Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 411 |
1 files changed, 411 insertions, 0 deletions
@@ -1,3 +1,414 @@ +Changes in version 0.3.1.7 - 2017-09-18 + Tor 0.3.1.7 is the first stable release in the 0.3.1 series. + + With the 0.3.1 series, Tor now serves and downloads directory + information in more compact formats, to save on bandwidth overhead. It + also contains a new padding system to resist netflow-based traffic + analysis, and experimental support for building parts of Tor in Rust + (though no parts of Tor are in Rust yet). There are also numerous + small features, bugfixes on earlier release series, and groundwork for + the hidden services revamp of 0.3.2. + + This release also includes a fix for TROVE-2017-008, a security bug + that affects hidden services running with the SafeLogging option + disabled. For more information, see + https://trac.torproject.org/projects/tor/ticket/23490 + + Per our stable release policy, we plan to support each stable release + series for at least the next nine months, or for three months after + the first stable release of the next series: whichever is longer. If + you need a release with long-term support, we recommend that you stay + with the 0.2.9 series. + + Below is a list of the changes since 0.3.1.6-rc. For a list of all + changes since 0.3.0, see the ReleaseNotes file. + + o Major bugfixes (security, hidden services, loggging): + - Fix a bug where we could log uninitialized stack when a certain + hidden service error occurred while SafeLogging was disabled. + Fixes bug #23490; bugfix on 0.2.7.2-alpha. This is also tracked as + TROVE-2017-008 and CVE-2017-0380. + + o Minor features (defensive programming): + - Create a pair of consensus parameters, nf_pad_tor2web and + nf_pad_single_onion, to disable netflow padding in the consensus + for non-anonymous connections in case the overhead is high. Closes + ticket 17857. + + o Minor features (diagnostic): + - Add a stack trace to the bug warnings that can be logged when + trying to send an outgoing relay cell with n_chan == 0. Diagnostic + attempt for bug 23105. 
+ + o Minor features (geoip): + - Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation): + - Avoid compiler warnings in the unit tests for calling tor_sscanf() + with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha. + + o Minor bugfixes (controller): + - Do not crash when receiving a HSPOST command with an empty body. + Fixes part of bug 22644; bugfix on 0.2.7.1-alpha. + - Do not crash when receiving a POSTDESCRIPTOR command with an empty + body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha. + + o Minor bugfixes (relay): + - Inform the geoip and rephist modules about all requests, even on + relays that are only fetching microdescriptors. Fixes a bug + related to 21585; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (unit tests): + - Fix a channelpadding unit test failure on slow systems by using + mocked time instead of actual time. Fixes bug 23077; bugfix + on 0.3.1.1-alpha. + + +Changes in version 0.3.1.6-rc - 2017-09-05 + Tor 0.3.1.6-rc fixes a few small bugs and annoyances in the 0.3.1 + release series, including a bug that produced weird behavior on + Windows directory caches. + + This is the first release candidate in the Tor 0.3.1 series. If we + find no new bugs or regressions here, the first stable 0.3.1 release + will be nearly identical to it. + + o Major bugfixes (windows, directory cache): + - On Windows, do not try to delete cached consensus documents and + diffs before they are unmapped from memory--Windows won't allow + that. Instead, allow the consensus cache directory to grow larger, + to hold files that might need to stay around longer. Fixes bug + 22752; bugfix on 0.3.1.1-alpha. + + o Minor features (directory authority): + - Improve the message that authorities report to relays that present + RSA/Ed25519 keypairs that conflict with previously pinned keys. + Closes ticket 22348. 
+ + o Minor features (geoip): + - Update geoip and geoip6 to the August 3 2017 Maxmind GeoLite2 + Country database. + + o Minor features (testing): + - Add more tests for compression backend initialization. Closes + ticket 22286. + + o Minor bugfixes (directory cache): + - Fix a memory leak when recovering space in the consensus cache. + Fixes bug 23139; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (hidden service): + - Increase the number of circuits that a service is allowed to + open over a specific period of time. The value was lower than it + should be (8 vs 12) in the normal case of 3 introduction points. + Fixes bug 22159; bugfix on 0.3.0.5-rc. + - Fix a BUG warning during HSv3 descriptor decoding that could be + cause by a specially crafted descriptor. Fixes bug 23233; bugfix + on 0.3.0.1-alpha. Bug found by "haxxpop". + - Rate-limit the log messages if we exceed the maximum number of + allowed intro circuits. Fixes bug 22159; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (logging, relay): + - Remove a forgotten debugging message when an introduction point + successfully establishes a hidden service prop224 circuit with + a client. + - Change three other log_warn() for an introduction point to + protocol warnings, because they can be failure from the network + and are not relevant to the operator. Fixes bug 23078; bugfix on + 0.3.0.1-alpha and 0.3.0.2-alpha. + + o Minor bugfixes (relay): + - When a relay is not running as a directory cache, it will no + longer generate compressed consensuses and consensus diff + information. Previously, this was a waste of disk and CPU. Fixes + bug 23275; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (robustness, error handling): + - Improve our handling of the cases where OpenSSL encounters a + memory error while encoding keys and certificates. We haven't + observed these errors in the wild, but if they do happen, we now + detect and respond better. Fixes bug 19418; bugfix on all versions + of Tor. 
Reported by Guido Vranken. + + o Minor bugfixes (stability): + - Avoid crashing on a double-free when unable to load or process an + included file. Fixes bug 23155; bugfix on 0.3.1.1-alpha. Found + with the clang static analyzer. + + o Minor bugfixes (testing): + - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291; + bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij. + - Port the hs_ntor handshake test to work correctly with recent + versions of the pysha3 module. Fixes bug 23071; bugfix + on 0.3.1.1-alpha. + + o Minor bugfixes (Windows service): + - When running as a Windows service, set the ID of the main thread + correctly. Failure to do so made us fail to send log messages to + the controller in 0.2.1.16-rc, slowed down controller event + delivery in 0.2.7.3-rc and later, and crash with an assertion + failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha. + Patch and diagnosis from "Vort". + + +Changes in version 0.3.1.5-alpha - 2017-08-01 + Tor 0.3.1.5-alpha improves the performance of consensus diff + calculation, fixes a crash bug on older versions of OpenBSD, and fixes + several other bugs. If no serious bugs are found in this version, the + next version will be a release candidate. + + This release also marks the end of support for the Tor 0.2.4.x, + 0.2.6.x, and 0.2.7.x release series. Those releases will receive no + further bug or security fixes. Anyone still running or distributing + one of those versions should upgrade. + + o Major features (build system, continuous integration): + - Tor's repository now includes a Travis Continuous Integration (CI) + configuration file (.travis.yml). This is meant to help new + developers and contributors who fork Tor to a Github repository be + better able to test their changes, and understand what we expect + to pass. 
To use this new build feature, you must fork Tor to your + Github account, then go into the "Integrations" menu in the + repository settings for your fork and enable Travis, then push + your changes. Closes ticket 22636. + + o Major bugfixes (openbsd, denial-of-service): + - Avoid an assertion failure bug affecting our implementation of + inet_pton(AF_INET6) on certain OpenBSD systems whose strtol() + handling of "0xfoo" differs from what we had expected. Fixes bug + 22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007. + + o Major bugfixes (relay, performance): + - Perform circuit handshake operations at a higher priority than we + use for consensus diff creation and compression. This should + prevent circuits from starving when a relay or bridge receives a + new consensus, especially on lower-powered machines. Fixes bug + 22883; bugfix on 0.3.1.1-alpha. + + o Minor features (bridge authority): + - Add "fingerprint" lines to the networkstatus-bridges file produced + by bridge authorities. Closes ticket 22207. + + o Minor features (directory cache, consensus diff): + - Add a new MaxConsensusAgeForDiffs option to allow directory cache + operators with low-resource environments to adjust the number of + consensuses they'll store and generate diffs from. Most cache + operators should leave it unchanged. Helps to work around + bug 22883. + + o Minor features (geoip): + - Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2 + Country database. + + o Minor features (relay, performance): + - Always start relays with at least two worker threads, to prevent + priority inversion on slow tasks. Part of the fix for bug 22883. + - Allow background work to be queued with different priorities, so + that a big pile of slow low-priority jobs will not starve out + higher priority jobs. This lays the groundwork for a fix for + bug 22883. 
+ + o Minor bugfixes (build system, rust): + - Fix a problem where Rust toolchains were not being found when + building without --enable-cargo-online-mode, due to setting the + $HOME environment variable instead of $CARGO_HOME. Fixes bug + 22830; bugfix on 0.3.1.1-alpha. Fix by Chelsea Komlo. + + o Minor bugfixes (compatibility, zstd): + - Write zstd epilogues correctly when the epilogue requires + reallocation of the output buffer, even with zstd 1.3.0. + (Previously, we worked on 1.2.0 and failed with 1.3.0). Fixes bug + 22927; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (compilation warnings): + - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug + 22915; bugfix on 0.2.8.1-alpha. + - Fix warnings when building with libscrypt and openssl scrypt + support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha. + - Compile correctly when both openssl 1.1.0 and libscrypt are + detected. Previously this would cause an error. Fixes bug 22892; + bugfix on 0.3.1.1-alpha. + - When building with certain versions of the mingw C header files, + avoid float-conversion warnings when calling the C functions + isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix + on 0.2.8.1-alpha. + + o Minor bugfixes (coverity build support): + - Avoid Coverity build warnings related to our BUG() macro. By + default, Coverity treats BUG() as the Linux kernel does: an + instant abort(). We need to override that so our BUG() macro + doesn't prevent Coverity from analyzing functions that use it. + Fixes bug 23030; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (directory authority): + - When a directory authority rejects a descriptor or extrainfo with + a given digest, mark that digest as undownloadable, so that we do + not attempt to download it again over and over. We previously + tried to avoid downloading such descriptors by other means, but we + didn't notice if we accidentally downloaded one anyway. 
This + behavior became problematic in 0.2.7.2-alpha, when authorities + began pinning Ed25519 keys. Fixes bug 22349; bugfix + on 0.2.1.19-alpha. + + o Minor bugfixes (error reporting, windows): + - When formatting Windows error messages, use the English format to + avoid codepage issues. Fixes bug 22520; bugfix on 0.1.2.8-alpha. + Patch from "Vort". + + o Minor bugfixes (file limits, osx): + - When setting the maximum number of connections allowed by the OS, + always allow some extra file descriptors for other files. Fixes + bug 22797; bugfix on 0.2.0.10-alpha. + + o Minor bugfixes (linux seccomp2 sandbox): + - Avoid a sandbox failure when trying to re-bind to a socket and + mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (memory leaks): + - Fix a small memory leak when validating a configuration that uses + two or more AF_UNIX sockets for the same port type. Fixes bug + 23053; bugfix on 0.2.6.3-alpha. This is CID 1415725. + + o Minor bugfixes (unit tests): + - test_consdiff_base64cmp would fail on OS X because while OS X + follows the standard of (less than zero/zero/greater than zero), + it doesn't follow the convention of (-1/0/+1). Make the test + comply with the standard. Fixes bug 22870; bugfix on 0.3.1.1-alpha. + - Fix a memory leak in the link-handshake/certs_ok_ed25519 test. + Fixes bug 22803; bugfix on 0.3.0.1-alpha. + + +Changes in version 0.3.1.4-alpha - 2017-06-29 + Tor 0.3.1.4-alpha fixes a path selection bug that would allow a client + to use a guard that was in the same network family as a chosen exit + relay. This is a security regression; all clients running earlier + versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 + or 0.3.1.4-alpha. + + This release also fixes several other bugs introduced in 0.3.0.x + and 0.3.1.x, including others that can affect bandwidth usage + and correctness. + + o New dependencies: + - To build with zstd and lzma support, Tor now requires the + pkg-config tool at build time. 
(This requirement was new in + 0.3.1.1-alpha, but was not noted at the time. Noting it here to + close ticket 22623.) + + o Major bugfixes (path selection, security): + - When choosing which guard to use for a circuit, avoid the exit's + family along with the exit itself. Previously, the new guard + selection logic avoided the exit, but did not consider its family. + Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2017- + 006 and CVE-2017-0377. + + o Major bugfixes (compression, zstd): + - Correctly detect a full buffer when decompressing a large zstd- + compressed input. Previously, we would sometimes treat a full + buffer as an error. Fixes bug 22628; bugfix on 0.3.1.1-alpha. + + o Major bugfixes (directory protocol): + - Ensure that we send "304 Not modified" as HTTP status code when a + client is attempting to fetch a consensus or consensus diff, and + the best one we can send them is one they already have. Fixes bug + 22702; bugfix on 0.3.1.1-alpha. + + o Major bugfixes (entry guards): + - When starting with an old consensus, do not add new entry guards + unless the consensus is "reasonably live" (under 1 day old). Fixes + one root cause of bug 22400; bugfix on 0.3.0.1-alpha. + + o Minor features (bug mitigation, diagnostics, logging): + - Avoid an assertion failure, and log a better error message, when + unable to remove a file from the consensus cache on Windows. + Attempts to mitigate and diagnose bug 22752. + + o Minor features (geoip): + - Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compression): + - When compressing or decompressing a buffer, check for a failure to + create a compression object. Fixes bug 22626; bugfix + on 0.3.1.1-alpha. + - When decompressing a buffer, check for extra data after the end of + the compressed data. Fixes bug 22629; bugfix on 0.3.1.1-alpha. 
+ - When decompressing an object received over an anonymous directory + connection, if we have already decompressed it using an acceptable + compression method, do not reject it for looking like an + unacceptable compression method. Fixes part of bug 22670; bugfix + on 0.3.1.1-alpha. + - When serving directory votes compressed with zlib, do not claim to + have compressed them with zstd. Fixes bug 22669; bugfix + on 0.3.1.1-alpha. + - When spooling compressed data to an output buffer, don't try to + spool more data when there is no more data to spool and we are not + trying to flush the input. Previously, we would sometimes launch + compression requests with nothing to do, which interferes with our + 22672 checks. Fixes bug 22719; bugfix on 0.2.0.16-alpha. + + o Minor bugfixes (defensive programming): + - Detect and break out of infinite loops in our compression code. We + don't think that any such loops exist now, but it's best to be + safe. Closes ticket 22672. + - Fix a memset() off the end of an array when packing cells. This + bug should be harmless in practice, since the corrupted bytes are + still in the same structure, and are always padding bytes, + ignored, or immediately overwritten, depending on compiler + behavior. Nevertheless, because the memset()'s purpose is to make + sure that any other cell-handling bugs can't expose bytes to the + network, we need to fix it. Fixes bug 22737; bugfix on + 0.2.4.11-alpha. Fixes CID 1401591. + + o Minor bugfixes (linux seccomp2 sandbox): + - Permit the fchmod system call, to avoid crashing on startup when + starting with the seccomp2 sandbox and an unexpected set of + permissions on the data directory or its contents. Fixes bug + 22516; bugfix on 0.2.5.4-alpha. + - Fix a crash in the LZMA module, when the sandbox was enabled, and + liblzma would allocate more than 16 MB of memory. We solve this by + bumping the mprotect() limit in the sandbox module from 16 MB to + 20 MB. Fixes bug 22751; bugfix on 0.3.1.1-alpha. 
+ + o Minor bugfixes (logging): + - When decompressing, do not warn if we fail to decompress using a + compression method that we merely guessed. Fixes part of bug + 22670; bugfix on 0.1.1.14-alpha. + - When decompressing, treat mismatch between content-encoding and + actual compression type as a protocol warning. Fixes part of bug + 22670; bugfix on 0.1.1.9-alpha. + - Downgrade "assigned_to_cpuworker failed" message to info-level + severity. In every case that can reach it, either a better warning + has already been logged, or no warning is warranted. Fixes bug + 22356; bugfix on 0.2.6.3-alpha. + - Demote a warn that was caused by libevent delays to info if + netflow padding is less than 4.5 seconds late, or to notice + if it is more (4.5 seconds is the amount of time that a netflow + record might be emitted after, if we chose the maximum timeout). + Fixes bug 22212; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (process behavior): + - When exiting because of an error, always exit with a nonzero exit + status. Previously, we would fail to report an error in our exit + status in cases related to __OwningControllerProcess failure, + lockfile contention, and Ed25519 key initialization. Fixes bug + 22720; bugfix on versions 0.2.1.6-alpha, 0.2.2.28-beta, and + 0.2.7.2-alpha respectively. Reported by "f55jwk4f"; patch + from "huyvq". + + o Documentation: + - Add a manpage description for the key-pinning-journal file. Closes + ticket 22347. + - Correctly note that bandwidth accounting values are stored in the + state file, and the bw_accounting file is now obsolete. Closes + ticket 16082. + - Document more of the files in the Tor data directory, including + cached-extrainfo, secret_onion_key{,_ntor}.old, hidserv-stats, + approved-routers, sr-random, and diff-cache. Found while fixing + ticket 22347. 
+ + Changes in version 0.3.1.3-alpha - 2017-06-08 Tor 0.3.1.3-alpha fixes a pair of bugs that would allow an attacker to remotely crash a hidden service with an assertion failure. Anyone |
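Review bot: In the 0.3.1.4-alpha entry under "Major bugfixes (path selection, security)", the advisory identifier is wrapped mid-token as "TROVE-2017-" / "006", so a search of the ChangeLog for TROVE-2017-006 will not find the fix for bug 22753. Please rewrap so the ID sits on one line, the way TROVE-2017-008 and TROVE-2017-007 do elsewhere in this hunk. Two typos also need fixing before this lands: "loggging" in the 0.3.1.7 section header "Major bugfixes (security, hidden services, loggging)", and "could be cause by a specially crafted descriptor" in the 0.3.1.6-rc hidden service entry for bug 23233. In the 0.3.1.6-rc Windows service entry, the text names 0.2.1.16-rc as the first affected release while the trailer says "bugfix on 0.2.1.6-alpha". Please confirm which version is intended.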