diff options
Diffstat (limited to 'ReleaseNotes')
| -rw-r--r-- | ReleaseNotes | 1013 |
1 files changed, 1012 insertions, 1 deletions
diff --git a/ReleaseNotes b/ReleaseNotes index a572293c07..2ce9ceaa90 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -2,6 +2,1017 @@ This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. +Changes in version 0.4.4.6 - 2020-11-12 + Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It + backports fixes from later releases, including a fix for TROVE-2020- + 005, a security issue that could be used, under certain cases, by an + adversary to observe traffic patterns on a limited number of circuits + intended for a different relay. + + o Major bugfixes (security, backport from 0.4.5.1-alpha): + - When completing a channel, relays now check more thoroughly to + make sure that it matches any pending circuits before attaching + those circuits. Previously, address correctness and Ed25519 + identities were not checked in this case, but only when extending + circuits on an existing channel. Fixes bug 40080; bugfix on + 0.2.7.2-alpha. Resolves TROVE-2020-005. + + o Minor features (directory authorities, backport from 0.4.5.1-alpha): + - Authorities now list a different set of protocols as required and + recommended. These lists have been chosen so that only truly + recommended and/or required protocols are included, and so that + clients using 0.2.9 or later will continue to work (even though + they are not supported), whereas only relays running 0.3.5 or + later will meet the requirements. Closes ticket 40162. + - Make it possible to specify multiple ConsensusParams torrc lines. + Now directory authority operators can for example put the main + ConsensusParams config in one torrc file and then add to it from a + different torrc file. Closes ticket 40164. + + o Minor features (subprotocol versions, backport from 0.4.5.1-alpha): + - Tor no longer allows subprotocol versions larger than 63. + Previously version numbers up to UINT32_MAX were allowed, which + significantly complicated our code. Implements proposal 318; + closes ticket 40133. + + o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha): + - Fix a rendezvous cache unit test that was triggering an underflow + on the global rend cache allocation. Fixes bug 40125; bugfix + on 0.2.8.1-alpha. + - Fix another rendezvous cache unit test that was triggering an + underflow on the global rend cache allocation. Fixes bug 40126; + bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (compilation, backport from 0.4.5.1-alpha): + - Fix compiler warnings that would occur when building with + "--enable-all-bugs-are-fatal" and "--disable-module-relay" at the + same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha. + - Resolve a compilation warning that could occur in + test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha. + + o Minor bugfixes (logging, backport from 0.4.5.1-alpha): + - Remove a debug logging statement that uselessly spammed the logs. + Fixes bug 40135; bugfix on 0.3.5.0-alpha. + + o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha): + - Avoid a fatal assert() when failing to create a listener + connection for an address that was in use. Fixes bug 40073; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha): + - For HSFETCH commands on v2 onion services addresses, check the + length of bytes decoded, not the base32 length. Fixes bug 34400; + bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan. + + +Changes in version 0.4.3.7 - 2020-11-12 + Tor 0.4.3.7 backports several bugfixes from later releases. It + includes a fix for TROVE-2020-005, a security issue that could be + used, under certain cases, by an adversary to observe traffic patterns + on a limited number of circuits intended for a different relay. + + Please be aware that support for the 0.4.3.x series will end on 15 + February 2021. Please upgrade to 0.4.4.x or 0.4.5.x before then, or + downgrade to 0.3.5.x, which will be supported until at least 1 + February 2022. + + o Major features (fallback directory list, backport form 0.4.4.3-alpha): + - Replace the 148 fallback directories originally included in Tor + 0.4.1.4-rc (of which around 105 are still functional) with a list + of 144 fallbacks generated in July 2020. Closes ticket 40061. + + o Major bugfixes (security, backport from 0.4.5.1-alpha): + - When completing a channel, relays now check more thoroughly to + make sure that it matches any pending circuits before attaching + those circuits. Previously, address correctness and Ed25519 + identities were not checked in this case, but only when extending + circuits on an existing channel. Fixes bug 40080; bugfix on + 0.2.7.2-alpha. Resolves TROVE-2020-005. + + o Major bugfixes (NSS, backport from 0.4.4.3-alpha): + - When running with NSS enabled, make sure that NSS knows to expect + nonblocking sockets. Previously, we set our TCP sockets as + nonblocking, but did not tell NSS, which in turn could lead to + unexpected blocking behavior. Fixes bug 40035; bugfix + on 0.3.5.1-alpha. + + o Minor features (security, backport from 0.4.4.4-rc): + - Channels using obsolete versions of the Tor link protocol are no + longer allowed to circumvent address-canonicity checks. (This is + only a minor issue, since such channels have no way to set ed25519 + keys, and therefore should always be rejected for circuits that + specify ed25519 identities.) Closes ticket 40081. + + o Minor features (subprotocol versions, backport from 0.4.5.1-alpha): + - Tor no longer allows subprotocol versions larger than 63. + Previously version numbers up to UINT32_MAX were allowed, which + significantly complicated our code. Implements proposal 318; + closes ticket 40133. + + o Minor features (tests, backport from 0.4.4.5): + - Our "make check" target now runs the unit tests in 8 parallel + chunks. Doing this speeds up hardened CI builds by more than a + factor of two. Closes ticket 40098. + + o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha): + - Fix a rendezvous cache unit test that was triggering an underflow + on the global rend cache allocation. Fixes bug 40125; bugfix + on 0.2.8.1-alpha. + - Fix another rendezvous cache unit test that was triggering an + underflow on the global rend cache allocation. Fixes bug 40126; + bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc): + - Fix a correctness bug that could cause an assertion failure if we + ever tried using the buf_move_all() function with an empty input + buffer. As far as we know, no released versions of Tor do this. + Fixes bug 40076; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.5.1-alpha): + - Remove a debug logging statement that uselessly spammed the logs. + Fixes bug 40135; bugfix on 0.3.5.0-alpha. + + o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc): + - On a bridge, treat all connections from an ExtORPort as remote by + default for the purposes of rate-limiting. Previously, bridges + would treat the connection as local unless they explicitly + received a "USERADDR" command. ExtORPort connections still count + as local if there is a USERADDR command with an explicit local + address. Fixes bug 33747; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha): + - Avoid a fatal assert() when failing to create a listener + connection for an address that was in use. Fixes bug 40073; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha): + - Adjust the rules for when to warn about having too many + connections to other relays. Previously we'd tolerate up to 1.5 + connections per relay on average. Now we tolerate more connections + for directory authorities, and raise the number of total + connections we need to see before we warn. Fixes bug 33880; bugfix + on 0.3.1.1-alpha. + + o Minor bugfixes (tests, 0.4.4.5): + - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run + on its own. Previously, it would exit with an error. Fixes bug + 40099; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha): + - For HSFETCH commands on v2 onion services addresses, check the + length of bytes decoded, not the base32 length. Fixes bug 34400; + bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan. + + o Minor bugfixes (windows, backport from 0.4.4.4-rc): + - Fix a bug that prevented Tor from starting if its log file grew + above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha. + + o Deprecated features (onion service v2, backport form 0.4.4.2-alpha): + - Add a deprecation warning for version 2 onion services. Closes + ticket 40003. + + o Removed features (backport from 0.4.4.3-alpha): + - Our "check-local" test target no longer tries to use the + Coccinelle semantic patching tool parse all the C files. While it + is a good idea to try to make sure Coccinelle works on our C + before we run a Coccinelle patch, doing so on every test run has + proven to be disruptive. You can still run this tool manually with + "make check-cocci". Closes ticket 40030. ticket 40030. + + +Changes in version 0.3.5.12 - 2020-11-12 + Tor 0.4.3.7 backports several bugfixes from later releases. It + includes a fix for TROVE-2020-005, a security issue that could be + used, under certain cases, by an adversary to observe traffic patterns + on a limited number of circuits intended for a different relay. + + o Major features (fallback directory list, backport form 0.4.4.3-alpha): + - Replace the 148 fallback directories originally included in Tor + 0.4.1.4-rc (of which around 105 are still functional) with a list + of 144 fallbacks generated in July 2020. Closes ticket 40061. + + o Major bugfixes (security, backport from 0.4.5.1-alpha): + - When completing a channel, relays now check more thoroughly to + make sure that it matches any pending circuits before attaching + those circuits. Previously, address correctness and Ed25519 + identities were not checked in this case, but only when extending + circuits on an existing channel. Fixes bug 40080; bugfix on + 0.2.7.2-alpha. Resolves TROVE-2020-005. + + o Major bugfixes (NSS, backport from 0.4.4.3-alpha): + - When running with NSS enabled, make sure that NSS knows to expect + nonblocking sockets. Previously, we set our TCP sockets as + nonblocking, but did not tell NSS, which in turn could lead to + unexpected blocking behavior. Fixes bug 40035; bugfix + on 0.3.5.1-alpha. + + o Minor features (security, backport from 0.4.4.4-rc): + - Channels using obsolete versions of the Tor link protocol are no + longer allowed to circumvent address-canonicity checks. (This is + only a minor issue, since such channels have no way to set ed25519 + keys, and therefore should always be rejected for circuits that + specify ed25519 identities.) Closes ticket 40081. + + o Minor features (debugging, directory system): + - Don't crash when we find a non-guard with a guard-fraction value + set. Instead, log a bug warning, in an attempt to figure out how + this happened. Diagnostic for ticket 32868. + + o Minor features (subprotocol versions, backport from 0.4.5.1-alpha): + - Tor no longer allows subprotocol versions larger than 63. + Previously version numbers up to UINT32_MAX were allowed, which + significantly complicated our code. Implements proposal 318; + closes ticket 40133. + + o Minor features (tests, backport from 0.4.4.5): + - Our "make check" target now runs the unit tests in 8 parallel + chunks. Doing this speeds up hardened CI builds by more than a + factor of two. Closes ticket 40098. + + o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha): + - Fix a rendezvous cache unit test that was triggering an underflow + on the global rend cache allocation. Fixes bug 40125; bugfix + on 0.2.8.1-alpha. + - Fix another rendezvous cache unit test that was triggering an + underflow on the global rend cache allocation. Fixes bug 40126; + bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc): + - Fix a correctness bug that could cause an assertion failure if we + ever tried using the buf_move_all() function with an empty input + buffer. As far as we know, no released versions of Tor do this. + Fixes bug 40076; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.5.1-alpha): + - Remove a debug logging statement that uselessly spammed the logs. + Fixes bug 40135; bugfix on 0.3.5.0-alpha. + + o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc): + - On a bridge, treat all connections from an ExtORPort as remote by + default for the purposes of rate-limiting. Previously, bridges + would treat the connection as local unless they explicitly + received a "USERADDR" command. ExtORPort connections still count + as local if there is a USERADDR command with an explicit local + address. Fixes bug 33747; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha): + - Avoid a fatal assert() when failing to create a listener + connection for an address that was in use. Fixes bug 40073; bugfix + on 0.3.5.1-alpha. + + o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha): + - Adjust the rules for when to warn about having too many + connections to other relays. Previously we'd tolerate up to 1.5 + connections per relay on average. Now we tolerate more connections + for directory authorities, and raise the number of total + connections we need to see before we warn. Fixes bug 33880; bugfix + on 0.3.1.1-alpha. + + o Minor bugfixes (relays, backport from 0.4.4.1-alpha): + - Stop advertising incorrect IPv6 ORPorts in relay and bridge + descriptors, when the IPv6 port was configured as "auto". Fixes + bug 32588; bugfix on 0.2.3.9-alpha. + + o Minor bugfixes (tests, 0.4.4.5): + - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run + on its own. Previously, it would exit with an error. Fixes bug + 40099; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (windows, backport from 0.4.4.4-rc): + - Fix a bug that prevented Tor from starting if its log file grew + above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha. + + o Deprecated features (onion service v2, backport form 0.4.4.2-alpha): + - Add a deprecation warning for version 2 onion services. Closes + ticket 40003. + +Changes in version 0.4.4.5 - 2020-09-15 + Tor 0.4.4.5 is the first stable release in the 0.4.4.x series. This + series improves our guard selection algorithms, adds v3 onion balance + support, improves the amount of code that can be disabled when running + without relay support, and includes numerous small bugfixes and + enhancements. It also lays the ground for some IPv6 features that + we'll be developing more in the next (0.4.5) series. + + Per our support policy, we support each stable release series for nine + months after its first stable release, or three months after the first + stable release of the next series: whichever is longer. This means + that 0.4.4.x will be supported until around June 2021--or later, if + 0.4.5.x is later than anticipated. + + Note also that support for 0.4.2.x has just ended; support for 0.4.3 + will continue until Feb 15, 2021. We still plan to continue supporting + 0.3.5.x, our long-term stable series, until Feb 2022. + + Below are the changes since 0.4.3.6-rc. For a complete list of changes + since 0.4.4.4-rc, see the ChangeLog file. + + o Major features (Proposal 310, performance + security): + - Implements Proposal 310, "Bandaid on guard selection". Proposal + 310 solves load-balancing issues with older versions of the guard + selection algorithm, and improves its security. Under this new + algorithm, a newly selected guard never becomes Primary unless all + previously sampled guards are unreachable. Implements + recommendation from 32088. (Proposal 310 is linked to the CLAPS + project researching optimal client location-aware path selections. + This project is a collaboration between the UCLouvain Crypto Group, + the U.S. Naval Research Laboratory, and Princeton University.) + + o Major features (fallback directory list): + - Replace the 148 fallback directories originally included in Tor + 0.4.1.4-rc (of which around 105 are still functional) with a list + of 144 fallbacks generated in July 2020. Closes ticket 40061. + + o Major features (IPv6, relay): + - Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol + warning if the IPv4 or IPv6 address is an internal address, and + internal addresses are not allowed. But continue to use the other + address, if it is valid. Closes ticket 33817. + - If a relay can extend over IPv4 and IPv6, and both addresses are + provided, it chooses between them uniformly at random. Closes + ticket 33817. + - Re-use existing IPv6 connections for circuit extends. Closes + ticket 33817. + - Relays may extend circuits over IPv6, if the relay has an IPv6 + ORPort, and the client supplies the other relay's IPv6 ORPort in + the EXTEND2 cell. IPv6 extends will be used by the relay IPv6 + ORPort self-tests in 33222. Closes ticket 33817. + + o Major features (v3 onion services): + - Allow v3 onion services to act as OnionBalance backend instances, + by using the HiddenServiceOnionBalanceInstance torrc option. + Closes ticket 32709. + + o Major bugfixes (NSS): + - When running with NSS enabled, make sure that NSS knows to expect + nonblocking sockets. Previously, we set our TCP sockets as + nonblocking, but did not tell NSS, which in turn could lead to + unexpected blocking behavior. Fixes bug 40035; bugfix + on 0.3.5.1-alpha. + + o Major bugfixes (onion services, DoS): + - Correct handling of parameters for the onion service DoS defense. + Previously, the consensus parameters for the onion service DoS + defenses were overwriting the parameters set by the service + operator using HiddenServiceEnableIntroDoSDefense. Fixes bug + 40109; bugfix on 0.4.2.1-alpha. + + o Major bugfixes (stats, onion services): + - Fix a bug where we were undercounting the Tor network's total + onion service traffic, by ignoring any traffic originating from + clients. Now we count traffic from both clients and services. + Fixes bug 40117; bugfix on 0.2.6.2-alpha. + + o Minor features (security): + - Channels using obsolete versions of the Tor link protocol are no + longer allowed to circumvent address-canonicity checks. (This is + only a minor issue, since such channels have no way to set ed25519 + keys, and therefore should always be rejected for circuits that + specify ed25519 identities.) Closes ticket 40081. + + o Minor features (bootstrap reporting): + - Report more detailed reasons for bootstrap failure when the + failure happens due to a TLS error. Previously we would just call + these errors "MISC" when they happened during read, and "DONE" + when they happened during any other TLS operation. Closes + ticket 32622. + + o Minor features (client-only compilation): + - Disable more code related to the ext_orport protocol when + compiling without support for relay mode. Closes ticket 33368. + - Disable more of our self-testing code when support for relay mode + is disabled. Closes ticket 33370. + - Most server-side DNS code is now disabled when building without + support for relay mode. Closes ticket 33366. + + o Minor features (code safety): + - Check for failures of tor_inet_ntop() and tor_inet_ntoa() + functions in DNS and IP address processing code, and adjust + codepaths to make them less likely to crash entire Tor instances. + Resolves issue 33788. + + o Minor features (continuous integration): + - Run unit-test and integration test (Stem, Chutney) jobs with + ALL_BUGS_ARE_FATAL macro being enabled on Travis and Appveyor. + Resolves ticket 32143. + + o Minor features (control port): + - If a ClientName was specified in ONION_CLIENT_AUTH_ADD for an + onion service, display it when we use ONION_CLIENT_AUTH_VIEW. + Closes ticket 40089. Patch by Neel Chauhan. + - Return a descriptive error message from the 'GETINFO status/fresh- + relay-descs' command on the control port. Previously, we returned + a generic error of "Error generating descriptor". Closes ticket + 32873. Patch by Neel Chauhan. + + o Minor features (defense in depth): + - Wipe more data from connection address fields before returning + them to the memory heap. Closes ticket 6198. + + o Minor features (denial-of-service memory limiter): + - Allow the user to configure even lower values for the + MaxMemInQueues parameter. Relays now enforce a minimum of 64 MB, + when previously the minimum was 256 MB. On clients, there is no + minimum. Relays and clients will both warn if the value is set so + low that Tor is likely to stop working. Closes ticket 24308. + + o Minor features (developer tooling): + - Add a script to help check the alphabetical ordering of option + names in the manual page. Closes ticket 33339. + - Refrain from listing all .a files that are generated by the Tor + build in .gitignore. Add a single wildcard *.a entry that covers + all of them for present and future. Closes ticket 33642. + - Add a script ("git-install-tools.sh") to install git hooks and + helper scripts. Closes ticket 33451. + + o Minor features (directory authority): + - Authorities now recommend the protocol versions that are supported + by Tor 0.3.5 and later. (Earlier versions of Tor have been + deprecated since January of this year.) This recommendation will + cause older clients and relays to give a warning on startup, or + when they download a consensus directory. Closes ticket 32696. + + o Minor features (directory authority, shared random): + - Refactor more authority-only parts of the shared-random scheduling + code to reside in the dirauth module, and to be disabled when + compiling with --disable-module-dirauth. Closes ticket 33436. + + o Minor features (directory): + - Remember the number of bytes we have downloaded for each directory + purpose while bootstrapping, and while fully bootstrapped. Log + this information as part of the heartbeat message. Closes + ticket 32720. + + o Minor features (entry guards): + - Reinstate support for GUARD NEW/UP/DOWN control port events. + Closes ticket 40001. + + o Minor features (IPv6 support): + - Adds IPv6 support to tor_addr_is_valid(). Adds tests for the above + changes and tor_addr_is_null(). Closes ticket 33679. Patch + by MrSquanchee. + - Allow clients and relays to send dual-stack and IPv6-only EXTEND2 + cells. Parse dual-stack and IPv6-only EXTEND2 cells on relays. + Closes ticket 33901. + + o Minor features (linux seccomp2 sandbox, portability): + - Allow Tor to build on platforms where it doesn't know how to + report which syscall caused the linux seccomp2 sandbox to fail. + This change should make the sandbox code more portable to less + common Linux architectures. Closes ticket 34382. + - Permit the unlinkat() syscall, which some Libc implementations use + to implement unlink(). Closes ticket 33346. + + o Minor features (logging): + - When trying to find our own address, add debug-level logging to + report the sources of candidate addresses. Closes ticket 32888. + + o Minor features (onion service client, SOCKS5): + - Add 3 new SocksPort ExtendedErrors (F2, F3, F7) that reports back + new type of onion service connection failures. The semantics of + these error codes are documented in proposal 309. Closes + ticket 32542. + + o Minor features (onion service v3): + - If a service cannot upload its descriptor(s), log why at INFO + level. Closes ticket 33400; bugfix on 0.3.2.1-alpha. + + o Minor features (python scripts): + - Stop assuming that /usr/bin/python exists. Instead of using a + hardcoded path in scripts that still use Python 2, use + /usr/bin/env, similarly to the scripts that use Python 3. Fixes + bug 33192; bugfix on 0.4.2. + + o Minor features (testing, architecture): + - Our test scripts now double-check that subsystem initialization + order is consistent with the inter-module dependencies established + by our .may_include files. Implements ticket 31634. + - Initialize all subsystems at the beginning of our unit test + harness, to avoid crashes due to uninitialized subsystems. Follow- + up from ticket 33316. + - Our "make check" target now runs the unit tests in 8 parallel + chunks. Doing this speeds up hardened CI builds by more than a + factor of two. Closes ticket 40098. + + o Minor features (v3 onion services): + - Add v3 onion service status to the dumpstats() call which is + triggered by a SIGUSR1 signal. Previously, we only did v2 onion + services. Closes ticket 24844. Patch by Neel Chauhan. + + o Minor features (windows): + - Add support for console control signals like Ctrl+C in Windows. + Closes ticket 34211. Patch from Damon Harris (TheDcoder). + + o Minor bugfixes (control port, onion service): + - Consistently use 'address' in "Invalid v3 address" response to + ONION_CLIENT_AUTH commands. Previously, we would sometimes say + 'addr'. Fixes bug 40005; bugfix on 0.4.3.1-alpha. + + o Minor bugfixes (correctness, buffers): + - Fix a correctness bug that could cause an assertion failure if we + ever tried using the buf_move_all() function with an empty input + buffer. As far as we know, no released versions of Tor do this. + Fixes bug 40076; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (directory authorities): + - Directory authorities now reject votes that arrive too late. In + particular, once an authority has started fetching missing votes, + it no longer accepts new votes posted by other authorities. This + change helps prevent a consensus split, where only some authorities + have the late vote. Fixes bug 4631; bugfix on 0.2.0.5-alpha. + + o Minor bugfixes (git scripts): + - Stop executing the checked-out pre-commit hook from the pre-push + hook. Instead, execute the copy in the user's git directory. Fixes + bug 33284; bugfix on 0.4.1.1-alpha. + + o Minor bugfixes (initialization): + - Initialize the subsystems in our code in an order more closely + corresponding to their dependencies, so that every system is + initialized before the ones that (theoretically) depend on it. + Fixes bug 33316; bugfix on 0.4.0.1-alpha. + + o Minor bugfixes (IPv4, relay): + - Check for invalid zero IPv4 addresses and ports when sending and + receiving extend cells. Fixes bug 33900; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (IPv6, relay): + - Consider IPv6 addresses when checking if a connection is + canonical. In 17604, relays assumed that a remote relay could + consider an IPv6 connection canonical, but did not set the + canonical flag on their side of the connection. Fixes bug 33899; + bugfix on 0.3.1.1-alpha. + - Log IPv6 addresses on connections where this relay is the + responder. Previously, responding relays would replace the remote + IPv6 address with the IPv4 address from the consensus. Fixes bug + 33899; bugfix on 0.3.1.1-alpha. + + o Minor bugfixes (linux seccomp2 sandbox): + - Fix a regression on sandboxing rules for the openat() syscall. The + fix for bug 25440 fixed the problem on systems with glibc >= 2.27 + but broke with versions of glibc. We now choose a rule based on + the glibc version. Patch from Daniel Pinto. Fixes bug 27315; + bugfix on 0.3.5.11. + - Makes the seccomp sandbox allow the correct syscall for opendir + according to the running glibc version. This fixes crashes when + reloading torrc with sandbox enabled when running on glibc 2.15 to + 2.21 and 2.26. Patch from Daniel Pinto. Fixes bug 40020; bugfix + on 0.3.5.11. + + o Minor bugfixes (logging, testing): + - Make all of tor's assertion macros support the ALL_BUGS_ARE_FATAL + and DISABLE_ASSERTS_IN_UNIT_TESTS debugging modes. (IF_BUG_ONCE() + used to log a non-fatal warning, regardless of the debugging + mode.) Fixes bug 33917; bugfix on 0.2.9.1-alpha. + - Remove surprising empty line in the INFO-level log about circuit + build timeout. Fixes bug 33531; bugfix on 0.3.3.1-alpha. + + o Minor bugfixes (mainloop): + - Better guard against growing a buffer past its maximum 2GB in + size. Fixes bug 33131; bugfix on 0.3.0.4-rc. + + o Minor bugfixes (onion service v3 client): + - Remove a BUG() warning that could occur naturally. Fixes bug + 34087; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (onion service, logging): + - Fix a typo in a log message PublishHidServDescriptors is set to 0. + Fixes bug 33779; bugfix on 0.3.2.1-alpha. + + o Minor bugfixes (onion services v3): + - Avoid a non-fatal assertion failure in certain edge-cases when + opening an intro circuit as a client. Fixes bug 34084; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (protocol versions): + - Sort tor's supported protocol version lists, as recommended by the + tor directory specification. Fixes bug 33285; bugfix + on 0.4.0.1-alpha. + + o Minor bugfixes (rate limiting, bridges, pluggable transports): + - On a bridge, treat all connections from an ExtORPort as remote by + default for the purposes of rate-limiting. Previously, bridges + would treat the connection as local unless they explicitly + received a "USERADDR" command. ExtORPort connections still count + as local if there is a USERADDR command with an explicit local + address. Fixes bug 33747; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (refactoring): + - Lift circuit_build_times_disabled() out of the + circuit_expire_building() loop, to save CPU time when there are + many circuits open. Fixes bug 33977; bugfix on 0.3.5.9. + + o Minor bugfixes (relay, self-testing): + - When starting up as a relay, if we haven't been able to verify + that we're reachable, only launch reachability tests at most once + a minute. Previously, we had been launching tests up to once a + second, which was needlessly noisy. Fixes bug 40083; bugfix + on 0.2.8.1-alpha. + + o Minor bugfixes (relay, usability): + - Adjust the rules for when to warn about having too many + connections to other relays. Previously we'd tolerate up to 1.5 + connections per relay on average. Now we tolerate more connections + for directory authorities, and raise the number of total + connections we need to see before we warn. Fixes bug 33880; bugfix + on 0.3.1.1-alpha. + + o Minor bugfixes (SOCKS, onion service client): + - Detect v3 onion service addresses of the wrong length when + returning the F6 ExtendedErrors code. Fixes bug 33873; bugfix + on 0.4.3.1-alpha. + + o Minor bugfixes (tests): + - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run + on its own. Previously, it would exit with an error. Fixes bug + 40099; bugfix on 0.2.8.1-alpha. + + o Minor bugfixes (v3 onion services): + - Remove a BUG() warning that could trigger in certain unlikely + edge-cases. Fixes bug 34086; bugfix on 0.3.2.1-alpha. + - Remove a BUG() that was causing a stacktrace when a descriptor + changed at an unexpected time. Fixes bug 28992; bugfix + on 0.3.2.1-alpha. + + o Minor bugfixes (windows): + - Fix a bug that prevented Tor from starting if its log file grew + above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha. + + o Code simplification and refactoring: + - Define and use a new constant TOR_ADDRPORT_BUF_LEN which is like + TOR_ADDR_BUF_LEN but includes enough space for an IP address, + brackets, separating colon, and port number. Closes ticket 33956. + Patch by Neel Chauhan. + - Merge the orconn and ocirc events into the "core" subsystem, which + manages or connections and origin circuits. Previously they were + isolated in subsystems of their own. + - Move LOG_PROTOCOL_WARN to app/config. Resolves a dependency + inversion. Closes ticket 33633. + - Move the circuit extend code to the relay module. Split the + circuit extend function into smaller functions. Closes + ticket 33633. + - Rewrite port_parse_config() to use the default port flags from + port_cfg_new(). Closes ticket 32994. Patch by MrSquanchee. + - Updated comments in 'scheduler.c' to reflect old code changes, and + simplified the scheduler channel state change code. Closes + ticket 33349. + - Refactor configuration parsing to use the new config subsystem + code. Closes ticket 33014. + - Move a series of functions related to address resolving into their + own files. Closes ticket 33789. + + o Documentation: + - Replace most http:// URLs in our code and documentation with + https:// URLs. (We have left unchanged the code in src/ext/, and + the text in LICENSE.) Closes ticket 31812. Patch from Jeremy Rand. + - Document the limitations of using %include on config files with + seccomp sandbox enabled. Fixes documentation bug 34133; bugfix on + 0.3.1.1-alpha. Patch by Daniel Pinto. + + o Removed features: + - Our "check-local" test target no longer tries to use the + Coccinelle semantic patching tool parse all the C files. While it + is a good idea to try to make sure Coccinelle works on our C + before we run a Coccinelle patch, doing so on every test run has + proven to be disruptive. You can still run this tool manually with + "make check-cocci". Closes ticket 40030. + - Remove the ClientAutoIPv6ORPort option. This option attempted to + randomly choose between IPv4 and IPv6 for client connections, and + wasn't a true implementation of Happy Eyeballs. Often, this option + failed on IPv4-only or IPv6-only connections. Closes ticket 32905. + Patch by Neel Chauhan. + - Stop shipping contrib/dist/rc.subr file, as it is not being used + on FreeBSD anymore. Closes issue 31576. + + o Testing: + - Add a basic IPv6 test to "make test-network". This test only runs + when the local machine has an IPv6 stack. Closes ticket 33300. + - Add test-network-ipv4 and test-network-ipv6 jobs to the Makefile. + These jobs run the IPv4-only and dual-stack chutney flavours from + test-network-all. Closes ticket 33280. + - Remove a redundant distcheck job. Closes ticket 33194. + - Run the test-network-ipv6 Makefile target in the Travis CI IPv6 + chutney job. This job runs on macOS, so it's a bit slow. Closes + ticket 33303. + - Sort the Travis jobs in order of speed. Putting the slowest jobs + first takes full advantage of Travis job concurrency. Closes + ticket 33194. + - Stop allowing the Chutney IPv6 Travis job to fail. This job was + previously configured to fast_finish (which requires + allow_failure), to speed up the build. Closes ticket 33195. + - Test v3 onion services to tor's mixed IPv4 chutney network. And + add a mixed IPv6 chutney network. These networks are used in the + test-network-all, test-network-ipv4, and test-network-ipv6 make + targets. Closes ticket 33334. + - Use the "bridges+hs-v23" chutney network flavour in "make test- + network". This test requires a recent version of chutney (mid- + February 2020). Closes ticket 28208. + - When a Travis chutney job fails, use chutney's new "diagnostics.sh" + tool to produce detailed diagnostic output. Closes ticket 32792. + + o Deprecated features (onion service v2): + - Add a deprecation warning for version 2 onion services. Closes + ticket 40003. + + o Documentation (manual page): + - Add cross reference links and a table of contents to the HTML tor + manual page. Closes ticket 33369. Work by Swati Thacker as part of + Google Season of Docs. + - Alphabetize the Denial of Service Mitigation Options, Directory + Authority Server Options, Hidden Service Options, and Testing + Network Options sections of the tor(1) manual page. Closes ticket + 33275. Work by Swati Thacker as part of Google Season of Docs. + - Refrain from mentioning nicknames in manpage section for MyFamily + torrc option. Resolves issue 33417. + - Updated the options set by TestingTorNetwork in the manual page. + Closes ticket 33778. + + +Changes in version 0.3.5.11 - 2020-07-09 + Tor 0.3.5.11 backports fixes from later tor releases, including several + usability, portability, and reliability fixes. + + This release also fixes TROVE-2020-001, a medium-severity denial of + service vulnerability affecting all versions of Tor when compiled with + the NSS encryption library. (This is not the default configuration.) + Using this vulnerability, an attacker could cause an affected Tor + instance to crash remotely. This issue is also tracked as CVE-2020- + 15572. Anybody running a version of Tor built with the NSS library + should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha + or later. + + o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha): + - Fix a crash due to an out-of-bound memory access when Tor is + compiled with NSS support. Fixes bug 33119; bugfix on + 0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001 + and CVE-2020-15572. + + o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc): + - Fix a bug that was preventing DoS defenses from running on bridges + with a pluggable transport. Previously, the DoS subsystem was not + given the transport name of the client connection, thus failed to + find the GeoIP cache entry for that client address. Fixes bug + 33491; bugfix on 0.3.3.2-alpha. + + o Minor features (testing, backport from 0.4.3.4-rc): + - The unit tests now support a "TOR_SKIP_TESTCASES" environment + variable to specify a list of space-separated test cases that + should not be executed. We will use this to disable certain tests + that are failing on Appveyor because of mismatched OpenSSL + libraries. Part of ticket 33643. + + o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha): + - Use the correct 64-bit printf format when compiling with MINGW on + Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha. + + o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha): + - Warn if the ContactInfo field is not set, and tell the relay + operator that not having a ContactInfo field set might cause their + relay to get rejected in the future. Fixes bug 33361; bugfix + on 0.1.1.10-alpha. + + o Minor bugfixes (client performance, backport from 0.4.4.1-alpha): + - Resume use of preemptively-built circuits when UseEntryGuards is set + to 0. We accidentally disabled this feature with that config + setting, leading to slower load times. Fixes bug 34303; bugfix + on 0.3.3.2-alpha. + + o Minor bugfixes (compiler compatibility, backport from 0.4.3.5): + - Avoid compiler warnings from Clang 10 related to the use of GCC- + style "/* falls through */" comments. Both Clang and GCC allow + __attribute__((fallthrough)) instead, so that's what we're using + now. Fixes bug 34078; bugfix on 0.3.1.3-alpha. + + o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha): + - Fix a compiler warning on platforms with 32-bit time_t values. + Fixes bug 40028; bugfix on 0.3.2.8-rc. + + o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha): + - When starting Tor any time after the first time in a process, + register the thread in which it is running as the main thread. + Previously, we only did this on Windows, which could lead to bugs + like 23081 on non-Windows platforms. Fixes bug 32884; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (key portability, backport from 0.4.3.4-rc): + - When reading PEM-encoded key data, tolerate CRLF line-endings even + if we are not running on Windows. Previously, non-Windows hosts + would reject these line-endings in certain positions, making + certain key files hard to move from one host to another. Fixes bug + 33032; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.4.2-alpha): + - Downgrade a noisy log message that could occur naturally when + receiving an extrainfo document that we no longer want. Fixes bug + 16016; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha): + - Remove a BUG() warning that would cause a stack trace if an onion + service descriptor was freed while we were waiting for a + rendezvous circuit to complete. Fixes bug 28992; bugfix + on 0.3.2.1-alpha. + + o Testing (CI, backport from 0.4.3.4-rc): + - In our Appveyor Windows CI, copy required DLLs to test and app + directories, before running tor's tests. This ensures that tor.exe + and test*.exe use the correct version of each DLL. This fix is not + required, but we hope it will avoid DLL search issues in future. + Fixes bug 33673; bugfix on 0.3.4.2-alpha. + - On Appveyor, skip the crypto/openssl_version test, which is + failing because of a mismatched library installation. Fix + for 33643. + + +Changes in version 0.4.2.8 - 2020-07-09 + Tor 0.4.2.8 backports various fixes from later releases, including + several that affect usability and portability. + + This release also fixes TROVE-2020-001, a medium-severity denial of + service vulnerability affecting all versions of Tor when compiled with + the NSS encryption library. (This is not the default configuration.) + Using this vulnerability, an attacker could cause an affected Tor + instance to crash remotely. This issue is also tracked as CVE-2020- + 15572. Anybody running a version of Tor built with the NSS library + should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha + or later. + + o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha): + - Fix a crash due to an out-of-bound memory access when Tor is + compiled with NSS support. Fixes bug 33119; bugfix on + 0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001 + and CVE-2020-15572. + + o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc): + - Fix a bug that was preventing DoS defenses from running on bridges + with a pluggable transport. Previously, the DoS subsystem was not + given the transport name of the client connection, thus failed to + find the GeoIP cache entry for that client address. Fixes bug + 33491; bugfix on 0.3.3.2-alpha. + + o Minor feature (sendme, flow control, backport form 0.4.3.4-rc): + - Default to sending SENDME version 1 cells. (Clients are already + sending these, because of a consensus parameter telling them to do + so: this change only affects what clients would do if the + consensus didn't contain a recommendation.) Closes ticket 33623. + + o Minor features (diagnostic, backport from 0.4.3.3-alpha): + - Improve assertions and add some memory-poisoning code to try to + track down possible causes of a rare crash (32564) in the EWMA + code. Closes ticket 33290. + + o Minor features (testing, backport from 0.4.3.4-rc): + - The unit tests now support a "TOR_SKIP_TESTCASES" environment + variable to specify a list of space-separated test cases that + should not be executed. We will use this to disable certain tests + that are failing on Appveyor because of mismatched OpenSSL + libraries. Part of ticket 33643. + + o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha): + - Use the correct 64-bit printf format when compiling with MINGW on + Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha. + + o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha): + - Warn if the ContactInfo field is not set, and tell the relay + operator that not having a ContactInfo field set might cause their + relay to get rejected in the future. Fixes bug 33361; bugfix + on 0.1.1.10-alpha. + + o Minor bugfixes (client performance, backport from 0.4.4.1-alpha): + - Resume use of preemptively-built circuits when UseEntryGuards is set + to 0. We accidentally disabled this feature with that config + setting, leading to slower load times. Fixes bug 34303; bugfix + on 0.3.3.2-alpha. + + o Minor bugfixes (compiler compatibility, backport from 0.4.3.5): + - Avoid compiler warnings from Clang 10 related to the use of GCC- + style "/* falls through */" comments. Both Clang and GCC allow + __attribute__((fallthrough)) instead, so that's what we're using + now. Fixes bug 34078; bugfix on 0.3.1.3-alpha. + - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix + on 0.4.0.3-alpha. + + o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha): + - Fix a compiler warning on platforms with 32-bit time_t values. + Fixes bug 40028; bugfix on 0.3.2.8-rc. + + o Minor bugfixes (controller protocol, backport from 0.4.3.2-alpha): + - When receiving "ACTIVE" or "DORMANT" signals on the control port, + report them as SIGNAL events. Previously we would log a bug + warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha. + + o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha): + - When starting Tor any time after the first time in a process, + register the thread in which it is running as the main thread. + Previously, we only did this on Windows, which could lead to bugs + like 23081 on non-Windows platforms. Fixes bug 32884; bugfix + on 0.3.3.1-alpha. + + o Minor bugfixes (key portability, backport from 0.4.3.4-rc): + - When reading PEM-encoded key data, tolerate CRLF line-endings even + if we are not running on Windows. Previously, non-Windows hosts + would reject these line-endings in certain positions, making + certain key files hard to move from one host to another. Fixes bug + 33032; bugfix on 0.3.5.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.3.2-rc): + - When logging a bug, do not say "Future instances of this warning + will be silenced" unless we are actually going to silence them. + Previously we would say this whenever a BUG() check failed in the + code. Fixes bug 33095; bugfix on 0.4.1.1-alpha. + + o Minor bugfixes (logging, backport from 0.4.3.4-rc): + - Flush stderr, stdout, and file logs during shutdown, if supported + by the OS. This change helps make sure that any final logs are + recorded. Fixes bug 33087; bugfix on 0.4.1.6. + + o Minor bugfixes (logging, backport from 0.4.4.2-alpha): + - Downgrade a noisy log message that could occur naturally when + receiving an extrainfo document that we no longer want. Fixes bug + 16016; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha): + - Remove a BUG() warning that would cause a stack trace if an onion + service descriptor was freed while we were waiting for a + rendezvous circuit to complete. Fixes bug 28992; bugfix + on 0.3.2.1-alpha. + + o Testing (CI, backport from 0.4.3.4-rc): + - In our Appveyor Windows CI, copy required DLLs to test and app + directories, before running tor's tests. This ensures that tor.exe + and test*.exe use the correct version of each DLL. This fix is not + required, but we hope it will avoid DLL search issues in future. + Fixes bug 33673; bugfix on 0.3.4.2-alpha. + - On Appveyor, skip the crypto/openssl_version test, which is + failing because of a mismatched library installation. Fix + for 33643. + + +Changes in version 0.4.3.6 - 2020-07-09 + Tor 0.4.3.6 backports several bugfixes from later releases, including + some affecting usability. + + This release also fixes TROVE-2020-001, a medium-severity denial of + service vulnerability affecting all versions of Tor when compiled with + the NSS encryption library. (This is not the default configuration.) + Using this vulnerability, an attacker could cause an affected Tor + instance to crash remotely. This issue is also tracked as CVE-2020- + 15572. Anybody running a version of Tor built with the NSS library + should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha + or later. + + o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha): + - Fix a crash due to an out-of-bound memory access when Tor is + compiled with NSS support. Fixes bug 33119; bugfix on + 0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001 + and CVE-2020-15572. + + o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha): + - Use the correct 64-bit printf format when compiling with MINGW on + Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha. + + o Minor bugfixes (client performance, backport from 0.4.4.1-alpha): + - Resume use of preemptively-built circuits when UseEntryGuards is set + to 0. We accidentally disabled this feature with that config + setting, leading to slower load times. Fixes bug 34303; bugfix + on 0.3.3.2-alpha. + + o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha): + - Fix a compiler warning on platforms with 32-bit time_t values. + Fixes bug 40028; bugfix on 0.3.2.8-rc. + + o Minor bugfixes (linux seccomp sandbox, nss, backport from 0.4.4.1-alpha): + - Fix a startup crash when tor is compiled with --enable-nss and + sandbox support is enabled. Fixes bug 34130; bugfix on + 0.3.5.1-alpha. Patch by Daniel Pinto. + + o Minor bugfixes (logging, backport from 0.4.4.2-alpha): + - Downgrade a noisy log message that could occur naturally when + receiving an extrainfo document that we no longer want. Fixes bug + 16016; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (manual page, backport from 0.4.4.1-alpha): + - Update the man page to reflect that MinUptimeHidServDirectoryV2 + defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha. + + o Minor bugfixes (onion service v3, backport from 0.4.4.1-alpha): + - Prevent an assert() that would occur when cleaning the client + descriptor cache, and attempting to close circuits for a non- + decrypted descriptor (lacking client authorization). Fixes bug + 33458; bugfix on 0.4.2.1-alpha. + + o Minor bugfixes (portability, backport from 0.4.4.1-alpha): + - Fix a portability error in the configure script, where we were + using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5. + + o Minor bugfixes (relays, backport from 0.4.4.1-alpha): + - Stop advertising incorrect IPv6 ORPorts in relay and bridge + descriptors, when the IPv6 port was configured as "auto". Fixes + bug 32588; bugfix on 0.2.3.9-alpha. + + o Documentation (backport from 0.4.4.1-alpha): + - Fix several doxygen warnings related to imbalanced groups. Closes + ticket 34255. + Changes in version 0.4.3.5 - 2020-05-15 Tor 0.4.3.5 is the first stable release in the 0.4.3.x series. This @@ -21460,7 +22471,7 @@ Changes in version 0.2.0.33 - 2009-01-21 - Implement the 0x20 hack to better resist DNS poisoning: set the case on outgoing DNS requests randomly, and reject responses that do not match the case correctly. This logic can be disabled with the - ServerDNSRamdomizeCase setting, if you are using one of the 0.3% + ServerDNSRandomizeCase setting, if you are using one of the 0.3% of servers that do not reliably preserve case in replies. See "Increased DNS Forgery Resistance through 0x20-Bit Encoding" for more info. |