an IPv6 address for the "bastet" directory authority. Closes + ticket 24394. + + o Minor features (geoip): + - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (testing, backport from 0.3.1.6-rc): + - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291; + bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij. + + +Changes in version 0.2.8.16 - 2017-10-25 + Tor 0.2.8.16 backports a collection of bugfixes from later Tor release + series, including a bugfix for a crash issue that had affected relays + under memory pressure. It also adds a new directory authority, Bastet. + + Note: the Tor 0.2.8 series will no longer be supported after 1 Jan + 2018. If you need a release with long-term support, please stick with + the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later. + + o Directory authority changes: + - Add "Bastet" as a ninth directory authority to the default list. + Closes ticket 23910. + - The directory authority "Longclaw" has changed its IP address. + Closes ticket 23592. + + o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha): + - Fix a timing-based assertion failure that could occur when the + circuit out-of-memory handler freed a connection's output buffer. + Fixes bug 23690; bugfix on 0.2.6.1-alpha. + + o Minor features (directory authorities, backport from 0.3.2.2-alpha): + - Remove longclaw's IPv6 address, as it will soon change. Authority + IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves + 3/8 directory authorities with IPv6 addresses, but there are also + 52 fallback directory mirrors with IPv6 addresses. Resolves 19760. + + o Minor features (geoip): + - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.8.15 - 2017-09-18 + Tor 0.2.8.15 backports a collection of bugfixes from later + Tor series. + + Most significantly, it includes a fix for TROVE-2017-008, a + security bug that affects hidden services running with the + SafeLogging option disabled. For more information, see + https://trac.torproject.org/projects/tor/ticket/23490 + + Note that Tor 0.2.8.x will no longer be supported after 1 Jan + 2018. We suggest that you upgrade to the latest stable release if + possible. If you can't, we recommend that you upgrade at least to + 0.2.9, which will be supported until 2020. + + o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha): + - Avoid an assertion failure bug affecting our implementation of + inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() + handling of "0xx" differs from what we had expected. Fixes bug + 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. + + o Minor features: + - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha): + - Backport a fix for an "unused variable" warning that appeared + in some versions of mingw. Fixes bug 22838; bugfix on + 0.2.8.1-alpha. + + o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha): + - Fix a memset() off the end of an array when packing cells. This + bug should be harmless in practice, since the corrupted bytes are + still in the same structure, and are always padding bytes, + ignored, or immediately overwritten, depending on compiler + behavior. Nevertheless, because the memset()'s purpose is to make + sure that any other cell-handling bugs can't expose bytes to the + network, we need to fix it. Fixes bug 22737; bugfix on + 0.2.4.11-alpha. Fixes CID 1401591. + + o Build features (backport from 0.3.1.5-alpha): + - Tor's repository now includes a Travis Continuous Integration (CI) + configuration file (.travis.yml). This is meant to help new + developers and contributors who fork Tor to a Github repository be + better able to test their changes, and understand what we expect + to pass. To use this new build feature, you must fork Tor to your + Github account, then go into the "Integrations" menu in the + repository settings for your fork and enable Travis, then push + your changes. Closes ticket 22636. + + + +Changes in version 0.2.8.14 - 2017-06-08 + Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) + + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor features (fallback directory list, backport from 0.3.1.3-alpha): + - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in + December 2016 (of which ~126 were still functional) with a list of + 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May + 2017. Resolves ticket 21564. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + +Changes in version 0.2.8.13 - 2017-03-03 + Tor 0.2.8.13 backports a security fix from later Tor + releases. Anybody running Tor 0.2.8.12 or earlier should upgrade to this + this release, if for some reason they cannot upgrade to a later + release series, and if they build Tor with the --enable-expensive-hardening + option. + + Note that support for Tor 0.2.8.x is ending next year: we will not issue + any fixes for the Tor 0.2.8.x series after 1 Jan 2018. If you need + a Tor release series with longer-term support, we recommend Tor 0.2.9.x. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.8.12 - 2016-12-19 + Tor 0.2.8.12 backports a fix for a medium-severity issue (bug 21018 + below) where Tor clients could crash when attempting to visit a + hostile hidden service. Clients are recommended to upgrade as packages + become available for their systems. + + It also includes an updated list of fallback directories, backported + from 0.2.9. + + Now that the Tor 0.2.9 series is stable, only major bugfixes will be + backported to 0.2.8 in the future. + + o Major bugfixes (parsing, security, backported from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Minor features (fallback directory list, backported from 0.2.9.8): + - Replace the 81 remaining fallbacks of the 100 originally + introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177 + fallbacks (123 new, 54 existing, 27 removed) generated in December + 2016. Resolves ticket 20170. + + o Minor features (geoip, backported from 0.2.9.7-rc): + - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.8.11 - 2016-12-08 + Tor 0.2.8.11 backports fixes for additional portability issues that + could prevent Tor from building correctly on OSX Sierra, or with + OpenSSL 1.1. Affected users should upgrade; others can safely stay + with 0.2.8.10. + + o Minor bugfixes (portability): + - Avoid compilation errors when building on OSX Sierra. Sierra began + to support the getentropy() and clock_gettime() APIs, but created + a few problems in doing so. Tor 0.2.9 has a more thorough set of + workarounds; in 0.2.8, we are just using the /dev/urandom and mach + monotonic time interfaces. Fixes bug 20865. Bugfix + on 0.2.8.1-alpha. + + o Minor bugfixes (portability, backport from 0.2.9.5-alpha): + - Fix compilation with OpenSSL 1.1 and less commonly-used CPU + architectures. Closes ticket 20588. + + +Changes in version 0.2.8.10 - 2016-12-02 + Tor 0.2.8.10 backports a fix for a bug that would sometimes make clients + unusable after they left standby mode. It also backports fixes for + a few portability issues and a small but problematic memory leak. + + o Major bugfixes (client reliability, backport from 0.2.9.5-alpha): + - When Tor leaves standby because of a new application request, open + circuits as needed to serve that request. Previously, we would + potentially wait a very long time. Fixes part of bug 19969; bugfix + on 0.2.8.1-alpha. + + o Major bugfixes (client performance, backport from 0.2.9.5-alpha): + - Clients now respond to new application stream requests immediately + when they arrive, rather than waiting up to one second before + starting to handle them. Fixes part of bug 19969; bugfix + on 0.2.8.1-alpha. + + o Minor bugfixes (portability, backport from 0.2.9.6-rc): + - Work around a bug in the OSX 10.12 SDK that would prevent us from + successfully targeting earlier versions of OSX. Resolves + ticket 20235. + + o Minor bugfixes (portability, backport from 0.2.9.5-alpha): + - Fix implicit conversion warnings under OpenSSL 1.1. Fixes bug + 20551; bugfix on 0.2.1.1-alpha. + + o Minor bugfixes (relay, backport from 0.2.9.5-alpha): + - Work around a memory leak in OpenSSL 1.1 when encoding public + keys. Fixes bug 20553; bugfix on 0.0.2pre8. + + o Minor features (geoip): + - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.8.9 - 2016-10-17 + Tor 0.2.8.9 backports a fix for a security hole in previous versions + of Tor that would allow a remote attacker to crash a Tor client, + hidden service, relay, or authority. All Tor users should upgrade to + this version, or to 0.2.9.4-alpha. Patches will be released for older + versions of Tor. + + o Major features (security fixes, also in 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Minor features (geoip): + - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.8.8 - 2016-09-23 + Tor 0.2.8.8 fixes two crash bugs present in previous versions of the + 0.2.8.x series. Relays running 0.2.8.x should upgrade, as should users + who select public relays as their bridges. + + o Major bugfixes (crash): + - Fix a complicated crash bug that could affect Tor clients + configured to use bridges when replacing a networkstatus consensus + in which one of their bridges was mentioned. OpenBSD users saw + more crashes here, but all platforms were potentially affected. + Fixes bug 20103; bugfix on 0.2.8.2-alpha. + + o Major bugfixes (relay, OOM handler): + - Fix a timing-dependent assertion failure that could occur when we + tried to flush from a circuit after having freed its cells because + of an out-of-memory condition. Fixes bug 20203; bugfix on + 0.2.8.1-alpha. Thanks to "cypherpunks" for help diagnosing + this one. + + o Minor feature (fallback directories): + - Remove broken fallbacks from the hard-coded fallback directory + list. Closes ticket 20190; patch by teor. + + o Minor features (geoip): + - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.8.7 - 2016-08-24 + Tor 0.2.8.7 fixes an important bug related to the ReachableAddresses + option in 0.2.8.6, and replaces a retiring bridge authority. Everyone + who sets the ReachableAddresses option, and all bridges, are strongly + encouraged to upgrade. + + o Directory authority changes: + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Major bugfixes (client, security): + - Only use the ReachableAddresses option to restrict the first hop + in a path. In earlier versions of 0.2.8.x, it would apply to + every hop in the path, with a possible degradation in anonymity + for anyone using an uncommon ReachableAddress setting. Fixes bug + 19973; bugfix on 0.2.8.2-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation): + - Remove an inappropriate "inline" in tortls.c that was causing + warnings on older versions of GCC. Fixes bug 19903; bugfix + on 0.2.8.1-alpha. + + o Minor bugfixes (fallback directories): + - Avoid logging a NULL string pointer when loading fallback + directory information. Fixes bug 19947; bugfix on 0.2.4.7-alpha + and 0.2.8.1-alpha. Report and patch by "rubiate". + + +Changes in version 0.2.8.6 - 2016-08-02 + + Tor 0.2.8.6 is the first stable version of the Tor 0.2.8 series. + + The Tor 0.2.8 series improves client bootstrapping performance, + completes the authority-side implementation of improved identity + keys for relays, and includes numerous bugfixes and performance + improvements throughout the program. This release continues to + improve the coverage of Tor's test suite. For a full list of + changes since Tor 0.2.7, see the ReleaseNotes file. + + Changes since 0.2.8.5-rc: + + o Minor features (geoip): + - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation): + - Fix a compilation warning in the unit tests on systems where char + is signed. Fixes bug 19682; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (fallback directories): + - Remove a fallback that was on the hardcoded list, then opted-out. + Fixes bug 19782; update to fallback list from 0.2.8.2-alpha. + + o Minor bugfixes (Linux seccomp2 sandbox): + - Allow more syscalls when running with "Sandbox 1" enabled: + sysinfo, getsockopt(SO_SNDBUF), and setsockopt(SO_SNDBUFFORCE). On + some systems, these are required for Tor to start. Fixes bug + 18397; bugfix on 0.2.5.1-alpha. Patch from Daniel Pinto. + - Allow IPPROTO_UDP datagram sockets when running with "Sandbox 1", + so that get_interface_address6_via_udp_socket_hack() can work. + Fixes bug 19660; bugfix on 0.2.5.1-alpha. + + +Changes in version 0.2.8.5-rc - 2016-07-07 + Tor 0.2.8.5-rc is the second release candidate in the Tor 0.2.8 + series. If we find no new bugs or regressions here, the first stable + 0.2.8 release will be identical to it. It has a few small bugfixes + against previous versions. + + o Directory authority changes: + - Urras is no longer a directory authority. Closes ticket 19271. + + o Major bugfixes (heartbeat): + - Fix a regression that would crash Tor when the periodic + "heartbeat" log messages were disabled. Fixes bug 19454; bugfix on + 0.2.8.1-alpha. Reported by "kubaku". + + o Minor features (build): + - Tor now again builds with the recent OpenSSL 1.1 development + branch (tested against 1.1.0-pre6-dev). Closes ticket 19499. + - When building manual pages, set the timezone to "UTC", so that the + output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha. + Patch from intrigeri. + + o Minor bugfixes (fallback directory selection): + - Avoid errors during fallback selection if there are no eligible + fallbacks. Fixes bug 19480; bugfix on 0.2.8.3-alpha. Patch + by teor. + + o Minor bugfixes (IPv6, microdescriptors): + - Don't check node addresses when we only have a routerstatus. This + allows IPv6-only clients to bootstrap by fetching microdescriptors + from fallback directory mirrors. (The microdescriptor consensus + has no IPv6 addresses in it.) Fixes bug 19608; bugfix + on 0.2.8.2-alpha. + + o Minor bugfixes (logging): + - Reduce pointlessly verbose log messages when directory servers + can't be found. Fixes bug 18849; bugfix on 0.2.8.3-alpha and + 0.2.8.1-alpha. Patch by teor. + - When a fallback directory changes its fingerprint from the hard- + coded fingerprint, log a less severe, more explanatory log + message. Fixes bug 18812; bugfix on 0.2.8.1-alpha. Patch by teor. + + o Minor bugfixes (Linux seccomp2 sandboxing): + - Allow statistics to be written to disk when "Sandbox 1" is + enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and + 0.2.6.1-alpha respectively. + + o Minor bugfixes (user interface): + - Remove a warning message "Service [scrubbed] not found after + descriptor upload". This message appears when one uses HSPOST + control command to upload a service descriptor. Since there is + only a descriptor and no service, showing this message is + pointless and confusing. Fixes bug 19464; bugfix on 0.2.7.2-alpha. + + o Fallback directory list: + - Add a comment to the generated fallback directory list that + explains how to comment out unsuitable fallbacks in a way that's + compatible with the stem fallback parser. + - Update fallback whitelist and blacklist based on relay operator + emails. Blacklist unsuitable (non-working, over-volatile) + fallbacks. Resolves ticket 19071. Patch by teor. + - Update hard-coded fallback list to remove unsuitable fallbacks. + Resolves ticket 19071. Patch by teor. + + +Changes in version 0.2.8.4-rc - 2016-06-15 + Tor 0.2.8.4-rc is the first release candidate in the Tor 0.2.8 series. + If we find no new bugs or regressions here, the first stable 0.2.8 + release will be identical to it. It has a few small bugfixes against + previous versions. + + o Major bugfixes (user interface): + - Correctly give a warning in the cases where a relay is specified + by nickname, and one such relay is found, but it is not officially + Named. Fixes bug 19203; bugfix on 0.2.3.1-alpha. + + o Minor features (build): + - Tor now builds once again with the recent OpenSSL 1.1 development + branch (tested against 1.1.0-pre5 and 1.1.0-pre6-dev). + + o Minor features (geoip): + - Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation): + - Cause the unit tests to compile correctly on mingw64 versions that + lack sscanf. Fixes bug 19213; bugfix on 0.2.7.1-alpha. + + o Minor bugfixes (downloading): + - Predict more correctly whether we'll be downloading over HTTP when + we determine the maximum length of a URL. This should avoid a + "BUG" warning about the Squid HTTP proxy and its URL limits. Fixes + bug 19191. + + +Changes in version 0.2.8.3-alpha - 2016-05-26 + Tor 0.2.8.3-alpha resolves several bugs, most of them introduced over + the course of the 0.2.8 development cycle. It improves the behavior of + directory clients, fixes several crash bugs, fixes a gap in compiler + hardening, and allows the full integration test suite to run on + more platforms. + + o Major bugfixes (security, client, DNS proxy): + - Stop a crash that could occur when a client running with DNSPort + received a query with multiple address types, and the first + address type was not supported. Found and fixed by Scott Dial. + Fixes bug 18710; bugfix on 0.2.5.4-alpha. + + o Major bugfixes (security, compilation): + - Correctly detect compiler flags on systems where _FORTIFY_SOURCE + is predefined. Previously, our use of -D_FORTIFY_SOURCE would + cause a compiler warning, thereby making other checks fail, and + needlessly disabling compiler-hardening support. Fixes one case of + bug 18841; bugfix on 0.2.3.17-beta. Patch from "trudokal". + + o Major bugfixes (security, directory authorities): + - Fix a crash and out-of-bounds write during authority voting, when + the list of relays includes duplicate ed25519 identity keys. Fixes + bug 19032; bugfix on 0.2.8.2-alpha. + + o Major bugfixes (client, bootstrapping): + - Check if bootstrap consensus downloads are still needed when the + linked connection attaches. This prevents tor making unnecessary + begindir-style connections, which are the only directory + connections tor clients make since the fix for 18483 was merged. + - Fix some edge cases where consensus download connections may not + have been closed, even though they were not needed. Related to fix + for 18809. + - Make relays retry consensus downloads the correct number of times, + rather than the more aggressive client retry count. Fixes part of + ticket 18809. + - Stop downloading consensuses when we have a consensus, even if we + don't have all the certificates for it yet. Fixes bug 18809; + bugfix on 0.2.8.1-alpha. Patches by arma and teor. + + o Major bugfixes (directory mirrors): + - Decide whether to advertise begindir support in the the same way + we decide whether to advertise our DirPort. Allowing these + decisions to become out-of-sync led to surprising behavior like + advertising begindir support when hibernation made us not + advertise a DirPort. Resolves bug 18616; bugfix on 0.2.8.1-alpha. + Patch by teor. + + o Major bugfixes (IPv6 bridges, client): + - Actually use IPv6 addresses when selecting directory addresses for + IPv6 bridges. Fixes bug 18921; bugfix on 0.2.8.1-alpha. Patch + by teor. + + o Major bugfixes (key management): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (testing): + - Fix a bug that would block 'make test-network-all' on systems where + IPv6 packets were lost. Fixes bug 19008; bugfix on 0.2.7.3-rc. + - Avoid "WSANOTINITIALISED" warnings in the unit tests. Fixes bug 18668; + bugfix on 0.2.8.1-alpha. + + o Minor features (clients): + - Make clients, onion services, and bridge relays always use an + encrypted begindir connection for directory requests. Resolves + ticket 18483. Patch by teor. + + o Minor features (fallback directory mirrors): + - Give each fallback the same weight for client selection; restrict + fallbacks to one per operator; report fallback directory detail + changes when rebuilding list; add new fallback directory mirrors + to the whitelist; update fallback directories based on the latest + OnionOO data; and any other minor simplifications and fixes. + Closes tasks 17158, 17905, 18749, bug 18689, and fixes part of bug + 18812 on 0.2.8.1-alpha; patch by teor. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (assert, portability): + - Fix an assertion failure in memarea.c on systems where "long" is + shorter than the size of a pointer. Fixes bug 18716; bugfix + on 0.2.1.1-alpha. + + o Minor bugfixes (bootstrap): + - Consistently use the consensus download schedule for authority + certificates. Fixes bug 18816; bugfix on 0.2.4.13-alpha. + + o Minor bugfixes (build): + - Remove a pair of redundant AM_CONDITIONAL declarations from + configure.ac. Fixes one final case of bug 17744; bugfix + on 0.2.8.2-alpha. + - Resolve warnings when building on systems that are concerned with + signed char. Fixes bug 18728; bugfix on 0.2.7.2-alpha + and 0.2.6.1-alpha. + - When libscrypt.h is found, but no libscrypt library can be linked, + treat libscrypt as absent. Fixes bug 19161; bugfix + on 0.2.6.1-alpha. + + o Minor bugfixes (client): + - Turn all TestingClientBootstrap* into non-testing torrc options. + This changes simply renames them by removing "Testing" in front of + them and they do not require TestingTorNetwork to be enabled + anymore. Fixes bug 18481; bugfix on 0.2.8.1-alpha. + - Make directory node selection more reliable, mainly for IPv6-only + clients and clients with few reachable addresses. Fixes bug 18929; + bugfix on 0.2.8.1-alpha. Patch by teor. + + o Minor bugfixes (controller, microdescriptors): + - Make GETINFO dir/status-vote/current/consensus conform to the + control specification by returning "551 Could not open cached + consensus..." when not caching consensuses. Fixes bug 18920; + bugfix on 0.2.2.6-alpha. + + o Minor bugfixes (crypto, portability): + - The SHA3 and SHAKE routines now produce the correct output on Big + Endian systems. No code calls either algorithm yet, so this is + primarily a build fix. Fixes bug 18943; bugfix on 0.2.8.1-alpha. + - Tor now builds again with the recent OpenSSL 1.1 development + branch (tested against 1.1.0-pre4 and 1.1.0-pre5-dev). Closes + ticket 18286. + + o Minor bugfixes (directories): + - When fetching extrainfo documents, compare their SHA256 digests + and Ed25519 signing key certificates with the routerinfo that led + us to fetch them, rather than with the most recent routerinfo. + Otherwise we generate many spurious warnings about mismatches. + Fixes bug 17150; bugfix on 0.2.7.2-alpha. + + o Minor bugfixes (logging): + - When we can't generate a signing key because OfflineMasterKey is + set, do not imply that we should have been able to load it. Fixes + bug 18133; bugfix on 0.2.7.2-alpha. + - Stop periodic_event_dispatch() from blasting twelve lines per + second at loglevel debug. Fixes bug 18729; fix on 0.2.8.1-alpha. + - When rejecting a misformed INTRODUCE2 cell, only log at + PROTOCOL_WARN severity. Fixes bug 18761; bugfix on 0.2.8.2-alpha. + + o Minor bugfixes (pluggable transports): + - Avoid reporting a spurious error when we decide that we don't need + to terminate a pluggable transport because it has already exited. + Fixes bug 18686; bugfix on 0.2.5.5-alpha. + + o Minor bugfixes (pointer arithmetic): + - Fix a bug in memarea_alloc() that could have resulted in remote + heap write access, if Tor had ever passed an unchecked size to + memarea_alloc(). Fortunately, all the sizes we pass to + memarea_alloc() are pre-checked to be less than 128 kilobytes. + Fixes bug 19150; bugfix on 0.2.1.1-alpha. Bug found by + Guido Vranken. + + o Minor bugfixes (relays): + - Consider more config options when relays decide whether to + regenerate their descriptor. Fixes more of bug 12538; bugfix + on 0.2.8.1-alpha. + - Resolve some edge cases where we might launch an ORPort + reachability check even when DisableNetwork is set. Noticed while + fixing bug 18616; bugfix on 0.2.3.9-alpha. + + o Minor bugfixes (statistics): + - We now include consensus downloads via IPv6 in our directory- + request statistics. Fixes bug 18460; bugfix on 0.2.3.14-alpha. + + o Minor bugfixes (testing): + - Allow directories in small networks to bootstrap by skipping + DirPort checks when the consensus has no exits. Fixes bug 19003; + bugfix on 0.2.8.1-alpha. Patch by teor. + - Fix a small memory leak that would occur when the + TestingEnableCellStatsEvent option was turned on. Fixes bug 18673; + bugfix on 0.2.5.2-alpha. + + o Minor bugfixes (time handling): + - When correcting a corrupt 'struct tm' value, fill in the tm_wday + field. Otherwise, our unit tests crash on Windows. Fixes bug + 18977; bugfix on 0.2.2.25-alpha. + + o Documentation: + - Document the contents of the 'datadir/keys' subdirectory in the + manual page. Closes ticket 17621. + - Stop recommending use of nicknames to identify relays in our + MapAddress documentation. Closes ticket 18312. + + Changes in version 0.2.8.2-alpha - 2016-03-28 Tor 0.2.8.2-alpha is the second alpha in its series. It fixes numerous bugs in earlier versions of Tor, including some that prevented @@ -330,14 +1011,14 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 reduces failures when authorities or fallback directories are slow or down. Together with the code for feature 15775, this feature should reduces failures due to fallback churn. Implements ticket - 4483. Patch by "teor". Implements IPv4 portions of proposal 210 by - "mikeperry" and "teor". + 4483. Patch by teor. Implements IPv4 portions of proposal 210 by + mikeperry and teor. - Include a trial list of default fallback directories, based on an opt-in survey of suitable relays. Doing this should make clients bootstrap more quickly and reliably, and reduce the load on the - directory authorities. Closes ticket 15775. Patch by "teor". - Candidates identified using an OnionOO script by "weasel", "teor", - "gsathya", and "karsten". + directory authorities. Closes ticket 15775. Patch by teor. + Candidates identified using an OnionOO script by weasel, teor, + gsathya, and karsten. - Previously only relays that explicitly opened a directory port (DirPort) accepted directory requests from clients. Now all relays, with and without a DirPort, accept and serve tunneled @@ -348,20 +1029,20 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 o Major key updates: - Update the V3 identity key for the dannenberg directory authority: it was changed on 18 November 2015. Closes task 17906. Patch - by "teor". + by teor. o Minor features (security, clock): - Warn when the system clock appears to move back in time (when the state file was last written in the future). Tor doesn't know that consensuses have expired if the clock is in the past. Patch by - "teor". Implements ticket 17188. + teor. Implements ticket 17188. o Minor features (security, exit policies): - ExitPolicyRejectPrivate now rejects more private addresses by default. Specifically, it now rejects the relay's outbound bind addresses (if configured), and the relay's configured port addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on - 0.2.0.11-alpha. Patch by "teor". + 0.2.0.11-alpha. Patch by teor. o Minor features (security, memory erasure): - Set the unused entries in a smartlist to NULL. This helped catch @@ -375,8 +1056,8 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 from <logan@hackers.mu> and <selven@hackers.mu>. - Make memwipe() do nothing when passed a NULL pointer or buffer of zero size. Check size argument to memwipe() for underflow. Fixes - bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", - patch by "teor". + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by gk, + patch by teor. o Minor features (security, RNG): - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely, @@ -432,10 +1113,10 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 - Wait for busy authorities and fallback directories to become non- busy when bootstrapping. (A similar change was made in 6c443e987d for directory caches chosen from the consensus.) Closes ticket - 17864; patch by "teor". + 17864; patch by teor. - Add UseDefaultFallbackDirs, which enables any hard-coded fallback directory mirrors. The default is 1; set it to 0 to disable - fallbacks. Implements ticket 17576. Patch by "teor". + fallbacks. Implements ticket 17576. Patch by teor. o Minor features (geoip): - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2 @@ -446,18 +1127,18 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 FallbackDir torrc options, to specify an IPv6 address for an authority or fallback directory. Add hard-coded ipv6 addresses for directory authorities that have them. Closes ticket 17327; patch - from Nick Mathewson and "teor". + from Nick Mathewson and teor. - Add address policy assume_action support for IPv6 addresses. - Limit IPv6 mask bits to 128. - Warn when comparing against an AF_UNSPEC address in a policy, it's - almost always a bug. Closes ticket 17863; patch by "teor". + almost always a bug. Closes ticket 17863; patch by teor. - Allow users to configure directory authorities and fallback directory servers with IPv6 addresses and ORPorts. Resolves ticket 6027. - routerset_parse now accepts IPv6 literal addresses. Fixes bug - 17060; bugfix on 0.2.1.3-alpha. Patch by "teor". + 17060; bugfix on 0.2.1.3-alpha. Patch by teor. - Make tor_ersatz_socketpair work on IPv6-only systems. Fixes bug - 17638; bugfix on 0.0.2pre8. Patch by "teor". + 17638; bugfix on 0.0.2pre8. Patch by teor. o Minor features (logging): - When logging to syslog, allow a tag to be added to the syslog @@ -484,7 +1165,7 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 o Minor features (replay cache): - The replay cache now uses SHA256 instead of SHA1. Implements - feature 8961. Patch by "teor", issue reported by "rransom". + feature 8961. Patch by teor, issue reported by rransom. o Minor features (unix file permissions): - Defer creation of Unix sockets until after setuid. This avoids @@ -525,8 +1206,6 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 17819; bugfix on 0.2.6.3-alpha. - Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix on 0.2.5.2-alpha. - - Fix compilation of sandbox.c with musl-libc. Fixes bug 17347; - bugfix on 0.2.5.1-alpha. Patch from 'jamestk'. - Fix search for libevent libraries on OpenBSD (and other systems that install libevent 1 and libevent 2 in parallel). Fixes bug 16651; bugfix on 0.1.0.7-rc. Patch from "rubiate". @@ -539,12 +1218,12 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 o Minor bugfixes (crypto): - Check the return value of HMAC() and assert on failure. Fixes bug - 17658; bugfix on 0.2.3.6-alpha. Patch by "teor". + 17658; bugfix on 0.2.3.6-alpha. Patch by teor. o Minor bugfixes (fallback directories): - Mark fallbacks as "too busy" when they return a 503 response, rather than just marking authorities. Fixes bug 17572; bugfix on - 0.2.4.7-alpha. Patch by "teor". + 0.2.4.7-alpha. Patch by teor. o Minor bugfixes (IPv6): - Update the limits in max_dl_per_request for IPv6 address length. @@ -573,13 +1252,13 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 before publishing a relay descriptor. Otherwise, relays publish a descriptor with DirPort 0 when the DirPort reachability test takes longer than the ORPort reachability test. Fixes bug 18050; bugfix - on 0.1.0.1-rc. Reported by "starlight", patch by "teor". + on 0.1.0.1-rc. Reported by "starlight", patch by teor. o Minor bugfixes (relays, hidden services): - Refuse connection requests to private OR addresses unless ExtendAllowPrivateAddresses is set. Previously, tor would connect, then refuse to send any cells to a private address. Fixes bugs - 17674 and 8976; bugfix on 0.2.3.21-rc. Patch by "teor". + 17674 and 8976; bugfix on 0.2.3.21-rc. Patch by teor. o Minor bugfixes (safe logging): - When logging a malformed hostname received through socks4, scrub @@ -604,11 +1283,11 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 18039; bugfix on 0.2.5.4-alpha. - Make unit tests pass on IPv6-only systems, and systems without localhost addresses (like some FreeBSD jails). Fixes bug 17632; - bugfix on 0.2.7.3-rc. Patch by "teor". + bugfix on 0.2.7.3-rc. Patch by teor. - Fix a memory leak in the ntor test. Fixes bug 17778; bugfix on 0.2.4.8-alpha. - Check the full results of SHA256 and SHA512 digests in the unit - tests. Bugfix on 0.2.2.4-alpha. Patch by "teor". + tests. Bugfix on 0.2.2.4-alpha. Patch by teor. o Code simplification and refactoring: - Move logging of redundant policy entries in @@ -655,9 +1334,9 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 o Testing: - Add unit tests to check for common RNG failure modes, such as returning all zeroes, identical values, or incrementing values - (OpenSSL's rand_predictable feature). Patch by "teor". + (OpenSSL's rand_predictable feature). Patch by teor. - Log more information when the backtrace tests fail. Closes ticket - 17892. Patch from "cypherpunks." + 17892. Patch from "cypherpunks". - Always test both ed25519 backends, so that we can be sure that our batch-open replacement code works. Part of ticket 16794. - Cover dns_resolve_impl() in dns.c with unit tests. Implements a @@ -771,7 +1450,7 @@ Changes in version 0.2.7.4-rc - 2015-10-21 - Fix an integer overflow warning in test_crypto_slow.c. Fixes bug 17251; bugfix on 0.2.7.2-alpha. - Fix compilation of sandbox.c with musl-libc. Fixes bug 17347; - bugfix on 0.2.5.1-alpha. Patch from 'jamestk'. + bugfix on 0.2.5.1-alpha. Patch from "jamestk". o Minor bugfixes (portability): - Use libexecinfo on FreeBSD to enable backtrace support. Fixes @@ -791,7 +1470,7 @@ Changes in version 0.2.7.4-rc - 2015-10-21 - Make the get_ifaddrs_* unit tests more tolerant of different network configurations. (Don't assume every test box has an IPv4 address, and don't assume every test box has a non-localhost - address.) Fixes bug 17255; bugfix on 0.2.7.3-rc. Patch by "teor". + address.) Fixes bug 17255; bugfix on 0.2.7.3-rc. Patch by teor. - Skip backtrace tests when backtrace support is not compiled in. Fixes part of bug 17151; bugfix on 0.2.7.1-alpha. Patch from Marcin Cieślak. @@ -841,7 +1520,7 @@ Changes in version 0.2.7.3-rc - 2015-09-25 o Major features (performance testing): - The test-network.sh script now supports performance testing. Requires corresponding chutney performance testing changes. Patch - by "teor". Closes ticket 14175. + by teor. Closes ticket 14175. o Major features (relay, Ed25519): - Significant usability improvements for Ed25519 key management. Log @@ -902,18 +1581,18 @@ Changes in version 0.2.7.3-rc - 2015-09-25 o Minor features (testing, authorities, documentation): - New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to explicitly manage consensus flags in testing networks. Patch by - "robgjansen", modified by "teor". Implements part of ticket 14882. + robgjansen, modified by teor. Implements part of ticket 14882. o Minor bugfixes (security, exit policies): - ExitPolicyRejectPrivate now also rejects the relay's published IPv6 address (if any), and any publicly routable IPv4 or IPv6 - addresses on any local interfaces. ticket 17027. Patch by "teor". + addresses on any local interfaces. ticket 17027. Patch by teor. Fixes bug 17027; bugfix on 0.2.0.11-alpha. o Minor bug fixes (torrc exit policies): - In torrc, "accept6 *" and "reject6 *" ExitPolicy lines now only produce IPv6 wildcard addresses. Previously they would produce - both IPv4 and IPv6 wildcard addresses. Patch by "teor". Fixes part + both IPv4 and IPv6 wildcard addresses. Patch by teor. Fixes part of bug 16069; bugfix on 0.2.4.7-alpha. - When parsing torrc ExitPolicies, we now warn for a number of cases where the user's intent is likely to differ from Tor's actual @@ -925,7 +1604,7 @@ Changes in version 0.2.7.3-rc - 2015-09-25 message when expanding an "accept/reject *" line to include both IPv4 and IPv6 wildcard addresses. Related to ticket 16069. - In each instance above, usage advice is provided to avoid the - message. Resolves ticket 16069. Patch by "teor". Fixes part of bug + message. Resolves ticket 16069. Patch by teor. Fixes part of bug 16069; bugfix on 0.2.4.7-alpha. o Minor bugfixes (authority): @@ -959,7 +1638,7 @@ Changes in version 0.2.7.3-rc - 2015-09-25 required "ORPort connectivity". While this is true, it is in no way unique to the HSDir flag. Of all the flags, only HSDirs need a DirPort configured in order for the authorities to assign that - particular flag. Patch by "teor". Fixed as part of 14882; bugfix + particular flag. Patch by teor. Fixed as part of 14882; bugfix on 0.2.6.3-alpha. o Minor bugfixes (Ed25519): @@ -1054,10 +1733,10 @@ Changes in version 0.2.7.3-rc - 2015-09-25 tor functionality during make test-network, while allowing tests to succeed on non-IPv6 systems. Requires chutney commit 396da92 in test-network-bridges-hs. Closes tickets 16945 (tor) and 16946 - (chutney). Patches by "teor". + (chutney). Patches by teor. - Autodetect CHUTNEY_PATH if the chutney and Tor sources are side- by-side in the same parent directory. Closes ticket 16903. Patch - by "teor". + by teor. - Use environment variables rather than autoconf substitutions to send variables from the build system to the test scripts. This change should be easier to maintain, and cause 'make distcheck' to @@ -1071,7 +1750,7 @@ Changes in version 0.2.7.3-rc - 2015-09-25 - Make the test-workqueue test work on Windows by initializing the network before we begin. - New make target (make test-network-all) to run multiple applicable - chutney test cases. Patch from Teor; closes 16953. + chutney test cases. Patch from teor; closes 16953. - Unit test dns_resolve(), dns_clip_ttl() and dns_get_expiry_ttl() functions in dns.c. Implements a portion of ticket 16831. - When building Tor with testing coverage enabled, run Chutney tests @@ -1245,7 +1924,7 @@ Changes in version 0.2.7.2-alpha - 2015-07-27 A previous typo meant that we could keep going with an uninitialized crypto library, and would have OpenSSL initialize its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced - when implementing ticket 4900. Patch by "teor". + when implementing ticket 4900. Patch by teor. o Minor bugfixes (hidden services): - Fix a crash when reloading configuration while at least one @@ -1257,12 +1936,12 @@ Changes in version 0.2.7.2-alpha - 2015-07-27 o Minor bugfixes (Linux seccomp2 sandbox): - Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is - defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha. + defined. Patch by teor. Fixes bug 16515; bugfix on 0.2.3.1-alpha. o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10): - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need these when eventfd2() support is missing. Fixes bug 16363; bugfix - on 0.2.6.3-alpha. Patch from "teor". + on 0.2.6.3-alpha. Patch from teor. o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.9): - Fix sandboxing to work when running as a relay, by allowing the @@ -1295,13 +1974,13 @@ Changes in version 0.2.7.2-alpha - 2015-07-27 o Minor bugfixes (threads, comments): - Always initialize return value in compute_desc_id in rendcommon.c - Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha. - - Check for NULL values in getinfo_helper_onions(). Patch by "teor". + Patch by teor. Fixes part of bug 16115; bugfix on 0.2.7.1-alpha. + - Check for NULL values in getinfo_helper_onions(). Patch by teor. Fixes part of bug 16115; bugfix on 0.2.7.1-alpha. - Remove undefined directive-in-macro in test_util_writepid clang 3.7 complains that using a preprocessor directive inside a macro invocation in test_util_writepid in test_util.c is undefined. - Patch by "teor". Fixes part of bug 16115; bugfix on 0.2.7.1-alpha. + Patch by teor. Fixes part of bug 16115; bugfix on 0.2.7.1-alpha. o Code simplification and refactoring: - Define WINVER and _WIN32_WINNT centrally, in orconfig.h, in order @@ -1343,7 +2022,7 @@ Changes in version 0.2.7.2-alpha - 2015-07-27 o Testing: - Document use of coverity, clang static analyzer, and clang dynamic undefined behavior and address sanitizers in doc/HACKING. Include - detailed usage instructions in the blacklist. Patch by "teor". + detailed usage instructions in the blacklist. Patch by teor. Closes ticket 15817. - The link authentication protocol code now has extensive tests. - The relay descriptor signature testing code now has @@ -1393,12 +2072,12 @@ Changes in version 0.2.6.10 - 2015-07-12 A previous typo meant that we could keep going with an uninitialized crypto library, and would have OpenSSL initialize its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced - when implementing ticket 4900. Patch by "teor". + when implementing ticket 4900. Patch by teor. o Minor bugfixes (Linux seccomp2 sandbox): - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need these when eventfd2() support is missing. Fixes bug 16363; bugfix - on 0.2.6.3-alpha. Patch from "teor". + on 0.2.6.3-alpha. Patch from teor. Changes in version 0.2.6.9 - 2015-06-11 @@ -1484,7 +2163,7 @@ Changes in version 0.2.7.1-alpha - 2015-05-12 - New HSFETCH command to launch a request for a hidden service descriptor. Closes ticket 14847. - New HSPOST command to upload a hidden service descriptor. Closes - ticket 3523. Patch by "DonnchaC". + ticket 3523. Patch by Donncha. o Major bugfixes (hidden services): - Revert commit that made directory authorities assign the HSDir @@ -1557,7 +2236,7 @@ Changes in version 0.2.7.1-alpha - 2015-05-12 - Add unit tests for control_event_is_interesting(). Add a compile- time check that the number of events doesn't exceed the capacity of control_event_t.event_mask. Closes ticket 15431, checks for - bugs similar to 13085. Patch by "teor". + bugs similar to 13085. Patch by teor. - Command-line argument tests moved to Stem. Resolves ticket 14806. - Integrate the ntor, backtrace, and zero-length keys tests into the automake test suite. Closes ticket 15344. @@ -1586,7 +2265,7 @@ Changes in version 0.2.7.1-alpha - 2015-05-12 currently empty, this fix will only change tor's behavior when it has default fallback directories. Includes unit tests for consider_adding_dir_servers(). Fixes bug 15642; bugfix on - 90f6071d8dc0 in 0.2.4.7-alpha. Patch by "teor". + 90f6071d8dc0 in 0.2.4.7-alpha. Patch by teor. o Minor bugfixes (correctness): - For correctness, avoid modifying a constant string in @@ -1634,7 +2313,7 @@ Changes in version 0.2.7.1-alpha - 2015-05-12 previous fix used TestingTorNetwork, which implies ExtendAllowPrivateAddresses, but this excluded rare configurations where ExtendAllowPrivateAddresses is set but TestingTorNetwork is - not. Fixes bug 15771; bugfix on 0.2.6.1-alpha. Patch by "teor", + not. Fixes bug 15771; bugfix on 0.2.6.1-alpha. Patch by teor, issue discovered by CJ Ess. o Minor bugfixes (testing): @@ -1837,7 +2516,7 @@ Changes in version 0.2.5.11 - 2015-03-17 - Fix a bug that could lead to a relay crashing with an assertion failure if a buffer of exactly the wrong layout was passed to buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on - 0.2.0.10-alpha. Patch from 'cypherpunks'. + 0.2.0.10-alpha. Patch from "cypherpunks". - Do not assert if the 'data' pointer on a buffer is advanced to the very end of the buffer; log a BUG message instead. Only assert if it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. @@ -1865,7 +2544,7 @@ Changes in version 0.2.5.11 - 2015-03-17 o Minor bugfixes (client, automapping): - Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when no value follows the option. Fixes bug 14142; bugfix on - 0.2.4.7-alpha. Patch by "teor". + 0.2.4.7-alpha. Patch by teor. - Fix a memory leak when using AutomapHostsOnResolve. Fixes bug 14195; bugfix on 0.1.0.1-rc. @@ -1916,7 +2595,7 @@ Changes in version 0.2.4.26 - 2015-03-17 - Fix a bug that could lead to a relay crashing with an assertion failure if a buffer of exactly the wrong layout was passed to buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on - 0.2.0.10-alpha. Patch from 'cypherpunks'. + 0.2.0.10-alpha. Patch from "cypherpunks". - Do not assert if the 'data' pointer on a buffer is advanced to the very end of the buffer; log a BUG message instead. Only assert if it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha. @@ -2174,12 +2853,12 @@ Changes in version 0.2.6.3-alpha - 2015-02-19 keep the default on a testing network at 30 seconds. This reduces HS bootstrap time to around 25 seconds. Also, change the default time in test-network.sh to match. Closes ticket 13401. Patch - by "teor". + by teor. - Create TestingDirAuthVoteHSDir to correspond to TestingDirAuthVoteExit/Guard. Ensures that authorities vote the HSDir flag for the listed relays regardless of uptime or ORPort connectivity. Respects the value of VoteOnHidServDirectoriesV2. - Partial implementation for ticket 14067. Patch by "teor". + Partial implementation for ticket 14067. Patch by teor. o Minor features (tor2web mode): - Introduce the config option Tor2webRendezvousPoints, which allows @@ -2199,7 +2878,7 @@ Changes in version 0.2.6.3-alpha - 2015-02-19 o Minor bugfixes (client, automapping): - Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when no value follows the option. Fixes bug 14142; bugfix on - 0.2.4.7-alpha. Patch by "teor". + 0.2.4.7-alpha. Patch by teor. - Fix a memory leak when using AutomapHostsOnResolve. Fixes bug 14195; bugfix on 0.1.0.1-rc. - Prevent changes to other options from removing the wildcard value @@ -2267,7 +2946,7 @@ Changes in version 0.2.6.3-alpha - 2015-02-19 o Minor bugfixes (file handling): - Stop failing when key files are zero-length. Instead, generate new keys, and overwrite the empty key files. Fixes bug 13111; bugfix - on all versions of Tor. Patch by "teor". + on all versions of Tor. Patch by teor. - Stop generating a fresh .old RSA onion key file when the .old file is missing. Fixes part of 13111; bugfix on 0.0.6rc1. - Avoid overwriting .old key files with empty key files. @@ -2408,7 +3087,7 @@ Changes in version 0.2.6.3-alpha - 2015-02-19 - Test that tor generates new keys when keys are missing (existing behavior). - Test that tor does not overwrite key files that already contain - data (existing behavior). Tests bug 13111. Patch by "teor". + data (existing behavior). Tests bug 13111. Patch by teor. - New "make test-stem" target to run stem integration tests. Requires that the "STEM_SOURCE_DIR" environment variable be set. Closes ticket 14107. @@ -2431,7 +3110,7 @@ Changes in version 0.2.6.2-alpha - 2014-12-31 This release contains many new unit tests, along with major performance improvements for running testing networks using Chutney. - Thanks to a series of patches contributed by "teor", testing networks + Thanks to a series of patches contributed by teor, testing networks should now bootstrap in seconds, rather than minutes. o Major features (relay, infrastructure): @@ -2516,7 +3195,7 @@ Changes in version 0.2.6.2-alpha - 2014-12-31 feature 13212. - New HiddenServiceDirGroupReadable option to cause hidden service directories and hostname files to be created group-readable. Patch - from "anon", David Stainton, and "meejah". Closes ticket 11291. + from "anon", David Stainton, and meejah. Closes ticket 11291. o Minor features (systemd): - Where supported, when running with systemd, report successful @@ -2605,27 +3284,27 @@ Changes in version 0.2.6.2-alpha - 2014-12-31 network), allow Tor to build circuits once enough descriptors have been downloaded. This assists in bootstrapping a testing Tor network. Fixes bug 13718; bugfix on 0.2.4.10-alpha. Patch - by "teor". + by teor. - When V3AuthVotingInterval is low, give a lower If-Modified-Since header to directory servers. This allows us to obtain consensuses promptly when the consensus interval is very short. This assists in bootstrapping a testing Tor network. Fixes parts of bugs 13718 - and 13963; bugfix on 0.2.0.3-alpha. Patch by "teor". + and 13963; bugfix on 0.2.0.3-alpha. Patch by teor. - Stop assuming that private addresses are local when checking reachability in a TestingTorNetwork. Instead, when testing, assume all OR connections are remote. (This is necessary due to many test scenarios running all relays on localhost.) This assists in bootstrapping a testing Tor network. Fixes bug 13924; bugfix on - 0.1.0.1-rc. Patch by "teor". + 0.1.0.1-rc. Patch by teor. - Avoid building exit circuits from a consensus with no exits. Now thanks to our fix for 13718, we accept a no-exit network as not wholly lost, but we need to remember not to try to build exit - circuits on it. Closes ticket 13814; patch by "teor". + circuits on it. Closes ticket 13814; patch by teor. - Stop requiring exits to have non-zero bandwithcapacity in a TestingTorNetwork. Instead, when TestingMinExitFlagThreshold is 0, ignore exit bandwidthcapacity. This assists in bootstrapping a testing Tor network. Fixes parts of bugs 13718 and 13839; bugfix - on 0.2.0.3-alpha. Patch by "teor". + on 0.2.0.3-alpha. Patch by teor. - Add "internal" to some bootstrap statuses when no exits are available. If the consensus does not contain Exits, Tor will only build internal circuits. In this case, relevant statuses will @@ -2633,17 +3312,17 @@ Changes in version 0.2.6.2-alpha - 2014-12-31 spec.txt. When bootstrap completes, Tor will be ready to build internal circuits. If a future consensus contains Exits, exit circuits may become available. Fixes part of bug 13718; bugfix on - 0.2.4.10-alpha. Patch by "teor". + 0.2.4.10-alpha. Patch by teor. - Decrease minimum consensus interval to 10 seconds when TestingTorNetwork is set, or 5 seconds for the first consensus. Fix assumptions throughout the code that assume larger intervals. Fixes bugs 13718 and 13823; bugfix on 0.2.0.3-alpha. Patch - by "teor". + by teor. - Avoid excluding guards from path building in minimal test networks, when we're in a test network and excluding guards would exclude all relays. This typically occurs in incredibly small tor networks, and those using "TestingAuthVoteGuard *". Fixes part of - bug 13718; bugfix on 0.1.1.11-alpha. Patch by "teor". + bug 13718; bugfix on 0.1.1.11-alpha. Patch by teor. o Code simplification and refactoring: - Stop using can_complete_circuits as a global variable; access it @@ -2854,7 +3533,7 @@ Changes in version 0.2.6.1-alpha - 2014-10-30 o Minor bugfixes (C correctness): - Fix several instances of possible integer overflow/underflow/NaN. Fixes bug 13104; bugfix on 0.2.3.1-alpha and later. Patches - from "teor". + from teor. - In circuit_build_times_calculate_timeout() in circuitstats.c, avoid dividing by zero in the pareto calculations. This traps under clang's "undefined-trap" sanitizer. Fixes bug 13290; bugfix @@ -3245,14 +3924,14 @@ Changes in version 0.2.5.7-rc - 2014-09-11 recognize, log its command as an integer. Fixes part of bug 12700; bugfix on 0.2.1.10-alpha. - Escape all strings from the directory connection before logging - them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor". + them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from teor. o Minor bugfixes (controller): - Restore the functionality of CookieAuthFileGroupReadable. Fixes bug 12864; bugfix on 0.2.5.1-alpha. - Actually send TRANSPORT_LAUNCHED and HS_DESC events to controllers. Fixes bug 13085; bugfix on 0.2.5.1-alpha. Patch - by "teor". + by teor. o Minor bugfixes (compilation): - Fix compilation of test.h with MSVC. Patch from Gisle Vanem; @@ -3261,10 +3940,10 @@ Changes in version 0.2.5.7-rc - 2014-09-11 0.2.5.1-alpha. Patch from "NewEraCracker". - In routerlist_assert_ok(), don't take the address of a routerinfo's cache_info member unless that routerinfo is non-NULL. - Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor". + Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by teor. - Fix a large number of false positive warnings from the clang analyzer static analysis tool. This should make real warnings - easier for clang analyzer to find. Patch from "teor". Closes + easier for clang analyzer to find. Patch from teor. Closes ticket 13036. o Distribution (systemd): @@ -3730,7 +4409,7 @@ Changes in version 0.2.4.22 - 2014-05-16 acceptable strength and forward secrecy. Previously, we had left some perfectly fine ciphersuites unsupported due to omission or typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by - 'cypherpunks'. Bugfix on 0.2.4.8-alpha. + "cypherpunks". Bugfix on 0.2.4.8-alpha. - Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others. (Thanks to bug 11513, the relay list is now well-considered, whereas the client @@ -3850,7 +4529,7 @@ Changes in version 0.2.5.4-alpha - 2014-04-25 acceptable strength and forward secrecy. Previously, we had left some perfectly fine ciphersuites unsupported due to omission or typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by - 'cypherpunks'. Bugfix on 0.2.4.8-alpha. + "cypherpunks". Bugfix on 0.2.4.8-alpha. - Relays now trust themselves to have a better view than clients of which TLS ciphersuites are better than others. (Thanks to bug 11513, the relay list is now well-considered, whereas the client @@ -4187,7 +4866,7 @@ Changes in version 0.2.5.3-alpha - 2014-03-22 needed for platforms like 32-bit Intel where "-fomit-frame-pointer" is on by default and table generation is not. This doesn't yet add Windows support; only Linux, OSX, and some BSDs are affected. - Reported by 'cypherpunks'; fixes bug 11047; bugfix on 0.2.5.2-alpha. + Reported by "cypherpunks"; fixes bug 11047; bugfix on 0.2.5.2-alpha. - Avoid strange behavior if two threads hit failed assertions at the same time and both try to log backtraces at once. (Previously, if this had happened, both threads would have stored their intermediate |