diff options
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 2043 |
1 files changed, 2038 insertions, 5 deletions
@@ -1,3 +1,2037 @@ +Changes in version 0.3.5.4-alpha - 2018-11-08 + Tor 0.3.5.4-alpha includes numerous bugfixes on earlier versions and + improves our continuous integration support. It continues our attempts + to stabilize this alpha branch and build it into a foundation for an + acceptable long-term-support release. + + o Major bugfixes (compilation, rust): + - Rust tests can now build and run successfully with the + --enable-fragile-hardening option enabled. Doing this currently + requires the rust beta channel; it will be possible with stable + rust once Rust version 1.31 is released. Patch from Alex Crichton. + Fixes bugs 27272, 27273, and 27274. Bugfix on 0.3.1.1-alpha. + + o Major bugfixes (embedding, main loop): + - When DisableNetwork becomes set, actually disable periodic events + that are already enabled. (Previously, we would refrain from + enabling new ones, but we would leave the old ones turned on.) + Fixes bug 28348; bugfix on 0.3.4.1-alpha. + + o Minor features (continuous integration): + - Add a Travis CI build for --enable-nss on Linux gcc. Closes + ticket 27751. + - Add new CI job to Travis configuration to run stem-based + integration tests. Closes ticket 27913. + + o Minor features (Windows, continuous integration): + - Build tor on Windows Server 2012 R2 and Windows Server 2016 using + Appveyor's CI. Closes ticket 28318. + + o Minor bugfixes (C correctness, also in 0.3.4.9): + - Avoid undefined behavior in an end-of-string check when parsing + the BEGIN line in a directory object. Fixes bug 28202; bugfix + on 0.2.0.3-alpha. + + o Minor bugfixes (compilation): + - Fix a pair of missing headers on OpenBSD. Fixes bug 28303; bugfix + on 0.3.5.1-alpha. Patch from Kris Katterjohn. + + o Minor bugfixes (compilation, OpenSolaris): + - Fix compilation on OpenSolaris and its descendants by adding a + missing include to compat_pthreads.c. Fixes bug 27963; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (configuration): + - Refuse to start with relative file paths and RunAsDaemon set + (regression from the fix for bug 22731). Fixes bug 28298; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (directory authority, also in 0.3.4.9): + - Log additional info when we get a relay that shares an ed25519 ID + with a different relay, instead of a BUG() warning with a + backtrace. Fixes bug 27800; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (onion service v3): + - Build the service descriptor's signing key certificate before + uploading, so we always have a fresh one: leaving no chances for + it to expire service side. Fixes bug 27838; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (onion service v3, client authorization): + - Fix an assert() when adding a client authorization for the first + time and then sending a HUP signal to the service. Before that, + Tor would stop abruptly. Fixes bug 27995; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (onion services): + - Unless we have explicitly set HiddenServiceVersion, detect the + onion service version and then look for invalid options. + Previously, we did the reverse, but that broke existing configs + which were pointed to a v2 service and had options like + HiddenServiceAuthorizeClient set. Fixes bug 28127; bugfix on + 0.3.5.1-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (portability): + - Make the OPE code (which is used for v3 onion services) run + correctly on big-endian platforms. Fixes bug 28115; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (protover, rust): + - Reject extra commas in version strings. Fixes bug 27197; bugfix + on 0.3.3.3-alpha. + + o Minor bugfixes (relay shutdown, systemd): + - Notify systemd of ShutdownWaitLength so it can be set to longer + than systemd's TimeoutStopSec. In Tor's systemd service file, set + TimeoutSec to 60 seconds to allow Tor some time to shut down. + Fixes bug 28113; bugfix on 0.2.6.2-alpha. + + o Minor bugfixes (rust, also in 0.3.4.9): + - Fix a potential null dereference in protover_all_supported(). Add + a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha. + - Return a string that can be safely freed by C code, not one + created by the rust allocator, in protover_all_supported(). Fixes + bug 27740; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (rust, directory authority, also in 0.3.4.9): + - Fix an API mismatch in the rust implementation of + protover_compute_vote(). This bug could have caused crashes on any + directory authorities running Tor with Rust (which we do not yet + recommend). Fixes bug 27741; bugfix on 0.3.3.6. + + o Minor bugfixes (testing): + - Avoid hangs and race conditions in test_rebind.py. Fixes bug + 27968; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (testing, also in 0.3.4.9): + - Treat backtrace test failures as expected on BSD-derived systems + (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808. + (FreeBSD failures have been treated as expected since 18204 in + 0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha. + + o Documentation (onion service manpage): + - Improve HSv3 client authorization by making some options more + explicit and detailed. Closes ticket 28026. Patch by Mike Tigas. + + +Changes in version 0.3.4.9 - 2018-11-02 + Tor 0.3.4.9 is the second stable release in its series; it backports + numerous fixes, including a fix for a bandwidth management bug that + was causing memory exhaustion on relays. Anyone running an earlier + version of Tor 0.3.4.9 should upgrade. + + o Major bugfixes (compilation, backport from 0.3.5.3-alpha): + - Fix compilation on ARM (and other less-used CPUs) when compiling + with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha. + + o Major bugfixes (mainloop, bootstrap, backport from 0.3.5.3-alpha): + - Make sure Tor bootstraps and works properly if only the + ControlPort is set. Prior to this fix, Tor would only bootstrap + when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel + port). Fixes bug 27849; bugfix on 0.3.4.1-alpha. + + o Major bugfixes (relay, backport from 0.3.5.3-alpha): + - When our write bandwidth limit is exhausted, stop writing on the + connection. Previously, we had a typo in the code that would make + us stop reading instead, leading to relay connections being stuck + indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix + on 0.3.4.1-alpha. + + o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha): + - Fix a use-after-free error that could be caused by passing Tor an + impossible set of options that would fail during options_act(). + Fixes bug 27708; bugfix on 0.3.3.1-alpha. + + o Minor features (continuous integration, backport from 0.3.5.1-alpha): + - Don't do a distcheck with --disable-module-dirauth in Travis. + Implements ticket 27252. + - Only run one online rust build in Travis, to reduce network + errors. Skip offline rust builds on Travis for Linux gcc, because + they're redundant. Implements ticket 27252. + - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a + duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on + Linux with default settings, because all the non-default builds + use gcc on Linux. Implements ticket 27252. + + o Minor features (continuous integration, backport from 0.3.5.3-alpha): + - Use the Travis Homebrew addon to install packages on macOS during + Travis CI. The package list is the same, but the Homebrew addon + does not do a `brew update` by default. Implements ticket 27738. + + o Minor features (geoip): + - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2 + Country database. Closes ticket 27991. + + o Minor bugfixes (32-bit OSX and iOS, timing, backport from 0.3.5.2-alpha): + - Fix an integer overflow bug in our optimized 32-bit millisecond- + difference algorithm for 32-bit Apple platforms. Previously, it + would overflow when calculating the difference between two times + more than 47 days apart. Fixes part of bug 27139; bugfix + on 0.3.4.1-alpha. + - Improve the precision of our 32-bit millisecond difference + algorithm for 32-bit Apple platforms. Fixes part of bug 27139; + bugfix on 0.3.4.1-alpha. + - Relax the tolerance on the mainloop/update_time_jumps test when + running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix + on 0.3.4.1-alpha. + + o Minor bugfixes (C correctness, to appear in 0.3.5.4-alpha): + - Avoid undefined behavior in an end-of-string check when parsing + the BEGIN line in a directory object. Fixes bug 28202; bugfix + on 0.2.0.3-alpha. + + o Minor bugfixes (CI, appveyor, to appear in 0.3.5.4-alpha): + - Only install the necessary mingw packages during our appveyor + builds. This change makes the build a little faster, and prevents + a conflict with a preinstalled mingw openssl that appveyor now + ships. Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha. + + o Minor bugfixes (code safety, backport from 0.3.5.3-alpha): + - Rewrite our assertion macros so that they no longer suppress the + compiler's -Wparentheses warnings. Fixes bug 27709; bugfix + + o Minor bugfixes (continuous integration, backport from 0.3.5.1-alpha): + - Stop reinstalling identical packages in our Windows CI. Fixes bug + 27464; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (directory authority, to appear in 0.3.5.4-alpha): + - Log additional info when we get a relay that shares an ed25519 ID + with a different relay, instead making a BUG() warning. Fixes bug + 27800; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (directory connection shutdown, backport from 0.3.5.1-alpha): + - Avoid a double-close when shutting down a stalled directory + connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (HTTP tunnel, backport from 0.3.5.1-alpha): + - Fix a bug warning when closing an HTTP tunnel connection due to an + HTTP request we couldn't handle. Fixes bug 26470; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha): + - Ensure circuitmux queues are empty before scheduling or sending + padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha): + - When the onion service directory can't be created or has the wrong + permissions, do not log a stack trace. Fixes bug 27335; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha): + - Close all SOCKS request (for the same .onion) if the newly fetched + descriptor is unusable. Before that, we would close only the first + one leaving the other hanging and let to time out by themselves. + Fixes bug 27410; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha): + - When selecting a v3 rendezvous point, don't only look at the + protover, but also check whether the curve25519 onion key is + present. This way we avoid picking a relay that supports the v3 + rendezvous but for which we don't have the microdescriptor. Fixes + bug 27797; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (protover, backport from 0.3.5.3-alpha): + - Reject protocol names containing bytes other than alphanumeric + characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix + on 0.2.9.4-alpha. + + o Minor bugfixes (rust, backport from 0.3.5.1-alpha): + - Compute protover votes correctly in the rust version of the + protover code. Previously, the protover rewrite in 24031 allowed + repeated votes from the same voter for the same protocol version + to be counted multiple times in protover_compute_vote(). Fixes bug + 27649; bugfix on 0.3.3.5-rc. + - Reject protover names that contain invalid characters. Fixes bug + 27687; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (rust, backport from 0.3.5.2-alpha): + - protover_all_supported() would attempt to allocate up to 16GB on + some inputs, leading to a potential memory DoS. Fixes bug 27206; + bugfix on 0.3.3.5-rc. + + o Minor bugfixes (rust, directory authority, to appear in 0.3.5.4-alpha): + - Fix an API mismatch in the rust implementation of + protover_compute_vote(). This bug could have caused crashes on any + directory authorities running Tor with Rust (which we do not yet + recommend). Fixes bug 27741; bugfix on 0.3.3.6. + + o Minor bugfixes (rust, to appear in 0.3.5.4-alpha): + - Fix a potential null dereference in protover_all_supported(). Add + a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha. + - Return a string that can be safely freed by C code, not one + created by the rust allocator, in protover_all_supported(). Fixes + bug 27740; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (testing, backport from 0.3.5.1-alpha): + - If a unit test running in a subprocess exits abnormally or with a + nonzero status code, treat the test as having failed, even if the + test reported success. Without this fix, memory leaks don't cause + the tests to fail, even with LeakSanitizer. Fixes bug 27658; + bugfix on 0.2.2.4-alpha. + + o Minor bugfixes (testing, backport from 0.3.5.3-alpha): + - Make the hs_service tests use the same time source when creating + the introduction point and when testing it. Now tests work better + on very slow systems like ARM or Travis. Fixes bug 27810; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (testing, to appear in 0.3.5.4-alpha): + - Treat backtrace test failures as expected on BSD-derived systems + (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808. + (FreeBSD failures have been treated as expected since 18204 in + 0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha. + + +Changes in version 0.3.5.3-alpha - 2018-10-17 + Tor 0.3.5.3-alpha fixes several bugs, mostly from previous 0.3.5.x + versions. One important fix for relays addresses a problem with rate- + limiting code from back in 0.3.4.x: If the fix works out, we'll be + backporting it soon. This release is still an alpha, but we hope it's + getting closer and closer to stability. + + o Major features (onion services): + - Version 3 onion services can now use the per-service + HiddenServiceExportCircuitID option to differentiate client + circuits. It communicates with the service by using the HAProxy + protocol to assign virtual IP addresses to inbound client + circuits. Closes ticket 4700. Patch by Mahrud Sayrafi. + + o Major bugfixes (compilation): + - Fix compilation on ARM (and other less-used CPUs) when compiling + with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha. + + o Major bugfixes (initialization, crash): + - Fix an assertion crash that would stop Tor from starting up if it + tried to activate a periodic event too early. Fixes bug 27861; + bugfix on 0.3.5.1-alpha. + + o Major bugfixes (mainloop, bootstrap): + - Make sure Tor bootstraps and works properly if only the + ControlPort is set. Prior to this fix, Tor would only bootstrap + when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel + port). Fixes bug 27849; bugfix on 0.3.4.1-alpha. + + o Major bugfixes (relay): + - When our write bandwidth limit is exhausted, stop writing on the + connection. Previously, we had a typo in the code that would make + us stop reading instead, leading to relay connections being stuck + indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix + on 0.3.4.1-alpha. + + o Minor features (continuous integration): + - Use the Travis Homebrew addon to install packages on macOS during + Travis CI. The package list is the same, but the Homebrew addon + does not do a `brew update` by default. Implements ticket 27738. + - Report what program produced the mysterious core file that we + occasionally see on Travis CI during make distcheck. Closes + ticket 28024. + + o Minor features (geoip): + - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2 + Country database. Closes ticket 27991. + + o Minor bugfixes (code safety): + - Rewrite our assertion macros so that they no longer suppress the + compiler's -Wparentheses warnings. Fixes bug 27709; bugfix + on 0.0.6. + + o Minor bugfixes (compilation): + - Compile the ed25519-donna code with a correct declaration of + crypto_strongest_rand(). Previously, we built it with one type, + but linked it against another in the unit tests, which caused + compilation failures with LTO enabled. This could have caused + other undefined behavior in the tests. Fixes bug 27728; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (compilation, netbsd): + - Add a missing include back into procmon.c. Fixes bug 27990; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (continuous integration, appveyor): + - Install only the necessary mingw packages during our appveyor + builds. This change makes the build a little faster, and prevents + a conflict with a preinstalled mingw openssl that appveyor now + ships. Fixes bugs 27765 and 27943; bugfix on 0.3.4.2-alpha. + + o Minor bugfixes (directory permissions): + - When a user requests a group-readable DataDirectory, give it to + them. Previously, when the DataDirectory and the CacheDirectory + were the same, the default setting (0) for + CacheDirectoryGroupReadable would override the setting for + DataDirectoryGroupReadable. Fixes bug 26913; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (memory leaks): + - Fix a small memory leak when calling Tor with --dump-config. Fixes + bug 27893; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (networking): + - In retry_listeners_ports(), make sure that we're removing a member + of old_conns smartlist at most once. Fixes bug 27808; bugfix + on 0.3.5.1-alpha. + - Refrain from attempting socket rebinding when old and new + listeners are in different address families. Fixes bug 27928; + bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (onion service v3): + - Stop dumping a stack trace when trying to connect to an intro + point without having a descriptor for it. Fixes bug 27774; bugfix + on 0.3.2.1-alpha. + - Don't warn so loudly when Tor is unable to decode an onion + descriptor. This can now happen as a normal use case if a client + gets a descriptor with client authorization but the client is not + authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha. + - When selecting a v3 rendezvous point, don't only look at the + protover, but also check whether the curve25519 onion key is + present. This way we avoid picking a relay that supports the v3 + rendezvous but for which we don't have the microdescriptor. Fixes + bug 27797; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (protover): + - Reject protocol names containing bytes other than alphanumeric + characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix + on 0.2.9.4-alpha. + + o Minor bugfixes (testing): + - Make the hs_service tests use the same time source when creating + the introduction point and when testing it. Now tests work better + on very slow systems like ARM or Travis. Fixes bug 27810; bugfix + on 0.3.2.1-alpha. + - In test_rebind.py, check if the Python version is in the supported + range. Fixes bug 27675; bugfix on 0.3.5.1-alpha. + + o Code simplification and refactoring: + - Divide more large Tor source files -- especially ones that span + multiple areas of functionality -- into smaller parts, including + onion.c and main.c. Closes ticket 26747. + - Divide the "routerparse.c" module into separate modules for each + group of parsed objects. Closes ticket 27924. + - Move protover_rust.c to the same place protover.c was moved to. + Closes ticket 27814. + - Split directory.c into separate pieces for client, server, and + common functionality. Closes ticket 26744. + - Split the non-statistics-related parts from the rephist.c and + geoip.c modules. Closes ticket 27892. + - Split the router.c file into relay-only and shared components, to + help with future modularization. Closes ticket 27864. + + o Documentation: + - In the tor-resolve(1) manpage, fix the reference to socks- + extensions.txt by adding a web URL. Resolves ticket 27853. + - Mention that we require Python to be 2.7 or newer for some + integration tests that we ship with Tor. Resolves ticket 27677. + + +Changes in version 0.3.5.2-alpha - 2018-09-21 + Tor 0.3.5.2-alpha fixes several bugs in 0.3.5.1-alpha, including one + that made Tor think it had run out of sockets. Anybody running a relay + or an onion service on 0.3.5.1-alpha should upgrade. + + o Major bugfixes (relay bandwidth statistics): + - When we close relayed circuits, report the data in the circuit + queues as being written in our relay bandwidth stats. This + mitigates guard discovery and other attacks that close circuits + for the explicit purpose of noticing this discrepancy in + statistics. Fixes bug 23512; bugfix on 0.0.8pre3. + + o Major bugfixes (socket accounting): + - In our socket accounting code, count a socket as closed even when + it is closed indirectly by the TLS layer. Previously, we would + count these sockets as still in use, and incorrectly believe that + we had run out of sockets. Fixes bug 27795; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (32-bit OSX and iOS, timing): + - Fix an integer overflow bug in our optimized 32-bit millisecond- + difference algorithm for 32-bit Apple platforms. Previously, it + would overflow when calculating the difference between two times + more than 47 days apart. Fixes part of bug 27139; bugfix + on 0.3.4.1-alpha. + - Improve the precision of our 32-bit millisecond difference + algorithm for 32-bit Apple platforms. Fixes part of bug 27139; + bugfix on 0.3.4.1-alpha. + - Relax the tolerance on the mainloop/update_time_jumps test when + running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix + on 0.3.4.1-alpha. + + o Minor bugfixes (onion service v3): + - Close all SOCKS request (for the same .onion) if the newly fetched + descriptor is unusable. Before that, we would close only the first + one leaving the other hanging and let to time out by themselves. + Fixes bug 27410; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (memory leak): + - Fix an unlikely memory leak when trying to read a private key from + a ridiculously large file. Fixes bug 27764; bugfix on + 0.3.5.1-alpha. This is CID 1439488. + + o Minor bugfixes (NSS): + - Correctly detect failure to open a dummy TCP socket when stealing + ownership of an fd from the NSS layer. Fixes bug 27782; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (rust): + - protover_all_supported() would attempt to allocate up to 16GB on + some inputs, leading to a potential memory DoS. Fixes bug 27206; + bugfix on 0.3.3.5-rc. + + o Minor bugfixes (testing): + - Revise the "conditionvar_timeout" test so that it succeeds even on + heavily loaded systems where the test threads are not scheduled + within 200 msec. Fixes bug 27073; bugfix on 0.2.6.3-alpha. + + o Code simplification and refactoring: + - Divide the routerlist.c and dirserv.c modules into smaller parts. + Closes ticket 27799. + + +Changes in version 0.3.5.1-alpha - 2018-09-18 + Tor 0.3.5.1-alpha is the first release of the 0.3.5.x series. It adds + client authorization for modern (v3) onion services, improves + bootstrap reporting, begins reorganizing Tor's codebase, adds optional + support for NSS in place of OpenSSL, and much more. + + o Major features (onion services, UI change): + - For a newly created onion service, the default version is now 3. + Tor still supports existing version 2 services, but the operator + now needs to set "HiddenServiceVersion 2" in order to create a new + version 2 service. For existing services, Tor now learns the + version by reading the key file. Closes ticket 27215. + + o Major features (relay, UI change): + - Relays no longer run as exits by default. If the "ExitRelay" + option is auto (or unset), and no exit policy is specified with + ExitPolicy or ReducedExitPolicy, we now treat ExitRelay as 0. + Previously in this case, we allowed exit traffic and logged a + warning message. Closes ticket 21530. Patch by Neel Chauhan. + - Tor now validates that the ContactInfo config option is valid UTF- + 8 when parsing torrc. Closes ticket 27428. + + o Major features (bootstrap): + - Don't report directory progress until after a connection to a + relay or bridge has succeeded. Previously, we'd report 80% + progress based on cached directory information when we couldn't + even connect to the network. Closes ticket 27169. + + o Major features (new code layout): + - Nearly all of Tor's source code has been moved around into more + logical places. The "common" directory is now divided into a set + of libraries in "lib", and files in the "or" directory have been + split into "core" (logic absolutely needed for onion routing), + "feature" (independent modules in Tor), and "app" (to configure + and invoke the rest of Tor). See doc/HACKING/CodeStructure.md for + more information. Closes ticket 26481. + + This refactoring is not complete: although the libraries have been + refactored to be acyclic, the main body of Tor is still too + interconnected. We will attempt to improve this in the future. + + o Major features (onion services v3): + - Implement onion service client authorization at the descriptor + level: only authorized clients can decrypt a service's descriptor + to find out how to contact it. A new torrc option was added to + control this client side: ClientOnionAuthDir <path>. On the + service side, if the "authorized_clients/" directory exists in the + onion service directory path, client configurations are read from + the files within. See the manpage for more details. Closes ticket + 27547. Patch done by Suphanat Chunhapanya (haxxpop). + - Improve revision counter generation in next-gen onion services. + Onion services can now scale by hosting multiple instances on + different hosts without synchronization between them, which was + previously impossible because descriptors would get rejected by + HSDirs. Addresses ticket 25552. + + o Major features (portability, cryptography, experimental, TLS): + - Tor now has the option to compile with the NSS library instead of + OpenSSL. This feature is experimental, and we expect that bugs may + remain. It is mainly intended for environments where Tor's + performance is not CPU-bound, and where NSS is already known to be + installed. To try it out, configure Tor with the --enable-nss + flag. Closes tickets 26631, 26815, and 26816. + + If you are experimenting with this option and using an old cached + consensus, Tor may fail to start. To solve this, delete your + "cached-consensus" and "cached-microdesc-consensus" files, + (if present), and restart Tor. + + o Major bugfixes (directory authority): + - Actually check that the address we get from DirAuthority + configuration line is valid IPv4. Explicitly disallow DirAuthority + address to be a DNS hostname. Fixes bug 26488; bugfix + on 0.1.2.10-rc. + + o Major bugfixes (restart-in-process): + - Fix a use-after-free error that could be caused by passing Tor an + impossible set of options that would fail during options_act(). + Fixes bug 27708; bugfix on 0.3.3.1-alpha. + + o Minor features (admin tools): + - Add a new --key-expiration option to print the expiration date of + the signing cert in an ed25519_signing_cert file. Resolves + issue 19506. + + o Minor features (build): + - If you pass the "--enable-pic" option to configure, Tor will try + to tell the compiler to build position-independent code suitable + to link into a dynamic library. (The default remains -fPIE, for + code suitable for a relocatable executable.) Closes ticket 23846. + + o Minor features (code correctness, testing): + - Tor's build process now includes a "check-includes" make target to + verify that no module of Tor relies on any headers from a higher- + level module. We hope to use this feature over time to help + refactor our codebase. Closes ticket 26447. + + o Minor features (code layout): + - We have a new "lowest-level" error-handling API for use by code + invoked from within the logging module. With this interface, the + logging code is no longer at risk of calling into itself if a + failure occurs while it is trying to log something. Closes + ticket 26427. + + o Minor features (compilation): + - Tor's configure script now supports a --with-malloc= option to + select your malloc implementation. Supported options are + "tcmalloc", "jemalloc", "openbsd" (deprecated), and "system" (the + default). Addresses part of ticket 20424. Based on a patch from + Alex Xu. + + o Minor features (config): + - The "auto" keyword in torrc is now case-insensitive. Closes + ticket 26663. + + o Minor features (continuous integration): + - Don't do a distcheck with --disable-module-dirauth in Travis. + Implements ticket 27252. + - Install libcap-dev and libseccomp2-dev so these optional + dependencies get tested on Travis CI. Closes ticket 26560. + - Only run one online rust build in Travis, to reduce network + errors. Skip offline rust builds on Travis for Linux gcc, because + they're redundant. Implements ticket 27252. + - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a + duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on + Linux with default settings, because all the non-default builds + use gcc on Linux. Implements ticket 27252. + + o Minor features (controller): + - Emit CIRC_BW events as soon as we detect that we processed an + invalid or otherwise dropped cell on a circuit. This allows + vanguards and other controllers to react more quickly to dropped + cells. Closes ticket 27678. + - For purposes of CIRC_BW-based dropped cell detection, track half- + closed stream ids, and allow their ENDs, SENDMEs, DATA and path + bias check cells to arrive without counting it as dropped until + either the END arrives, or the windows are empty. Closes + ticket 25573. + - Implement a 'GETINFO md/all' controller command to enable getting + all known microdescriptors. Closes ticket 8323. + - The GETINFO command now support an "uptime" argument, to return + Tor's uptime in seconds. Closes ticket 25132. + + o Minor features (denial-of-service avoidance): + - Make our OOM handler aware of the DNS cache so that it doesn't + fill up the memory. This check is important for our DoS mitigation + subsystem. Closes ticket 18642. Patch by Neel Chauhan. + + o Minor features (development): + - Tor's makefile now supports running the "clippy" Rust style tool + on our Rust code. Closes ticket 22156. + + o Minor features (directory authority): + - There is no longer an artificial upper limit on the length of + bandwidth lines. Closes ticket 26223. + - When a bandwidth file is used to obtain the bandwidth measurements, + include this bandwidth file headers in the votes. Closes + ticket 3723. + - Improved support for networks with only a single authority or a + single fallback directory. Patch from Gabriel Somlo. Closes + ticket 25928. + + o Minor features (embedding API): + - The Tor controller API now supports a function to launch Tor with + a preconstructed owning controller FD, so that embedding + applications don't need to manage controller ports and + authentication. Closes ticket 24204. + - The Tor controller API now has a function that returns the name + and version of the backend implementing the API. Closes + ticket 26947. + + o Minor features (geoip): + - Update geoip and geoip6 to the September 6 2018 Maxmind GeoLite2 + Country database. Closes ticket 27631. + + o Minor features (memory management): + - Get Libevent to use the same memory allocator as Tor, by calling + event_set_mem_functions() during initialization. Resolves + ticket 8415. + + o Minor features (memory usage): + - When not using them, store legacy TAP public onion keys in DER- + encoded format, rather than as expanded public keys. This should + save several megabytes on typical clients. Closes ticket 27246. + + o Minor features (OpenSSL): + - When possible, use RFC5869 HKDF implementation from OpenSSL rather + than our own. Resolves ticket 19979. + + o Minor features (Rust, code quality): + - Improve rust code quality in the rust protover implementation by + making it more idiomatic. Includes changing an internal API to + take &str instead of &String. Closes ticket 26492. + + o Minor features (testing): + - Add scripts/test/chutney-git-bisect.sh, for bisecting using + chutney. Implements ticket 27211. + + o Minor features (tor-resolve): + - The tor-resolve utility can now be used with IPv6 SOCKS proxies. + Side-effect of the refactoring for ticket 26526. + + o Minor features (UI): + - Log each included configuration file or directory as we read it, + to provide more visibility about where Tor is reading from. Patch + from Unto Sten; closes ticket 27186. + - Lower log level of "Scheduler type KIST has been enabled" to INFO. + Closes ticket 26703. + + o Minor bugfixes (bootstrap): + - Try harder to get descriptors in non-exit test networks, by using + the mid weight for the third hop when there are no exits. Fixes + bug 27237; bugfix on 0.2.6.2-alpha. + + o Minor bugfixes (C correctness): + - Avoid casting smartlist index to int implicitly, as it may trigger + a warning (-Wshorten-64-to-32). Fixes bug 26282; bugfix on + 0.2.3.13-alpha, 0.2.7.1-alpha and 0.2.1.1-alpha. + - Use time_t for all values in + predicted_ports_prediction_time_remaining(). Rework the code that + computes difference between durations/timestamps. Fixes bug 27165; + bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (client, memory usage): + - When not running as a directory cache, there is no need to store + the text of the current consensus networkstatus in RAM. + Previously, however, clients would store it anyway, at a cost of + over 5 MB. Now, they do not. Fixes bug 27247; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (client, reachableaddresses): + - Instead of adding a "reject *:*" line to ReachableAddresses when + loading the configuration, add one to the policy after parsing it + in parse_reachable_addresses(). This prevents extra "reject *.*" + lines from accumulating on reloads. Fixes bug 20874; bugfix on + 0.1.1.5-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (code quality): + - Rename sandbox_getaddrinfo() and other functions to no longer + misleadingly suggest that they are sandbox-only. Fixes bug 26525; + bugfix on 0.2.7.1-alpha. + + o Minor bugfixes (configuration, Onion Services): + - In rend_service_parse_port_config(), disallow any input to remain + after address-port pair was parsed. This will catch address and + port being whitespace-separated by mistake of the user. Fixes bug + 27044; bugfix on 0.2.9.10. + + o Minor bugfixes (continuous integration): + - Stop reinstalling identical packages in our Windows CI. Fixes bug + 27464; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (controller): + - Consider all routerinfo errors other than "not a server" to be + transient for the purpose of "GETINFO exit-policy/*" controller + request. Print stacktrace in the unlikely case of failing to + recompute routerinfo digest. Fixes bug 27034; bugfix + on 0.3.4.1-alpha. + + o Minor bugfixes (directory connection shutdown): + - Avoid a double-close when shutting down a stalled directory + connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (HTTP tunnel): + - Fix a bug warning when closing an HTTP tunnel connection due to an + HTTP request we couldn't handle. Fixes bug 26470; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (ipv6): + - In addrs_in_same_network_family(), we choose the subnet size based + on the IP version (IPv4 or IPv6). Previously, we chose a fixed + subnet size of /16 for both IPv4 and IPv6 addresses. Fixes bug + 15518; bugfix on 0.2.3.1-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (logging): + - As a precaution, do an early return from log_addr_has_changed() if + Tor is running as client. Also, log a stack trace for debugging as + this function should only be called when Tor runs as server. Fixes + bug 26892; bugfix on 0.1.1.9-alpha. + - Refrain from mentioning bug 21018 in the logs, as it is already + fixed. Fixes bug 25477; bugfix on 0.2.9.8. + + o Minor bugfixes (logging, documentation): + - When SafeLogging is enabled, scrub IP address in + channel_tls_process_netinfo_cell(). Also, add a note to manpage + that scrubbing is not guaranteed on loglevels below Notice. Fixes + bug 26882; bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (netflow padding): + - Ensure circuitmux queues are empty before scheduling or sending + padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (onion service v2): + - Log at level "info", not "warning", in the case that we do not + have a consensus when a .onion request comes in. This can happen + normally while bootstrapping. Fixes bug 27040; bugfix + on 0.2.8.2-alpha. + + o Minor bugfixes (onion service v3): + - When the onion service directory can't be created or has the wrong + permissions, do not log a stack trace. Fixes bug 27335; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (OS compatibility): + - Properly handle configuration changes that move a listener to/from + wildcard IP address. If the first attempt to bind a socket fails, + close the old listener and try binding the socket again. Fixes bug + 17873; bugfix on 0.0.8pre-1. + + o Minor bugfixes (performance):: + - Rework node_is_a_configured_bridge() to no longer call + node_get_all_orports(), which was performing too many memory + allocations. Fixes bug 27224; bugfix on 0.2.3.9. + + o Minor bugfixes (relay statistics): + - Update relay descriptor on bandwidth changes only when the uptime + is smaller than 24h, in order to reduce the efficiency of guard + discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha. + + o Minor bugfixes (relays): + - Consider the fact that we'll be making direct connections to our + entry and guard nodes when computing the fraction of nodes that + have their descriptors. Also, if we are using bridges and there is + at least one bridge with a full descriptor, treat the fraction of + guards available as 100%. Fixes bug 25886; bugfix on 0.2.4.10-alpha. + Patch by Neel Chauhan. + - Update the message logged on relays when DirCache is disabled. + Since 0.3.3.5-rc, authorities require DirCache (V2Dir) for the + Guard flag. Fixes bug 24312; bugfix on 0.3.3.5-rc. + + o Minor bugfixes (rust, protover): + - Compute protover votes correctly in the rust version of the + protover code. Previously, the protover rewrite in 24031 allowed + repeated votes from the same voter for the same protocol version + to be counted multiple times in protover_compute_vote(). Fixes bug + 27649; bugfix on 0.3.3.5-rc. + - Reject protover names that contain invalid characters. Fixes bug + 27687; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (testing): + - Fix two unit tests to work when HOME environment variable is not + set. Fixes bug 27096; bugfix on 0.2.8.1-alpha. + - If a unit test running in a subprocess exits abnormally or with a + nonzero status code, treat the test as having failed, even if the + test reported success. Without this fix, memory leaks don't cause + the tests to fail, even with LeakSanitizer. Fixes bug 27658; + bugfix on 0.2.2.4-alpha. + - When logging a version mismatch in our openssl_version tests, + report the actual offending version strings. Fixes bug 26152; + bugfix on 0.2.9.1-alpha. + - Fix forking tests on Windows when there is a space somewhere in + the path. Fixes bug 26437; bugfix on 0.2.2.4-alpha. + + o Code simplification and refactoring: + - 'updateFallbackDirs.py' now ignores the blacklist file, as it's not + longer needed. Closes ticket 26502. + - Include paths to header files within Tor are now qualified by + directory within the top-level src directory. + - Many structures have been removed from the centralized "or.h" + header, and moved into their own headers. This will allow us to + reduce the number of places in the code that rely on each + structure's contents and layout. Closes ticket 26383. + - Remove ATTR_NONNULL macro from codebase. Resolves ticket 26527. + - Remove GetAdaptersAddresses_fn_t. The code that used it was + removed as part of the 26481 refactor. Closes ticket 27467. + - Rework Tor SOCKS server code to use Trunnel and benefit from + autogenerated functions for parsing and generating SOCKS wire + format. New implementation is cleaner, more maintainable and + should be less prone to heartbleed-style vulnerabilities. + Implements a significant fraction of ticket 3569. + - Split sampled_guards_update_from_consensus() and + select_entry_guard_for_circuit() into subfunctions. In + entry_guards_update_primary() unite three smartlist enumerations + into one and move smartlist comparison code out of the function. + Closes ticket 21349. + - Tor now assumes that you have standards-conformant stdint.h and + inttypes.h headers when compiling. Closes ticket 26626. + - Unify our bloom filter logic. Previously we had two copies of this + code: one for routerlist filtering, and one for address set + calculations. Closes ticket 26510. + - Use the simpler strcmpstart() helper in + rend_parse_v2_service_descriptor instead of strncmp(). Closes + ticket 27630. + - Utility functions that can perform a DNS lookup are now wholly + separated from those that can't, in separate headers and C + modules. Closes ticket 26526. + + o Documentation: + - Copy paragraph and URL to Tor's code of conduct document from + CONTRIBUTING to new CODE_OF_CONDUCT file. Resolves ticket 26638. + - Remove old instructions from INSTALL document. Closes ticket 26588. + - Warn users that they should not include MyFamily line(s) in their + torrc when running Tor bridge. Closes ticket 26908. + + o Removed features: + - Tor no longer supports building with the dmalloc library. For + debugging memory issues, we suggest using gperftools or msan + instead. Closes ticket 26426. + - Tor no longer attempts to run on Windows environments without the + GetAdaptersAddresses() function. This function has existed since + Windows XP, which is itself already older than we support. + - Remove Tor2web functionality for version 2 onion services. The + Tor2webMode and Tor2webRendezvousPoints options are now obsolete. + (This feature was never shipped in vanilla Tor and it was only + possible to use this feature by building the support at compile + time. Tor2webMode is not implemented for version 3 onion services.) + Closes ticket 26367. + + +Changes in version 0.2.9.17 - 2018-09-10 + Tor 0.2.9.17 backports numerous bugfixes from later versions of Tor. + + o Minor features (compatibility, backport from 0.3.4.8): + - Tell OpenSSL to maintain backward compatibility with previous + RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these + ciphers are disabled by default. Closes ticket 27344. + + o Minor features (continuous integration, backport from 0.3.4.7-rc): + - Enable macOS builds in our Travis CI configuration. Closes + ticket 24629. + - Install libcap-dev and libseccomp2-dev so these optional + dependencies get tested on Travis CI. Closes ticket 26560. + - Run asciidoc during Travis CI. Implements ticket 27087. + - Use ccache in our Travis CI configuration. Closes ticket 26952. + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2 + Country database. Closes ticket 27089. + + o Minor bugfixes (compilation, backport from 0.3.4.6-rc): + - When compiling with --enable-openbsd-malloc or --enable-tcmalloc, + tell the compiler not to include the system malloc implementation. + Fixes bug 20424; bugfix on 0.2.0.20-rc. + + o Minor bugfixes (compilation, backport from 0.3.4.7-rc): + - Silence a spurious compiler warning on the GetAdaptersAddresses + function pointer cast. This issue is already fixed by 26481 in + 0.3.5 and later, by removing the lookup and cast. Fixes bug 27465; + bugfix on 0.2.3.11-alpha. + - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not + supported, and always fails. Some compilers warn about the + function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix + on 0.2.2.23-alpha. + + o Minor bugfixes (compilation, windows, backport from 0.3.4.7-rc): + - Don't link or search for pthreads when building for Windows, even + if we are using build environment (like mingw) that provides a + pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (continuous integration, backport from 0.3.4.6-rc): + - Skip a pair of unreliable key generation tests on Windows, until + the underlying issue in bug 26076 is resolved. Fixes bug 26830 and + bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively. + + o Minor bugfixes (continuous integration, backport from 0.3.4.7-rc): + - Pass the module flags to distcheck configure, and log the flags + before running configure. (Backported to 0.2.9 and later as a + precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (continuous integration, backport from 0.3.4.8): + - When a Travis build fails, and showing a log fails, keep trying to + show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc. + - When we use echo in Travis, don't pass a --flag as the first + argument. Fixes bug 27418; bugfix on 0.3.4.7-rc. + + o Minor bugfixes (directory authority, backport from 0.3.4.6-rc): + - When voting for recommended versions, make sure that all of the + versions are well-formed and parsable. Fixes bug 26485; bugfix + on 0.1.1.6-alpha. + + o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.4.7-rc): + - Fix a bug in out sandboxing rules for the openat() syscall. + Previously, no openat() call would be permitted, which would break + filesystem operations on recent glibc versions. Fixes bug 25440; + bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto. + + o Minor bugfixes (onion services, backport from 0.3.4.8): + - Silence a spurious compiler warning in + rend_client_send_introduction(). Fixes bug 27463; bugfix + on 0.1.1.2-alpha. + + o Minor bugfixes (single onion services, Tor2web, backport from 0.3.4.6-rc): + - Log a protocol warning when single onion services or Tor2web clients + fail to authenticate direct connections to relays. + Fixes bug 26924; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (testing, backport from 0.3.4.6-rc): + - Disable core dumps in test_bt.sh, to avoid failures in "make + distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha. + + o Minor bugfixes (testing, chutney, backport from 0.3.4.8): + - Before running make test-network-all, delete old logs and test + result files, to avoid spurious failures. Fixes bug 27295; bugfix + on 0.2.7.3-rc. + + o Minor bugfixes (testing, openssl compatibility, backport from 0.3.4.7-rc): + - Our "tortls/cert_matches_key" unit test no longer relies on + OpenSSL internals. Previously, it relied on unsupported OpenSSL + behavior in a way that caused it to crash with OpenSSL 1.0.2p. + Fixes bug 27226; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (Windows, compilation, backport from 0.3.4.7-rc): + - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug + 27185; bugfix on 0.2.2.2-alpha. + + +Changes in version 0.3.2.12 - 2018-09-10 + Tor 0.3.2.12 backport numerous fixes from later versions of Tor. + + o Minor features (compatibility, backport from 0.3.4.8): + - Tell OpenSSL to maintain backward compatibility with previous + RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these + ciphers are disabled by default. Closes ticket 27344. + + o Minor features (continuous integration, backport from 0.3.4.7-rc): + - Enable macOS builds in our Travis CI configuration. Closes + ticket 24629. + - Install libcap-dev and libseccomp2-dev so these optional + dependencies get tested on Travis CI. Closes ticket 26560. + - Run asciidoc during Travis CI. Implements ticket 27087. + - Use ccache in our Travis CI configuration. Closes ticket 26952. + + o Minor features (continuous integration, rust, backport from 0.3.4.7-rc): + - Use cargo cache in our Travis CI configuration. Closes + ticket 26952. + + o Minor features (controller, backport from 0.3.4.6-rc): + - The control port now exposes the list of HTTPTunnelPorts and + ExtOrPorts via GETINFO net/listeners/httptunnel and + net/listeners/extor respectively. Closes ticket 26647. + + o Minor features (directory authorities, backport from 0.3.4.7-rc): + - Authorities no longer vote to make the subprotocol version + "LinkAuth=1" a requirement: it is unsupportable with NSS, and + hasn't been needed since Tor 0.3.0.1-alpha. Closes ticket 27286. + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2 + Country database. Closes ticket 27089. + + o Minor bugfixes (compilation, backport from 0.3.4.6-rc): + - When compiling with --enable-openbsd-malloc or --enable-tcmalloc, + tell the compiler not to include the system malloc implementation. + Fixes bug 20424; bugfix on 0.2.0.20-rc. + - Don't try to use a pragma to temporarily disable the + -Wunused-const-variable warning if the compiler doesn't support + it. Fixes bug 26785; bugfix on 0.3.2.11. + + o Minor bugfixes (compilation, backport from 0.3.4.7-rc): + - Silence a spurious compiler warning on the GetAdaptersAddresses + function pointer cast. This issue is already fixed by 26481 in + 0.3.5 and later, by removing the lookup and cast. Fixes bug 27465; + bugfix on 0.2.3.11-alpha. + - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not + supported, and always fails. Some compilers warn about the + function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix + on 0.2.2.23-alpha. + + o Minor bugfixes (compilation, windows, backport from 0.3.4.7-rc): + - Don't link or search for pthreads when building for Windows, even + if we are using build environment (like mingw) that provides a + pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (continuous integration, backport from 0.3.4.6-rc): + - Skip a pair of unreliable key generation tests on Windows, until + the underlying issue in bug 26076 is resolved. Fixes bug 26830 and + bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively. + + o Minor bugfixes (continuous integration, backport from 0.3.4.7-rc): + - Build with zstd on macOS. Fixes bug 27090; bugfix on 0.3.1.5-alpha. + - Pass the module flags to distcheck configure, and log the flags + before running configure. (Backported to 0.2.9 and later as a + precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (continuous integration, backport from 0.3.4.8): + - When a Travis build fails, and showing a log fails, keep trying to + show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc. + - When we use echo in Travis, don't pass a --flag as the first + argument. Fixes bug 27418; bugfix on 0.3.4.7-rc. + + o Minor bugfixes (directory authority, backport from 0.3.4.6-rc): + - When voting for recommended versions, make sure that all of the + versions are well-formed and parsable. Fixes bug 26485; bugfix + on 0.1.1.6-alpha. + + o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.4.7-rc): + - Fix a bug in out sandboxing rules for the openat() syscall. + Previously, no openat() call would be permitted, which would break + filesystem operations on recent glibc versions. Fixes bug 25440; + bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto. + + o Minor bugfixes (logging, backport from 0.3.4.6-rc): + - Improve the log message when connection initiators fail to + authenticate direct connections to relays. Fixes bug 26927; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (onion services, backport from 0.3.4.7-rc): + - Fix bug that causes services to not ever rotate their descriptors + if they were getting SIGHUPed often. Fixes bug 26932; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (onion services, backport from 0.3.4.8): + - Silence a spurious compiler warning in + rend_client_send_introduction(). Fixes bug 27463; bugfix + on 0.1.1.2-alpha. + + o Minor bugfixes (rust, backport from 0.3.4.7-rc): + - Backport test_rust.sh from master. Fixes bug 26497; bugfix + on 0.3.1.5-alpha. + - Consistently use ../../.. as a fallback for $abs_top_srcdir in + test_rust.sh. Fixes bug 27093; bugfix on 0.3.4.3-alpha. + - Stop setting $CARGO_HOME. cargo will use the user's $CARGO_HOME, or + $HOME/.cargo by default. Fixes bug 26497; bugfix on 0.3.1.5-alpha. + + o Minor bugfixes (single onion services, Tor2web, backport from 0.3.4.6-rc): + - Log a protocol warning when single onion services or Tor2web clients + fail to authenticate direct connections to relays. + Fixes bug 26924; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (testing, backport from 0.3.4.6-rc): + - Disable core dumps in test_bt.sh, to avoid failures in "make + distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha. + + o Minor bugfixes (testing, chutney, backport from 0.3.4.8): + - When running make test-network-all, use the mixed+hs-v2 network. + (A previous fix to chutney removed v3 onion services from the + mixed+hs-v23 network, so seeing "mixed+hs-v23" in tests is + confusing.) Fixes bug 27345; bugfix on 0.3.2.1-alpha. + - Before running make test-network-all, delete old logs and test + result files, to avoid spurious failures. Fixes bug 27295; bugfix + on 0.2.7.3-rc. + + o Minor bugfixes (testing, openssl compatibility): + - Our "tortls/cert_matches_key" unit test no longer relies on OpenSSL + internals. Previously, it relied on unsupported OpenSSL behavior in + a way that caused it to crash with OpenSSL 1.0.2p. Fixes bug 27226; + bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (testing, openssl compatibility, backport from 0.3.4.7-rc): + - Our "tortls/cert_matches_key" unit test no longer relies on + OpenSSL internals. Previously, it relied on unsupported OpenSSL + behavior in a way that caused it to crash with OpenSSL 1.0.2p. + Fixes bug 27226; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (Windows, compilation, backport from 0.3.4.7-rc): + - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug + 27185; bugfix on 0.2.2.2-alpha. + + +Changes in version 0.3.3.10 - 2018-09-10 + Tor 0.3.3.10 backports numerous fixes from later versions of Tor. + + o Minor features (bug workaround, backport from 0.3.4.7-rc): + - Compile correctly on systems that provide the C11 stdatomic.h + header, but where C11 atomic functions don't actually compile. + Closes ticket 26779; workaround for Debian issue 903709. + + o Minor features (compatibility, backport from 0.3.4.8): + - Tell OpenSSL to maintain backward compatibility with previous + RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these + ciphers are disabled by default. Closes ticket 27344. + + o Minor features (continuous integration, backport from 0.3.4.7-rc): + - Backport Travis rust distcheck to 0.3.3. Closes ticket 24629. + - Enable macOS builds in our Travis CI configuration. Closes + ticket 24629. + - Install libcap-dev and libseccomp2-dev so these optional + dependencies get tested on Travis CI. Closes ticket 26560. + - Run asciidoc during Travis CI. Implements ticket 27087. + - Use ccache in our Travis CI configuration. Closes ticket 26952. + + o Minor features (continuous integration, rust, backport from 0.3.4.7-rc): + - Use cargo cache in our Travis CI configuration. Closes + ticket 26952. + + o Minor features (controller, backport from 0.3.4.6-rc): + - The control port now exposes the list of HTTPTunnelPorts and + ExtOrPorts via GETINFO net/listeners/httptunnel and + net/listeners/extor respectively. Closes ticket 26647. + + o Minor features (directory authorities, backport from 0.3.4.7-rc): + - Authorities no longer vote to make the subprotocol version + "LinkAuth=1" a requirement: it is unsupportable with NSS, and + hasn't been needed since Tor 0.3.0.1-alpha. Closes ticket 27286. + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2 + Country database. Closes ticket 27089. + + o Minor bugfixes (compilation, backport from 0.3.4.6-rc): + - When compiling with --enable-openbsd-malloc or --enable-tcmalloc, + tell the compiler not to include the system malloc implementation. + Fixes bug 20424; bugfix on 0.2.0.20-rc. + - Don't try to use a pragma to temporarily disable the + -Wunused-const-variable warning if the compiler doesn't support + it. Fixes bug 26785; bugfix on 0.3.2.11. + + o Minor bugfixes (compilation, backport from 0.3.4.7-rc): + - Silence a spurious compiler warning on the GetAdaptersAddresses + function pointer cast. This issue is already fixed by 26481 in + 0.3.5 and later, by removing the lookup and cast. Fixes bug 27465; + bugfix on 0.2.3.11-alpha. + - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not + supported, and always fails. Some compilers warn about the + function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix + on 0.2.2.23-alpha. + + o Minor bugfixes (compilation, windows, backport from 0.3.4.7-rc): + - Don't link or search for pthreads when building for Windows, even + if we are using build environment (like mingw) that provides a + pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (continuous integration, backport from 0.3.4.6-rc): + - Skip a pair of unreliable key generation tests on Windows, until + the underlying issue in bug 26076 is resolved. Fixes bug 26830 and + bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively. + + o Minor bugfixes (continuous integration, backport from 0.3.4.7-rc): + - Build with zstd on macOS. Fixes bug 27090; bugfix on 0.3.1.5-alpha. + - Pass the module flags to distcheck configure, and log the flags + before running configure. (Backported to 0.2.9 and later as a + precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (continuous integration, backport from 0.3.4.8): + - When a Travis build fails, and showing a log fails, keep trying to + show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc. + - When we use echo in Travis, don't pass a --flag as the first + argument. Fixes bug 27418; bugfix on 0.3.4.7-rc. + + o Minor bugfixes (directory authority, backport from 0.3.4.6-rc): + - When voting for recommended versions, make sure that all of the + versions are well-formed and parsable. Fixes bug 26485; bugfix + on 0.1.1.6-alpha. + + o Minor bugfixes (in-process restart, backport from 0.3.4.7-rc): + - Always call tor_free_all() when leaving tor_run_main(). When we + did not, restarting tor in-process would cause an assertion + failure. Fixes bug 26948; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.4.7-rc): + - Fix a bug in our sandboxing rules for the openat() syscall. + Previously, no openat() call would be permitted, which would break + filesystem operations on recent glibc versions. Fixes bug 25440; + bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto. + + o Minor bugfixes (logging, backport from 0.3.4.6-rc): + - Improve the log message when connection initiators fail to + authenticate direct connections to relays. Fixes bug 26927; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (onion services, backport from 0.3.4.7-rc): + - Fix bug that causes services to not ever rotate their descriptors + if they were getting SIGHUPed often. Fixes bug 26932; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (onion services, backport from 0.3.4.8): + - Silence a spurious compiler warning in + rend_client_send_introduction(). Fixes bug 27463; bugfix + on 0.1.1.2-alpha. + + o Minor bugfixes (portability, backport from 0.3.4.6-rc): + - Work around two different bugs in the OS X 10.10 and later SDKs + that would prevent us from successfully targeting earlier versions + of OS X. Fixes bug 26876; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (portability, backport from 0.3.4.7-rc): + - Fix compilation of the unit tests on GNU/Hurd, which does not + define PATH_MAX. Fixes bug 26873; bugfix on 0.3.3.1-alpha. Patch + from "paulusASol". + + o Minor bugfixes (rust, backport from 0.3.4.7-rc): + - Backport test_rust.sh from master. Fixes bug 26497; bugfix + on 0.3.1.5-alpha. + - Consistently use ../../.. as a fallback for $abs_top_srcdir in + test_rust.sh. Fixes bug 27093; bugfix on 0.3.4.3-alpha. + - Protover parsing was accepting the presence of whitespace in + version strings, which the C implementation would choke on, e.g. + "Desc=1\t,2". Fixes bug 27177; bugfix on 0.3.3.5-rc. + - Protover parsing was ignoring a 2nd hyphen and everything after + it, accepting entries like "Link=1-5-foo". Fixes bug 27164; bugfix + on 0.3.3.1-alpha. + - Stop setting $CARGO_HOME. cargo will use the user's $CARGO_HOME, or + $HOME/.cargo by default. Fixes bug 26497; bugfix on 0.3.1.5-alpha. + - cd to ${abs_top_builddir}/src/rust before running cargo in + src/test/test_rust.sh. This makes the working directory consistent + between builds and tests. Fixes bug 26497; bugfix on 0.3.3.2-alpha. + + o Minor bugfixes (single onion services, Tor2web, backport from 0.3.4.6-rc): + - Log a protocol warning when single onion services or Tor2web clients + fail to authenticate direct connections to relays. + Fixes bug 26924; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (testing, backport from 0.3.4.6-rc): + - Disable core dumps in test_bt.sh, to avoid failures in "make + distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha. + + o Minor bugfixes (testing, chutney, backport from 0.3.4.8): + - When running make test-network-all, use the mixed+hs-v2 network. + (A previous fix to chutney removed v3 onion services from the + mixed+hs-v23 network, so seeing "mixed+hs-v23" in tests is + confusing.) Fixes bug 27345; bugfix on 0.3.2.1-alpha. + - Before running make test-network-all, delete old logs and test + result files, to avoid spurious failures. Fixes bug 27295; bugfix + on 0.2.7.3-rc. + + o Minor bugfixes (testing, openssl compatibility, backport from 0.3.4.7-rc): + - Our "tortls/cert_matches_key" unit test no longer relies on + OpenSSL internals. Previously, it relied on unsupported OpenSSL + behavior in a way that caused it to crash with OpenSSL 1.0.2p. + Fixes bug 27226; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (v3 onion services, backport from 0.3.4.6-rc): + - Stop sending ed25519 link specifiers in v3 onion service introduce + cells and descriptors, when the rendezvous or introduction point + doesn't support ed25519 link authentication. Fixes bug 26627; + bugfix on 0.3.2.4-alpha. + + o Minor bugfixes (Windows, compilation, backport from 0.3.4.7-rc): + - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug + 27185; bugfix on 0.2.2.2-alpha. + + +Changes in version 0.3.4.8 - 2018-09-10 + Tor 0.3.4.8 is the first stable release in its series; it includes + compilation and portability fixes. + + The Tor 0.3.4 series includes improvements for running Tor in + low-power and embedded environments, which should help performance in + general. We've begun work on better modularity, and included preliminary + changes on the directory authority side to accommodate a new bandwidth + measurement system. We've also integrated more continuous-integration + systems into our development process, and made corresponding changes to + Tor's testing infrastructure. Finally, we've continued to refine + our anti-denial-of-service code. + + Below are the changes since 0.3.4.7-rc. For a complete list of changes + since 0.3.3.9, see the ReleaseNotes file. + + o Minor features (compatibility): + - Tell OpenSSL to maintain backward compatibility with previous + RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these + ciphers are disabled by default. Closes ticket 27344. + + o Minor features (continuous integration): + - Log the compiler path and version during Appveyor builds. + Implements ticket 27449. + - Show config.log and test-suite.log after failed Appveyor builds. + Also upload the zipped full logs as a build artifact. Implements + ticket 27430. + + o Minor bugfixes (compilation): + - Silence a spurious compiler warning on the GetAdaptersAddresses + function pointer cast. This issue is already fixed by 26481 in + 0.3.5 and later, by removing the lookup and cast. Fixes bug 27465; + bugfix on 0.2.3.11-alpha. + - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not + supported, and always fails. Some compilers warn about the + function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix + on 0.2.2.23-alpha. + + o Minor bugfixes (continuous integration): + - Disable gcc hardening in Appveyor Windows 64-bit builds. As of + August 29 2018, Appveyor images come with gcc 8.2.0 by default. + Executables compiled for 64-bit Windows with this version of gcc + crash when Tor's --enable-gcc-hardening flag is set. Fixes bug + 27460; bugfix on 0.3.4.1-alpha. + - When a Travis build fails, and showing a log fails, keep trying to + show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc. + - When we use echo in Travis, don't pass a --flag as the first + argument. Fixes bug 27418; bugfix on 0.3.4.7-rc. + + o Minor bugfixes (onion services): + - Silence a spurious compiler warning in + rend_client_send_introduction(). Fixes bug 27463; bugfix + on 0.1.1.2-alpha. + + o Minor bugfixes (testing, chutney): + - When running make test-network-all, use the mixed+hs-v2 network. + (A previous fix to chutney removed v3 onion services from the + mixed+hs-v23 network, so seeing "mixed+hs-v23" in tests is + confusing.) Fixes bug 27345; bugfix on 0.3.2.1-alpha. + - Before running make test-network-all, delete old logs and test + result files, to avoid spurious failures. Fixes bug 27295; bugfix + on 0.2.7.3-rc. + +Changes in version 0.3.4.7-rc - 2018-08-24 + Tor 0.3.4.7-rc fixes several small compilation, portability, and + correctness issues in previous versions of Tor. This version is a + release candidate: if no serious bugs are found, we expect that the + stable 0.3.4 release will be (almost) the same as this release. + + o Minor features (bug workaround): + - Compile correctly on systems that provide the C11 stdatomic.h + header, but where C11 atomic functions don't actually compile. + Closes ticket 26779; workaround for Debian issue 903709. + + o Minor features (continuous integration): + - Backport Travis rust distcheck to 0.3.3. Closes ticket 24629. + - Enable macOS builds in our Travis CI configuration. Closes + ticket 24629. + - Install libcap-dev and libseccomp2-dev so these optional + dependencies get tested on Travis CI. Closes ticket 26560. + - Only post Appveyor IRC notifications when the build fails. + Implements ticket 27275. + - Run asciidoc during Travis CI. Implements ticket 27087. + - Use ccache in our Travis CI configuration. Closes ticket 26952. + + o Minor features (continuous integration, rust): + - Use cargo cache in our Travis CI configuration. Closes + ticket 26952. + + o Minor features (directory authorities): + - Authorities no longer vote to make the subprotocol version + "LinkAuth=1" a requirement: it is unsupportable with NSS, and + hasn't been needed since Tor 0.3.0.1-alpha. Closes ticket 27286. + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2 + Country database. Closes ticket 27089. + + o Minor bugfixes (compilation, windows): + - Don't link or search for pthreads when building for Windows, even + if we are using build environment (like mingw) that provides a + pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (continuous integration): + - Improve Appveyor CI IRC logging. Generate correct branches and + URLs for pull requests and tags. Use unambiguous short commits. + Fixes bug 26979; bugfix on master. + - Build with zstd on macOS. Fixes bug 27090; bugfix on 0.3.1.5-alpha. + - Pass the module flags to distcheck configure, and log the flags + before running configure. (Backported to 0.2.9 and later as a + precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha. + + o Minor bugfixes (in-process restart): + - Always call tor_free_all() when leaving tor_run_main(). When we + did not, restarting tor in-process would cause an assertion + failure. Fixes bug 26948; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (linux seccomp2 sandbox): + - Fix a bug in out sandboxing rules for the openat() syscall. + Previously, no openat() call would be permitted, which would break + filesystem operations on recent glibc versions. Fixes bug 25440; + bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto. + + o Minor bugfixes (onion services): + - Fix bug that causes services to not ever rotate their descriptors + if they were getting SIGHUPed often. Fixes bug 26932; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (portability): + - Fix compilation of the unit tests on GNU/Hurd, which does not + define PATH_MAX. Fixes bug 26873; bugfix on 0.3.3.1-alpha. Patch + from "paulusASol". + + o Minor bugfixes (rust): + - Backport test_rust.sh from master. Fixes bug 26497; bugfix + on 0.3.1.5-alpha. + - Consistently use ../../.. as a fallback for $abs_top_srcdir in + test_rust.sh. Fixes bug 27093; bugfix on 0.3.4.3-alpha. + - Protover parsing was accepting the presence of whitespace in + version strings, which the C implementation would choke on, e.g. + "Desc=1\t,2". Fixes bug 27177; bugfix on 0.3.3.5-rc. + - Protover parsing was ignoring a 2nd hyphen and everything after + it, accepting entries like "Link=1-5-foo". Fixes bug 27164; bugfix + on 0.3.3.1-alpha. + - Stop setting $CARGO_HOME. cargo will use the user's $CARGO_HOME, or + $HOME/.cargo by default. Fixes bug 26497; bugfix on 0.3.1.5-alpha. + - cd to ${abs_top_builddir}/src/rust before running cargo in + src/test/test_rust.sh. This makes the working directory consistent + between builds and tests. Fixes bug 26497; bugfix on 0.3.3.2-alpha. + + o Minor bugfixes (testing, bootstrap): + - When calculating bootstrap progress, check exit policies and the + exit flag. Previously, Tor would only check the exit flag, which + caused race conditions in small and fast networks like chutney. + Fixes bug 27236; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (testing, openssl compatibility): + - Our "tortls/cert_matches_key" unit test no longer relies on + OpenSSL internals. Previously, it relied on unsupported OpenSSL + behavior in a way that caused it to crash with OpenSSL 1.0.2p. + Fixes bug 27226; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (Windows, compilation): + - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug + 27185; bugfix on 0.2.2.2-alpha. + + +Changes in version 0.3.4.6-rc - 2018-08-06 + Tor 0.3.4.6-rc fixes several small compilation, portability, and + correctness issues in previous versions of Tor. This version is a + release candidate: if no serious bugs are found, we expect that the + stable 0.3.4 release will be (almost) the same as this release. + + o Major bugfixes (event scheduler): + - When we enable a periodic event, schedule it in the event loop + rather than running it immediately. Previously, we would re-run + periodic events immediately in the middle of (for example) + changing our options, with unpredictable effects. Fixes bug 27003; + bugfix on 0.3.4.1-alpha. + + o Minor features (compilation): + - When building Tor, prefer to use Python 3 over Python 2, and more + recent (contemplated) versions over older ones. Closes + ticket 26372. + - When compiling with --enable-openbsd-malloc or --enable-tcmalloc, + tell the compiler not to include the system malloc implementation. + Fixes bug 20424; bugfix on 0.2.0.20-rc. + - Don't try to use a pragma to temporarily disable the + -Wunused-const-variable warning if the compiler doesn't support + it. Fixes bug 26785; bugfix on 0.3.2.11. + + o Minor bugfixes (continuous integration): + - Skip a pair of unreliable key generation tests on Windows, until + the underlying issue in bug 26076 is resolved. Fixes bug 26830 and + bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively. + + o Minor features (controller): + - The control port now exposes the list of HTTPTunnelPorts and + ExtOrPorts via GETINFO net/listeners/httptunnel and + net/listeners/extor respectively. Closes ticket 26647. + + o Minor bugfixes (directory authority): + - When voting for recommended versions, make sure that all of the + versions are well-formed and parsable. Fixes bug 26485; bugfix + on 0.1.1.6-alpha. + + o Minor features (geoip): + - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2 + Country database. Closes ticket 26674. + + o Minor features (Rust, portability): + - Rust cross-compilation is now supported. Closes ticket 25895. + + o Minor bugfixes (compilation): + - Update build system so that tor builds again with --disable-unittests + after recent refactoring. Fixes bug 26789; bugfix on 0.3.4.3-alpha. + - Fix a compilation warning on some versions of GCC when building + code that calls routerinfo_get_my_routerinfo() twice, assuming + that the second call will succeed if the first one did. Fixes bug + 26269; bugfix on 0.2.8.2-alpha. + + o Minor bugfixes (controller): + - Report the port correctly when a port is configured to bind to + "auto". Fixes bug 26568; bugfix on 0.3.4.1-alpha. + - Parse the "HSADDRESS=" parameter in HSPOST commands properly. + Previously, it was misparsed and ignored. Fixes bug 26523; bugfix + on 0.3.3.1-alpha. Patch by "akwizgran". + + o Minor bugfixes (correctness, flow control): + - Upon receiving a stream-level SENDME cell, verify that our window + has not grown too large. Fixes bug 26214; bugfix on svn + r54 (pre-0.0.1). + + o Minor bugfixes (memory, correctness): + - Fix a number of small memory leaks identified by coverity. Fixes + bug 26467; bugfix on numerous Tor versions. + + o Minor bugfixes (logging): + - Improve the log message when connection initiators fail to + authenticate direct connections to relays. Fixes bug 26927; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (portability): + - Avoid a compilation error in test_bwmgt.c on Solaris 10. Fixes bug + 26994; bugfix on 0.3.4.1-alpha. + - Work around two different bugs in the OS X 10.10 and later SDKs + that would prevent us from successfully targeting earlier versions + of OS X. Fixes bug 26876; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (single onion services, Tor2web): + - Log a protocol warning when single onion services or Tor2web + clients fail to authenticate direct connections to relays. Fixes + bug 26924; bugfix on 0.2.9.1-alpha. + + o Minor bugfixes (testing): + - Disable core dumps in test_bt.sh, to avoid failures in "make + distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha. + + o Minor bugfixes (testing, compatibility): + - When running the ntor_ref.py and hs_ntor_ref.py tests, make sure + only to pass strings (rather than "bytes" objects) to the Python + subprocess module. Python 3 on Windows seems to require this. + Fixes bug 26535; bugfix on 0.2.5.5-alpha (for ntor_ref.py) and + 0.3.1.1-alpha (for hs_ntor_ref.py). + + o Minor bugfixes (v3 onion services): + - Stop sending ed25519 link specifiers in v3 onion service introduce + cells and descriptors, when the rendezvous or introduction point + doesn't support ed25519 link authentication. Fixes bug 26627; + bugfix on 0.3.2.4-alpha. + + +Changes in version 0.3.4.5-rc - 2018-07-13 + Tor 0.3.4.5-rc moves to a new bridge authority, meaning people running + bridge relays should upgrade. + + o Directory authority changes: + - The "Bifroest" bridge authority has been retired; the new bridge + authority is "Serge", and it is operated by George from the + TorBSD project. Closes ticket 26771. + + +Changes in version 0.3.3.9 - 2018-07-13 + Tor 0.3.3.9 moves to a new bridge authority, meaning people running + bridge relays should upgrade. + + o Directory authority changes: + - The "Bifroest" bridge authority has been retired; the new bridge + authority is "Serge", and it is operated by George from the + TorBSD project. Closes ticket 26771. + + +Changes in version 0.3.2.11 - 2018-07-13 + Tor 0.3.2.11 moves to a new bridge authority, meaning people running + bridge relays should upgrade. We also take this opportunity to backport + other minor fixes. + + o Directory authority changes: + - The "Bifroest" bridge authority has been retired; the new bridge + authority is "Serge", and it is operated by George from the + TorBSD project. Closes ticket 26771. + + o Directory authority changes (backport from 0.3.3.7): + - Add an IPv6 address for the "dannenberg" directory authority. + Closes ticket 26343. + + o Major bugfixes (directory authorities, backport from 0.3.4.1-alpha): + - When directory authorities read a zero-byte bandwidth file, they + would previously log a warning with the contents of an + uninitialised buffer. They now log a warning about the empty file + instead. Fixes bug 26007; bugfix on 0.2.2.1-alpha. + + o Major bugfixes (onion service, backport from 0.3.4.1-alpha): + - Correctly detect when onion services get disabled after HUP. Fixes + bug 25761; bugfix on 0.3.2.1. + + o Minor features (sandbox, backport from 0.3.3.4-alpha): + - Explicitly permit the poll() system call when the Linux + seccomp2-based sandbox is enabled: apparently, some versions of + libc use poll() when calling getpwnam(). Closes ticket 25313. + + o Minor feature (continuous integration, backport from 0.3.3.5-rc): + - Update the Travis CI configuration to use the stable Rust channel, + now that we have decided to require that. Closes ticket 25714. + + o Minor features (continuous integration, backport from 0.3.4.1-alpha): + - Our .travis.yml configuration now includes support for testing the + results of "make distcheck". (It's not uncommon for "make check" + to pass but "make distcheck" to fail.) Closes ticket 25814. + - Our Travis CI configuration now integrates with the Coveralls + coverage analysis tool. Closes ticket 25818. + + o Minor features (relay, diagnostic, backport from 0.3.4.3-alpha): + - Add several checks to detect whether Tor relays are uploading + their descriptors without specifying why they regenerated them. + Diagnostic for ticket 25686. + + o Minor features (compilation, backport from 0.3.4.4-rc): + - When building Tor, prefer to use Python 3 over Python 2, and more + recent (contemplated) versions over older ones. Closes + ticket 26372. + + o Minor features (geoip): + - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2 + Country database. Closes ticket 26674. + + o Minor bugfixes (correctness, client, backport from 0.3.4.1-alpha): + - Upon receiving a malformed connected cell, stop processing the + cell immediately. Previously we would mark the connection for + close, but continue processing the cell as if the connection were + open. Fixes bug 26072; bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.4.1-alpha): + - Allow the nanosleep() system call, which glibc uses to implement + sleep() and usleep(). Fixes bug 24969; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc): + - When running the hs_ntor_ref.py test, make sure only to pass + strings (rather than "bytes" objects) to the Python subprocess + module. Python 3 on Windows seems to require this. Fixes bug + 26535; bugfix on 0.3.1.1-alpha. + - When running the ntor_ref.py test, make sure only to pass strings + (rather than "bytes" objects) to the Python subprocess module. + Python 3 on Windows seems to require this. Fixes bug 26535; bugfix + on 0.2.5.5-alpha. + + o Minor bugfixes (compatibility, openssl, backport from 0.3.4.2-alpha): + - Work around a change in OpenSSL 1.1.1 where return values that + would previously indicate "no password" now indicate an empty + password. Without this workaround, Tor instances running with + OpenSSL 1.1.1 would accept descriptors that other Tor instances + would reject. Fixes bug 26116; bugfix on 0.2.5.16. + + o Minor bugfixes (documentation, backport from 0.3.3.5-rc): + - Document that the PerConnBW{Rate,Burst} options will fall back to + their corresponding consensus parameters only if those parameters + are set. Previously we had claimed that these values would always + be set in the consensus. Fixes bug 25296; bugfix on 0.2.2.7-alpha. + + o Minor bugfixes (compilation, backport from 0.3.4.4-rc): + - Fix a compilation warning on some versions of GCC when building + code that calls routerinfo_get_my_routerinfo() twice, assuming + that the second call will succeed if the first one did. Fixes bug + 26269; bugfix on 0.2.8.2-alpha. + + o Minor bugfixes (client, backport from 0.3.4.1-alpha): + - Don't consider Tor running as a client if the ControlPort is open, + but no actual client ports are open. Fixes bug 26062; bugfix + on 0.2.9.4-alpha. + + o Minor bugfixes (hardening, backport from 0.3.4.2-alpha): + - Prevent a possible out-of-bounds smartlist read in + protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha. + + o Minor bugfixes (C correctness, backport from 0.3.3.4-alpha): + - Fix a very unlikely (impossible, we believe) null pointer + dereference. Fixes bug 25629; bugfix on 0.2.9.15. Found by + Coverity; this is CID 1430932. + + o Minor bugfixes (onion service, backport from 0.3.4.1-alpha): + - Fix a memory leak when a v3 onion service is configured and gets a + SIGHUP signal. Fixes bug 25901; bugfix on 0.3.2.1-alpha. + - When parsing the descriptor signature, look for the token plus an + extra white-space at the end. This is more correct but also will + allow us to support new fields that might start with "signature". + Fixes bug 26069; bugfix on 0.3.0.1-alpha. + + o Minor bugfixes (relay, backport from 0.3.4.3-alpha): + - Relays now correctly block attempts to re-extend to the previous + relay by Ed25519 identity. Previously they would warn in this + case, but not actually reject the attempt. Fixes bug 26158; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (relay, crash, backport from 0.3.4.1-alpha): + - Avoid a crash when running with DirPort set but ORPort turned off. + Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (compilation, backport from 0.3.4.2-alpha): + - Silence unused-const-variable warnings in zstd.h with some GCC + versions. Fixes bug 26272; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (testing, backport from 0.3.3.4-alpha): + - Avoid intermittent test failures due to a test that had relied on + onion service introduction point creation finishing within 5 + seconds of real clock time. Fixes bug 25450; bugfix + on 0.3.1.3-alpha. + + o Minor bugfixes (compilation, backport from 0.3.3.4-alpha): + - Fix a C99 compliance issue in our configuration script that caused + compilation issues when compiling Tor with certain versions of + xtools. Fixes bug 25474; bugfix on 0.3.2.5-alpha. + + o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc): + - Fix a number of small memory leaks identified by coverity. Fixes + bug 26467; bugfix on numerous Tor versions. + + o Code simplification and refactoring (backport from 0.3.3.5-rc): + - Move the list of default directory authorities to its own file. + Closes ticket 24854. Patch by "beastr0". + + +Changes in version 0.2.9.16 - 2018-07-13 + Tor 0.2.9.16 moves to a new bridge authority, meaning people running + bridge relays should upgrade. We also take this opportunity to backport + other minor fixes. + + o Directory authority changes: + - The "Bifroest" bridge authority has been retired; the new bridge + authority is "Serge", and it is operated by George from the + TorBSD project. Closes ticket 26771. + + o Directory authority changes (backport from 0.3.3.7): + - Add an IPv6 address for the "dannenberg" directory authority. + Closes ticket 26343. + + o Major bugfixes (directory authorities, backport from 0.3.4.1-alpha): + - When directory authorities read a zero-byte bandwidth file, they + would previously log a warning with the contents of an + uninitialised buffer. They now log a warning about the empty file + instead. Fixes bug 26007; bugfix on 0.2.2.1-alpha. + + o Minor features (sandbox, backport from 0.3.3.4-alpha): + - Explicitly permit the poll() system call when the Linux + seccomp2-based sandbox is enabled: apparently, some versions of + libc use poll() when calling getpwnam(). Closes ticket 25313. + + o Minor features (continuous integration, backport from 0.3.4.1-alpha): + - Our .travis.yml configuration now includes support for testing the + results of "make distcheck". (It's not uncommon for "make check" + to pass but "make distcheck" to fail.) Closes ticket 25814. + - Our Travis CI configuration now integrates with the Coveralls + coverage analysis tool. Closes ticket 25818. + + o Minor features (compilation, backport from 0.3.4.4-rc): + - When building Tor, prefer to use Python 3 over Python 2, and more + recent (contemplated) versions over older ones. Closes + ticket 26372. + + o Minor features (geoip): + - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2 + Country database. Closes ticket 26674. + + o Minor bugfixes (correctness, client, backport from 0.3.4.1-alpha): + - Upon receiving a malformed connected cell, stop processing the + cell immediately. Previously we would mark the connection for + close, but continue processing the cell as if the connection were + open. Fixes bug 26072; bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.4.1-alpha): + - Allow the nanosleep() system call, which glibc uses to implement + sleep() and usleep(). Fixes bug 24969; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc): + - When running the ntor_ref.py test, make sure only to pass strings + (rather than "bytes" objects) to the Python subprocess module. + Python 3 on Windows seems to require this. Fixes bug 26535; bugfix + on 0.2.5.5-alpha. + + o Minor bugfixes (compatibility, openssl, backport from 0.3.4.2-alpha): + - Work around a change in OpenSSL 1.1.1 where return values that + would previously indicate "no password" now indicate an empty + password. Without this workaround, Tor instances running with + OpenSSL 1.1.1 would accept descriptors that other Tor instances + would reject. Fixes bug 26116; bugfix on 0.2.5.16. + + o Minor bugfixes (compilation, backport from 0.3.4.4-rc): + - Fix a compilation warning on some versions of GCC when building + code that calls routerinfo_get_my_routerinfo() twice, assuming + that the second call will succeed if the first one did. Fixes bug + 26269; bugfix on 0.2.8.2-alpha. + + o Minor bugfixes (client, backport from 0.3.4.1-alpha): + - Don't consider Tor running as a client if the ControlPort is open, + but no actual client ports are open. Fixes bug 26062; bugfix + on 0.2.9.4-alpha. + + o Minor bugfixes (hardening, backport from 0.3.4.2-alpha): + - Prevent a possible out-of-bounds smartlist read in + protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha. + + o Minor bugfixes (C correctness, backport from 0.3.3.4-alpha): + - Fix a very unlikely (impossible, we believe) null pointer + dereference. Fixes bug 25629; bugfix on 0.2.9.15. Found by + Coverity; this is CID 1430932. + + o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc): + - Fix a number of small memory leaks identified by coverity. Fixes + bug 26467; bugfix on numerous Tor versions. + + o Code simplification and refactoring (backport from 0.3.3.5-rc): + - Move the list of default directory authorities to its own file. + Closes ticket 24854. Patch by "beastr0". + + +Changes in version 0.3.4.4-rc - 2018-07-09 + Tor 0.3.4.4-rc fixes several small compilation, portability, and + correctness issues in previous versions of Tor. This version is a + release candidate: if no serious bugs are found, we expect that the + stable 0.3.4 release will be (almost) the same as this release. + + o Minor features (compilation): + - When building Tor, prefer to use Python 3 over Python 2, and more + recent (contemplated) versions over older ones. Closes + ticket 26372. + + o Minor features (geoip): + - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2 + Country database. Closes ticket 26674. + + o Minor features (Rust, portability): + - Rust cross-compilation is now supported. Closes ticket 25895. + + o Minor bugfixes (compilation): + - Fix a compilation warning on some versions of GCC when building + code that calls routerinfo_get_my_routerinfo() twice, assuming + that the second call will succeed if the first one did. Fixes bug + 26269; bugfix on 0.2.8.2-alpha. + + o Minor bugfixes (control port): + - Report the port correctly when a port is configured to bind to + "auto". Fixes bug 26568; bugfix on 0.3.4.1-alpha. + - Handle the HSADDRESS= argument to the HSPOST command properly. + (Previously, this argument was misparsed and thus ignored.) Fixes + bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran". + + o Minor bugfixes (correctness, flow control): + - Upon receiving a stream-level SENDME cell, verify that our window + has not grown too large. Fixes bug 26214; bugfix on svn + r54 (pre-0.0.1). + + o Minor bugfixes (memory, correctness): + - Fix a number of small memory leaks identified by coverity. Fixes + bug 26467; bugfix on numerous Tor versions. + + o Minor bugfixes (testing, compatibility): + - When running the hs_ntor_ref.py test, make sure only to pass + strings (rather than "bytes" objects) to the Python subprocess + module. Python 3 on Windows seems to require this. Fixes bug + 26535; bugfix on 0.3.1.1-alpha. + - When running the ntor_ref.py test, make sure only to pass strings + (rather than "bytes" objects) to the Python subprocess module. + Python 3 on Windows seems to require this. Fixes bug 26535; bugfix + on 0.2.5.5-alpha. + + +Changes in version 0.3.3.8 - 2018-07-09 + Tor 0.3.3.8 backports several changes from the 0.3.4.x series, including + fixes for a memory leak affecting directory authorities. + + o Major bugfixes (directory authority, backport from 0.3.4.3-alpha): + - Stop leaking memory on directory authorities when planning to + vote. This bug was crashing authorities by exhausting their + memory. Fixes bug 26435; bugfix on 0.3.3.6. + + o Major bugfixes (rust, testing, backport from 0.3.4.3-alpha): + - Make sure that failing tests in Rust will actually cause the build + to fail: previously, they were ignored. Fixes bug 26258; bugfix + on 0.3.3.4-alpha. + + o Minor features (compilation, backport from 0.3.4.4-rc): + - When building Tor, prefer to use Python 3 over Python 2, and more + recent (contemplated) versions over older ones. Closes + ticket 26372. + + o Minor features (geoip): + - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2 + Country database. Closes ticket 26674. + + o Minor features (relay, diagnostic, backport from 0.3.4.3-alpha): + - Add several checks to detect whether Tor relays are uploading + their descriptors without specifying why they regenerated them. + Diagnostic for ticket 25686. + + o Minor bugfixes (circuit path selection, backport from 0.3.4.1-alpha): + - Don't count path selection failures as circuit build failures. + This change should eliminate cases where Tor blames its guard or + the network for situations like insufficient microdescriptors + and/or overly restrictive torrc settings. Fixes bug 25705; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (compilation, backport from 0.3.4.4-rc): + - Fix a compilation warning on some versions of GCC when building + code that calls routerinfo_get_my_routerinfo() twice, assuming + that the second call will succeed if the first one did. Fixes bug + 26269; bugfix on 0.2.8.2-alpha. + + o Minor bugfixes (control port, backport from 0.3.4.4-rc): + - Handle the HSADDRESS= argument to the HSPOST command properly. + (Previously, this argument was misparsed and thus ignored.) Fixes + bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran". + + o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc): + - Fix a number of small memory leaks identified by coverity. Fixes + bug 26467; bugfix on numerous Tor versions. + + o Minor bugfixes (relay, backport from 0.3.4.3-alpha): + - Relays now correctly block attempts to re-extend to the previous + relay by Ed25519 identity. Previously they would warn in this + case, but not actually reject the attempt. Fixes bug 26158; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (restart-in-process, backport from 0.3.4.1-alpha): + - When shutting down, Tor now clears all the flags in the control.c + module. This should prevent a bug where authentication cookies are + not generated on restart. Fixes bug 25512; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc): + - When running the hs_ntor_ref.py test, make sure only to pass + strings (rather than "bytes" objects) to the Python subprocess + module. Python 3 on Windows seems to require this. Fixes bug + 26535; bugfix on 0.3.1.1-alpha. + - When running the ntor_ref.py test, make sure only to pass strings + (rather than "bytes" objects) to the Python subprocess module. + Python 3 on Windows seems to require this. Fixes bug 26535; bugfix + on 0.2.5.5-alpha. + + +Changes in version 0.3.4.3-alpha - 2018-06-26 + Tor 0.3.4.3-alpha fixes several bugs in earlier versions, including + one that was causing stability issues on directory authorities. + + o Major bugfixes (directory authority): + - Stop leaking memory on directory authorities when planning to + vote. This bug was crashing authorities by exhausting their + memory. Fixes bug 26435; bugfix on 0.3.3.6. + + o Major bugfixes (rust, testing): + - Make sure that failing tests in Rust will actually cause the build + to fail: previously, they were ignored. Fixes bug 26258; bugfix + on 0.3.3.4-alpha. + + o Minor feature (directory authorities): + - Stop warning about incomplete bw lines before the first complete + bw line has been found, so that additional header lines can be + ignored. Fixes bug 25960; bugfix on 0.2.2.1-alpha + + o Minor features (relay, diagnostic): + - Add several checks to detect whether Tor relays are uploading + their descriptors without specifying why they regenerated them. + Diagnostic for ticket 25686. + + o Minor features (unit tests): + - Test complete bandwidth measurements files, and test that + incomplete bandwidth lines only give warnings when the end of the + header has not been detected. Fixes bug 25947; bugfix + on 0.2.2.1-alpha + + o Minor bugfixes (compilation): + - Refrain from compiling unit testing related object files when + --disable-unittests is set to configure script. Fixes bug 24891; + bugfix on 0.2.5.1-alpha. + - When linking the libtor_testing.a library, only include the + dirauth object files once. Previously, they were getting added + twice. Fixes bug 26402; bugfix on 0.3.4.1-alpha. + - The --enable-fatal-warnings flag now affects Rust code as well. + Closes ticket 26245. + + o Minor bugfixes (onion services): + - Recompute some consensus information after detecting a clock jump, + or after transitioning from a non-live consensus to a live + consensus. We do this to avoid having an outdated state, and + miscalculating the index for next-generation onion services. Fixes + bug 24977; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (relay): + - Relays now correctly block attempts to re-extend to the previous + relay by Ed25519 identity. Previously they would warn in this + case, but not actually reject the attempt. Fixes bug 26158; bugfix + on 0.3.0.1-alpha. + + o Minor bugfixes (testing): + - Fix compilation of the doctests in the Rust crypto crate. Fixes + bug 26415; bugfix on 0.3.4.1-alpha. + - Instead of trying to read the geoip configuration files from + within the unit tests, instead create our own ersatz files with + just enough geoip data in the format we expect. Trying to read + from the source directory created problems on Windows with mingw, + where the build system's paths are not the same as the platform's + paths. Fixes bug 25787; bugfix on 0.3.4.1-alpha. + - Refrain from trying to get an item from an empty smartlist in + test_bridges_clear_bridge_list. Set DEBUG_SMARTLIST in unit tests + to catch improper smartlist usage. Furthermore, enable + DEBUG_SMARTLIST globally when build is configured with fragile + hardening. Fixes bug 26196; bugfix on 0.3.4.1-alpha. + + Changes in version 0.3.3.7 - 2018-06-12 Tor 0.3.3.7 backports several changes from the 0.3.4.x series, including fixes for bugs affecting compatibility and stability. @@ -196,7 +2230,7 @@ Changes in version 0.3.3.6 - 2018-05-22 Fixes bug 26069; bugfix on 0.3.0.1-alpha. o Minor bugfixes (relay, crash, backport from 0.3.4.1-alpha): - - Avoid a crash when running with DirPort set but ORPort tuned off. + - Avoid a crash when running with DirPort set but ORPort turned off. Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha. o Documentation (backport from 0.3.4.1-alpha): @@ -499,7 +2533,7 @@ Changes in version 0.3.4.1-alpha - 2018-05-17 here.) Fixes bug 24910; bugfix on 0.2.4.17-rc. o Minor bugfixes (relay, crash): - - Avoid a crash when running with DirPort set but ORPort tuned off. + - Avoid a crash when running with DirPort set but ORPort turned off. Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha. o Minor bugfixes (restart-in-process): @@ -617,7 +2651,7 @@ Changes in version 0.3.4.1-alpha - 2018-05-17 once had an ed25519 key associated with their RSA key to always have that key, instead of allowing them to drop back to a version that didn't support ed25519. This means they need to use a new RSA - key if the want to downgrade to an older version of tor without + key if they want to downgrade to an older version of tor without ed25519. Closes ticket 20522. o Documentation: @@ -15540,7 +17574,7 @@ Changes in version 0.2.2.36 - 2012-05-24 issue 4788. - Update to the May 1 2012 Maxmind GeoLite Country database. - - Feature removal: + o Feature removal: - When sending or relaying a RELAY_EARLY cell, we used to convert it to a RELAY cell if the connection was using the v1 link protocol. This was a workaround for older versions of Tor, which @@ -28476,4 +30510,3 @@ Changes in version 0.0.2pre13 - 2003-10-19 - If --DebugLogFile is specified, log to it at -l debug - If --LogFile is specified, use it instead of commandline - If --RunAsDaemon is set, tor forks and backgrounds on startup - |