summaryrefslogtreecommitdiff
path: root/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog3497
1 files changed, 3440 insertions, 57 deletions
diff --git a/ChangeLog b/ChangeLog
index b87449ab69..3909b1783a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,3384 @@
+Changes in version 0.2.2.36 - 2012-05-24
+ Tor 0.2.2.36 updates the addresses for two of the eight directory
+ authorities, fixes some potential anonymity and security issues,
+ and fixes several crash bugs.
+
+ Tor 0.2.1.x has reached its end-of-life. Those Tor versions have many
+ known flaws, and nobody should be using them. You should upgrade. If
+ you're using a Linux or BSD and its packages are obsolete, stop using
+ those packages and upgrade anyway.
+
+ o Directory authority changes:
+ - Change IP address for maatuska (v3 directory authority).
+ - Change IP address for ides (v3 directory authority), and rename
+ it to turtles.
+
+ o Security fixes:
+ - When building or running with any version of OpenSSL earlier
+ than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
+ versions have a bug (CVE-2011-4576) in which their block cipher
+ padding includes uninitialized data, potentially leaking sensitive
+ information to any peer with whom they make a SSLv3 connection. Tor
+ does not use SSL v3 by default, but a hostile client or server
+ could force an SSLv3 connection in order to gain information that
+ they shouldn't have been able to get. The best solution here is to
+ upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
+ or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
+ to make sure that the bug can't happen.
+ - Never use a bridge or a controller-supplied node as an exit, even
+ if its exit policy allows it. Found by wanoskarnet. Fixes bug
+ 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
+ and 0.2.0.3-alpha (for bridge-purpose descriptors).
+ - Only build circuits if we have a sufficient threshold of the total
+ descriptors that are marked in the consensus with the "Exit"
+ flag. This mitigates an attack proposed by wanoskarnet, in which
+ all of a client's bridges collude to restrict the exit nodes that
+ the client knows about. Fixes bug 5343.
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the contoller into telling
+ it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+ authentication method uses a challenge-response approach to prevent
+ this attack. Fixes bug 5185; implements proposal 193.
+
+ o Major bugfixes:
+ - Avoid logging uninitialized data when unable to decode a hidden
+ service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
+ - Avoid a client-side assertion failure when receiving an INTRODUCE2
+ cell on a general purpose circuit. Fixes bug 5644; bugfix on
+ 0.2.1.6-alpha.
+ - Fix builds when the path to sed, openssl, or sha1sum contains
+ spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
+ on 0.2.2.1-alpha.
+ - Correct our replacements for the timeradd() and timersub() functions
+ on platforms that lack them (for example, Windows). The timersub()
+ function is used when expiring circuits, while timeradd() is
+ currently unused. Bug report and patch by Vektor. Fixes bug 4778;
+ bugfix on 0.2.2.24-alpha.
+ - Fix the SOCKET_OK test that we use to tell when socket
+ creation fails so that it works on Win64. Fixes part of bug 4533;
+ bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
+
+ o Minor bugfixes:
+ - Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
+ Fixes bug 5346; bugfix on 0.0.8pre3.
+ - Make our number-parsing functions always treat too-large values
+ as an error, even when those values exceed the width of the
+ underlying type. Previously, if the caller provided these
+ functions with minima or maxima set to the extreme values of the
+ underlying integer type, these functions would return those
+ values on overflow rather than treating overflow as an error.
+ Fixes part of bug 5786; bugfix on 0.0.9.
+ - Older Linux kernels erroneously respond to strange nmap behavior
+ by having accept() return successfully with a zero-length
+ socket. When this happens, just close the connection. Previously,
+ we would try harder to learn the remote address: but there was
+ no such remote address to learn, and our method for trying to
+ learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
+ on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
+ - Correct parsing of certain date types in parse_http_time().
+ Without this patch, If-Modified-Since would behave
+ incorrectly. Fixes bug 5346; bugfix on 0.2.0.2-alpha. Patch from
+ Esteban Manchado Velázques.
+ - Change the BridgePassword feature (part of the "bridge community"
+ design, which is not yet implemented) to use a time-independent
+ comparison. The old behavior might have allowed an adversary
+ to use timing to guess the BridgePassword value. Fixes bug 5543;
+ bugfix on 0.2.0.14-alpha.
+ - Detect and reject certain misformed escape sequences in
+ configuration values. Previously, these values would cause us
+ to crash if received in a torrc file or over an authenticated
+ control port. Bug found by Esteban Manchado Velázquez, and
+ independently by Robert Connolly from Matta Consulting who further
+ noted that it allows a post-authentication heap overflow. Patch
+ by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
+ bugfix on 0.2.0.16-alpha.
+ - Fix a compile warning when using the --enable-openbsd-malloc
+ configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
+ - During configure, detect when we're building with clang version
+ 3.0 or lower and disable the -Wnormalized=id and -Woverride-init
+ CFLAGS. clang doesn't support them yet.
+ - When sending an HTTP/1.1 proxy request, include a Host header.
+ Fixes bug 5593; bugfix on 0.2.2.1-alpha.
+ - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
+ command. Found by mikeyc. Fixes bug 5796; bugfix on 0.2.2.9-alpha.
+ - If we hit the error case where routerlist_insert() replaces an
+ existing (old) server descriptor, make sure to remove that
+ server descriptor from the old_routers list. Fix related to bug
+ 1776. Bugfix on 0.2.2.18-alpha.
+
+ o Minor bugfixes (documentation and log messages):
+ - Fix a typo in a log message in rend_service_rendezvous_has_opened().
+ Fixes bug 4856; bugfix on Tor 0.0.6.
+ - Update "ClientOnly" man page entry to explain that there isn't
+ really any point to messing with it. Resolves ticket 5005.
+ - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
+ directory authority option (introduced in Tor 0.2.2.34).
+ - Downgrade the "We're missing a certificate" message from notice
+ to info: people kept mistaking it for a real problem, whereas it
+ is seldom the problem even when we are failing to bootstrap. Fixes
+ bug 5067; bugfix on 0.2.0.10-alpha.
+ - Correctly spell "connect" in a log message on failure to create a
+ controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta.
+ - Clarify the behavior of MaxCircuitDirtiness with hidden service
+ circuits. Fixes issue 5259.
+
+ o Minor features:
+ - Directory authorities now reject versions of Tor older than
+ 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
+ inclusive. These versions accounted for only a small fraction of
+ the Tor network, and have numerous known security issues. Resolves
+ issue 4788.
+ - Update to the May 1 2012 Maxmind GeoLite Country database.
+
+ - Feature removal:
+ - When sending or relaying a RELAY_EARLY cell, we used to convert
+ it to a RELAY cell if the connection was using the v1 link
+ protocol. This was a workaround for older versions of Tor, which
+ didn't handle RELAY_EARLY cells properly. Now that all supported
+ versions can handle RELAY_EARLY cells, and now that we're enforcing
+ the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
+ remove this workaround. Addresses bug 4786.
+
+
+Changes in version 0.2.3.15-alpha - 2012-04-30
+ Tor 0.2.3.15-alpha fixes a variety of smaller bugs, including making
+ the development branch build on Windows again.
+
+ o Minor bugfixes (on 0.2.2.x and earlier):
+ - Make sure that there are no unhandled pending TLS errors before
+ reading from a TLS stream. We had checks in 0.1.0.3-rc, but
+ lost them in 0.1.0.5-rc when we refactored read_to_buf_tls().
+ Bugfix on 0.1.0.5-rc; fixes bug 4528.
+ - Fix an assert that directory authorities could trigger on sighup
+ during some configuration state transitions. We now don't treat
+ it as a fatal error when the new descriptor we just generated in
+ init_keys() isn't accepted. Fixes bug 4438; bugfix on 0.2.1.9-alpha.
+ - After we pick a directory mirror, we would refuse to use it if
+ it's in our ExcludeExitNodes list, resulting in mysterious failures
+ to bootstrap for people who just wanted to avoid exiting from
+ certain locations. Fixes bug 5623; bugfix on 0.2.2.25-alpha.
+ - When building with --enable-static-tor on OpenBSD, do not
+ erroneously attempt to link -lrt. Fixes bug 5103.
+
+ o Minor bugfixes (on 0.2.3.x):
+ - When Tor is built with kernel headers from a recent (last few
+ years) Linux kernel, do not fail to run on older (pre-2.6.28
+ Linux kernels). Fixes bug 5112; bugfix on 0.2.3.1-alpha.
+ - Fix cross-compilation isssues with mingw. Bugfixes on 0.2.3.6-alpha
+ and 0.2.3.12-alpha.
+ - Fix compilation with miniupnpc version 1.6; patch from
+ Anthony G. Basile. Fixes bug 5434; bugfix on 0.2.3.12-alpha.
+ - Fix compilation with MSVC, which had defined MS_WINDOWS. Bugfix
+ on 0.2.3.13-alpha; found and fixed by Gisle Vanem.
+ - Fix compilation on platforms without unistd.h, or where environ
+ is defined in stdlib.h. Fixes bug 5704; bugfix on 0.2.3.13-alpha.
+
+ o Minor features:
+ - Directory authorities are now a little more lenient at accepting
+ older router descriptors, or newer router descriptors that don't
+ make big changes. This should help ameliorate past and future
+ issues where routers think they have uploaded valid descriptors,
+ but the authorities don't think so. Fix for ticket 2479.
+ - Make the code that clients use to detect an address change be
+ IPv6-aware, so that it won't fill clients' logs with error
+ messages when trying to get the IPv4 address of an IPv6
+ connection. Implements ticket 5537.
+
+ o Removed features:
+ - Remove the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays option;
+ authorities needed to use it for a while to keep the network working
+ as people upgraded to 0.2.1.31, 0.2.2.34, or 0.2.3.6-alpha, but
+ that was six months ago. As of now, it should no longer be needed
+ or used.
+
+
+Changes in version 0.2.3.14-alpha - 2012-04-23
+ Tor 0.2.3.14-alpha fixes yet more bugs to get us closer to a release
+ candidate. It also dramatically speeds up AES: fast relays should
+ consider switching to the newer OpenSSL library.
+
+ o Directory authority changes:
+ - Change IP address for ides (v3 directory authority), and rename
+ it to turtles.
+
+ o Major bugfixes:
+ - Avoid logging uninitialized data when unable to decode a hidden
+ service descriptor cookie. Fixes bug 5647; bugfix on 0.2.1.5-alpha.
+ - Avoid a client-side assertion failure when receiving an INTRODUCE2
+ cell on a general purpose circuit. Fixes bug 5644; bugfix on
+ 0.2.1.6-alpha.
+ - If authorities are unable to get a v2 consensus document from other
+ directory authorities, they no longer fall back to fetching
+ them from regular directory caches. Fixes bug 5635; bugfix on
+ 0.2.2.26-beta, where routers stopped downloading v2 consensus
+ documents entirely.
+ - When we start a Tor client with a normal consensus already cached,
+ be willing to download a microdescriptor consensus. Fixes bug 4011;
+ fix on 0.2.3.1-alpha.
+
+ o Major features (performance):
+ - When built to use OpenSSL 1.0.1, and built for an x86 or x86_64
+ instruction set, take advantage of OpenSSL's AESNI, bitsliced, or
+ vectorized AES implementations as appropriate. These can be much,
+ much faster than other AES implementations.
+
+ o Minor bugfixes (0.2.2.x and earlier):
+ - Don't launch more than 10 service-side introduction-point circuits
+ for a hidden service in five minutes. Previously, we would consider
+ launching more introduction-point circuits if at least one second
+ had passed without any introduction-point circuits failing. Fixes
+ bug 4607; bugfix on 0.0.7pre1.
+ - Change the BridgePassword feature (part of the "bridge community"
+ design, which is not yet implemented) to use a time-independent
+ comparison. The old behavior might have allowed an adversary
+ to use timing to guess the BridgePassword value. Fixes bug 5543;
+ bugfix on 0.2.0.14-alpha.
+ - Enforce correct return behavior of tor_vsscanf() when the '%%'
+ pattern is used. Fixes bug 5558. Bugfix on 0.2.1.13.
+ - When sending an HTTP/1.1 proxy request, include a Host header.
+ Fixes bug 5593; bugfix on 0.2.2.1-alpha.
+ - Don't log that we have "decided to publish new relay descriptor"
+ unless we are actually publishing a descriptor. Fixes bug 3942;
+ bugfix on 0.2.2.28-beta.
+
+ o Minor bugfixes (0.2.3.x):
+ - Fix a bug where a bridge authority crashes (on a failed assert)
+ if it has seen no directory requests when it's time to write
+ statistics to disk. Fixes bug 5508. Bugfix on 0.2.3.6-alpha.
+ - Fix bug stomping on ORPort option NoListen and ignoring option
+ NoAdvertise. Fixes bug 5151; bugfix on 0.2.3.9-alpha.
+ - In the testsuite, provide a large enough buffer in the tor_sscanf
+ unit test. Otherwise we'd overrun that buffer and crash during
+ the unit tests. Found by weasel. Fixes bug 5449; bugfix on
+ 0.2.3.12-alpha.
+ - Make sure we create the keys directory if it doesn't exist and we're
+ about to store the dynamic Diffie-Hellman parameters. Fixes bug
+ 5572; bugfix on 0.2.3.13-alpha.
+ - Fix a small memory leak when trying to decode incorrect base16
+ authenticator during SAFECOOKIE authentication. Found by
+ Coverity Scan. Fixes CID 507. Bugfix on 0.2.3.13-alpha.
+
+ o Minor features:
+ - Add more information to a log statement that might help track down
+ bug 4091. If you're seeing "Bug: tor_addr_is_internal() called with a
+ non-IP address" messages (or any Bug messages, for that matter!),
+ please let us know about it.
+ - Relays now understand an IPv6 address when they get one from a
+ directory server. Resolves ticket 4875.
+ - Resolve IPv6 addresses in bridge and entry statistics to country
+ code "??" which means we at least count them. Resolves ticket 5053;
+ improves on 0.2.3.9-alpha.
+ - Update to the April 3 2012 Maxmind GeoLite Country database.
+ - Begin a doc/state-contents.txt file to explain the contents of
+ the Tor state file. Fixes bug 2987.
+
+ o Default torrc changes:
+ - Stop listing "socksport 9050" in torrc.sample. We open a socks
+ port on 9050 by default anyway, so this should not change anything
+ in practice.
+ - Stop mentioning the deprecated *ListenAddress options in
+ torrc.sample. Fixes bug 5438.
+ - Document unit of bandwidth related options in sample torrc.
+ Fixes bug 5621.
+
+ o Removed features:
+ - The "torify" script no longer supports the "tsocks" socksifier
+ tool, since tsocks doesn't support DNS and UDP right for Tor.
+ Everyone should be using torsocks instead. Fixes bugs 3530 and
+ 5180. Based on a patch by "ugh".
+
+ o Code refactoring:
+ - Change the symmetric cipher interface so that creating and
+ initializing a stream cipher are no longer separate functions.
+ - Remove all internal support for unpadded RSA. We never used it, and
+ it would be a bad idea to start.
+
+
+Changes in version 0.2.3.13-alpha - 2012-03-26
+ Tor 0.2.3.13-alpha fixes a variety of stability and correctness bugs
+ in managed pluggable transports, as well as providing other cleanups
+ that get us closer to a release candidate.
+
+ o Directory authority changes:
+ - Change IP address for maatuska (v3 directory authority).
+
+ o Security fixes:
+ - Provide controllers with a safer way to implement the cookie
+ authentication mechanism. With the old method, if another locally
+ running program could convince a controller that it was the Tor
+ process, then that program could trick the contoller into telling
+ it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
+ authentication method uses a challenge-response approach to prevent
+ this attack. Fixes bug 5185, implements proposal 193.
+ - Never use a bridge or a controller-supplied node as an exit, even
+ if its exit policy allows it. Found by wanoskarnet. Fixes bug
+ 5342. Bugfix on 0.1.1.15-rc (for controller-purpose descriptors)
+ and 0.2.0.3-alpha (for bridge-purpose descriptors).
+ - Only build circuits if we have a sufficient threshold of the total
+ descriptors that are marked in the consensus with the "Exit"
+ flag. This mitigates an attack proposed by wanoskarnet, in which
+ all of a client's bridges collude to restrict the exit nodes that
+ the client knows about. Fixes bug 5343.
+
+ o Major bugfixes (on Tor 0.2.3.x):
+ - Avoid an assert when managed proxies like obfsproxy are configured,
+ and we receive HUP signals or setconf attempts too rapidly. This
+ situation happens most commonly when Vidalia tries to attach to
+ Tor or tries to configure the Tor it's attached to. Fixes bug 5084;
+ bugfix on 0.2.3.6-alpha.
+ - Fix a relay-side pluggable transports bug where managed proxies were
+ unreachable from the Internet, because Tor asked them to bind on
+ localhost. Fixes bug 4725; bugfix on 0.2.3.9-alpha.
+ - Stop discarding command-line arguments when TestingTorNetwork
+ is set. Discovered by Kevin Bauer. Fixes bug 5373; bugfix on
+ 0.2.3.9-alpha, where task 4552 added support for two layers of
+ torrc files.
+ - Resume allowing the unit tests to run in gdb. This was accidentally
+ made impossible when the DisableDebuggerAttachment option was
+ introduced. Fixes bug 5448; bugfix on 0.2.3.9-alpha.
+ - Resume building with nat-pmp support. Fixes bug 4955; bugfix on
+ 0.2.3.11-alpha. Reported by Anthony G. Basile.
+
+ o Minor bugfixes (on 0.2.2.x and earlier):
+ - Ensure we don't cannibalize circuits that are longer than three hops
+ already, so we don't end up making circuits with 5 or more
+ hops. Patch contributed by wanoskarnet. Fixes bug 5231; bugfix on
+ 0.1.0.1-rc which introduced cannibalization.
+ - Detect and reject certain misformed escape sequences in
+ configuration values. Previously, these values would cause us
+ to crash if received in a torrc file or over an authenticated
+ control port. Bug found by Esteban Manchado Velázquez, and
+ independently by Robert Connolly from Matta Consulting who further
+ noted that it allows a post-authentication heap overflow. Patch
+ by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
+ bugfix on 0.2.0.16-alpha.
+ - Fix a compile warning when using the --enable-openbsd-malloc
+ configure option. Fixes bug 5340; bugfix on 0.2.0.20-rc.
+ - Directory caches no longer refuse to clean out descriptors because
+ of missing v2 networkstatus documents, unless they're configured
+ to retrieve v2 networkstatus documents. Fixes bug 4838; bugfix on
+ 0.2.2.26-beta. Patch by Daniel Bryg.
+ - Update to the latest version of the tinytest unit testing framework.
+ This includes a couple of bugfixes that can be relevant for
+ running forked unit tests on Windows, and removes all reserved
+ identifiers.
+
+ o Minor bugfixes (on 0.2.3.x):
+ - On a failed pipe() call, don't leak file descriptors. Fixes bug
+ 4296; bugfix on 0.2.3.1-alpha.
+ - Spec conformance: on a v3 handshake, do not send a NETINFO cell
+ until after we have received a CERTS cell. Fixes bug 4361; bugfix
+ on 0.2.3.6-alpha. Patch by "frosty".
+ - When binding to an IPv6 address, set the IPV6_V6ONLY socket
+ option, so that the IP stack doesn't decide to use it for IPv4
+ too. Fixes bug 4760; bugfix on 0.2.3.9-alpha.
+ - Ensure that variables set in Tor's environment cannot override
+ environment variables that Tor passes to a managed
+ pluggable-transport proxy. Previously, Tor would pass every
+ variable in its environment to managed proxies along with the new
+ ones, in such a way that on many operating systems, the inherited
+ environment variables would override those which Tor tried to
+ explicitly set. Bugfix on 0.2.3.12-alpha for most Unixoid systems;
+ bugfix on 0.2.3.9-alpha for Windows.
+
+ o Minor features:
+ - A wide variety of new unit tests by Esteban Manchado Velázquez.
+ - Shorten links in the tor-exit-notice file. Patch by Christian Kujau.
+ - Update to the March 6 2012 Maxmind GeoLite Country database.
+
+
+Changes in version 0.2.3.12-alpha - 2012-02-13
+ Tor 0.2.3.12-alpha lets fast exit relays scale better, allows clients
+ to use bridges that run Tor 0.2.2.x, and resolves several big bugs
+ when Tor is configured to use a pluggable transport like obfsproxy.
+
+ o Major bugfixes:
+ - Fix builds when the path to sed, openssl, or sha1sum contains
+ spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
+ on 0.2.2.1-alpha.
+ - Set the SO_REUSEADDR socket option before we call bind() on outgoing
+ connections. This change should allow busy exit relays to stop
+ running out of available sockets as quickly. Fixes bug 4950;
+ bugfix on 0.2.2.26-beta.
+ - Allow 0.2.3.x clients to use 0.2.2.x bridges. Previously the client
+ would ask the bridge for microdescriptors, which are only supported
+ in 0.2.3.x, and then fail to bootstrap when it didn't get the
+ answers it wanted. Fixes bug 4013; bugfix on 0.2.3.2-alpha.
+ - Properly set up obfsproxy's environment when in managed mode. The
+ Tor Browser Bundle needs LD_LIBRARY_PATH to be passed to obfsproxy,
+ and when you run your Tor as a daemon, there's no HOME. Fixes bugs
+ 5076 and 5082; bugfix on 0.2.3.6-alpha.
+
+ o Minor features:
+ - Use the dead_strip option when building Tor on OS X. This reduces
+ binary size by almost 19% when linking openssl and libevent
+ statically, which we do for Tor Browser Bundle.
+ - Fix broken URLs in the sample torrc file, and tell readers about
+ the OutboundBindAddress, ExitPolicyRejectPrivate, and
+ PublishServerDescriptor options. Addresses bug 4652.
+ - Update to the February 7 2012 Maxmind GeoLite Country database.
+
+ o Minor bugfixes:
+ - Downgrade the "We're missing a certificate" message from notice
+ to info: people kept mistaking it for a real problem, whereas it
+ is seldom the problem even when we are failing to bootstrap. Fixes
+ bug 5067; bugfix on 0.2.0.10-alpha.
+ - Don't put "TOR_PT_EXTENDED_SERVER_PORT=127.0.0.1:4200" in a
+ managed pluggable transport server proxy's environment.
+ Previously, we would put it there, even though Tor doesn't
+ implement an 'extended server port' yet, and even though Tor
+ almost certainly isn't listening at that address. For now, we set
+ it to an empty string to avoid crashing older obfsproxies. Bugfix
+ on 0.2.3.6-alpha.
+ - Log the heartbeat message every HeartbeatPeriod seconds, not every
+ HeartbeatPeriod + 1 seconds. Fixes bug 4942; bugfix on
+ 0.2.3.1-alpha. Bug reported by Scott Bennett.
+ - Calculate absolute paths correctly on Windows. Fixes bug 4973;
+ bugfix on 0.2.3.11-alpha.
+ - Update "ClientOnly" man page entry to explain that there isn't
+ really any point to messing with it. Resolves ticket 5005.
+ - Use the correct CVE number for CVE-2011-4576 in our comments and
+ log messages. Found by "fermenthor". Resolves bug 5066; bugfix on
+ 0.2.3.11-alpha.
+
+ o Code simplifications and refactoring:
+ - Use the _WIN32 macro throughout our code to detect Windows.
+ (Previously we had used the obsolete 'WIN32' and the idiosyncratic
+ 'MS_WINDOWS'.)
+
+
+Changes in version 0.2.3.11-alpha - 2012-01-22
+ Tor 0.2.3.11-alpha marks feature-freeze for the 0.2.3 tree. It deploys
+ the last step of the plan to limit maximum circuit length, includes
+ a wide variety of hidden service performance and correctness fixes,
+ works around an OpenSSL security flaw if your distro is too stubborn
+ to upgrade, and fixes a bunch of smaller issues.
+
+ o Major features:
+ - Now that Tor 0.2.0.x is completely deprecated, enable the final
+ part of "Proposal 110: Avoiding infinite length circuits" by
+ refusing all circuit-extend requests that do not use a relay_early
+ cell. This change helps Tor resist a class of denial-of-service
+ attacks by limiting the maximum circuit length.
+ - Adjust the number of introduction points that a hidden service
+ will try to maintain based on how long its introduction points
+ remain in use and how many introductions they handle. Fixes
+ part of bug 3825.
+ - Try to use system facilities for enumerating local interface
+ addresses, before falling back to our old approach (which was
+ binding a UDP socket, and calling getsockname() on it). That
+ approach was scaring OS X users whose draconian firewall
+ software warned about binding to UDP sockets, regardless of
+ whether packets were sent. Now we try to use getifaddrs(),
+ SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the
+ system supports. Resolves ticket 1827.
+
+ o Major security workaround:
+ - When building or running with any version of OpenSSL earlier
+ than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
+ versions have a bug (CVE-2011-4576) in which their block cipher
+ padding includes uninitialized data, potentially leaking sensitive
+ information to any peer with whom they make a SSLv3 connection. Tor
+ does not use SSL v3 by default, but a hostile client or server
+ could force an SSLv3 connection in order to gain information that
+ they shouldn't have been able to get. The best solution here is to
+ upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
+ or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
+ to make sure that the bug can't happen.
+
+ o Major bugfixes:
+ - Fix the SOCKET_OK test that we use to tell when socket
+ creation fails so that it works on Win64. Fixes part of bug 4533;
+ bugfix on 0.2.2.29-beta. Bug found by wanoskarnet.
+ - Correct our replacements for the timeradd() and timersub() functions
+ on platforms that lack them (for example, Windows). The timersub()
+ function is used when expiring circuits, while timeradd() is
+ currently unused. Bug report and patch by Vektor. Fixes bug 4778;
+ bugfix on 0.2.2.24-alpha and 0.2.3.1-alpha.
+ - Do not use OpenSSL 1.0.0's counter mode: it has a critical bug
+ that was fixed in OpenSSL 1.0.0a. We test for the counter mode
+ bug at runtime, not compile time, because some distributions hack
+ their OpenSSL to mis-report its version. Fixes bug 4779; bugfix
+ on 0.2.3.9-alpha. Found by Pascal.
+
+ o Minor features (controller):
+ - Use absolute path names when reporting the torrc filename in the
+ control protocol, so a controller can more easily find the torrc
+ file. Resolves bug 1101.
+ - Extend the control protocol to report flags that control a circuit's
+ path selection in CIRC events and in replies to 'GETINFO
+ circuit-status'. Implements part of ticket 2411.
+ - Extend the control protocol to report the hidden service address
+ and current state of a hidden-service-related circuit in CIRC
+ events and in replies to 'GETINFO circuit-status'. Implements part
+ of ticket 2411.
+ - When reporting the path to the cookie file to the controller,
+ give an absolute path. Resolves ticket 4881.
+ - Allow controllers to request an event notification whenever a
+ circuit is cannibalized or its purpose is changed. Implements
+ part of ticket 3457.
+ - Include the creation time of a circuit in CIRC and CIRC2
+ control-port events and the list produced by the 'GETINFO
+ circuit-status' control-port command.
+
+ o Minor features (directory authorities):
+ - Directory authorities now reject versions of Tor older than
+ 0.2.1.30, and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
+ inclusive. These versions accounted for only a small fraction of
+ the Tor network, and have numerous known security issues. Resolves
+ issue 4788.
+ - Authority operators can now vote for all relays in a given
+ set of countries to be BadDir/BadExit/Invalid/Rejected.
+ - Provide two consensus parameters (FastFlagMinThreshold and
+ FastFlagMaxThreshold) to control the range of allowable bandwidths
+ for the Fast directory flag. These allow authorities to run
+ experiments on appropriate requirements for being a "Fast" node.
+ The AuthDirFastGuarantee config value still applies.
+ - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
+ directory authority option (introduced in Tor 0.2.2.34).
+
+ o Minor features (other):
+ - Don't disable the DirPort when we cannot exceed our AccountingMax
+ limit during this interval because the effective bandwidthrate is
+ low enough. This is useful in a situation where AccountMax is only
+ used as an additional safeguard or to provide statistics.
+ - Prepend an informative header to generated dynamic_dh_params files.
+ - If EntryNodes are given, but UseEntryGuards is set to 0, warn that
+ EntryNodes will have no effect. Resolves issue 2571.
+ - Log more useful messages when we fail to disable debugger
+ attachment.
+ - Log which authority we're missing votes from when we go to fetch
+ them from the other auths.
+ - Log (at debug level) whenever a circuit's purpose is changed.
+ - Add missing documentation for the MaxClientCircuitsPending,
+ UseMicrodescriptors, UserspaceIOCPBuffers, and
+ _UseFilteringSSLBufferevents options, all introduced during
+ the 0.2.3.x series.
+ - Update to the January 3 2012 Maxmind GeoLite Country database.
+
+ o Minor bugfixes (hidden services):
+ - Don't close hidden service client circuits which have almost
+ finished connecting to their destination when they reach
+ the normal circuit-build timeout. Previously, we would close
+ introduction circuits which are waiting for an acknowledgement
+ from the introduction point, and rendezvous circuits which have
+ been specified in an INTRODUCE1 cell sent to a hidden service,
+ after the normal CBT. Now, we mark them as 'timed out', and launch
+ another rendezvous attempt in parallel. This behavior change can
+ be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout
+ option. Fixes part of bug 1297; bugfix on 0.2.2.2-alpha.
+ - Don't close hidden-service-side rendezvous circuits when they
+ reach the normal circuit-build timeout. This behaviour change can
+ be disabled using the new
+ CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the
+ remaining part of bug 1297; bugfix on 0.2.2.2-alpha.
+ - Make sure we never mark the wrong rendezvous circuit as having
+ had its introduction cell acknowleged by the introduction-point
+ relay. Previously, when we received an INTRODUCE_ACK cell on a
+ client-side hidden-service introduction circuit, we might have
+ marked a rendezvous circuit other than the one we specified in
+ the INTRODUCE1 cell as INTRO_ACKED, which would have produced
+ a warning message and interfered with the hidden service
+ connection-establishment process. Fixes bug 4759; bugfix on
+ 0.2.3.3-alpha, when we added the stream-isolation feature which
+ might cause Tor to open multiple rendezvous circuits for the same
+ hidden service.
+ - Don't trigger an assertion failure when we mark a new client-side
+ hidden-service introduction circuit for close during the process
+ of creating it. Fixes bug 4796; bugfix on 0.2.3.6-alpha. Reported
+ by murb.
+
+ o Minor bugfixes (log messages):
+ - Correctly spell "connect" in a log message on failure to create a
+ controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta and
+ 0.2.3.2-alpha.
+ - Fix a typo in a log message in rend_service_rendezvous_has_opened().
+ Fixes bug 4856; bugfix on Tor 0.0.6.
+ - Fix the log message describing how we work around discovering
+ that our version is the ill-fated OpenSSL 0.9.8l. Fixes bug
+ 4837; bugfix on 0.2.2.9-alpha.
+ - When logging about a disallowed .exit name, do not also call it
+ an "invalid onion address". Fixes bug 3325; bugfix on 0.2.2.9-alpha.
+
+ o Minor bugfixes (build fixes):
+ - During configure, detect when we're building with clang version
+ 3.0 or lower and disable the -Wnormalized=id and -Woverride-init
+ CFLAGS. clang doesn't support them yet.
+ - During configure, search for library containing cos function as
+ libm lives in libcore on some platforms (BeOS/Haiku). Linking
+ against libm was hard-coded before. Fixes the first part of bug
+ 4727; bugfix on 0.2.2.2-alpha. Patch and analysis by Martin Hebnes
+ Pedersen.
+ - Detect attempts to build Tor on (as yet hypothetical) versions
+ of Windows where sizeof(intptr_t) != sizeof(SOCKET). Partial
+ fix for bug 4533. Bugfix on 0.2.2.28-beta.
+ - Preprocessor directives should not be put inside the arguments
+ of a macro. This would break compilation with GCC releases prior
+ to version 3.3. We would never recommend such an old GCC version,
+ but it is apparently required for binary compatibility on some
+ platforms (namely, certain builds of Haiku). Fixes the other part
+ of bug 4727; bugfix on 0.2.3.3-alpha. Patch and analysis by Martin
+ Hebnes Pedersen.
+
+ o Minor bugfixes (other):
+ - Older Linux kernels erroneously respond to strange nmap behavior
+ by having accept() return successfully with a zero-length
+ socket. When this happens, just close the connection. Previously,
+ we would try harder to learn the remote address: but there was
+ no such remote address to learn, and our method for trying to
+ learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
+ on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
+ - Fix null-pointer access that could occur if TLS allocation failed.
+ Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un". This was
+ erroneously listed as fixed in 0.2.3.9-alpha, but the fix had
+ accidentally been reverted.
+ - Fix our implementation of crypto_random_hostname() so it can't
+ overflow on ridiculously large inputs. (No Tor version has ever
+ provided this kind of bad inputs, but let's be correct in depth.)
+ Fixes bug 4413; bugfix on 0.2.2.9-alpha. Fix by Stephen Palmateer.
+ - Find more places in the code that should have been testing for
+ invalid sockets using the SOCKET_OK macro. Required for a fix
+ for bug 4533. Bugfix on 0.2.2.28-beta.
+ - Fix an assertion failure when, while running with bufferevents, a
+ connection finishes connecting after it is marked for close, but
+ before it is closed. Fixes bug 4697; bugfix on 0.2.3.1-alpha.
+ - test_util_spawn_background_ok() hardcoded the expected value
+ for ENOENT to 2. This isn't portable as error numbers are
+ platform specific, and particularly the hurd has ENOENT at
+ 0x40000002. Construct expected string at runtime, using the correct
+ value for ENOENT. Fixes bug 4733; bugfix on 0.2.3.1-alpha.
+ - Reject attempts to disable DisableDebuggerAttachment while Tor is
+ running. Fixes bug 4650; bugfix on 0.2.3.9-alpha.
+ - Use an appropriate-width type for sockets in tor-fw-helper on
+ win64. Fixes bug 1983 at last. Bugfix on 0.2.3.9-alpha.
+
+ o Feature removal:
+ - When sending or relaying a RELAY_EARLY cell, we used to convert
+ it to a RELAY cell if the connection was using the v1 link
+ protocol. This was a workaround for older versions of Tor, which
+ didn't handle RELAY_EARLY cells properly. Now that all supported
+ versions can handle RELAY_EARLY cells, and now that we're enforcing
+ the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
+ remove this workaround. Addresses bug 4786.
+
+ o Code simplifications and refactoring:
+ - Use OpenSSL's built-in SSL_state_string_long() instead of our
+ own homebrewed ssl_state_to_string() replacement. Patch from
+ Emile Snyder. Fixes bug 4653.
+ - Use macros to indicate OpenSSL versions, so we don't need to worry
+ about accidental hexadecimal bit shifts.
+ - Remove some workaround code for OpenSSL 0.9.6 (which is no longer
+ supported).
+ - Convert more instances of tor_snprintf+tor_strdup into tor_asprintf.
+ - Use the smartlist_add_asprintf() alias more consistently.
+ - Use a TOR_INVALID_SOCKET macro when initializing a socket to an
+ invalid value, rather than just -1.
+ - Rename a handful of old identifiers, mostly related to crypto
+ structures and crypto functions. By convention, our "create an
+ object" functions are called "type_new()", our "free an object"
+ functions are called "type_free()", and our types indicate that
+ they are types only with a final "_t". But a handful of older
+ types and functions broke these rules, with function names like
+ "type_create" or "subsystem_op_type", or with type names like
+ type_env_t.
+
+
+Changes in version 0.2.3.10-alpha - 2011-12-16
+ Tor 0.2.3.10-alpha fixes a critical heap-overflow security issue in
+ Tor's buffers code. Absolutely everybody should upgrade.
+
+ The bug relied on an incorrect calculation when making data continuous
+ in one of our IO buffers, if the first chunk of the buffer was
+ misaligned by just the wrong amount. The miscalculation would allow an
+ attacker to overflow a piece of heap-allocated memory. To mount this
+ attack, the attacker would need to either open a SOCKS connection to
+ Tor's SocksPort (usually restricted to localhost), or target a Tor
+ instance configured to make its connections through a SOCKS proxy
+ (which Tor does not do by default).
+
+ Good security practice requires that all heap-overflow bugs should be
+ presumed to be exploitable until proven otherwise, so we are treating
+ this as a potential code execution attack. Please upgrade immediately!
+ This bug does not affect bufferevents-based builds of Tor. Special
+ thanks to "Vektor" for reporting this issue to us!
+
+ This release also contains a few minor bugfixes for issues discovered
+ in 0.2.3.9-alpha.
+
+ o Major bugfixes:
+ - Fix a heap overflow bug that could occur when trying to pull
+ data into the first chunk of a buffer, when that chunk had
+ already had some data drained from it. Fixes CVE-2011-2778;
+ bugfix on 0.2.0.16-alpha. Reported by "Vektor".
+
+ o Minor bugfixes:
+ - If we can't attach streams to a rendezvous circuit when we
+ finish connecting to a hidden service, clear the rendezvous
+ circuit's stream-isolation state and try to attach streams
+ again. Previously, we cleared rendezvous circuits' isolation
+ state either too early (if they were freshly built) or not at all
+ (if they had been built earlier and were cannibalized). Bugfix on
+ 0.2.3.3-alpha; fixes bug 4655.
+ - Fix compilation of the libnatpmp helper on non-Windows. Bugfix on
+ 0.2.3.9-alpha; fixes bug 4691. Reported by Anthony G. Basile.
+ - Fix an assertion failure when a relay with accounting enabled
+ starts up while dormant. Fixes bug 4702; bugfix on 0.2.3.9-alpha.
+
+ o Minor features:
+ - Update to the December 6 2011 Maxmind GeoLite Country database.
+
+
+Changes in version 0.2.2.35 - 2011-12-16
+ Tor 0.2.2.35 fixes a critical heap-overflow security issue in Tor's
+ buffers code. Absolutely everybody should upgrade.
+
+ The bug relied on an incorrect calculation when making data continuous
+ in one of our IO buffers, if the first chunk of the buffer was
+ misaligned by just the wrong amount. The miscalculation would allow an
+ attacker to overflow a piece of heap-allocated memory. To mount this
+ attack, the attacker would need to either open a SOCKS connection to
+ Tor's SocksPort (usually restricted to localhost), or target a Tor
+ instance configured to make its connections through a SOCKS proxy
+ (which Tor does not do by default).
+
+ Good security practice requires that all heap-overflow bugs should be
+ presumed to be exploitable until proven otherwise, so we are treating
+ this as a potential code execution attack. Please upgrade immediately!
+ This bug does not affect bufferevents-based builds of Tor. Special
+ thanks to "Vektor" for reporting this issue to us!
+
+ Tor 0.2.2.35 also fixes several bugs in previous versions, including
+ crash bugs for unusual configurations, and a long-term bug that
+ would prevent Tor from starting on Windows machines with draconian
+ AV software.
+
+ With this release, we remind everyone that 0.2.0.x has reached its
+ formal end-of-life. Those Tor versions have many known flaws, and
+ nobody should be using them. You should upgrade -- ideally to the
+ 0.2.2.x series. If you're using a Linux or BSD and its packages are
+ obsolete, stop using those packages and upgrade anyway.
+
+ The Tor 0.2.1.x series is also approaching its end-of-life: it will no
+ longer receive support after some time in early 2012.
+
+ o Major bugfixes:
+ - Fix a heap overflow bug that could occur when trying to pull
+ data into the first chunk of a buffer, when that chunk had
+ already had some data drained from it. Fixes CVE-2011-2778;
+ bugfix on 0.2.0.16-alpha. Reported by "Vektor".
+ - Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
+ that it doesn't attempt to allocate a socketpair. This could cause
+ some problems on Windows systems with overzealous firewalls. Fix for
+ bug 4457; workaround for Libevent versions 2.0.1-alpha through
+ 2.0.15-stable.
+ - If we mark an OR connection for close based on a cell we process,
+ don't process any further cells on it. We already avoid further
+ reads on marked-for-close connections, but now we also discard the
+ cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha,
+ which was the first version where we might mark a connection for
+ close based on processing a cell on it.
+ - Correctly sanity-check that we don't underflow on a memory
+ allocation (and then assert) for hidden service introduction
+ point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
+ bugfix on 0.2.1.5-alpha.
+ - Fix a memory leak when we check whether a hidden service
+ descriptor has any usable introduction points left. Fixes bug
+ 4424. Bugfix on 0.2.2.25-alpha.
+ - Don't crash when we're running as a relay and don't have a GeoIP
+ file. Bugfix on 0.2.2.34; fixes bug 4340. This backports a fix
+ we've had in the 0.2.3.x branch already.
+ - When running as a client, do not print a misleading (and plain
+ wrong) log message that we're collecting "directory request"
+ statistics: clients don't collect statistics. Also don't create a
+ useless (because empty) stats file in the stats/ directory. Fixes
+ bug 4353; bugfix on 0.2.2.34.
+
+ o Minor bugfixes:
+ - Detect failure to initialize Libevent. This fix provides better
+ detection for future instances of bug 4457.
+ - Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers
+ function. This was eating up hideously large amounts of time on some
+ busy servers. Fixes bug 4518; bugfix on 0.0.9.8.
+ - Resolve an integer overflow bug in smartlist_ensure_capacity().
+ Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by
+ Mansour Moufid.
+ - Don't warn about unused log_mutex in log.c when building with
+ --disable-threads using a recent GCC. Fixes bug 4437; bugfix on
+ 0.1.0.6-rc which introduced --disable-threads.
+ - When configuring, starting, or stopping an NT service, stop
+ immediately after the service configuration attempt has succeeded
+ or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha.
+ - When sending a NETINFO cell, include the original address
+ received for the other side, not its canonical address. Found
+ by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha.
+ - Fix a typo in a hibernation-related log message. Fixes bug 4331;
+ bugfix on 0.2.2.23-alpha; found by "tmpname0901".
+ - Fix a memory leak in launch_direct_bridge_descriptor_fetch() that
+ occurred when a client tried to fetch a descriptor for a bridge
+ in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha.
+ - Backport fixes for a pair of compilation warnings on Windows.
+ Fixes bug 4521; bugfix on 0.2.2.28-beta and on 0.2.2.29-beta.
+ - If we had ever tried to call tor_addr_to_str on an address of
+ unknown type, we would have done a strdup on an uninitialized
+ buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha.
+ Reported by "troll_un".
+ - Correctly detect and handle transient lookup failures from
+ tor_addr_lookup. Fixes bug 4530; bugfix on 0.2.1.5-alpha.
+ Reported by "troll_un".
+ - Fix null-pointer access that could occur if TLS allocation failed.
+ Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
+ - Use tor_socket_t type for listener argument to accept(). Fixes bug
+ 4535; bugfix on 0.2.2.28-beta. Found by "troll_un".
+
+ o Minor features:
+ - Add two new config options for directory authorities:
+ AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the
+ Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold
+ that is always sufficient to satisfy the bandwidth requirement for
+ the Guard flag. Now it will be easier for researchers to simulate
+ Tor networks with different values. Resolves ticket 4484.
+ - When Tor ignores a hidden service specified in its configuration,
+ include the hidden service's directory in the warning message.
+ Previously, we would only tell the user that some hidden service
+ was ignored. Bugfix on 0.0.6; fixes bug 4426.
+ - Update to the December 6 2011 Maxmind GeoLite Country database.
+
+ o Packaging changes:
+ - Make it easier to automate expert package builds on Windows,
+ by removing an absolute path from makensis.exe command.
+
+
+Changes in version 0.2.3.9-alpha - 2011-12-08
+ Tor 0.2.3.9-alpha introduces initial IPv6 support for bridges, adds
+ a "DisableNetwork" security feature that bundles can use to avoid
+ touching the network until bridges are configured, moves forward on
+ the pluggable transport design, fixes a flaw in the hidden service
+ design that unnecessarily prevented clients with wrong clocks from
+ reaching hidden services, and fixes a wide variety of other issues.
+
+ o Major features:
+ - Clients can now connect to private bridges over IPv6. Bridges
+ still need at least one IPv4 address in order to connect to
+ other relays. Note that we don't yet handle the case where the
+ user has two bridge lines for the same bridge (one IPv4, one
+ IPv6). Implements parts of proposal 186.
+ - New "DisableNetwork" config option to prevent Tor from launching any
+ connections or accepting any connections except on a control port.
+ Bundles and controllers can set this option before letting Tor talk
+ to the rest of the network, for example to prevent any connections
+ to a non-bridge address. Packages like Orbot can also use this
+ option to instruct Tor to save power when the network is off.
+ - Clients and bridges can now be configured to use a separate
+ "transport" proxy. This approach makes the censorship arms race
+ easier by allowing bridges to use protocol obfuscation plugins. It
+ implements the "managed proxy" part of proposal 180 (ticket 3472).
+ - When using OpenSSL 1.0.0 or later, use OpenSSL's counter mode
+ implementation. It makes AES_CTR about 7% faster than our old one
+ (which was about 10% faster than the one OpenSSL used to provide).
+ Resolves ticket 4526.
+ - Add a "tor2web mode" for clients that want to connect to hidden
+ services non-anonymously (and possibly more quickly). As a safety
+ measure to try to keep users from turning this on without knowing
+ what they are doing, tor2web mode must be explicitly enabled at
+ compile time, and a copy of Tor compiled to run in tor2web mode
+ cannot be used as a normal Tor client. Implements feature 2553.
+ - Add experimental support for running on Windows with IOCP and no
+ kernel-space socket buffers. This feature is controlled by a new
+ "UserspaceIOCPBuffers" config option (off by default), which has
+ no effect unless Tor has been built with support for bufferevents,
+ is running on Windows, and has enabled IOCP. This may, in the long
+ run, help solve or mitigate bug 98.
+ - Use a more secure consensus parameter voting algorithm. Now at
+ least three directory authorities or a majority of them must
+ vote on a given parameter before it will be included in the
+ consensus. Implements proposal 178.
+
+ o Major bugfixes:
+ - Hidden services now ignore the timestamps on INTRODUCE2 cells.
+ They used to check that the timestamp was within 30 minutes
+ of their system clock, so they could cap the size of their
+ replay-detection cache, but that approach unnecessarily refused
+ service to clients with wrong clocks. Bugfix on 0.2.1.6-alpha, when
+ the v3 intro-point protocol (the first one which sent a timestamp
+ field in the INTRODUCE2 cell) was introduced; fixes bug 3460.
+ - Only use the EVP interface when AES acceleration is enabled,
+ to avoid a 5-7% performance regression. Resolves issue 4525;
+ bugfix on 0.2.3.8-alpha.
+
+ o Privacy/anonymity features (bridge detection):
+ - Make bridge SSL certificates a bit more stealthy by using random
+ serial numbers, in the same fashion as OpenSSL when generating
+ self-signed certificates. Implements ticket 4584.
+ - Introduce a new config option "DynamicDHGroups", enabled by
+ default, which provides each bridge with a unique prime DH modulus
+ to be used during SSL handshakes. This option attempts to help
+ against censors who might use the Apache DH modulus as a static
+ identifier for bridges. Addresses ticket 4548.
+
+ o Minor features (new/different config options):
+ - New configuration option "DisableDebuggerAttachment" (on by default)
+ to prevent basic debugging attachment attempts by other processes.
+ Supports Mac OS X and Gnu/Linux. Resolves ticket 3313.
+ - Allow MapAddress directives to specify matches against super-domains,
+ as in "MapAddress *.torproject.org *.torproject.org.torserver.exit".
+ Implements issue 933.
+ - Slightly change behavior of "list" options (that is, config
+ options that can appear more than once) when they appear both in
+ torrc and on the command line. Previously, the command-line options
+ would be appended to the ones from torrc. Now, the command-line
+ options override the torrc options entirely. This new behavior
+ allows the user to override list options (like exit policies and
+ ports to listen on) from the command line, rather than simply
+ appending to the list.
+ - You can get the old (appending) command-line behavior for "list"
+ options by prefixing the option name with a "+".
+ - You can remove all the values for a "list" option from the command
+ line without adding any new ones by prefixing the option name
+ with a "/".
+ - Add experimental support for a "defaults" torrc file to be parsed
+ before the regular torrc. Torrc options override the defaults file's
+ options in the same way that the command line overrides the torrc.
+ The SAVECONF controller command saves only those options which
+ differ between the current configuration and the defaults file. HUP
+ reloads both files. (Note: This is an experimental feature; its
+ behavior will probably be refined in future 0.2.3.x-alpha versions
+ to better meet packagers' needs.) Implements task 4552.
+
+ o Minor features:
+ - Try to make the introductory warning message that Tor prints on
+ startup more useful for actually finding help and information.
+ Resolves ticket 2474.
+ - Running "make version" now displays the version of Tor that
+ we're about to build. Idea from katmagic; resolves issue 4400.
+ - Expire old or over-used hidden service introduction points.
+ Required by fix for bug 3460.
+ - Move the replay-detection cache for the RSA-encrypted parts of
+ INTRODUCE2 cells to the introduction point data structures.
+ Previously, we would use one replay-detection cache per hidden
+ service. Required by fix for bug 3460.
+ - Reduce the lifetime of elements of hidden services' Diffie-Hellman
+ public key replay-detection cache from 60 minutes to 5 minutes. This
+ replay-detection cache is now used only to detect multiple
+ INTRODUCE2 cells specifying the same rendezvous point, so we can
+ avoid launching multiple simultaneous attempts to connect to it.
+
+ o Minor bugfixes (on Tor 0.2.2.x and earlier):
+ - Resolve an integer overflow bug in smartlist_ensure_capacity().
+ Fixes bug 4230; bugfix on Tor 0.1.0.1-rc. Based on a patch by
+ Mansour Moufid.
+ - Fix a minor formatting issue in one of tor-gencert's error messages.
+ Fixes bug 4574.
+ - Prevent a false positive from the check-spaces script, by disabling
+ the "whitespace between function name and (" check for functions
+ named 'op()'.
+ - Fix a log message suggesting that people contact a non-existent
+ email address. Fixes bug 3448.
+ - Fix null-pointer access that could occur if TLS allocation failed.
+ Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un".
+ - Report a real bootstrap problem to the controller on router
+ identity mismatch. Previously we just said "foo", which probably
+ made a lot of sense at the time. Fixes bug 4169; bugfix on
+ 0.2.1.1-alpha.
+ - If we had ever tried to call tor_addr_to_str() on an address of
+ unknown type, we would have done a strdup() on an uninitialized
+ buffer. Now we won't. Fixes bug 4529; bugfix on 0.2.1.3-alpha.
+ Reported by "troll_un".
+ - Correctly detect and handle transient lookup failures from
+ tor_addr_lookup(). Fixes bug 4530; bugfix on 0.2.1.5-alpha.
+ Reported by "troll_un".
+ - Use tor_socket_t type for listener argument to accept(). Fixes bug
+ 4535; bugfix on 0.2.2.28-beta. Found by "troll_un".
+ - Initialize conn->addr to a valid state in spawn_cpuworker(). Fixes
+ bug 4532; found by "troll_un".
+
+ o Minor bugfixes (on Tor 0.2.3.x):
+ - Fix a compile warning in tor_inet_pton(). Bugfix on 0.2.3.8-alpha;
+ fixes bug 4554.
+ - Don't send two ESTABLISH_RENDEZVOUS cells when opening a new
+ circuit for use as a hidden service client's rendezvous point.
+ Fixes bugs 4641 and 4171; bugfix on 0.2.3.3-alpha. Diagnosed
+ with help from wanoskarnet.
+ - Restore behavior of overriding SocksPort, ORPort, and similar
+ options from the command line. Bugfix on 0.2.3.3-alpha.
+
+ o Build fixes:
+ - Properly handle the case where the build-tree is not the same
+ as the source tree when generating src/common/common_sha1.i,
+ src/or/micro-revision.i, and src/or/or_sha1.i. Fixes bug 3953;
+ bugfix on 0.2.0.1-alpha.
+
+ o Code simplifications, cleanups, and refactorings:
+ - Remove the pure attribute from all functions that used it
+ previously. In many cases we assigned it incorrectly, because the
+ functions might assert or call impure functions, and we don't have
+ evidence that keeping the pure attribute is worthwhile. Implements
+ changes suggested in ticket 4421.
+ - Remove some dead code spotted by coverity. Fixes cid 432.
+ Bugfix on 0.2.3.1-alpha, closes bug 4637.
+
+
+Changes in version 0.2.3.8-alpha - 2011-11-22
+ Tor 0.2.3.8-alpha fixes some crash and assert bugs, including a
+ socketpair-related bug that has been bothering Windows users. It adds
+ support to serve microdescriptors to controllers, so Vidalia's network
+ map can resume listing relays (once Vidalia implements its side),
+ and adds better support for hardware AES acceleration. Finally, it
+ starts the process of adjusting the bandwidth cutoff for getting the
+ "Fast" flag from 20KB to (currently) 32KB -- preliminary results show
+ that tiny relays harm performance more than they help network capacity.
+
+ o Major bugfixes:
+ - Initialize Libevent with the EVENT_BASE_FLAG_NOLOCK flag enabled, so
+ that it doesn't attempt to allocate a socketpair. This could cause
+ some problems on Windows systems with overzealous firewalls. Fix for
+ bug 4457; workaround for Libevent versions 2.0.1-alpha through
+ 2.0.15-stable.
+ - Correctly sanity-check that we don't underflow on a memory
+ allocation (and then assert) for hidden service introduction
+ point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
+ bugfix on 0.2.1.5-alpha.
+ - Remove the artificially low cutoff of 20KB to guarantee the Fast
+ flag. In the past few years the average relay speed has picked
+ up, and while the "top 7/8 of the network get the Fast flag" and
+ "all relays with 20KB or more of capacity get the Fast flag" rules
+ used to have the same result, now the top 7/8 of the network has
+ a capacity more like 32KB. Bugfix on 0.2.1.14-rc. Fixes bug 4489.
+ - Fix a rare assertion failure when checking whether a v0 hidden
+ service descriptor has any usable introduction points left, and
+ we don't have enough information to build a circuit to the first
+ intro point named in the descriptor. The HS client code in
+ 0.2.3.x no longer uses v0 HS descriptors, but this assertion can
+ trigger on (and crash) v0 HS authorities. Fixes bug 4411.
+ Bugfix on 0.2.3.1-alpha; diagnosed by frosty_un.
+ - Make bridge authorities not crash when they are asked for their own
+ descriptor. Bugfix on 0.2.3.7-alpha, reported by Lucky Green.
+ - When running as a client, do not print a misleading (and plain
+ wrong) log message that we're collecting "directory request"
+ statistics: clients don't collect statistics. Also don't create a
+ useless (because empty) stats file in the stats/ directory. Fixes
+ bug 4353; bugfix on 0.2.2.34 and 0.2.3.7-alpha.
+
+ o Major features:
+ - Allow Tor controllers like Vidalia to obtain the microdescriptor
+ for a relay by identity digest or nickname. Previously,
+ microdescriptors were only available by their own digests, so a
+ controller would have to ask for and parse the whole microdescriptor
+ consensus in order to look up a single relay's microdesc. Fixes
+ bug 3832; bugfix on 0.2.3.1-alpha.
+ - Use OpenSSL's EVP interface for AES encryption, so that all AES
+ operations can use hardware acceleration (if present). Resolves
+ ticket 4442.
+
+ o Minor bugfixes (on 0.2.2.x and earlier):
+ - Detect failure to initialize Libevent. This fix provides better
+ detection for future instances of bug 4457.
+ - Avoid frequent calls to the fairly expensive cull_wedged_cpuworkers
+ function. This was eating up hideously large amounts of time on some
+ busy servers. Fixes bug 4518; bugfix on 0.0.9.8.
+ - Don't warn about unused log_mutex in log.c when building with
+ --disable-threads using a recent GCC. Fixes bug 4437; bugfix on
+ 0.1.0.6-rc which introduced --disable-threads.
+ - Allow manual 'authenticate' commands to the controller interface
+ from netcat (nc) as well as telnet. We were rejecting them because
+ they didn't come with the expected whitespace at the end of the
+ command. Bugfix on 0.1.1.1-alpha; fixes bug 2893.
+ - Fix some (not actually triggerable) buffer size checks in usage of
+ tor_inet_ntop. Fixes bug 4434; bugfix on Tor 0.2.0.1-alpha. Patch
+ by Anders Sundman.
+ - Fix parsing of some corner-cases with tor_inet_pton(). Fixes
+ bug 4515; bugfix on 0.2.0.1-alpha; fix by Anders Sundman.
+ - When configuring, starting, or stopping an NT service, stop
+ immediately after the service configuration attempt has succeeded
+ or failed. Fixes bug 3963; bugfix on 0.2.0.7-alpha.
+ - When sending a NETINFO cell, include the original address
+ received for the other side, not its canonical address. Found
+ by "troll_un"; fixes bug 4349; bugfix on 0.2.0.10-alpha.
+ - Rename the bench_{aes,dmap} functions to test_*, so that tinytest
+ can pick them up when the tests aren't disabled. Bugfix on
+ 0.2.2.4-alpha which introduced tinytest.
+ - Fix a memory leak when we check whether a hidden service
+ descriptor has any usable introduction points left. Fixes bug
+ 4424. Bugfix on 0.2.2.25-alpha.
+ - Fix a memory leak in launch_direct_bridge_descriptor_fetch() that
+ occurred when a client tried to fetch a descriptor for a bridge
+ in ExcludeNodes. Fixes bug 4383; bugfix on 0.2.2.25-alpha.
+
+ o Minor bugfixes (on 0.2.3.x):
+ - Make util unit tests build correctly with MSVC. Bugfix on
+ 0.2.3.3-alpha. Patch by Gisle Vanem.
+ - Successfully detect AUTH_CHALLENGE cells with no recognized
+ authentication type listed. Fixes bug 4367; bugfix on 0.2.3.6-alpha.
+ Found by frosty_un.
+ - If a relay receives an AUTH_CHALLENGE cell it can't answer,
+ it should still send a NETINFO cell to allow the connection to
+ become open. Fixes bug 4368; fix on 0.2.3.6-alpha; bug found by
+ "frosty".
+ - Log less loudly when we get an invalid authentication certificate
+ from a source other than a directory authority: it's not unusual
+ to see invalid certs because of clock skew. Fixes bug 4370; bugfix
+ on 0.2.3.6-alpha.
+ - Tolerate servers with more clock skew in their authentication
+ certificates than previously. Fixes bug 4371; bugfix on
+ 0.2.3.6-alpha.
+ - Fix a couple of compile warnings on Windows. Fixes bug 4469; bugfix
+ on 0.2.3.4-alpha and 0.2.3.6-alpha.
+
+ o Minor features:
+ - Add two new config options for directory authorities:
+ AuthDirFastGuarantee sets a bandwidth threshold for guaranteeing the
+ Fast flag, and AuthDirGuardBWGuarantee sets a bandwidth threshold
+ that is always sufficient to satisfy the bandwidth requirement for
+ the Guard flag. Now it will be easier for researchers to simulate
+ Tor networks with different values. Resolves ticket 4484.
+ - When Tor ignores a hidden service specified in its configuration,
+ include the hidden service's directory in the warning message.
+ Previously, we would only tell the user that some hidden service
+ was ignored. Bugfix on 0.0.6; fixes bug 4426.
+ - When we fail to initialize Libevent, retry with IOCP disabled so we
+ don't need to turn on multi-threading support in Libevent, which in
+ turn requires a working socketpair(). This is a workaround for bug
+ 4457, which affects Libevent versions from 2.0.1-alpha through
+ 2.0.15-stable.
+ - Detect when we try to build on a platform that doesn't define
+ AF_UNSPEC to 0. We don't work there, so refuse to compile.
+ - Update to the November 1 2011 Maxmind GeoLite Country database.
+
+ o Packaging changes:
+ - Make it easier to automate expert package builds on Windows,
+ by removing an absolute path from makensis.exe command.
+
+ o Code simplifications and refactoring:
+ - Remove some redundant #include directives throughout the code.
+ Patch from Andrea Gelmini.
+ - Unconditionally use OpenSSL's AES implementation instead of our
+ old built-in one. OpenSSL's AES has been better for a while, and
+ relatively few servers should still be on any version of OpenSSL
+ that doesn't have good optimized assembly AES.
+ - Use the name "CERTS" consistently to refer to the new cell type;
+ we were calling it CERT in some places and CERTS in others.
+
+ o Testing:
+ - Numerous new unit tests for functions in util.c and address.c by
+ Anders Sundman.
+ - The long-disabled benchmark tests are now split into their own
+ ./src/test/bench binary.
+ - The benchmark tests can now use more accurate timers than
+ gettimeofday() when such timers are available.
+
+
+Changes in version 0.2.3.7-alpha - 2011-10-30
+ Tor 0.2.3.7-alpha fixes a crash bug in 0.2.3.6-alpha introduced by
+ the new v3 handshake. It also resolves yet another bridge address
+ enumeration issue.
+
+ o Major bugfixes:
+ - If we mark an OR connection for close based on a cell we process,
+ don't process any further cells on it. We already avoid further
+ reads on marked-for-close connections, but now we also discard the
+ cells we'd already read. Fixes bug 4299; bugfix on 0.2.0.10-alpha,
+ which was the first version where we might mark a connection for
+ close based on processing a cell on it.
+ - Fix a double-free bug that would occur when we received an invalid
+ certificate in a CERT cell in the new v3 handshake. Fixes bug 4343;
+ bugfix on 0.2.3.6-alpha.
+ - Bridges no longer include their address in NETINFO cells on outgoing
+ OR connections, to allow them to blend in better with clients.
+ Removes another avenue for enumerating bridges. Reported by
+ "troll_un". Fixes bug 4348; bugfix on 0.2.0.10-alpha, when NETINFO
+ cells were introduced.
+
+ o Trivial fixes:
+ - Fixed a typo in a hibernation-related log message. Fixes bug 4331;
+ bugfix on 0.2.2.23-alpha; found by "tmpname0901".
+
+
+Changes in version 0.2.3.6-alpha - 2011-10-26
+ Tor 0.2.3.6-alpha includes the fix from 0.2.2.34 for a critical
+ anonymity vulnerability where an attacker can deanonymize Tor
+ users. Everybody should upgrade.
+
+ This release also features support for a new v3 connection handshake
+ protocol, and fixes to make hidden service connections more robust.
+
+ o Major features:
+ - Implement a new handshake protocol (v3) for authenticating Tors to
+ each other over TLS. It should be more resistant to fingerprinting
+ than previous protocols, and should require less TLS hacking for
+ future Tor implementations. Implements proposal 176.
+ - Allow variable-length padding cells to disguise the length of
+ Tor's TLS records. Implements part of proposal 184.
+
+ o Privacy/anonymity fixes (clients):
+ - Clients and bridges no longer send TLS certificate chains on
+ outgoing OR connections. Previously, each client or bridge would
+ use the same cert chain for all outgoing OR connections until
+ its IP address changes, which allowed any relay that the client
+ or bridge contacted to determine which entry guards it is using.
+ Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
+ - If a relay receives a CREATE_FAST cell on a TLS connection, it
+ no longer considers that connection as suitable for satisfying a
+ circuit EXTEND request. Now relays can protect clients from the
+ CVE-2011-2768 issue even if the clients haven't upgraded yet.
+ - Directory authorities no longer assign the Guard flag to relays
+ that haven't upgraded to the above "refuse EXTEND requests
+ to client connections" fix. Now directory authorities can
+ protect clients from the CVE-2011-2768 issue even if neither
+ the clients nor the relays have upgraded yet. There's a new
+ "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
+ to let us transition smoothly, else tomorrow there would be no
+ guard relays.
+
+ o Major bugfixes (hidden services):
+ - Improve hidden service robustness: when an attempt to connect to
+ a hidden service ends, be willing to refetch its hidden service
+ descriptors from each of the HSDir relays responsible for them
+ immediately. Previously, we would not consider refetching the
+ service's descriptors from each HSDir for 15 minutes after the last
+ fetch, which was inconvenient if the hidden service was not running
+ during the first attempt. Bugfix on 0.2.0.18-alpha; fixes bug 3335.
+ - When one of a hidden service's introduction points appears to be
+ unreachable, stop trying it. Previously, we would keep trying
+ to build circuits to the introduction point until we lost the
+ descriptor, usually because the user gave up and restarted Tor.
+ Partly fixes bug 3825.
+ - Don't launch a useless circuit after failing to use one of a
+ hidden service's introduction points. Previously, we would
+ launch a new introduction circuit, but not set the hidden service
+ which that circuit was intended to connect to, so it would never
+ actually be used. A different piece of code would then create a
+ new introduction circuit correctly. Bug reported by katmagic and
+ found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
+
+ o Major bugfixes (other):
+ - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
+ that they initiated. Relays could distinguish incoming bridge
+ connections from client connections, creating another avenue for
+ enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
+ Found by "frosty_un".
+ - Don't update the AccountingSoftLimitHitAt state file entry whenever
+ tor gets started. This prevents a wrong average bandwidth
+ estimate, which would cause relays to always start a new accounting
+ interval at the earliest possible moment. Fixes bug 2003; bugfix
+ on 0.2.2.7-alpha. Reported by BryonEldridge, who also helped
+ immensely in tracking this bug down.
+ - Fix a crash bug when changing node restrictions while a DNS lookup
+ is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
+ by "Tey'".
+
+ o Minor bugfixes (on 0.2.2.x and earlier):
+ - When a hidden service turns an extra service-side introduction
+ circuit into a general-purpose circuit, free the rend_data and
+ intro_key fields first, so we won't leak memory if the circuit
+ is cannibalized for use as another service-side introduction
+ circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
+ - Rephrase the log message emitted if the TestSocks check is
+ successful. Patch from Fabian Keil; fixes bug 4094.
+ - Bridges now skip DNS self-tests, to act a little more stealthily.
+ Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
+ bridges. Patch by "warms0x".
+ - Remove a confusing dollar sign from the example fingerprint in the
+ man page, and also make the example fingerprint a valid one. Fixes
+ bug 4309; bugfix on 0.2.1.3-alpha.
+ - Fix internal bug-checking logic that was supposed to catch
+ failures in digest generation so that it will fail more robustly
+ if we ask for a nonexistent algorithm. Found by Coverity Scan.
+ Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479.
+ - Report any failure in init_keys() calls launched because our
+ IP address has changed. Spotted by Coverity Scan. Bugfix on
+ 0.1.1.4-alpha; fixes CID 484.
+
+ o Minor bugfixes (on 0.2.3.x):
+ - Fix a bug in configure.in that kept it from building a configure
+ script with autoconf versions earlier than 2.61. Fixes bug 2430;
+ bugfix on 0.2.3.1-alpha.
+ - Don't warn users that they are exposing a client port to the
+ Internet if they have specified an RFC1918 address. Previously,
+ we would warn if the user had specified any non-loopback
+ address. Bugfix on 0.2.3.3-alpha. Fixes bug 4018; reported by Tas.
+ - Fix memory leaks in the failing cases of the new SocksPort and
+ ControlPort code. Found by Coverity Scan. Bugfix on 0.2.3.3-alpha;
+ fixes coverity CIDs 485, 486, and 487.
+
+ o Minor features:
+ - When a hidden service's introduction point times out, consider
+ trying it again during the next attempt to connect to the
+ HS. Previously, we would not try it again unless a newly fetched
+ descriptor contained it. Required by fixes for bugs 1297 and 3825.
+ - The next version of Windows will be called Windows 8, and it has
+ a major version of 6, minor version of 2. Correctly identify that
+ version instead of calling it "Very recent version". Resolves
+ ticket 4153; reported by funkstar.
+ - The Bridge Authority now writes statistics on how many bridge
+ descriptors it gave out in total, and how many unique descriptors
+ it gave out. It also lists how often the most and least commonly
+ fetched descriptors were given out, as well as the median and
+ 25th/75th percentile. Implements tickets 4200 and 4294.
+ - Update to the October 4 2011 Maxmind GeoLite Country database.
+
+ o Code simplifications and refactoring:
+ - Remove some old code to remember statistics about which descriptors
+ we've served as a directory mirror. The feature wasn't used and
+ is outdated now that microdescriptors are around.
+ - Rename Tor functions that turn strings into addresses, so that
+ "parse" indicates that no hostname resolution occurs, and
+ "lookup" indicates that hostname resolution may occur. This
+ should help prevent mistakes in the future. Fixes bug 3512.
+
+
+Changes in version 0.2.2.34 - 2011-10-26
+ Tor 0.2.2.34 fixes a critical anonymity vulnerability where an attacker
+ can deanonymize Tor users. Everybody should upgrade.
+
+ The attack relies on four components: 1) Clients reuse their TLS cert
+ when talking to different relays, so relays can recognize a user by
+ the identity key in her cert. 2) An attacker who knows the client's
+ identity key can probe each guard relay to see if that identity key
+ is connected to that guard relay right now. 3) A variety of active
+ attacks in the literature (starting from "Low-Cost Traffic Analysis
+ of Tor" by Murdoch and Danezis in 2005) allow a malicious website to
+ discover the guard relays that a Tor user visiting the website is using.
+ 4) Clients typically pick three guards at random, so the set of guards
+ for a given user could well be a unique fingerprint for her. This
+ release fixes components #1 and #2, which is enough to block the attack;
+ the other two remain as open research problems. Special thanks to
+ "frosty_un" for reporting the issue to us!
+
+ Clients should upgrade so they are no longer recognizable by the TLS
+ certs they present. Relays should upgrade so they no longer allow a
+ remote attacker to probe them to test whether unpatched clients are
+ currently connected to them.
+
+ This release also fixes several vulnerabilities that allow an attacker
+ to enumerate bridge relays. Some bridge enumeration attacks still
+ remain; see for example proposal 188.
+
+ o Privacy/anonymity fixes (clients):
+ - Clients and bridges no longer send TLS certificate chains on
+ outgoing OR connections. Previously, each client or bridge would
+ use the same cert chain for all outgoing OR connections until
+ its IP address changes, which allowed any relay that the client
+ or bridge contacted to determine which entry guards it is using.
+ Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
+ - If a relay receives a CREATE_FAST cell on a TLS connection, it
+ no longer considers that connection as suitable for satisfying a
+ circuit EXTEND request. Now relays can protect clients from the
+ CVE-2011-2768 issue even if the clients haven't upgraded yet.
+ - Directory authorities no longer assign the Guard flag to relays
+ that haven't upgraded to the above "refuse EXTEND requests
+ to client connections" fix. Now directory authorities can
+ protect clients from the CVE-2011-2768 issue even if neither
+ the clients nor the relays have upgraded yet. There's a new
+ "GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays" config option
+ to let us transition smoothly, else tomorrow there would be no
+ guard relays.
+
+ o Privacy/anonymity fixes (bridge enumeration):
+ - Bridge relays now do their directory fetches inside Tor TLS
+ connections, like all the other clients do, rather than connecting
+ directly to the DirPort like public relays do. Removes another
+ avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
+ - Bridges relays now build circuits for themselves in a more similar
+ way to how clients build them. Removes another avenue for
+ enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
+ when bridges were introduced.
+ - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
+ that they initiated. Relays could distinguish incoming bridge
+ connections from client connections, creating another avenue for
+ enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
+ Found by "frosty_un".
+
+ o Major bugfixes:
+ - Fix a crash bug when changing node restrictions while a DNS lookup
+ is in-progress. Fixes bug 4259; bugfix on 0.2.2.25-alpha. Bugfix
+ by "Tey'".
+ - Don't launch a useless circuit after failing to use one of a
+ hidden service's introduction points. Previously, we would
+ launch a new introduction circuit, but not set the hidden service
+ which that circuit was intended to connect to, so it would never
+ actually be used. A different piece of code would then create a
+ new introduction circuit correctly. Bug reported by katmagic and
+ found by Sebastian Hahn. Bugfix on 0.2.1.13-alpha; fixes bug 4212.
+
+ o Minor bugfixes:
+ - Change an integer overflow check in the OpenBSD_Malloc code so
+ that GCC is less likely to eliminate it as impossible. Patch
+ from Mansour Moufid. Fixes bug 4059.
+ - When a hidden service turns an extra service-side introduction
+ circuit into a general-purpose circuit, free the rend_data and
+ intro_key fields first, so we won't leak memory if the circuit
+ is cannibalized for use as another service-side introduction
+ circuit. Bugfix on 0.2.1.7-alpha; fixes bug 4251.
+ - Bridges now skip DNS self-tests, to act a little more stealthily.
+ Fixes bug 4201; bugfix on 0.2.0.3-alpha, which first introduced
+ bridges. Patch by "warms0x".
+ - Fix internal bug-checking logic that was supposed to catch
+ failures in digest generation so that it will fail more robustly
+ if we ask for a nonexistent algorithm. Found by Coverity Scan.
+ Bugfix on 0.2.2.1-alpha; fixes Coverity CID 479.
+ - Report any failure in init_keys() calls launched because our
+ IP address has changed. Spotted by Coverity Scan. Bugfix on
+ 0.1.1.4-alpha; fixes CID 484.
+
+ o Minor bugfixes (log messages and documentation):
+ - Remove a confusing dollar sign from the example fingerprint in the
+ man page, and also make the example fingerprint a valid one. Fixes
+ bug 4309; bugfix on 0.2.1.3-alpha.
+ - The next version of Windows will be called Windows 8, and it has
+ a major version of 6, minor version of 2. Correctly identify that
+ version instead of calling it "Very recent version". Resolves
+ ticket 4153; reported by funkstar.
+ - Downgrade log messages about circuit timeout calibration from
+ "notice" to "info": they don't require or suggest any human
+ intervention. Patch from Tom Lowenthal. Fixes bug 4063;
+ bugfix on 0.2.2.14-alpha.
+
+ o Minor features:
+ - Turn on directory request statistics by default and include them in
+ extra-info descriptors. Don't break if we have no GeoIP database.
+ Backported from 0.2.3.1-alpha; implements ticket 3951.
+ - Update to the October 4 2011 Maxmind GeoLite Country database.
+
+
+Changes in version 0.2.1.31 - 2011-10-26
+ Tor 0.2.1.31 backports important security and privacy fixes for
+ oldstable. This release is intended only for package maintainers and
+ others who cannot use the 0.2.2 stable series. All others should be
+ using Tor 0.2.2.x or newer.
+
+ o Security fixes (also included in 0.2.2.x):
+ - Replace all potentially sensitive memory comparison operations
+ with versions whose runtime does not depend on the data being
+ compared. This will help resist a class of attacks where an
+ adversary can use variations in timing information to learn
+ sensitive data. Fix for one case of bug 3122. (Safe memcmp
+ implementation by Robert Ransom based partially on code by DJB.)
+ - Fix an assert in parsing router descriptors containing IPv6
+ addresses. This one took down the directory authorities when
+ somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
+
+ o Privacy/anonymity fixes (also included in 0.2.2.x):
+ - Clients and bridges no longer send TLS certificate chains on
+ outgoing OR connections. Previously, each client or bridge would
+ use the same cert chain for all outgoing OR connections until
+ its IP address changes, which allowed any relay that the client
+ or bridge contacted to determine which entry guards it is using.
+ Fixes CVE-2011-2768. Bugfix on 0.0.9pre5; found by "frosty_un".
+ - If a relay receives a CREATE_FAST cell on a TLS connection, it
+ no longer considers that connection as suitable for satisfying a
+ circuit EXTEND request. Now relays can protect clients from the
+ CVE-2011-2768 issue even if the clients haven't upgraded yet.
+ - Bridges now refuse CREATE or CREATE_FAST cells on OR connections
+ that they initiated. Relays could distinguish incoming bridge
+ connections from client connections, creating another avenue for
+ enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
+ Found by "frosty_un".
+ - When receiving a hidden service descriptor, check that it is for
+ the hidden service we wanted. Previously, Tor would store any
+ hidden service descriptors that a directory gave it, whether it
+ wanted them or not. This wouldn't have let an attacker impersonate
+ a hidden service, but it did let directories pre-seed a client
+ with descriptors that it didn't want. Bugfix on 0.0.6.
+ - Avoid linkability based on cached hidden service descriptors: forget
+ all hidden service descriptors cached as a client when processing a
+ SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
+ - Make the bridge directory authority refuse to answer directory
+ requests for "all" descriptors. It used to include bridge
+ descriptors in its answer, which was a major information leak.
+ Found by "piebeer". Bugfix on 0.2.0.3-alpha.
+ - Don't attach new streams to old rendezvous circuits after SIGNAL
+ NEWNYM. Previously, we would keep using an existing rendezvous
+ circuit if it remained open (i.e. if it were kept open by a
+ long-lived stream, or if a new stream were attached to it before
+ Tor could notice that it was old and no longer in use). Bugfix on
+ 0.1.1.15-rc; fixes bug 3375.
+
+ o Minor bugfixes (also included in 0.2.2.x):
+ - When we restart our relay, we might get a successful connection
+ from the outside before we've started our reachability tests,
+ triggering a warning: "ORPort found reachable, but I have no
+ routerinfo yet. Failing to inform controller of success." This
+ bug was harmless unless Tor is running under a controller
+ like Vidalia, in which case the controller would never get a
+ REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
+ fixes bug 1172.
+ - Build correctly on OSX with zlib 1.2.4 and higher with all warnings
+ enabled. Fixes bug 1526.
+ - Remove undocumented option "-F" from tor-resolve: it hasn't done
+ anything since 0.2.1.16-rc.
+ - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
+ None of the cases where we did this before were wrong, but by making
+ this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
+ - Fix a rare crash bug that could occur when a client was configured
+ with a large number of bridges. Fixes bug 2629; bugfix on
+ 0.2.1.2-alpha. Bugfix by trac user "shitlei".
+ - Correct the warning displayed when a rendezvous descriptor exceeds
+ the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
+ John Brooks.
+ - Fix an uncommon assertion failure when running with DNSPort under
+ heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
+ - When warning about missing zlib development packages during compile,
+ give the correct package names. Bugfix on 0.2.0.1-alpha.
+ - Require that introduction point keys and onion keys have public
+ exponent 65537. Bugfix on 0.2.0.10-alpha.
+ - Do not crash when our configuration file becomes unreadable, for
+ example due to a permissions change, between when we start up
+ and when a controller calls SAVECONF. Fixes bug 3135; bugfix
+ on 0.0.9pre6.
+ - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
+ Fixes bug 3208.
+ - Always NUL-terminate the sun_path field of a sockaddr_un before
+ passing it to the kernel. (Not a security issue: kernels are
+ smart enough to reject bad sockaddr_uns.) Found by Coverity;
+ CID #428. Bugfix on Tor 0.2.0.3-alpha.
+ - Don't stack-allocate the list of supplementary GIDs when we're
+ about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+ could take up to 256K, which is way too much stack. Found by
+ Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
+
+ o Minor bugfixes (only in 0.2.1.x):
+ - Resume using micro-version numbers in 0.2.1.x: our Debian packages
+ rely on them. Bugfix on 0.2.1.30.
+ - Use git revisions instead of svn revisions when generating our
+ micro-version numbers. Bugfix on 0.2.1.15-rc; fixes bug 2402.
+
+ o Minor features (also included in 0.2.2.x):
+ - Adjust the expiration time on our SSL session certificates to
+ better match SSL certs seen in the wild. Resolves ticket 4014.
+ - Allow nameservers with IPv6 address. Resolves bug 2574.
+ - Update to the October 4 2011 Maxmind GeoLite Country database.
+
+
+Changes in version 0.2.3.5-alpha - 2011-09-28
+ Tor 0.2.3.5-alpha fixes two bugs that make it possible to enumerate
+ bridge relays; fixes an assertion error that many users started hitting
+ today; and adds the ability to refill token buckets more often than
+ once per second, allowing significant performance improvements.
+
+ o Security fixes:
+ - Bridge relays now do their directory fetches inside Tor TLS
+ connections, like all the other clients do, rather than connecting
+ directly to the DirPort like public relays do. Removes another
+ avenue for enumerating bridges. Fixes bug 4115; bugfix on 0.2.0.35.
+ - Bridges relays now build circuits for themselves in a more similar
+ way to how clients build them. Removes another avenue for
+ enumerating bridges. Fixes bug 4124; bugfix on 0.2.0.3-alpha,
+ when bridges were introduced.
+
+ o Major bugfixes:
+ - Fix an "Assertion md->held_by_node == 1 failed" error that could
+ occur when the same microdescriptor was referenced by two node_t
+ objects at once. Fix for bug 4118; bugfix on Tor 0.2.3.1-alpha.
+
+ o Major features (networking):
+ - Add a new TokenBucketRefillInterval option to refill token buckets
+ more frequently than once per second. This should improve network
+ performance, alleviate queueing problems, and make traffic less
+ bursty. Implements proposal 183; closes ticket 3630. Design by
+ Florian Tschorsch and Björn Scheuermann; implementation by
+ Florian Tschorsch.
+
+ o Minor bugfixes:
+ - Change an integer overflow check in the OpenBSD_Malloc code so
+ that GCC is less likely to eliminate it as impossible. Patch
+ from Mansour Moufid. Fixes bug 4059.
+
+ o Minor bugfixes (usability):
+ - Downgrade log messages about circuit timeout calibration from
+ "notice" to "info": they don't require or suggest any human
+ intervention. Patch from Tom Lowenthal. Fixes bug 4063;
+ bugfix on 0.2.2.14-alpha.
+
+ o Minor features (diagnostics):
+ - When the system call to create a listener socket fails, log the
+ error message explaining why. This may help diagnose bug 4027.
+
+
+Changes in version 0.2.3.4-alpha - 2011-09-13
+ Tor 0.2.3.4-alpha includes the fixes from 0.2.2.33, including a slight
+ tweak to Tor's TLS handshake that makes relays and bridges that run
+ this new version reachable from Iran again. It also fixes a few new
+ bugs in 0.2.3.x, and teaches relays to recognize when they're not
+ listed in the network consensus and republish.
+
+ o Major bugfixes (also part of 0.2.2.33):
+ - Avoid an assertion failure when reloading a configuration with
+ TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug
+ 3923; bugfix on 0.2.2.25-alpha.
+
+ o Minor features (security, also part of 0.2.2.33):
+ - Check for replays of the public-key encrypted portion of an
+ INTRODUCE1 cell, in addition to the current check for replays of
+ the g^x value. This prevents a possible class of active attacks
+ by an attacker who controls both an introduction point and a
+ rendezvous point, and who uses the malleability of AES-CTR to
+ alter the encrypted g^x portion of the INTRODUCE1 cell. We think
+ that these attacks is infeasible (requiring the attacker to send
+ on the order of zettabytes of altered cells in a short interval),
+ but we'd rather block them off in case there are any classes of
+ this attack that we missed. Reported by Willem Pinckaers.
+
+ o Minor features (also part of 0.2.2.33):
+ - Adjust the expiration time on our SSL session certificates to
+ better match SSL certs seen in the wild. Resolves ticket 4014.
+ - Change the default required uptime for a relay to be accepted as
+ a HSDir (hidden service directory) from 24 hours to 25 hours.
+ Improves on 0.2.0.10-alpha; resolves ticket 2649.
+ - Add a VoteOnHidServDirectoriesV2 config option to allow directory
+ authorities to abstain from voting on assignment of the HSDir
+ consensus flag. Related to bug 2649.
+ - Update to the September 6 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes (also part of 0.2.2.33):
+ - Demote the 'replay detected' log message emitted when a hidden
+ service receives the same Diffie-Hellman public key in two different
+ INTRODUCE2 cells to info level. A normal Tor client can cause that
+ log message during its normal operation. Bugfix on 0.2.1.6-alpha;
+ fixes part of bug 2442.
+ - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
+ level. There is nothing that a hidden service's operator can do
+ to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
+ of bug 2442.
+ - Clarify a log message specifying the characters permitted in
+ HiddenServiceAuthorizeClient client names. Previously, the log
+ message said that "[A-Za-z0-9+-_]" were permitted; that could have
+ given the impression that every ASCII character between "+" and "_"
+ was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
+
+ o Build fixes (also part of 0.2.2.33):
+ - Clean up some code issues that prevented Tor from building on older
+ BSDs. Fixes bug 3894; reported by "grarpamp".
+ - Search for a platform-specific version of "ar" when cross-compiling.
+ Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
+
+ o Major bugfixes:
+ - Fix a bug where the SocksPort option (for example) would get
+ ignored and replaced by the default if a SocksListenAddress
+ option was set. Bugfix on 0.2.3.3-alpha; fixes bug 3936. Fix by
+ Fabian Keil.
+
+ o Major features:
+ - Relays now try regenerating and uploading their descriptor more
+ frequently if they are not listed in the consensus, or if the
+ version of their descriptor listed in the consensus is too
+ old. This fix should prevent situations where a server declines
+ to re-publish itself because it has done so too recently, even
+ though the authorities decided not to list its recent-enough
+ descriptor. Fix for bug 3327.
+
+ o Minor features:
+ - Relays now include a reason for regenerating their descriptors
+ in an HTTP header when uploading to the authorities. This will
+ make it easier to debug descriptor-upload issues in the future.
+ - When starting as root and then changing our UID via the User
+ control option, and we have a ControlSocket configured, make sure
+ that the ControlSocket is owned by the same account that Tor will
+ run under. Implements ticket 3421; fix by Jérémy Bobbio.
+
+ o Minor bugfixes:
+ - Abort if tor_vasprintf fails in connection_printf_to_buf (a
+ utility function used in the control-port code). This shouldn't
+ ever happen unless Tor is completely out of memory, but if it did
+ happen and Tor somehow recovered from it, Tor could have sent a log
+ message to a control port in the middle of a reply to a controller
+ command. Fixes part of bug 3428; bugfix on 0.1.2.3-alpha.
+ - Make 'FetchUselessDescriptors' cause all descriptor types and
+ all consensus types (including microdescriptors) to get fetched.
+ Fixes bug 3851; bugfix on 0.2.3.1-alpha.
+
+ o Code refactoring:
+ - Make a new "entry connection" struct as an internal subtype of "edge
+ connection", to simplify the code and make exit connections smaller.
+
+
+Changes in version 0.2.2.33 - 2011-09-13
+ Tor 0.2.2.33 fixes several bugs, and includes a slight tweak to Tor's
+ TLS handshake that makes relays and bridges that run this new version
+ reachable from Iran again.
+
+ o Major bugfixes:
+ - Avoid an assertion failure when reloading a configuration with
+ TrackExitHosts changes. Found and fixed by 'laruldan'. Fixes bug
+ 3923; bugfix on 0.2.2.25-alpha.
+
+ o Minor features (security):
+ - Check for replays of the public-key encrypted portion of an
+ INTRODUCE1 cell, in addition to the current check for replays of
+ the g^x value. This prevents a possible class of active attacks
+ by an attacker who controls both an introduction point and a
+ rendezvous point, and who uses the malleability of AES-CTR to
+ alter the encrypted g^x portion of the INTRODUCE1 cell. We think
+ that these attacks are infeasible (requiring the attacker to send
+ on the order of zettabytes of altered cells in a short interval),
+ but we'd rather block them off in case there are any classes of
+ this attack that we missed. Reported by Willem Pinckaers.
+
+ o Minor features:
+ - Adjust the expiration time on our SSL session certificates to
+ better match SSL certs seen in the wild. Resolves ticket 4014.
+ - Change the default required uptime for a relay to be accepted as
+ a HSDir (hidden service directory) from 24 hours to 25 hours.
+ Improves on 0.2.0.10-alpha; resolves ticket 2649.
+ - Add a VoteOnHidServDirectoriesV2 config option to allow directory
+ authorities to abstain from voting on assignment of the HSDir
+ consensus flag. Related to bug 2649.
+ - Update to the September 6 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes (documentation and log messages):
+ - Correct the man page to explain that HashedControlPassword and
+ CookieAuthentication can both be set, in which case either method
+ is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
+ when we decided to allow these config options to both be set. Issue
+ raised by bug 3898.
+ - Demote the 'replay detected' log message emitted when a hidden
+ service receives the same Diffie-Hellman public key in two different
+ INTRODUCE2 cells to info level. A normal Tor client can cause that
+ log message during its normal operation. Bugfix on 0.2.1.6-alpha;
+ fixes part of bug 2442.
+ - Demote the 'INTRODUCE2 cell is too {old,new}' log message to info
+ level. There is nothing that a hidden service's operator can do
+ to fix its clients' clocks. Bugfix on 0.2.1.6-alpha; fixes part
+ of bug 2442.
+ - Clarify a log message specifying the characters permitted in
+ HiddenServiceAuthorizeClient client names. Previously, the log
+ message said that "[A-Za-z0-9+-_]" were permitted; that could have
+ given the impression that every ASCII character between "+" and "_"
+ was permitted. Now we say "[A-Za-z0-9+_-]". Bugfix on 0.2.1.5-alpha.
+
+ o Build fixes:
+ - Provide a substitute implementation of lround() for MSVC, which
+ apparently lacks it. Patch from Gisle Vanem.
+ - Clean up some code issues that prevented Tor from building on older
+ BSDs. Fixes bug 3894; reported by "grarpamp".
+ - Search for a platform-specific version of "ar" when cross-compiling.
+ Should fix builds on iOS. Resolves bug 3909, found by Marco Bonetti.
+
+
+Changes in version 0.2.3.3-alpha - 2011-09-01
+ Tor 0.2.3.3-alpha adds a new "stream isolation" feature to improve Tor's
+ security, and provides client-side support for the microdescriptor
+ and optimistic data features introduced earlier in the 0.2.3.x
+ series. It also includes numerous critical bugfixes in the (optional)
+ bufferevent-based networking backend.
+
+ o Major features (stream isolation):
+ - You can now configure Tor so that streams from different
+ applications are isolated on different circuits, to prevent an
+ attacker who sees your streams as they leave an exit node from
+ linking your sessions to one another. To do this, choose some way
+ to distinguish the applications: have them connect to different
+ SocksPorts, or have one of them use SOCKS4 while the other uses
+ SOCKS5, or have them pass different authentication strings to the
+ SOCKS proxy. Then, use the new SocksPort syntax to configure the
+ degree of isolation you need. This implements Proposal 171.
+ - There's a new syntax for specifying multiple client ports (such as
+ SOCKSPort, TransPort, DNSPort, NATDPort): you can now just declare
+ multiple *Port entries with full addr:port syntax on each.
+ The old *ListenAddress format is still supported, but you can't
+ mix it with the new *Port syntax.
+
+ o Major features (other):
+ - Enable microdescriptor fetching by default for clients. This allows
+ clients to download a much smaller amount of directory information.
+ To disable it (and go back to the old-style consensus and
+ descriptors), set "UseMicrodescriptors 0" in your torrc file.
+ - Tor's firewall-helper feature, introduced in 0.2.3.1-alpha (see the
+ "PortForwarding" config option), now supports Windows.
+ - When using an exit relay running 0.2.3.x, clients can now
+ "optimistically" send data before the exit relay reports that
+ the stream has opened. This saves a round trip when starting
+ connections where the client speaks first (such as web browsing).
+ This behavior is controlled by a consensus parameter (currently
+ disabled). To turn it on or off manually, use the "OptimisticData"
+ torrc option. Implements proposal 181; code by Ian Goldberg.
+
+ o Major bugfixes (bufferevents, fixes on 0.2.3.1-alpha):
+ - When using IOCP on Windows, we need to enable Libevent windows
+ threading support.
+ - The IOCP backend now works even when the user has not specified
+ the (internal, debugging-only) _UseFilteringSSLBufferevents option.
+ Fixes part of bug 3752.
+ - Correctly record the bytes we've read and written when using
+ bufferevents, so that we can include them in our bandwidth history
+ and advertised bandwidth. Fixes bug 3803.
+ - Apply rate-limiting only at the bottom of a chain of filtering
+ bufferevents. This prevents us from filling up internal read
+ buffers and violating rate-limits when filtering bufferevents
+ are enabled. Fixes part of bug 3804.
+ - Add high-watermarks to the output buffers for filtered
+ bufferevents. This prevents us from filling up internal write
+ buffers and wasting CPU cycles when filtering bufferevents are
+ enabled. Fixes part of bug 3804.
+ - Correctly notice when data has been written from a bufferevent
+ without flushing it completely. Fixes bug 3805.
+ - Fix a bug where server-side tunneled bufferevent-based directory
+ streams would get closed prematurely. Fixes bug 3814.
+ - Fix a use-after-free error with per-connection rate-limiting
+ buckets. Fixes bug 3888.
+
+ o Major bugfixes (also part of 0.2.2.31-rc):
+ - If we're configured to write our ControlPorts to disk, only write
+ them after switching UID and creating the data directory. This way,
+ we don't fail when starting up with a nonexistent DataDirectory
+ and a ControlPortWriteToFile setting based on that directory. Fixes
+ bug 3747; bugfix on Tor 0.2.2.26-beta.
+
+ o Minor features:
+ - Added a new CONF_CHANGED event so that controllers can be notified
+ of any configuration changes made by other controllers, or by the
+ user. Implements ticket 1692.
+ - Use evbuffer_copyout() in inspect_evbuffer(). This fixes a memory
+ leak when using bufferevents, and lets Libevent worry about how to
+ best copy data out of a buffer.
+ - Replace files in stats/ rather than appending to them. Now that we
+ include statistics in extra-info descriptors, it makes no sense to
+ keep old statistics forever. Implements ticket 2930.
+
+ o Minor features (build compatibility):
+ - Limited, experimental support for building with nmake and MSVC.
+ - Provide a substitute implementation of lround() for MSVC, which
+ apparently lacks it. Patch from Gisle Vanem.
+
+ o Minor features (also part of 0.2.2.31-rc):
+ - Update to the August 2 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes (on 0.2.3.x-alpha):
+ - Fix a spurious warning when parsing SOCKS requests with
+ bufferevents enabled. Fixes bug 3615; bugfix on 0.2.3.2-alpha.
+ - Get rid of a harmless warning that could happen on relays running
+ with bufferevents. The warning was caused by someone doing an http
+ request to a relay's orport. Also don't warn for a few related
+ non-errors. Fixes bug 3700; bugfix on 0.2.3.1-alpha.
+
+ o Minor bugfixes (on 2.2.x and earlier):
+ - Correct the man page to explain that HashedControlPassword and
+ CookieAuthentication can both be set, in which case either method
+ is sufficient to authenticate to Tor. Bugfix on 0.2.0.7-alpha,
+ when we decided to allow these config options to both be set. Issue
+ raised by bug 3898.
+ - The "--quiet" and "--hush" options now apply not only to Tor's
+ behavior before logs are configured, but also to Tor's behavior in
+ the absense of configured logs. Fixes bug 3550; bugfix on
+ 0.2.0.10-alpha.
+
+ o Minor bugfixes (also part of 0.2.2.31-rc):
+ - Write several files in text mode, on OSes that distinguish text
+ mode from binary mode (namely, Windows). These files are:
+ 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
+ that collect those statistics; 'client_keys' and 'hostname' for
+ hidden services that use authentication; and (in the tor-gencert
+ utility) newly generated identity and signing keys. Previously,
+ we wouldn't specify text mode or binary mode, leading to an
+ assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
+ the DirRecordUsageByCountry option which would have triggered
+ the assertion failure was added), although this assertion failure
+ would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
+ - Selectively disable deprecation warnings on OS X because Lion
+ started deprecating the shipped copy of openssl. Fixes bug 3643.
+ - Remove an extra pair of quotation marks around the error
+ message in control-port STATUS_GENERAL BUG events. Bugfix on
+ 0.1.2.6-alpha; fixes bug 3732.
+ - When unable to format an address as a string, report its value
+ as "???" rather than reusing the last formatted address. Bugfix
+ on 0.2.1.5-alpha.
+
+ o Code simplifications and refactoring:
+ - Rewrite the listener-selection logic so that parsing which ports
+ we want to listen on is now separate from binding to the ports
+ we want.
+
+ o Build changes:
+ - Building Tor with bufferevent support now requires Libevent
+ 2.0.13-stable or later. Previous versions of Libevent had bugs in
+ SSL-related bufferevents and related issues that would make Tor
+ work badly with bufferevents. Requiring 2.0.13-stable also allows
+ Tor with bufferevents to take advantage of Libevent APIs
+ introduced after 2.0.8-rc.
+
+
+Changes in version 0.2.2.32 - 2011-08-27
+ The Tor 0.2.2 release series is dedicated to the memory of Andreas
+ Pfitzmann (1958-2010), a pioneer in anonymity and privacy research,
+ a founder of the PETS community, a leader in our field, a mentor,
+ and a friend. He left us with these words: "I had the possibility
+ to contribute to this world that is not as it should be. I hope I
+ could help in some areas to make the world a better place, and that
+ I could also encourage other people to be engaged in improving the
+ world. Please, stay engaged. This world needs you, your love, your
+ initiative -- now I cannot be part of that anymore."
+
+ Tor 0.2.2.32, the first stable release in the 0.2.2 branch, is finally
+ ready. More than two years in the making, this release features improved
+ client performance and hidden service reliability, better compatibility
+ for Android, correct behavior for bridges that listen on more than
+ one address, more extensible and flexible directory object handling,
+ better reporting of network statistics, improved code security, and
+ many many other features and bugfixes.
+
+
+Changes in version 0.2.2.31-rc - 2011-08-17
+ Tor 0.2.2.31-rc is the second and hopefully final release candidate
+ for the Tor 0.2.2.x series.
+
+ o Major bugfixes:
+ - Remove an extra pair of quotation marks around the error
+ message in control-port STATUS_GENERAL BUG events. Bugfix on
+ 0.1.2.6-alpha; fixes bug 3732.
+ - If we're configured to write our ControlPorts to disk, only write
+ them after switching UID and creating the data directory. This way,
+ we don't fail when starting up with a nonexistent DataDirectory
+ and a ControlPortWriteToFile setting based on that directory. Fixes
+ bug 3747; bugfix on Tor 0.2.2.26-beta.
+
+ o Minor features:
+ - Update to the August 2 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes:
+ - Allow GETINFO fingerprint to return a fingerprint even when
+ we have not yet built a router descriptor. Fixes bug 3577;
+ bugfix on 0.2.0.1-alpha.
+ - Write several files in text mode, on OSes that distinguish text
+ mode from binary mode (namely, Windows). These files are:
+ 'buffer-stats', 'dirreq-stats', and 'entry-stats' on relays
+ that collect those statistics; 'client_keys' and 'hostname' for
+ hidden services that use authentication; and (in the tor-gencert
+ utility) newly generated identity and signing keys. Previously,
+ we wouldn't specify text mode or binary mode, leading to an
+ assertion failure. Fixes bug 3607. Bugfix on 0.2.1.1-alpha (when
+ the DirRecordUsageByCountry option which would have triggered
+ the assertion failure was added), although this assertion failure
+ would have occurred in tor-gencert on Windows in 0.2.0.1-alpha.
+ - Selectively disable deprecation warnings on OS X because Lion
+ started deprecating the shipped copy of openssl. Fixes bug 3643.
+ - When unable to format an address as a string, report its value
+ as "???" rather than reusing the last formatted address. Bugfix
+ on 0.2.1.5-alpha.
+
+
+Changes in version 0.2.3.2-alpha - 2011-07-18
+ Tor 0.2.3.2-alpha introduces two new experimental features:
+ microdescriptors and pluggable transports. It also continues cleaning
+ up a variety of recently introduced features.
+
+ o Major features:
+ - Clients can now use microdescriptors instead of regular descriptors
+ to build circuits. Microdescriptors are authority-generated
+ summaries of regular descriptors' contents, designed to change
+ very rarely (see proposal 158 for details). This feature is
+ designed to save bandwidth, especially for clients on slow internet
+ connections. It's off by default for now, since nearly no caches
+ support it, but it will be on-by-default for clients in a future
+ version. You can use the UseMicrodescriptors option to turn it on.
+ - Tor clients using bridges can now be configured to use a separate
+ 'transport' proxy for each bridge. This approach helps to resist
+ censorship by allowing bridges to use protocol obfuscation
+ plugins. It implements part of proposal 180. Implements ticket 2841.
+ - While we're trying to bootstrap, record how many TLS connections
+ fail in each state, and report which states saw the most failures
+ in response to any bootstrap failures. This feature may speed up
+ diagnosis of censorship events. Implements ticket 3116.
+
+ o Major bugfixes (on 0.2.3.1-alpha):
+ - When configuring a large set of nodes in EntryNodes (as with
+ 'EntryNodes {cc}' or 'EntryNodes 1.1.1.1/16'), choose only a
+ random subset to be guards, and choose them in random
+ order. Fixes bug 2798.
+ - Tor could crash when remembering a consensus in a non-used consensus
+ flavor without having a current consensus set. Fixes bug 3361.
+ - Comparing an unknown address to a microdescriptor's shortened exit
+ policy would always give a "rejected" result. Fixes bug 3599.
+ - Using microdescriptors as a client no longer prevents Tor from
+ uploading and downloading hidden service descriptors. Fixes
+ bug 3601.
+
+ o Minor features:
+ - Allow nameservers with IPv6 address. Resolves bug 2574.
+ - Accept attempts to include a password authenticator in the
+ handshake, as supported by SOCKS5. This handles SOCKS clients that
+ don't know how to omit a password when authenticating. Resolves
+ bug 1666.
+ - When configuring a large set of nodes in EntryNodes, and there are
+ enough of them listed as Guard so that we don't need to consider
+ the non-guard entries, prefer the ones listed with the Guard flag.
+ - Check for and recover from inconsistency in the microdescriptor
+ cache. This will make it harder for us to accidentally free a
+ microdescriptor without removing it from the appropriate data
+ structures. Fixes issue 3135; issue noted by "wanoskarnet".
+ - Log SSL state transitions at log level DEBUG, log domain
+ HANDSHAKE. This can be useful for debugging censorship events.
+ Implements ticket 3264.
+ - Add port 6523 (Gobby) to LongLivedPorts. Patch by intrigeri;
+ implements ticket 3439.
+
+ o Minor bugfixes (on 0.2.3.1-alpha):
+ - Do not free all general-purpose regular descriptors just
+ because microdescriptor use is enabled. Fixes bug 3113.
+ - Correctly link libevent_openssl when --enable-static-libevent
+ is passed to configure. Fixes bug 3118.
+ - Bridges should not complain during their heartbeat log messages that
+ they are unlisted in the consensus: that's more or less the point
+ of being a bridge. Fixes bug 3183.
+ - Report a SIGNAL event to controllers when acting on a delayed
+ SIGNAL NEWNYM command. Previously, we would report a SIGNAL
+ event to the controller if we acted on a SIGNAL NEWNYM command
+ immediately, and otherwise not report a SIGNAL event for the
+ command at all. Fixes bug 3349.
+ - Fix a crash when handling the SIGNAL controller command or
+ reporting ERR-level status events with bufferevents enabled. Found
+ by Robert Ransom. Fixes bug 3367.
+ - Always ship the tor-fw-helper manpage in our release tarballs.
+ Fixes bug 3389. Reported by Stephen Walker.
+ - Fix a class of double-mark-for-close bugs when bufferevents
+ are enabled. Fixes bug 3403.
+ - Update tor-fw-helper to support libnatpmp-20110618. Fixes bug 3434.
+ - Add SIGNAL to the list returned by the 'GETINFO events/names'
+ control-port command. Fixes part of bug 3465.
+ - Prevent using negative indices during unit test runs when read_all()
+ fails. Spotted by coverity.
+ - Fix a rare memory leak when checking the nodelist without it being
+ present. Found by coverity.
+ - Only try to download a microdescriptor-flavored consensus from
+ a directory cache that provides them.
+
+ o Minor bugfixes (on 0.2.2.x and earlier):
+ - Assert that hidden-service-related operations are not performed
+ using single-hop circuits. Previously, Tor would assert that
+ client-side streams are not attached to single-hop circuits,
+ but not that other sensitive operations on the client and service
+ side are not performed using single-hop circuits. Fixes bug 3332;
+ bugfix on 0.0.6.
+ - Don't publish a new relay descriptor when we reload our onion key,
+ unless the onion key has actually changed. Fixes bug 3263 and
+ resolves another cause of bug 1810. Bugfix on 0.1.1.11-alpha.
+ - Allow GETINFO fingerprint to return a fingerprint even when
+ we have not yet built a router descriptor. Fixes bug 3577;
+ bugfix on 0.2.0.1-alpha.
+ - Make 'tor --digests' list hashes of all Tor source files. Bugfix
+ on 0.2.2.4-alpha; fixes bug 3427.
+
+ o Code simplification and refactoring:
+ - Use tor_sscanf() in place of scanf() in more places through the
+ code. This makes us a little more locale-independent, and
+ should help shut up code-analysis tools that can't tell
+ a safe sscanf string from a dangerous one.
+ - Use tt_assert(), not tor_assert(), for checking for test failures.
+ This makes the unit tests more able to go on in the event that
+ one of them fails.
+ - Split connection_about_to_close() into separate functions for each
+ connection type.
+
+ o Build changes:
+ - On Windows, we now define the _WIN32_WINNT macros only if they
+ are not already defined. This lets the person building Tor decide,
+ if they want, to require a later version of Windows.
+
+
+Changes in version 0.2.2.30-rc - 2011-07-07
+ Tor 0.2.2.30-rc is the first release candidate for the Tor 0.2.2.x
+ series. It fixes a few smaller bugs, but generally appears stable.
+ Please test it and let us know whether it is!
+
+ o Minor bugfixes:
+ - Send a SUCCEEDED stream event to the controller when a reverse
+ resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue
+ discovered by katmagic.
+ - Always NUL-terminate the sun_path field of a sockaddr_un before
+ passing it to the kernel. (Not a security issue: kernels are
+ smart enough to reject bad sockaddr_uns.) Found by Coverity;
+ CID #428. Bugfix on Tor 0.2.0.3-alpha.
+ - Don't stack-allocate the list of supplementary GIDs when we're
+ about to log them. Stack-allocating NGROUPS_MAX gid_t elements
+ could take up to 256K, which is way too much stack. Found by
+ Coverity; CID #450. Bugfix on 0.2.1.7-alpha.
+ - Add BUILDTIMEOUT_SET to the list returned by the 'GETINFO
+ events/names' control-port command. Bugfix on 0.2.2.9-alpha;
+ fixes part of bug 3465.
+ - Fix a memory leak when receiving a descriptor for a hidden
+ service we didn't ask for. Found by Coverity; CID #30. Bugfix
+ on 0.2.2.26-beta.
+
+ o Minor features:
+ - Update to the July 1 2011 Maxmind GeoLite Country database.
+
+
+Changes in version 0.2.2.29-beta - 2011-06-20
+ Tor 0.2.2.29-beta reverts an accidental behavior change for users who
+ have bridge lines in their torrc but don't want to use them; gets
+ us closer to having the control socket feature working on Debian;
+ and fixes a variety of smaller bugs.
+
+ o Major bugfixes:
+ - Revert the UseBridges option to its behavior before 0.2.2.28-beta.
+ When we changed the default behavior to "use bridges if any
+ are listed in the torrc", we surprised users who had bridges
+ in their torrc files but who didn't actually want to use them.
+ Partial resolution for bug 3354.
+
+ o Privacy fixes:
+ - Don't attach new streams to old rendezvous circuits after SIGNAL
+ NEWNYM. Previously, we would keep using an existing rendezvous
+ circuit if it remained open (i.e. if it were kept open by a
+ long-lived stream, or if a new stream were attached to it before
+ Tor could notice that it was old and no longer in use). Bugfix on
+ 0.1.1.15-rc; fixes bug 3375.
+
+ o Minor bugfixes:
+ - Fix a bug when using ControlSocketsGroupWritable with User. The
+ directory's group would be checked against the current group, not
+ the configured group. Patch by Jérémy Bobbio. Fixes bug 3393;
+ bugfix on 0.2.2.26-beta.
+ - Make connection_printf_to_buf()'s behaviour sane. Its callers
+ expect it to emit a CRLF iff the format string ends with CRLF;
+ it actually emitted a CRLF iff (a) the format string ended with
+ CRLF or (b) the resulting string was over 1023 characters long or
+ (c) the format string did not end with CRLF *and* the resulting
+ string was 1021 characters long or longer. Bugfix on 0.1.1.9-alpha;
+ fixes part of bug 3407.
+ - Make send_control_event_impl()'s behaviour sane. Its callers
+ expect it to always emit a CRLF at the end of the string; it
+ might have emitted extra control characters as well. Bugfix on
+ 0.1.1.9-alpha; fixes another part of bug 3407.
+ - Make crypto_rand_int() check the value of its input correctly.
+ Previously, it accepted values up to UINT_MAX, but could return a
+ negative number if given a value above INT_MAX+1. Found by George
+ Kadianakis. Fixes bug 3306; bugfix on 0.2.2pre14.
+ - Avoid a segfault when reading a malformed circuit build state
+ with more than INT_MAX entries. Found by wanoskarnet. Bugfix on
+ 0.2.2.4-alpha.
+ - When asked about a DNS record type we don't support via a
+ client DNSPort, reply with NOTIMPL rather than an empty
+ reply. Patch by intrigeri. Fixes bug 3369; bugfix on 2.0.1-alpha.
+ - Fix a rare memory leak during stats writing. Found by coverity.
+
+ o Minor features:
+ - Update to the June 1 2011 Maxmind GeoLite Country database.
+
+ o Code simplifications and refactoring:
+ - Remove some dead code as indicated by coverity.
+ - Remove a few dead assignments during router parsing. Found by
+ coverity.
+ - Add some forgotten return value checks during unit tests. Found
+ by coverity.
+ - Don't use 1-bit wide signed bit fields. Found by coverity.
+
+
+Changes in version 0.2.2.28-beta - 2011-06-04
+ Tor 0.2.2.28-beta makes great progress towards a new stable release: we
+ fixed a big bug in whether relays stay in the consensus consistently,
+ we moved closer to handling bridges and hidden services correctly,
+ and we started the process of better handling the dreaded "my Vidalia
+ died, and now my Tor demands a password when I try to reconnect to it"
+ usability issue.
+
+ o Major bugfixes:
+ - Don't decide to make a new descriptor when receiving a HUP signal.
+ This bug has caused a lot of 0.2.2.x relays to disappear from the
+ consensus periodically. Fixes the most common case of triggering
+ bug 1810; bugfix on 0.2.2.7-alpha.
+ - Actually allow nameservers with IPv6 addresses. Fixes bug 2574.
+ - Don't try to build descriptors if "ORPort auto" is set and we
+ don't know our actual ORPort yet. Fix for bug 3216; bugfix on
+ 0.2.2.26-beta.
+ - Resolve a crash that occurred when setting BridgeRelay to 1 with
+ accounting enabled. Fixes bug 3228; bugfix on 0.2.2.18-alpha.
+ - Apply circuit timeouts to opened hidden-service-related circuits
+ based on the correct start time. Previously, we would apply the
+ circuit build timeout based on time since the circuit's creation;
+ it was supposed to be applied based on time since the circuit
+ entered its current state. Bugfix on 0.0.6; fixes part of bug 1297.
+ - Use the same circuit timeout for client-side introduction
+ circuits as for other four-hop circuits, rather than the timeout
+ for single-hop directory-fetch circuits; the shorter timeout may
+ have been appropriate with the static circuit build timeout in
+ 0.2.1.x and earlier, but caused many hidden service access attempts
+ to fail with the adaptive CBT introduced in 0.2.2.2-alpha. Bugfix
+ on 0.2.2.2-alpha; fixes another part of bug 1297.
+ - In ticket 2511 we fixed a case where you could use an unconfigured
+ bridge if you had configured it as a bridge the last time you ran
+ Tor. Now fix another edge case: if you had configured it as a bridge
+ but then switched to a different bridge via the controller, you
+ would still be willing to use the old one. Bugfix on 0.2.0.1-alpha;
+ fixes bug 3321.
+
+ o Major features:
+ - Add an __OwningControllerProcess configuration option and a
+ TAKEOWNERSHIP control-port command. Now a Tor controller can ensure
+ that when it exits, Tor will shut down. Implements feature 3049.
+ - If "UseBridges 1" is set and no bridges are configured, Tor will
+ now refuse to build any circuits until some bridges are set.
+ If "UseBridges auto" is set, Tor will use bridges if they are
+ configured and we are not running as a server, but otherwise will
+ make circuits as usual. The new default is "auto". Patch by anonym,
+ so the Tails LiveCD can stop automatically revealing you as a Tor
+ user on startup.
+
+ o Minor bugfixes:
+ - Fix warnings from GCC 4.6's "-Wunused-but-set-variable" option.
+ - Remove a trailing asterisk from "exit-policy/default" in the
+ output of the control port command "GETINFO info/names". Bugfix
+ on 0.1.2.5-alpha.
+ - Use a wide type to hold sockets when built for 64-bit Windows builds.
+ Fixes bug 3270.
+ - Warn when the user configures two HiddenServiceDir lines that point
+ to the same directory. Bugfix on 0.0.6 (the version introducing
+ HiddenServiceDir); fixes bug 3289.
+ - Remove dead code from rend_cache_lookup_v2_desc_as_dir. Fixes
+ part of bug 2748; bugfix on 0.2.0.10-alpha.
+ - Log malformed requests for rendezvous descriptors as protocol
+ warnings, not warnings. Also, use a more informative log message
+ in case someone sees it at log level warning without prior
+ info-level messages. Fixes the other part of bug 2748; bugfix
+ on 0.2.0.10-alpha.
+ - Clear the table recording the time of the last request for each
+ hidden service descriptor from each HS directory on SIGNAL NEWNYM.
+ Previously, we would clear our HS descriptor cache on SIGNAL
+ NEWNYM, but if we had previously retrieved a descriptor (or tried
+ to) from every directory responsible for it, we would refuse to
+ fetch it again for up to 15 minutes. Bugfix on 0.2.2.25-alpha;
+ fixes bug 3309.
+ - Fix a log message that said "bits" while displaying a value in
+ bytes. Found by wanoskarnet. Fixes bug 3318; bugfix on
+ 0.2.0.1-alpha.
+ - When checking for 1024-bit keys, check for 1024 bits, not 128
+ bytes. This allows Tor to correctly discard keys of length 1017
+ through 1023. Bugfix on 0.0.9pre5.
+
+ o Minor features:
+ - Relays now log the reason for publishing a new relay descriptor,
+ so we have a better chance of hunting down instances of bug 1810.
+ Resolves ticket 3252.
+ - Revise most log messages that refer to nodes by nickname to
+ instead use the "$key=nickname at address" format. This should be
+ more useful, especially since nicknames are less and less likely
+ to be unique. Resolves ticket 3045.
+ - Log (at info level) when purging pieces of hidden-service-client
+ state because of SIGNAL NEWNYM.
+
+ o Removed options:
+ - Remove undocumented option "-F" from tor-resolve: it hasn't done
+ anything since 0.2.1.16-rc.
+
+
+Changes in version 0.2.2.27-beta - 2011-05-18
+ Tor 0.2.2.27-beta fixes a bridge-related stability bug in the previous
+ release, and also adds a few more general bugfixes.
+
+ o Major bugfixes:
+ - Fix a crash bug when changing bridges in a running Tor process.
+ Fixes bug 3213; bugfix on 0.2.2.26-beta.
+ - When the controller configures a new bridge, don't wait 10 to 60
+ seconds before trying to fetch its descriptor. Bugfix on
+ 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355).
+
+ o Minor bugfixes:
+ - Require that onion keys have exponent 65537 in microdescriptors too.
+ Fixes more of bug 3207; bugfix on 0.2.2.26-beta.
+ - Tor used to limit HttpProxyAuthenticator values to 48 characters.
+ Changed the limit to 512 characters by removing base64 newlines.
+ Fixes bug 2752. Fix by Michael Yakubovich.
+ - When a client starts or stops using bridges, never use a circuit
+ that was built before the configuration change. This behavior could
+ put at risk a user who uses bridges to ensure that her traffic
+ only goes to the chosen addresses. Bugfix on 0.2.0.3-alpha; fixes
+ bug 3200.
+
+
+Changes in version 0.2.2.26-beta - 2011-05-17
+ Tor 0.2.2.26-beta fixes a variety of potential privacy problems. It
+ also introduces a new "socksport auto" approach that should make it
+ easier to run multiple Tors on the same system, and does a lot of
+ cleanup to get us closer to a release candidate.
+
+ o Security/privacy fixes:
+ - Replace all potentially sensitive memory comparison operations
+ with versions whose runtime does not depend on the data being
+ compared. This will help resist a class of attacks where an
+ adversary can use variations in timing information to learn
+ sensitive data. Fix for one case of bug 3122. (Safe memcmp
+ implementation by Robert Ransom based partially on code by DJB.)
+ - When receiving a hidden service descriptor, check that it is for
+ the hidden service we wanted. Previously, Tor would store any
+ hidden service descriptors that a directory gave it, whether it
+ wanted them or not. This wouldn't have let an attacker impersonate
+ a hidden service, but it did let directories pre-seed a client
+ with descriptors that it didn't want. Bugfix on 0.0.6.
+ - On SIGHUP, do not clear out all TrackHostExits mappings, client
+ DNS cache entries, and virtual address mappings: that's what
+ NEWNYM is for. Fixes bug 1345; bugfix on 0.1.0.1-rc.
+
+ o Major features:
+ - The options SocksPort, ControlPort, and so on now all accept a
+ value "auto" that opens a socket on an OS-selected port. A
+ new ControlPortWriteToFile option tells Tor to write its
+ actual control port or ports to a chosen file. If the option
+ ControlPortFileGroupReadable is set, the file is created as
+ group-readable. Now users can run two Tor clients on the same
+ system without needing to manually mess with parameters. Resolves
+ part of ticket 3076.
+ - Set SO_REUSEADDR on all sockets, not just listeners. This should
+ help busy exit nodes avoid running out of useable ports just
+ because all the ports have been used in the near past. Resolves
+ issue 2850.
+
+ o Minor features:
+ - New "GETINFO net/listeners/(type)" controller command to return
+ a list of addresses and ports that are bound for listeners for a
+ given connection type. This is useful when the user has configured
+ "SocksPort auto" and the controller needs to know which port got
+ chosen. Resolves another part of ticket 3076.
+ - Add a new ControlSocketsGroupWritable configuration option: when
+ it is turned on, ControlSockets are group-writeable by the default
+ group of the current user. Patch by Jérémy Bobbio; implements
+ ticket 2972.
+ - Tor now refuses to create a ControlSocket in a directory that is
+ world-readable (or group-readable if ControlSocketsGroupWritable
+ is 0). This is necessary because some operating systems do not
+ enforce permissions on an AF_UNIX sockets. Permissions on the
+ directory holding the socket, however, seems to work everywhere.
+ - Rate-limit a warning about failures to download v2 networkstatus
+ documents. Resolves part of bug 1352.
+ - Backport code from 0.2.3.x that allows directory authorities to
+ clean their microdescriptor caches. Needed to resolve bug 2230.
+ - When an HTTPS proxy reports "403 Forbidden", we now explain
+ what it means rather than calling it an unexpected status code.
+ Closes bug 2503. Patch from Michael Yakubovich.
+ - Update to the May 1 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes:
+ - Authorities now clean their microdesc cache periodically and when
+ reading from disk initially, not only when adding new descriptors.
+ This prevents a bug where we could lose microdescriptors. Bugfix
+ on 0.2.2.6-alpha. Fixes bug 2230.
+ - Do not crash when our configuration file becomes unreadable, for
+ example due to a permissions change, between when we start up
+ and when a controller calls SAVECONF. Fixes bug 3135; bugfix
+ on 0.0.9pre6.
+ - Avoid a bug that would keep us from replacing a microdescriptor
+ cache on Windows. (We would try to replace the file while still
+ holding it open. That's fine on Unix, but Windows doesn't let us
+ do that.) Bugfix on 0.2.2.6-alpha; bug found by wanoskarnet.
+ - Add missing explanations for the authority-related torrc options
+ RephistTrackTime, BridgePassword, and V3AuthUseLegacyKey in the
+ man page. Resolves issue 2379.
+ - As an authority, do not upload our own vote or signature set to
+ ourself. It would tell us nothing new, and as of 0.2.2.24-alpha,
+ it would get flagged as a duplicate. Resolves bug 3026.
+ - Accept hidden service descriptors if we think we might be a hidden
+ service directory, regardless of what our consensus says. This
+ helps robustness, since clients and hidden services can sometimes
+ have a more up-to-date view of the network consensus than we do,
+ and if they think that the directory authorities list us a HSDir,
+ we might actually be one. Related to bug 2732; bugfix on
+ 0.2.0.10-alpha.
+ - When a controller changes TrackHostExits, remove mappings for
+ hosts that should no longer have their exits tracked. Bugfix on
+ 0.1.0.1-rc.
+ - When a controller changes VirtualAddrNetwork, remove any mappings
+ for hosts that were automapped to the old network. Bugfix on
+ 0.1.1.19-rc.
+ - When a controller changes one of the AutomapHosts* options, remove
+ any mappings for hosts that should no longer be automapped. Bugfix
+ on 0.2.0.1-alpha.
+ - Do not reset the bridge descriptor download status every time we
+ re-parse our configuration or get a configuration change. Fixes
+ bug 3019; bugfix on 0.2.0.3-alpha.
+
+ o Minor bugfixes (code cleanup):
+ - When loading the microdesc journal, remember its current size.
+ In 0.2.2, this helps prevent the microdesc journal from growing
+ without limit on authorities (who are the only ones to use it in
+ 0.2.2). Fixes a part of bug 2230; bugfix on 0.2.2.6-alpha.
+ Fix posted by "cypherpunks."
+ - The microdesc journal is supposed to get rebuilt only if it is
+ at least _half_ the length of the store, not _twice_ the length
+ of the store. Bugfix on 0.2.2.6-alpha; fixes part of bug 2230.
+ - Fix a potential null-pointer dereference while computing a
+ consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of
+ clang's analyzer.
+ - Avoid a possible null-pointer dereference when rebuilding the mdesc
+ cache without actually having any descriptors to cache. Bugfix on
+ 0.2.2.6-alpha. Issue discovered using clang's static analyzer.
+ - If we fail to compute the identity digest of a v3 legacy keypair,
+ warn, and don't use a buffer-full of junk instead. Bugfix on
+ 0.2.1.1-alpha; fixes bug 3106.
+ - Resolve an untriggerable issue in smartlist_string_num_isin(),
+ where if the function had ever in the future been used to check
+ for the presence of a too-large number, it would have given an
+ incorrect result. (Fortunately, we only used it for 16-bit
+ values.) Fixes bug 3175; bugfix on 0.1.0.1-rc.
+ - Require that introduction point keys and onion handshake keys
+ have a public exponent of 65537. Starts to fix bug 3207; bugfix
+ on 0.2.0.10-alpha.
+
+ o Removed features:
+ - Caches no longer download and serve v2 networkstatus documents
+ unless FetchV2Networkstatus flag is set: these documents haven't
+ haven't been used by clients or relays since 0.2.0.x. Resolves
+ bug 3022.
+
+
+Changes in version 0.2.3.1-alpha - 2011-05-05
+ Tor 0.2.3.1-alpha adds some new experimental features, including support
+ for an improved network IO backend, IOCP networking on Windows,
+ microdescriptor caching, "fast-start" support for streams, and automatic
+ home router configuration. There are also numerous internal improvements
+ to try to make the code easier for developers to work with.
+
+ This is the first alpha release in a new series, so expect there to be
+ bugs. Users who would rather test out a more stable branch should
+ stay with 0.2.2.x for now.
+
+ o Major features:
+ - Tor can now optionally build with the "bufferevents" buffered IO
+ backend provided by Libevent 2. To use this feature, make sure you
+ have the latest possible version of Libevent, and pass the
+ --enable-bufferevents flag to configure when building Tor from
+ source. This feature will make our networking code more flexible,
+ let us stack layers on each other, and let us use more efficient
+ zero-copy transports where available.
+ - As an experimental feature, Tor can use IOCP for networking on Windows.
+ Once this code is tuned and optimized, it promises much better
+ performance than the select-based backend we've used in the past. To
+ try this feature, you must build Tor with Libevent 2, configure Tor
+ with the "bufferevents" buffered IO backend, and add "DisableIOCP 0" to
+ your torrc. There are known bugs here: only try this if you can help
+ debug it as it breaks.
+ - The EntryNodes option can now include country codes like {de} or IP
+ addresses or network masks. Previously we had disallowed these options
+ because we didn't have an efficient way to keep the list up to
+ date. Fixes bug 1982, but see bug 2798 for an unresolved issue here.
+ - Exit nodes now accept and queue data on not-yet-connected streams.
+ Previously, the client wasn't allowed to send data until the stream was
+ connected, which slowed down all connections. This change will enable
+ clients to perform a "fast-start" on streams and send data without
+ having to wait for a confirmation that the stream has opened. (Patch
+ from Ian Goldberg; implements the server side of Proposal 174.)
+ - Tor now has initial support for automatic port mapping on the many
+ home routers that support NAT-PMP or UPnP. (Not yet supported on
+ Windows). To build the support code, you'll need to have libnatpnp
+ library and/or the libminiupnpc library, and you'll need to enable the
+ feature specifically by passing "--enable-upnp" and/or
+ "--enable-natpnp" to configure. To turn it on, use the new
+ PortForwarding option.
+ - Caches now download, cache, and serve multiple "flavors" of the
+ consensus, including a flavor that describes microdescriptors.
+ - Caches now download, cache, and serve microdescriptors -- small
+ summaries of router descriptors that are authenticated by all of the
+ directory authorities. Once enough caches are running this code,
+ clients will be able to save significant amounts of directory bandwidth
+ by downloading microdescriptors instead of router descriptors.
+
+ o Minor features:
+ - Make logging resolution configurable with a new LogTimeGranularity
+ option, and change the default from 1 millisecond to 1 second.
+ Implements enhancement 1668.
+ - We log which torrc file we're using on startup. Implements ticket
+ 2444.
+ - Ordinarily, Tor does not count traffic from private addresses (like
+ 127.0.0.1 or 10.0.0.1) when calculating rate limits or accounting.
+ There is now a new option, CountPrivateBandwidth, to disable this
+ behavior. Patch from Daniel Cagara.
+ - New --enable-static-tor configure option for building Tor as
+ statically as possible. Idea, general hackery and thoughts from
+ Alexei Czeskis, John Gilmore, Jacob Appelbaum. Implements ticket
+ 2702.
+ - If you set the NumCPUs option to 0, Tor will now try to detect how
+ many CPUs you have. This is the new default behavior.
+ - Turn on directory request statistics by default and include them in
+ extra-info descriptors. Don't break if we have no GeoIP database.
+ - Relays that set "ConnDirectionStatistics 1" write statistics on the
+ bidirectional use of connections to disk every 24 hours.
+ - Add a GeoIP file digest to the extra-info descriptor. Implements
+ enhancement 1883.
+ - The NodeFamily option -- which let you declare that you want to
+ consider nodes to be part of a family whether they list themselves
+ that way or not -- now allows IP address ranges and country codes.
+ - Add a new 'Heartbeat' log message type to periodically log a message
+ describing Tor's status at level Notice. This feature is meant for
+ operators who log at notice, and want to make sure that their Tor
+ server is still working. Implementation by George Kadianakis.
+
+ o Minor bugfixes (on 0.2.2.25-alpha):
+ - When loading the microdesc journal, remember its current size.
+ In 0.2.2, this helps prevent the microdesc journal from growing
+ without limit on authorities (who are the only ones to use it in
+ 0.2.2). Fixes a part of bug 2230; bugfix on 0.2.2.6-alpha.
+ Fix posted by "cypherpunks."
+ - The microdesc journal is supposed to get rebuilt only if it is
+ at least _half_ the length of the store, not _twice_ the length
+ of the store. Bugfix on 0.2.2.6-alpha; fixes part of bug 2230.
+ - If as an authority we fail to compute the identity digest of a v3
+ legacy keypair, warn, and don't use a buffer-full of junk instead.
+ Bugfix on 0.2.1.1-alpha; fixes bug 3106.
+ - Authorities now clean their microdesc cache periodically and when
+ reading from disk initially, not only when adding new descriptors.
+ This prevents a bug where we could lose microdescriptors. Bugfix
+ on 0.2.2.6-alpha.
+
+ o Minor features (controller):
+ - Add a new SIGNAL event to the controller interface so that
+ controllers can be notified when Tor handles a signal. Resolves
+ issue 1955. Patch by John Brooks.
+ - Add a new GETINFO option to get total bytes read and written. Patch
+ from pipe, revised by atagar. Resolves ticket 2345.
+ - Implement some GETINFO controller fields to provide information about
+ the Tor process's pid, euid, username, and resource limits.
+
+ o Build changes:
+ - Our build system requires automake 1.6 or later to create the
+ Makefile.in files. Previously, you could have used 1.4.
+ This only affects developers and people building Tor from git;
+ people who build Tor from the source distribution without changing
+ the Makefile.am files should be fine.
+ - Our autogen.sh script uses autoreconf to launch autoconf, automake, and
+ so on. This is more robust against some of the failure modes
+ associated with running the autotools pieces on their own.
+
+ o Minor packaging issues:
+ - On OpenSUSE, create the /var/run/tor directory on startup if it is not
+ already created. Patch from Andreas Stieger. Fixes bug 2573.
+
+ o Code simplifications and refactoring:
+ - A major revision to our internal node-selecting and listing logic.
+ Tor already had at least two major ways to look at the question of
+ "which Tor servers do we know about": a list of router descriptors,
+ and a list of entries in the current consensus. With
+ microdescriptors, we're adding a third. Having so many systems
+ without an abstraction layer over them was hurting the codebase.
+ Now, we have a new "node_t" abstraction that presents a consistent
+ interface to a client's view of a Tor node, and holds (nearly) all
+ of the mutable state formerly in routerinfo_t and routerstatus_t.
+ - The helper programs tor-gencert, tor-resolve, and tor-checkkey
+ no longer link against Libevent: they never used it, but
+ our library structure used to force them to link it.
+
+ o Removed features:
+ - Remove some old code to work around even older versions of Tor that
+ used forked processes to handle DNS requests. Such versions of Tor
+ are no longer in use as servers.
+
+ o Documentation fixes:
+ - Correct a broken faq link in the INSTALL file. Fixes bug 2307.
+ - Add missing documentation for the authority-related torrc options
+ RephistTrackTime, BridgePassword, and V3AuthUseLegacyKey. Resolves
+ issue 2379.
+
+
+Changes in version 0.2.2.25-alpha - 2011-04-29
+ Tor 0.2.2.25-alpha fixes many bugs: hidden service clients are more
+ robust, routers no longer overreport their bandwidth, Win7 should crash
+ a little less, and NEWNYM (as used by Vidalia's "new identity" button)
+ now prevents hidden service-related activity from being linkable. It
+ provides more information to Vidalia so you can see if your bridge is
+ working. Also, 0.2.2.25-alpha revamps the Entry/Exit/ExcludeNodes and
+ StrictNodes configuration options to make them more reliable, more
+ understandable, and more regularly applied. If you use those options,
+ please see the revised documentation for them in the manual page.
+
+ o Major bugfixes:
+ - Relays were publishing grossly inflated bandwidth values because
+ they were writing their state files wrong--now they write the
+ correct value. Also, resume reading bandwidth history from the
+ state file correctly. Fixes bug 2704; bugfix on 0.2.2.23-alpha.
+ - Improve hidden service robustness: When we find that we have
+ extended a hidden service's introduction circuit to a relay not
+ listed as an introduction point in the HS descriptor we currently
+ have, retry with an introduction point from the current
+ descriptor. Previously we would just give up. Fixes bugs 1024 and
+ 1930; bugfix on 0.2.0.10-alpha.
+ - Clients now stop trying to use an exit node associated with a given
+ destination by TrackHostExits if they fail to reach that exit node.
+ Fixes bug 2999. Bugfix on 0.2.0.20-rc.
+ - Fix crash bug on platforms where gmtime and localtime can return
+ NULL. Windows 7 users were running into this one. Fixes part of bug
+ 2077. Bugfix on all versions of Tor. Found by boboper.
+
+ o Security and stability fixes:
+ - Don't double-free a parsable, but invalid, microdescriptor, even if
+ it is followed in the blob we're parsing by an unparsable
+ microdescriptor. Fixes an issue reported in a comment on bug 2954.
+ Bugfix on 0.2.2.6-alpha; fix by "cypherpunks".
+ - If the Nickname configuration option isn't given, Tor would pick a
+ nickname based on the local hostname as the nickname for a relay.
+ Because nicknames are not very important in today's Tor and the
+ "Unnamed" nickname has been implemented, this is now problematic
+ behavior: It leaks information about the hostname without being
+ useful at all. Fixes bug 2979; bugfix on 0.1.2.2-alpha, which
+ introduced the Unnamed nickname. Reported by tagnaq.
+ - Fix an uncommon assertion failure when running with DNSPort under
+ heavy load. Fixes bug 2933; bugfix on 0.2.0.1-alpha.
+ - Avoid linkability based on cached hidden service descriptors: forget
+ all hidden service descriptors cached as a client when processing a
+ SIGNAL NEWNYM command. Fixes bug 3000; bugfix on 0.0.6.
+
+ o Major features:
+ - Export GeoIP information on bridge usage to controllers even if we
+ have not yet been running for 24 hours. Now Vidalia bridge operators
+ can get more accurate and immediate feedback about their
+ contributions to the network.
+
+ o Major features and bugfixes (node selection):
+ - Revise and reconcile the meaning of the ExitNodes, EntryNodes,
+ ExcludeEntryNodes, ExcludeExitNodes, ExcludeNodes, and StrictNodes
+ options. Previously, we had been ambiguous in describing what
+ counted as an "exit" node, and what operations exactly "StrictNodes
+ 0" would permit. This created confusion when people saw nodes built
+ through unexpected circuits, and made it hard to tell real bugs from
+ surprises. Now the intended behavior is:
+ . "Exit", in the context of ExitNodes and ExcludeExitNodes, means
+ a node that delivers user traffic outside the Tor network.
+ . "Entry", in the context of EntryNodes, means a node used as the
+ first hop of a multihop circuit. It doesn't include direct
+ connections to directory servers.
+ . "ExcludeNodes" applies to all nodes.
+ . "StrictNodes" changes the behavior of ExcludeNodes only. When
+ StrictNodes is set, Tor should avoid all nodes listed in
+ ExcludeNodes, even when it will make user requests fail. When
+ StrictNodes is *not* set, then Tor should follow ExcludeNodes
+ whenever it can, except when it must use an excluded node to
+ perform self-tests, connect to a hidden service, provide a
+ hidden service, fulfill a .exit request, upload directory
+ information, or fetch directory information.
+ Collectively, the changes to implement the behavior fix bug 1090.
+ - ExcludeNodes now takes precedence over EntryNodes and ExitNodes: if
+ a node is listed in both, it's treated as excluded.
+ - ExcludeNodes now applies to directory nodes -- as a preference if
+ StrictNodes is 0, or an absolute requirement if StrictNodes is 1.
+ Don't exclude all the directory authorities and set StrictNodes to 1
+ unless you really want your Tor to break.
+ - ExcludeNodes and ExcludeExitNodes now override exit enclaving.
+ - ExcludeExitNodes now overrides .exit requests.
+ - We don't use bridges listed in ExcludeNodes.
+ - When StrictNodes is 1:
+ . We now apply ExcludeNodes to hidden service introduction points
+ and to rendezvous points selected by hidden service users. This
+ can make your hidden service less reliable: use it with caution!
+ . If we have used ExcludeNodes on ourself, do not try relay
+ reachability self-tests.
+ . If we have excluded all the directory authorities, we will not
+ even try to upload our descriptor if we're a relay.
+ . Do not honor .exit requests to an excluded node.
+ - Remove a misfeature that caused us to ignore the Fast/Stable flags
+ when ExitNodes is set. Bugfix on 0.2.2.7-alpha.
+ - When the set of permitted nodes changes, we now remove any mappings
+ introduced via TrackExitHosts to now-excluded nodes. Bugfix on
+ 0.1.0.1-rc.
+ - We never cannibalize a circuit that had excluded nodes on it, even
+ if StrictNodes is 0. Bugfix on 0.1.0.1-rc.
+ - Revert a change where we would be laxer about attaching streams to
+ circuits than when building the circuits. This was meant to prevent
+ a set of bugs where streams were never attachable, but our improved
+ code here should make this unnecessary. Bugfix on 0.2.2.7-alpha.
+ - Keep track of how many times we launch a new circuit to handle a
+ given stream. Too many launches could indicate an inconsistency
+ between our "launch a circuit to handle this stream" logic and our
+ "attach this stream to one of the available circuits" logic.
+ - Improve log messages related to excluded nodes.
+
+ o Minor bugfixes:
+ - Fix a spurious warning when moving from a short month to a long
+ month on relays with month-based BandwidthAccounting. Bugfix on
+ 0.2.2.17-alpha; fixes bug 3020.
+ - When a client finds that an origin circuit has run out of 16-bit
+ stream IDs, we now mark it as unusable for new streams. Previously,
+ we would try to close the entire circuit. Bugfix on 0.0.6.
+ - Add a forgotten cast that caused a compile warning on OS X 10.6.
+ Bugfix on 0.2.2.24-alpha.
+ - Be more careful about reporting the correct error from a failed
+ connect() system call. Under some circumstances, it was possible to
+ look at an incorrect value for errno when sending the end reason.
+ Bugfix on 0.1.0.1-rc.
+ - Correctly handle an "impossible" overflow cases in connection byte
+ counting, where we write or read more than 4GB on an edge connection
+ in a single second. Bugfix on 0.1.2.8-beta.
+ - Correct the warning displayed when a rendezvous descriptor exceeds
+ the maximum size. Fixes bug 2750; bugfix on 0.2.1.5-alpha. Found by
+ John Brooks.
+ - Clients and hidden services now use HSDir-flagged relays for hidden
+ service descriptor downloads and uploads even if the relays have no
+ DirPort set and the client has disabled TunnelDirConns. This will
+ eventually allow us to give the HSDir flag to relays with no
+ DirPort. Fixes bug 2722; bugfix on 0.2.1.6-alpha.
+ - Downgrade "no current certificates known for authority" message from
+ Notice to Info. Fixes bug 2899; bugfix on 0.2.0.10-alpha.
+ - Make the SIGNAL DUMP control-port command work on FreeBSD. Fixes bug
+ 2917. Bugfix on 0.1.1.1-alpha.
+ - Only limit the lengths of single HS descriptors, even when multiple
+ HS descriptors are published to an HSDir relay in a single POST
+ operation. Fixes bug 2948; bugfix on 0.2.1.5-alpha. Found by hsdir.
+ - Write the current time into the LastWritten line in our state file,
+ rather than the time from the previous write attempt. Also, stop
+ trying to use a time of -1 in our log statements. Fixes bug 3039;
+ bugfix on 0.2.2.14-alpha.
+ - Be more consistent in our treatment of file system paths. "~" should
+ get expanded to the user's home directory in the Log config option.
+ Fixes bug 2971; bugfix on 0.2.0.1-alpha, which introduced the
+ feature for the -f and --DataDirectory options.
+
+ o Minor features:
+ - Make sure every relay writes a state file at least every 12 hours.
+ Previously, a relay could go for weeks without writing its state
+ file, and on a crash could lose its bandwidth history, capacity
+ estimates, client country statistics, and so on. Addresses bug 3012.
+ - Send END_STREAM_REASON_NOROUTE in response to EHOSTUNREACH errors.
+ Clients before 0.2.1.27 didn't handle NOROUTE correctly, but such
+ clients are already deprecated because of security bugs.
+ - Don't allow v0 hidden service authorities to act as clients.
+ Required by fix for bug 3000.
+ - Ignore SIGNAL NEWNYM commands on relay-only Tor instances. Required
+ by fix for bug 3000.
+ - Ensure that no empty [dirreq-](read|write)-history lines are added
+ to an extrainfo document. Implements ticket 2497.
+
+ o Code simplification and refactoring:
+ - Remove workaround code to handle directory responses from servers
+ that had bug 539 (they would send HTTP status 503 responses _and_
+ send a body too). Since only server versions before
+ 0.2.0.16-alpha/0.1.2.19 were affected, there is no longer reason to
+ keep the workaround in place.
+ - Remove the old 'fuzzy time' logic. It was supposed to be used for
+ handling calculations where we have a known amount of clock skew and
+ an allowed amount of unknown skew. But we only used it in three
+ places, and we never adjusted the known/unknown skew values. This is
+ still something we might want to do someday, but if we do, we'll
+ want to do it differently.
+ - Avoid signed/unsigned comparisons by making SIZE_T_CEILING unsigned.
+ None of the cases where we did this before were wrong, but by making
+ this change we avoid warnings. Fixes bug 2475; bugfix on 0.2.1.28.
+ - Use GetTempDir to find the proper temporary directory location on
+ Windows when generating temporary files for the unit tests. Patch by
+ Gisle Vanem.
+
+
+Changes in version 0.2.2.24-alpha - 2011-04-08
+ Tor 0.2.2.24-alpha fixes a variety of bugs, including a big bug that
+ prevented Tor clients from effectively using "multihomed" bridges,
+ that is, bridges that listen on multiple ports or IP addresses so users
+ can continue to use some of their addresses even if others get blocked.
+
+ o Major bugfixes:
+ - Fix a bug where bridge users who configure the non-canonical
+ address of a bridge automatically switch to its canonical
+ address. If a bridge listens at more than one address, it should be
+ able to advertise those addresses independently and any non-blocked
+ addresses should continue to work. Bugfix on Tor 0.2.0.x. Fixes
+ bug 2510.
+ - If you configured Tor to use bridge A, and then quit and
+ configured Tor to use bridge B instead, it would happily continue
+ to use bridge A if it's still reachable. While this behavior is
+ a feature if your goal is connectivity, in some scenarios it's a
+ dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.
+ - Directory authorities now use data collected from their own
+ uptime observations when choosing whether to assign the HSDir flag
+ to relays, instead of trusting the uptime value the relay reports in
+ its descriptor. This change helps prevent an attack where a small
+ set of nodes with frequently-changing identity keys can blackhole
+ a hidden service. (Only authorities need upgrade; others will be
+ fine once they do.) Bugfix on 0.2.0.10-alpha; fixes bug 2709.
+
+ o Minor bugfixes:
+ - When we restart our relay, we might get a successful connection
+ from the outside before we've started our reachability tests,
+ triggering a warning: "ORPort found reachable, but I have no
+ routerinfo yet. Failing to inform controller of success." This
+ bug was harmless unless Tor is running under a controller
+ like Vidalia, in which case the controller would never get a
+ REACHABILITY_SUCCEEDED status event. Bugfix on 0.1.2.6-alpha;
+ fixes bug 1172.
+ - Make directory authorities more accurate at recording when
+ relays that have failed several reachability tests became
+ unreachable, so we can provide more accuracy at assigning Stable,
+ Guard, HSDir, etc flags. Bugfix on 0.2.0.6-alpha. Resolves bug 2716.
+ - Fix an issue that prevented static linking of libevent on
+ some platforms (notably Linux). Fixes bug 2698; bugfix on
+ versions 0.2.1.23/0.2.2.8-alpha (the versions introducing
+ the --with-static-libevent configure option).
+ - We now ask the other side of a stream (the client or the exit)
+ for more data on that stream when the amount of queued data on
+ that stream dips low enough. Previously, we wouldn't ask the
+ other side for more data until either it sent us more data (which
+ it wasn't supposed to do if it had exhausted its window!) or we
+ had completely flushed all our queued data. This flow control fix
+ should improve throughput. Fixes bug 2756; bugfix on the earliest
+ released versions of Tor (svn commit r152).
+ - Avoid a double-mark-for-free warning when failing to attach a
+ transparent proxy connection. (We thought we had fixed this in
+ 0.2.2.23-alpha, but it turns out our fix was checking the wrong
+ connection.) Fixes bug 2757; bugfix on 0.1.2.1-alpha (the original
+ bug) and 0.2.2.23-alpha (the incorrect fix).
+ - When warning about missing zlib development packages during compile,
+ give the correct package names. Bugfix on 0.2.0.1-alpha.
+
+ o Minor features:
+ - Directory authorities now log the source of a rejected POSTed v3
+ networkstatus vote.
+ - Make compilation with clang possible when using
+ --enable-gcc-warnings by removing two warning options that clang
+ hasn't implemented yet and by fixing a few warnings. Implements
+ ticket 2696.
+ - When expiring circuits, use microsecond timers rather than
+ one-second timers. This can avoid an unpleasant situation where a
+ circuit is launched near the end of one second and expired right
+ near the beginning of the next, and prevent fluctuations in circuit
+ timeout values.
+ - Use computed circuit-build timeouts to decide when to launch
+ parallel introduction circuits for hidden services. (Previously,
+ we would retry after 15 seconds.)
+ - Update to the April 1 2011 Maxmind GeoLite Country database.
+
+ o Packaging fixes:
+ - Create the /var/run/tor directory on startup on OpenSUSE if it is
+ not already created. Patch from Andreas Stieger. Fixes bug 2573.
+
+ o Documentation changes:
+ - Modernize the doxygen configuration file slightly. Fixes bug 2707.
+ - Resolve all doxygen warnings except those for missing documentation.
+ Fixes bug 2705.
+ - Add doxygen documentation for more functions, fields, and types.
+
+
+Changes in version 0.2.2.23-alpha - 2011-03-08
+ Tor 0.2.2.23-alpha lets relays record their bandwidth history so when
+ they restart they don't lose their bandwidth capacity estimate. This
+ release also fixes a diverse set of user-facing bugs, ranging from
+ relays overrunning their rate limiting to clients falsely warning about
+ clock skew to bridge descriptor leaks by our bridge directory authority.
+
+ o Major bugfixes:
+ - Stop sending a CLOCK_SKEW controller status event whenever
+ we fetch directory information from a relay that has a wrong clock.
+ Instead, only inform the controller when it's a trusted authority
+ that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
+ the rest of bug 1074.
+ - Fix an assert in parsing router descriptors containing IPv6
+ addresses. This one took down the directory authorities when
+ somebody tried some experimental code. Bugfix on 0.2.1.3-alpha.
+ - Make the bridge directory authority refuse to answer directory
+ requests for "all" descriptors. It used to include bridge
+ descriptors in its answer, which was a major information leak.
+ Found by "piebeer". Bugfix on 0.2.0.3-alpha.
+ - If relays set RelayBandwidthBurst but not RelayBandwidthRate,
+ Tor would ignore their RelayBandwidthBurst setting,
+ potentially using more bandwidth than expected. Bugfix on
+ 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
+ - Ignore and warn if the user mistakenly sets "PublishServerDescriptor
+ hidserv" in her torrc. The 'hidserv' argument never controlled
+ publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
+
+ o Major features:
+ - Relays now save observed peak bandwidth throughput rates to their
+ state file (along with total usage, which was already saved)
+ so that they can determine their correct estimated bandwidth on
+ restart. Resolves bug 1863, where Tor relays would reset their
+ estimated bandwidth to 0 after restarting.
+ - Directory authorities now take changes in router IP address and
+ ORPort into account when determining router stability. Previously,
+ if a router changed its IP or ORPort, the authorities would not
+ treat it as having any downtime for the purposes of stability
+ calculation, whereas clients would experience downtime since the
+ change could take a while to propagate to them. Resolves issue 1035.
+ - Enable Address Space Layout Randomization (ASLR) and Data Execution
+ Prevention (DEP) by default on Windows to make it harder for
+ attackers to exploit vulnerabilities. Patch from John Brooks.
+
+ o Minor bugfixes (on 0.2.1.x and earlier):
+ - Fix a rare crash bug that could occur when a client was configured
+ with a large number of bridges. Fixes bug 2629; bugfix on
+ 0.2.1.2-alpha. Bugfix by trac user "shitlei".
+ - Avoid a double mark-for-free warning when failing to attach a
+ transparent proxy connection. Bugfix on 0.1.2.1-alpha. Fixes
+ bug 2279.
+ - Correctly detect failure to allocate an OpenSSL BIO. Fixes bug 2378;
+ found by "cypherpunks". This bug was introduced before the first
+ Tor release, in svn commit r110.
+ - Country codes aren't supported in EntryNodes until 0.2.3.x, so
+ don't mention them in the manpage. Fixes bug 2450; issue
+ spotted by keb and G-Lo.
+ - Fix a bug in bandwidth history state parsing that could have been
+ triggered if a future version of Tor ever changed the timing
+ granularity at which bandwidth history is measured. Bugfix on
+ Tor 0.1.1.11-alpha.
+ - When a relay decides that its DNS is too broken for it to serve
+ as an exit server, it advertised itself as a non-exit, but
+ continued to act as an exit. This could create accidental
+ partitioning opportunities for users. Instead, if a relay is
+ going to advertise reject *:* as its exit policy, it should
+ really act with exit policy "reject *:*". Fixes bug 2366.
+ Bugfix on Tor 0.1.2.5-alpha. Bugfix by user "postman" on trac.
+ - In the special case where you configure a public exit relay as your
+ bridge, Tor would be willing to use that exit relay as the last
+ hop in your circuit as well. Now we fail that circuit instead.
+ Bugfix on 0.2.0.12-alpha. Fixes bug 2403. Reported by "piebeer".
+ - Fix a bug with our locking implementation on Windows that couldn't
+ correctly detect when a file was already locked. Fixes bug 2504,
+ bugfix on 0.2.1.6-alpha.
+ - Fix IPv6-related connect() failures on some platforms (BSD, OS X).
+ Bugfix on 0.2.0.3-alpha; fixes first part of bug 2660. Patch by
+ "piebeer".
+ - Set target port in get_interface_address6() correctly. Bugfix
+ on 0.1.1.4-alpha and 0.2.0.3-alpha; fixes second part of bug 2660.
+ - Directory authorities are now more robust to hops back in time
+ when calculating router stability. Previously, if a run of uptime
+ or downtime appeared to be negative, the calculation could give
+ incorrect results. Bugfix on 0.2.0.6-alpha; noticed when fixing
+ bug 1035.
+ - Fix an assert that got triggered when using the TestingTorNetwork
+ configuration option and then issuing a GETINFO config-text control
+ command. Fixes bug 2250; bugfix on 0.2.1.2-alpha.
+
+ o Minor bugfixes (on 0.2.2.x):
+ - Clients should not weight BadExit nodes as Exits in their node
+ selection. Similarly, directory authorities should not count BadExit
+ bandwidth as Exit bandwidth when computing bandwidth-weights.
+ Bugfix on 0.2.2.10-alpha; fixes bug 2203.
+ - Correctly clear our dir_read/dir_write history when there is an
+ error parsing any bw history value from the state file. Bugfix on
+ Tor 0.2.2.15-alpha.
+ - Resolve a bug in verifying signatures of directory objects
+ with digests longer than SHA1. Bugfix on 0.2.2.20-alpha.
+ Fixes bug 2409. Found by "piebeer".
+ - Bridge authorities no longer crash on SIGHUP when they try to
+ publish their relay descriptor to themselves. Fixes bug 2572. Bugfix
+ on 0.2.2.22-alpha.
+
+ o Minor features:
+ - Log less aggressively about circuit timeout changes, and improve
+ some other circuit timeout messages. Resolves bug 2004.
+ - Log a little more clearly about the times at which we're no longer
+ accepting new connections. Resolves bug 2181.
+ - Reject attempts at the client side to open connections to private
+ IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with
+ a randomly chosen exit node. Attempts to do so are always
+ ill-defined, generally prevented by exit policies, and usually
+ in error. This will also help to detect loops in transparent
+ proxy configurations. You can disable this feature by setting
+ "ClientRejectInternalAddresses 0" in your torrc.
+ - Always treat failure to allocate an RSA key as an unrecoverable
+ allocation error.
+ - Update to the March 1 2011 Maxmind GeoLite Country database.
+
+ o Minor features (log subsystem):
+ - Add documentation for configuring logging at different severities in
+ different log domains. We've had this feature since 0.2.1.1-alpha,
+ but for some reason it never made it into the manpage. Fixes
+ bug 2215.
+ - Make it simpler to specify "All log domains except for A and B".
+ Previously you needed to say "[*,~A,~B]". Now you can just say
+ "[~A,~B]".
+ - Add a "LogMessageDomains 1" option to include the domains of log
+ messages along with the messages. Without this, there's no way
+ to use log domains without reading the source or doing a lot
+ of guessing.
+
+ o Packaging changes:
+ - Stop shipping the Tor specs files and development proposal documents
+ in the tarball. They are now in a separate git repository at
+ git://git.torproject.org/torspec.git
+
+
+Changes in version 0.2.1.30 - 2011-02-23
+ Tor 0.2.1.30 fixes a variety of less critical bugs. The main other
+ change is a slight tweak to Tor's TLS handshake that makes relays
+ and bridges that run this new version reachable from Iran again.
+ We don't expect this tweak will win the arms race long-term, but it
+ buys us time until we roll out a better solution.
+
+ o Major bugfixes:
+ - Stop sending a CLOCK_SKEW controller status event whenever
+ we fetch directory information from a relay that has a wrong clock.
+ Instead, only inform the controller when it's a trusted authority
+ that claims our clock is wrong. Bugfix on 0.1.2.6-alpha; fixes
+ the rest of bug 1074.
+ - Fix a bounds-checking error that could allow an attacker to
+ remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
+ Found by "piebeer".
+ - If relays set RelayBandwidthBurst but not RelayBandwidthRate,
+ Tor would ignore their RelayBandwidthBurst setting,
+ potentially using more bandwidth than expected. Bugfix on
+ 0.2.0.1-alpha. Reported by Paul Wouters. Fixes bug 2470.
+ - Ignore and warn if the user mistakenly sets "PublishServerDescriptor
+ hidserv" in her torrc. The 'hidserv' argument never controlled
+ publication of hidden service descriptors. Bugfix on 0.2.0.1-alpha.
+
+ o Minor features:
+ - Adjust our TLS Diffie-Hellman parameters to match those used by
+ Apache's mod_ssl.
+ - Update to the February 1 2011 Maxmind GeoLite Country database.
+
+ o Minor bugfixes:
+ - Check for and reject overly long directory certificates and
+ directory tokens before they have a chance to hit any assertions.
+ Bugfix on 0.2.1.28. Found by "doorss".
+ - Bring the logic that gathers routerinfos and assesses the
+ acceptability of circuits into line. This prevents a Tor OP from
+ getting locked in a cycle of choosing its local OR as an exit for a
+ path (due to a .exit request) and then rejecting the circuit because
+ its OR is not listed yet. It also prevents Tor clients from using an
+ OR running in the same instance as an exit (due to a .exit request)
+ if the OR does not meet the same requirements expected of an OR
+ running elsewhere. Fixes bug 1859; bugfix on 0.1.0.1-rc.
+
+ o Packaging changes:
+ - Stop shipping the Tor specs files and development proposal documents
+ in the tarball. They are now in a separate git repository at
+ git://git.torproject.org/torspec.git
+ - Do not include Git version tags as though they are SVN tags when
+ generating a tarball from inside a repository that has switched
+ between branches. Bugfix on 0.2.1.15-rc; fixes bug 2402.
+
+
+Changes in version 0.2.2.22-alpha - 2011-01-25
+ Tor 0.2.2.22-alpha fixes a few more less-critical security issues. The
+ main other change is a slight tweak to Tor's TLS handshake that makes
+ relays and bridges that run this new version reachable from Iran again.
+ We don't expect this tweak will win the arms race long-term, but it
+ will buy us a bit more time until we roll out a better solution.
+
+ o Major bugfixes:
+ - Fix a bounds-checking error that could allow an attacker to
+ remotely crash a directory authority. Bugfix on 0.2.1.5-alpha.
+ Found by "piebeer".
+ - Don't assert when changing from bridge to relay or vice versa
+ via the controller. The assert happened because we didn't properly
+ initialize our keys in this case. Bugfix on 0.2.2.18-alpha; fixes
+ bug 2433. Reported by bastik.
+
+ o Minor features:
+ - Adjust our TLS Diffie-Hellman parameters to match those used by
+ Apache's mod_ssl.
+ - Provide a log message stating which geoip file we're parsing
+ instead of just stating that we're parsing the geoip file.
+ Implements ticket 2432.
+
+ o Minor bugfixes:
+ - Check for and reject overly long directory certificates and
+ directory tokens before they have a chance to hit any assertions.
+ Bugfix on 0.2.1.28 / 0.2.2.20-alpha. Found by "doorss".
+
+
+Changes in version 0.2.2.21-alpha - 2011-01-15
+ Tor 0.2.2.21-alpha includes all the patches from Tor 0.2.1.29, which
+ continues our recent code security audit work. The main fix resolves
+ a remote heap overflow vulnerability that can allow remote code
+ execution (CVE-2011-0427). Other fixes address a variety of assert
+ and crash bugs, most of which we think are hard to exploit remotely.
+
+ o Major bugfixes (security), also included in 0.2.1.29:
+ - Fix a heap overflow bug where an adversary could cause heap
+ corruption. This bug probably allows remote code execution
+ attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
+ 0.1.2.10-rc.
+ - Prevent a denial-of-service attack by disallowing any
+ zlib-compressed data whose compression factor is implausibly
+ high. Fixes part of bug 2324; reported by "doorss".
+ - Zero out a few more keys in memory before freeing them. Fixes
+ bug 2384 and part of bug 2385. These key instances found by
+ "cypherpunks", based on Andrew Case's report about being able
+ to find sensitive data in Tor's memory space if you have enough
+ permissions. Bugfix on 0.0.2pre9.
+
+ o Major bugfixes (crashes), also included in 0.2.1.29:
+ - Prevent calls to Libevent from inside Libevent log handlers.
+ This had potential to cause a nasty set of crashes, especially
+ if running Libevent with debug logging enabled, and running
+ Tor with a controller watching for low-severity log messages.
+ Bugfix on 0.1.0.2-rc. Fixes bug 2190.
+ - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
+ underflow errors there too. Fixes the other part of bug 2324.
+ - Fix a bug where we would assert if we ever had a
+ cached-descriptors.new file (or another file read directly into
+ memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
+ on 0.2.1.25. Found by doorss.
+ - Fix some potential asserts and parsing issues with grossly
+ malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
+ Found by doorss.
+
+ o Minor bugfixes (other), also included in 0.2.1.29:
+ - Fix a bug with handling misformed replies to reverse DNS lookup
+ requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
+ bug reported by doorss.
+ - Fix compilation on mingw when a pthreads compatibility library
+ has been installed. (We don't want to use it, so we shouldn't
+ be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
+ - Fix a bug where we would declare that we had run out of virtual
+ addresses when the address space was only half-exhausted. Bugfix
+ on 0.1.2.1-alpha.
+ - Correctly handle the case where AutomapHostsOnResolve is set but
+ no virtual addresses are available. Fixes bug 2328; bugfix on
+ 0.1.2.1-alpha. Bug found by doorss.
+ - Correctly handle wrapping around when we run out of virtual
+ address space. Found by cypherpunks; bugfix on 0.2.0.5-alpha.
+
+ o Minor features, also included in 0.2.1.29:
+ - Update to the January 1 2011 Maxmind GeoLite Country database.
+ - Introduce output size checks on all of our decryption functions.
+
+ o Build changes, also included in 0.2.1.29:
+ - Tor does not build packages correctly with Automake 1.6 and earlier;
+ added a check to Makefile.am to make sure that we're building with
+ Automake 1.7 or later.
+ - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
+ because we built it with a too-old version of automake. Thus that
+ release broke ./configure --enable-openbsd-malloc, which is popular
+ among really fast exit relays on Linux.
+
+ o Major bugfixes, new in 0.2.2.21-alpha:
+ - Prevent crash/heap corruption when the cbtnummodes consensus
+ parameter is set to 0 or large values. Fixes bug 2317; bugfix
+ on 0.2.2.14-alpha.
+
+ o Major features, new in 0.2.2.21-alpha:
+ - Introduce minimum/maximum values that clients will believe
+ from the consensus. Now we'll have a better chance to avoid crashes
+ or worse when a consensus param has a weird value.
+
+ o Minor features, new in 0.2.2.21-alpha:
+ - Make sure to disable DirPort if running as a bridge. DirPorts aren't
+ used on bridges, and it makes bridge scanning somewhat easier.
+ - If writing the state file to disk fails, wait up to an hour before
+ retrying again, rather than trying again each second. Fixes bug
+ 2346; bugfix on Tor 0.1.1.3-alpha.
+ - Make Libevent log messages get delivered to controllers later,
+ and not from inside the Libevent log handler. This prevents unsafe
+ reentrant Libevent calls while still letting the log messages
+ get through.
+ - Detect platforms that brokenly use a signed size_t, and refuse to
+ build there. Found and analyzed by doorss and rransom.
+ - Fix a bunch of compile warnings revealed by mingw with gcc 4.5.
+ Resolves bug 2314.
+
+ o Minor bugfixes, new in 0.2.2.21-alpha:
+ - Handle SOCKS messages longer than 128 bytes long correctly, rather
+ than waiting forever for them to finish. Fixes bug 2330; bugfix
+ on 0.2.0.16-alpha. Found by doorss.
+ - Add assertions to check for overflow in arguments to
+ base32_encode() and base32_decode(); fix a signed-unsigned
+ comparison there too. These bugs are not actually reachable in Tor,
+ but it's good to prevent future errors too. Found by doorss.
+ - Correctly detect failures to create DNS requests when using Libevent
+ versions before v2. (Before Libevent 2, we used our own evdns
+ implementation. Its return values for Libevent's evdns_resolve_*()
+ functions are not consistent with those from Libevent.) Fixes bug
+ 2363; bugfix on 0.2.2.6-alpha. Found by "lodger".
+
+ o Documentation, new in 0.2.2.21-alpha:
+ - Document the default socks host and port (127.0.0.1:9050) for
+ tor-resolve.
+
+
+Changes in version 0.2.1.29 - 2011-01-15
+ Tor 0.2.1.29 continues our recent code security audit work. The main
+ fix resolves a remote heap overflow vulnerability that can allow remote
+ code execution. Other fixes address a variety of assert and crash bugs,
+ most of which we think are hard to exploit remotely.
+
+ o Major bugfixes (security):
+ - Fix a heap overflow bug where an adversary could cause heap
+ corruption. This bug probably allows remote code execution
+ attacks. Reported by "debuger". Fixes CVE-2011-0427. Bugfix on
+ 0.1.2.10-rc.
+ - Prevent a denial-of-service attack by disallowing any
+ zlib-compressed data whose compression factor is implausibly
+ high. Fixes part of bug 2324; reported by "doorss".
+ - Zero out a few more keys in memory before freeing them. Fixes
+ bug 2384 and part of bug 2385. These key instances found by
+ "cypherpunks", based on Andrew Case's report about being able
+ to find sensitive data in Tor's memory space if you have enough
+ permissions. Bugfix on 0.0.2pre9.
+
+ o Major bugfixes (crashes):
+ - Prevent calls to Libevent from inside Libevent log handlers.
+ This had potential to cause a nasty set of crashes, especially
+ if running Libevent with debug logging enabled, and running
+ Tor with a controller watching for low-severity log messages.
+ Bugfix on 0.1.0.2-rc. Fixes bug 2190.
+ - Add a check for SIZE_T_MAX to tor_realloc() to try to avoid
+ underflow errors there too. Fixes the other part of bug 2324.
+ - Fix a bug where we would assert if we ever had a
+ cached-descriptors.new file (or another file read directly into
+ memory) of exactly SIZE_T_CEILING bytes. Fixes bug 2326; bugfix
+ on 0.2.1.25. Found by doorss.
+ - Fix some potential asserts and parsing issues with grossly
+ malformed router caches. Fixes bug 2352; bugfix on Tor 0.2.1.27.
+ Found by doorss.
+
+ o Minor bugfixes (other):
+ - Fix a bug with handling misformed replies to reverse DNS lookup
+ requests in DNSPort. Bugfix on Tor 0.2.0.1-alpha. Related to a
+ bug reported by doorss.
+ - Fix compilation on mingw when a pthreads compatibility library
+ has been installed. (We don't want to use it, so we shouldn't
+ be including pthread.h.) Fixes bug 2313; bugfix on 0.1.0.1-rc.
+ - Fix a bug where we would declare that we had run out of virtual
+ addresses when the address space was only half-exhausted. Bugfix
+ on 0.1.2.1-alpha.
+ - Correctly handle the case where AutomapHostsOnResolve is set but
+ no virtual addresses are available. Fixes bug 2328; bugfix on
+ 0.1.2.1-alpha. Bug found by doorss.
+ - Correctly handle wrapping around to when we run out of virtual
+ address space. Found by cypherpunks, bugfix on 0.2.0.5-alpha.
+ - The 0.2.1.28 tarball was missing src/common/OpenBSD_malloc_Linux.c
+ because we built it with a too-old version of automake. Thus that
+ release broke ./configure --enable-openbsd-malloc, which is popular
+ among really fast exit relays on Linux.
+
+ o Minor features:
+ - Update to the January 1 2011 Maxmind GeoLite Country database.
+ - Introduce output size checks on all of our decryption functions.
+
+ o Build changes:
+ - Tor does not build packages correctly with Automake 1.6 and earlier;
+ added a check to Makefile.am to make sure that we're building with
+ Automake 1.7 or later.
+
+
+Changes in version 0.2.2.20-alpha - 2010-12-17
+ Tor 0.2.2.20-alpha does some code cleanup to reduce the risk of remotely
+ exploitable bugs. We also fix a variety of other significant bugs,
+ change the IP address for one of our directory authorities, and update
+ the minimum version that Tor relays must run to join the network.
+
+ o Major bugfixes:
+ - Fix a remotely exploitable bug that could be used to crash instances
+ of Tor remotely by overflowing on the heap. Remote-code execution
+ hasn't been confirmed, but can't be ruled out. Everyone should
+ upgrade. Bugfix on the 0.1.1 series and later.
+ - Fix a bug that could break accounting on 64-bit systems with large
+ time_t values, making them hibernate for impossibly long intervals.
+ Fixes bug 2146. Bugfix on 0.0.9pre6; fix by boboper.
+ - Fix a logic error in directory_fetches_from_authorities() that
+ would cause all _non_-exits refusing single-hop-like circuits
+ to fetch from authorities, when we wanted to have _exits_ fetch
+ from authorities. Fixes more of 2097. Bugfix on 0.2.2.16-alpha;
+ fix by boboper.
+ - Fix a stream fairness bug that would cause newer streams on a given
+ circuit to get preference when reading bytes from the origin or
+ destination. Fixes bug 2210. Fix by Mashael AlSabah. This bug was
+ introduced before the first Tor release, in svn revision r152.
+
+ o Directory authority changes:
+ - Change IP address and ports for gabelmoo (v3 directory authority).
+
+ o Minor bugfixes:
+ - Avoid crashes when AccountingMax is set on clients. Fixes bug 2235.
+ Bugfix on 0.2.2.18-alpha. Diagnosed by boboper.
+ - Fix an off-by-one error in calculating some controller command
+ argument lengths. Fortunately, this mistake is harmless since
+ the controller code does redundant NUL termination too. Found by
+ boboper. Bugfix on 0.1.1.1-alpha.
+ - Do not dereference NULL if a bridge fails to build its
+ extra-info descriptor. Found by an anonymous commenter on
+ Trac. Bugfix on 0.2.2.19-alpha.
+
+ o Minor features:
+ - Update to the December 1 2010 Maxmind GeoLite Country database.
+ - Directory authorities now reject relays running any versions of
+ Tor between 0.2.1.3-alpha and 0.2.1.18 inclusive; they have
+ known bugs that keep RELAY_EARLY cells from working on rendezvous
+ circuits. Followup to fix for bug 2081.
+ - Directory authorities now reject relays running any version of Tor
+ older than 0.2.0.26-rc. That version is the earliest that fetches
+ current directory information correctly. Fixes bug 2156.
+ - Report only the top 10 ports in exit-port stats in order not to
+ exceed the maximum extra-info descriptor length of 50 KB. Implements
+ task 2196.
+
+
+Changes in version 0.2.1.28 - 2010-12-17
+ Tor 0.2.1.28 does some code cleanup to reduce the risk of remotely
+ exploitable bugs. We also took this opportunity to change the IP address
+ for one of our directory authorities, and to update the geoip database
+ we ship.
+
+ o Major bugfixes:
+ - Fix a remotely exploitable bug that could be used to crash instances
+ of Tor remotely by overflowing on the heap. Remote-code execution
+ hasn't been confirmed, but can't be ruled out. Everyone should
+ upgrade. Bugfix on the 0.1.1 series and later.
+
+ o Directory authority changes:
+ - Change IP address and ports for gabelmoo (v3 directory authority).
+
+ o Minor features:
+ - Update to the December 1 2010 Maxmind GeoLite Country database.
+
+
+Changes in version 0.2.1.27 - 2010-11-23
+ Yet another OpenSSL security patch broke its compatibility with Tor:
+ Tor 0.2.1.27 makes relays work with openssl 0.9.8p and 1.0.0.b. We
+ also took this opportunity to fix several crash bugs, integrate a new
+ directory authority, and update the bundled GeoIP database.
+
+ o Major bugfixes:
+ - Resolve an incompatibility with OpenSSL 0.9.8p and OpenSSL 1.0.0b:
+ No longer set the tlsext_host_name extension on server SSL objects;
+ but continue to set it on client SSL objects. Our goal in setting
+ it was to imitate a browser, not a vhosting server. Fixes bug 2204;
+ bugfix on 0.2.1.1-alpha.
+ - Do not log messages to the controller while shrinking buffer
+ freelists. Doing so would sometimes make the controller connection
+ try to allocate a buffer chunk, which would mess up the internals
+ of the freelist and cause an assertion failure. Fixes bug 1125;
+ fixed by Robert Ransom. Bugfix on 0.2.0.16-alpha.
+ - Learn our external IP address when we're a relay or bridge, even if
+ we set PublishServerDescriptor to 0. Bugfix on 0.2.0.3-alpha,
+ where we introduced bridge relays that don't need to publish to
+ be useful. Fixes bug 2050.
+ - Do even more to reject (and not just ignore) annotations on
+ router descriptors received anywhere but from the cache. Previously
+ we would ignore such annotations at first, but cache them to disk
+ anyway. Bugfix on 0.2.0.8-alpha. Found by piebeer.
+ - When you're using bridges and your network goes away and your
+ bridges get marked as down, recover when you attempt a new socks
+ connection (if the network is back), rather than waiting up to an
+ hour to try fetching new descriptors for your bridges. Bugfix on
+ 0.2.0.3-alpha; fixes bug 1981.
+
+ o Major features:
+ - Move to the November 2010 Maxmind GeoLite country db (rather
+ than the June 2009 ip-to-country GeoIP db) for our statistics that
+ count how many users relays are seeing from each country. Now we'll
+ have more accurate data, especially for many African countries.
+
+ o New directory authorities:
+ - Set up maatuska (run by Linus Nordberg) as the eighth v3 directory
+ authority.
+
+ o Minor bugfixes:
+ - Fix an assertion failure that could occur in directory caches or
+ bridge users when using a very short voting interval on a testing
+ network. Diagnosed by Robert Hogan. Fixes bug 1141; bugfix on
+ 0.2.0.8-alpha.
+ - Enforce multiplicity rules when parsing annotations. Bugfix on
+ 0.2.0.8-alpha. Found by piebeer.
+ - Allow handshaking OR connections to take a full KeepalivePeriod
+ seconds to handshake. Previously, we would close them after
+ IDLE_OR_CONN_TIMEOUT (180) seconds, the same timeout as if they
+ were open. Bugfix on 0.2.1.26; fixes bug 1840. Thanks to mingw-san
+ for analysis help.
+ - When building with --enable-gcc-warnings on OpenBSD, disable
+ warnings in system headers. This makes --enable-gcc-warnings
+ pass on OpenBSD 4.8.
+
+ o Minor features:
+ - Exit nodes didn't recognize EHOSTUNREACH as a plausible error code,
+ and so sent back END_STREAM_REASON_MISC. Clients now recognize a new
+ stream ending reason for this case: END_STREAM_REASON_NOROUTE.
+ Servers can start sending this code when enough clients recognize
+ it. Bugfix on 0.1.0.1-rc; fixes part of bug 1793.
+ - Build correctly on mingw with more recent versions of OpenSSL 0.9.8.
+ Patch from mingw-san.
+
+ o Removed files:
+ - Remove the old debian/ directory from the main Tor distribution.
+ The official Tor-for-debian git repository lives at the URL
+ https://git.torproject.org/debian/tor.git
+ - Stop shipping the old doc/website/ directory in the tarball. We
+ changed the website format in late 2010, and what we shipped in
+ 0.2.1.26 really wasn't that useful anyway.
+
+
Changes in version 0.2.2.19-alpha - 2010-11-22
Yet another OpenSSL security patch broke its compatibility with Tor:
Tor 0.2.2.19-alpha makes relays work with OpenSSL 0.9.8p and 1.0.0.b.
@@ -543,9 +3924,10 @@ Changes in version 0.2.2.14-alpha - 2010-07-12
o Minor features:
- New config option "WarnUnsafeSocks 0" disables the warning that
- occurs whenever Tor receives only an IP address instead of a
- hostname. Setups that do DNS locally over Tor are fine, and we
- shouldn't spam the logs in that case.
+ occurs whenever Tor receives a socks handshake using a version of
+ the socks protocol that can only provide an IP address (rather
+ than a hostname). Setups that do DNS locally over Tor are fine,
+ and we shouldn't spam the logs in that case.
- Convert the HACKING file to asciidoc, and add a few new sections
to it, explaining how we use Git, how we make changelogs, and
what should go in a patch.
@@ -1307,8 +4689,9 @@ Changes in version 0.2.2.5-alpha - 2009-10-11
o Major bugfixes:
- Make the tarball compile again. Oops. Bugfix on 0.2.2.4-alpha.
- o New directory authorities:
- - Move dizum to an alternate IP address.
+ o Directory authorities:
+ - Temporarily (just for this release) move dizum to an alternate
+ IP address.
Changes in version 0.2.2.4-alpha - 2009-10-10
@@ -1478,8 +4861,8 @@ Changes in version 0.2.2.1-alpha - 2009-08-26
oldest-bug prize.
o New options for gathering stats safely:
- - Directories that set "DirReqStatistics 1" write statistics on
- directory request to disk every 24 hours. As compared to the
+ - Directory mirrors that set "DirReqStatistics 1" write statistics
+ about directory requests to disk every 24 hours. As compared to the
--enable-geoip-stats flag in 0.2.1.x, there are a few improvements:
1) stats are written to disk exactly every 24 hours; 2) estimated
shares of v2 and v3 requests are determined as mean values, not at
@@ -1517,9 +4900,9 @@ Changes in version 0.2.2.1-alpha - 2009-08-26
the git commit (when we're building from a git checkout).
o Minor bugfixes:
- - If any the v3 certs we download are unparseable, we should actually
- notice the failure so we don't retry indefinitely. Bugfix on
- 0.2.0.x; reported by "rotator".
+ - If any of the v3 certs we download are unparseable, we should
+ actually notice the failure so we don't retry indefinitely. Bugfix
+ on 0.2.0.x; reported by "rotator".
- If the cached cert file is unparseable, warn but don't exit.
- Fix possible segmentation fault on directory authorities. Bugfix on
0.2.1.14-rc.
@@ -2306,7 +5689,7 @@ Changes in version 0.2.1.9-alpha - 2008-12-25
- When a download gets us zero good descriptors, do not notify
Tor that new directory information has arrived.
- Avoid some nasty corner cases in the logic for marking connections
- as too old or obsolete or noncanonical for circuits. Partial
+ as too old or obsolete or noncanonical for circuits. Partial
bugfix on bug 891.
o Minor features (controller):
@@ -3378,7 +6761,7 @@ Changes in version 0.2.0.22-rc - 2008-03-18
bugs. Bug found by lodger. Bugfix on 0.2.0.16-alpha.
- Fix the implementation of ClientDNSRejectInternalAddresses so that it
actually works, and doesn't warn about every single reverse lookup.
- Fixes the other part of bug 617. Bugfix on 0.2.0.1-alpha.
+ Fixes the other part of bug 617. Bugfix on 0.2.0.1-alpha.
o Minor features:
- Only log guard node status when guard node status has changed.
@@ -3561,7 +6944,7 @@ Changes in version 0.2.0.19-alpha - 2008-02-09
bandwidthburst values.
o Minor features (controller):
- - Reject controller commands over 1MB in length. This keeps rogue
+ - Reject controller commands over 1MB in length. This keeps rogue
processes from running us out of memory.
o Minor features (misc):
@@ -3605,7 +6988,7 @@ Changes in version 0.2.0.19-alpha - 2008-02-09
- Fix shell error when warning about missing packages in configure
script, on Fedora or Red Hat machines. Bugfix on 0.2.0.x.
- Do not become confused when receiving a spurious VERSIONS-like
- cell from a confused v1 client. Bugfix on 0.2.0.x.
+ cell from a confused v1 client. Bugfix on 0.2.0.x.
- Re-fetch v2 (as well as v0) rendezvous descriptors when all
introduction points for a hidden service have failed. Patch from
Karsten Loesing. Bugfix on 0.2.0.x.
@@ -3893,8 +7276,8 @@ Changes in version 0.2.0.14-alpha - 2007-12-23
- Make PublishServerDescriptor default to 1, so the default doesn't
have to change as we invent new directory protocol versions.
- Fix test for rlim_t on OSX 10.3: sys/resource.h doesn't want to
- be included unless sys/time.h is already included. Fixes
- bug 553. Bugfix on 0.2.0.x.
+ be included unless sys/time.h is already included. Fixes
+ bug 553. Bugfix on 0.2.0.x.
- If we receive a general-purpose descriptor and then receive an
identical bridge-purpose descriptor soon after, don't discard
the next one as a duplicate.
@@ -4001,7 +7384,7 @@ Changes in version 0.2.0.13-alpha - 2007-12-21
in really weird results on platforms whose sys/types.h files define
nonstandard integer types. Bugfix on 0.1.2.x.
- Fix compilation with --disable-threads set. Bugfix on 0.2.0.x.
- - Don't crash on name lookup when we have no current consensus. Fixes
+ - Don't crash on name lookup when we have no current consensus. Fixes
bug 538; bugfix on 0.2.0.x.
- Only Tors that want to mirror the v2 directory info should
create the "cached-status" directory in their datadir. (All Tors
@@ -4185,7 +7568,7 @@ Changes in version 0.2.0.10-alpha - 2007-11-10
- Use "If-Modified-Since" to avoid retrieving consensus
networkstatuses that we already have.
- When we have no consensus, check FallbackNetworkstatusFile (defaults
- to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
+ to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
we start knowing some directory caches.
- When we receive a consensus from the future, warn about skew.
- Improve skew reporting: try to give the user a better log message
@@ -4195,7 +7578,7 @@ Changes in version 0.2.0.10-alpha - 2007-11-10
- New --quiet command-line option to suppress the default console log.
Good in combination with --hash-password.
- Authorities send back an X-Descriptor-Not-New header in response to
- an accepted-but-discarded descriptor upload. Partially implements
+ an accepted-but-discarded descriptor upload. Partially implements
fix for bug 535.
- Make the log message for "tls error. breaking." more useful.
- Better log messages about certificate downloads, to attempt to
@@ -4232,15 +7615,15 @@ Changes in version 0.2.0.10-alpha - 2007-11-10
on 0.2.0.1-alpha.
- Stop leaking memory every time we load a v3 certificate. Bugfix
on 0.2.0.1-alpha. Fixes bug 536.
- - Stop leaking a cached networkstatus on exit. Bugfix on
+ - Stop leaking a cached networkstatus on exit. Bugfix on
0.2.0.3-alpha.
- Stop leaking voter information every time we free a consensus.
Bugfix on 0.2.0.3-alpha.
- Stop leaking signed data every time we check a voter signature.
Bugfix on 0.2.0.3-alpha.
- Stop leaking a signature every time we fail to parse a consensus or
- a vote. Bugfix on 0.2.0.3-alpha.
- - Stop leaking v2_download_status_map on shutdown. Bugfix on
+ a vote. Bugfix on 0.2.0.3-alpha.
+ - Stop leaking v2_download_status_map on shutdown. Bugfix on
0.2.0.9-alpha.
- Stop leaking conn->nickname every time we make a connection to a
Tor relay without knowing its expected identity digest (e.g. when
@@ -4371,7 +7754,7 @@ Changes in version 0.2.0.9-alpha - 2007-10-24
- Reattempt certificate downloads immediately on failure, as long as
we haven't failed a threshold number of times yet.
- Delay retrying consensus downloads while we're downloading
- certificates to verify the one we just got. Also, count getting a
+ certificates to verify the one we just got. Also, count getting a
consensus that we already have (or one that isn't valid) as a failure,
and count failing to get the certificates after 20 minutes as a
failure.
@@ -4463,13 +7846,13 @@ Changes in version 0.2.0.9-alpha - 2007-10-24
yet. Bug found by spending four hours without a v3 consensus. Bugfix
on 0.1.2.x.
- Detect the reason for failing to mmap a descriptor file we just
- wrote, and give a more useful log message. Fixes bug 533. Bugfix
+ wrote, and give a more useful log message. Fixes bug 533. Bugfix
on 0.1.2.x.
o Code simplifications and refactoring:
- Remove support for the old bw_accounting file: we've been storing
bandwidth accounting information in the state file since
- 0.1.2.5-alpha. This may result in bandwidth accounting errors
+ 0.1.2.5-alpha. This may result in bandwidth accounting errors
if you try to upgrade from 0.1.1.x or earlier, or if you try to
downgrade to 0.1.1.x or earlier.
- New convenience code to locate a file within the DataDirectory.
@@ -4509,9 +7892,9 @@ Changes in version 0.2.0.8-alpha - 2007-10-12
- When a v3 authority is missing votes or signatures, it now tries
to fetch them.
- Directory authorities track weighted fractional uptime as well as
- weighted mean-time-between failures. WFU is suitable for deciding
+ weighted mean-time-between failures. WFU is suitable for deciding
whether a node is "usually up", while MTBF is suitable for deciding
- whether a node is "likely to stay up." We need both, because
+ whether a node is "likely to stay up." We need both, because
"usually up" is a good requirement for guards, while "likely to
stay up" is a good requirement for long-lived connections.
@@ -4932,7 +8315,7 @@ Changes in version 0.2.0.5-alpha - 2007-08-19
- If we require CookieAuthentication, stop generating a new cookie
every time we change any piece of our config.
- When loading bandwidth history, do not believe any information in
- the future. Fixes bug 434.
+ the future. Fixes bug 434.
- When loading entry guard information, do not believe any information
in the future.
- When we have our clock set far in the future and generate an
@@ -5237,7 +8620,7 @@ Changes in version 0.2.0.1-alpha - 2007-06-01
- Change the way that Tor buffers data that it is waiting to write.
Instead of queueing data cells in an enormous ring buffer for each
client->OR or OR->OR connection, we now queue cells on a separate
- queue for each circuit. This lets us use less slack memory, and
+ queue for each circuit. This lets us use less slack memory, and
will eventually let us be smarter about prioritizing different kinds
of traffic.
- Use memory pools to allocate cells with better speed and memory
@@ -5297,7 +8680,7 @@ Changes in version 0.2.0.1-alpha - 2007-06-01
authorities should set. This will let future authorities choose
not to serve V2 directory information.
- Directory authorities allow multiple router descriptors and/or extra
- info documents to be uploaded in a single go. This will make
+ info documents to be uploaded in a single go. This will make
implementing proposal 104 simpler.
o Minor features (controller):
@@ -5314,15 +8697,15 @@ Changes in version 0.2.0.1-alpha - 2007-06-01
o Minor features (hidden services):
- Allow multiple HiddenServicePort directives with the same virtual
port; when they occur, the user is sent round-robin to one
- of the target ports chosen at random. Partially fixes bug 393 by
+ of the target ports chosen at random. Partially fixes bug 393 by
adding limited ad-hoc round-robining.
o Minor features (other):
- More unit tests.
- Add a new AutomapHostsOnResolve option: when it is enabled, any
resolve request for hosts matching a given pattern causes Tor to
- generate an internal virtual address mapping for that host. This
- allows DNSPort to work sensibly with hidden service users. By
+ generate an internal virtual address mapping for that host. This
+ allows DNSPort to work sensibly with hidden service users. By
default, .exit and .onion addresses are remapped; the list of
patterns can be reconfigured with AutomapHostsSuffixes.
- Add an "-F" option to tor-resolve to force a resolve for a .onion
@@ -5336,7 +8719,7 @@ Changes in version 0.2.0.1-alpha - 2007-06-01
o Removed features:
- Removed support for the old binary "version 0" controller protocol.
This has been deprecated since 0.1.1, and warnings have been issued
- since 0.1.2. When we encounter a v0 control message, we now send
+ since 0.1.2. When we encounter a v0 control message, we now send
back an error and close the connection.
- Remove the old "dns worker" server DNS code: it hasn't been default
since 0.1.2.2-alpha, and all the servers seem to be using the new
@@ -5359,7 +8742,7 @@ Changes in version 0.2.0.1-alpha - 2007-06-01
o Minor bugfixes (logging):
- When we hit an EOF on a log (probably because we're shutting down),
don't try to remove the log from the list: just mark it as
- unusable. (Bulletproofs against bug 222.)
+ unusable. (Bulletproofs against bug 222.)
o Minor bugfixes (other):
- In the exitlist script, only consider the most recently published
@@ -5369,7 +8752,7 @@ Changes in version 0.2.0.1-alpha - 2007-06-01
connections to that address. (Resolves bug 405.)
- Stop allowing hibernating servers to be "stable" or "fast".
- On Windows, we were preventing other processes from reading
- cached-routers while Tor was running. (Reported by janbar)
+ cached-routers while Tor was running. (Reported by janbar)
- Make the NodeFamilies config option work. (Reported by
lodger -- it has never actually worked, even though we added it
in Oct 2004.)
@@ -5542,10 +8925,10 @@ Changes in version 0.1.2.9-rc - 2007-03-02
o Minor bugfixes (other):
- Fix an assert that could trigger if a controller quickly set then
- cleared EntryNodes. (Bug found by Udo van den Heuvel.)
+ cleared EntryNodes. Bug found by Udo van den Heuvel.
- On architectures where sizeof(int)>4, still clamp declarable bandwidth
to INT32_MAX.
- - Fix a potential race condition in the rpm installer. Found by
+ - Fix a potential race condition in the rpm installer. Found by
Stefan Nordhausen.
- Try to fix eventdns warnings once and for all: do not treat a dns rcode
of 2 as indicating that the server is completely bad; it sometimes
@@ -5578,8 +8961,8 @@ Changes in version 0.1.2.8-beta - 2007-02-26
o Minor bugfixes (controller):
- Give the controller END_STREAM_REASON_DESTROY events _before_ we
clear the corresponding on_circuit variable, and remember later
- that we don't need to send a redundant CLOSED event. (Resolves part
- 3 of bug 367.)
+ that we don't need to send a redundant CLOSED event. Resolves part
+ 3 of bug 367.
- Report events where a resolve succeeded or where we got a socks
protocol error correctly, rather than calling both of them
"INTERNAL".
@@ -5613,7 +8996,7 @@ Changes in version 0.1.2.8-beta - 2007-02-26
tor_munmap() for systems with no mmap() call.
- When Tor receives a router descriptor that it asked for, but
no longer wants (because it has received fresh networkstatuses
- in the meantime), do not warn the user. Cache the descriptor if
+ in the meantime), do not warn the user. Cache the descriptor if
we're a cache; drop it if we aren't.
- Make earlier entry guards _really_ get retried when the network
comes back online.
@@ -5624,7 +9007,7 @@ Changes in version 0.1.2.8-beta - 2007-02-26
o Minor features (controller):
- Warn the user when an application uses the obsolete binary v0
- control protocol. We're planning to remove support for it during
+ control protocol. We're planning to remove support for it during
the next development series, so it's good to give people some
advance warning.
- Add STREAM_BW events to report per-entry-stream bandwidth
@@ -5644,7 +9027,7 @@ Changes in version 0.1.2.8-beta - 2007-02-26
(This is showing up in some profiles, but not others.)
o Minor features:
- - Remove some never-implemented options. Mark PathlenCoinWeight as
+ - Remove some never-implemented options. Mark PathlenCoinWeight as
obsolete.
- Implement proposal 106: Stop requiring clients to have well-formed
certificates; stop checking nicknames in certificates. (Clients
@@ -5685,10 +9068,10 @@ Changes in version 0.1.2.7-alpha - 2007-02-06
o Major bugfixes (NT services):
- Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
command-line flag so that admins can override the default by saying
- "tor --service install --user "SomeUser"". This will not affect
- existing installed services. Also, warn the user that the service
+ "tor --service install --user "SomeUser"". This will not affect
+ existing installed services. Also, warn the user that the service
will look for its configuration file in the service user's
- %appdata% directory. (We can't do the 'hardwire the user's appdata
+ %appdata% directory. (We can't do the 'hardwire the user's appdata
directory' trick any more, since we may not have read access to that
directory.)
@@ -5735,7 +9118,7 @@ Changes in version 0.1.2.7-alpha - 2007-02-06
"DNS resolve socks failed" handshake reply; just close it.
- Stop using C functions that OpenBSD's linker doesn't like.
- Don't launch requests for descriptors unless we have networkstatuses
- from at least half of the authorities. This delays the first
+ from at least half of the authorities. This delays the first
download slightly under pathological circumstances, but can prevent
us from downloading a bunch of descriptors we don't need.
- Do not log IPs with TLS failures for incoming TLS
@@ -6113,7 +9496,7 @@ Changes in version 0.1.2.3-alpha - 2006-10-29
o Minor features, controller:
- Add a REASON field to CIRC events; for backward compatibility, this
field is sent only to controllers that have enabled the extended
- event format. Also, add additional reason codes to explain why
+ event format. Also, add additional reason codes to explain why
a given circuit has been destroyed or truncated. (Patches from
Mike Perry)
- Add a REMOTE_REASON field to extended CIRC events to tell the
@@ -6142,14 +9525,14 @@ Changes in version 0.1.2.3-alpha - 2006-10-29
- When the controller does a "GETINFO network-status", tell it
about even those routers whose descriptors are very old, and use
long nicknames where appropriate.
- - Change NT service functions to be loaded on demand. This lets us
+ - Change NT service functions to be loaded on demand. This lets us
build with MinGW without breaking Tor for Windows 98 users.
- Do DirPort reachability tests less often, since a single test
chews through many circuits before giving up.
- In the hidden service example in torrc.sample, stop recommending
esoteric and discouraged hidden service options.
- When stopping an NT service, wait up to 10 sec for it to actually
- stop. (Patch from Matt Edman; resolves bug 295.)
+ stop. Patch from Matt Edman; resolves bug 295.
- Fix handling of verbose nicknames with ORCONN controller events:
make them show up exactly when requested, rather than exactly when
not requested.
@@ -6805,7 +10188,7 @@ Changes in version 0.1.1.15-rc - 2006-03-11
- Add a new circuit purpose 'controller' to let the controller ask
for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT
controller command to let you specify the purpose if you're
- starting a new circuit. Add a new SETCIRCUITPURPOSE controller
+ starting a new circuit. Add a new SETCIRCUITPURPOSE controller
command to let you change a circuit's purpose after it's been
created.
- Accept "private:*" in routerdesc exit policies; not generated yet
@@ -6849,7 +10232,7 @@ Changes in version 0.1.1.14-alpha - 2006-02-20
be forward-compatible.
- Generate 18.0.0.0/8 address policy format in descs when we can;
warn when the mask is not reducible to a bit-prefix.
- - Let the user set ControlListenAddress in the torrc. This can be
+ - Let the user set ControlListenAddress in the torrc. This can be
dangerous, but there are some cases (like a secured LAN) where it
makes sense.
- Split ReachableAddresses into ReachableDirAddresses and
@@ -7308,7 +10691,7 @@ Changes in version 0.1.1.9-alpha - 2005-11-15
- Start making directory caches retain old routerinfos, so soon
clients can start asking by digest of descriptor rather than by
fingerprint of server.
- - Add half our entropy from RAND_poll in OpenSSL. This knows how
+ - Add half our entropy from RAND_poll in OpenSSL. This knows how
to use egd (if present), openbsd weirdness (if present), vms/os2
weirdness (if we ever port there), and more in the future.
@@ -8154,7 +11537,7 @@ Changes in version 0.1.0.1-rc - 2005-03-28
o Robustness/stability fixes:
- Make Tor use Niels Provos's libevent instead of its current
- poll-but-sometimes-select mess. This will let us use faster async
+ poll-but-sometimes-select mess. This will let us use faster async
cores (like epoll, kpoll, and /dev/poll), and hopefully work better
on Windows too.
- pthread support now too. This was forced because when we forked,
@@ -8272,7 +11655,7 @@ Changes in version 0.1.0.1-rc - 2005-03-28
Changes in version 0.0.9.6 - 2005-03-24
o Bugfixes on 0.0.9.x (crashes and asserts):
- Add new end stream reasons to maintainance branch. Fix bug where
- reason (8) could trigger an assert. Prevent bug from recurring.
+ reason (8) could trigger an assert. Prevent bug from recurring.
- Apparently win32 stat wants paths to not end with a slash.
- Fix assert triggers in assert_cpath_layer_ok(), where we were
blowing away the circuit that conn->cpath_layer points to, then
@@ -8495,7 +11878,7 @@ Changes in version 0.0.9rc5 - 2004-12-01
but doesn't seem to be currently; thanks to Ilja van Sprundel for
finding it.
- If anybody set DirFetchPostPeriod, give them StatusFetchPeriod
- instead. Impose minima and maxima for all *Period options; impose
+ instead. Impose minima and maxima for all *Period options; impose
even tighter maxima for fetching if we are a caching dirserver.
Clip rather than rejecting.
- Fetch cached running-routers from servers that serve it (that is,
@@ -9476,7 +12859,7 @@ Changes in version 0.0.2pre20 - 2004-01-30
- I've split the TotalBandwidth option into BandwidthRate (how many
bytes per second you want to allow, long-term) and
BandwidthBurst (how many bytes you will allow at once before the cap
- kicks in). This better token bucket approach lets you, say, set
+ kicks in). This better token bucket approach lets you, say, set
BandwidthRate to 10KB/s and BandwidthBurst to 10MB, allowing good
performance while not exceeding your monthly bandwidth quota.
- Push out a tls record's worth of data once you've got it, rather