Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 1678
1 files changed, 1505 insertions, 173 deletions
diff --git a/ChangeLog b/ChangeLog
index 790d1d487d..d7c9430f8d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,231 +1,1559 @@
-Changes in version 0.2.5.4-alpha - 2014-04-??
+Changes in version 0.2.6.2-alpha - 2014-12-??
+ Tor 0.2.6.2-alpha is the second alpha release in the 0.2.6.x series.
+
+ o Major features (relay, infrastructure):
+ - Completely revision of the code that relays use to decide which
+ cell to send next. Formerly, we selected the best circuit to write
+ on each channel, but we didn't select among channels in any
+ sophisticated way. Now, we choose the best circuits globally from
+ among those whose channels are ready to deliver traffic.
+
+ This patch implements a new inter-cmux comparison API, a global
+ high/low watermark mechanism and a global scheduler loop for
+ transmission prioritization across all channels as well as among
+ circuits on one channel. This schedule is currently tuned to
+ (tolerantly) avoid making changes in the current network
+ performance, but it should form the basis for major circuit
+ performance increases. Code by Andrea; tuning by Rob Jansen;
+ implements ticket 9262.
+
+ o Major features (hidden services):
+ - Add a HiddenServiceStatistics option that allows Tor relays to
+ gather and publish statistics the overall size and volume of
+ hidden service usage. Specifically, when this option is turned on,
+ an HSDir will publish an approximate number of hidden services
+ that have published descriptors to it the past 24 hours. Also, if
+ a relay has acted as a hidden service rendezvous point, it will
+ publish the approximate amount of rendezvous cells it has relayed
+ the past 24 hours. The statistics themselves are obfuscated so
+ that the exact values cannot be derived. For more details see
+ proposal 238, "Better hidden service stats from Tor relays". This
+ feature is currently disabled by default. Implements feature 13192.
- o Major features (security):
- - Block authority signing keys that were used on an authorities
- vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160).
- (We don't have any evidence that these keys _were_ compromised;
- we're doing this to be prudent.) Resolves ticket 11464.
+ o Major bugfixes (hidden services):
+ - When closing an introduction circuit that was opened in parallel
+ with others, don't mark the introduction point as unreachable.
+ Previously, the first successful connection to an introduction
+ point would make the other introduction points get marked as
+ having timed out. Fixes bug 13698; bugfix on 0.0.6rc2.
- o Deprecated versions:
- - Tor 0.2.2.x has reached end-of-life; it has received no patches or
- attention for some while. Directory authorities no longer accept
- descriptors from Tor relays running any version of Tor prior to Tor
- 0.2.3.16-alpha. Resolves ticket 11149.
+ o Minor features (client):
+ - Validate hostnames in SOCKS5 requests more strictly. If SafeSocks
+ is enabled, reject requests with IP addresses as hostnames.
+ Resolves ticket 13315.
- o Major features (relay performance):
- - Faster server-side lookups of rendezvous and introduction point
- circuits by using hashtables instead of linear searches over all
- the circuits. These functions previously accounted between 3 and
- 7% of CPU usage on some busy relays.
-
- o Major features (seccomp2 sandbox):
- - Refinements and improvements to the Linux seccomp2 sandbox code:
- the sandbox can now run a test network for multiple hours without
- crashing. (Previous crash reasons included: reseeding the OpenSSL PRNG,
- seeding the Libevent PRNG, using the wrong combination of CLOEXEC and
- NONBLOCK at the same place and time, having server keys, being an
- authority, receiving a HUP, or using IPv6.) The sandbox is still
- experimental, and more bugs will probably turn up. To try it,
- enable "Sandbox 1" on a Linux host.
- - Strengthen the Linux seccomp2 sandbox code: the sandbox can now
- test the arguments for rename(), and blocks _sysctl() entirely.
- - When the Linux syscall sandbox finds an illegal system call, it
- now tries to log a stack trace before exiting. Resolves ticket
- 11465.
+ o Minor features (controller):
+ - Add a "SIGNAL HEARTBEAT" Tor controller command that tells Tor to
+ write an unscheduled heartbeat message to the log. Implements
+ feature 9503.
- o Major bugfixes (TLS cipher selection):
- - Generate the server's preference list for ciphersuites
- automatically based on uniform criteria, and considering all
- OpenSSL ciphersuites with acceptable strength and forward
- secrecy. (The sort order is: prefer AES to 3DES; break ties by
- preferring ECDHE to DHE; break ties by preferring GCM to CBC;
- break ties by preferring SHA384 to SHA256 to SHA1; and finally,
- break ties by preferring AES256 to AES128.) This resolves bugs
- #11513, #11492, #11498, #11499. Bugs reported by 'cypherpunks'.
- Bugfix on 0.2.4.8-alpha.
-
- o Major bugfixes (undefined behavior):
- - Fix two instances of possible undefined behavior in channeltls.c
- that could, under unlucky circumstances, have led to a pointer
- overflow. Fixes bug #10363; bugfixes on 0.2.0.10-alpha and
- 0.2.3.6-alpha. Reported by "bobnomnom".
- - Fix another possibly undefined pointer operations in tor_memmem
- fallback implementation. Another case of bug #10363; bugfix on
- 0.1.1.1-alpha.
- - Fix another possibly undefined pointer operations in the eventdns
- fallback implementation. Another case of bug #10363; bugfix on
- 0.1.2.1-alpha.
- - Use AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix some
- miscellaneous errors in our tests and codebase. Fix for bug 11232.
- Bugfixes on versions back as far as 0.2.1.11-alpha.
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the November 15 2014 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (hidden services):
+ - When re-enabling the network, don't try to build introduction
+ circuits until we have successfully built a circuit. This makes
+ hidden services come up faster when the network is re-enabled.
+ Patch from "akwizgran". Closes ticket 13447.
+ - Inform Tor controller about nature of a failure to retrieve hidden
+ service descriptor by sending reason string with "HS_DESC FAILED"
+ controller event. Implements feature 13212.
+ - New HiddenServiceDirGroupReadable option to cause hidden service
+ directories and hostname files to be created group-readable. Patch
+ from "anon", David Stainton, and "meejah". Closes ticket 11291.
+
+ o Minor features (transparent firewall):
+ - Update the transparent proxy option checks to allow for both ipfw
+ and pf on OS X. Closes ticket 14002.
+
+ o Minor bugfixes (client, micordescriptors):
+ - Use a full 256 bits of the SHA256 digest of a microdescriptor when
+ computing which microdescriptors to download. This keeps us from
+ erroneous download behavior if two microdescriptor digests ever
+ have the same first 160 bits. Fixes part of bug 13399; bugfix
+ on 0.2.3.1-alpha.
+ - Reset a router's status if its microdescriptor digest changes,
+ even if the first 160 bits remain the same. Fixes part of bug
+ 13399; bugfix on 0.2.3.1-alpha.
+
+ o Minor bugfixes (compilation):
+ - Silence clang warnings under --enable-expensive-hardening,
+ including implicit truncation of 64 bit values to 32 bit, const
+ char assignment to self, tautological compare, and additional
+ parentheses around equality tests. Fixes bug 13577; bugfix
+ on 0.2.5.4-alpha.
+ - Fix a clang warning about checking whether an address in the
+ middle of a structure is NULL. Fixes bug 14001; bugfix
+ on 0.2.1.2-alpha.
+
+ o Minor bugfixes (hidden services):
+ - Correctly send a controller event when we find that a rendezvous
+ circuit has finished. Fixes bug 13936; bugfix on 0.1.1.5-alpha.
+ - Pre-check directory permissions for new hidden-services to avoid
+ at least one case of "Bug: Acting on config options left us in a
+ broken state. Dying." Fixes bug 13942; bugfix on 0.0.6pre1.
+ - When adding a new hidden service (for example, via SETCONF), Tor
+ no longer congratulates the user for running a relay. Fixes bug
+ 13941; bugfix on 0.2.6.1-alpha.
+ - When fetching hidden service descriptors, we now check not only
+ for whether we got the hidden service we had in mind, but also
+ whether we got the particular descriptors we wanted. This prevents
+ a class of inefficient but annoying DoS attacks by hidden service
+ directories. Fixes bug 13214; bugfix on 0.2.1.6-alpha. Reported
+ by "special".
o Minor bugfixes (logging):
- - Log only one message when we start logging in an unsafe
- way. Previously, we would log as many messages as we had
- problems. Fix for #9870; bugfix on 0.2.5.1-alpha.
- - Using the Linux syscall sandbox no longer prevents stack-trace
- logging on crashes or errors. Fixes part 11465; bugfix on
- 0.2.5.1-alpha.
- - Only report the first fatal boostrap error on a given OR
- connection. This prevents controllers from declaring that a
- connection has failed because of "DONE" or other junk reasons.
- Fixes bug 10431; bugfix on 0.2.1.1-alpha.
+ - Downgrade warnings about RSA signature failures to info log level.
+ Emit a warning when extra info document is found incompatible with
+ a corresponding router descriptor. Fixes bug 9812; bugfix
+ on 0.0.6rc3.
+ - Log the circuit ID correctly in
+ connection_ap_handshake_attach_circuit(). Fixes bug 13701; bugfix
+ on 0.0.6.
- o Minor bugfixes (closing channels):
- - If write_to_buf() in connection_write_to_buf_impl_() ever fails,
- check if it's an or_connection_t and correctly call
- connection_or_close_for_error() rather than connection_mark_for_close()
- directly. Fixes bug #11304; bugfix on 0.2.4.4-alpha.
- - When closing all connections on setting DisableNetwork to 1, use
- connection_or_close_normally() rather than closing orconns out from
- under the channel layer. Fixes bug #11306; bugfix on 0.2.4.4-alpha.
+ o Minor bugfixes (misc):
+ - Stop allowing invalid address patterns like "*/24" that contain
+ both a wildcard address and a bit prefix length. This affects all
+ our address-range parsing code. Fixes bug 7484; bugfix
+ on 0.0.2pre14.
- o Minor bugfixes (controller):
- - Avoid sending an garbage value to the controller when a circuit is
- cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.
+ o Code simplification and refactoring:
+ - Stop using can_complete_circuits as a global variable; access it
+ with a function instead.
+ - Avoid using operators directly as macro arguments: this lets us
+ apply coccinelle transformations to our codebase more directly.
+ Closes ticket 13172.
+ - Combine the functions used to parse ClientTransportPlugin and
+ ServerTransportPlugin into a single function. Closes ticket 6456.
+ - Add inline functions and convenience macros for quick lookup of
+ state component of channel_t structure. Refactor various parts of
+ codebase to use convenience macros instead of checking state
+ member of channel_t directly. Fixes issue 7356.
+ - Document all members of was_router_added_t enum and rename
+ ROUTER_WAS_NOT_NEW to ROUTER_IS_ALREADY_KNOWN to make it less
+ confusable with ROUTER_WAS_TOO_OLD. Fixes issue 13644.
+ - In connection_exit_begin_conn(), use END_CIRC_REASON_TORPROTOCOL
+ constant instead of hardcoded value. Fixes issue 13840.
+ - Refactor our generic strmap and digestmap types into a single
+ implementation, so that we can add a new digest256map
+ type trivially.
- o Minor bugfixes (tor-fw-helper):
- - Allow tor-fw-helper to build again by adding src/ext to its
- CPPFLAGS. Fixes bug 11296; bugfix on 0.2.5.3-alpha.
+ o Directory authority changes:
+ - Remove turtles as a directory authority.
+ - Add longclaw as a new (v3) directory authority. This implements
+ ticket 13296. This keeps the directory authority count at 9.
+
+ o Documentation:
+ - Document the bridge-authority-only 'networkstatus-bridges' file.
+ Closes ticket 13713; patch from "tom".
+ - Fix typo in PredictedPortsRelevanceTime option description in
+ manpage. Resolves issue 13707.
+ - Stop suggesting that users specify nodes by nickname: it isn't a
+ good idea. Also, properly cross-reference how to specify nodes in
+ all parts of the manual for options that take a list of nodes.
+ Closes ticket 13381.
+
+ o Major removed features:
+ - Tor clients no longer support connecting to hidden services
+ running on Tor 0.2.2.x and earlier; the Support022HiddenServices
+ option has been removed. (There shouldn't be any hidden services
+ running these versions on the network.) Closes ticket 7803.
+
+ o Testing:
+ - New tests for many parts of channel, relay, and circuit mux
+ functionality. Code by Andrea; part of 9262.
+ - New tests for parse_transport_line(). Part of ticket 6456.
+ - In the unit tests, use 'chgrp' to change the group of the unit
+ test temporary directory to the current user, so that the sticky
+ bit doesn't interfere with tests that check directory groups.
+ Closes 13678.
+
+
+Changes in version 0.2.6.1-alpha - 2014-10-30
+ Tor 0.2.6.1-alpha is the first release in the Tor 0.2.6.x series. It
+ includes numerous code cleanups and new tests, and fixes a large
+ number of annoying bugs. Out-of-memory conditions are handled better
+ than in 0.2.5, pluggable transports have improved proxy support, and
+ clients now use optimistic data for contacting hidden services. Also,
+ we are now more robust to changes in what we consider a parseable
+ directory object, so that tightening restrictions does not have a risk
+ of introducing infinite download loops.
+
+ This is the first alpha release in a new series, so expect there to be
+ bugs. Users who would rather test out a more stable branch should stay
+ with 0.2.5.x for now.
+
+ o New compiler and system requirements:
+ - Tor 0.2.6.x requires that your compiler support more of the C99
+ language standard than before. The 'configure' script now detects
+ whether your compiler supports C99 mid-block declarations and
+ designated initializers. If it does not, Tor will not compile.
+
+ We may revisit this requirement if it turns out that a significant
+ number of people need to build Tor with compilers that don't
+ bother implementing a 15-year-old standard. Closes ticket 13233.
+ - Tor no longer supports systems without threading support. When we
+ began working on Tor, there were several systems that didn't have
+ threads, or where the thread support wasn't able to run the
+ threads of a single process on multiple CPUs. That no longer
+ holds: every system where Tor needs to run well now has threading
+ support. Resolves ticket 12439.
+
+ o Removed platform support:
+ - We no longer include special code to build on Windows CE; as far
+ as we know, nobody has used Tor on Windows CE in a very long time.
+ Closes ticket 11446.
+
+ o Major features (bridges):
+ - Expose the outgoing upstream HTTP/SOCKS proxy to pluggable
+ transports if they are configured via the "TOR_PT_PROXY"
+ environment variable. Implements proposal 232. Resolves
+ ticket 8402.
+
+ o Major features (client performance, hidden services):
+ - Allow clients to use optimistic data when connecting to a hidden
+ service, which should remove a round-trip from hidden service
+ initialization. See proposal 181 for details. Implements
+ ticket 13211.
+
+ o Major features (directory system):
+ - Upon receiving an unparseable directory object, if its digest
+ matches what we expected, then don't try to download it again.
+ Previously, when we got a descriptor we didn't like, we would keep
+ trying to download it over and over. Closes ticket 11243.
+
+ o Major features (sample torrc):
+ - Add a new, infrequently-changed "torrc.minimal". This file is
+ similar to torrc.sample, but it will change as infrequently as
+ possible, for the benefit of users whose systems prompt them for
+ intervention whenever a default configuration file is changed.
+ Making this change allows us to update torrc.sample to be a more
+ generally useful "sample torrc".
+
+ o Major bugfixes (directory authorities):
+ - Do not assign the HSDir flag to relays if they are not Valid, or
+ currently hibernating. Fixes #12573. Bugfix on tor-0.2.0.10-alpha
+
+ o Major bugfixes (directory bandwidth performance):
+ - Don't flush the zlib buffer aggressively when compressing
+ directory information for clients. This should save about 7% of
+ the bandwidth currently used for compressed descriptors and
+ microdescriptors. Fixes bug 11787; bugfix on 0.1.1.23.
+
+ o Minor features (security, memory wiping):
+ - Ensure we securely wipe keys from memory after
+ crypto_digest_get_digest and init_curve25519_keypair_from_file
+ have finished using them. Resolves ticket 13477.
+
+ o Minor features (security, out-of-memory handling):
+ - When handling an out-of-memory condition, allocate less memory for
+ temporary data structures. Fixes issue 10115.
+ - When handling an out-of-memory condition, consider more types of
+ buffers, including those on directory connections, and zlib
+ buffers. Resolves ticket 11792.
+
+ o Minor features:
+ - When identity keypair is generated for first time, log a
+ congratulatory message that links to the new relay lifecycle
+ document. Implements feature 10427.
+
+ o Minor features (client):
+ - Clients are now willing to send optimistic data (before they
+ receive a 'connected' cell) to relays of any version. (Relays
+ without support for optimistic data are no longer supported on the
+ Tor network.) Resolves ticket 13153.
+
+ o Minor features (directory authorities):
+ - Don't list relays with a bandwidth estimate of 0 in the consensus.
+ Implements a feature proposed during discussion of bug 13000.
+ - In tor-gencert, report an error if the user provides the same
+ argument more than once.
+ - If a directory authority can't find a best consensus method in the
+ votes that it holds, it now falls back to its favorite consensus
+ method. Previously, it fell back to method 1. Neither of these is
+ likely to get enough signatures, but "fall back to favorite"
+ doesn't require us to maintain support an obsolete consensus
+ method. Implements part of proposal 215.
+
+ o Minor features (logging):
+ - On Unix-like systems, you can now use named pipes as the target of
+ the Log option, and other options that try to append to files.
+ Closes ticket 12061. Patch from "carlo von lynX".
+ - When opening a log file at startup, send it every log message that
+ we generated between startup and opening it. Previously, log
+ messages that were generated before opening the log file were only
+ logged to stdout. Closes ticket 6938.
+ - Add a TruncateLogFile option to overwrite logs instead of
+ appending to them. Closes ticket #5583.
+
+ o Minor features (portability, Solaris):
+ - Threads are no longer disabled by default on Solaris; we believe
+ that the versions of Solaris with broken threading support are all
+ obsolete by now. Resolves ticket 9495.
+
+ o Minor features (relay):
+ - Re-check our address after we detect a changed IP address from
+ getsockname(). This ensures that the controller command "GETINFO
+ address" will report the correct value. Resolves ticket 11582.
+ Patch from "ra".
+ - A new AccountingRule option lets Relays set whether they'd like
+ AccountingMax to be applied separately to inbound and outbound
+ traffic, or applied to the sum of inbound and outbound traffic.
+ Resolves ticket 961. Patch by "chobe".
+
+ o Minor features (testing networks):
+ - Add the TestingDirAuthVoteExit option, which lists nodes to assign
+ the "Exit" flag regardless of their uptime, bandwidth, or exit
+ policy. TestingTorNetwork must be set for this option to have any
+ effect. Previously, authorities would take up to 35 minutes to
+ give nodes the Exit flag in a test network. Partially implements
+ ticket 13161.
+
+ o Minor features (validation):
+ - Check all date/time values passed to tor_timegm and
+ parse_rfc1123_time for validity, taking leap years into account.
+ Improves HTTP header validation. Implemented with bug 13476.
+ - In correct_tm(), limit the range of values returned by system
+ localtime(_r) and gmtime(_r) to be between the years 1 and 8099.
+ This means we don't have to deal with negative or too large dates,
+ even if a clock is wrong. Otherwise we might fail to read a file
+ written by us which includes such a date. Fixes bug 13476.
+
+ o Minor bugfixes (bridge clients):
+ - When configured to use a bridge without an identity digest (not
+ recommended), avoid launching an extra channel to it when
+ bootstrapping. Fixes bug 7733; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (bridges):
- - Avoid potential crashes or bad behavior when launching a
- server-side managed proxy with ORPort or ExtORPort temporarily
- disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha.
+ - When DisableNetwork is set, do not launch pluggable transport
+ plugins, and if any are running, terminate them. Fixes bug 13213;
+ bugfix on 0.2.3.6-alpha.
- o Minor bugfixes (misc):
- - Don't re-initialize a second set of openssl mutexes when starting
- up. Fixes bug 11726; bugfix on 0.2.5.3-alpha.
+ o Minor bugfixes (C correctness):
+ - Fix several instances of possible integer overflow/underflow/NaN.
+ Fixes bug 13104; bugfix on 0.2.3.1-alpha and later. Patches
+ from "teor".
+ - In circuit_build_times_calculate_timeout() in circuitstats.c,
+ avoid dividing by zero in the pareto calculations. This traps
+ under clang's "undefined-trap" sanitizer. Fixes bug 13290; bugfix
+ on tor-0.2.2.2-alpha.
+ - Fix an integer overflow in format_time_interval(). Fixes bug
+ 13393; bugfix on 0.2.0.10-alpha.
+ - Set the correct day of year value when the system's localtime(_r)
+ or gmtime(_r) functions fail to set struct tm. Not externally
+ visible. Fixes bug 13476; bugfix on 0.0.2pre14.
+ - Avoid unlikely signed integer overflow in tor_timegm on systems
+ with 32-bit time_t. Fixes bug 13476; bugfix on 0.0.2pre14.
- o Minor bugfixes (memory leaks):
- - Fix a minor memory leak that occurred when signing a directory
- object. Fixes bug 11275; bugfix on 0.2.4.13-alpha.
+ o Minor bugfixes (client):
+ - Fix smartlist_choose_node_by_bandwidth() so that relays with the
+ BadExit flag are not considered worthy candidates. Fixes bug
+ 13066; bugfix on 0.1.2.3-alpha.
+ - Use the consensus schedule for downloading consensuses, and not
+ the generic schedule. Fixes bug 11679; bugfix on 0.2.2.6-alpha.
+ - Handle unsupported or malformed SOCKS5 requests properly by
+ responding with the appropriate error message before closing the
+ connection. Fixes bugs 12971 and 13314; bugfix on 0.0.2pre13.
+
+ o Minor bugfixes (client, torrc):
+ - Stop modifying the value of our DirReqStatistics torrc option just
+ because we're not a bridge or relay. This bug was causing Tor
+ Browser users to write "DirReqStatistics 0" in their torrc files
+ as if they had chosen to change the config. Fixes bug 4244; bugfix
+ on 0.2.3.1-alpha.
+ - When GeoIPExcludeUnkonwn is enabled, do not incorrectly decide
+ that our options have changed every time we SIGHUP. Fixes bug
+ 9801; bugfix on 0.2.4.10-alpha. Patch from "qwerty1".
- o Minor bugfixes (platform-specific):
- - Fix compilation on Solaris, which does not have <endian.h>.
- Fixes bug 11426; bugfix on 0.2.5.3-alpha.
- - When dumping a malformed directory object to disk, save it in binary
- mode on windows, not text mode. Fixes bug 11342; bugfix on
- 0.2.2.1-alpha.
- - When reporting a failure from make_socket_reuseable(), don't
- report a warning when we get a failure from an incoming socket
- on OSX. Fix for bug 10081.
+ o Minor bugfixes (controller):
+ - Return an error when the second or later arguments of the
+ "setevents" controller command are invalid events. Previously we
+ would return success while silently skipping invalid events. Fixes
+ bug 13205; bugfix on 0.2.3.2-alpha. Reported by "fpxnns".
+
+ o Minor bugfixes (directory system):
+ - Always believe that v3 directory authorities serve extra-info
+ documents, whether they advertise "caches-extra-info" or not.
+ Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
+ - When running as a v3 directory authority, advertise that you serve
+ extra-info documents so that clients who want them can find them
+ from you too. Fixes part of bug 11683; bugfix on 0.2.0.1-alpha.
+ - Check the BRIDGE_DIRINFO flag bitwise rather than using equality.
+ Previously, directories offering BRIDGE_DIRINFO and some other
+ flag (i.e. microdescriptors or extrainfo) would be ignored when
+ looking for bridges. Partially fixes bug 13163; bugfix
+ on 0.2.0.7-alpha.
+
+ o Minor bugfixes (networking):
+ - Check for orconns and use connection_or_close_for_error() rather
+ than connection_mark_for_close() directly in the getsockopt()
+ failure case of connection_handle_write_impl(). Fixes bug 11302;
+ bugfix on 0.2.4.4-alpha.
- o Minor bugfixes (trivial memory leaks):
- - Free placeholder entries in our circuit table at exit; fixes
- a harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha.
- - Resolve some memory leaks found by coverity in the unit tests,
- on exit in tor-gencert, and on a failure to compute digests
- for our own keys when generating a v3 networkstatus vote.
- These leaks should never have affected anyone in practice.
+ o Minor bugfixes (relay):
+ - When generating our family list, remove spaces from around the
+ entries. Fixes bug 12728; bugfix on 0.2.1.7-alpha.
+ - If our previous bandwidth estimate was 0 bytes, allow publishing a
+ new relay descriptor immediately. Fixes bug 13000; bugfix
+ on 0.1.1.6-alpha.
- o Minor bugfixes (hidden service):
- - Only retry attempts to connect to a chosen rendezvous point 8 times,
- not 30. Fixes bug #4241; bugfix on 0.1.0.1-rc.
+ o Minor bugfixes (testing networks):
+ - Fix TestingDirAuthVoteGuard to properly give out Guard flags in a
+ testing network. Fixes bug 13064; bugfix on 0.2.5.2-alpha.
+ - Stop using the default authorities in networks which provide both
+ AlternateDirAuthority and AlternateBridgeAuthority. Partially
+ fixes bug 13163; bugfix on 0.2.0.13-alpha.
- o Minor bugfixes (bridge client):
- - Stop accepting bridge lines containing hostnames. Doing so allowed
- clients to perform DNS requests on the hostnames, which was not
- sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
+ o Minor bugfixes (testing):
+ - Stop spawn test failures due to a race condition between the
+ SIGCHLD handler updating the process status, and the test reading
+ it. Fixes bug 13291; bugfix on 0.2.3.3-alpha.
+
+ o Minor bugfixes (testing, Windows):
+ - Avoid passing an extra backslash when creating a temporary
+ directory for running the unit tests on Windows. Fixes bug 12392;
+ bugfix on 0.2.2.25-alpha. Patch from Gisle Vanem.
+
+ o Minor bugfixes (windows):
+ - Remove code to special-case handling of NTE_BAD_KEYSET when
+ acquiring windows CryptoAPI context. This error can't actually
+ occur for the parameters we're providing. Fixes bug 10816; bugfix
+ on 0.0.2pre26.
+
+ o Minor bugfixes (zlib):
+ - Avoid truncating a zlib stream when trying to finalize it with an
+ empty output buffer. Fixes bug 11824; bugfix on 0.1.1.23.
+
+ o Build fixes:
+ - Allow our configure script to build correctly with autoconf 2.62
+ again. Fixes bug 12693; bugfix on 0.2.5.2-alpha.
+ - Improve the error message from ./configure to make it clear that
+ when asciidoc has not been found, the user will have to either add
+ --disable-asciidoc argument or install asciidoc. Resolves
+ ticket 13228.
+
+ o Code simplification and refactoring:
+ - Change the entry_is_live() function to take named bitfield
+ elements instead of an unnamed list of booleans. Closes
+ ticket 12202.
+ - Refactor and unit-test entry_is_time_to_retry() in entrynodes.c.
+ Resolves ticket 12205.
+ - Use calloc and reallocarray functions instead of multiply-
+ then-malloc. This makes it less likely for us to fall victim to an
+ integer overflow attack when allocating. Resolves ticket 12855.
+ - Use the standard macro name SIZE_MAX, instead of our
+ own SIZE_T_MAX.
+ - Document usage of the NO_DIRINFO and ALL_DIRINFO flags clearly in
+ functions which take them as arguments. Replace 0 with NO_DIRINFO
+ in a function call for clarity. Seeks to prevent future issues
+ like 13163.
+ - Avoid 4 null pointer errors under clang static analysis by using
+ tor_assert() to prove that the pointers aren't null. Fixes
+ bug 13284.
+ - Rework the API of policies_parse_exit_policy() to use a bitmask to
+ represent parsing options, instead of a confusing mess of
+ booleans. Resolves ticket 8197.
+ - Introduce a helper function to parse ExitPolicy in
+ or_options_t structure.
+
+ o Documentation:
+ - Add a doc/TUNING document with tips for handling large numbers of
+ TCP connections when running busy Tor relay. Update the warning
+ message to point to this file when running out of sockets
+ operating system is allowing to use simultaneously. Resolves
+ ticket 9708.
+
+ o Removed features:
+ - We no longer remind the user about configuration options that have
+ been obsolete since 0.2.3.x or earlier. Patch by Adrien Bak.
+ - Remove our old, non-weighted bandwidth-based node selection code.
+ Previously, we used it as a fallback when we couldn't perform
+ weighted bandwidth-based node selection. But that would only
+ happen in the cases where we had no consensus, or when we had a
+ consensus generated by buggy or ancient directory authorities. In
+ either case, it's better to use the more modern, better maintained
+ algorithm, with reasonable defaults for the weights. Closes
+ ticket 13126.
+ - Remove the --disable-curve25519 configure option. Relays and
+ clients now are required to support curve25519 and the
+ ntor handshake.
+ - The old "StrictEntryNodes" and "StrictExitNodes" options, which
+ used to be deprecated synonyms for "StrictNodes", are now marked
+ obsolete. Resolves ticket 12226.
+ - Clients don't understand the BadDirectory flag in the consensus
+ anymore, and ignore it.
+
+ o Testing:
+ - Refactor the function that chooses guard nodes so that it can more
+ easily be tested; write some tests for it.
+ - Fix and re-enable the fgets_eagain unit test. Fixes bug 12503;
+ bugfix on 0.2.3.1-alpha. Patch from "cypherpunks."
+ - Create unit tests for format_time_interval(). With bug 13393.
+ - Add unit tests for tor_timegm signed overflow, tor_timegm and
+ parse_rfc1123_time validity checks, correct_tm year clamping. Unit
+ tests (visible) fixes in bug 13476.
+ - Add a "coverage-html" make target to generate HTML-visualized
+ coverage results when building with --enable-coverage. (Requires
+ lcov.) Patch from Kevin Murray.
+ - Enable the backtrace handler (where supported) when running the
+ unit tests.
+ - Revise all unit tests that used the legacy test_* macros to
+ instead use the recommended tt_* macros. This patch was generated
+ with coccinelle, to avoid manual errors. Closes ticket 13119.
+
+ o Distribution (systemd):
+ - systemd unit file: only allow tor to write to /var/lib/tor and
+ /var/log/tor. The rest of the filesystem is accessible for reading
+ only. Patch by intrigeri; resolves ticket 12751.
+ - systemd unit file: ensure that the process and all its children
+ can never gain new privileges. Patch by intrigeri; resolves
+ ticket 12939.
+ - systemd unit file: set up /var/run/tor as writable for the Tor
+ service. Patch by intrigeri; resolves ticket 13196.
+
+ o Removed features (directory authorities):
+ - Remove code that prevented authorities from listing Tor relays
+ affected by CVE-2011-2769 as guards. These relays are already
+ rejected altogether due to the minimum version requirement of
+ 0.2.3.16-alpha. Closes ticket 13152.
+ - The "AuthDirRejectUnlisted" option no longer has any effect, as
+ the fingerprints file (approved-routers) has been deprecated.
+ - Directory authorities do not support being Naming dirauths anymore.
+ The "NamingAuthoritativeDir" config option is now obsolete.
+ - Directory authorities do not support giving out the BadDirectory
+ flag anymore.
+ - Directory authorities no longer advertise or support consensus
+ methods 1 through 12 inclusive. These consensus methods were
+ obsolete and/or insecure: maintaining the ability to support them
+ served no good purpose. Implements part of proposal 215; closes
+ ticket 10163.
+
+ o Testing (test-network.sh):
+ - Stop using "echo -n", as some shells' built-in echo doesn't
+ support "-n". Instead, use "/bin/echo -n". Partially fixes
+ bug 13161.
+ - Stop an apparent test-network hang when used with make -j2. Fixes
+ bug 13331.
+ - Add a --delay option to test-network.sh, which configures the
+ delay before the chutney network tests for data transmission.
+ Partially implements ticket 13161.
+
+
+Changes in version 0.2.5.10 - 2014-10-24
+ Tor 0.2.5.10 is the first stable release in the 0.2.5 series.
+
+ It adds several new security features, including improved
+ denial-of-service resistance for relays, new compiler hardening
+ options, and a system-call sandbox for hardened installations on Linux
+ (requires seccomp2). The controller protocol has several new features,
+ resolving IPv6 addresses should work better than before, and relays
+ should be a little more CPU-efficient. We've added support for more
+ OpenBSD and FreeBSD transparent proxy types. We've improved the build
+ system and testing infrastructure to allow unit testing of more parts
+ of the Tor codebase. Finally, we've addressed several nagging pluggable
+ transport usability issues, and included numerous other small bugfixes
+ and features mentioned below.
+
+ This release marks end-of-life for Tor 0.2.3.x; those Tor versions
+ have accumulated many known flaws; everyone should upgrade.
+
+ o Deprecated versions:
+ - Tor 0.2.3.x has reached end-of-life; it has received no patches or
+ attention for some while.
+
+
+Changes in version 0.2.5.9-rc - 2014-10-20
+ Tor 0.2.5.9-rc is the third release candidate for the Tor 0.2.5.x
+ series. It disables SSL3 in response to the recent "POODLE" attack
+ (even though POODLE does not affect Tor). It also works around a crash
+ bug caused by some operating systems' response to the "POODLE" attack
+ (which does affect Tor). It also contains a few miscellaneous fixes.
+
+ o Major security fixes:
+ - Disable support for SSLv3. All versions of OpenSSL in use with Tor
+ today support TLS 1.0 or later, so we can safely turn off support
+ for this old (and insecure) protocol. Fixes bug 13426.
+
+ o Major bugfixes (openssl bug workaround):
+ - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+ 1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug
+ 13471. This is a workaround for an OpenSSL bug.
+
+ o Minor bugfixes:
+ - Disable the sandbox name resolver cache when running tor-resolve:
+ tor-resolve doesn't use the sandbox code, and turning it on was
+ breaking attempts to do tor-resolve on a non-default server on
+ Linux. Fixes bug 13295; bugfix on 0.2.5.3-alpha.
+
+ o Compilation fixes:
+ - Build and run correctly on systems like OpenBSD-current that have
+ patched OpenSSL to remove get_cipher_by_char and/or its
+ implementations. Fixes issue 13325.
+
+ o Downgraded warnings:
+ - Downgrade the severity of the 'unexpected sendme cell from client'
+ from 'warn' to 'protocol warning'. Closes ticket 8093.
+
+
+Changes in version 0.2.4.25 - 2014-10-20
+ Tor 0.2.4.25 disables SSL3 in response to the recent "POODLE" attack
+ (even though POODLE does not affect Tor). It also works around a crash
+ bug caused by some operating systems' response to the "POODLE" attack
+ (which does affect Tor).
+
+ o Major security fixes (also in 0.2.5.9-rc):
+ - Disable support for SSLv3. All versions of OpenSSL in use with Tor
+ today support TLS 1.0 or later, so we can safely turn off support
+ for this old (and insecure) protocol. Fixes bug 13426.
+
+ o Major bugfixes (openssl bug workaround, also in 0.2.5.9-rc):
+ - Avoid crashing when using OpenSSL version 0.9.8zc, 1.0.0o, or
+ 1.0.1j, built with the 'no-ssl3' configuration option. Fixes bug
+ 13471. This is a workaround for an OpenSSL bug.
+
+
+Changes in version 0.2.5.8-rc - 2014-09-22
+ Tor 0.2.5.8-rc is the second release candidate for the Tor 0.2.5.x
+ series. It fixes a bug that affects consistency and speed when
+ connecting to hidden services, and it updates the location of one of
+ the directory authorities.
+
+ o Major bugfixes:
+ - Clients now send the correct address for their chosen rendezvous
+ point when trying to access a hidden service. They used to send
+ the wrong address, which would still work some of the time because
+ they also sent the identity digest of the rendezvous point, and if
+ the hidden service happened to try connecting to the rendezvous
+ point from a relay that already had a connection open to it,
+ the relay would reuse that connection. Now connections to hidden
+ services should be more robust and faster. Also, this bug meant
+ that clients were leaking to the hidden service whether they were
+ on a little-endian (common) or big-endian (rare) system, which for
+ some users might have reduced their anonymity. Fixes bug 13151;
+ bugfix on 0.2.1.5-alpha.
+
+ o Directory authority changes:
+ - Change IP address for gabelmoo (v3 directory authority).
+
+
+Changes in version 0.2.4.24 - 2014-09-22
+ Tor 0.2.4.24 fixes a bug that affects consistency and speed when
+ connecting to hidden services, and it updates the location of one of
+ the directory authorities.
+
+ o Major bugfixes:
+ - Clients now send the correct address for their chosen rendezvous
+ point when trying to access a hidden service. They used to send
+ the wrong address, which would still work some of the time because
+ they also sent the identity digest of the rendezvous point, and if
+ the hidden service happened to try connecting to the rendezvous
+ point from a relay that already had a connection open to it,
+ the relay would reuse that connection. Now connections to hidden
+ services should be more robust and faster. Also, this bug meant
+ that clients were leaking to the hidden service whether they were
+ on a little-endian (common) or big-endian (rare) system, which for
+ some users might have reduced their anonymity. Fixes bug 13151;
+ bugfix on 0.2.1.5-alpha.
+
+ o Directory authority changes:
+ - Change IP address for gabelmoo (v3 directory authority).
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
+ Country database.
+
+
+Changes in version 0.2.5.7-rc - 2014-09-11
+ Tor 0.2.5.7-rc fixes several regressions from earlier in the 0.2.5.x
+ release series, and some long-standing bugs related to ORPort reachability
+ testing and failure to send CREATE cells. It is the first release
+ candidate for the Tor 0.2.5.x series.
+
+ o Major bugfixes (client, startup):
+ - Start making circuits as soon as DisabledNetwork is turned off.
+ When Tor started with DisabledNetwork set, it would correctly
+ conclude that it shouldn't build circuits, but it would mistakenly
+ cache this conclusion, and continue believing it even when
+ DisableNetwork is set to 0. Fixes the bug introduced by the fix
+ for bug 11200; bugfix on 0.2.5.4-alpha.
+ - Resume expanding abbreviations for command-line options. The fix
+ for bug 4647 accidentally removed our hack from bug 586 that
+ rewrote HashedControlPassword to __HashedControlSessionPassword
+ when it appears on the commandline (which allowed the user to set
+ her own HashedControlPassword in the torrc file while the
+ controller generates a fresh session password for each run). Fixes
+ bug 12948; bugfix on 0.2.5.1-alpha.
+ - Warn about attempts to run hidden services and relays in the same
+ process: that's probably not a good idea. Closes ticket 12908.
+
+ o Major bugfixes (relay):
+ - Avoid queuing or sending destroy cells for circuit ID zero when we
+ fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1.
+ Found and fixed by "cypherpunks".
+ - Fix ORPort reachability detection on relays running behind a
+ proxy, by correctly updating the "local" mark on the controlling
+ channel when changing the address of an or_connection_t after the
+ handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha.
+
+ o Minor features (bridge):
+ - Add an ExtORPortCookieAuthFileGroupReadable option to make the
+ cookie file for the ExtORPort g+r by default.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (logging):
+ - Reduce the log severity of the "Pluggable transport proxy does not
+ provide any needed transports and will not be launched." message,
+ since Tor Browser includes several ClientTransportPlugin lines in
+ its torrc-defaults file, leading every Tor Browser user who looks
+ at her logs to see these notices and wonder if they're dangerous.
+ Resolves bug 13124; bugfix on 0.2.5.3-alpha.
+ - Downgrade "Unexpected onionskin length after decryption" warning
+ to a protocol-warn, since there's nothing relay operators can do
+ about a client that sends them a malformed create cell. Resolves
+ bug 12996; bugfix on 0.0.6rc1.
+ - Log more specific warnings when we get an ESTABLISH_RENDEZVOUS
+ cell on a cannibalized or non-OR circuit. Resolves ticket 12997.
+ - When logging information about an EXTEND2 or EXTENDED2 cell, log
+ their names correctly. Fixes part of bug 12700; bugfix
+ on 0.2.4.8-alpha.
+ - When logging information about a relay cell whose command we don't
+ recognize, log its command as an integer. Fixes part of bug 12700;
+ bugfix on 0.2.1.10-alpha.
+ - Escape all strings from the directory connection before logging
+ them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor".
+
+ o Minor bugfixes (controller):
+ - Restore the functionality of CookieAuthFileGroupReadable. Fixes
+ bug 12864; bugfix on 0.2.5.1-alpha.
+ - Actually send TRANSPORT_LAUNCHED and HS_DESC events to
+ controllers. Fixes bug 13085; bugfix on 0.2.5.1-alpha. Patch
+ by "teor".
+
+ o Minor bugfixes (compilation):
+ - Fix compilation of test.h with MSVC. Patch from Gisle Vanem;
+ bugfix on 0.2.5.5-alpha.
+ - Make the nmake make files work again. Fixes bug 13081. Bugfix on
+ 0.2.5.1-alpha. Patch from "NewEraCracker".
+ - In routerlist_assert_ok(), don't take the address of a
+ routerinfo's cache_info member unless that routerinfo is non-NULL.
+ Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor".
+ - Fix a large number of false positive warnings from the clang
+ analyzer static analysis tool. This should make real warnings
+ easier for clang analyzer to find. Patch from "teor". Closes
+ ticket 13036.
+
+ o Distribution (systemd):
+ - Verify configuration file via ExecStartPre in the systemd unit
+ file. Patch from intrigeri; resolves ticket 12730.
+ - Explicitly disable RunAsDaemon in the systemd unit file. Our
+ current systemd unit uses "Type = simple", so systemd does not
+ expect tor to fork. If the user has "RunAsDaemon 1" in their
+ torrc, then things won't work as expected. This is e.g. the case
+ on Debian (and derivatives), since there we pass "--defaults-torrc
+ /usr/share/tor/tor-service-defaults-torrc" (that contains
+ "RunAsDaemon 1") by default. Patch by intrigeri; resolves
+ ticket 12731.
+
+ o Documentation:
+ - Adjust the URLs in the README to refer to the new locations of
+ several documents on the website. Fixes bug 12830. Patch from
+ Matt Pagan.
+ - Document 'reject6' and 'accept6' ExitPolicy entries. Resolves
+ ticket 12878.
+
+
+Changes in version 0.2.5.6-alpha - 2014-07-28
+ Tor 0.2.5.6-alpha brings us a big step closer to slowing down the
+ risk from guard rotation, and fixes a variety of other issues to get
+ us closer to a release candidate.
+
+ o Major features (also in 0.2.4.23):
+ - Make the number of entry guards configurable via a new
+ NumEntryGuards consensus parameter, and the number of directory
+ guards configurable via a new NumDirectoryGuards consensus
+ parameter. Implements ticket 12688.
+
+ o Major bugfixes (also in 0.2.4.23):
+ - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
+ implementation that caused incorrect results on 32-bit
+ implementations when certain malformed inputs were used along with
+ a small class of private ntor keys. This bug does not currently
+ appear to allow an attacker to learn private keys or impersonate a
+ Tor server, but it could provide a means to distinguish 32-bit Tor
+ implementations from 64-bit Tor implementations. Fixes bug 12694;
+ bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from
+ Adam Langley.
+
+ o Major bugfixes:
+ - Perform circuit cleanup operations even when circuit
+ construction operations are disabled (because the network is
+ disabled, or because there isn't enough directory information).
+ Previously, when we were not building predictive circuits, we
+ were not closing expired circuits either. Fixes bug 8387; bugfix on
+ 0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we
+ became more strict about when we have "enough directory information
+ to build circuits".
+
+ o Minor features:
+ - Authorities now assign the Guard flag to the fastest 25% of the
+ network (it used to be the fastest 50%). Also raise the consensus
+ weight that guarantees the Guard flag from 250 to 2000. For the
+ current network, this results in about 1100 guards, down from 2500.
+ This step paves the way for moving the number of entry guards
+ down to 1 (proposal 236) while still providing reasonable expected
+ performance for most users. Implements ticket 12690.
+ - Update geoip and geoip6 to the July 10 2014 Maxmind GeoLite2
+ Country database.
+ - Slightly enhance the diagnostic message for bug 12184.
+
+ o Minor bugfixes (also in 0.2.4.23):
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell. Those used to be normal to receive on hidden service circuits
+ due to bug 1038, but the buggy Tor versions are long gone from
+ the network so we can afford to resume watching for them. Resolves
+ the rest of bug 1038; bugfix on 0.2.1.19.
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays. Fixes bug 12718;
+ bugfix on 0.2.3.1-alpha.
+
+ o Minor bugfixes:
+ - Fix compilation when building with bufferevents enabled. (This
+ configuration is still not expected to work, however.)
+ Fixes bugs 12438, 12474, 11578; bugfixes on 0.2.5.1-alpha and
+ 0.2.5.3-alpha. Patches from Anthony G. Basile and Sathyanarayanan
+ Gunasekaran.
+ - Compile correctly with builds and forks of OpenSSL (such as
+ LibreSSL) that disable compression. Fixes bug 12602; bugfix on
+ 0.2.1.1-alpha. Patch from "dhill".
- o Minor bugfixes (exit):
+
+Changes in version 0.2.4.23 - 2014-07-28
+ Tor 0.2.4.23 brings us a big step closer to slowing down the risk from
+ guard rotation, and also backports several important fixes from the
+ Tor 0.2.5 alpha release series.
+
+ o Major features:
+ - Clients now look at the "usecreatefast" consensus parameter to
+ decide whether to use CREATE_FAST or CREATE cells for the first hop
+ of their circuit. This approach can improve security on connections
+ where Tor's circuit handshake is stronger than the available TLS
+ connection security levels, but the tradeoff is more computational
+ load on guard relays. Implements proposal 221. Resolves ticket 9386.
+ - Make the number of entry guards configurable via a new
+ NumEntryGuards consensus parameter, and the number of directory
+ guards configurable via a new NumDirectoryGuards consensus
+ parameter. Implements ticket 12688.
+
+ o Major bugfixes:
+ - Fix a bug in the bounds-checking in the 32-bit curve25519-donna
+ implementation that caused incorrect results on 32-bit
+ implementations when certain malformed inputs were used along with
+ a small class of private ntor keys. This bug does not currently
+ appear to allow an attacker to learn private keys or impersonate a
+ Tor server, but it could provide a means to distinguish 32-bit Tor
+ implementations from 64-bit Tor implementations. Fixes bug 12694;
+ bugfix on 0.2.4.8-alpha. Bug found by Robert Ransom; fix from
+ Adam Langley.
+
+ o Minor bugfixes:
+ - Warn and drop the circuit if we receive an inbound 'relay early'
+ cell. Those used to be normal to receive on hidden service circuits
+ due to bug 1038, but the buggy Tor versions are long gone from
+ the network so we can afford to resume watching for them. Resolves
+ the rest of bug 1038; bugfix on 0.2.1.19.
+ - Correct a confusing error message when trying to extend a circuit
+ via the control protocol but we don't know a descriptor or
+ microdescriptor for one of the specified relays. Fixes bug 12718;
+ bugfix on 0.2.3.1-alpha.
+ - Avoid an illegal read from stack when initializing the TLS
+ module using a version of OpenSSL without all of the ciphers
+ used by the v2 link handshake. Fixes bug 12227; bugfix on
+ 0.2.4.8-alpha. Found by "starlight".
+
+ o Minor features:
+ - Update geoip and geoip6 to the July 10 2014 Maxmind GeoLite2
+ Country database.
+
+
+Changes in version 0.2.5.5-alpha - 2014-06-18
+ Tor 0.2.5.5-alpha fixes a wide variety of remaining issues in the Tor
+ 0.2.5.x release series, including a couple of DoS issues, some
+ performance regressions, a large number of bugs affecting the Linux
+ seccomp2 sandbox code, and various other bugfixes. It also adds
+ diagnostic bugfixes for a few tricky issues that we're trying to
+ track down.
+
+ o Major features (security, traffic analysis resistance):
+ - Several major improvements to the algorithm used to decide when to
+ close TLS connections. Previous versions of Tor closed connections
+ at a fixed interval after the last time a non-padding cell was
+ sent over the connection, regardless of the target of the
+ connection. Now, we randomize the intervals by adding up to 50% of
+ their base value, we measure the length of time since connection
+ last had at least one circuit, and we allow connections to known
+ ORs to remain open a little longer (15 minutes instead of 3
+ minutes minimum). These changes should improve Tor's resistance
+ against some kinds of traffic analysis, and lower some overhead
+ from needlessly closed connections. Fixes ticket 6799.
+ Incidentally fixes ticket 12023; bugfix on 0.2.5.1-alpha.
+
+ o Major bugfixes (security, OOM, new since 0.2.5.4-alpha, also in 0.2.4.22):
+ - Fix a memory leak that could occur if a microdescriptor parse
+ fails during the tokenizing step. This bug could enable a memory
+ exhaustion attack by directory servers. Fixes bug 11649; bugfix
+ on 0.2.2.6-alpha.
+
+ o Major bugfixes (security, directory authorities):
+ - Directory authorities now include a digest of each relay's
+ identity key as a part of its microdescriptor.
+
+ This is a workaround for bug 11743 (reported by "cypherpunks"),
+ where Tor clients do not support receiving multiple
+ microdescriptors with the same SHA256 digest in the same
+ consensus. When clients receive a consensus like this, they only
+ use one of the relays. Without this fix, a hostile relay could
+ selectively disable some client use of target relays by
+ constructing a router descriptor with a different identity and the
+ same microdescriptor parameters and getting the authorities to
+ list it in a microdescriptor consensus. This fix prevents an
+ attacker from causing a microdescriptor collision, because the
+ router's identity is not forgeable.
+
+ o Major bugfixes (relay):
+ - Use a direct dirport connection when uploading non-anonymous
+ descriptors to the directory authorities. Previously, relays would
+ incorrectly use tunnel connections under a fairly wide variety of
+ circumstances. Fixes bug 11469; bugfix on 0.2.4.3-alpha.
+ - When a circuit accidentally has the same circuit ID for its
+ forward and reverse direction, correctly detect the direction of
+ cells using that circuit. Previously, this bug made roughly one
+ circuit in a million non-functional. Fixes bug 12195; this is a
+ bugfix on every version of Tor.
+
+ o Major bugfixes (client, pluggable transports):
+ - When managing pluggable transports, use OS notification facilities
+ to learn if they have crashed, and don't attempt to kill any
+ process that has already exited. Fixes bug 8746; bugfix
+ on 0.2.3.6-alpha.
+
+ o Minor features (diagnostic):
+ - When logging a warning because of bug 7164, additionally check the
+ hash table for consistency (as proposed on ticket 11737). This may
+ help diagnose bug 7164.
+ - When we log a heartbeat, log how many one-hop circuits we have
+ that are at least 30 minutes old, and log status information about
+ a few of them. This is an attempt to track down bug 8387.
+ - When encountering an unexpected CR while writing text to a file on
+ Windows, log the name of the file. Should help diagnosing
+ bug 11233.
+ - Give more specific warnings when a client notices that an onion
+ handshake has failed. Fixes ticket 9635.
+ - Add significant new logging code to attempt to diagnose bug 12184,
+ where relays seem to run out of available circuit IDs.
+ - Improve the diagnostic log message for bug 8387 even further to
+ try to improve our odds of figuring out why one-hop directory
+ circuits sometimes do not get closed.
+
+ o Minor features (security, memory management):
+ - Memory allocation tricks (mempools and buffer freelists) are now
+ disabled by default. You can turn them back on with
+ --enable-mempools and --enable-buf-freelists respectively. We're
+ disabling these features because malloc performance is good enough
+ on most platforms, and a similar feature in OpenSSL exacerbated
+ exploitation of the Heartbleed attack. Resolves ticket 11476.
+
+ o Minor features (security):
+ - Apply the secure SipHash-2-4 function to the hash table mapping
+ circuit IDs and channels to circuits. We missed this one when we
+ were converting all the other hash functions to use SipHash back
+ in 0.2.5.3-alpha. Resolves ticket 11750.
+
+ o Minor features (build):
+ - The configure script has a --disable-seccomp option to turn off
+ support for libseccomp on systems that have it, in case it (or
+ Tor's use of it) is broken. Resolves ticket 11628.
+
+ o Minor features (other):
+ - Update geoip and geoip6 to the June 4 2014 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (security, new since 0.2.5.4-alpha, also in 0.2.4.22):
+ - When running a hidden service, do not allow TunneledDirConns 0;
+ this will keep the hidden service from running, and also
+ make it publish its descriptors directly over HTTP. Fixes bug 10849;
+ bugfix on 0.2.1.1-alpha.
+
+ o Minor bugfixes (performance):
+ - Avoid a bug where every successful connection made us recompute
+ the flag telling us whether we have sufficient information to
+ build circuits. Previously, we would forget our cached value
+ whenever we successfully opened a channel (or marked a router as
+ running or not running for any other reason), regardless of
+ whether we had previously believed the router to be running. This
+ forced us to run an expensive update operation far too often.
+ Fixes bug 12170; bugfix on 0.1.2.1-alpha.
+ - Avoid using tor_memeq() for checking relay cell integrity. This
+ removes a possible performance bottleneck. Fixes part of bug
+ 12169; bugfix on 0.2.1.31.
+
+ o Minor bugfixes (compilation):
+ - Fix compilation of test_status.c when building with MVSC. Bugfix
+ on 0.2.5.4-alpha. Patch from Gisle Vanem.
+ - Resolve GCC complaints on OpenBSD about discarding constness in
+ TO_{ORIGIN,OR}_CIRCUIT functions. Fixes part of bug 11633; bugfix
+ on 0.1.1.23. Patch from Dana Koch.
+ - Resolve clang complaints on OpenBSD with -Wshorten-64-to-32 due to
+ treatment of long and time_t as comparable types. Fixes part of
+ bug 11633. Patch from Dana Koch.
+ - Make Tor compile correctly with --disable-buf-freelists. Fixes bug
+ 11623; bugfix on 0.2.5.3-alpha.
+ - When deciding whether to build the 64-bit curve25519
+ implementation, detect platforms where we can compile 128-bit
+ arithmetic but cannot link it. Fixes bug 11729; bugfix on
+ 0.2.4.8-alpha. Patch from "conradev".
+ - Fix compilation when DNS_CACHE_DEBUG is enabled. Fixes bug 11761;
+ bugfix on 0.2.3.13-alpha. Found by "cypherpunks".
+ - Fix compilation with dmalloc. Fixes bug 11605; bugfix
+ on 0.2.4.10-alpha.
+
+ o Minor bugfixes (Directory server):
+ - When sending a compressed set of descriptors or microdescriptors,
+ make sure to finalize the zlib stream. Previously, we would write
+ all the compressed data, but if the last descriptor we wanted to
+ send was missing or too old, we would not mark the stream as
+ finished. This caused problems for decompression tools. Fixes bug
+ 11648; bugfix on 0.1.1.23.
+
+ o Minor bugfixes (Linux seccomp sandbox):
+ - Make the seccomp sandbox code compile under ARM Linux. Fixes bug
+ 11622; bugfix on 0.2.5.1-alpha.
+ - Avoid crashing when re-opening listener ports with the seccomp
+ sandbox active. Fixes bug 12115; bugfix on 0.2.5.1-alpha.
+ - Avoid crashing with the seccomp sandbox enabled along with
+ ConstrainedSockets. Fixes bug 12139; bugfix on 0.2.5.1-alpha.
+ - When we receive a SIGHUP with the sandbox enabled, correctly
+ support rotating our log files. Fixes bug 12032; bugfix
+ on 0.2.5.1-alpha.
+ - Avoid crash when running with sandboxing enabled and
+ DirReqStatistics not disabled. Fixes bug 12035; bugfix
+ on 0.2.5.1-alpha.
+ - Fix a "BUG" warning when trying to write bridge-stats files with
+ the Linux syscall sandbox filter enabled. Fixes bug 12041; bugfix
+ on 0.2.5.1-alpha.
+ - Prevent the sandbox from crashing on startup when run with the
+ --enable-expensive-hardening configuration option. Fixes bug
+ 11477; bugfix on 0.2.5.4-alpha.
+ - When running with DirPortFrontPage and sandboxing both enabled,
+ reload the DirPortFrontPage correctly when restarting. Fixes bug
+ 12028; bugfix on 0.2.5.1-alpha.
+ - Don't try to enable the sandbox when using the Tor binary to check
+ its configuration, hash a passphrase, or so on. Doing so was
+ crashing on startup for some users. Fixes bug 11609; bugfix
+ on 0.2.5.1-alpha.
+ - Avoid warnings when running with sandboxing and node statistics
+ enabled at the same time. Fixes part of 12064; bugfix on
+ 0.2.5.1-alpha. Patch from Michael Wolf.
+ - Avoid warnings when running with sandboxing enabled at the same
+ time as cookie authentication, hidden services, or directory
+ authority voting. Fixes part of 12064; bugfix on 0.2.5.1-alpha.
+ - Do not allow options that require calls to exec to be enabled
+ alongside the seccomp2 sandbox: they will inevitably crash. Fixes
+ bug 12043; bugfix on 0.2.5.1-alpha.
+ - Handle failures in getpwnam()/getpwuid() when running with the
+ User option set and the Linux syscall sandbox enabled. Fixes bug
+ 11946; bugfix on 0.2.5.1-alpha.
+ - Refactor the getaddrinfo workaround that the seccomp sandbox uses
+ to avoid calling getaddrinfo() after installing the sandbox
+ filters. Previously, it preloaded a cache with the IPv4 address
+ for our hostname, and nothing else. Now, it loads the cache with
+ every address that it used to initialize the Tor process. Fixes
+ bug 11970; bugfix on 0.2.5.1-alpha.
+
+ o Minor bugfixes (pluggable transports):
+ - Enable the ExtORPortCookieAuthFile option, to allow changing the
+ default location of the authentication token for the extended OR
+ Port as used by sever-side pluggable transports. We had
+ implemented this option before, but the code to make it settable
+ had been omitted. Fixes bug 11635; bugfix on 0.2.5.1-alpha.
+ - Avoid another 60-second delay when starting Tor in a pluggable-
+ transport-using configuration when we already have cached
+ descriptors for our bridges. Fixes bug 11965; bugfix
+ on 0.2.3.6-alpha.
+
+ o Minor bugfixes (client):
+ - Avoid "Tried to open a socket with DisableNetwork set" warnings
+ when starting a client with bridges configured and DisableNetwork
+ set. (Tor launcher starts Tor with DisableNetwork set the first
+ time it runs.) Fixes bug 10405; bugfix on 0.2.3.9-alpha.
+
+ o Minor bugfixes (testing):
+ - The Python parts of the test scripts now work on Python 3 as well
+ as Python 2, so systems where '/usr/bin/python' is Python 3 will
+ no longer have the tests break. Fixes bug 11608; bugfix
+ on 0.2.5.2-alpha.
+ - When looking for versions of python that we could run the tests
+ with, check for "python2.7" and "python3.3"; previously we were
+ only looking for "python", "python2", and "python3". Patch from
+ Dana Koch. Fixes bug 11632; bugfix on 0.2.5.2-alpha.
+ - Fix all valgrind warnings produced by the unit tests. There were
+ over a thousand memory leak warnings previously, mostly produced
+ by forgetting to free things in the unit test code. Fixes bug
+ 11618, bugfixes on many versions of Tor.
+
+ o Minor bugfixes (tor-fw-helper):
+ - Give a correct log message when tor-fw-helper fails to launch.
+ (Previously, we would say something like "tor-fw-helper sent us a
+ string we could not parse".) Fixes bug 9781; bugfix
+ on 0.2.4.2-alpha.
+
+ o Minor bugfixes (relay, threading):
+ - Check return code on spawn_func() in cpuworker code, so that we
+ don't think we've spawned a nonworking cpuworker and write junk to
+ it forever. Fix related to bug 4345; bugfix on all released Tor
+ versions. Found by "skruffy".
+ - Use a pthread_attr to make sure that spawn_func() cannot return an
+ error while at the same time launching a thread. Fix related to
+ bug 4345; bugfix on all released Tor versions. Reported
+ by "cypherpunks".
+
+ o Minor bugfixes (relay, oom prevention):
+ - Correctly detect the total available system memory. We tried to do
+ this in 0.2.5.4-alpha, but the code was set up to always return an
+ error value, even on success. Fixes bug 11805; bugfix
+ on 0.2.5.4-alpha.
+
+ o Minor bugfixes (relay, other):
+ - We now drop CREATE cells for already-existent circuit IDs and for
+ zero-valued circuit IDs, regardless of other factors that might
+ otherwise have called for DESTROY cells. Fixes bug 12191; bugfix
+ on 0.0.8pre1.
+ - Avoid an illegal read from stack when initializing the TLS module
+ using a version of OpenSSL without all of the ciphers used by the
+ v2 link handshake. Fixes bug 12227; bugfix on 0.2.4.8-alpha. Found
+ by "starlight".
+ - When rejecting DATA cells for stream_id zero, still count them
+ against the circuit's deliver window so that we don't fail to send
+ a SENDME. Fixes bug 11246; bugfix on 0.2.4.10-alpha.
+
+ o Minor bugfixes (logging):
+ - Fix a misformatted log message about delayed directory fetches.
+ Fixes bug 11654; bugfix on 0.2.5.3-alpha.
+ - Squelch a spurious LD_BUG message "No origin circuit for
+ successful SOCKS stream" in certain hidden service failure cases;
+ fixes bug 10616.
+
+ o Distribution:
+ - Include a tor.service file in contrib/dist for use with systemd.
+ Some distributions will be able to use this file unmodified;
+ others will need to tweak it, or write their own. Patch from Jamie
+ Nguyen; resolves ticket 8368.
+
+ o Documentation:
+ - Clean up several option names in the manpage to match their real
+ names, add the missing documentation for a couple of testing and
+ directory authority options, remove the documentation for a
+ V2-directory fetching option that no longer exists. Resolves
+ ticket 11634.
+ - Correct the documenation so that it lists the correct directory
+ for the stats files. (They are in a subdirectory called "stats",
+ not "status".)
+ - In the manpage, move more authority-only options into the
+ directory authority section so that operators of regular directory
+ caches don't get confused.
+
+ o Package cleanup:
+ - The contrib directory has been sorted and tidied. Before, it was
+ an unsorted dumping ground for useful and not-so-useful things.
+ Now, it is divided based on functionality, and the items which
+ seemed to be nonfunctional or useless have been removed. Resolves
+ ticket 8966; based on patches from "rl1987".
+
+ o Removed code:
+ - Remove /tor/dbg-stability.txt URL that was meant to help debug WFU
+ and MTBF calculations, but that nobody was using. Fixes #11742.
+ - The TunnelDirConns and PreferTunnelledDirConns options no longer
+ exist; tunneled directory connections have been available since
+ 0.1.2.5-alpha, and turning them off is not a good idea. This is a
+ brute-force fix for 10849, where "TunnelDirConns 0" would break
+ hidden services.
+
+
+Changes in version 0.2.4.22 - 2014-05-16
+ Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5
+ alpha release series. These include blocking all authority signing
+ keys that may have been affected by the OpenSSL "heartbleed" bug,
+ choosing a far more secure set of TLS ciphersuites by default, closing
+ a couple of memory leaks that could be used to run a target relay out
+ of RAM, and several others.
+
+ o Major features (security, backport from 0.2.5.4-alpha):
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We
+ don't have any evidence that these keys _were_ compromised; we're
+ doing this to be prudent.) Resolves ticket 11464.
+
+ o Major bugfixes (security, OOM):
+ - Fix a memory leak that could occur if a microdescriptor parse
+ fails during the tokenizing step. This bug could enable a memory
+ exhaustion attack by directory servers. Fixes bug 11649; bugfix
+ on 0.2.2.6-alpha.
+
+ o Major bugfixes (TLS cipher selection, backport from 0.2.5.4-alpha):
+ - The relay ciphersuite list is now generated automatically based on
+ uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy. Previously, we had left
+ some perfectly fine ciphersuites unsupported due to omission or
+ typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by
+ 'cypherpunks'. Bugfix on 0.2.4.8-alpha.
+ - Relays now trust themselves to have a better view than clients of
+ which TLS ciphersuites are better than others. (Thanks to bug
+ 11513, the relay list is now well-considered, whereas the client
+ list has been chosen mainly for anti-fingerprinting purposes.)
+ Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over
+ CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over
+ AES128. Resolves ticket 11528.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28. This change enables selection of (fast) GCM
+ ciphersuites, disables some strange old ciphers, and stops
+ advertising the ECDH (not to be confused with ECDHE) ciphersuites.
+ Resolves ticket 11438.
+
+ o Minor bugfixes (configuration, security):
+ - When running a hidden service, do not allow TunneledDirConns 0:
+ trying to set that option together with a hidden service would
+ otherwise prevent the hidden service from running, and also make
+ it publish its descriptors directly over HTTP. Fixes bug 10849;
+ bugfix on 0.2.1.1-alpha.
+
+ o Minor bugfixes (controller, backport from 0.2.5.4-alpha):
+ - Avoid sending a garbage value to the controller when a circuit is
+ cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.
+
+ o Minor bugfixes (exit relay, backport from 0.2.5.4-alpha):
- Stop leaking memory when we successfully resolve a PTR record.
Fixes bug 11437; bugfix on 0.2.4.7-alpha.
- o Minor features (Transparent proxy):
- - Support the ipfw firewall interface for transparent proxy support on
- FreeBSD. To enable it, set "TransProxyType ipfw" in your torrc.
- Resolves ticket 10267; patch from "yurivict".
- - Support OpenBSD's divert-to rules with the pf firewall, when
- "TransProxyType pf-divert" is specified. This allows Tor to run a
- TransPort transparent proxy port on OpenBSD 4.4 or later without
- root privileges. See the pf.conf(5) manual page for information on
- configuring pf to use divert-to rules. Closes ticket 10896; patch
- from Dana Koch.
+ o Minor bugfixes (bridge client, backport from 0.2.5.4-alpha):
+ - Avoid 60-second delays in the bootstrapping process when Tor is
+ launching for a second time while using bridges. Fixes bug 9229;
+ bugfix on 0.2.0.3-alpha.
- o Minor features (security):
- - New --enable-expensive-hardening option to turn on security hardening
- options that consume nontrivial amounts of CPU and memory. Right now,
- this includes AddressSanitizer and UbSan. Closes ticket 11477.
+ o Minor bugfixes (relays and bridges, backport from 0.2.5.4-alpha):
+ - Give the correct URL in the warning message when trying to run a
+ relay on an ancient version of Windows. Fixes bug 9393.
- o Minor features (usability):
- - Demote the message that we give when a flushing connection times
- out for too long from NOTICE to INFO. It was usually meaningless.
- Resolves ticket 5286.
+ o Minor bugfixes (compilation):
+ - Fix a compilation error when compiling with --disable-curve25519.
+ Fixes bug 9700; bugfix on 0.2.4.17-rc.
+
+ o Minor bugfixes:
+ - Downgrade the warning severity for the the "md was still
+ referenced 1 node(s)" warning. Tor 0.2.5.4-alpha has better code
+ for trying to diagnose this bug, and the current warning in
+ earlier versions of tor achieves nothing useful. Addresses warning
+ from bug 7164.
+
+ o Minor features (log verbosity, backport from 0.2.5.4-alpha):
+ - When we run out of usable circuit IDs on a channel, log only one
+ warning for the whole channel, and describe how many circuits
+ there were on the channel. Fixes part of ticket 11553.
+
+ o Minor features (security, backport from 0.2.5.4-alpha):
+ - Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but
+ leave the default at 8GBytes), to better support Raspberry Pi
+ users. Fixes bug 9686; bugfix on 0.2.4.14-alpha.
+
+ o Documentation (backport from 0.2.5.4-alpha):
+ - Correctly document that we search for a system torrc file before
+ looking in ~/.torrc. Fixes documentation side of 9213; bugfix on
+ 0.2.3.18-rc.
+
+
+Changes in version 0.2.5.4-alpha - 2014-04-25
+ Tor 0.2.5.4-alpha includes several security and performance
+ improvements for clients and relays, including blacklisting authority
+ signing keys that were used while susceptible to the OpenSSL
+ "heartbleed" bug, fixing two expensive functions on busy relays,
+ improved TLS ciphersuite preference lists, support for run-time
+ hardening on compilers that support AddressSanitizer, and more work on
+ the Linux sandbox code.
+
+ There are also several usability fixes for clients (especially clients
+ that use bridges), two new TransPort protocols supported (one on
+ OpenBSD, one on FreeBSD), and various other bugfixes.
- o Minor features (performance, compatibility):
- - Update the list of TLS cipehrsuites that a client advertises
- to match those advertised by Firefox 28. This enables selection of
- (fast) GCM ciphersuites, disables some strange old ciphers, and
- disables the ECDH (not to be confused with ECDHE) ciphersuites.
+ This release marks end-of-life for Tor 0.2.2.x; those Tor versions
+ have accumulated many known flaws; everyone should upgrade.
+
+ o Major features (security):
+ - If you don't specify MaxMemInQueues yourself, Tor now tries to
+ pick a good value based on your total system memory. Previously,
+ the default was always 8 GB. You can still override the default by
+ setting MaxMemInQueues yourself. Resolves ticket 11396.
+ - Block authority signing keys that were used on authorities
+ vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We
+ don't have any evidence that these keys _were_ compromised; we're
+ doing this to be prudent.) Resolves ticket 11464.
+
+ o Major features (relay performance):
+ - Speed up server-side lookups of rendezvous and introduction point
+ circuits by using hashtables instead of linear searches. These
+ functions previously accounted between 3 and 7% of CPU usage on
+ some busy relays. Resolves ticket 9841.
+ - Avoid wasting CPU when extending a circuit over a channel that is
+ nearly out of circuit IDs. Previously, we would do a linear scan
+ over possible circuit IDs before finding one or deciding that we
+ had exhausted our possibilities. Now, we try at most 64 random
+ circuit IDs before deciding that we probably won't succeed. Fixes
+ a possible root cause of ticket 11553.
+
+ o Major features (seccomp2 sandbox, Linux only):
+ - The seccomp2 sandbox can now run a test network for multiple hours
+ without crashing. The sandbox is still experimental, and more bugs
+ will probably turn up. To try it, enable "Sandbox 1" on a Linux
+ host. Resolves ticket 11351.
+ - Strengthen sandbox code: the sandbox can now test the arguments
+ for rename(), and blocks _sysctl() entirely. Resolves another part
+ of ticket 11351.
+ - When the sandbox blocks a system call, it now tries to log a stack
+ trace before exiting. Resolves ticket 11465.
+
+ o Major bugfixes (TLS cipher selection):
+ - The relay ciphersuite list is now generated automatically based on
+ uniform criteria, and includes all OpenSSL ciphersuites with
+ acceptable strength and forward secrecy. Previously, we had left
+ some perfectly fine ciphersuites unsupported due to omission or
+ typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by
+ 'cypherpunks'. Bugfix on 0.2.4.8-alpha.
+ - Relays now trust themselves to have a better view than clients of
+ which TLS ciphersuites are better than others. (Thanks to bug
+ 11513, the relay list is now well-considered, whereas the client
+ list has been chosen mainly for anti-fingerprinting purposes.)
+ Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over
+ CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over
+ AES128. Resolves ticket 11528.
+ - Clients now try to advertise the same list of ciphersuites as
+ Firefox 28. This change enables selection of (fast) GCM
+ ciphersuites, disables some strange old ciphers, and stops
+ advertising the ECDH (not to be confused with ECDHE) ciphersuites.
Resolves ticket 11438.
+ o Major bugfixes (bridge client):
+ - Avoid 60-second delays in the bootstrapping process when Tor is
+ launching for a second time while using bridges. Fixes bug 9229;
+ bugfix on 0.2.0.3-alpha.
- o Minor bugfixes (IPv6):
- - When using DNSPort and AutomapHostsOnResolve, respond to AAAA
- requests with AAAA automapped answers. Fixes bug 10468; bugfix
- on 0.2.4.7-alpha.
+ o Minor features (transparent proxy, *BSD):
+ - Support FreeBSD's ipfw firewall interface for TransPort ports on
+ FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket
+ 10267; patch from "yurivict".
+ - Support OpenBSD's divert-to rules with the pf firewall for
+ transparent proxy ports. To enable it, set "TransProxyType
+ pf-divert". This allows Tor to run a TransPort transparent proxy
+ port on OpenBSD 4.4 or later without root privileges. See the
+ pf.conf(5) manual page for information on configuring pf to use
+ divert-to rules. Closes ticket 10896; patch from Dana Koch.
+
+ o Minor features (security):
+ - New --enable-expensive-hardening option to enable security
+ hardening options that consume nontrivial amounts of CPU and
+ memory. Right now, this includes AddressSanitizer and UbSan, which
+ are supported in newer versions of GCC and Clang. Closes ticket
+ 11477.
+
+ o Minor features (log verbosity):
+ - Demote the message that we give when a flushing connection times
+ out for too long from NOTICE to INFO. It was usually meaningless.
+ Resolves ticket 5286.
+ - Don't log so many notice-level bootstrapping messages at startup
+ about downloading descriptors. Previously, we'd log a notice
+ whenever we learned about more routers. Now, we only log a notice
+ at every 5% of progress. Fixes bug 9963.
+ - Warn less verbosely when receiving a malformed
+ ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279.
+ - When we run out of usable circuit IDs on a channel, log only one
+ warning for the whole channel, and describe how many circuits
+ there were on the channel. Fixes part of ticket 11553.
o Minor features (relay):
- - If a circuit timed out for at least 3 minutes check if we have a new
- external IP address the next time we run our routine checks. If our
- IP address has changed, then publish a new descriptor with the new
- IP address. Resolves ticket 2454.
- - Warn less verbosely when receiving a misformed ESTABLISH_RENDEZVOUS
- cell. Fixes ticket 11279.
+ - If a circuit timed out for at least 3 minutes, check if we have a
+ new external IP address, and publish a new descriptor with the new
+ IP address if it changed. Resolves ticket 2454.
o Minor features (controller):
- Make the entire exit policy available from the control port via
- GETINFO exit-policy/*. Implements enhancement #7952. Patch from
+ GETINFO exit-policy/*. Implements enhancement 7952. Patch from
"rl1987".
-
- o Minor features (misc):
- - Always check return values for unlink, munmap, UnmapViewOfFile;
- check strftime return values more often. In some cases all we
- can do is report a warning, but this may help prevent deeper
- bugs from going unnoticed. Closes ticket 8787.
+ - Because of the fix for ticket 11396, the real limit for memory
+ usage may no longer match the configured MaxMemInQueues value. The
+ real limit is now exposed via GETINFO limits/max-mem-in-queues.
o Minor features (bridge client):
- - Report a failure to connect to a bridge because its transport
- type has no configured pluggable transport as a new type of bootstrap
- failure. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
+ - Report a more useful failure message when we can't connect to a
+ bridge because we don't have the right pluggable transport
+ configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
o Minor features (diagnostic):
- - Try harder to diagnose a possible cause of bug 7164, which causes
+ - Add more log messages to diagnose bug 7164, which causes
intermittent "microdesc_free() called but md was still referenced"
- warnings. We now log more information about the likely error case,
- to try to figure out why we might be cleaning a microdescriptor
- as old if it's still referenced by a live node.
+ warnings. We now include more information, to figure out why we
+ might be cleaning a microdescriptor for being too old if it's
+ still referenced by a live node_t object.
+
+ o Minor bugfixes (client, DNSPort):
+ - When using DNSPort, try to respond to AAAA requests with AAAA
+ answers. Previously, we hadn't looked at the request type when
+ deciding which answer type to prefer. Fixes bug 10468; bugfix on
+ 0.2.4.7-alpha.
+ - When receiving a DNS query for an unsupported record type, reply
+ with no answer rather than with a NOTIMPL error. This behavior
+ isn't correct either, but it will break fewer client programs, we
+ hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch
+ from "epoch".
+
+ o Minor bugfixes (exit relay):
+ - Stop leaking memory when we successfully resolve a PTR record.
+ Fixes bug 11437; bugfix on 0.2.4.7-alpha.
+
+ o Minor bugfixes (bridge client):
+ - Stop accepting bridge lines containing hostnames. Doing so would
+ cause clients to perform DNS requests on the hostnames, which was
+ not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
+ - Avoid a 60-second delay in the bootstrapping process when a Tor
+ client with pluggable transports re-reads its configuration at
+ just the wrong time. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha.
+
+ o Minor bugfixes (client, logging during bootstrap):
+ - Warn only once if we start logging in an unsafe way. Previously,
+ we complain as many times as we had problems. Fixes bug 9870;
+ bugfix on 0.2.5.1-alpha.
+ - Only report the first fatal bootstrap error on a given OR
+ connection. This stops us from telling the controller bogus error
+ messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha.
+ - Be more helpful when trying to run sandboxed on Linux without
+ libseccomp. Instead of saying "Sandbox is not implemented on this
+ platform", we now explain that we need to be built with
+ libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
+ - Avoid generating spurious warnings when starting with
+ DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on
+ 0.2.3.9-alpha.
+
+ o Minor bugfixes (closing OR connections):
+ - If write_to_buf() in connection_write_to_buf_impl_() ever fails,
+ check if it's an or_connection_t and correctly call
+ connection_or_close_for_error() rather than
+ connection_mark_for_close() directly. Fixes bug 11304; bugfix on
+ 0.2.4.4-alpha.
+ - When closing all connections on setting DisableNetwork to 1, use
+ connection_or_close_normally() rather than closing OR connections
+ out from under the channel layer. Fixes bug 11306; bugfix on
+ 0.2.4.4-alpha.
+
+ o Minor bugfixes (controller):
+ - Avoid sending a garbage value to the controller when a circuit is
+ cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.
+
+ o Minor bugfixes (tor-fw-helper):
+ - Allow tor-fw-helper to build again by adding src/ext to its
+ CPPFLAGS. Fixes bug 11296; bugfix on 0.2.5.3-alpha.
+
+ o Minor bugfixes (bridges):
+ - Avoid potential crashes or bad behavior when launching a
+ server-side managed proxy with ORPort or ExtORPort temporarily
+ disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha.
+
+ o Minor bugfixes (platform-specific):
+ - Fix compilation on Solaris, which does not have <endian.h>. Fixes
+ bug 11426; bugfix on 0.2.5.3-alpha.
+ - When dumping a malformed directory object to disk, save it in
+ binary mode on Windows, not text mode. Fixes bug 11342; bugfix on
+ 0.2.2.1-alpha.
+ - Don't report failures from make_socket_reuseable() on incoming
+ sockets on OSX: this can happen when incoming connections close
+ early. Fixes bug 10081.
+
+ o Minor bugfixes (trivial memory leaks):
+ - Fix a small memory leak when signing a directory object. Fixes bug
+ 11275; bugfix on 0.2.4.13-alpha.
+ - Free placeholder entries in our circuit table at exit; fixes a
+ harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha.
+ - Don't re-initialize a second set of OpenSSL mutexes when starting
+ up. Previously, we'd make one set of mutexes, and then immediately
+ replace them with another. Fixes bug 11726; bugfix on
+ 0.2.5.3-alpha.
+ - Resolve some memory leaks found by coverity in the unit tests, on
+ exit in tor-gencert, and on a failure to compute digests for our
+ own keys when generating a v3 networkstatus vote. These leaks
+ should never have affected anyone in practice.
+
+ o Minor bugfixes (hidden service):
+ - Only retry attempts to connect to a chosen rendezvous point 8
+ times, not 30. Fixes bug 4241; bugfix on 0.1.0.1-rc.
+
+ o Minor bugfixes (misc code correctness):
+ - Fix various instances of undefined behavior in channeltls.c,
+ tor_memmem(), and eventdns.c that would cause us to construct
+ pointers to memory outside an allocated object. (These invalid
+ pointers were not accessed, but C does not even allow them to
+ exist.) Fixes bug 10363; bugfixes on 0.1.1.1-alpha, 0.1.2.1-alpha,
+ 0.2.0.10-alpha, and 0.2.3.6-alpha. Reported by "bobnomnom".
+ - Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to
+ fix some miscellaneous errors in our tests and codebase. Fixes bug
+ 11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
+ - Always check return values for unlink, munmap, UnmapViewOfFile;
+ check strftime return values more often. In some cases all we can
+ do is report a warning, but this may help prevent deeper bugs from
+ going unnoticed. Closes ticket 8787; bugfixes on many, many tor
+ versions.
+ - Fix numerous warnings from the clang "scan-build" static analyzer.
+ Some of these are programming style issues; some of them are false
+ positives that indicated awkward code; some are undefined behavior
+ cases related to constructing (but not using) invalid pointers;
+ some are assumptions about API behavior; some are (harmlessly)
+ logging sizeof(ptr) bytes from a token when sizeof(*ptr) would be
+ correct; and one or two are genuine bugs that weren't reachable
+ from the rest of the program. Fixes bug 8793; bugfixes on many,
+ many tor versions.
o Documentation:
- - Build the torify.1 manpage again. Previously, we were only
- trying to build it when also building tor-fw-helper. That's why
- we didn't notice that we'd broken the ability to build it.
- Fixes bug 11321; bugfix on 0.2.5.1-alpha.
+ - Build the torify.1 manpage again. Previously, we were only trying
+ to build it when also building tor-fw-helper. That's why we didn't
+ notice that we'd broken the ability to build it. Fixes bug 11321;
+ bugfix on 0.2.5.1-alpha.
- Fix the layout of the SOCKSPort flags in the manpage. Fixes bug
11061; bugfix on 0.2.4.7-alpha.
- Correctly document that we search for a system torrc file before
- looking in ~/.torrc. Fixes documentation side of 9213; bugfix
- on 0.2.3.18-rc.
+ looking in ~/.torrc. Fixes documentation side of 9213; bugfix on
+ 0.2.3.18-rc.
- Resolve warnings from Doxygen.
o Code simplifications and refactoring:
- - Removing is_internal_IP() function. Resolves ticket 4645.
- - Remove unused function circuit_dump_by_chan from circuitlist.c. Closes
- issue #9107; patch from "marek".
+ - Remove is_internal_IP() function. Resolves ticket 4645.
+ - Remove unused function circuit_dump_by_chan from circuitlist.c.
+ Closes issue 9107; patch from "marek".
- Change our use of the ENUM_BF macro to avoid declarations that
confuse Doxygen.
+ o Deprecated versions:
+ - Tor 0.2.2.x has reached end-of-life; it has received no patches or
+ attention for some while. Directory authorities no longer accept
+ descriptors from relays running any version of Tor prior to Tor
+ 0.2.3.16-alpha. Resolves ticket 11149.
+
o Testing:
- - New macros in test.h to simplify writting mock-functions for unit
+ - New macros in test.h to simplify writing mock-functions for unit
tests. Part of ticket 11507. Patch from Dana Koch.
- Complete tests for the status.c module. Resolves ticket 11507.
Patch from Dana Koch.
o Removed code:
- - Remove all code for the long unused v1 directory protocol. Resolves
- ticket 11070.
-
+ - Remove all code for the long unused v1 directory protocol.
+ Resolves ticket 11070.
Changes in version 0.2.5.3-alpha - 2014-03-22
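Review bot: the option behind bug 10849 is spelled two ways in this hunk. The 0.2.4.22 entry under "Minor bugfixes (configuration, security)" says "do not allow TunneledDirConns 0", while the "Removed code" entry just above the 0.2.4.22 section says "The TunnelDirConns and PreferTunnelledDirConns options" and "TunnelDirConns 0". Operators search the ChangeLog by option name when checking whether a hidden service was publishing descriptors directly over HTTP, so both entries should use the same spelling, matching the manpage. Smaller text fixes in the added lines: "documenation" in the Documentation entry about the stats directory; "the the" in the 0.2.4.22 entry about the "md was still referenced 1 node(s)" warning; "Previously, we complain" should be past tense in the entry for bug 9870; and "Fixes #11742" keeps a "#" that this same hunk removes from "enhancement #7952" and "issue #9107".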
@@ -1648,6 +2976,10 @@ Changes in version 0.2.4.11-alpha - 2013-03-11
- Randomize the lifetime of our SSL link certificate, so censors can't
use the static value for filtering Tor flows. Resolves ticket 8443;
related to ticket 4014 which was included in 0.2.2.33.
+ - Support a new version of the link protocol that allows 4-byte circuit
+ IDs. Previously, circuit IDs were limited to 2 bytes, which presented
+ a possible resource exhaustion issue. Closes ticket 7351; implements
+ proposal 214.
o Minor features (portability):
- Tweak the curve25519-donna*.c implementations to tolerate systems
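Review bot: the added entry says "a new version of the link protocol" without giving the version number. Since the stated motivation is "a possible resource exhaustion issue" with 2-byte circuit IDs, name the link protocol version here so a reader can tell from a negotiated version whether a connection uses 4-byte circuit IDs. This also inserts text into the log of a release the hunk header dates 2013-03-11, so the commit message should say that it documents, after the fact, a change that shipped in 0.2.4.11-alpha.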