aboutsummaryrefslogtreecommitdiff
path: root/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog711
1 files changed, 710 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 7cc4f44881..47c9881a92 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,713 @@
-Changes in version 0.3.0.4-??? - 2017-02-??
+Changes in version 0.3.0.13 - 2017-12-01
+ Tor 0.3.0.13 backports important security and stability bugfixes from
+ later Tor releases. All Tor users should upgrade to this release, or
+ to another of the releases coming out today.
+
+ Note: the Tor 0.3.0 series will no longer be supported after 26 Jan
+ 2018. If you need a release with long-term support, please stick with
+ the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
+
+ o Major bugfixes (security, backport from 0.3.2.6-alpha):
+ - Fix a denial of service bug where an attacker could use a
+ malformed directory object to cause a Tor instance to pause while
+ OpenSSL would try to read a passphrase from the terminal. (Tor
+ instances run without a terminal, which is the case for most Tor
+ packages, are not impacted.) Fixes bug 24246; bugfix on every
+ version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
+ Found by OSS-Fuzz as testcase 6360145429790720.
+ - Fix a denial of service issue where an attacker could crash a
+ directory authority using a malformed router descriptor. Fixes bug
+ 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
+ and CVE-2017-8820.
+ - When checking for replays in the INTRODUCE1 cell data for a
+ (legacy) onion service, correctly detect replays in the RSA-
+ encrypted part of the cell. We were previously checking for
+ replays on the entire cell, but those can be circumvented due to
+ the malleability of Tor's legacy hybrid encryption. This fix helps
+ prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
+ 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
+ and CVE-2017-8819.
+
+ o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
+ - Fix a use-after-free error that could crash v2 Tor onion services
+ when they failed to open circuits while expiring introduction
+ points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
+ also tracked as TROVE-2017-013 and CVE-2017-8823.
+
+ o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
+ - When running as a relay, make sure that we never build a path
+ through ourselves, even in the case where we have somehow lost the
+ version of our descriptor appearing in the consensus. Fixes part
+ of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
+ as TROVE-2017-012 and CVE-2017-8822.
+ - When running as a relay, make sure that we never choose ourselves
+ as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
+ issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
+
+ o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
+ - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
+ making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
+ 0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
+ identifying and finding a workaround to this bug and to Moritz,
+ Arthur Edelstein, and Roger for helping to track it down and
+ analyze it.
+
+ o Minor features (security, windows, backport from 0.3.1.1-alpha):
+ - Enable a couple of pieces of Windows hardening: one
+ (HeapEnableTerminationOnCorruption) that has been on-by-default
+ since Windows 8, and unavailable before Windows 7; and one
+ (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
+ affect us, but shouldn't do any harm. Closes ticket 21953.
+
+ o Minor features (bridge, backport from 0.3.1.9):
+ - Bridges now include notice in their descriptors that they are
+ bridges, and notice of their distribution status, based on their
+ publication settings. Implements ticket 18329. For more fine-
+ grained control of how a bridge is distributed, upgrade to 0.3.2.x
+ or later.
+
+ o Minor features (directory authority, backport from 0.3.2.6-alpha):
+ - Add an IPv6 address for the "bastet" directory authority. Closes
+ ticket 24394.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
+ - Avoid unnecessary calls to directory_fetches_from_authorities() on
+ relays, to prevent spurious address resolutions and descriptor
+ rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
+ bugfix on in 0.2.8.1-alpha.
+
+ o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
+ - Fix unused variable warnings in donna's Curve25519 SSE2 code.
+ Fixes bug 22895; bugfix on 0.2.7.2-alpha.
+
+ o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
+ - When a circuit is marked for close, do not attempt to package any
+ cells for channels on that circuit. Previously, we would detect
+ this condition lower in the call stack, when we noticed that the
+ circuit had no attached channel, and log an annoying message.
+ Fixes bug 8185; bugfix on 0.2.5.4-alpha.
+
+ o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
+ - Avoid a crash when transitioning from client mode to bridge mode.
+ Previously, we would launch the worker threads whenever our
+ "public server" mode changed, but not when our "server" mode
+ changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
+
+ o Minor bugfixes (testing, backport from 0.3.1.6-rc):
+ - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
+ bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.
+
+
+Changes in version 0.3.0.12 - 2017-10-25
+ Tor 0.3.0.12 backports a collection of bugfixes from later Tor release
+ series, including a bugfix for a crash issue that had affected relays
+ under memory pressure. It also adds a new directory authority, Bastet.
+
+ Note: the Tor 0.3.0 series will no longer be supported after 26 Jan
+ 2018. If you need a release with long-term support, please stick with
+ the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.
+
+ o Directory authority changes:
+ - Add "Bastet" as a ninth directory authority to the default list.
+ Closes ticket 23910.
+ - The directory authority "Longclaw" has changed its IP address.
+ Closes ticket 23592.
+
+ o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
+ - Fix a timing-based assertion failure that could occur when the
+ circuit out-of-memory handler freed a connection's output buffer.
+ Fixes bug 23690; bugfix on 0.2.6.1-alpha.
+
+ o Minor features (directory authorities, backport from 0.3.2.2-alpha):
+ - Remove longclaw's IPv6 address, as it will soon change. Authority
+ IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
+ 3/8 directory authorities with IPv6 addresses, but there are also
+ 52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (directory authority, backport from 0.3.1.5-alpha):
+ - When a directory authority rejects a descriptor or extrainfo with
+ a given digest, mark that digest as undownloadable, so that we do
+ not attempt to download it again over and over. We previously
+ tried to avoid downloading such descriptors by other means, but we
+ didn't notice if we accidentally downloaded one anyway. This
+ behavior became problematic in 0.2.7.2-alpha, when authorities
+ began pinning Ed25519 keys. Fixes bug 22349; bugfix
+ on 0.2.1.19-alpha.
+
+ o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha):
+ - Avoid a possible double close of a circuit by the intro point on
+ error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610;
+ bugfix on 0.3.0.1-alpha.
+
+ o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
+ - Clear the address when node_get_prim_orport() returns early.
+ Fixes bug 23874; bugfix on 0.2.8.2-alpha.
+
+ o Minor bugfixes (Windows service, backport from 0.3.1.6-rc):
+ - When running as a Windows service, set the ID of the main thread
+ correctly. Failure to do so made us fail to send log messages to
+ the controller in 0.2.1.16-rc, slowed down controller event
+ delivery in 0.2.7.3-rc and later, and crash with an assertion
+ failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha.
+ Patch and diagnosis from "Vort".
+
+
+Changes in version 0.3.0.11 - 2017-09-18
+ Tor 0.3.0.11 backports a collection of bugfixes from Tor the 0.3.1
+ series.
+
+ Most significantly, it includes a fix for TROVE-2017-008, a
+ security bug that affects hidden services running with the
+ SafeLogging option disabled. For more information, see
+ https://trac.torproject.org/projects/tor/ticket/23490
+
+ o Minor features (code style, backport from 0.3.1.7):
+ - Add "Falls through" comments to our codebase, in order to silence
+ GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
+ Stieger. Closes ticket 22446.
+
+ o Minor features:
+ - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (compilation, backport from 0.3.1.7):
+ - Avoid compiler warnings in the unit tests for calling tor_sscanf()
+ with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
+
+ o Minor bugfixes (controller, backport from 0.3.1.7):
+ - Do not crash when receiving a HSPOST command with an empty body.
+ Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
+ - Do not crash when receiving a POSTDESCRIPTOR command with an empty
+ body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
+
+ o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
+ - When setting the maximum number of connections allowed by the OS,
+ always allow some extra file descriptors for other files. Fixes
+ bug 22797; bugfix on 0.2.0.10-alpha.
+
+ o Minor bugfixes (logging, relay, backport from 0.3.1.6-rc):
+ - Remove a forgotten debugging message when an introduction point
+ successfully establishes a hidden service prop224 circuit with
+ a client.
+ - Change three other log_warn() for an introduction point to
+ protocol warnings, because they can be failure from the network
+ and are not relevant to the operator. Fixes bug 23078; bugfix on
+ 0.3.0.1-alpha and 0.3.0.2-alpha.
+
+
+Changes in version 0.3.0.10 - 2017-08-02
+ Tor 0.3.0.10 backports a collection of small-to-medium bugfixes
+ from the current Tor alpha series. OpenBSD users and TPROXY users
+ should upgrade; others are probably okay sticking with 0.3.0.9.
+
+ o Major features (build system, continuous integration, backport from 0.3.1.5-alpha):
+ - Tor's repository now includes a Travis Continuous Integration (CI)
+ configuration file (.travis.yml). This is meant to help new
+ developers and contributors who fork Tor to a Github repository be
+ better able to test their changes, and understand what we expect
+ to pass. To use this new build feature, you must fork Tor to your
+ Github account, then go into the "Integrations" menu in the
+ repository settings for your fork and enable Travis, then push
+ your changes. Closes ticket 22636.
+
+ o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
+ - Fix a typo that had prevented TPROXY-based transparent proxying
+ from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
+ Patch from "d4fq0fQAgoJ".
+
+ o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
+ - Avoid an assertion failure bug affecting our implementation of
+ inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
+ handling of "0xfoo" differs from what we had expected. Fixes bug
+ 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
+
+ o Minor features (backport from 0.3.1.5-alpha):
+ - Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (bandwidth accounting, backport from 0.3.1.2-alpha):
+ - Roll over monthly accounting at the configured hour and minute,
+ rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
+ Found by Andrey Karpov with PVS-Studio.
+
+ o Minor bugfixes (compilation warnings, backport from 0.3.1.5-alpha):
+ - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
+ bugfix on 0.2.8.1-alpha.
+ - Fix warnings when building with libscrypt and openssl scrypt
+ support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
+ - When building with certain versions of the mingw C header files,
+ avoid float-conversion warnings when calling the C functions
+ isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix
+ on 0.2.8.1-alpha.
+
+ o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
+ - Backport a fix for an "unused variable" warning that appeared
+ in some versions of mingw. Fixes bug 22838; bugfix on
+ 0.2.8.1-alpha.
+
+ o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
+ - Avoid Coverity build warnings related to our BUG() macro. By
+ default, Coverity treats BUG() as the Linux kernel does: an
+ instant abort(). We need to override that so our BUG() macro
+ doesn't prevent Coverity from analyzing functions that use it.
+ Fixes bug 23030; bugfix on 0.2.9.1-alpha.
+
+ o Minor bugfixes (directory authority, backport from 0.3.1.1-alpha):
+ - When rejecting a router descriptor for running an obsolete version
+ of Tor without ntor support, warn about the obsolete tor version,
+ not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.
+
+ o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
+ - Avoid a sandbox failure when trying to re-bind to a socket and
+ mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
+
+ o Minor bugfixes (unit tests, backport from 0.3.1.5-alpha)
+ - Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
+ Fixes bug 22803; bugfix on 0.3.0.1-alpha.
+
+
+Changes in version 0.3.0.9 - 2017-06-29
+ Tor 0.3.0.9 fixes a path selection bug that would allow a client
+ to use a guard that was in the same network family as a chosen exit
+ relay. This is a security regression; all clients running earlier
+ versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
+ 0.3.1.4-alpha.
+
+ This release also backports several other bugfixes from the 0.3.1.x
+ series.
+
+ o Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):
+ - When choosing which guard to use for a circuit, avoid the exit's
+ family along with the exit itself. Previously, the new guard
+ selection logic avoided the exit, but did not consider its family.
+ Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2017-
+ 006 and CVE-2017-0377.
+
+ o Major bugfixes (entry guards, backport from 0.3.1.1-alpha):
+ - Don't block bootstrapping when a primary bridge is offline and we
+ can't get its descriptor. Fixes bug 22325; fixes one case of bug
+ 21969; bugfix on 0.3.0.3-alpha.
+
+ o Major bugfixes (entry guards, backport from 0.3.1.4-alpha):
+ - When starting with an old consensus, do not add new entry guards
+ unless the consensus is "reasonably live" (under 1 day old). Fixes
+ one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
+ - Reject version numbers with non-numeric prefixes (such as +, -, or
+ whitespace). Disallowing whitespace prevents differential version
+ parsing between POSIX-based and Windows platforms. Fixes bug 21507
+ and part of 21508; bugfix on 0.0.8pre1.
+
+ o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
+ - Permit the fchmod system call, to avoid crashing on startup when
+ starting with the seccomp2 sandbox and an unexpected set of
+ permissions on the data directory or its contents. Fixes bug
+ 22516; bugfix on 0.2.5.4-alpha.
+
+ o Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha):
+ - Fix a memset() off the end of an array when packing cells. This
+ bug should be harmless in practice, since the corrupted bytes are
+ still in the same structure, and are always padding bytes,
+ ignored, or immediately overwritten, depending on compiler
+ behavior. Nevertheless, because the memset()'s purpose is to make
+ sure that any other cell-handling bugs can't expose bytes to the
+ network, we need to fix it. Fixes bug 22737; bugfix on
+ 0.2.4.11-alpha. Fixes CID 1401591.
+
+
+Changes in version 0.3.0.8 - 2017-06-08
+ Tor 0.3.0.8 fixes a pair of bugs that would allow an attacker to
+ remotely crash a hidden service with an assertion failure. Anyone
+ running a hidden service should upgrade to this version, or to some
+ other version with fixes for TROVE-2017-004 and TROVE-2017-005.
+
+ Tor 0.3.0.8 also includes fixes for several key management bugs
+ that sometimes made relays unreliable, as well as several other
+ bugfixes described below.
+
+ o Major bugfixes (hidden service, relay, security, backport
+ from 0.3.1.3-alpha):
+ - Fix a remotely triggerable assertion failure when a hidden service
+ handles a malformed BEGIN cell. Fixes bug 22493, tracked as
+ TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
+ - Fix a remotely triggerable assertion failure caused by receiving a
+ BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+ 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+ on 0.2.2.1-alpha.
+
+ o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
+ - When performing the v3 link handshake on a TLS connection, report
+ that we have the x509 certificate that we actually used on that
+ connection, even if we have changed certificates since that
+ connection was first opened. Previously, we would claim to have
+ used our most recent x509 link certificate, which would sometimes
+ make the link handshake fail. Fixes one case of bug 22460; bugfix
+ on 0.2.3.6-alpha.
+
+ o Major bugfixes (relays, key management, backport from 0.3.1.3-alpha):
+ - Regenerate link and authentication certificates whenever the key
+ that signs them changes; also, regenerate link certificates
+ whenever the signed key changes. Previously, these processes were
+ only weakly coupled, and we relays could (for minutes to hours)
+ wind up with an inconsistent set of keys and certificates, which
+ other relays would not accept. Fixes two cases of bug 22460;
+ bugfix on 0.3.0.1-alpha.
+ - When sending an Ed25519 signing->link certificate in a CERTS cell,
+ send the certificate that matches the x509 certificate that we
+ used on the TLS connection. Previously, there was a race condition
+ if the TLS context rotated after we began the TLS handshake but
+ before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
+ on 0.3.0.1-alpha.
+
+ o Major bugfixes (hidden service v3, backport from 0.3.1.1-alpha):
+ - Stop rejecting v3 hidden service descriptors because their size
+ did not match an old padding rule. Fixes bug 22447; bugfix on
+ tor-0.3.0.1-alpha.
+
+ o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
+ - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
+ December 2016 (of which ~126 were still functional) with a list of
+ 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
+ 2017. Resolves ticket 21564.
+
+ o Minor bugfixes (configuration, backport from 0.3.1.1-alpha):
+ - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes
+ bug 22252; bugfix on 0.2.9.3-alpha.
+
+ o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
+ - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+ file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+ o Minor bugfixes (link handshake, backport from 0.3.1.3-alpha):
+ - Lower the lifetime of the RSA->Ed25519 cross-certificate to six
+ months, and regenerate it when it is within one month of expiring.
+ Previously, we had generated this certificate at startup with a
+ ten-year lifetime, but that could lead to weird behavior when Tor
+ was started with a grossly inaccurate clock. Mitigates bug 22466;
+ mitigation on 0.3.0.1-alpha.
+
+ o Minor bugfixes (memory leak, directory authority, backport from
+ 0.3.1.2-alpha):
+ - When directory authorities reject a router descriptor due to
+ keypinning, free the router descriptor rather than leaking the
+ memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
+
+
+
+Changes in version 0.3.0.7 - 2017-05-15
+ Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions
+ of Tor 0.3.0.x, where an attacker could cause a Tor relay process to
+ exit. Relays running earlier versions of Tor 0.3.0.x should upgrade;
+ clients are not affected.
+
+ o Major bugfixes (hidden service directory, security):
+ - Fix an assertion failure in the hidden service directory code,
+ which could be used by an attacker to remotely cause a Tor relay
+ process to exit. Relays running earlier versions of Tor 0.3.0.x
+ should upgrade. This security issue is tracked as TROVE-2017-002.
+ Fixes bug 22246; bugfix on 0.3.0.1-alpha.
+
+ o Minor features:
+ - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (future-proofing):
+ - Tor no longer refuses to download microdescriptors or descriptors
+ if they are listed as "published in the future". This change will
+ eventually allow us to stop listing meaningful "published" dates
+ in microdescriptor consensuses, and thereby allow us to reduce the
+ resources required to download consensus diffs by over 50%.
+ Implements part of ticket 21642; implements part of proposal 275.
+
+ o Minor bugfixes (Linux seccomp2 sandbox):
+ - The getpid() system call is now permitted under the Linux seccomp2
+ sandbox, to avoid crashing with versions of OpenSSL (and other
+ libraries) that attempt to learn the process's PID by using the
+ syscall rather than the VDSO code. Fixes bug 21943; bugfix
+ on 0.2.5.1-alpha.
+
+
+Changes in version 0.3.0.6 - 2017-04-26
+ Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.
+
+ With the 0.3.0 series, clients and relays now use Ed25519 keys to
+ authenticate their link connections to relays, rather than the old
+ RSA1024 keys that they used before. (Circuit crypto has been
+ Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced
+ the guard selection and replacement algorithm to behave more robustly
+ in the presence of unreliable networks, and to resist guard-
+ capture attacks.
+
+ This series also includes numerous other small features and bugfixes,
+ along with more groundwork for the upcoming hidden-services revamp.
+
+ Per our stable release policy, we plan to support the Tor 0.3.0
+ release series for at least the next nine months, or for three months
+ after the first stable release of the 0.3.1 series: whichever is
+ longer. If you need a release with long-term support, we recommend
+ that you stay with the 0.2.9 series.
+
+ Below are the changes since 0.3.0.5-rc. For a list of all changes
+ since 0.2.9, see the ReleaseNotes file.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (control port):
+ - The GETINFO extra-info/digest/<digest> command was broken because
+ of a wrong base16 decode return value check, introduced when
+ refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.
+
+ o Minor bugfixes (crash prevention):
+ - Fix a (currently untriggerable, but potentially dangerous) crash
+ bug when base32-encoding inputs whose sizes are not a multiple of
+ 5. Fixes bug 21894; bugfix on 0.2.9.1-alpha.
+
+
+Changes in version 0.3.0.5-rc - 2017-04-05
+ Tor 0.3.0.5-rc fixes a few remaining bugs, large and small, in the
+ 0.3.0 release series.
+
+ This is the second release candidate in the Tor 0.3.0 series, and has
+ much fewer changes than the first. If we find no new bugs or
+ regressions here, the first stable 0.3.0 release will be nearly
+ identical to it.
+
+ o Major bugfixes (crash, directory connections):
+ - Fix a rare crash when sending a begin cell on a circuit whose
+ linked directory connection had already been closed. Fixes bug
+ 21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.
+
+ o Major bugfixes (guard selection):
+ - Fix a guard selection bug where Tor would refuse to bootstrap in
+ some cases if the user swapped a bridge for another bridge in
+ their configuration file. Fixes bug 21771; bugfix on 0.3.0.1-alpha.
+ Reported by "torvlnt33r".
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the March 7 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfix (compilation):
+ - Fix a warning when compiling hs_service.c. Previously, it had no
+ exported symbols when compiled for libor.a, resulting in a
+ compilation warning from clang. Fixes bug 21825; bugfix
+ on 0.3.0.1-alpha.
+
+ o Minor bugfixes (hidden services):
+ - Make hidden services check for failed intro point connections,
+ even when they have exceeded their intro point creation limit.
+ Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett.
+ - Make hidden services with 8 to 10 introduction points check for
+ failed circuits immediately after startup. Previously, they would
+ wait for 5 minutes before performing their first checks. Fixes bug
+ 21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett.
+
+ o Minor bugfixes (memory leaks):
+ - Fix a memory leak when using GETCONF on a port option. Fixes bug
+ 21682; bugfix on 0.3.0.3-alpha.
+
+ o Minor bugfixes (relay):
+ - Avoid a double-marked-circuit warning that could happen when we
+ receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
+ on 0.1.0.1-rc.
+
+ o Minor bugfixes (tests):
+ - Run the entry_guard_parse_from_state_full() test with the time set
+ to a specific date. (The guard state that this test was parsing
+ contained guards that had expired since the test was first
+ written.) Fixes bug 21799; bugfix on 0.3.0.1-alpha.
+
+ o Documentation:
+ - Update the description of the directory server options in the
+ manual page, to clarify that a relay no longer needs to set
+ DirPort in order to be a directory cache. Closes ticket 21720.
+
+
+Changes in version 0.3.0.4-rc - 2017-03-01
+ Tor 0.3.0.4-rc fixes some remaining bugs, large and small, in the
+ 0.3.0 release series, and introduces a few reliability features to
+ keep them from coming back.
+
+ This is the first release candidate in the Tor 0.3.0 series. If we
+ find no new bugs or regressions here, the first stable 0.3.0 release
+ will be nearly identical to it.
+
+ o Major bugfixes (bridges):
+ - When the same bridge is configured multiple times with the same
+ identity, but at different address:port combinations, treat those
+ bridge instances as separate guards. This fix restores the ability
+ of clients to configure the same bridge with multiple pluggable
+ transports. Fixes bug 21027; bugfix on 0.3.0.1-alpha.
+
+ o Major bugfixes (hidden service directory v3):
+ - Stop crashing on a failed v3 hidden service descriptor lookup
+ failure. Fixes bug 21471; bugfixes on tor-0.3.0.1-alpha.
+
+ o Major bugfixes (parsing):
+ - When parsing a malformed content-length field from an HTTP
+ message, do not read off the end of the buffer. This bug was a
+ potential remote denial-of-service attack against Tor clients and
+ relays. A workaround was released in October 2016, to prevent this
+ bug from crashing Tor. This is a fix for the underlying issue,
+ which should no longer matter (if you applied the earlier patch).
+ Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing
+ using AFL (http://lcamtuf.coredump.cx/afl/).
+ - Fix an integer underflow bug when comparing malformed Tor
+ versions. This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
+ 0.2.9.8, which were built with -ftrapv by default. In other cases
+ it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
+ on 0.0.8pre1. Found by OSS-Fuzz.
+
+ o Minor feature (protocol versioning):
+ - Add new protocol version for proposal 224. HSIntro now advertises
+ version "3-4" and HSDir version "1-2". Fixes ticket 20656.
+
+ o Minor features (directory authorities):
+ - Directory authorities now reject descriptors that claim to be
+ malformed versions of Tor. Helps prevent exploitation of
+ bug 21278.
+ - Reject version numbers with components that exceed INT32_MAX.
+ Otherwise 32-bit and 64-bit platforms would behave inconsistently.
+ Fixes bug 21450; bugfix on 0.0.8pre1.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (reliability, crash):
+ - Try better to detect problems in buffers where they might grow (or
+ think they have grown) over 2 GB in size. Diagnostic for
+ bug 21369.
+
+ o Minor features (testing):
+ - During 'make test-network-all', if tor logs any warnings, ask
+ chutney to output them. Requires a recent version of chutney with
+ the 21572 patch. Implements 21570.
+
+ o Minor bugfixes (certificate expiration time):
+ - Avoid using link certificates that don't become valid till some
+ time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha
+
+ o Minor bugfixes (code correctness):
+ - Repair a couple of (unreachable or harmless) cases of the risky
+ comparison-by-subtraction pattern that caused bug 21278.
+ - Remove a redundant check for the UseEntryGuards option from the
+ options_transition_affects_guards() function. Fixes bug 21492;
+ bugfix on 0.3.0.1-alpha.
+
+ o Minor bugfixes (directory mirrors):
+ - Allow relays to use directory mirrors without a DirPort: these
+ relays need to be contacted over their ORPorts using a begindir
+ connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha.
+ - Clarify the message logged when a remote relay is unexpectedly
+ missing an ORPort or DirPort: users were confusing this with a
+ local port. Fixes another case of bug 20711; bugfix
+ on 0.2.8.2-alpha.
+
+ o Minor bugfixes (guards):
+ - Don't warn about a missing guard state on timeout-measurement
+ circuits: they aren't supposed to be using guards. Fixes an
+ instance of bug 21007; bugfix on 0.3.0.1-alpha.
+ - Silence a BUG() warning when attempting to use a guard whose
+ descriptor we don't know, and make this scenario less likely to
+ happen. Fixes bug 21415; bugfix on 0.3.0.1-alpha.
+
+ o Minor bugfixes (hidden service):
+ - Pass correct buffer length when encoding legacy ESTABLISH_INTRO
+ cells. Previously, we were using sizeof() on a pointer, instead of
+ the real destination buffer. Fortunately, that value was only used
+ to double-check that there was enough room--which was already
+ enforced elsewhere. Fixes bug 21553; bugfix on 0.3.0.1-alpha.
+
+ o Minor bugfixes (testing):
+ - Fix Raspbian build issues related to missing socket errno in
+ test_util.c. Fixes bug 21116; bugfix on tor-0.2.8.2. Patch
+ by "hein".
+ - Rename "make fuzz" to "make test-fuzz-corpora", since it doesn't
+ actually fuzz anything. Fixes bug 21447; bugfix on 0.3.0.3-alpha.
+ - Use bash in src/test/test-network.sh. This ensures we reliably
+ call chutney's newer tools/test-network.sh when available. Fixes
+ bug 21562; bugfix on 0.2.9.1-alpha.
+
+ o Documentation:
+ - Small fixes to the fuzzing documentation. Closes ticket 21472.
+
+
+Changes in version 0.2.9.10 - 2017-03-01
+ Tor 0.2.9.10 backports a security fix from later Tor release. It also
+ includes fixes for some major issues affecting directory authorities,
+ LibreSSL compatibility, and IPv6 correctness.
+
+ The Tor 0.2.9.x release series is now marked as a long-term-support
+ series. We intend to backport security fixes to 0.2.9.x until at
+ least January of 2020.
+
+ o Major bugfixes (directory authority, 0.3.0.3-alpha):
+ - During voting, when marking a relay as a probable sybil, do not
+ clear its BadExit flag: sybils can still be bad in other ways
+ too. (We still clear the other flags.) Fixes bug 21108; bugfix
+ on 0.2.0.13-alpha.
+
+ o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
+ - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
+ any IPv6 addresses. Instead, only reject a port over IPv6 if the
+ exit policy rejects that port on more than an IPv6 /16 of
+ addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
+ which rejected a relay's own IPv6 address by default. Fixes bug
+ 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
+
+ o Major bugfixes (parsing, also in 0.3.0.4-rc):
+ - Fix an integer underflow bug when comparing malformed Tor
+ versions. This bug could crash Tor when built with
+ --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
+ 0.2.9.8, which were built with -ftrapv by default. In other cases
+ it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
+ on 0.0.8pre1. Found by OSS-Fuzz.
+
+ o Minor features (directory authorities, also in 0.3.0.4-rc):
+ - Directory authorities now reject descriptors that claim to be
+ malformed versions of Tor. Helps prevent exploitation of
+ bug 21278.
+ - Reject version numbers with components that exceed INT32_MAX.
+ Otherwise 32-bit and 64-bit platforms would behave inconsistently.
+ Fixes bug 21450; bugfix on 0.0.8pre1.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (portability, compilation, backport from 0.3.0.3-alpha):
+ - Autoconf now checks to determine if OpenSSL structures are opaque,
+ instead of explicitly checking for OpenSSL version numbers. Part
+ of ticket 21359.
+ - Support building with recent LibreSSL code that uses opaque
+ structures. Closes ticket 21359.
+
+ o Minor bugfixes (code correctness, also in 0.3.0.4-rc):
+ - Repair a couple of (unreachable or harmless) cases of the risky
+ comparison-by-subtraction pattern that caused bug 21278.
+
+ o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
+ - The tor-resolve command line tool now rejects hostnames over 255
+ characters in length. Previously, it would silently truncate them,
+ which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
+ Patch by "junglefowl".
Changes in version 0.3.0.3-alpha - 2017-02-03
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion