aboutsummaryrefslogtreecommitdiff
path: root/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog488
1 files changed, 488 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 11d1479fcd..f5e6c01f82 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,491 @@
+Changes in version 0.4.6.12 - 2022-08-12
+ This version updates the geoip cache that we generate from IPFire location
+ database to use the August 9th, 2022 one. Everyone MUST update to this
+ latest release else circuit path selection and relay metrics are badly
+ affected.
+
+ o Major bugfixes (geoip data):
+ - IPFire informed us on August 12th that databases generated after
+ (including) August 10th did not have proper ARIN network allocations. We
+ are updating the database to use the one generated on August 9th, 2022.
+ Fixes bug 40658; bugfix on 0.4.6.11.
+
+
+Changes in version 0.4.6.11 - 2022-08-11
+ This version contains two major fixes aimed at reducing memory pressure on
+ relays and possible side-channel. The rest of the fixes were backported for
+ stability or safety purposes.
+
+ This is the very LAST version of this series. As of August 1st 2022, it is
+ end-of-life (EOL). We thus strongly recommend to upgrade to the latest
+ stable of the 0.4.7.x series.
+
+ o Major bugfixes (relay):
+ - Remove OR connections btrack subsystem entries when the connections
+ close normally. Before this, we would only remove the entry on error and
+ thus leaking memory for each normal OR connections. Fixes bug 40604;
+ bugfix on 0.4.0.1-alpha.
+ - Stop sending TRUNCATED cell and instead close the circuit from which we
+ received a DESTROY cell. This makes every relay in the circuit path to
+ stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on August 11, 2022.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/08/11.
+
+ o Minor features (linux seccomp2 sandbox):
+ - Permit the clone3 syscall, which is apparently used in glibc-2.34
+ and later. Closes ticket 40590.
+
+ o Minor bugfixes (controller, path bias):
+ - When a circuit's path is specified, in full or in part, from the
+ controller API, do not count that circuit towards our path-bias
+ calculations. (Doing so was incorrect, since we cannot tell
+ whether the controller is selecting relays randomly.) Resolves a
+ "Bug" warning. Fixes bug 40515; bugfix on 0.2.4.10-alpha.
+
+ o Minor bugfixes (defense in depth):
+ - Change a test in the netflow padding code to make it more
+ _obviously_ safe against remotely triggered crashes. (It was safe
+ against these before, but not obviously so.) Fixes bug 40645;
+ bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (linux seccomp2 sandbox):
+ - Allow the rseq system call in the sandbox. This solves a crash
+ issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
+ 40601; bugfix on 0.3.5.11.
+
+ o Minor bugfixes (metrics port, onion service):
+ - The MetricsPort line for an onion service with multiple ports are now
+ unique that is one line per port. Before this, all ports of an onion
+ service would be on the same line which violates the Prometheus rules of
+ unique labels. Fixes bug 40581; bugfix on 0.4.5.1-alpha.
+
+ o Minor bugfixes (onion service, client):
+ - Fix a fatal assert due to a guard subsystem recursion triggered by
+ the onion service client. Fixes bug 40579; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (performance, DoS):
+ - Fix one case of a not-especially viable denial-of-service attack
+ found by OSS-Fuzz in our consensus-diff parsing code. This attack
+ causes a lot small of memory allocations and then immediately
+ frees them: this is only slow when running with all the sanitizers
+ enabled. Fixes one case of bug 40472; bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (relay):
+ - Do not propagate either forward or backward a DESTROY remote reason when
+ closing a circuit in order to avoid a possible side channel. Fixes bug
+ 40649; bugfix on 0.1.2.4-alpha.
+
+
+Changes in version 0.4.6.10 - 2022-02-04
+ This version contains minor bugfixes but one in particular is that relays
+ don't advertise onion service v2 support at the protocol version level.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on February 04, 2022.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2022/02/04.
+
+ o Minor bugfix (logging):
+ - Update a log notice dead URL to a working one. Fixes bug 40544;
+ bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfix (relay):
+ - Remove the HSDir and HSIntro onion service v2 protocol versions so
+ relay stop advertising that they support them. Fixes bug 40509;
+ bugfix on 0.3.5.17.
+
+ o Minor bugfixes (MetricsPort, Prometheus):
+ - Add double quotes to the label values of the onion service
+ metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha.
+
+
+Changes in version 0.4.6.9 - 2021-12-15
+ This version fixes several bugs from earlier versions of Tor. One important
+ piece is the removal of DNS timeout metric from the overload general signal.
+ See below for more details.
+
+ o Major bugfixes (relay, overload):
+ - Don't make Tor DNS timeout trigger an overload general state.
+ These timeouts are different from DNS server timeout. They have to
+ be seen as timeout related to UX and not because of a network
+ problem. Fixes bug 40527; bugfix on 0.4.6.1-alpha.
+
+ o Minor feature (reproducible build):
+ - The repository can now build reproducible tarballs which adds the
+ build command "make dist-reprod" for that purpose. Closes
+ ticket 26299.
+
+ o Minor features (compilation):
+ - Give an error message if trying to build with a version of
+ LibreSSL known not to work with Tor. (There's an incompatibility
+ with LibreSSL versions 3.2.1 through 3.4.0 inclusive because of
+ their incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.) Closes
+ ticket 40511.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories generated on December 15, 2021.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2021/12/15.
+
+ o Minor bugfixes (compilation):
+ - Fix our configuration logic to detect whether we had OpenSSL 3:
+ previously, our logic was reversed. This has no other effect than
+ to change whether we suppress deprecated API warnings. Fixes bug
+ 40429; bugfix on 0.3.5.13.
+
+ o Minor bugfixes (relay):
+ - Reject IPv6-only DirPorts. Our reachability self-test forces
+ DirPorts to be IPv4, but our configuration parser allowed them to
+ be IPv6-only, which led to an assertion failure. Fixes bug 40494;
+ bugfix on 0.4.5.1-alpha.
+
+ o Documentation (man, relay):
+ - Missing "OverloadStatistics" in tor.1 manpage. Fixes bug 40504;
+ bugfix on 0.4.6.1-alpha.
+
+
+Changes in version 0.4.6.8 - 2021-10-26
+ This version fixes several bugs from earlier versions of Tor. One
+ highlight is a fix on how we track DNS timeouts to report general
+ relay overload.
+
+ o Major bugfixes (relay, overload state):
+ - Relays report the general overload state for DNS timeout errors
+ only if X% of all DNS queries over Y seconds are errors. Before
+ that, it only took 1 timeout to report the overload state which
+ was just too low of a threshold. The X and Y values are 1% and 10
+ minutes respectively but they are also controlled by consensus
+ parameters. Fixes bug 40491; bugfix on 0.4.6.1-alpha.
+
+ o Minor features (fallbackdir):
+ - Regenerate fallback directories for October 2021. Closes
+ ticket 40493.
+
+ o Minor features (testing):
+ - On a testing network, relays can now use the
+ TestingMinTimeToReportBandwidth option to change the smallest
+ amount of time over which they're willing to report their observed
+ maximum bandwidth. Previously, this was fixed at 1 day. For
+ safety, values under 2 hours are only supported on testing
+ networks. Part of a fix for ticket 40337.
+ - Relays on testing networks no longer rate-limit how frequently
+ they are willing to report new bandwidth measurements. Part of a
+ fix for ticket 40337.
+ - Relays on testing networks now report their observed bandwidths
+ immediately from startup. Previously, they waited until they had
+ been running for a full day. Closes ticket 40337.
+
+ o Minor bugfix (onion service):
+ - Do not flag an HSDir as non-running in case the descriptor upload
+ or fetch fails. An onion service closes pending directory
+ connections before uploading a new descriptor which can thus lead
+ to wrongly flagging many relays and thus affecting circuit building
+ path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
+ - Improve logging when a bad HS version is given. Fixes bug 40476;
+ bugfix on 0.4.6.1-alpha.
+
+ o Minor bugfix (CI, onion service):
+ - Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
+ bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfixes (compatibility):
+ - Fix compatibility with the most recent Libevent versions, which no
+ longer have an evdns_set_random_bytes() function. Because this
+ function has been a no-op since Libevent 2.0.4-alpha, it is safe
+ for us to just stop calling it. Fixes bug 40371; bugfix
+ on 0.2.1.7-alpha.
+
+ o Minor bugfixes (onion service, TROVE-2021-008):
+ - Only log v2 access attempts once total, in order to not pollute
+ the logs with warnings and to avoid recording the times on disk
+ when v2 access was attempted. Note that the onion address was
+ _never_ logged. This counts as a Low-severity security issue.
+ Fixes bug 40474; bugfix on 0.4.5.8.
+
+
+Changes in version 0.4.6.7 - 2021-08-16
+ This version fixes several bugs from earlier versions of Tor,
+ including one that could lead to a denial-of-service attack. Everyone
+ running an earlier version, whether as a client, a relay, or an onion
+ service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
+
+ o Major bugfixes (cryptography, security):
+ - Resolve an assertion failure caused by a behavior mismatch between
+ our batch-signature verification code and our single-signature
+ verification code. This assertion failure could be triggered
+ remotely, leading to a denial of service attack. We fix this issue
+ by disabling batch verification. Fixes bug 40078; bugfix on
+ 0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
+ CVE-2021-38385. Found by Henry de Valence.
+
+ o Minor feature (fallbackdir):
+ - Regenerate fallback directories list. Close ticket 40447.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2021/08/12.
+
+ o Minor bugfix (crypto):
+ - Disable the unused batch verification feature of ed25519-donna.
+ Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry
+ de Valence.
+
+ o Minor bugfixes (onion service):
+ - Send back the extended SOCKS error 0xF6 (Onion Service Invalid
+ Address) for a v2 onion address. Fixes bug 40421; bugfix
+ on 0.4.6.2-alpha.
+
+ o Minor bugfixes (relay):
+ - Reduce the compression level for data streaming from HIGH to LOW
+ in order to reduce CPU load on the directory relays. Fixes bug
+ 40301; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (timekeeping):
+ - Calculate the time of day correctly on systems where the time_t
+ type includes leap seconds. (This is not the case on most
+ operating systems, but on those where it occurs, our tor_timegm
+ function did not correctly invert the system's gmtime function,
+ which could result in assertion failures when calculating voting
+ schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.
+
+
+Changes in version 0.4.6.6 - 2021-06-30
+ Tor 0.4.6.6 makes several small fixes on 0.4.6.5, including one that
+ allows Tor to build correctly on older versions of GCC. You should
+ upgrade to this version if you were having trouble building Tor
+ 0.4.6.5; otherwise, there is probably no need.
+
+ o Minor bugfixes (compilation):
+ - Fix a compilation error when trying to build Tor with a compiler
+ that does not support const variables in static initializers.
+ Fixes bug 40410; bugfix on 0.4.6.5.
+ - Suppress a strict-prototype warning when building with some
+ versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (testing):
+ - Enable the deterministic RNG for unit tests that covers the
+ address set bloomfilter-based API's. Fixes bug 40419; bugfix
+ on 0.3.3.2-alpha.
+
+
+Changes in version 0.4.6.5 - 2021-06-14
+ Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x
+ series includes numerous features and bugfixes, including a significant
+ improvement to our circuit timeout algorithm that should improve
+ observed client performance, and a way for relays to report when they are
+ overloaded.
+
+ This release also includes security fixes for several security issues,
+ including a denial-of-service attack against onion service clients,
+ and another denial-of-service attack against relays. Everybody should
+ upgrade to one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
+
+ Below are the changes since 0.4.6.4-rc. For a complete list of changes
+ since 0.4.5.8, see the ReleaseNotes file.
+
+ o Major bugfixes (security):
+ - Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
+ half-closed streams. Previously, clients failed to validate which
+ hop sent these cells: this would allow a relay on a circuit to end
+ a stream that wasn't actually built with it. Fixes bug 40389;
+ bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
+ 003 and CVE-2021-34548.
+
+ o Major bugfixes (security, defense-in-depth):
+ - Detect more failure conditions from the OpenSSL RNG code.
+ Previously, we would detect errors from a missing RNG
+ implementation, but not failures from the RNG code itself.
+ Fortunately, it appears those failures do not happen in practice
+ when Tor is using OpenSSL's default RNG implementation. Fixes bug
+ 40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
+ TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
+
+ o Major bugfixes (security, denial of service):
+ - Resist a hashtable-based CPU denial-of-service attack against
+ relays. Previously we used a naive unkeyed hash function to look
+ up circuits in a circuitmux object. An attacker could exploit this
+ to construct circuits with chosen circuit IDs, to create
+ collisions and make the hash table inefficient. Now we use a
+ SipHash construction here instead. Fixes bug 40391; bugfix on
+ 0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
+ CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
+ - Fix an out-of-bounds memory access in v3 onion service descriptor
+ parsing. An attacker could exploit this bug by crafting an onion
+ service descriptor that would crash any client that tried to visit
+ it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
+ tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
+ Glazunov from Google's Project Zero.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2021/06/10.
+
+ o Minor features (logging, diagnostic):
+ - Log decompression failures at a higher severity level, since they
+ can help provide missing context for other warning messages. We
+ rate-limit these messages, to avoid flooding the logs if they
+ begin to occur frequently. Closes ticket 40175.
+
+
+Changes in version 0.4.6.4-rc - 2021-05-28
+ Tor 0.4.6.4-rc fixes a few bugs from previous releases. This, we hope,
+ the final release candidate in its series: unless major new issues are
+ found, the next release will be stable.
+
+ o Minor features (compatibility):
+ - Remove an assertion function related to TLS renegotiation. It was
+ used nowhere outside the unit tests, and it was breaking
+ compilation with recent alpha releases of OpenSSL 3.0.0. Closes
+ ticket 40399.
+
+ o Minor bugfixes (consensus handling):
+ - Avoid a set of bugs that could be caused by inconsistently
+ preferring an out-of-date consensus stored in a stale directory
+ cache over a more recent one stored on disk as the latest
+ consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha.
+
+ o Minor bugfixes (control, sandbox):
+ - Allow the control command SAVECONF to succeed when the seccomp
+ sandbox is enabled, and make SAVECONF keep only one backup file to
+ simplify implementation. Previously SAVECONF allowed a large
+ number of backup files, which made it incompatible with the
+ sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by
+ Daniel Pinto.
+
+ o Minor bugfixes (metrics port):
+ - Fix a bug that made tor try to re-bind() on an already open
+ MetricsPort every 60 seconds. Fixes bug 40370; bugfix
+ on 0.4.5.1-alpha.
+
+ o Removed features:
+ - Remove unneeded code for parsing private keys in directory
+ documents. This code was only used for client authentication in v2
+ onion services, which are now unsupported. Closes ticket 40374.
+
+
+Changes in version 0.4.5.8 - 2021-05-10
+ Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
+ from the 0.4.6.x series.
+
+ o Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc):
+ - Add a workaround to enable the Linux sandbox to work correctly
+ with Glibc 2.33. This version of Glibc has started using the
+ fstatat() system call, which previously our sandbox did not allow.
+ Closes ticket 40382; see the ticket for a discussion of trade-offs.
+
+ o Minor features (compilation, backport from 0.4.6.3-rc):
+ - Make the autoconf script build correctly with autoconf versions
+ 2.70 and later. Closes part of ticket 40335.
+
+ o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
+ - Regenerate the list of fallback directories to contain a new set
+ of 200 relays. Closes ticket 40265.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2021/05/07.
+
+ o Minor features (onion services):
+ - Add warning message when connecting to now deprecated v2 onion
+ services. As announced, Tor 0.4.5.x is the last series that will
+ support v2 onions. Closes ticket 40373.
+
+ o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
+ - Fix a regression that made it impossible start Tor using a bridge
+ line with a transport name and no fingerprint. Fixes bug 40360;
+ bugfix on 0.4.5.4-rc.
+
+ o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
+ - Allow a custom "ar" for cross-compilation. Our previous build
+ script had used the $AR environment variable in most places, but
+ it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
+
+ o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
+ - Fix a non-fatal BUG() message due to a too-early free of a string,
+ when listing a client connection from the DoS defenses subsystem.
+ Fixes bug 40345; bugfix on 0.4.3.4-rc.
+
+ o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
+ - Fix an indentation problem that led to a warning from GCC 11.1.1.
+ Fixes bug 40380; bugfix on 0.3.0.1-alpha.
+
+ o Minor bugfixes (controller, backport from 0.4.6.1-alpha):
+ - Fix a "BUG" warning that would appear when a controller chooses
+ the first hop for a circuit, and that circuit completes. Fixes bug
+ 40285; bugfix on 0.3.2.1-alpha.
+
+ o Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc):
+ - Fix a bug where an expired cached descriptor could get overwritten
+ with a new one without freeing it, leading to a memory leak. Fixes
+ bug 40356; bugfix on 0.3.5.1-alpha.
+
+ o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
+ - Fix pattern-matching errors when patterns expand to invalid paths
+ on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
+ Daniel Pinto.
+
+
+Changes in version 0.4.6.3-rc - 2021-05-10
+ Tor 0.4.6.3-rc is the first release candidate in its series. It fixes
+ a few small bugs from previous versions, and adds a better error
+ message when trying to use (no longer supported) v2 onion services.
+
+ Though we anticipate that we'll be doing a bit more clean-up between
+ now and the stable release, we expect that our remaining changes will
+ be fairly simple. There will likely be at least one more release
+ candidate before 0.4.6.x is stable.
+
+ o Major bugfixes (onion service, control port):
+ - Make the ADD_ONION command properly configure client authorization.
+ Before this fix, the created onion failed to add the client(s).
+ Fixes bug 40378; bugfix on 0.4.6.1-alpha.
+
+ o Minor features (compatibility, Linux seccomp sandbox):
+ - Add a workaround to enable the Linux sandbox to work correctly
+ with Glibc 2.33. This version of Glibc has started using the
+ fstatat() system call, which previously our sandbox did not allow.
+ Closes ticket 40382; see the ticket for a discussion of trade-offs.
+
+ o Minor features (compilation):
+ - Make the autoconf script build correctly with autoconf versions
+ 2.70 and later. Closes part of ticket 40335.
+
+ o Minor features (geoip data):
+ - Update the geoip files to match the IPFire Location Database, as
+ retrieved on 2021/05/07.
+
+ o Minor features (onion services):
+ - Add a warning message when trying to connect to (no longer
+ supported) v2 onion services. Closes ticket 40373.
+
+ o Minor bugfixes (build, cross-compilation):
+ - Allow a custom "ar" for cross-compilation. Our previous build
+ script had used the $AR environment variable in most places, but
+ it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
+
+ o Minor bugfixes (compiler warnings):
+ - Fix an indentation problem that led to a warning from GCC 11.1.1.
+ Fixes bug 40380; bugfix on 0.3.0.1-alpha.
+
+ o Minor bugfixes (logging, relay):
+ - Emit a warning if an Address is found to be internal and tor can't
+ use it. Fixes bug 40290; bugfix on 0.4.5.1-alpha.
+
+ o Minor bugfixes (onion service, client, memory leak):
+ - Fix a bug where an expired cached descriptor could get overwritten
+ with a new one without freeing it, leading to a memory leak. Fixes
+ bug 40356; bugfix on 0.3.5.1-alpha.
+
+
Changes in version 0.4.6.2-alpha - 2021-04-15
Tor 0.4.6.2-alpha is the second alpha in its series. It fixes several
small bugs in previous releases, and solves other issues that had
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion