Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 1117
1 files changed, 1113 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 80f7785a81..f3891a74a9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,1088 @@
+Changes in version 0.2.9.1-alpha - 2016-??-??
+
+
+Changes in version 0.2.8.2-alpha - 2016-03-28
+ Tor 0.2.8.2-alpha is the second alpha in its series. It fixes numerous
+ bugs in earlier versions of Tor, including some that prevented
+ authorities using Tor 0.2.7.x from running correctly. IPv6 and
+ directory support should also be much improved.
+
+ o New system requirements:
+ - Tor no longer supports versions of OpenSSL with a broken
+ implementation of counter mode. (This bug was present in OpenSSL
+ 1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no
+ longer runs with, these versions.
+ - Tor no longer attempts to support platforms where the "time_t"
+ type is unsigned. (To the best of our knowledge, only OpenVMS does
+ this, and Tor has never actually built on OpenVMS.) Closes
+ ticket 18184.
+ - Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or
+ later (released in 2008 and 2009 respectively). If you are
+ building Tor from the git repository instead of from the source
+ distribution, and your tools are older than this, you will need to
+ upgrade. Closes ticket 17732.
+
+ o Major bugfixes (security, pointers):
+ - Avoid a difficult-to-trigger heap corruption attack when extending
+ a smartlist to contain over 16GB of pointers. Fixes bug 18162;
+ bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
+ Reported by Guido Vranken.
+
+ o Major bugfixes (bridges, pluggable transports):
+ - Modify the check for OR connections to private addresses. Allow
+ bridges on private addresses, including pluggable transports that
+ ignore the (potentially private) address in the bridge line. Fixes
+ bug 18517; bugfix on 0.2.8.1-alpha. Reported by gk, patch by teor.
+
+ o Major bugfixes (compilation):
+ - Repair hardened builds under the clang compiler. Previously, our
+ use of _FORTIFY_SOURCE would conflict with clang's address
+ sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha.
+
+ o Major bugfixes (crash on shutdown):
+ - Correctly handle detaching circuits from muxes when shutting down.
+ Fixes bug 18116; bugfix on 0.2.8.1-alpha.
+ - Fix an assert-on-exit bug related to counting memory usage in
+ rephist.c. Fixes bug 18651; bugfix on 0.2.8.1-alpha.
+
+ o Major bugfixes (crash on startup):
+ - Fix a segfault during startup: If a Unix domain socket was
+ configured as listener (such as a ControlSocket or a SocksPort
+ "unix:" socket), and tor was started as root but not configured to
+ switch to another user, tor would segfault while trying to string
+ compare a NULL value. Fixes bug 18261; bugfix on 0.2.8.1-alpha.
+ Patch by weasel.
+
+ o Major bugfixes (dns proxy mode, crash):
+ - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
+ bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
+
+ o Major bugfixes (relays, bridge clients):
+ - Ensure relays always allow IPv4 OR and Dir connections. Ensure
+ bridge clients use the address configured in the bridge line.
+ Fixes bug 18348; bugfix on 0.2.8.1-alpha. Reported by sysrqb,
+ patch by teor.
+
+ o Major bugfixes (voting):
+ - Actually enable support for authorities to match routers by their
+ Ed25519 identities. Previously, the code had been written, but
+ some debugging code that had accidentally been left in the
+ codebase made it stay turned off. Fixes bug 17702; bugfix
+ on 0.2.7.2-alpha.
+ - When collating votes by Ed25519 identities, authorities now
+ include a "NoEdConsensus" flag if the ed25519 value (or lack
+ thereof) for a server does not reflect the majority consensus.
+ Related to bug 17668; bugfix on 0.2.7.2-alpha.
+ - When generating a vote with keypinning disabled, never include two
+ entries for the same ed25519 identity. This bug was causing
+ authorities to generate votes that they could not parse when a
+ router violated key pinning by changing its RSA identity but
+ keeping its Ed25519 identity. Fixes bug 17668; fixes part of bug
+ 18318. Bugfix on 0.2.7.2-alpha.
+
+ o Minor features (security, win32):
+ - Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing
+ attack. Fixes bug 18123; bugfix on all tor versions. Patch
+ by teor.
+
+ o Minor features (bug-resistance):
+ - Make Tor survive errors involving connections without a
+ corresponding event object. Previously we'd fail with an
+ assertion; now we produce a log message. Related to bug 16248.
+
+ o Minor features (build):
+ - Detect systems with FreeBSD-derived kernels (such as GNU/kFreeBSD)
+ as having possible IPFW support. Closes ticket 18448. Patch from
+ Steven Chamberlain.
+
+ o Minor features (code hardening):
+ - Use tor_snprintf() and tor_vsnprintf() even in external and low-
+ level code, to harden against accidental failures to NUL-
+ terminate. Part of ticket 17852. Patch from jsturgix. Found
+ with Flawfinder.
+
+ o Minor features (crypto):
+ - Validate the hard-coded Diffie-Hellman parameters and ensure that
+ p is a safe prime, and g is a suitable generator. Closes
+ ticket 18221.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (hidden service directory):
+ - Streamline relay-side hsdir handling: when relays consider whether
+ to accept an uploaded hidden service descriptor, they no longer
+ check whether they are one of the relays in the network that is
+ "supposed" to handle that descriptor. Implements ticket 18332.
+
+ o Minor features (IPv6):
+ - Add ClientPreferIPv6DirPort, which is set to 0 by default. If set
+ to 1, tor prefers IPv6 directory addresses.
+ - Add ClientUseIPv4, which is set to 1 by default. If set to 0, tor
+ avoids using IPv4 for client OR and directory connections.
+ - Try harder to obey the IP version restrictions "ClientUseIPv4 0",
+ "ClientUseIPv6 0", "ClientPreferIPv6ORPort", and
+ "ClientPreferIPv6DirPort". Closes ticket 17840; patch by teor.
+
+ o Minor features (linux seccomp2 sandbox):
+ - Reject attempts to change our Address with "Sandbox 1" enabled.
+ Changing Address with Sandbox turned on would never actually work,
+ but previously it would fail in strange and confusing ways. Found
+ while fixing 18548.
+
+ o Minor features (robustness):
+ - Exit immediately with an error message if the code attempts to use
+ Libevent without having initialized it. This should resolve some
+ frequently-made mistakes in our unit tests. Closes ticket 18241.
+
+ o Minor features (unix domain sockets):
+ - Add a new per-socket option, RelaxDirModeCheck, to allow creating
+ Unix domain sockets without checking the permissions on the parent
+ directory. (Tor checks permissions by default because some
+ operating systems only check permissions on the parent directory.
+ However, some operating systems do look at permissions on the
+ socket, and tor's default check is unneeded.) Closes ticket 18458.
+ Patch by weasel.
+
+ o Minor bugfixes (exit policies, security):
+ - Refresh an exit relay's exit policy when interface addresses
+ change. Previously, tor only refreshed the exit policy when the
+ configured external address changed. Fixes bug 18208; bugfix on
+ 0.2.7.3-rc. Patch by teor.
+
+ o Minor bugfixes (security, hidden services):
+ - Prevent hidden services connecting to client-supplied rendezvous
+ addresses that are reserved as internal or multicast. Fixes bug
+ 8976; bugfix on 0.2.3.21-rc. Patch by dgoulet and teor.
+
+ o Minor bugfixes (build):
+ - Do not link the unit tests against both the testing and non-
+ testing versions of the static libraries. Fixes bug 18490; bugfix
+ on 0.2.7.1-alpha.
+ - Avoid spurious failures from configure files related to calling
+ exit(0) in TOR_SEARCH_LIBRARY. Fixes bug 18625; bugfix on
+ 0.2.0.1-alpha. Patch from "cypherpunks".
+ - Silence spurious clang-scan warnings in the ed25519_donna code by
+ explicitly initializing some objects. Fixes bug 18384; bugfix on
+ 0.2.7.2-alpha. Patch by teor.
+
+ o Minor bugfixes (client, bootstrap):
+ - Count receipt of new microdescriptors as progress towards
+ bootstrapping. Previously, with EntryNodes set, Tor might not
+ successfully repopulate the guard set on bootstrapping. Fixes bug
+ 16825; bugfix on 0.2.3.1-alpha.
+
+ o Minor bugfixes (code correctness):
+ - Update to the latest version of Trunnel, which tries harder to
+ avoid generating code that can invoke memcpy(p,NULL,0). Bug found
+ by clang address sanitizer. Fixes bug 18373; bugfix
+ on 0.2.7.2-alpha.
+
+ o Minor bugfixes (configuration):
+ - Fix a tiny memory leak when parsing a port configuration ending in
+ ":auto". Fixes bug 18374; bugfix on 0.2.3.3-alpha.
+
+ o Minor bugfixes (containers):
+ - If we somehow attempt to construct a heap with more than
+ 1073741822 elements, avoid an integer overflow when maintaining
+ the heap property. Fixes bug 18296; bugfix on 0.1.2.1-alpha.
+
+ o Minor bugfixes (correctness):
+ - Fix a bad memory handling bug that would occur if we had queued a
+ cell on a channel's incoming queue. Fortunately, we can't actually
+ queue a cell like that as our code is constructed today, but it's
+ best to avoid this kind of error, even if there isn't any code
+ that triggers it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha.
+
+ o Minor bugfixes (directory):
+ - When generating a URL for a directory server on an IPv6 address,
+ wrap the IPv6 address in square brackets. Fixes bug 18051; bugfix
+ on 0.2.3.9-alpha. Patch from Malek.
+
+ o Minor bugfixes (fallback directory mirrors):
+ - When requesting extrainfo descriptors from a trusted directory
+ server, check whether it is an authority or a fallback directory
+ which supports extrainfo descriptors. Fixes bug 18489; bugfix on
+ 0.2.4.7-alpha. Reported by atagar, patch by teor.
+
+ o Minor bugfixes (hidden service, client):
+ - Handle the case where the user makes several fast consecutive
+ requests to the same .onion address. Previously, the first six
+ requests would each trigger a descriptor fetch, each picking a
+ directory (there are 6 overall) and the seventh one would fail
+ because no directories were left, thereby triggering a close on
+ all current directory connections asking for the hidden service.
+ The solution here is to not close the connections if we have
+ pending directory fetches. Fixes bug 15937; bugfix
+ on 0.2.7.1-alpha.
+
+ o Minor bugfixes (hidden service, control port):
+ - Add the onion address to the HS_DESC event for the UPLOADED action
+ both on success or failure. It was previously hardcoded with
+ UNKNOWN. Fixes bug 16023; bugfix on 0.2.7.2-alpha.
+
+ o Minor bugfixes (hidden service, directory):
+ - Bridges now refuse "rendezvous2" (hidden service descriptor)
+ publish attempts. Suggested by ticket 18332.
+
+ o Minor bugfixes (linux seccomp2 sandbox):
+ - Allow the setrlimit syscall, and the prlimit and prlimit64
+ syscalls, which some libc implementations use under the hood.
+ Fixes bug 15221; bugfix on 0.2.5.1-alpha.
+ - Avoid a 10-second delay when starting as a client with "Sandbox 1"
+ enabled and no DNS resolvers configured. This should help TAILS
+ start up faster. Fixes bug 18548; bugfix on 0.2.5.1-alpha.
+ - Fix the sandbox's interoperability with unix domain sockets under
+ setuid. Fixes bug 18253; bugfix on 0.2.8.1-alpha.
+
+ o Minor bugfixes (logging):
+ - When logging information about an unparsable networkstatus vote or
+ consensus, do not say "vote" when we mean consensus. Fixes bug
+ 18368; bugfix on 0.2.0.8-alpha.
+ - Scrub service name in "unrecognized service ID" log messages.
+ Fixes bug 18600; bugfix on 0.2.4.11-alpha.
+ - Downgrade logs and backtraces about IP versions to info-level.
+ Only log backtraces once each time tor runs. Assists in diagnosing
+ bug 18351; bugfix on 0.2.8.1-alpha. Reported by sysrqb and
+ Christian, patch by teor.
+
+ o Minor bugfixes (memory safety):
+ - Avoid freeing an uninitialized pointer when opening a socket fails
+ in get_interface_addresses_ioctl(). Fixes bug 18454; bugfix on
+ 0.2.3.11-alpha. Reported by toralf and "cypherpunks", patch
+ by teor.
+ - Correctly duplicate addresses in get_interface_address6_list().
+ Fixes bug 18454; bugfix on 0.2.8.1-alpha. Reported by toralf,
+ patch by "cypherpunks".
+ - Fix a memory leak in tor-gencert. Fixes part of bug 18672; bugfix
+ on 0.2.0.1-alpha.
+ - Fix a memory leak in "tor --list-fingerprint". Fixes part of bug
+ 18672; bugfix on 0.2.5.1-alpha.
+
+ o Minor bugfixes (private directory):
+ - Prevent a race condition when creating private directories. Fixes
+ part of bug 17852; bugfix on 0.0.2pre13. Part of ticket 17852.
+ Patch from jsturgix. Found with Flawfinder.
+
+ o Minor bugfixes (test networks, IPv6):
+ - Allow internal IPv6 addresses in descriptors in test networks.
+ Fixes bug 17153; bugfix on 0.2.3.16-alpha. Patch by teor, reported
+ by karsten.
+
+ o Minor bugfixes (testing):
+ - We no longer disable assertions in the unit tests when coverage is
+ enabled. Instead, we require you to say --disable-asserts-in-tests
+ to the configure script if you need assertions disabled in the
+ unit tests (for example, if you want to perform branch coverage).
+ Fixes bug 18242; bugfix on 0.2.7.1-alpha.
+
+ o Minor bugfixes (time parsing):
+ - Avoid overflow in tor_timegm when parsing dates in and after 2038
+ on platforms with 32-bit time_t. Fixes bug 18479; bugfix on
+ 0.0.2pre14. Patch by teor.
+
+ o Minor bugfixes (tor-gencert):
+ - Correctly handle the case where an authority operator enters a
+ passphrase but sends an EOF before sending a newline. Fixes bug
+ 17443; bugfix on 0.2.0.20-rc. Found by junglefowl.
+
+ o Code simplification and refactoring:
+ - Quote all the string interpolations in configure.ac -- even those
+ which we are pretty sure can't contain spaces. Closes ticket
+ 17744. Patch from zerosion.
+ - Remove specialized code for non-inplace AES_CTR. 99% of our AES is
+ inplace, so there's no need to have a separate implementation for
+ the non-inplace code. Closes ticket 18258. Patch from Malek.
+ - Simplify return types for some crypto functions that can't
+ actually fail. Patch from Hassan Alsibyani. Closes ticket 18259.
+
+ o Documentation:
+ - Change build messages to refer to "Fedora" instead of "Fedora
+ Core", and "dnf" instead of "yum". Closes tickets 18459 and 18426.
+ Patches from "icanhasaccount" and "cypherpunks".
+
+ o Removed features:
+ - We no longer maintain an internal freelist in memarea.c.
+ Allocators should be good enough to make this code unnecessary,
+ and it's doubtful that it ever had any performance benefit.
+
+ o Testing:
+ - Fix several warnings from clang's address sanitizer produced in
+ the unit tests.
+ - Treat backtrace test failures as expected on FreeBSD until we
+ solve bug 17808. Closes ticket 18204.
+
+
+Changes in version 0.2.8.1-alpha - 2016-02-04
+ Tor 0.2.8.1-alpha is the first alpha release in its series. It
+ includes numerous small features and bugfixes against previous Tor
+ versions, and numerous small infrastructure improvements. The most
+ notable features are a set of improvements to the directory subsystem.
+
+ o Major features (security, Linux):
+ - When Tor starts as root on Linux and is told to switch user ID, it
+ can now retain the capability to bind to low ports. By default,
+ Tor will do this only when it's switching user ID and some low
+ ports have been configured. You can change this behavior with the
+ new option KeepBindCapabilities. Closes ticket 8195.
+
+ o Major features (directory system):
+ - When bootstrapping multiple consensus downloads at a time, use the
+ first one that starts downloading, and close the rest. This
+ reduces failures when authorities or fallback directories are slow
+ or down. Together with the code for feature 15775, this feature
+ should reduces failures due to fallback churn. Implements ticket
+ 4483. Patch by "teor". Implements IPv4 portions of proposal 210 by
+ "mikeperry" and "teor".
+ - Include a trial list of default fallback directories, based on an
+ opt-in survey of suitable relays. Doing this should make clients
+ bootstrap more quickly and reliably, and reduce the load on the
+ directory authorities. Closes ticket 15775. Patch by "teor".
+ Candidates identified using an OnionOO script by "weasel", "teor",
+ "gsathya", and "karsten".
+ - Previously only relays that explicitly opened a directory port
+ (DirPort) accepted directory requests from clients. Now all
+ relays, with and without a DirPort, accept and serve tunneled
+ directory requests that they receive through their ORPort. You can
+ disable this behavior using the new DirCache option. Closes
+ ticket 12538.
+
+ o Major key updates:
+ - Update the V3 identity key for the dannenberg directory authority:
+ it was changed on 18 November 2015. Closes task 17906. Patch
+ by "teor".
+
+ o Minor features (security, clock):
+ - Warn when the system clock appears to move back in time (when the
+ state file was last written in the future). Tor doesn't know that
+ consensuses have expired if the clock is in the past. Patch by
+ "teor". Implements ticket 17188.
+
+ o Minor features (security, exit policies):
+ - ExitPolicyRejectPrivate now rejects more private addresses by
+ default. Specifically, it now rejects the relay's outbound bind
+ addresses (if configured), and the relay's configured port
+ addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on
+ 0.2.0.11-alpha. Patch by "teor".
+
+ o Minor features (security, memory erasure):
+ - Set the unused entries in a smartlist to NULL. This helped catch
+ a (harmless) bug, and shouldn't affect performance too much.
+ Implements ticket 17026.
+ - Use SecureMemoryWipe() function to securely clean memory on
+ Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function.
+ Implements feature 17986.
+ - Use explicit_bzero or memset_s when present. Previously, we'd use
+ OpenSSL's OPENSSL_cleanse() function. Closes ticket 7419; patches
+ from <logan@hackers.mu> and <selven@hackers.mu>.
+ - Make memwipe() do nothing when passed a NULL pointer or buffer of
+ zero size. Check size argument to memwipe() for underflow. Fixes
+ bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
+ patch by "teor".
+
+ o Minor features (security, RNG):
+ - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
+ positively are not allowed to fail. Previously we depended on
+ internal details of OpenSSL's behavior. Closes ticket 17686.
+ - Never use the system entropy output directly for anything besides
+ seeding the PRNG. When we want to generate important keys, instead
+ of using system entropy directly, we now hash it with the PRNG
+ stream. This may help resist certain attacks based on broken OS
+ entropy implementations. Closes part of ticket 17694.
+ - Use modern system calls (like getentropy() or getrandom()) to
+ generate strong entropy on platforms that have them. Closes
+ ticket 13696.
+
+ o Minor features (accounting):
+ - Added two modes to the AccountingRule option: One for limiting
+ only the number of bytes sent ("AccountingRule out"), and one for
+ limiting only the number of bytes received ("AccountingRule in").
+ Closes ticket 15989; patch from "unixninja92".
+
+ o Minor features (build):
+ - Since our build process now uses "make distcheck", we no longer
+ force "make dist" to depend on "make check". Closes ticket 17893;
+ patch from "cypherpunks."
+ - Tor now builds successfully with the recent OpenSSL 1.1
+ development branch, and with the latest LibreSSL. Closes tickets
+ 17549, 17921, and 17984.
+
+ o Minor features (controller):
+ - Adds the FallbackDir entries to 'GETINFO config/defaults'. Closes
+ tickets 16774 and 17817. Patch by George Tankersley.
+ - New 'GETINFO hs/service/desc/id/' command to retrieve a hidden
+ service descriptor from a service's local hidden service
+ descriptor cache. Closes ticket 14846.
+ - Add 'GETINFO exit-policy/reject-private/[default,relay]', so
+ controllers can examine the the reject rules added by
+ ExitPolicyRejectPrivate. This makes it easier for stem to display
+ exit policies.
+
+ o Minor features (crypto):
+ - Add SHA512 support to crypto.c. Closes ticket 17663; patch from
+ George Tankersley.
+ - Add SHA3 and SHAKE support to crypto.c. Closes ticket 17783.
+ - When allocating a digest state object, allocate no more space than
+ we actually need. Previously, we would allocate as much space as
+ the state for the largest algorithm would need. This change saves
+ up to 672 bytes per circuit. Closes ticket 17796.
+ - Improve performance when hashing non-multiple of 8 sized buffers,
+ based on Andrew Moon's public domain SipHash-2-4 implementation.
+ Fixes bug 17544; bugfix on 0.2.5.3-alpha.
+
+ o Minor features (directory downloads):
+ - Wait for busy authorities and fallback directories to become non-
+ busy when bootstrapping. (A similar change was made in 6c443e987d
+ for directory caches chosen from the consensus.) Closes ticket
+ 17864; patch by "teor".
+ - Add UseDefaultFallbackDirs, which enables any hard-coded fallback
+ directory mirrors. The default is 1; set it to 0 to disable
+ fallbacks. Implements ticket 17576. Patch by "teor".
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (IPv6):
+ - Add an argument 'ipv6=address:orport' to the DirAuthority and
+ FallbackDir torrc options, to specify an IPv6 address for an
+ authority or fallback directory. Add hard-coded ipv6 addresses for
+ directory authorities that have them. Closes ticket 17327; patch
+ from Nick Mathewson and "teor".
+ - Add address policy assume_action support for IPv6 addresses.
+ - Limit IPv6 mask bits to 128.
+ - Warn when comparing against an AF_UNSPEC address in a policy, it's
+ almost always a bug. Closes ticket 17863; patch by "teor".
+ - Allow users to configure directory authorities and fallback
+ directory servers with IPv6 addresses and ORPorts. Resolves
+ ticket 6027.
+ - routerset_parse now accepts IPv6 literal addresses. Fixes bug
+ 17060; bugfix on 0.2.1.3-alpha. Patch by "teor".
+ - Make tor_ersatz_socketpair work on IPv6-only systems. Fixes bug
+ 17638; bugfix on 0.0.2pre8. Patch by "teor".
+
+ o Minor features (logging):
+ - When logging to syslog, allow a tag to be added to the syslog
+ identity (the string prepended to every log message). The tag can
+ be configured with SyslogIdentityTag and defaults to none. Setting
+ it to "foo" will cause logs to be tagged as "Tor-foo". Closes
+ ticket 17194.
+
+ o Minor features (portability):
+ - Use timingsafe_memcmp() where available. Closes ticket 17944;
+ patch from <logan@hackers.mu>.
+
+ o Minor features (relay, address discovery):
+ - Add a family argument to get_interface_addresses_raw() and
+ subfunctions to make network interface address interogation more
+ efficient. Now Tor can specifically ask for IPv4, IPv6 or both
+ types of interfaces from the operating system. Resolves
+ ticket 17950.
+ - When get_interface_address6_list(.,AF_UNSPEC,.) is called and
+ fails to enumerate interface addresses using the platform-specific
+ API, have it rely on the UDP socket fallback technique to try and
+ find out what IP addresses (both IPv4 and IPv6) our machine has.
+ Resolves ticket 17951.
+
+ o Minor features (replay cache):
+ - The replay cache now uses SHA256 instead of SHA1. Implements
+ feature 8961. Patch by "teor", issue reported by "rransom".
+
+ o Minor features (unix file permissions):
+ - Defer creation of Unix sockets until after setuid. This avoids
+ needing CAP_CHOWN and CAP_FOWNER when using systemd's
+ CapabilityBoundingSet, or chown and fowner when using SELinux.
+ Implements part of ticket 17562. Patch from Jamie Nguyen.
+ - If any directory created by Tor is marked as group readable, the
+ filesystem group is allowed to be either the default GID or the
+ root user. Allowing root to read the DataDirectory prevents the
+ need for CAP_READ_SEARCH when using systemd's
+ CapabilityBoundingSet, or dac_read_search when using SELinux.
+ Implements part of ticket 17562. Patch from Jamie Nguyen.
+ - Introduce a new DataDirectoryGroupReadable option. If it is set to
+ 1, the DataDirectory will be made readable by the default GID.
+ Implements part of ticket 17562. Patch from Jamie Nguyen.
+
+ o Minor bugfixes (accounting):
+ - The max bandwidth when using 'AccountRule sum' is now correctly
+ logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha. Patch
+ from "unixninja92".
+
+ o Minor bugfixes (code correctness):
+ - When closing an entry connection, generate a warning if we should
+ have sent an end cell for it but we haven't. Fixes bug 17876;
+ bugfix on 0.2.3.2-alpha.
+ - Assert that allocated memory held by the reputation code is freed
+ according to its internal counters. Fixes bug 17753; bugfix
+ on 0.1.1.1-alpha.
+ - Assert when the TLS contexts fail to initialize. Fixes bug 17683;
+ bugfix on 0.0.6.
+
+ o Minor bugfixes (compilation):
+ - Mark all object files that include micro-revision.i as depending
+ on it, so as to make parallel builds more reliable. Fixes bug
+ 17826; bugfix on 0.2.5.1-alpha.
+ - Don't try to use the pthread_condattr_setclock() function unless
+ it actually exists. Fixes compilation on NetBSD-6.x. Fixes bug
+ 17819; bugfix on 0.2.6.3-alpha.
+ - Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix
+ on 0.2.5.2-alpha.
+ - Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
+ bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
+ - Fix search for libevent libraries on OpenBSD (and other systems
+ that install libevent 1 and libevent 2 in parallel). Fixes bug
+ 16651; bugfix on 0.1.0.7-rc. Patch from "rubiate".
+ - Isolate environment variables meant for tests from the rest of the
+ build system. Fixes bug 17818; bugfix on 0.2.7.3-rc.
+ - Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix
+ on 0.0.2pre8.
+ - Remove config.log only from make distclean, not from make clean.
+ Fixes bug 17924; bugfix on 0.2.4.1-alpha.
+
+ o Minor bugfixes (crypto):
+ - Check the return value of HMAC() and assert on failure. Fixes bug
+ 17658; bugfix on 0.2.3.6-alpha. Patch by "teor".
+
+ o Minor bugfixes (fallback directories):
+ - Mark fallbacks as "too busy" when they return a 503 response,
+ rather than just marking authorities. Fixes bug 17572; bugfix on
+ 0.2.4.7-alpha. Patch by "teor".
+
+ o Minor bugfixes (IPv6):
+ - Update the limits in max_dl_per_request for IPv6 address length.
+ Fixes bug 17573; bugfix on 0.2.1.5-alpha.
+
+ o Minor bugfixes (linux seccomp2 sandbox):
+ - Fix a crash when using offline master ed25519 keys with the Linux
+ seccomp2 sandbox enabled. Fixes bug 17675; bugfix on 0.2.7.3-rc.
+
+ o Minor bugfixes (logging):
+ - In log messages that include a function name, use __FUNCTION__
+ instead of __PRETTY_FUNCTION__. In GCC, these are synonymous, but
+ with clang __PRETTY_FUNCTION__ has extra information we don't
+ need. Fixes bug 16563; bugfix on 0.0.2pre8. Fix by Tom van
+ der Woerdt.
+ - Remove needless quotes from a log message about unparseable
+ addresses. Fixes bug 17843; bugfix on 0.2.3.3-alpha.
+
+ o Minor bugfixes (portability):
+ - Remove an #endif from configure.ac so that we correctly detect the
+ presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix
+ on 0.2.0.13-alpha.
+
+ o Minor bugfixes (relays):
+ - Check that both the ORPort and DirPort (if present) are reachable
+ before publishing a relay descriptor. Otherwise, relays publish a
+ descriptor with DirPort 0 when the DirPort reachability test takes
+ longer than the ORPort reachability test. Fixes bug 18050; bugfix
+ on 0.1.0.1-rc. Reported by "starlight", patch by "teor".
+
+ o Minor bugfixes (relays, hidden services):
+ - Refuse connection requests to private OR addresses unless
+ ExtendAllowPrivateAddresses is set. Previously, tor would connect,
+ then refuse to send any cells to a private address. Fixes bugs
+ 17674 and 8976; bugfix on 0.2.3.21-rc. Patch by "teor".
+
+ o Minor bugfixes (safe logging):
+ - When logging a malformed hostname received through socks4, scrub
+ it if SafeLogging says we should. Fixes bug 17419; bugfix
+ on 0.1.1.16-rc.
+
+ o Minor bugfixes (statistics code):
+ - Consistently check for overflow in round_*_to_next_multiple_of
+ functions, and add unit tests with additional and maximal values.
+ Fixes part of bug 13192; bugfix on 0.2.2.1-alpha.
+ - Handle edge cases in the laplace functions: avoid division by
+ zero, avoid taking the log of zero, and silence clang type
+ conversion warnings using round and trunc. Add unit tests for edge
+ cases with maximal values. Fixes part of bug 13192; bugfix
+ on 0.2.6.2-alpha.
+
+ o Minor bugfixes (testing):
+ - The test for log_heartbeat was incorrectly failing in timezones
+ with non-integer offsets. Instead of comparing the end of the time
+ string against a constant, compare it to the output of
+ format_local_iso_time when given the correct input. Fixes bug
+ 18039; bugfix on 0.2.5.4-alpha.
+ - Make unit tests pass on IPv6-only systems, and systems without
+ localhost addresses (like some FreeBSD jails). Fixes bug 17632;
+ bugfix on 0.2.7.3-rc. Patch by "teor".
+ - Fix a memory leak in the ntor test. Fixes bug 17778; bugfix
+ on 0.2.4.8-alpha.
+ - Check the full results of SHA256 and SHA512 digests in the unit
+ tests. Bugfix on 0.2.2.4-alpha. Patch by "teor".
+
+ o Code simplification and refactoring:
+ - Move logging of redundant policy entries in
+ policies_parse_exit_policy_internal into its own function. Closes
+ ticket 17608; patch from "juce".
+ - Extract the more complicated parts of circuit_mark_for_close()
+ into a new function that we run periodically before circuits are
+ freed. This change removes more than half of the functions
+ currently in the "blob". Closes ticket 17218.
+ - Clean up a little duplicated code in
+ crypto_expand_key_material_TAP(). Closes ticket 17587; patch
+ from "pfrankw".
+ - Decouple the list of streams waiting to be attached to circuits
+ from the overall connection list. This change makes it possible to
+ attach streams quickly while simplifying Tor's callgraph and
+ avoiding O(N) scans of the entire connection list. Closes
+ ticket 17590.
+ - When a direct directory request fails immediately on launch,
+ instead of relaunching that request from inside the code that
+ launches it, instead mark the connection for teardown. This change
+ simplifies Tor's callback and prevents the directory-request
+ launching code from invoking itself recursively. Closes
+ ticket 17589
+ - Remove code for configuring OpenSSL dynamic locks; OpenSSL doesn't
+ use them. Closes ticket 17926.
+
+ o Documentation:
+ - Add a description of the correct use of the '--keygen' command-
+ line option. Closes ticket 17583; based on text by 's7r'.
+ - Document the minimum HeartbeatPeriod value. Closes ticket 15638.
+ - Explain actual minima for BandwidthRate. Closes ticket 16382.
+ - Fix a minor formatting typo in the manpage. Closes ticket 17791.
+ - Mention torspec URL in the manpage and point the reader to it
+ whenever we mention a document that belongs in torspce. Fixes
+ issue 17392.
+
+ o Removed features:
+ - Remove client-side support for connecting to Tor relays running
+ versions of Tor before 0.2.3.6-alpha. These relays didn't support
+ the v3 TLS handshake protocol, and are no longer allowed on the
+ Tor network. Implements the client side of ticket 11150. Based on
+ patches by Tom van der Woerdt.
+
+ o Testing:
+ - Add unit tests to check for common RNG failure modes, such as
+ returning all zeroes, identical values, or incrementing values
+ (OpenSSL's rand_predictable feature). Patch by "teor".
+ - Log more information when the backtrace tests fail. Closes ticket
+ 17892. Patch from "cypherpunks."
+ - Always test both ed25519 backends, so that we can be sure that our
+ batch-open replacement code works. Part of ticket 16794.
+ - Cover dns_resolve_impl() in dns.c with unit tests. Implements a
+ portion of ticket 16831.
+ - More unit tests for compat_libevent.c, procmon.c, tortls.c,
+ util_format.c, directory.c, and options_validate.c. Closes tickets
+ 17075, 17082, 17084, 17003, and 17076 respectively. Patches from
+ Ola Bini.
+ - Unit tests for directory_handle_command_get. Closes ticket 17004.
+ Patch from Reinaldo de Souza Jr.
+
+
+Changes in version 0.2.7.6 - 2015-12-10
+ Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
+ well as a minor bug in hidden service reliability.
+
+ o Major bugfixes (guard selection):
+ - Actually look at the Guard flag when selecting a new directory
+ guard. When we implemented the directory guard design, we
+ accidentally started treating all relays as if they have the Guard
+ flag during guard selection, leading to weaker anonymity and worse
+ performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
+ by Mohsen Imani.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (compilation):
+ - When checking for net/pfvar.h, include netinet/in.h if possible.
+ This fixes transparent proxy detection on OpenBSD. Fixes bug
+ 17551; bugfix on 0.1.2.1-alpha. Patch from "rubiate".
+ - Fix a compilation warning with Clang 3.6: Do not check the
+ presence of an address which can never be NULL. Fixes bug 17781.
+
+ o Minor bugfixes (correctness):
+ - When displaying an IPv6 exit policy, include the mask bits
+ correctly even when the number is greater than 31. Fixes bug
+ 16056; bugfix on 0.2.4.7-alpha. Patch from "gturner".
+ - The wrong list was used when looking up expired intro points in a
+ rend service object, causing what we think could be reachability
+ issues for hidden services, and triggering a BUG log. Fixes bug
+ 16702; bugfix on 0.2.7.2-alpha.
+ - Fix undefined behavior in the tor_cert_checksig function. Fixes
+ bug 17722; bugfix on 0.2.7.2-alpha.
+
+
+Changes in version 0.2.7.5 - 2015-11-20
+ The Tor 0.2.7 release series is dedicated to the memory of Tor user
+ and privacy advocate Caspar Bowden (1961-2015). Caspar worked
+ tirelessly to advocate human rights regardless of national borders,
+ and oppose the encroachments of mass surveillance. He opposed national
+ exceptionalism, he brought clarity to legal and policy debates, he
+ understood and predicted the impact of mass surveillance on the world,
+ and he laid the groundwork for resisting it. While serving on the Tor
+ Project's board of directors, he brought us his uncompromising focus
+ on technical excellence in the service of humankind. Caspar was an
+ inimitable force for good and a wonderful friend. He was kind,
+ humorous, generous, gallant, and believed we should protect one
+ another without exception. We honor him here for his ideals, his
+ efforts, and his accomplishments. Please honor his memory with works
+ that would make him proud.
+
+ Tor 0.2.7.5 is the first stable release in the Tor 0.2.7 series.
+
+ The 0.2.7 series adds a more secure identity key type for relays,
+ improves cryptography performance, resolves several longstanding
+ hidden-service performance issues, improves controller support for
+ hidden services, and includes small bugfixes and performance
+ improvements throughout the program. This release series also includes
+ more tests than before, and significant simplifications to which parts
+ of Tor invoke which others.
+
+ (This release contains no code changes since 0.2.7.4-rc.)
+
+
+Changes in version 0.2.7.4-rc - 2015-10-21
+ Tor 0.2.7.4-rc is the second release candidate in the 0.2.7 series. It
+ fixes some important memory leaks, and a scary-looking (but mostly
+ harmless in practice) invalid-read bug. It also has a few small
+ bugfixes, notably fixes for compilation and portability on different
+ platforms. If no further significant bounds are found, the next
+ release will the the official stable release.
+
+ o Major bugfixes (security, correctness):
+ - Fix an error that could cause us to read 4 bytes before the
+ beginning of an openssl string. This bug could be used to cause
+ Tor to crash on systems with unusual malloc implementations, or
+ systems with unusual hardening installed. Fixes bug 17404; bugfix
+ on 0.2.3.6-alpha.
+
+ o Major bugfixes (correctness):
+ - Fix a use-after-free bug in validate_intro_point_failure(). Fixes
+ bug 17401; bugfix on 0.2.7.3-rc.
+
+ o Major bugfixes (memory leaks):
+ - Fix a memory leak in ed25519 batch signature checking. Fixes bug
+ 17398; bugfix on 0.2.6.1-alpha.
+ - Fix a memory leak in rend_cache_failure_entry_free(). Fixes bug
+ 17402; bugfix on 0.2.7.3-rc.
+ - Fix a memory leak when reading an expired signing key from disk.
+ Fixes bug 17403; bugfix on 0.2.7.2-rc.
+
+ o Minor features (geoIP):
+ - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2
+ Country database.
+
+ o Minor bugfixes (compilation):
+ - Repair compilation with the most recent (unreleased, alpha)
+ vesions of OpenSSL 1.1. Fixes part of ticket 17237.
+ - Fix an integer overflow warning in test_crypto_slow.c. Fixes bug
+ 17251; bugfix on 0.2.7.2-alpha.
+ - Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
+ bugfix on 0.2.5.1-alpha. Patch from 'jamestk'.
+
+ o Minor bugfixes (portability):
+ - Use libexecinfo on FreeBSD to enable backtrace support. Fixes
+ part of bug 17151; bugfix on 0.2.5.2-alpha. Patch from
+ Marcin Cieślak.
+
+ o Minor bugfixes (sandbox):
+ - Add the "hidserv-stats" filename to our sandbox filter for the
+ HiddenServiceStatistics option to work properly. Fixes bug 17354;
+ bugfix on 0.2.6.2-alpha. Patch from David Goulet.
+
+ o Minor bugfixes (testing):
+ - Add unit tests for get_interface_address* failure cases. Fixes bug
+ 17173; bugfix on 0.2.7.3-rc. Patch by fk/teor.
+ - Fix breakage when running 'make check' with BSD make. Fixes bug
+ 17154; bugfix on 0.2.7.3-rc. Patch by Marcin Cieślak.
+ - Make the get_ifaddrs_* unit tests more tolerant of different
+ network configurations. (Don't assume every test box has an IPv4
+ address, and don't assume every test box has a non-localhost
+ address.) Fixes bug 17255; bugfix on 0.2.7.3-rc. Patch by "teor".
+ - Skip backtrace tests when backtrace support is not compiled in.
+ Fixes part of bug 17151; bugfix on 0.2.7.1-alpha. Patch from
+ Marcin Cieślak.
+
+ o Documentation:
+ - Fix capitalization of SOCKS in sample torrc. Closes ticket 15609.
+ - Note that HiddenServicePorts can take a unix domain socket. Closes
+ ticket 17364.
+
+
+Changes in version 0.2.7.3-rc - 2015-09-25
+ Tor 0.2.7.3-rc is the first release candidate in the 0.2.7 series. It
+ contains numerous usability fixes for Ed25519 keys, safeguards against
+ several misconfiguration problems, significant simplifications to
+ Tor's callgraph, and numerous bugfixes and small features.
+
+ This is the most tested release of Tor to date. The unit tests cover
+ 39.40% of the code, and the integration tests (accessible with "make
+ test-full-online", requiring stem and chutney and a network
+ connection) raise the coverage to 64.49%.
+
+ o Major features (security, hidden services):
+ - Hidden services, if using the EntryNodes option, are required to
+ use more than one EntryNode, in order to avoid a guard discovery
+ attack. (This would only affect people who had configured hidden
+ services and manually specified the EntryNodes option with a
+ single entry-node. The impact was that it would be easy to
+ remotely identify the guard node used by such a hidden service.
+ See ticket for more information.) Fixes ticket 14917.
+
+ o Major features (Ed25519 keys, keypinning):
+ - The key-pinning option on directory authorities is now advisory-
+ only by default. In a future version, or when the AuthDirPinKeys
+ option is set, pins are enforced again. Disabling key-pinning
+ seemed like a good idea so that we can survive the fallout of any
+ usability problems associated with Ed25519 keys. Closes
+ ticket 17135.
+
+ o Major features (Ed25519 performance):
+ - Improve the speed of Ed25519 operations and Curve25519 keypair
+ generation when built targeting 32 bit x86 platforms with SSE2
+ available. Implements ticket 16535.
+ - Improve the runtime speed of Ed25519 signature verification by
+ using Ed25519-donna's batch verification support. Implements
+ ticket 16533.
+
+ o Major features (performance testing):
+ - The test-network.sh script now supports performance testing.
+ Requires corresponding chutney performance testing changes. Patch
+ by "teor". Closes ticket 14175.
+
+ o Major features (relay, Ed25519):
+ - Significant usability improvements for Ed25519 key management. Log
+ messages are better, and the code can recover from far more
+ failure conditions. Thanks to "s7r" for reporting and diagnosing
+ so many of these!
+ - Add a new OfflineMasterKey option to tell Tor never to try loading
+ or generating a secret Ed25519 identity key. You can use this in
+ combination with tor --keygen to manage offline and/or encrypted
+ Ed25519 keys. Implements ticket 16944.
+ - Add a --newpass option to allow changing or removing the
+ passphrase of an encrypted key with tor --keygen. Implements part
+ of ticket 16769.
+ - On receiving a HUP signal, check to see whether the Ed25519
+ signing key has changed, and reload it if so. Closes ticket 16790.
+
+ o Major bugfixes (relay, Ed25519):
+ - Avoid crashing on 'tor --keygen'. Fixes bug 16679; bugfix on
+ 0.2.7.2-alpha. Reported by "s7r".
+ - Improve handling of expired signing keys with offline master keys.
+ Fixes bug 16685; bugfix on 0.2.7.2-alpha. Reported by "s7r".
+
+ o Minor features (client-side privacy):
+ - New KeepAliveIsolateSOCKSAuth option to indefinitely extend circuit
+ lifespan when IsolateSOCKSAuth and streams with SOCKS
+ authentication are attached to the circuit. This allows
+ applications like TorBrowser to manage circuit lifetime on their
+ own. Implements feature 15482.
+ - When logging malformed hostnames from SOCKS5 requests, respect
+ SafeLogging configuration. Fixes bug 16891; bugfix on 0.1.1.16-rc.
+
+ o Minor features (compilation):
+ - Give a warning as early as possible when trying to build with an
+ unsupported OpenSSL version. Closes ticket 16901.
+ - Fail during configure if we're trying to build against an OpenSSL
+ built without ECC support. Fixes bug 17109, bugfix on 0.2.7.1-alpha
+ which started requiring ECC.
+
+ o Minor features (geoip):
+ - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2
+ Country database.
+
+ o Minor features (hidden services):
+ - Relays need to have the Fast flag to get the HSDir flag. As this
+ is being written, we'll go from 2745 HSDirs down to 2342, a ~14%
+ drop. This change should make some attacks against the hidden
+ service directory system harder. Fixes ticket 15963.
+ - Turn on hidden service statistics collection by setting the torrc
+ option HiddenServiceStatistics to "1" by default. (This keeps
+ track only of the fraction of traffic used by hidden services, and
+ the total number of hidden services in existence.) Closes
+ ticket 15254.
+ - Client now uses an introduction point failure cache to know when
+ to fetch or keep a descriptor in their cache. Previously, failures
+ were recorded implicitly, but not explicitly remembered. Closes
+ ticket 16389.
+
+ o Minor features (testing, authorities, documentation):
+ - New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to
+ explicitly manage consensus flags in testing networks. Patch by
+ "robgjansen", modified by "teor". Implements part of ticket 14882.
+
+ o Minor bugfixes (security, exit policies):
+ - ExitPolicyRejectPrivate now also rejects the relay's published
+ IPv6 address (if any), and any publicly routable IPv4 or IPv6
+ addresses on any local interfaces. ticket 17027. Patch by "teor".
+ Fixes bug 17027; bugfix on 0.2.0.11-alpha.
+
+ o Minor bug fixes (torrc exit policies):
+ - In torrc, "accept6 *" and "reject6 *" ExitPolicy lines now only
+ produce IPv6 wildcard addresses. Previously they would produce
+ both IPv4 and IPv6 wildcard addresses. Patch by "teor". Fixes part
+ of bug 16069; bugfix on 0.2.4.7-alpha.
+ - When parsing torrc ExitPolicies, we now warn for a number of cases
+ where the user's intent is likely to differ from Tor's actual
+ behavior. These include: using an IPv4 address with an accept6 or
+ reject6 line; using "private" on an accept6 or reject6 line; and
+ including any ExitPolicy lines after accept *:* or reject *:*.
+ Related to ticket 16069.
+ - When parsing torrc ExitPolicies, we now issue an info-level
+ message when expanding an "accept/reject *" line to include both
+ IPv4 and IPv6 wildcard addresses. Related to ticket 16069.
+ - In each instance above, usage advice is provided to avoid the
+ message. Resolves ticket 16069. Patch by "teor". Fixes part of bug
+ 16069; bugfix on 0.2.4.7-alpha.
+
+ o Minor bugfixes (authority):
+ - Don't assign "HSDir" to a router if it isn't Valid and Running.
+ Fixes bug 16524; bugfix on 0.2.7.2-alpha.
+ - Downgrade log messages about Ed25519 key issues if they are in old
+ cached router descriptors. Fixes part of bug 16286; bugfix
+ on 0.2.7.2-alpha.
+ - When we find an Ed25519 key issue in a cached descriptor, stop
+ saying the descriptor was just "uploaded". Fixes another part of
+ bug 16286; bugfix on 0.2.7.2-alpha.
+
+ o Minor bugfixes (control port):
+ - Repair a warning and a spurious result when getting the maximum
+ number of file descriptors from the controller. Fixes bug 16697;
+ bugfix on 0.2.7.2-alpha.
+
+ o Minor bugfixes (correctness):
+ - When calling channel_free_list(), avoid calling smartlist_remove()
+ while inside a FOREACH loop. This partially reverts commit
+ 17356fe7fd96af where the correct SMARTLIST_DEL_CURRENT was
+ incorrectly removed. Fixes bug 16924; bugfix on 0.2.4.4-alpha.
+
+ o Minor bugfixes (documentation):
+ - Advise users on how to configure separate IPv4 and IPv6 exit
+ policies in the manpage and sample torrcs. Related to ticket 16069.
+ - Fix the usage message of tor-resolve(1) so that it no longer lists
+ the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta.
+ - Fix an error in the manual page and comments for
+ TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir
+ required "ORPort connectivity". While this is true, it is in no
+ way unique to the HSDir flag. Of all the flags, only HSDirs need a
+ DirPort configured in order for the authorities to assign that
+ particular flag. Patch by "teor". Fixed as part of 14882; bugfix
+ on 0.2.6.3-alpha.
+
+ o Minor bugfixes (Ed25519):
+ - Fix a memory leak when reading router descriptors with expired
+ Ed25519 certificates. Fixes bug 16539; bugfix on 0.2.7.2-alpha.
+
+ o Minor bugfixes (linux seccomp2 sandbox):
+ - Allow bridge authorities to run correctly under the seccomp2
+ sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha.
+ - Allow routers with ed25519 keys to run correctly under the
+ seccomp2 sandbox. Fixes bug 16965; bugfix on 0.2.7.2-alpha.
+
+ o Minor bugfixes (open file limit):
+ - Fix set_max_file_descriptors() to set by default the max open file
+ limit to the current limit when setrlimit() fails. Fixes bug
+ 16274; bugfix on 0.2.0.10-alpha. Patch by dgoulet.
+
+ o Minor bugfixes (portability):
+ - Try harder to normalize the exit status of the Tor process to the
+ standard-provided range. Fixes bug 16975; bugfix on every version
+ of Tor ever.
+ - Check correctly for Windows socket errors in the workqueue
+ backend. Fixes bug 16741; bugfix on 0.2.6.3-alpha.
+ - Fix the behavior of crypto_rand_time_range() when told to consider
+ times before 1970. (These times were possible when running in a
+ simulated network environment where time()'s output starts at
+ zero.) Fixes bug 16980; bugfix on 0.2.7.1-alpha.
+ - Restore correct operation of TLS client-cipher detection on
+ OpenSSL 1.1. Fixes bug 14047; bugfix on 0.2.7.2-alpha.
+
+ o Minor bugfixes (relay):
+ - Ensure that worker threads actually exit when a fatal error or
+ shutdown is indicated. This fix doesn't currently affect the
+ behavior of Tor, because Tor workers never indicates fatal error
+ or shutdown except in the unit tests. Fixes bug 16868; bugfix
+ on 0.2.6.3-alpha.
+ - Unblock threads before releasing the work queue mutex to ensure
+ predictable scheduling behavior. Fixes bug 16644; bugfix
+ on 0.2.6.3-alpha.
+
+ o Code simplification and refactoring:
+ - Change the function that's called when we need to retry all
+ downloads so that it only reschedules the downloads to happen
+ immediately, rather than launching them all at once itself. This
+ further simplifies Tor's callgraph.
+ - Move some format-parsing functions out of crypto.c and
+ crypto_curve25519.c into crypto_format.c and/or util_format.c.
+ - Move the client-only parts of init_keys() into a separate
+ function. Closes ticket 16763.
+ - Simplify the microdesc_free() implementation so that it no longer
+ appears (to code analysis tools) to potentially invoke a huge
+ suite of other microdesc functions.
+ - Simply the control graph further by deferring the inner body of
+ directory_all_unreachable() into a callback. Closes ticket 16762.
+ - Treat the loss of an owning controller as equivalent to a SIGTERM
+ signal. This removes a tiny amount of duplicated code, and
+ simplifies our callgraph. Closes ticket 16788.
+ - When generating an event to send to the controller, we no longer
+ put the event over the network immediately. Instead, we queue
+ these events, and use a Libevent callback to deliver them. This
+ change simplifies Tor's callgraph by reducing the number of
+ functions from which all other Tor functions are reachable. Closes
+ ticket 16695.
+ - Wrap Windows-only C files inside '#ifdef _WIN32' so that tools
+ that try to scan or compile every file on Unix won't decide that
+ they are broken.
+ - Remove the unused "nulterminate" argument from buf_pullup().
+
+ o Documentation:
+ - Recommend a 40 GB example AccountingMax in torrc.sample rather
+ than a 4 GB max. Closes ticket 16742.
+ - Include the TUNING document in our source tarball. It is referred
+ to in the ChangeLog and an error message. Fixes bug 16929; bugfix
+ on 0.2.6.1-alpha.
+
+ o Removed code:
+ - The internal pure-C tor-fw-helper tool is now removed from the Tor
+ distribution, in favor of the pure-Go clone available from
+ https://gitweb.torproject.org/tor-fw-helper.git/ . The libraries
+ used by the C tor-fw-helper are not, in our opinion, very
+ confidence- inspiring in their secure-programming techniques.
+ Closes ticket 13338.
+ - Remove the code that would try to aggressively flush controller
+ connections while writing to them. This code was introduced in
+ 0.1.2.7-alpha, in order to keep output buffers from exceeding
+ their limits. But there is no longer a maximum output buffer size,
+ and flushing data in this way caused some undesirable recursions
+ in our call graph. Closes ticket 16480.
+
+ o Testing:
+ - Make "bridges+hs" the default test network. This tests almost all
+ tor functionality during make test-network, while allowing tests
+ to succeed on non-IPv6 systems. Requires chutney commit 396da92 in
+ test-network-bridges-hs. Closes tickets 16945 (tor) and 16946
+ (chutney). Patches by "teor".
+ - Autodetect CHUTNEY_PATH if the chutney and Tor sources are side-
+ by-side in the same parent directory. Closes ticket 16903. Patch
+ by "teor".
+ - Use environment variables rather than autoconf substitutions to
+ send variables from the build system to the test scripts. This
+ change should be easier to maintain, and cause 'make distcheck' to
+ work better than before. Fixes bug 17148.
+ - Add a new set of callgraph analysis scripts that use clang to
+ produce a list of which Tor functions are reachable from which
+ other Tor functions. We're planning to use these to help simplify
+ our code structure by identifying illogical dependencies.
+ - Add new 'test-full' and 'test-full-online' targets to run all
+ tests, including integration tests with stem and chutney.
+ - Make the test-workqueue test work on Windows by initializing the
+ network before we begin.
+ - New make target (make test-network-all) to run multiple applicable
+ chutney test cases. Patch from Teor; closes 16953.
+ - Unit test dns_resolve(), dns_clip_ttl() and dns_get_expiry_ttl()
+ functions in dns.c. Implements a portion of ticket 16831.
+ - When building Tor with testing coverage enabled, run Chutney tests
+ (if any) using the 'tor-cov' coverage binary.
+ - When running test-network or test-stem, check for the absence of
+ stem/chutney before doing any build operations.
+
+
Changes in version 0.2.7.2-alpha - 2015-07-27
This, the second alpha in the Tor 0.2.7 series, has a number of new
features, including a way to manually pick the number of introduction
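Review bot: In the 0.2.7.4-rc entry, the expired-signing-key memory leak item says "bugfix on 0.2.7.2-rc", but this file only shows a 0.2.7.2-alpha release and describes 0.2.7.3-rc as the first release candidate in the 0.2.7 series, so the reference most likely should be 0.2.7.2-alpha; please check it against bug 17403. Two items in 0.2.7.3-rc have muddled trailers: the ExitPolicyRejectPrivate item carries a stray "ticket 17027." fragment ahead of "Fixes bug 17027", and the last torrc exit policy item says both "Resolves ticket 16069" and "Fixes part of bug 16069" while repeating the first item's patch credit. Typos to fix in the same pass: "torspce", "vesions", "If no further significant bounds are found, the next release will the the official stable release" (where "bugs" and "will be the" seem meant), "Simply the control graph", "confidence- inspiring", "Tor workers never indicates", the missing period after "ticket 17589", and the heading "Minor bug fixes (torrc exit policies)", which is spelled "Minor bugfixes" everywhere else.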
@@ -367,7 +1452,7 @@ Changes in version 0.2.6.8 - 2015-05-21
- Revert commit that made directory authorities assign the HSDir
flag to relay without a DirPort; this was bad because such relays
can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
- on tor-0.2.6.3-alpha.
+ on 0.2.6.3-alpha.
o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
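Review bot: The context line just above the edit, "flag to relay without a DirPort", should read "to relays". Since this change already touches the entry here and its copy under 0.2.7.1-alpha to drop the "tor-" prefix, fix the grammar in both places at the same time.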
@@ -408,7 +1493,7 @@ Changes in version 0.2.7.1-alpha - 2015-05-12
- Revert commit that made directory authorities assign the HSDir
flag to relay without a DirPort; this was bad because such relays
can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
- on tor-0.2.6.3-alpha.
+ on 0.2.6.3-alpha.
o Minor features (clock-jump tolerance):
- Recover better when our clock jumps back many hours, like might
@@ -588,7 +1673,7 @@ Changes in version 0.2.7.1-alpha - 2015-05-12
o Removed code:
- Remove `USE_OPENSSL_BASE64` and the corresponding fallback code
and always use the internal Base64 decoder. The internal decoder
- has been part of tor since tor-0.2.0.10-alpha, and no one should
+ has been part of tor since 0.2.0.10-alpha, and no one should
be using the OpenSSL one. Part of ticket 15652.
- Remove the 'tor_strclear()' function; use memwipe() instead.
Closes ticket 14922.
@@ -631,6 +1716,30 @@ Changes in version 0.2.4.27 - 2015-04-06
Resolves ticket 15515.
+Changes in version 0.2.5.12 - 2015-04-06
+ Tor 0.2.5.12 backports two fixes from 0.2.6.7 for security issues that
+ could be used by an attacker to crash hidden services, or crash clients
+ visiting hidden services. Hidden services should upgrade as soon as
+ possible; clients should upgrade whenever packages become available.
+
+ This release also backports a simple improvement to make hidden
+ services a bit less vulnerable to denial-of-service attacks.
+
+ o Major bugfixes (security, hidden service):
+ - Fix an issue that would allow a malicious client to trigger an
+ assertion failure and halt a hidden service. Fixes bug 15600;
+ bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
+ - Fix a bug that could cause a client to crash with an assertion
+ failure when parsing a malformed hidden service descriptor. Fixes
+ bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
+
+ o Minor features (DoS-resistance, hidden service):
+ - Introduction points no longer allow multiple INTRODUCE1 cells to
+ arrive on the same circuit. This should make it more expensive for
+ attackers to overwhelm hidden services with introductions.
+ Resolves ticket 15515.
+
+
Changes in version 0.2.6.7 - 2015-04-06
Tor 0.2.6.7 fixes two security issues that could be used by an
attacker to crash hidden services, or crash clients visiting hidden
@@ -8593,7 +9702,7 @@ Changes in version 0.2.2.26-beta - 2011-05-17
at least _half_ the length of the store, not _twice_ the length
of the store. Bugfix on 0.2.2.6-alpha; fixes part of bug 2230.
- Fix a potential null-pointer dereference while computing a
- consensus. Bugfix on tor-0.2.0.3-alpha, found with the help of
+ consensus. Bugfix on 0.2.0.3-alpha, found with the help of
clang's analyzer.
- Avoid a possible null-pointer dereference when rebuilding the mdesc
cache without actually having any descriptors to cache. Bugfix on