Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 504 |
1 files changed, 503 insertions, 1 deletions
@@ -1,3 +1,505 @@ +Changes in version 0.4.3.8 - 2021-02-03 + Tor 0.4.3.8 backports numerous bugfixes from later releases, + including one that made v3 onion services more susceptible to + denial-of-service attacks, and a feature that makes some kinds of + DoS attacks harder to perform. + + Note that this is, in all likelihood, the last release of Tor 0.4.3.x, + which will reach end-of-life on 15 Feb 2021. + + o Major bugfixes (onion service v3, backport from 0.4.5.3-rc): + - Stop requiring a live consensus for v3 clients and services, and + allow a "reasonably live" consensus instead. This allows v3 onion + services to work even if the authorities fail to generate a + consensus for more than 2 hours in a row. Fixes bug 40237; bugfix + on 0.3.5.1-alpha. + + o Major bugfixes (stats, onion services, backport from 0.4.4.5): + - Fix a bug where we were undercounting the Tor network's total + onion service traffic, by ignoring any traffic originating from + clients. Now we count traffic from both clients and services. + Fixes bug 40117; bugfix on 0.2.6.2-alpha. + + o Major feature (exit, backport from 0.4.5.5-rc): + - Re-entry into the network is now denied at the Exit level to all + relays' ORPorts and authorities' ORPorts and DirPorts. This change + should help mitgate a set of denial-of-service attacks. Closes + ticket 2667. + + o Minor feature (build system, backport from 0.4.5.4-rc): + - New "make lsp" command to generate the compile_commands.json file + used by the ccls language server. The "bear" program is needed for + this. Closes ticket 40227. + + o Minor features (compilation, backport from 0.4.5.2-rc): + - Disable deprecation warnings when building with OpenSSL 3.0.0 or + later. There are a number of APIs newly deprecated in OpenSSL + 3.0.0 that Tor still requires. (A later version of Tor will try to + stop depending on these APIs.) Closes ticket 40165. + + o Minor features (crypto, backport from 0.4.5.3-rc): + - Fix undefined behavior on our Keccak library. 
The bug only + appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel) + and would result in wrong digests. Fixes bug 40210; bugfix on + 0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and + weasel for diagnosing this. + + o Minor bugfixes (compatibility, backport from 0.4.5.1-rc): + - Strip '\r' characters when reading text files on Unix platforms. + This should resolve an issue where a relay operator migrates a + relay from Windows to Unix, but does not change the line ending of + Tor's various state files to match the platform, and the CRLF line + endings from Windows end up leaking into other files such as the + extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5. + + o Minor bugfixes (compilation, backport from 0.4.5.1-rc): + - Resolve a compilation warning that could occur in + test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (compilation, backport from 0.4.5.3-rc): + - Fix a compilation warning about unreachable fallthrough + annotations when building with "--enable-all-bugs-are-fatal" on + some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha. + + o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc): + - Handle partial SOCKS5 messages correctly. Previously, our code + would send an incorrect error message if it got a SOCKS5 request + that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, backport from 0.4.5.2-alpha): + - Fix the `config/parse_tcp_proxy_line` test so that it works + correctly on systems where the DNS provider hijacks invalid + queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha. + - Fix our Python reference-implementation for the v3 onion service + handshake so that it works correctly with the version of hashlib + provided by Python 3.9. Fixes part of bug 40179; bugfix + on 0.3.1.6-rc. + - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL + 3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha. 
+ + +Changes in version 0.4.3.7 - 2020-11-12 + Tor 0.4.3.7 backports several bugfixes from later releases. It + includes a fix for TROVE-2020-005, a security issue that could be + used, under certain cases, by an adversary to observe traffic patterns + on a limited number of circuits intended for a different relay. + + Please be aware that support for the 0.4.3.x series will end on 15 + February 2021. Please upgrade to 0.4.4.x or 0.4.5.x before then, or + downgrade to 0.3.5.x, which will be supported until at least 1 + February 2022. + + o Major features (fallback directory list, backport form 0.4.4.3-alpha): + - Replace the 148 fallback directories originally included in Tor + 0.4.1.4-rc (of which around 105 are still functional) with a list + of 144 fallbacks generated in July 2020. Closes ticket 40061. + + o Major bugfixes (security, backport from 0.4.5.1-alpha): + - When completing a channel, relays now check more thoroughly to + make sure that it matches any pending circuits before attaching + those circuits. Previously, address correctness and Ed25519 + identities were not checked in this case, but only when extending + circuits on an existing channel. Fixes bug 40080; bugfix on + 0.2.7.2-alpha. Resolves TROVE-2020-005. + + o Major bugfixes (NSS, backport from 0.4.4.3-alpha): + - When running with NSS enabled, make sure that NSS knows to expect + nonblocking sockets. Previously, we set our TCP sockets as + nonblocking, but did not tell NSS, which in turn could lead to + unexpected blocking behavior. Fixes bug 40035; bugfix + on 0.3.5.1-alpha. + + o Minor features (security, backport from 0.4.4.4-rc): + - Channels using obsolete versions of the Tor link protocol are no + longer allowed to circumvent address-canonicity checks. (This is + only a minor issue, since such channels have no way to set ed25519 + keys, and therefore should always be rejected for circuits that + specify ed25519 identities.) Closes ticket 40081. 
+ + o Minor features (subprotocol versions, backport from 0.4.5.1-alpha): + - Tor no longer allows subprotocol versions larger than 63. + Previously version numbers up to UINT32_MAX were allowed, which + significantly complicated our code. Implements proposal 318; + closes ticket 40133. + + o Minor features (tests, backport from 0.4.4.5): + - Our "make check" target now runs the unit tests in 8 parallel + chunks. Doing this speeds up hardened CI builds by more than a + factor of two. Closes ticket 40098. + + o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha): + - Fix a rendezvous cache unit test that was triggering an underflow + on the global rend cache allocation. Fixes bug 40125; bugfix + on 0.2.8.1-alpha. + - Fix another rendezvous cache unit test that was triggering an + underflow on the global rend cache allocation. Fixes bug 40126; + bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc): + - Fix a correctness bug that could cause an assertion failure if we + ever tried using the buf_move_all() function with an empty input + buffer. As far as we know, no released versions of Tor do this. + Fixes bug 40076; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.5.1-alpha): + - Remove a debug logging statement that uselessly spammed the logs. + Fixes bug 40135; bugfix on 0.3.5.0-alpha. + + o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc): + - On a bridge, treat all connections from an ExtORPort as remote by + default for the purposes of rate-limiting. Previously, bridges + would treat the connection as local unless they explicitly + received a "USERADDR" command. ExtORPort connections still count + as local if there is a USERADDR command with an explicit local + address. Fixes bug 33747; bugfix on 0.2.5.1-alpha. 
+ + o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha): + - Avoid a fatal assert() when failing to create a listener + connection for an address that was in use. Fixes bug 40073; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha): + - Adjust the rules for when to warn about having too many + connections to other relays. Previously we'd tolerate up to 1.5 + connections per relay on average. Now we tolerate more connections + for directory authorities, and raise the number of total + connections we need to see before we warn. Fixes bug 33880; bugfix + on 0.3.1.1-alpha. + + o Minor bugfixes (tests, 0.4.4.5): + - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run + on its own. Previously, it would exit with an error. Fixes bug + 40099; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha): + - For HSFETCH commands on v2 onion services addresses, check the + length of bytes decoded, not the base32 length. Fixes bug 34400; + bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (windows, backport from 0.4.4.4-rc): + - Fix a bug that prevented Tor from starting if its log file grew + above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha. + + o Deprecated features (onion service v2, backport form 0.4.4.2-alpha): + - Add a deprecation warning for version 2 onion services. Closes + ticket 40003. + + o Removed features (backport from 0.4.4.3-alpha): + - Our "check-local" test target no longer tries to use the + Coccinelle semantic patching tool parse all the C files. While it + is a good idea to try to make sure Coccinelle works on our C + before we run a Coccinelle patch, doing so on every test run has + proven to be disruptive. You can still run this tool manually with + "make check-cocci". Closes ticket 40030. ticket 40030. 
+ + +Changes in version 0.4.3.6 - 2020-07-09 + Tor 0.4.3.6 backports several bugfixes from later releases, including + some affecting usability. + + This release also fixes TROVE-2020-001, a medium-severity denial of + service vulnerability affecting all versions of Tor when compiled with + the NSS encryption library. (This is not the default configuration.) + Using this vulnerability, an attacker could cause an affected Tor + instance to crash remotely. This issue is also tracked as CVE-2020- + 15572. Anybody running a version of Tor built with the NSS library + should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha + or later. + + o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha): + - Fix a crash due to an out-of-bound memory access when Tor is + compiled with NSS support. Fixes bug 33119; bugfix on + 0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001 + and CVE-2020-15572. + + o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha): + - Use the correct 64-bit printf format when compiling with MINGW on + Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha. + + o Minor bugfixes (client performance, backport from 0.4.4.1-alpha): + - Resume use of preemptively-built circuits when UseEntryGuards is set + to 0. We accidentally disabled this feature with that config + setting, leading to slower load times. Fixes bug 34303; bugfix + on 0.3.3.2-alpha. + + o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha): + - Fix a compiler warning on platforms with 32-bit time_t values. + Fixes bug 40028; bugfix on 0.3.2.8-rc. + + o Minor bugfixes (linux seccomp sandbox, nss, backport from 0.4.4.1-alpha): + - Fix a startup crash when tor is compiled with --enable-nss and + sandbox support is enabled. Fixes bug 34130; bugfix on + 0.3.5.1-alpha. Patch by Daniel Pinto. 
+ + o Minor bugfixes (logging, backport from 0.4.4.2-alpha): + - Downgrade a noisy log message that could occur naturally when + receiving an extrainfo document that we no longer want. Fixes bug + 16016; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (manual page, backport from 0.4.4.1-alpha): + - Update the man page to reflect that MinUptimeHidServDirectoryV2 + defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (onion service v3, backport from 0.4.4.1-alpha): + - Prevent an assert() that would occur when cleaning the client + descriptor cache, and attempting to close circuits for a non- + decrypted descriptor (lacking client authorization). Fixes bug + 33458; bugfix on 0.4.2.1-alpha. + + o Minor bugfixes (portability, backport from 0.4.4.1-alpha): + - Fix a portability error in the configure script, where we were + using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5. + + o Minor bugfixes (relays, backport from 0.4.4.1-alpha): + - Stop advertising incorrect IPv6 ORPorts in relay and bridge + descriptors, when the IPv6 port was configured as "auto". Fixes + bug 32588; bugfix on 0.2.3.9-alpha. + + o Documentation (backport from 0.4.4.1-alpha): + - Fix several doxygen warnings related to imbalanced groups. Closes + ticket 34255. + + +Changes in version 0.4.3.5 - 2020-05-15 + Tor 0.4.3.5 is the first stable release in the 0.4.3.x series. This + series adds support for building without relay code enabled, and + implements functionality needed for OnionBalance with v3 onion + services. It includes significant refactoring of our configuration and + controller functionality, and fixes numerous smaller bugs and + performance issues. + + Per our support policy, we support each stable release series for nine + months after its first stable release, or three months after the first + stable release of the next series: whichever is longer. 
This means + that 0.4.3.x will be supported until around February 2021--later, if + 0.4.4.x is later than anticipated. + + Note also that support for 0.4.1.x is about to end on May 20 of this + year; 0.4.2.x will be supported until September 15. We still plan to + continue supporting 0.3.5.x, our long-term stable series, until + Feb 2022. + + Below are the changes since 0.4.3.4-rc. For a complete list of changes + since 0.4.2.6, see the ReleaseNotes file. + + o Minor bugfixes (compiler compatibility): + - Avoid compiler warnings from Clang 10 related to the use of GCC- + style "/* falls through */" comments. Both Clang and GCC allow + __attribute__((fallthrough)) instead, so that's what we're using + now. Fixes bug 34078; bugfix on 0.3.1.3-alpha. + - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix + on 0.4.0.3-alpha. + + o Minor bugfixes (logging): + - Stop truncating IPv6 addresses and ports in channel and connection + logs. Fixes bug 33918; bugfix on 0.2.4.4-alpha. + - Fix a logic error in a log message about whether an address was + invalid. Previously, the code would never report that onion + addresses were onion addresses. Fixes bug 34131; bugfix + on 0.4.3.1-alpha. + + +Changes in version 0.4.3.4-rc - 2020-04-13 + Tor 0.4.3.4-rc is the first release candidate in its series. It fixes + several bugs from earlier versions, including one affecting DoS + defenses on bridges using pluggable transports. + + o Major bugfixes (DoS defenses, bridges, pluggable transport): + - Fix a bug that was preventing DoS defenses from running on bridges + with a pluggable transport. Previously, the DoS subsystem was not + given the transport name of the client connection, thus failed to + find the GeoIP cache entry for that client address. Fixes bug + 33491; bugfix on 0.3.3.2-alpha. + + o Minor feature (sendme, flow control): + - Default to sending SENDME version 1 cells. 
(Clients are already + sending these, because of a consensus parameter telling them to do + so: this change only affects what clients would do if the + consensus didn't contain a recommendation.) Closes ticket 33623. + + o Minor features (testing): + - The unit tests now support a "TOR_SKIP_TESTCASES" environment + variable to specify a list of space-separated test cases that + should not be executed. We will use this to disable certain tests + that are failing on Appveyor because of mismatched OpenSSL + libraries. Part of ticket 33643. + + o Minor bugfixes (--disable-module-relay): + - Fix an assertion failure when Tor is built without the relay + module, and then invoked with the "User" option. Fixes bug 33668; + bugfix on 0.4.3.1-alpha. + + o Minor bugfixes (--disable-module-relay,--disable-module-dirauth): + - Set some output arguments in the relay and dirauth module stubs, + to guard against future stub argument handling bugs like 33668. + Fixes bug 33674; bugfix on 0.4.3.1-alpha. + + o Minor bugfixes (build system): + - Correctly output the enabled module in the configure summary. + Before that, the list shown was just plain wrong. Fixes bug 33646; + bugfix on 0.4.3.2-alpha. + + o Minor bugfixes (client, IPv6): + - Stop forcing all non-SocksPorts to prefer IPv6 exit connections. + Instead, prefer IPv6 connections by default, but allow users to + change their configs using the "NoPreferIPv6" port flag. Fixes bug + 33608; bugfix on 0.4.3.1-alpha. + - Revert PreferIPv6 set by default on the SocksPort because it broke + the torsocks use case. Tor doesn't have a way for an application + to request the hostname to be resolved for a specific IP version, + but torsocks requires that. Up until now, IPv4 was used by default + so torsocks is expecting that, and can't handle a possible IPv6 + being returned. Fixes bug 33804; bugfix on 0.4.3.1-alpha. 
+ + o Minor bugfixes (key portability): + - When reading PEM-encoded key data, tolerate CRLF line-endings even + if we are not running on Windows. Previously, non-Windows hosts + would reject these line-endings in certain positions, making + certain key files hard to move from one host to another. Fixes bug + 33032; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (logging): + - Flush stderr, stdout, and file logs during shutdown, if supported + by the OS. This change helps make sure that any final logs are + recorded. Fixes bug 33087; bugfix on 0.4.1.6. + - Stop closing stderr and stdout during shutdown. Closing these file + descriptors can hide sanitiser logs. Fixes bug 33087; bugfix + on 0.4.1.6. + + o Minor bugfixes (onion services v3): + - Relax severity of a log message that can appear naturally when + decoding onion service descriptors as a relay. Also add some + diagnostics to debug any future bugs in that area. Fixes bug + 31669; bugfix on 0.3.0.1-alpha. + - Block a client-side assertion by disallowing the registration of + an x25519 client auth key that's all zeroes. Fixes bug 33545; + bugfix on 0.4.3.1-alpha. Based on patch from "cypherpunks". + + o Code simplification and refactoring: + - Disable our coding standards best practices tracker in our git + hooks. (0.4.3 branches only.) Closes ticket 33678. + + o Testing: + - Avoid conflicts between the fake sockets in tor's unit tests, and + real file descriptors. Resolves issues running unit tests with + GitHub Actions, where the process that embeds or launches the + tests has already opened a large number of file descriptors. Fixes + bug 33782; bugfix on 0.2.8.1-alpha. Found and fixed by + Putta Khunchalee. + + o Testing (CI): + - In our Appveyor Windows CI, copy required DLLs to test and app + directories, before running tor's tests. This ensures that tor.exe + and test*.exe use the correct version of each DLL. This fix is not + required, but we hope it will avoid DLL search issues in future. 
+ Fixes bug 33673; bugfix on 0.3.4.2-alpha. + - On Appveyor, skip the crypto/openssl_version test, which is + failing because of a mismatched library installation. Fix + for 33643. + + +Changes in version 0.4.3.3-alpha - 2020-03-18 + Tor 0.4.3.3-alpha fixes several bugs in previous releases, including + TROVE-2020-002, a major denial-of-service vulnerability that affected + all released Tor instances since 0.2.1.5-alpha. Using this + vulnerability, an attacker could cause Tor instances to consume a huge + amount of CPU, disrupting their operations for several seconds or + minutes. This attack could be launched by anybody against a relay, or + by a directory cache against any client that had connected to it. The + attacker could launch this attack as much as they wanted, thereby + disrupting service or creating patterns that could aid in traffic + analysis. This issue was found by OSS-Fuzz, and is also tracked + as CVE-2020-10592. + + We do not have reason to believe that this attack is currently being + exploited in the wild, but nonetheless we advise everyone to upgrade + as soon as packages are available. + + o Major bugfixes (security, denial-of-service): + - Fix a denial-of-service bug that could be used by anyone to + consume a bunch of CPU on any Tor relay or authority, or by + directories to consume a bunch of CPU on clients or hidden + services. Because of the potential for CPU consumption to + introduce observable timing patterns, we are treating this as a + high-severity security issue. Fixes bug 33119; bugfix on + 0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue + as TROVE-2020-002 and CVE-2020-10592. + + o Major bugfixes (circuit padding, memory leak): + - Avoid a remotely triggered memory leak in the case that a circuit + padding machine is somehow negotiated twice on the same circuit. + Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls. + This is also tracked as TROVE-2020-004 and CVE-2020-10593. 
+ + o Major bugfixes (directory authority): + - Directory authorities will now send a 503 (not enough bandwidth) + code to clients when under bandwidth pressure. Known relays and + other authorities will always be answered regardless of the + bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha. + + o Minor features (diagnostic): + - Improve assertions and add some memory-poisoning code to try to + track down possible causes of a rare crash (32564) in the EWMA + code. Closes ticket 33290. + + o Minor features (directory authorities): + - Directory authorities now reject descriptors from relays running + Tor versions from the 0.2.9 and 0.4.0 series. The 0.3.5 series is + still allowed. Resolves ticket 32672. Patch by Neel Chauhan. + + o Minor features (usability): + - Include more information when failing to parse a configuration + value. This should make it easier to tell what's going wrong when + a configuration file doesn't parse. Closes ticket 33460. + + o Minor bugfix (relay, configuration): + - Warn if the ContactInfo field is not set, and tell the relay + operator that not having a ContactInfo field set might cause their + relay to get rejected in the future. Fixes bug 33361; bugfix + on 0.1.1.10-alpha. + + o Minor bugfixes (coding best practices checks): + - Allow the "practracker" script to read unicode files when using + Python 2. We made the script use unicode literals in 0.4.3.1-alpha, + but didn't change the codec for opening files. Fixes bug 33374; + bugfix on 0.4.3.1-alpha. + + o Minor bugfixes (continuous integration): + - Remove the buggy and unused mirroring job. Fixes bug 33213; bugfix + on 0.3.2.2-alpha. + + o Minor bugfixes (onion service v3, client): + - Remove a BUG() warning that would cause a stack trace if an onion + service descriptor was freed while we were waiting for a + rendezvous circuit to complete. Fixes bug 28992; bugfix + on 0.3.2.1-alpha. 
+ + o Minor bugfixes (onion services v3): + - Fix an assertion failure that could result from a corrupted + ADD_ONION control port command. Found by Saibato. Fixes bug 33137; + bugfix on 0.3.3.1-alpha. This issue is also tracked + as TROVE-2020-003. + + o Documentation (manpage): + - Alphabetize the Server and Directory server sections of the tor + manpage. Also split Statistics options into their own section of + the manpage. Closes ticket 33188. Work by Swati Thacker as part of + Google Season of Docs. + - Document the __OwningControllerProcess torrc option and specify + its polling interval. Resolves issue 32971. + + o Testing (Travis CI): + - Remove a redundant distcheck job. Closes ticket 33194. + - Sort the Travis jobs in order of speed: putting the slowest jobs + first takes full advantage of Travis job concurrency. Closes + ticket 33194. + - Stop allowing the Chutney IPv6 Travis job to fail. This job was + previously configured to fast_finish (which requires + allow_failure), to speed up the build. Closes ticket 33195. + - When a Travis chutney job fails, use chutney's new "diagnostics.sh" + tool to produce detailed diagnostic output. Closes ticket 32792. + + Changes in version 0.4.3.2-alpha - 2020-02-10 This is the second stable alpha release in the Tor 0.4.3.x series. It fixes several bugs present in the previous alpha release. Anybody @@ -415,7 +917,7 @@ Changes in version 0.4.3.1-alpha - 2020-01-22 o Minor bugfixes (controller): - In routerstatus_has_changed(), check all the fields that are output over the control port. Fixes bug 20218; bugfix - on 0.1.1.11-alpha + on 0.1.1.11-alpha. o Minor bugfixes (correctness checks): - Use GCC/Clang's printf-checking feature to make sure that |
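Review bot: In the first hunk (`@@ -1,3 +1,505 @@`), the "Removed features (backport from 0.4.4.3-alpha)" entry under 0.4.3.7 ends with a duplicated fragment, "Closes ticket 40030. ticket 40030.", and the same sentence is missing a word: "tries to use the Coccinelle semantic patching tool parse all the C files" should read "tool to parse all the C files". Several section headers also need a pass: "backport form 0.4.4.3-alpha" and "backport form 0.4.4.2-alpha" (form → from), "o Minor bugfixes (tests, 0.4.4.5):" lacks the "backport from" wording every other backported header uses, and "mitgate" in the 0.4.3.8 exit feature should be "mitigate". Two consistency points worth checking before this lands: the 0.4.3.6 NSS out-of-bounds entry (TROVE-2020-001, CVE-2020-15572, bugfix on 0.3.5.1-alpha) and the 0.4.3.3-alpha CPU denial-of-service entry (TROVE-2020-002, CVE-2020-10592, bugfix on 0.2.1.5-alpha) both cite "Fixes bug 33119", which cannot both be right for two distinct issues with different origin versions; and the "Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha)" section contains only "Fixes bug ..." items, so it belongs under "Minor bugfixes" per the file's own convention.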
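Review bot: The second hunk (`@@ -415,7 +917,7 @@`) only adds the missing trailing period to "on 0.1.1.11-alpha" in the 0.4.3.1-alpha controller entry; the fix is correct, but it is unrelated to the release-notes additions above it and would be cleaner as its own commit so that the ChangeLog history for 0.4.3.1-alpha is not mixed into the 0.4.3.8 release entry.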