Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 2518 |
1 files changed, 2492 insertions, 26 deletions
@@ -1,4 +1,2463 @@ -Changes in version 0.2.9.5-rc - 2016-1?-?? +Changes in version 0.3.1.3-alpha - 2017-06-08 + Tor 0.3.1.3-alpha fixes a pair of bugs that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-004 and TROVE-2017-005. + + Tor 0.3.1.3-alpha also includes fixes for several key management bugs + that sometimes made relays unreliable, as well as several other + bugfixes described below. + + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure when a hidden service + handles a malformed BEGIN cell. Fixes bug 22493, tracked as + TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha. + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Major bugfixes (relay, link handshake): + - When performing the v3 link handshake on a TLS connection, report + that we have the x509 certificate that we actually used on that + connection, even if we have changed certificates since that + connection was first opened. Previously, we would claim to have + used our most recent x509 link certificate, which would sometimes + make the link handshake fail. Fixes one case of bug 22460; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (relays, key management): + - Regenerate link and authentication certificates whenever the key + that signs them changes; also, regenerate link certificates + whenever the signed key changes. Previously, these processes were + only weakly coupled, and we relays could (for minutes to hours) + wind up with an inconsistent set of keys and certificates, which + other relays would not accept. Fixes two cases of bug 22460; + bugfix on 0.3.0.1-alpha. 
+ - When sending an Ed25519 signing->link certificate in a CERTS cell, + send the certificate that matches the x509 certificate that we + used on the TLS connection. Previously, there was a race condition + if the TLS context rotated after we began the TLS handshake but + before we sent the CERTS cell. Fixes a case of bug 22460; bugfix + on 0.3.0.1-alpha. + + o Major bugfixes (torrc, crash): + - Fix a crash bug when using %include in torrc. Fixes bug 22417; + bugfix on 0.3.1.1-alpha. Patch by Daniel Pinto. + + o Minor features (code style): + - Add "Falls through" comments to our codebase, in order to silence + GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas + Stieger. Closes ticket 22446. + + o Minor features (diagnostic): + - Add logging messages to try to diagnose a rare bug that seems to + generate RSA->Ed25519 cross-certificates dated in the 1970s. We + think this is happening because of incorrect system clocks, but + we'd like to know for certain. Diagnostic for bug 22466. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + o Minor bugfixes (directory protocol): + - Check for libzstd >= 1.1, because older versions lack the + necessary streaming API. Fixes bug 22413; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (link handshake): + - Lower the lifetime of the RSA->Ed25519 cross-certificate to six + months, and regenerate it when it is within one month of expiring. + Previously, we had generated this certificate at startup with a + ten-year lifetime, but that could lead to weird behavior when Tor + was started with a grossly inaccurate clock. Mitigates bug 22466; + mitigation on 0.3.0.1-alpha. + + o Minor bugfixes (storage directories): + - Always check for underflows in the cached storage directory usage. + If the usage does underflow, re-calculate it. Also, avoid a + separate underflow when the usage is not known. 
Fixes bug 22424; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (unit tests): + - The unit tests now pass on systems where localhost is misconfigured + to some IPv4 address other than 127.0.0.1. Fixes bug 6298; bugfix + on 0.0.9pre2. + + o Documentation: + - Clarify the manpage for the (deprecated) torify script. Closes + ticket 6892. + +Changes in version 0.3.0.8 - 2017-06-08 + Tor 0.3.0.8 fixes a pair of bugs that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-004 and TROVE-2017-005. + + Tor 0.3.0.8 also includes fixes for several key management bugs + that sometimes made relays unreliable, as well as several other + bugfixes described below. + + o Major bugfixes (hidden service, relay, security, backport + from 0.3.1.3-alpha): + - Fix a remotely triggerable assertion failure when a hidden service + handles a malformed BEGIN cell. Fixes bug 22493, tracked as + TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha. + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha): + - When performing the v3 link handshake on a TLS connection, report + that we have the x509 certificate that we actually used on that + connection, even if we have changed certificates since that + connection was first opened. Previously, we would claim to have + used our most recent x509 link certificate, which would sometimes + make the link handshake fail. Fixes one case of bug 22460; bugfix + on 0.2.3.6-alpha. 
+ + o Major bugfixes (relays, key management, backport from 0.3.1.3-alpha): + - Regenerate link and authentication certificates whenever the key + that signs them changes; also, regenerate link certificates + whenever the signed key changes. Previously, these processes were + only weakly coupled, and we relays could (for minutes to hours) + wind up with an inconsistent set of keys and certificates, which + other relays would not accept. Fixes two cases of bug 22460; + bugfix on 0.3.0.1-alpha. + - When sending an Ed25519 signing->link certificate in a CERTS cell, + send the certificate that matches the x509 certificate that we + used on the TLS connection. Previously, there was a race condition + if the TLS context rotated after we began the TLS handshake but + before we sent the CERTS cell. Fixes a case of bug 22460; bugfix + on 0.3.0.1-alpha. + + o Major bugfixes (hidden service v3, backport from 0.3.1.1-alpha): + - Stop rejecting v3 hidden service descriptors because their size + did not match an old padding rule. Fixes bug 22447; bugfix on + tor-0.3.0.1-alpha. + + o Minor features (fallback directory list, backport from 0.3.1.3-alpha): + - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in + December 2016 (of which ~126 were still functional) with a list of + 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May + 2017. Resolves ticket 21564. + + o Minor bugfixes (configuration, backport from 0.3.1.1-alpha): + - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes + bug 22252; bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (correctness, backport from 0.3.1.3-alpha): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + o Minor bugfixes (link handshake, backport from 0.3.1.3-alpha): + - Lower the lifetime of the RSA->Ed25519 cross-certificate to six + months, and regenerate it when it is within one month of expiring. 
+ Previously, we had generated this certificate at startup with a + ten-year lifetime, but that could lead to weird behavior when Tor + was started with a grossly inaccurate clock. Mitigates bug 22466; + mitigation on 0.3.0.1-alpha. + + o Minor bugfixes (memory leak, directory authority, backport from + 0.3.1.2-alpha): + - When directory authorities reject a router descriptor due to + keypinning, free the router descriptor rather than leaking the + memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha. + + +Changes in version 0.2.9.11 - 2017-06-08 + Tor 0.2.9.11 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) + + Tor 0.2.9.11 also backports fixes for several key management bugs + that sometimes made relays unreliable, as well as several other + bugfixes described below. + + o Major bugfixes (hidden service, relay, security, backport + from 0.3.1.3-alpha): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha): + - When performing the v3 link handshake on a TLS connection, report + that we have the x509 certificate that we actually used on that + connection, even if we have changed certificates since that + connection was first opened. Previously, we would claim to have + used our most recent x509 link certificate, which would sometimes + make the link handshake fail. Fixes one case of bug 22460; bugfix + on 0.2.3.6-alpha. 
+ + o Minor features (fallback directory list, backport from 0.3.1.3-alpha): + - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in + December 2016 (of which ~126 were still functional) with a list of + 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May + 2017. Resolves ticket 21564. + + o Minor features (future-proofing, backport from 0.3.0.7): + - Tor no longer refuses to download microdescriptors or descriptors if + they are listed as "published in the future". This change will + eventually allow us to stop listing meaningful "published" dates + in microdescriptor consensuses, and thereby allow us to reduce the + resources required to download consensus diffs by over 50%. + Implements part of ticket 21642; implements part of proposal 275. + + o Minor features (directory authorities, backport from 0.3.0.4-rc) + - Directory authorities now reject relays running versions + 0.2.9.1-alpha through 0.2.9.4-alpha, because those relays + suffer from bug 20499 and don't keep their consensus cache + up-to-date. Resolves ticket 20509. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (control port, backport from 0.3.0.6): + - The GETINFO extra-info/digest/<digest> command was broken because + of a wrong base16 decode return value check, introduced when + refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (correctness, backport from 0.3.1.3-alpha): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.0.7): + - The getpid() system call is now permitted under the Linux seccomp2 + sandbox, to avoid crashing with versions of OpenSSL (and other + libraries) that attempt to learn the process's PID by using the + syscall rather than the VDSO code. Fixes bug 21943; bugfix + on 0.2.5.1-alpha. 
+ + o Minor bugfixes (memory leak, directory authority, backport + from 0.3.1.2-alpha): + - When directory authorities reject a router descriptor due to + keypinning, free the router descriptor rather than leaking the + memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha. + +Changes in version 0.2.8.14 - 2017-06-08 + Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) + + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor features (fallback directory list, backport from 0.3.1.3-alpha): + - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in + December 2016 (of which ~126 were still functional) with a list of + 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May + 2017. Resolves ticket 21564. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + +Changes in version 0.2.7.8 - 2017-06-08 + Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) 
+ + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + +Changes in version 0.2.6.12 - 2017-06-08 + Tor 0.2.6.12 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) + + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + +Changes in version 0.2.5.14 - 2017-06-08 + Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) 
+ + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + +Changes in version 0.2.4.29 - 2017-06-08 + Tor 0.2.4.29 backports a fix for a bug that would allow an attacker to + remotely crash a hidden service with an assertion failure. Anyone + running a hidden service should upgrade to this version, or to some + other version with fixes for TROVE-2017-005. (Versions before 0.3.0 + are not affected by TROVE-2017-004.) + + o Major bugfixes (hidden service, relay, security): + - Fix a remotely triggerable assertion failure caused by receiving a + BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug + 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix + on 0.2.2.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (correctness): + - Avoid undefined behavior when parsing IPv6 entries from the geoip6 + file. Fixes bug 22490; bugfix on 0.2.4.6-alpha. + + +Changes in version 0.3.1.2-alpha - 2017-05-26 + Tor 0.3.1.2-alpha is the second release in the 0.3.1.x series. It + fixes a few bugs found while testing 0.3.1.1-alpha, including a + memory corruption bug that affected relay stability. + + o Major bugfixes (crash, relay): + - Fix a memory-corruption bug in relays that set MyFamily. + Previously, they would double-free MyFamily elements when making + the next descriptor or when changing their configuration. Fixes + bug 22368; bugfix on 0.3.1.1-alpha. 
+ + o Minor bugfixes (logging): + - Log a better message when a directory authority replies to an + upload with an unexpected status code. Fixes bug 11121; bugfix + on 0.1.0.1-rc. + + o Minor bugfixes (memory leak, directory authority): + - When directory authorities reject a router descriptor due to + keypinning, free the router descriptor rather than leaking the + memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha. + + +Changes in version 0.3.1.1-alpha - 2017-05-22 + Tor 0.3.1.1-alpha is the first release in the 0.3.1.x series. It + reduces the bandwidth usage for Tor's directory protocol, adds some + basic padding to resist netflow-based traffic analysis and to serve as + the basis of other padding in the future, and adds rust support to the + build system. + + It also contains numerous other small features and improvements to + security, correctness, and performance. + + Below are the changes since 0.3.0.7. + + o Major features (directory protocol): + - Tor relays and authorities can now serve clients an abbreviated + version of the consensus document, containing only the changes + since an older consensus document that the client holds. Clients + now request these documents when available. When both client and + server use this new protocol, they will use far less bandwidth (up + to 94% less) to keep the client's consensus up-to-date. Implements + proposal 140; closes ticket 13339. Based on work by Daniel MartÃ. + - Tor can now compress directory traffic with lzma or with zstd + compression algorithms, which can deliver better bandwidth + performance. Because lzma is computationally expensive, it's only + used for documents that can be compressed once and served many + times. Support for these algorithms requires that tor is built + with the libzstd and/or liblzma libraries available. Implements + proposal 278; closes ticket 21662. + - Relays now perform the more expensive compression operations, and + consensus diff generation, in worker threads. 
This separation + avoids delaying the main thread when a new consensus arrives. + + o Major features (experimental): + - Tor can now build modules written in Rust. To turn this on, pass + the "--enable-rust" flag to the configure script. It's not time to + get excited yet: currently, there is no actual Rust functionality + beyond some simple glue code, and a notice at startup to tell you + that Rust is running. Still, we hope that programmers and + packagers will try building Tor with Rust support, so that we can + find issues and solve portability problems. Closes ticket 22106. + + o Major features (traffic analysis resistance): + - Connections between clients and relays now send a padding cell in + each direction every 1.5 to 9.5 seconds (tunable via consensus + parameters). This padding will not resist specialized + eavesdroppers, but it should be enough to make many ISPs' routine + network flow logging less useful in traffic analysis against + Tor users. + + Padding is negotiated using Tor's link protocol, so both relays + and clients must upgrade for this to take effect. Clients may + still send padding despite the relay's version by setting + ConnectionPadding 1 in torrc, and may disable padding by setting + ConnectionPadding 0 in torrc. Padding may be minimized for mobile + users with the torrc option ReducedConnectionPadding. Implements + Proposal 251 and Section 2 of Proposal 254; closes ticket 16861. + - Relays will publish 24 hour totals of padding and non-padding cell + counts to their extra-info descriptors, unless PaddingStatistics 0 + is set in torrc. These 24 hour totals are also rounded to + multiples of 10000. + + o Major bugfixes (connection usage): + - We use NETINFO cells to try to determine if both relays involved + in a connection will agree on the canonical status of that + connection. We prefer the connections where this is the case for + extend cells, and try to close connections where relays disagree + on their canonical status early. 
Also, we now prefer the oldest + valid connection for extend cells. These two changes should reduce + the number of long-term connections that are kept open between + relays. Fixes bug 17604; bugfix on 0.2.5.5-alpha. + - Relays now log hourly statistics (look for + "channel_check_for_duplicates" lines) on the total number of + connections to other relays. If the number of connections per + relay is unexpectedly large, this log message is at notice level. + Otherwise it is at info. + + o Major bugfixes (entry guards): + - Don't block bootstrapping when a primary bridge is offline and we + can't get its descriptor. Fixes bug 22325; fixes one case of bug + 21969; bugfix on 0.3.0.3-alpha. + + o Major bugfixes (linux TPROXY support): + - Fix a typo that had prevented TPROXY-based transparent proxying + from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha. + Patch from "d4fq0fQAgoJ". + + o Minor features (security, windows): + - Enable a couple of pieces of Windows hardening: one + (HeapEnableTerminationOnCorruption) that has been on-by-default + since Windows 8, and unavailable before Windows 7; and one + (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't + affect us, but shouldn't do any harm. Closes ticket 21953. + + o Minor features (config options): + - Allow "%include" directives in torrc configuration files. These + directives import the settings from other files, or from all the + files in a directory. Closes ticket 1922. Code by Daniel Pinto. + - Make SAVECONF return an error when overwriting a torrc that has + includes. Using SAVECONF with the FORCE option will allow it to + overwrite torrc even if includes are used. Related to ticket 1922. + - Add "GETINFO config-can-saveconf" to tell controllers if SAVECONF + will work without the FORCE option. Related to ticket 1922. + + o Minor features (controller): + - Warn the first time that a controller requests data in the long- + deprecated 'GETINFO network-status' format. 
Closes ticket 21703. + + o Minor features (defaults): + - The default value for UseCreateFast is now 0: clients which + haven't yet received a consensus document will now use a proper + ntor handshake to talk to their directory servers whenever they + can. Closes ticket 21407. + - Onion key rotation and expiry intervals are now defined as a + network consensus parameter, per proposal 274. The default + lifetime of an onion key is increased from 7 to 28 days. Old onion + keys will expire after 7 days by default. This change will make + consensus diffs much smaller, and save significant bandwidth. + Closes ticket 21641. + + o Minor features (fallback directory list): + - Update the fallback directory mirror whitelist and blacklist based + on operator emails. Closes task 21121. + - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in + December 2016 (of which ~126 were still functional) with a list of + 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May + 2017. Resolves ticket 21564. + + o Minor features (hidden services, logging): + - Log a message when a hidden service descriptor has fewer + introduction points than specified in + HiddenServiceNumIntroductionPoints. Closes tickets 21598. + - Log a message when a hidden service reaches its introduction point + circuit limit, and when that limit is reset. Follow up to ticket + 21594; closes ticket 21622. + - Warn user if multiple entries in EntryNodes and at least one + HiddenService are used together. Pinning EntryNodes along with a + hidden service can be possibly harmful; for instance see ticket + 14917 or 21155. Closes ticket 21155. + + o Minor features (linux seccomp2 sandbox): + - We now have a document storage backend compatible with the Linux + seccomp2 sandbox. This backend is used for consensus documents and + diffs between them; in the long term, we'd like to use it for + unparseable directory material too. 
Closes ticket 21645 + - Increase the maximum allowed size passed to mprotect(PROT_WRITE) + from 1MB to 16MB. This was necessary with the glibc allocator in + order to allow worker threads to allocate more memory -- which in + turn is necessary because of our new use of worker threads for + compression. Closes ticket 22096. + + o Minor features (logging): + - Log files are no longer created world-readable by default. + (Previously, most distributors would store the logs in a non- + world-readable location to prevent inappropriate access. This + change is an extra precaution.) Closes ticket 21729; patch + from toralf. + + o Minor features (performance): + - Our Keccak (SHA-3) implementation now accesses memory more + efficiently, especially on little-endian systems. Closes + ticket 21737. + - Add an O(1) implementation of channel_find_by_global_id(), to + speed some controller functions. + + o Minor features (relay, configuration): + - The MyFamily option may now be repeated as many times as desired, + for relays that want to configure large families. Closes ticket + 4998; patch by Daniel Pinto. + + o Minor features (safety): + - Add an explicit check to extrainfo_parse_entry_from_string() for + NULL inputs. We don't believe this can actually happen, but it may + help silence a warning from the Clang analyzer. Closes + ticket 21496. + + o Minor features (testing): + - Add a "--disable-memory-sentinels" feature to help with fuzzing. + When Tor is compiled with this option, we disable a number of + redundant memory-safety failsafes that are intended to stop bugs + from becoming security issues. This makes it easier to hunt for + bugs that would be security issues without the failsafes turned + on. Closes ticket 21439. + - Add a general event-tracing instrumentation support to Tor. This + subsystem will enable developers and researchers to add fine- + grained instrumentation to their Tor instances, for use when + examining Tor network performance issues. 
There are no trace + events yet, and event-tracing is off by default unless enabled at + compile time. Implements ticket 13802. + - Improve our version parsing tests: add tests for typical version + components, add tests for invalid versions, including numeric + range and non-numeric prefixes. Unit tests 21278, 21450, and + 21507. Partially implements 21470. + + o Minor bugfixes (bandwidth accounting): + - Roll over monthly accounting at the configured hour and minute, + rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1. + Found by Andrey Karpov with PVS-Studio. + + o Minor bugfixes (code correctness): + - Accurately identify client connections by their lack of peer + authentication. This means that we bail out earlier if asked to + extend to a client. Follow-up to 21407. Fixes bug 21406; bugfix + on 0.2.4.23. + + o Minor bugfixes (configuration): + - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes + bug 22252; bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (connection lifespan): + - Allow more control over how long TLS connections are kept open: + unify CircuitIdleTimeout and PredictedPortsRelevanceTime into a + single option called CircuitsAvailableTimeout. Also, allow the + consensus to control the default values for both this preference + and the lifespan of relay-to-relay connections. Fixes bug 17592; + bugfix on 0.2.5.5-alpha. + - Increase the initial circuit build timeout testing frequency, to + help ensure that ReducedConnectionPadding clients finish learning + a timeout before their orconn would expire. The initial testing + rate was set back in the days of TAP and before the Tor Browser + updater, when we had to be much more careful about new clients + making lots of circuits. With this change, a circuit build timeout + is learned in about 15-20 minutes, instead of 100-120 minutes. + + o Minor bugfixes (controller): + - GETINFO onions/current and onions/detached no longer respond with + 551 on empty lists. 
Fixes bug 21329; bugfix on 0.2.7.1-alpha. + - Trigger HS descriptor events on the control port when the client + fails to pick a hidden service directory for a hidden service. + This can happen if all the hidden service directories are in + ExcludeNodes, or they have all been queried within the last 15 + minutes. Fixes bug 22042; bugfix on 0.2.5.2-alpha. + + o Minor bugfixes (directory authority): + - When rejecting a router descriptor for running an obsolete version + of Tor without ntor support, warn about the obsolete tor version, + not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha. + - Prevent the shared randomness subsystem from asserting when + initialized by a bridge authority with an incomplete configuration + file. Fixes bug 21586; bugfix on 0.2.9.8. + + o Minor bugfixes (exit-side DNS): + - Fix an untriggerable assertion that checked the output of a + libevent DNS error, so that the assertion actually behaves as + expected. Fixes bug 22244; bugfix on 0.2.0.20-rc. Found by Andrey + Karpov using PVS-Studio. + + o Minor bugfixes (fallback directories): + - Make the usage example in updateFallbackDirs.py actually work, and + explain what it does. Fixes bug 22270; bugfix on 0.3.0.3-alpha. + - Decrease the guard flag average required to be a fallback. This + allows us to keep relays that have their guard flag removed when + they restart. Fixes bug 20913; bugfix on 0.2.8.1-alpha. + - Decrease the minimum number of fallbacks to 100. Fixes bug 20913; + bugfix on 0.2.8.1-alpha. + - Make sure fallback directory mirrors have the same address, port, + and relay identity key for at least 30 days before they are + selected. Fixes bug 20913; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (hidden services): + - Stop printing a cryptic warning when a hidden service gets a + request to connect to a virtual port that it hasn't configured. + Fixes bug 16706; bugfix on 0.2.6.3-alpha. 
+ - Simplify hidden service descriptor creation by using an existing + flag to check if an introduction point is established. Fixes bug + 21599; bugfix on 0.2.7.2-alpha. + + o Minor bugfixes (memory leak): + - Fix a small memory leak at exit from the backtrace handler code. + Fixes bug 21788; bugfix on 0.2.5.2-alpha. Patch from Daniel Pinto. + + o Minor bugfixes (protocol, logging): + - Downgrade a log statement about unexpected relay cells from "bug" + to "protocol warning", because there is at least one use case + where it can be triggered by a buggy tor implementation. Fixes bug + 21293; bugfix on 0.1.1.14-alpha. + + o Minor bugfixes (testing): + - Use unbuffered I/O for utility functions around the + process_handle_t type. This fixes unit test failures reported on + OpenBSD and FreeBSD. Fixes bug 21654; bugfix on 0.2.3.1-alpha. + - Make display of captured unit test log messages consistent. Fixes + bug 21510; bugfix on 0.2.9.3-alpha. + - Make test-network.sh always call chutney's test-network.sh. + Previously, this only worked on systems which had bash installed, + due to some bash-specific code in the script. Fixes bug 19699; + bugfix on 0.3.0.4-rc. Follow-up to ticket 21581. + + o Minor bugfixes (voting consistency): + - Reject version numbers with non-numeric prefixes (such as +, -, or + whitespace). Disallowing whitespace prevents differential version + parsing between POSIX-based and Windows platforms. Fixes bug 21507 + and part of 21508; bugfix on 0.0.8pre1. + + o Minor bugfixes (windows, relay): + - Resolve "Failure from drain_fd: No error" warnings on Windows + relays. Fixes bug 21540; bugfix on 0.2.6.3-alpha. + + o Code simplification and refactoring: + - Break up the 630-line function connection_dir_client_reached_eof() + into a dozen smaller functions. This change should help + maintainability and readability of the client directory code. 
+ - Isolate our use of the openssl headers so that they are only + included from our crypto wrapper modules, and from tests that + examine those modules' internals. Closes ticket 21841. + - Simplify our API to launch directory requests, making it more + extensible and less error-prone. Now it's easier to add extra + headers to directory requests. Closes ticket 21646. + - Our base64 decoding functions no longer overestimate the output + space that they need when parsing unpadded inputs. Closes + ticket 17868. + - Remove unused "ROUTER_ADDED_NOTIFY_GENERATOR" internal value. + Resolves ticket 22213. + - The logic that directory caches use to spool request to clients, + serving them one part at a time so as not to allocate too much + memory, has been refactored for consistency. Previously there was + a separate spooling implementation per type of spoolable data. Now + there is one common spooling implementation, with extensible data + types. Closes ticket 21651. + - Tor's compression module now supports multiple backends. Part of + the implementation for proposal 278; closes ticket 21663. + + o Documentation: + - Clarify the behavior of the KeepAliveIsolateSOCKSAuth sub-option. + Closes ticket 21873. + - Correct documentation about the default DataDirectory value. + Closes ticket 21151. + - Document the default behavior of NumEntryGuards and + NumDirectoryGuards correctly. Fixes bug 21715; bugfix + on 0.3.0.1-alpha. + - Document key=value pluggable transport arguments for Bridge lines + in torrc. Fixes bug 20341; bugfix on 0.2.5.1-alpha. + - Note that bandwidth-limiting options don't affect TCP headers or + DNS. Closes ticket 17170. + + o Removed features (configuration options, all in ticket 22060): + - These configuration options are now marked Obsolete, and no longer + have any effect: AllowInvalidNodes, AllowSingleHopCircuits, + AllowSingleHopExits, ExcludeSingleHopRelays, FastFirstHopPK, + TLSECGroup, WarnUnsafeSocks. 
They were first marked as deprecated + in 0.2.9.2-alpha and have now been removed. The previous default + behavior is now always chosen; the previous (less secure) non- + default behavior is now unavailable. + - CloseHSClientCircuitsImmediatelyOnTimeout and + CloseHSServiceRendCircuitsImmediatelyOnTimeout were deprecated in + 0.2.9.2-alpha and now have been removed. HS circuits never close + on circuit build timeout; they have a longer timeout period. + - {Control,DNS,Dir,Socks,Trans,NATD,OR}ListenAddress were deprecated + in 0.2.9.2-alpha and now have been removed. Use the ORPort option + (and others) to configure listen-only and advertise-only addresses. + + o Removed features (tools): + - We've removed the tor-checkkey tool from src/tools. Long ago, we + used it to help people detect RSA keys that were generated by + versions of Debian affected by CVE-2008-0166. But those keys have + been out of circulation for ages, and this tool is no longer + required. Closes ticket 21842. + + +Changes in version 0.3.0.7 - 2017-05-15 + Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions + of Tor 0.3.0.x, where an attacker could cause a Tor relay process + to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade; + clients are not affected. + + o Major bugfixes (hidden service directory, security): + - Fix an assertion failure in the hidden service directory code, which + could be used by an attacker to remotely cause a Tor relay process to + exit. Relays running earlier versions of Tor 0.3.0.x should upgrade. + should upgrade. This security issue is tracked as TROVE-2017-002. + Fixes bug 22246; bugfix on 0.3.0.1-alpha. + + o Minor features: + - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2 + Country database. + + o Minor features (future-proofing): + - Tor no longer refuses to download microdescriptors or descriptors + if they are listed as "published in the future". 
This change will + eventually allow us to stop listing meaningful "published" dates + in microdescriptor consensuses, and thereby allow us to reduce the + resources required to download consensus diffs by over 50%. + Implements part of ticket 21642; implements part of proposal 275. + + o Minor bugfixes (Linux seccomp2 sandbox): + - The getpid() system call is now permitted under the Linux seccomp2 + sandbox, to avoid crashing with versions of OpenSSL (and other + libraries) that attempt to learn the process's PID by using the + syscall rather than the VDSO code. Fixes bug 21943; bugfix + on 0.2.5.1-alpha. + + +Changes in version 0.3.0.6 - 2017-04-26 + Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series. + + With the 0.3.0 series, clients and relays now use Ed25519 keys to + authenticate their link connections to relays, rather than the old + RSA1024 keys that they used before. (Circuit crypto has been + Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced + the guard selection and replacement algorithm to behave more robustly + in the presence of unreliable networks, and to resist guard- + capture attacks. + + This series also includes numerous other small features and bugfixes, + along with more groundwork for the upcoming hidden-services revamp. + + Per our stable release policy, we plan to support the Tor 0.3.0 + release series for at least the next nine months, or for three months + after the first stable release of the 0.3.1 series: whichever is + longer. If you need a release with long-term support, we recommend + that you stay with the 0.2.9 series. + + Below are the changes since 0.3.0.5-rc. For a list of all changes + since 0.2.9, see the ReleaseNotes file. + + o Minor features (geoip): + - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2 + Country database. 
+ + o Minor bugfixes (control port): + - The GETINFO extra-info/digest/<digest> command was broken because + of a wrong base16 decode return value check, introduced when + refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (crash prevention): + - Fix a (currently untriggerable, but potentially dangerous) crash + bug when base32-encoding inputs whose sizes are not a multiple of + 5. Fixes bug 21894; bugfix on 0.2.9.1-alpha. + + +Changes in version 0.3.0.5-rc - 2017-04-05 + Tor 0.3.0.5-rc fixes a few remaining bugs, large and small, in the + 0.3.0 release series. + + This is the second release candidate in the Tor 0.3.0 series, and has + much fewer changes than the first. If we find no new bugs or + regressions here, the first stable 0.3.0 release will be nearly + identical to it. + + o Major bugfixes (crash, directory connections): + - Fix a rare crash when sending a begin cell on a circuit whose + linked directory connection had already been closed. Fixes bug + 21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett. + + o Major bugfixes (guard selection): + - Fix a guard selection bug where Tor would refuse to bootstrap in + some cases if the user swapped a bridge for another bridge in + their configuration file. Fixes bug 21771; bugfix on 0.3.0.1-alpha. + Reported by "torvlnt33r". + + o Minor features (geoip): + - Update geoip and geoip6 to the March 7 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfix (compilation): + - Fix a warning when compiling hs_service.c. Previously, it had no + exported symbols when compiled for libor.a, resulting in a + compilation warning from clang. Fixes bug 21825; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (hidden services): + - Make hidden services check for failed intro point connections, + even when they have exceeded their intro point creation limit. + Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett. 
+ - Make hidden services with 8 to 10 introduction points check for + failed circuits immediately after startup. Previously, they would + wait for 5 minutes before performing their first checks. Fixes bug + 21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett. + + o Minor bugfixes (memory leaks): + - Fix a memory leak when using GETCONF on a port option. Fixes bug + 21682; bugfix on 0.3.0.3-alpha. + + o Minor bugfixes (relay): + - Avoid a double-marked-circuit warning that could happen when we + receive DESTROY cells under heavy load. Fixes bug 20059; bugfix + on 0.1.0.1-rc. + + o Minor bugfixes (tests): + - Run the entry_guard_parse_from_state_full() test with the time set + to a specific date. (The guard state that this test was parsing + contained guards that had expired since the test was first + written.) Fixes bug 21799; bugfix on 0.3.0.1-alpha. + + o Documentation: + - Update the description of the directory server options in the + manual page, to clarify that a relay no longer needs to set + DirPort in order to be a directory cache. Closes ticket 21720. + + + +Changes in version 0.2.8.13 - 2017-03-03 + Tor 0.2.8.13 backports a security fix from later Tor + releases. Anybody running Tor 0.2.8.12 or earlier should upgrade to this + this release, if for some reason they cannot upgrade to a later + release series, and if they build Tor with the --enable-expensive-hardening + option. + + Note that support for Tor 0.2.8.x is ending next year: we will not issue + any fixes for the Tor 0.2.8.x series after 1 Jan 2018. If you need + a Tor release series with longer-term support, we recommend Tor 0.2.9.x. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. 
Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.7.7 - 2017-03-03 + Tor 0.2.7.7 backports a number of security fixes from later Tor + releases. Anybody running Tor 0.2.7.6 or earlier should upgrade to + this release, if for some reason they cannot upgrade to a later + release series. + + Note that support for Tor 0.2.7.x is ending this year: we will not issue + any fixes for the Tor 0.2.7.x series after 1 August 2017. If you need + a Tor release series with longer-term support, we recommend Tor 0.2.9.x. + + o Directory authority changes (backport from 0.2.8.5-rc): + - Urras is no longer a directory authority. Closes ticket 19271. + + o Directory authority changes (backport from 0.2.9.2-alpha): + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Directory authority key updates (backport from 0.2.8.1-alpha): + - Update the V3 identity key for the dannenberg directory authority: + it was changed on 18 November 2015. Closes task 17906. Patch + by "teor". + + o Major bugfixes (parsing, security, backport from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. 
+ + o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha): + - Stop a crash that could occur when a client running with DNSPort + received a query with multiple address types, and the first + address type was not supported. Found and fixed by Scott Dial. + Fixes bug 18710; bugfix on 0.2.5.4-alpha. + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha): + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. Fixes bug 18162; + bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. + Reported by Guido Vranken. + + o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". + + o Major bugfixes (key management, backport from 0.2.8.3-alpha): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. 
This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (security, memory erasure, backport from 0.2.8.1-alpha): + - Make memwipe() do nothing when passed a NULL pointer or buffer of + zero size. Check size argument to memwipe() for underflow. Fixes + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", + patch by "teor". + + o Minor features (bug-resistance, backport from 0.2.8.2-alpha): + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.6.11 - 2017-03-03 + Tor 0.2.6.11 backports a number of security fixes from later Tor + releases. Anybody running Tor 0.2.6.10 or earlier should upgrade to + this release, if for some reason they cannot upgrade to a later + release series. + + Note that support for Tor 0.2.6.x is ending this year: we will not issue + any fixes for the Tor 0.2.6.x series after 1 August 2017. If you need + a Tor release series with longer-term support, we recommend Tor 0.2.9.x. + + o Directory authority changes (backport from 0.2.8.5-rc): + - Urras is no longer a directory authority. Closes ticket 19271. + + o Directory authority changes (backport from 0.2.9.2-alpha): + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Directory authority key updates (backport from 0.2.8.1-alpha): + - Update the V3 identity key for the dannenberg directory authority: + it was changed on 18 November 2015. Closes task 17906. Patch + by "teor". 
+ + o Major features (security fixes, backport from 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Major bugfixes (parsing, security, backport from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha): + - Stop a crash that could occur when a client running with DNSPort + received a query with multiple address types, and the first + address type was not supported. Found and fixed by Scott Dial. + Fixes bug 18710; bugfix on 0.2.5.4-alpha. + + o Major bugfixes (security, correctness, backport from 0.2.7.4-rc): + - Fix an error that could cause us to read 4 bytes before the + beginning of an openssl string. This bug could be used to cause + Tor to crash on systems with unusual malloc implementations, or + systems with unusual hardening installed. Fixes bug 17404; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha): + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. 
Fixes bug 18162; + bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. + Reported by Guido Vranken. + + o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". + + o Major bugfixes (guard selection, backport from 0.2.7.6): + - Actually look at the Guard flag when selecting a new directory + guard. When we implemented the directory guard design, we + accidentally started treating all relays as if they have the Guard + flag during guard selection, leading to weaker anonymity and worse + performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered + by Mohsen Imani. + + o Major bugfixes (key management, backport from 0.2.8.3-alpha): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (security, memory erasure, backport from 0.2.8.1-alpha): + - Make memwipe() do nothing when passed a NULL pointer or buffer of + zero size. Check size argument to memwipe() for underflow. Fixes + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", + patch by "teor". 
+ + o Minor features (bug-resistance, backport from 0.2.8.2-alpha): + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation, backport from 0.2.7.6): + - Fix a compilation warning with Clang 3.6: Do not check the + presence of an address which can never be NULL. Fixes bug 17781. + + +Changes in version 0.2.5.13 - 2017-03-03 + Tor 0.2.5.13 backports a number of security fixes from later Tor + releases. Anybody running Tor 0.2.5.13 or earlier should upgrade to + this release, if for some reason they cannot upgrade to a later + release series. + + Note that support for Tor 0.2.5.x is ending next year: we will not issue + any fixes for the Tor 0.2.5.x series after 1 May 2018. If you need + a Tor release series with longer-term support, we recommend Tor 0.2.9.x. + + o Directory authority changes (backport from 0.2.8.5-rc): + - Urras is no longer a directory authority. Closes ticket 19271. + + o Directory authority changes (backport from 0.2.9.2-alpha): + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Directory authority key updates (backport from 0.2.8.1-alpha): + - Update the V3 identity key for the dannenberg directory authority: + it was changed on 18 November 2015. Closes task 17906. Patch + by "teor". + + o Major features (security fixes, backport from 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. 
With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Major bugfixes (parsing, security, backport from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha): + - Stop a crash that could occur when a client running with DNSPort + received a query with multiple address types, and the first + address type was not supported. Found and fixed by Scott Dial. + Fixes bug 18710; bugfix on 0.2.5.4-alpha. + + o Major bugfixes (security, correctness, backport from 0.2.7.4-rc): + - Fix an error that could cause us to read 4 bytes before the + beginning of an openssl string. This bug could be used to cause + Tor to crash on systems with unusual malloc implementations, or + systems with unusual hardening installed. Fixes bug 17404; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha): + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. Fixes bug 18162; + bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. + Reported by Guido Vranken. + + o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". 
+ + o Major bugfixes (guard selection, backport from 0.2.7.6): + - Actually look at the Guard flag when selecting a new directory + guard. When we implemented the directory guard design, we + accidentally started treating all relays as if they have the Guard + flag during guard selection, leading to weaker anonymity and worse + performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered + by Mohsen Imani. + + o Major bugfixes (key management, backport from 0.2.8.3-alpha): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (security, memory erasure, backport from 0.2.8.1-alpha): + - Make memwipe() do nothing when passed a NULL pointer or buffer of + zero size. Check size argument to memwipe() for underflow. Fixes + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", + patch by "teor". + + o Minor features (bug-resistance, backport from 0.2.8.2-alpha): + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. 
+ + o Minor bugfixes (compilation, backport from 0.2.7.6): + - Fix a compilation warning with Clang 3.6: Do not check the + presence of an address which can never be NULL. Fixes bug 17781. + + o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha): + - Check for failures from crypto_early_init, and refuse to continue. + A previous typo meant that we could keep going with an + uninitialized crypto library, and would have OpenSSL initialize + its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced + when implementing ticket 4900. Patch by "teor". + + o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha): + - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on + a client authorized hidden service. Fixes bug 15823; bugfix + on 0.2.1.6-alpha. + + +Changes in version 0.2.4.28 - 2017-03-03 + Tor 0.2.4.28 backports a number of security fixes from later Tor + releases. Anybody running Tor 0.2.4.27 or earlier should upgrade to + this release, if for some reason they cannot upgrade to a later + release series. + + Note that support for Tor 0.2.4.x is ending soon: we will not issue + any fixes for the Tor 0.2.4.x series after 1 August 2017. If you need + a Tor release series with long-term support, we recommend Tor 0.2.9.x. + + o Directory authority changes (backport from 0.2.8.5-rc): + - Urras is no longer a directory authority. Closes ticket 19271. + + o Directory authority changes (backport from 0.2.9.2-alpha): + - The "Tonga" bridge authority has been retired; the new bridge + authority is "Bifroest". Closes tickets 19728 and 19690. + + o Directory authority key updates (backport from 0.2.8.1-alpha): + - Update the V3 identity key for the dannenberg directory authority: + it was changed on 18 November 2015. Closes task 17906. Patch + by "teor". 
+ + o Major features (security fixes, backport from 0.2.9.4-alpha): + - Prevent a class of security bugs caused by treating the contents + of a buffer chunk as if they were a NUL-terminated string. At + least one such bug seems to be present in all currently used + versions of Tor, and would allow an attacker to remotely crash + most Tor instances, especially those compiled with extra compiler + hardening. With this defense in place, such bugs can't crash Tor, + though we should still fix them as they occur. Closes ticket + 20384 (TROVE-2016-10-001). + + o Major bugfixes (parsing, security, backport from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Major bugfixes (security, correctness, backport from 0.2.7.4-rc): + - Fix an error that could cause us to read 4 bytes before the + beginning of an openssl string. This bug could be used to cause + Tor to crash on systems with unusual malloc implementations, or + systems with unusual hardening installed. Fixes bug 17404; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha): + - Avoid a difficult-to-trigger heap corruption attack when extending + a smartlist to contain over 16GB of pointers. Fixes bug 18162; + bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely. + Reported by Guido Vranken. + + o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha): + - Avoid crashing when running as a DNS proxy. Fixes bug 16248; + bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". 
+ + o Major bugfixes (guard selection, backport from 0.2.7.6): + - Actually look at the Guard flag when selecting a new directory + guard. When we implemented the directory guard design, we + accidentally started treating all relays as if they have the Guard + flag during guard selection, leading to weaker anonymity and worse + performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered + by Mohsen Imani. + + o Major bugfixes (key management, backport from 0.2.8.3-alpha): + - If OpenSSL fails to generate an RSA key, do not retain a dangling + pointer to the previous (uninitialized) key value. The impact here + should be limited to a difficult-to-trigger crash, if OpenSSL is + running an engine that makes key generation failures possible, or + if OpenSSL runs out of memory. Fixes bug 19152; bugfix on + 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and + Baishakhi Ray. + + o Major bugfixes (parsing, backported from 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (security, memory erasure, backport from 0.2.8.1-alpha): + - Make memwipe() do nothing when passed a NULL pointer or buffer of + zero size. Check size argument to memwipe() for underflow. Fixes + bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk", + patch by "teor". + + o Minor features (bug-resistance, backport from 0.2.8.2-alpha): + - Make Tor survive errors involving connections without a + corresponding event object. Previously we'd fail with an + assertion; now we produce a log message. Related to bug 16248. 
+ + o Minor features (DoS-resistance, backport from 0.2.7.1-alpha): + - Make it harder for attackers to overload hidden services with + introductions, by blocking multiple introduction requests on the + same circuit. Resolves ticket 15515. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (compilation, backport from 0.2.7.6): + - Fix a compilation warning with Clang 3.6: Do not check the + presence of an address which can never be NULL. Fixes bug 17781. + + o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha): + - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on + a client authorized hidden service. Fixes bug 15823; bugfix + on 0.2.1.6-alpha. + + +Changes in version 0.3.0.4-rc - 2017-03-01 + Tor 0.3.0.4-rc fixes some remaining bugs, large and small, in the + 0.3.0 release series, and introduces a few reliability features to + keep them from coming back. + + This is the first release candidate in the Tor 0.3.0 series. If we + find no new bugs or regressions here, the first stable 0.3.0 release + will be nearly identical to it. + + o Major bugfixes (bridges): + - When the same bridge is configured multiple times with the same + identity, but at different address:port combinations, treat those + bridge instances as separate guards. This fix restores the ability + of clients to configure the same bridge with multiple pluggable + transports. Fixes bug 21027; bugfix on 0.3.0.1-alpha. + + o Major bugfixes (hidden service directory v3): + - Stop crashing on a failed v3 hidden service descriptor lookup + failure. Fixes bug 21471; bugfixes on tor-0.3.0.1-alpha. + + o Major bugfixes (parsing): + - When parsing a malformed content-length field from an HTTP + message, do not read off the end of the buffer. This bug was a + potential remote denial-of-service attack against Tor clients and + relays. 
A workaround was released in October 2016, to prevent this + bug from crashing Tor. This is a fix for the underlying issue, + which should no longer matter (if you applied the earlier patch). + Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing + using AFL (http://lcamtuf.coredump.cx/afl/). + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor feature (protocol versioning): + - Add new protocol version for proposal 224. HSIntro now advertises + version "3-4" and HSDir version "1-2". Fixes ticket 20656. + + o Minor features (directory authorities): + - Directory authorities now reject descriptors that claim to be + malformed versions of Tor. Helps prevent exploitation of + bug 21278. + - Reject version numbers with components that exceed INT32_MAX. + Otherwise 32-bit and 64-bit platforms would behave inconsistently. + Fixes bug 21450; bugfix on 0.0.8pre1. + - Directory authorities now reject relays running versions + 0.2.9.1-alpha through 0.2.9.4-alpha, because those relays + suffer from bug 20499 and don't keep their consensus cache + up-to-date. Resolves ticket 20509. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor features (reliability, crash): + - Try better to detect problems in buffers where they might grow (or + think they have grown) over 2 GB in size. Diagnostic for + bug 21369. + + o Minor features (testing): + - During 'make test-network-all', if tor logs any warnings, ask + chutney to output them. Requires a recent version of chutney with + the 21572 patch. Implements 21570. 
+ + o Minor bugfixes (certificate expiration time): + - Avoid using link certificates that don't become valid till some + time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha + + o Minor bugfixes (code correctness): + - Repair a couple of (unreachable or harmless) cases of the risky + comparison-by-subtraction pattern that caused bug 21278. + - Remove a redundant check for the UseEntryGuards option from the + options_transition_affects_guards() function. Fixes bug 21492; + bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (directory mirrors): + - Allow relays to use directory mirrors without a DirPort: these + relays need to be contacted over their ORPorts using a begindir + connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha. + - Clarify the message logged when a remote relay is unexpectedly + missing an ORPort or DirPort: users were confusing this with a + local port. Fixes another case of bug 20711; bugfix + on 0.2.8.2-alpha. + + o Minor bugfixes (guards): + - Don't warn about a missing guard state on timeout-measurement + circuits: they aren't supposed to be using guards. Fixes an + instance of bug 21007; bugfix on 0.3.0.1-alpha. + - Silence a BUG() warning when attempting to use a guard whose + descriptor we don't know, and make this scenario less likely to + happen. Fixes bug 21415; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (hidden service): + - Pass correct buffer length when encoding legacy ESTABLISH_INTRO + cells. Previously, we were using sizeof() on a pointer, instead of + the real destination buffer. Fortunately, that value was only used + to double-check that there was enough room--which was already + enforced elsewhere. Fixes bug 21553; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (testing): + - Fix Raspbian build issues related to missing socket errno in + test_util.c. Fixes bug 21116; bugfix on tor-0.2.8.2. Patch + by "hein". + - Rename "make fuzz" to "make test-fuzz-corpora", since it doesn't + actually fuzz anything. 
Fixes bug 21447; bugfix on 0.3.0.3-alpha. + - Use bash in src/test/test-network.sh. This ensures we reliably + call chutney's newer tools/test-network.sh when available. Fixes + bug 21562; bugfix on 0.2.9.1-alpha. + + o Documentation: + - Small fixes to the fuzzing documentation. Closes ticket 21472. + + +Changes in version 0.2.9.10 - 2017-03-01 + Tor 0.2.9.10 backports a security fix from later Tor release. It also + includes fixes for some major issues affecting directory authorities, + LibreSSL compatibility, and IPv6 correctness. + + The Tor 0.2.9.x release series is now marked as a long-term-support + series. We intend to backport security fixes to 0.2.9.x until at + least January of 2020. + + o Major bugfixes (directory authority, 0.3.0.3-alpha): + - During voting, when marking a relay as a probable sybil, do not + clear its BadExit flag: sybils can still be bad in other ways + too. (We still clear the other flags.) Fixes bug 21108; bugfix + on 0.2.0.13-alpha. + + o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha): + - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects + any IPv6 addresses. Instead, only reject a port over IPv6 if the + exit policy rejects that port on more than an IPv6 /16 of + addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, + which rejected a relay's own IPv6 address by default. Fixes bug + 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha. + + o Major bugfixes (parsing, also in 0.3.0.4-rc): + - Fix an integer underflow bug when comparing malformed Tor + versions. This bug could crash Tor when built with + --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor + 0.2.9.8, which were built with -ftrapv by default. In other cases + it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix + on 0.0.8pre1. Found by OSS-Fuzz. + + o Minor features (directory authorities, also in 0.3.0.4-rc): + - Directory authorities now reject descriptors that claim to be + malformed versions of Tor. 
Helps prevent exploitation of + bug 21278. + - Reject version numbers with components that exceed INT32_MAX. + Otherwise 32-bit and 64-bit platforms would behave inconsistently. + Fixes bug 21450; bugfix on 0.0.8pre1. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2 + Country database. + + o Minor features (portability, compilation, backport from 0.3.0.3-alpha): + - Autoconf now checks to determine if OpenSSL structures are opaque, + instead of explicitly checking for OpenSSL version numbers. Part + of ticket 21359. + - Support building with recent LibreSSL code that uses opaque + structures. Closes ticket 21359. + + o Minor bugfixes (code correctness, also in 0.3.0.4-rc): + - Repair a couple of (unreachable or harmless) cases of the risky + comparison-by-subtraction pattern that caused bug 21278. + + o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha): + - The tor-resolve command line tool now rejects hostnames over 255 + characters in length. Previously, it would silently truncate them, + which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5. + Patch by "junglefowl". + + +Changes in version 0.3.0.3-alpha - 2017-02-03 + Tor 0.3.0.3-alpha fixes a few significant bugs introduced over the + 0.3.0.x development series, including some that could cause + authorities to behave badly. There is also a fix for a longstanding + bug that could prevent IPv6 exits from working. Tor 0.3.0.3-alpha also + includes some smaller features and bugfixes. + + The Tor 0.3.0.x release series is now in patch-freeze: no additional + features will be considered for inclusion in 0.3.0.x. We suspect that + some bugs will probably remain, however, and we encourage people to + test this release. + + o Major bugfixes (directory authority): + - During voting, when marking a relay as a probable sybil, do not + clear its BadExit flag: sybils can still be bad in other ways + too. (We still clear the other flags.) 
Fixes bug 21108; bugfix + on 0.2.0.13-alpha. + - When deciding whether we have just found a router to be reachable, + do not penalize it for not having performed an Ed25519 link + handshake if it does not claim to support an Ed25519 handshake. + Previously, we would treat such relays as non-running. Fixes bug + 21107; bugfix on 0.3.0.1-alpha. + + o Major bugfixes (entry guards): + - Stop trying to build circuits through entry guards for which we + have no descriptor. Also, stop crashing in the case that we *do* + accidentally try to build a circuit in such a state. Fixes bug + 21242; bugfix on 0.3.0.1-alpha. + + o Major bugfixes (IPv6 Exits): + - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects + any IPv6 addresses. Instead, only reject a port over IPv6 if the + exit policy rejects that port on more than an IPv6 /16 of + addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, + which rejected a relay's own IPv6 address by default. Fixes bug + 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha. + + o Minor feature (client): + - Enable IPv6 traffic on the SocksPort by default. To disable this, + a user will have to specify "NoIPv6Traffic". Closes ticket 21269. + + o Minor feature (fallback scripts): + - Add a check_existing mode to updateFallbackDirs.py, which checks + if fallbacks in the hard-coded list are working. Closes ticket + 20174. Patch by haxxpop. + + o Minor features (ciphersuite selection): + - Clients now advertise a list of ciphersuites closer to the ones + preferred by Firefox. Closes part of ticket 15426. + - Allow relays to accept a wider range of ciphersuites, including + chacha20-poly1305 and AES-CCM. Closes the other part of 15426. + + o Minor features (controller, configuration): + - Each of the *Port options, such as SocksPort, ORPort, ControlPort, + and so on, now comes with a __*Port variant that will not be saved + to the torrc file by the controller's SAVECONF command. 
This + change allows TorBrowser to set up a single-use domain socket for + each time it launches Tor. Closes ticket 20956. + - The GETCONF command can now query options that may only be + meaningful in context-sensitive lists. This allows the controller + to query the mixed SocksPort/__SocksPort style options introduced + in feature 20956. Implements ticket 21300. + + o Minor features (portability, compilation): + - Autoconf now checks to determine if OpenSSL structures are opaque, + instead of explicitly checking for OpenSSL version numbers. Part + of ticket 21359. + - Support building with recent LibreSSL code that uses opaque + structures. Closes ticket 21359. + + o Minor features (relay): + - We now allow separation of exit and relay traffic to different + source IP addresses, using the OutboundBindAddressExit and + OutboundBindAddressOR options respectively. Closes ticket 17975. + Written by Michael Sonntag. + + o Minor bugfix (logging): + - Don't recommend the use of Tor2web in non-anonymous mode. + Recommending Tor2web is a bad idea because the client loses all + anonymity. Tor2web should only be used in specific cases by users + who *know* and understand the issues. Fixes bug 21294; bugfix + on 0.2.9.3-alpha. + + o Minor bugfixes (client): + - Always recover from failures in extend_info_from_node(), in an + attempt to prevent any recurrence of bug 21242. Fixes bug 21372; + bugfix on 0.2.3.1-alpha. + + o Minor bugfixes (client, entry guards): + - Fix a bug warning (with backtrace) when we fail a channel that + circuits to fallback directories on it. Fixes bug 21128; bugfix + on 0.3.0.1-alpha. + - Fix a spurious bug warning (with backtrace) when removing an + expired entry guard. Fixes bug 21129; bugfix on 0.3.0.1-alpha. + - Fix a bug of the new guard algorithm where tor could stall for up + to 10 minutes before retrying a guard after a long period of no + network. Fixes bug 21052; bugfix on 0.3.0.1-alpha. 
+ - Do not try to build circuits until we have descriptors for our + primary entry guards. Related to fix for bug 21242. + + o Minor bugfixes (configure, autoconf): + - Rename the configure option --enable-expensive-hardening to + --enable-fragile-hardening. Expensive hardening makes the tor + daemon abort when some kinds of issues are detected. Thus, it + makes tor more at risk of remote crashes but safer against RCE or + heartbleed bug category. We now try to explain this issue in a + message from the configure script. Fixes bug 21290; bugfix + on 0.2.5.4-alpha. + + o Minor bugfixes (controller): + - Restore the (deprecated) DROPGUARDS controller command. Fixes bug + 20824; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (hidden service): + - Clean up the code for expiring intro points with no associated + circuits. It was causing, rarely, a service with some expiring + introduction points to not open enough additional introduction + points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha. + - Stop setting the torrc option HiddenServiceStatistics to "0" just + because we're not a bridge or relay. Instead, we preserve whatever + value the user set (or didn't set). Fixes bug 21150; bugfix + on 0.2.6.2-alpha. + - Resolve two possible underflows which could lead to creating and + closing a lot of introduction point circuits in a non-stop loop. + Fixes bug 21302; bugfix on 0.2.7.2-alpha. + + o Minor bugfixes (portability): + - Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__". + It is supported by OpenBSD itself, and also by most OpenBSD + variants (such as Bitrig). Fixes bug 20980; bugfix + on 0.1.2.1-alpha. + - When mapping a file of length greater than SIZE_MAX, do not + silently truncate its contents. This issue could occur on 32 bit + systems with large file support and files which are larger than 4 + GB. Fixes bug 21134; bugfix on 0.3.0.1-alpha. 
+ + o Minor bugfixes (tor-resolve): + - The tor-resolve command line tool now rejects hostnames over 255 + characters in length. Previously, it would silently truncate them, + which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5. + Patch by "junglefowl". + + o Minor bugfixes (Windows services): + - Be sure to initialize the monotonic time subsystem before using + it, even when running as an NT service. Fixes bug 21356; bugfix + on 0.2.9.1-alpha. + + +Changes in version 0.3.0.2-alpha - 2017-01-23 + Tor 0.3.0.2-alpha fixes a denial-of-service bug where an attacker could + cause relays and clients to crash, even if they were not built with + the --enable-expensive-hardening option. This bug affects all 0.2.9.x + versions, and also affects 0.3.0.1-alpha: all relays running an affected + version should upgrade. + + Tor 0.3.0.2-alpha also improves how exit relays and clients handle DNS + time-to-live values, makes directory authorities enforce the 1-to-1 + mapping of relay RSA identity keys to ED25519 identity keys, fixes a + client-side onion service reachability bug, does better at selecting + the set of fallback directories, and more. + + o Major bugfixes (security, also in 0.2.9.9): + - Downgrade the "-ftrapv" option from "always on" to "only on when + --enable-expensive-hardening is provided." This hardening option, like + others, can turn survivable bugs into crashes--and having it on by + default made a (relatively harmless) integer overflow bug into a + denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on + 0.2.9.1-alpha. + + o Major features (security): + - Change the algorithm used to decide DNS TTLs on client and server + side, to better resist DNS-based correlation attacks like the + DefecTor attack of Greschbach, Pulls, Roberts, Winter, and + Feamster. Now relays only return one of two possible DNS TTL + values, and clients are willing to believe DNS TTL values up to 3 + hours long. Closes ticket 19769. 
+ + o Major features (directory authority, security): + - The default for AuthDirPinKeys is now 1: directory authorities + will reject relays where the RSA identity key matches a previously + seen value, but the Ed25519 key has changed. Closes ticket 18319. + + o Major bugfixes (client, guard, crash): + - In circuit_get_global_origin_list(), return the actual list of + origin circuits. The previous version of this code returned the + list of all the circuits, and could have caused strange bugs, + including possible crashes. Fixes bug 21118; bugfix + on 0.3.0.1-alpha. + + o Major bugfixes (client, onion service, also in 0.2.9.9): + - Fix a client-side onion service reachability bug, where multiple + socks requests to an onion service (or a single slow request) + could cause us to mistakenly mark some of the service's + introduction points as failed, and we cache that failure so + eventually we run out and can't reach the service. Also resolves a + mysterious "Remote server sent bogus reason code 65021" log + warning. The bug was introduced in ticket 17218, where we tried to + remember the circuit end reason as a uint16_t, which mangled + negative values. Partially fixes bug 21056 and fixes bug 20307; + bugfix on 0.2.8.1-alpha. + + o Major bugfixes (DNS): + - Fix a bug that prevented exit nodes from caching DNS records for + more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha. + + o Minor features (controller): + - Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose + shared-random values to the controller. Closes ticket 19925. + + o Minor features (entry guards): + - Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not + break regression tests. + - Require UseEntryGuards when UseBridges is set, in order to make + sure bridges aren't bypassed. Resolves ticket 20502. + + o Minor features (fallback directories): + - Select 200 fallback directories for each release. Closes + ticket 20881. 
+ - Allow 3 fallback relays per operator, which is safe now that we + are choosing 200 fallback relays. Closes ticket 20912. + - Exclude relays affected by bug 20499 from the fallback list. + Exclude relays from the fallback list if they are running versions + known to be affected by bug 20499, or if in our tests they deliver + a stale consensus (i.e. one that expired more than 24 hours ago). + Closes ticket 20539. + - Reduce the minimum fallback bandwidth to 1 MByte/s. Part of + ticket 18828. + - Require fallback directories to have the same address and port for + 7 days (now that we have enough relays with this stability). + Relays whose OnionOO stability timer is reset on restart by bug + 18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for + this issue. Closes ticket 20880; maintains short-term fix + in 0.2.8.2-alpha. + - Require fallbacks to have flags for 90% of the time (weighted + decaying average), rather than 95%. This allows at least 73% of + clients to bootstrap in the first 5 seconds without contacting an + authority. Part of ticket 18828. + - Annotate updateFallbackDirs.py with the bandwidth and consensus + weight for each candidate fallback. Closes ticket 20878. + - Make it easier to change the output sort order of fallbacks. + Closes ticket 20822. + - Display the relay fingerprint when downloading consensuses from + fallbacks. Closes ticket 20908. + + o Minor features (geoip, also in 0.2.9.9): + - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2 + Country database. + + o Minor features (next-gen onion service directories): + - Remove the "EnableOnionServicesV3" consensus parameter that we + introduced in 0.3.0.1-alpha: relays are now always willing to act + as v3 onion service directories. Resolves ticket 19899. + + o Minor features (linting): + - Enhance the changes file linter to warn on Tor versions that are + prefixed with "tor-". Closes ticket 21096. 
+ + o Minor features (logging): + - In several places, describe unset ed25519 keys as "<unset>", + rather than the scary "AAAAAAAA...AAA". Closes ticket 21037. + + o Minor bugfix (control protocol): + - The reply to a "GETINFO config/names" request via the control + protocol now spells the type "Dependent" correctly. This is a + breaking change in the control protocol. (The field seems to be + ignored by the most common known controllers.) Fixes bug 18146; + bugfix on 0.1.1.4-alpha. + + o Minor bugfixes (bug resilience): + - Fix an unreachable size_t overflow in base64_decode(). Fixes bug + 19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by + Hans Jerry Illikainen. + + o Minor bugfixes (build): + - Replace obsolete Autoconf macros with their modern equivalent and + prevent similar issues in the future. Fixes bug 20990; bugfix + on 0.1.0.1-rc. + + o Minor bugfixes (client, guards): + - Fix bug where Tor would think that there are circuits waiting for + better guards even though those circuits have been freed. Fixes + bug 21142; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (config): + - Don't assert on startup when trying to get the options list and + LearnCircuitBuildTimeout is set to 0: we are currently parsing the + options so of course they aren't ready yet. Fixes bug 21062; + bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (controller): + - Make the GETINFO interface for inquiring about entry guards + support the new guards backend. Fixes bug 20823; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (dead code): + - Remove a redundant check for PidFile changes at runtime in + options_transition_allowed(): this check is already performed + regardless of whether the sandbox is active. Fixes bug 21123; + bugfix on 0.2.5.4-alpha. + + o Minor bugfixes (documentation): + - Update the tor manual page to document every option that can not + be changed while tor is running. Fixes bug 21122. 
+ + o Minor bugfixes (fallback directories): + - Stop failing when a relay has no uptime data in + updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha. + - Avoid checking fallback candidates' DirPorts if they are down in + OnionOO. When a relay operator has multiple relays, this + prioritizes relays that are up over relays that are down. Fixes + bug 20926; bugfix on 0.2.8.3-alpha. + - Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py. + Fixes bug 20877; bugfix on 0.2.8.3-alpha. + + o Minor bugfixes (guards, bootstrapping): + - When connecting to a directory guard during bootstrap, do not mark + the guard as successful until we receive a good-looking directory + response from it. Fixes bug 20974; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (onion services): + - Fix the config reload pruning of old vs new services so it + actually works when both ephemeral and non-ephemeral services are + configured. Fixes bug 21054; bugfix on 0.3.0.1-alpha. + - Allow the number of introduction points to be as low as 0, rather + than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha. + + o Minor bugfixes (IPv6): + - Make IPv6-using clients try harder to find an IPv6 directory + server. Fixes bug 20999; bugfix on 0.2.8.2-alpha. + - When IPv6 addresses have not been downloaded yet (microdesc + consensus documents don't list relay IPv6 addresses), use hard- + coded addresses for authorities, fallbacks, and configured + bridges. Now IPv6-only clients can use microdescriptors. Fixes bug + 20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha. + + o Minor bugfixes (memory leaks): + - Fix a memory leak when configuring hidden services. Fixes bug + 20987; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (portability, also in 0.2.9.9): + - Avoid crashing when Tor is built using headers that contain + CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel + without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix + on 0.2.9.1-alpha. 
+ - Fix Libevent detection on platforms without Libevent 1 headers + installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (relay): + - Honor DataDirectoryGroupReadable when tor is a relay. Previously, + initializing the keys would reset the DataDirectory to 0700 + instead of 0750 even if DataDirectoryGroupReadable was set to 1. + Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish". + + o Minor bugfixes (testing): + - Remove undefined behavior from the backtrace generator by removing + its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha. + + o Minor bugfixes (unit tests): + - Allow the unit tests to pass even when DNS lookups of bogus + addresses do not fail as expected. Fixes bug 20862 and 20863; + bugfix on unit tests introduced in 0.2.8.1-alpha + through 0.2.9.4-alpha. + + o Code simplification and refactoring: + - Refactor code to manipulate global_origin_circuit_list into + separate functions. Closes ticket 20921. + + o Documentation (formatting): + - Clean up formatting of tor.1 man page and HTML doc, where <pre> + blocks were incorrectly appearing. Closes ticket 20885. + + o Documentation (man page): + - Clarify many options in tor.1 and add some min/max values for + HiddenService options. Closes ticket 21058. + + +Changes in version 0.2.9.9 - 2017-01-23 + Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could + cause relays and clients to crash, even if they were not built with + the --enable-expensive-hardening option. This bug affects all 0.2.9.x + versions, and also affects 0.3.0.1-alpha: all relays running an affected + version should upgrade. + + This release also resolves a client-side onion service reachability + bug, and resolves a pair of small portability issues. + + o Major bugfixes (security): + - Downgrade the "-ftrapv" option from "always on" to "only on when + --enable-expensive-hardening is provided." 
This hardening option, + like others, can turn survivable bugs into crashes -- and having + it on by default made a (relatively harmless) integer overflow bug + into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); + bugfix on 0.2.9.1-alpha. + + o Major bugfixes (client, onion service): + - Fix a client-side onion service reachability bug, where multiple + socks requests to an onion service (or a single slow request) + could cause us to mistakenly mark some of the service's + introduction points as failed, and we cache that failure so + eventually we run out and can't reach the service. Also resolves a + mysterious "Remote server sent bogus reason code 65021" log + warning. The bug was introduced in ticket 17218, where we tried to + remember the circuit end reason as a uint16_t, which mangled + negative values. Partially fixes bug 21056 and fixes bug 20307; + bugfix on 0.2.8.1-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (portability): + - Avoid crashing when Tor is built using headers that contain + CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel + without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix + on 0.2.9.1-alpha. + - Fix Libevent detection on platforms without Libevent 1 headers + installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha. + + +Changes in version 0.3.0.1-alpha - 2016-12-19 + Tor 0.3.0.1-alpha is the first alpha release in the 0.3.0 development + series. It strengthens Tor's link and circuit handshakes by + identifying relays by their Ed25519 keys, improves the algorithm that + clients use to choose and maintain their list of guards, and includes + additional backend support for the next-generation hidden service + design. It also contains numerous other small features and + improvements to security, correctness, and performance. + + Below are the changes since 0.2.9.8. 
+ + o Major features (guard selection algorithm): + - Tor's guard selection algorithm has been redesigned from the + ground up, to better support unreliable networks and restrictive + sets of entry nodes, and to better resist guard-capture attacks by + hostile local networks. Implements proposal 271; closes + ticket 19877. + + o Major features (next-generation hidden services): + - Relays can now handle v3 ESTABLISH_INTRO cells as specified by + prop224 aka "Next Generation Hidden Services". Service and clients + don't use this functionality yet. Closes ticket 19043. Based on + initial code by Alec Heifetz. + - Relays now support the HSDir version 3 protocol, so that they can + can store and serve v3 descriptors. This is part of the next- + generation onion service work detailled in proposal 224. Closes + ticket 17238. + + o Major features (protocol, ed25519 identity keys): + - Relays now use Ed25519 to prove their Ed25519 identities and to + one another, and to clients. This algorithm is faster and more + secure than the RSA-based handshake we've been doing until now. + Implements the second big part of proposal 220; Closes + ticket 15055. + - Clients now support including Ed25519 identity keys in the EXTEND2 + cells they generate. By default, this is controlled by a consensus + parameter, currently disabled. You can turn this feature on for + testing by setting ExtendByEd25519ID in your configuration. This + might make your traffic appear different than the traffic + generated by other users, however. Implements part of ticket + 15056; part of proposal 220. + - Relays now understand requests to extend to other relays by their + Ed25519 identity keys. When an Ed25519 identity key is included in + an EXTEND2 cell, the relay will only extend the circuit if the + other relay can prove ownership of that identity. Implements part + of ticket 15056; part of proposal 220. + + o Major bugfixes (scheduler): + - Actually compare circuit policies in ewma_cmp_cmux(). 
This bug + caused the channel scheduler to behave more or less randomly, + rather than preferring channels with higher-priority circuits. + Fixes bug 20459; bugfix on 0.2.6.2-alpha. + + o Minor features (controller): + - When HSFETCH arguments cannot be parsed, say "Invalid argument" + rather than "unrecognized." Closes ticket 20389; patch from + Ivan Markin. + + o Minor features (diagnostic, directory client): + - Warn when we find an unexpected inconsistency in directory + download status objects. Prevents some negative consequences of + bug 20593. + + o Minor features (directory authority): + - Add a new authority-only AuthDirTestEd25519LinkKeys option (on by + default) to control whether authorities should try to probe relays + by their Ed25519 link keys. This option will go away in a few + releases--unless we encounter major trouble in our ed25519 link + protocol rollout, in which case it will serve as a safety option. + + o Minor features (directory cache): + - Relays and bridges will now refuse to serve the consensus they + have if they know it is too old for a client to use. Closes + ticket 20511. + + o Minor features (ed25519 link handshake): + - Advertise support for the ed25519 link handshake using the + subprotocol-versions mechanism, so that clients can tell which + relays can identity themselves by Ed25519 ID. Closes ticket 20552. + + o Minor features (fingerprinting resistence, authentication): + - Extend the length of RSA keys used for TLS link authentication to + 2048 bits. (These weren't used for forward secrecy; for forward + secrecy, we used P256.) Closes ticket 13752. + + o Minor features (infrastructure): + - Implement smartlist_add_strdup() function. Replaces the use of + smartlist_add(sl, tor_strdup(str)). Closes ticket 20048. + + o Minor bugfixes (client): + - When clients that use bridges start up with a cached consensus on + disk, they were ignoring it and downloading a new one. Now they + use the cached one. 
Fixes bug 20269; bugfix on 0.2.3.12-alpha. + + o Minor bugfixes (configuration): + - Accept non-space whitespace characters after the severity level in + the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha. + - Support "TByte" and "TBytes" units in options given in bytes. + "TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already + supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha. + + o Minor bugfixes (consensus weight): + - Add new consensus method that initializes bw weights to 1 instead + of 0. This prevents a zero weight from making it all the way to + the end (happens in small testing networks) and causing an error. + Fixes bug 14881; bugfix on 0.2.2.17-alpha. + + o Minor bugfixes (descriptors): + - Correctly recognise downloaded full descriptors as valid, even + when using microdescriptors as circuits. This affects clients with + FetchUselessDescriptors set, and may affect directory authorities. + Fixes bug 20839; bugfix on 0.2.3.2-alpha. + + o Minor bugfixes (directory system): + - Download all consensus flavors, descriptors, and authority + certificates when FetchUselessDescriptors is set, regardless of + whether tor is a directory cache or not. Fixes bug 20667; bugfix + on all recent tor versions. + - Bridges and relays now use microdescriptors (like clients do) + rather than old-style router descriptors. Now bridges will blend + in with clients in terms of the circuits they build. Fixes bug + 6769; bugfix on 0.2.3.2-alpha. + + o Minor bugfixes (ed25519 certificates): + - Correctly interpret ed25519 certificates that would expire some + time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha. + + o Minor bugfixes (hidden services): + - Stop ignoring misconfigured hidden services. Instead, refuse to + start tor until the misconfigurations have been corrected. Fixes + bug 20559; bugfix on multiple commits in 0.2.7.1-alpha + and earlier. 
+ + o Minor bugfixes (memory leak at exit): + - Fix a small harmless memory leak at exit of the previously unused + RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix + on 0.2.7.2-alpha. + + o Minor bugfixes (util): + - When finishing writing a file to disk, if we were about to replace + the file with the temporary file created before and we fail to + replace it, remove the temporary file so it doesn't stay on disk. + Fixes bug 20646; bugfix on tor-0.2.0.7-alpha. Patch by fk. + + o Minor bugfixes (Windows): + - Check for getpagesize before using it to mmap files. This fixes + compilation in some MinGW environments. Fixes bug 20530; bugfix on + 0.1.2.1-alpha. Reported by "ice". + + o Code simplification and refactoring: + - Abolish all global guard context in entrynodes.c; replace with new + guard_selection_t structure as preparation for proposal 271. + Closes ticket 19858. + - Introduce rend_service_is_ephemeral() that tells if given onion + service is ephemeral. Replace unclear NULL-checkings for service + directory with this function. Closes ticket 20526. + - Extract magic numbers in circuituse.c into defined variables. + - Refactor circuit_is_available_for_use to remove unnecessary check. + - Refactor circuit_predict_and_launch_new for readability and + testability. Closes ticket 18873. + - Refactor large if statement in purpose_needs_anonymity to use + switch statement instead. Closes part of ticket 20077. + - Refactor the hashing API to return negative values for errors, as + is done as throughout the codebase. Closes ticket 20717. + - Remove data structures that were used to index or_connection + objects by their RSA identity digests. These structures are fully + redundant with the similar structures used in the + channel abstraction. + - Remove duplicate code in the channel_write_*cell() functions. + Closes ticket 13827; patch from Pingl. + - Remove redundant behavior of is_sensitive_dir_purpose, refactor to + use only purpose_needs_anonymity. 
Closes part of ticket 20077. + - The code to generate and parse EXTEND and EXTEND2 cells has been + replaced with code automatically generated by the + "trunnel" utility. + + o Documentation: + - Include the "TBits" unit in Tor's man page. Fixes part of bug + 20622; bugfix on tor-0.2.5.1-alpha. + - Change '1' to 'weight_scale' in consensus bw weights calculation + comments, as that is reality. Closes ticket 20273. Patch + from pastly. + - Correct the value for AuthDirGuardBWGuarantee in the manpage, from + 250 KBytes to 2 MBytes. Fixes bug 20435; bugfix + on tor-0.2.5.6-alpha. + - Stop the man page from incorrectly stating that HiddenServiceDir + must already exist. Fixes 20486. + - Clarify that when ClientRejectInternalAddresses is enabled (which + is the default), multicast DNS hostnames for machines on the local + network (of the form *.local) are also rejected. Closes + ticket 17070. + + o Removed features: + - The AuthDirMaxServersPerAuthAddr option no longer exists: The same + limit for relays running on a single IP applies to authority IP + addresses as well as to non-authority IP addresses. Closes + ticket 20960. + - The UseDirectoryGuards torrc option no longer exists: all users + that use entry guards will also use directory guards. Related to + proposal 271; implements part of ticket 20831. + + o Testing: + - New unit tests for tor_htonll(). Closes ticket 19563. Patch + from "overcaffeinated". + - Perform the coding style checks when running the tests and fail + when coding style violations are found. Closes ticket 5500. + - Add tests for networkstatus_compute_bw_weights_v10. + - Add unit tests circuit_predict_and_launch_new. + - Extract dummy_origin_circuit_new so it can be used by other + test functions. + + +Changes in version 0.2.8.12 - 2016-12-19 + Tor 0.2.8.12 backports a fix for a medium-severity issue (bug 21018 + below) where Tor clients could crash when attempting to visit a + hostile hidden service. 
Clients are recommended to upgrade as packages + become available for their systems. + + It also includes an updated list of fallback directories, backported + from 0.2.9. + + Now that the Tor 0.2.9 series is stable, only major bugfixes will be + backported to 0.2.8 in the future. + + o Major bugfixes (parsing, security, backported from 0.2.9.8): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Minor features (fallback directory list, backported from 0.2.9.8): + - Replace the 81 remaining fallbacks of the 100 originally + introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177 + fallbacks (123 new, 54 existing, 27 removed) generated in December + 2016. Resolves ticket 20170. + + o Minor features (geoip, backported from 0.2.9.7-rc): + - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 + Country database. + + +Changes in version 0.2.9.8 - 2016-12-19 + Tor 0.2.9.8 is the first stable release of the Tor 0.2.9 series. + + The Tor 0.2.9 series makes mandatory a number of security features + that were formerly optional. It includes support for a new shared- + randomness protocol that will form the basis for next generation + hidden services, includes a single-hop hidden service mode for + optimizing .onion services that don't actually want to be hidden, + tries harder not to overload the directory authorities with excessive + downloads, and supports a better protocol versioning scheme for + improved compatibility with other implementations of the Tor protocol. 
+ + And of course, there are numerous other bugfixes and improvements. + + This release also includes a fix for a medium-severity issue (bug + 21018 below) where Tor clients could crash when attempting to visit a + hostile hidden service. Clients are recommended to upgrade as packages + become available for their systems. + + Below are the changes since 0.2.9.7-rc. For a list of all changes + since 0.2.8, see the ReleaseNotes file. + + o Major bugfixes (parsing, security): + - Fix a bug in parsing that could cause clients to read a single + byte past the end of an allocated region. This bug could be used + to cause hardened clients (built with --enable-expensive-hardening) + to crash if they tried to visit a hostile hidden service. Non- + hardened clients are only affected depending on the details of + their platform's memory allocator. Fixes bug 21018; bugfix on + 0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE- + 2016-12-002 and as CVE-2016-1254. + + o Minor features (fallback directory list): + - Replace the 81 remaining fallbacks of the 100 originally + introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177 + fallbacks (123 new, 54 existing, 27 removed) generated in December + 2016. Resolves ticket 20170. + + +Changes in version 0.2.9.7-rc - 2016-12-12 + Tor 0.2.9.7-rc fixes a few small bugs remaining in Tor 0.2.9.6-rc, + including a few that had prevented tests from passing on + some platforms. + + o Minor features (geoip): + - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2 + Country database. + + o Minor bugfix (build): + - The current Git revision when building from a local repository is + now detected correctly when using git worktrees. Fixes bug 20492; + bugfix on 0.2.3.9-alpha. + + o Minor bugfixes (directory authority): + - When computing old Tor protocol line version in protover, we were + looking at 0.2.7.5 twice instead of a specific case for + 0.2.9.1-alpha. Fixes bug 20810; bugfix on 0.2.9.4-alpha. 
+ + o Minor bugfixes (download scheduling): + - Resolve a "bug" warning when considering a download schedule whose + delay had approached INT_MAX. Fixes 20875; bugfix on 0.2.9.5-alpha. + + o Minor bugfixes (logging): + - Downgrade a harmless log message about the + pending_entry_connections list from "warn" to "info". Mitigates + bug 19926. + + o Minor bugfixes (memory leak): + - Fix a small memory leak when receiving AF_UNIX connections on a + SocksPort. Fixes bug 20716; bugfix on 0.2.6.3-alpha. + - When moving a signed descriptor object from a source to an + existing destination, free the allocated memory inside that + destination object. Fixes bug 20715; bugfix on 0.2.8.3-alpha. + + o Minor bugfixes (memory leak, use-after-free, linux seccomp2 sandbox): + - Fix a memory leak and use-after-free error when removing entries + from the sandbox's getaddrinfo() cache. Fixes bug 20710; bugfix on + 0.2.5.5-alpha. Patch from "cypherpunks". + + o Minor bugfixes (portability): + - Use the correct spelling of MAC_OS_X_VERSION_10_12 on configure.ac + Fixes bug 20935; bugfix on 0.2.9.6-rc. + + o Minor bugfixes (unit tests): + - Stop expecting NetBSD unit tests to report success for ipfw. Part + of a fix for bug 19960; bugfix on 0.2.9.5-alpha. + - Fix tolerances in unit tests for monotonic time comparisons + between nanoseconds and microseconds. Previously, we accepted a 10 + us difference only, which is not realistic on every platform's + clock_gettime(). Fixes bug 19974; bugfix on 0.2.9.1-alpha. + - Remove a double-free in the single onion service unit test. Stop + ignoring a return value. Make future changes less error-prone. + Fixes bug 20864; bugfix on 0.2.9.6-rc. + + +Changes in version 0.2.8.11 - 2016-12-08 + Tor 0.2.8.11 backports fixes for additional portability issues that + could prevent Tor from building correctly on OSX Sierra, or with + OpenSSL 1.1. Affected users should upgrade; others can safely stay + with 0.2.8.10. 
+ + o Minor bugfixes (portability): + - Avoid compilation errors when building on OSX Sierra. Sierra began + to support the getentropy() and clock_gettime() APIs, but created + a few problems in doing so. Tor 0.2.9 has a more thorough set of + workarounds; in 0.2.8, we are just using the /dev/urandom and mach + monotonic time interfaces. Fixes bug 20865. Bugfix + on 0.2.8.1-alpha. + + o Minor bugfixes (portability, backport from 0.2.9.5-alpha): + - Fix compilation with OpenSSL 1.1 and less commonly-used CPU + architectures. Closes ticket 20588. + + +Changes in version 0.2.8.10 - 2016-12-02 + Tor 0.2.8.10 backports a fix for a bug that would sometimes make clients + unusable after they left standby mode. It also backports fixes for + a few portability issues and a small but problematic memory leak. + + o Major bugfixes (client reliability, backport from 0.2.9.5-alpha): + - When Tor leaves standby because of a new application request, open + circuits as needed to serve that request. Previously, we would + potentially wait a very long time. Fixes part of bug 19969; bugfix + on 0.2.8.1-alpha. + + o Major bugfixes (client performance, backport from 0.2.9.5-alpha): + - Clients now respond to new application stream requests immediately + when they arrive, rather than waiting up to one second before + starting to handle them. Fixes part of bug 19969; bugfix + on 0.2.8.1-alpha. + + o Minor bugfixes (portability, backport from 0.2.9.6-rc): + - Work around a bug in the OSX 10.12 SDK that would prevent us from + successfully targeting earlier versions of OSX. Resolves + ticket 20235. + + o Minor bugfixes (portability, backport from 0.2.9.5-alpha): + - Fix implicit conversion warnings under OpenSSL 1.1. Fixes bug + 20551; bugfix on 0.2.1.1-alpha. + + o Minor bugfixes (relay, backport from 0.2.9.5-alpha): + - Work around a memory leak in OpenSSL 1.1 when encoding public + keys. Fixes bug 20553; bugfix on 0.0.2pre8. 
+ + o Minor features (geoip): + - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2 + Country database. + +Changes in version 0.2.9.6-rc - 2016-12-02 + Tor 0.2.9.6-rc fixes a few remaining bugs found in the previous alpha + version. We hope that it will be ready to become stable soon, and we + encourage everyone to test this release. If no showstopper bugs are + found here, the next 0.2.9 release will be stable. + + o Major bugfixes (relay, resolver, logging): + - For relays that don't know their own address, avoid attempting a + local hostname resolve for each descriptor we download. This + will cut down on the number of "Success: chose address 'x.x.x.x'" + log lines, and also avoid confusing clock jumps if the resolver + is slow. Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (client, fascistfirewall): + - Avoid spurious warnings when ReachableAddresses or FascistFirewall + is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha. + + o Minor bugfixes (hidden services): + - Stop ignoring the anonymity status of saved keys for hidden + services and single onion services when first starting tor. + Instead, refuse to start tor if any hidden service key has been + used in a different hidden service anonymity mode. Fixes bug + 20638; bugfix on 17178 in 0.2.9.3-alpha; reported by ahf. + + o Minor bugfixes (portability): + - Work around a bug in the OSX 10.12 SDK that would prevent us from + successfully targeting earlier versions of OSX. Resolves + ticket 20235. + - Run correctly when built on Windows build environments that + require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha. + + o Minor bugfixes (single onion services, Tor2web): + - Stop complaining about long-term one-hop circuits deliberately + created by single onion services and Tor2web. These log messages + are intended to diagnose issue 8387, which relates to circuits + hanging around forever for no reason. Fixes bug 20613; bugfix on + 0.2.9.1-alpha. 
Reported by "pastly". + + o Minor bugfixes (unit tests): + - Stop spurious failures in the local interface address discovery + unit tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by + Neel Chauhan. + + o Documentation: + - Correct the minimum bandwidth value in torrc.sample, and queue a + corresponding change for torrc.minimal. Closes ticket 20085. + + +Changes in version 0.2.9.5-alpha - 2016-11-08 + Tor 0.2.9.5-alpha fixes numerous bugs discovered in the previous alpha + version. We believe one or two probably remain, and we encourage + everyone to test this release. + + o Major bugfixes (client performance): + - Clients now respond to new application stream requests immediately + when they arrive, rather than waiting up to one second before + starting to handle them. Fixes part of bug 19969; bugfix + on 0.2.8.1-alpha. + + o Major bugfixes (client reliability): + - When Tor leaves standby because of a new application request, open + circuits as needed to serve that request. Previously, we would + potentially wait a very long time. Fixes part of bug 19969; bugfix + on 0.2.8.1-alpha. + + o Major bugfixes (download scheduling): + - When using an exponential backoff schedule, do not give up on + downloading just because we have failed a bunch of times. Since + each delay is longer than the last, retrying indefinitely won't + hurt. Fixes bug 20536; bugfix on 0.2.9.1-alpha. + - If a consensus expires while we are waiting for certificates to + download, stop waiting for certificates. + - If we stop waiting for certificates less than a minute after we + started downloading them, do not consider the certificate download + failure a separate failure. Fixes bug 20533; bugfix + on 0.2.0.9-alpha. + - Remove the maximum delay on exponential-backoff scheduling. Since + we now allow an infinite number of failures (see ticket 20536), we + must now allow the time to grow longer on each failure. Fixes part + of bug 20534; bugfix on 0.2.9.1-alpha. 
+ - Make our initial download delays closer to those from 0.2.8. Fixes + another part of bug 20534; bugfix on 0.2.9.1-alpha. + - When determining when to download a directory object, handle times + after 2038 if the operating system supports them. (Someday this + will be important!) Fixes bug 20587; bugfix on 0.2.8.1-alpha. + - When using exponential backoff in test networks, use a lower + exponent, so the delays do not vary as much. This helps test + networks bootstrap consistently. Fixes bug 20597; bugfix on 20499. + + o Minor features (geoip): + - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2 + Country database. + + o Minor bugfixes (client directory scheduling): + - Treat "relay too busy to answer request" as a failed request and a + reason to back off on our retry frequency. This is safe now that + exponential backoffs retry indefinitely, and avoids a bug where we + would reset our download schedule erroneously. Fixes bug 20593; + bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (client, logging): + - Remove a BUG warning in circuit_pick_extend_handshake(). Instead, + assume all nodes support EXTEND2. Use ntor whenever a key is + available. Fixes bug 20472; bugfix on 0.2.9.3-alpha. + - On DNSPort, stop logging a BUG warning on a failed hostname + lookup. Fixes bug 19869; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (hidden services): + - When configuring hidden services, check every hidden service + directory's permissions. Previously, we only checked the last + hidden service. Fixes bug 20529; bugfix the work to fix 13942 + in 0.2.6.2-alpha. + + o Minor bugfixes (portability): + - Fix compilation with OpenSSL 1.1 and less commonly-used CPU + architectures. Closes ticket 20588. + - Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has + removed the ECDH ciphers which caused the tests to fail on + platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha. + - Fix implicit conversion warnings under OpenSSL 1.1. 
Fixes bug + 20551; bugfix on 0.2.1.1-alpha. + + o Minor bugfixes (relay bootstrap): + - Ensure relays don't make multiple connections during bootstrap. + Fixes bug 20591; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (relay): + - Work around a memory leak in OpenSSL 1.1 when encoding public + keys. Fixes bug 20553; bugfix on 0.0.2pre8. + - Avoid a small memory leak when informing worker threads about + rotated onion keys. Fixes bug 20401; bugfix on 0.2.6.3-alpha. + - Do not try to parallelize workers more than 16x without the user + explicitly configuring us to do so, even if we do detect more than + 16 CPU cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha. + + o Minor bugfixes (single onion services): + - Start correctly when creating a single onion service in a + directory that did not previously exist. Fixes bug 20484; bugfix + on 0.2.9.3-alpha. + + o Minor bugfixes (testing): + - Avoid a unit test failure on systems with over 16 detectable CPU + cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha. + + o Documentation: + - Clarify that setting HiddenServiceNonAnonymousMode requires you to + also set "SOCKSPort 0". Fixes bug 20487; bugfix on 0.2.9.3-alpha. + - Module-level documentation for several more modules. Closes + tickets 19287 and 19290. Changes in version 0.2.8.9 - 2016-10-17 @@ -123,7 +2582,7 @@ Changes in version 0.2.9.4-alpha - 2016-10-17 o Minor bugfixes (getpass): - Defensively fix a non-triggerable heap corruption at do_getpass() to protect ourselves from mistakes in the future. Fixes bug - #19223; bugfix on 0.2.7.3-rc. Bug found by Guido Vranken, patch + 19223; bugfix on 0.2.7.3-rc. Bug found by Guido Vranken, patch by nherring. o Minor bugfixes (hidden service): 
@@ -194,7 +2653,7 @@ Changes in version 0.2.9.3-alpha - 2016-09-23 o Major bugfixes (circuit building): - Hidden service client-to-intro-point and service-to-rendezvous- - point cicruits use the TAP key supplied by the protocol, to avoid + point circuits use the TAP key supplied by the protocol, to avoid epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc. o Major bugfixes (compilation, OpenBSD): @@ -216,8 +2675,9 @@ Changes in version 0.2.9.3-alpha - 2016-09-23 OpenSSL 0.9.7 or later since 2009. Closes ticket 19998. o Minor feature (fallback directories): - - Remove broken entries from the hard-coded fallback directory list. - Closes ticket 20190; patch by teor. + - Remove 8 fallbacks that are no longer suitable, leaving 81 of the + 100 fallbacks originally introduced in Tor 0.2.8.2-alpha in March + 2016. Closes ticket 20190; patch by teor. o Minor features (geoip, also in 0.2.8.8): - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2 @@ -312,7 +2772,7 @@ Changes in version 0.2.9.3-alpha - 2016-09-23 - Document the default PathsNeededToBuildCircuits value that's used by clients when the directory authorities don't set min_paths_for_circs_pct. Fixes bug 20117; bugfix on 02c320916e02 - in tor-0.2.4.10-alpha. Patch by teor, reported by Jesse V. + in 0.2.4.10-alpha. Patch by teor, reported by Jesse V. - Fix manual for the User option: it takes a username, not a UID. Fixes bug 19122; bugfix on 0.0.2pre16 (the first version to have a manpage!). 
@@ -351,12 +2811,12 @@ Changes in version 0.2.9.3-alpha - 2016-09-23 o Minor bugfixes (options): - Check the consistency of UseEntryGuards and EntryNodes more - reliably. Fixes bug 20074; bugfix on tor- 0.2.4.12-alpha. Patch + reliably. Fixes bug 20074; bugfix on 0.2.4.12-alpha. Patch by teor. - Stop changing the configured value of UseEntryGuards on authorities and Tor2web clients. Fixes bug 20074; bugfix on - commits 51fc6799 in tor-0.1.1.16-rc and acda1735 in tor-0.2.4.3- - alpha. Patch by teor. + commits 51fc6799 in 0.1.1.16-rc and acda1735 in 0.2.4.3-alpha. + Patch by teor. o Minor bugfixes (Tor2web): - Prevent Tor2web clients running hidden services, these services @@ -395,8 +2855,9 @@ Changes in version 0.2.8.8 - 2016-09-23 this one. o Minor feature (fallback directories): - - Remove broken fallbacks from the hard-coded fallback directory - list. Closes ticket 20190; patch by teor. + - Remove 8 fallbacks that are no longer suitable, leaving 81 of the + 100 fallbacks originally introduced in Tor 0.2.8.2-alpha in March + 2016. Closes ticket 20190; patch by teor. o Minor features (geoip): - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2 @@ -850,8 +3311,9 @@ Changes in version 0.2.8.6 - 2016-08-02 is signed. Fixes bug 19682; bugfix on 0.2.8.1-alpha. o Minor bugfixes (fallback directories): - - Remove a fallback that was on the hardcoded list, then opted-out. - Fixes bug 19782; update to fallback list from 0.2.8.2-alpha. + - Remove 1 fallback that was on the hardcoded list, then opted-out, + leaving 89 of the 100 fallbacks originally introduced in Tor + 0.2.8.2-alpha in March 2016. Closes ticket 19782; patch by teor. o Minor bugfixes (Linux seccomp2 sandbox): - Allow more syscalls when running with "Sandbox 1" enabled: 
@@ -875,7 +3337,7 @@ Changes in version 0.2.8.5-rc - 2016-07-07 o Major bugfixes (heartbeat): - Fix a regression that would crash Tor when the periodic "heartbeat" log messages were disabled. Fixes bug 19454; bugfix on - tor-0.2.8.1-alpha. Reported by "kubaku". + 0.2.8.1-alpha. Reported by "kubaku". o Minor features (build): - Tor now again builds with the recent OpenSSL 1.1 development @@ -923,8 +3385,9 @@ Changes in version 0.2.8.5-rc - 2016-07-07 - Update fallback whitelist and blacklist based on relay operator emails. Blacklist unsuitable (non-working, over-volatile) fallbacks. Resolves ticket 19071. Patch by teor. - - Update hard-coded fallback list to remove unsuitable fallbacks. - Resolves ticket 19071. Patch by teor. + - Remove 10 unsuitable fallbacks, leaving 90 of the 100 fallbacks + originally introduced in Tor 0.2.8.2-alpha in March 2016. Closes + ticket 19071; patch by teor. Changes in version 0.2.8.4-rc - 2016-06-15 @@ -1021,7 +3484,7 @@ Changes in version 0.2.8.3-alpha - 2016-05-26 o Major bugfixes (testing): - Fix a bug that would block 'make test-network-all' on systems where - IPv6 packets were lost. Fixes bug 19008; bugfix on tor-0.2.7.3-rc. + IPv6 packets were lost. Fixes bug 19008; bugfix on 0.2.7.3-rc. - Avoid "WSANOTINITIALISED" warnings in the unit tests. Fixes bug 18668; bugfix on 0.2.8.1-alpha. 
@@ -1034,10 +3497,12 @@ Changes in version 0.2.8.3-alpha - 2016-05-26 - Give each fallback the same weight for client selection; restrict fallbacks to one per operator; report fallback directory detail changes when rebuilding list; add new fallback directory mirrors - to the whitelist; update fallback directories based on the latest - OnionOO data; and any other minor simplifications and fixes. - Closes tasks 17158, 17905, 18749, bug 18689, and fixes part of bug - 18812 on 0.2.8.1-alpha; patch by "teor". + to the whitelist; and many other minor simplifications and fixes. + Closes tasks 17905, 18749, bug 18689, and fixes part of bug 18812 on + 0.2.8.1-alpha; patch by "teor". + - Replace the 21 fallbacks generated in January 2016 and included in + Tor 0.2.8.1-alpha, with a list of 100 fallbacks generated in March + 2016. Closes task 17158; patch by "teor". o Minor features (geoip): - Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2 @@ -1307,7 +3772,7 @@ Changes in version 0.2.8.2-alpha - 2016-03-28 testing versions of the static libraries. Fixes bug 18490; bugfix on 0.2.7.1-alpha. - Avoid spurious failures from configure files related to calling - exit(0) in TOR_SEARCH_LIBRARY. Fixes bug 18625; bugfix on + exit(0) in TOR_SEARCH_LIBRARY. Fixes bug 18626; bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". - Silence spurious clang-scan warnings in the ed25519_donna code by explicitly initializing some objects. Fixes bug 18384; bugfix on 
@@ -1481,10 +3946,11 @@ Changes in version 0.2.8.1-alpha - 2016-02-04 should reduces failures due to fallback churn. Implements ticket 4483. Patch by "teor". Implements IPv4 portions of proposal 210 by "mikeperry" and "teor". - - Include a trial list of default fallback directories, based on an - opt-in survey of suitable relays. Doing this should make clients - bootstrap more quickly and reliably, and reduce the load on the - directory authorities. Closes ticket 15775. Patch by "teor". + - Include a trial list of 21 default fallback directories, generated + in January 2016, based on an opt-in survey of suitable relays. + Doing this should make clients bootstrap more quickly and reliably, + and reduce the load on the directory authorities. Closes ticket + 15775. Patch by "teor". Candidates identified using an OnionOO script by "weasel", "teor", "gsathya", and "karsten". - Previously only relays that explicitly opened a directory port |
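Review bot: the security entries added by the first hunk (@@ -1,4 +1,2463 @@) break the advisory identifier across a line wrap, "Also tracked as TROVE-" followed on the next line by "2016-12-002 and as CVE-2016-1254", in both the 0.2.8.12 and the 0.2.9.8 entries for bug 21018, so a search of the ChangeLog for TROVE-2016-12-002 will not match. Re-wrap so the identifier stays on one line; the same patch already does this for a version string in the 0.2.9.3-alpha options entry, where "tor-0.2.4.3-" / "alpha" becomes "0.2.4.3-alpha". The added text in that first hunk also keeps the "tor-" version prefix that the later hunks strip ("bugfix on tor-0.2.0.7-alpha" under Minor bugfixes (util), "tor-0.2.5.1-alpha" and "tor-0.2.5.6-alpha" under Documentation), and it carries a few wording slips worth fixing before release: "fingerprinting resistence", "can identity themselves by Ed25519 ID", "as is done as throughout the codebase", "bugfix the work to fix 13942" (missing "on"), and a missing full stop after "on configure.ac" ahead of "Fixes bug 20935".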
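Review bot: the fallback-directory entries disagree on which release introduced the 100-entry list. The hunk at @@ -1034,10 +3497,12 @@ records "a list of 100 fallbacks generated in March 2016" under 0.2.8.3-alpha, and the 0.2.8.12 and 0.2.9.8 entries added in the first hunk say "introduced in Tor 0.2.8.3-alpha in March 2016", but the rewritten entries at @@ -216,8 +2675,9 @@, @@ -395,8 +2855,9 @@, @@ -850,8 +3311,9 @@ and @@ -923,8 +3385,9 @@ all say "originally introduced in Tor 0.2.8.2-alpha in March 2016". Pick one version and use it in every entry. The counts themselves are consistent across the hunks (100, then 90, 89 and 81 remaining, and 54 existing plus 123 new for the list of 177). Separately, the @@ -850,8 +3311,9 @@ entry now reads "Closes ticket 19782" while still sitting under "Minor bugfixes (fallback directories)", where the other entries use "Fixes bug"; either keep the original wording or move the entry under a features heading as the 0.2.8.8 and 0.2.9.3-alpha entries do.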