sarah
/
tor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Revise changelog verbiage; try to tighten it up.

This commit is contained in:
Nick Mathewson 2014-04-24 15:18:45 -04:00
parent 7d6562fafa
commit 12b1d64b03
1 changed files with 112 additions and 125 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

237
ChangeLog
View File

@ -2,94 +2,86 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
This release includes several security and performance improvements
for clients and relays, including XXX
This release marks end-of-line for Tor 0.2.2.x; those Tor versions have
accumulated many known flaws; everyone should upgrade.
This release marks end-of-line for Tor 0.2.2.x; those Tor versions
have accumulated many known flaws; everyone should upgrade.
o Major features (security):
- Block authority signing keys that were used on an authorities
vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). (We
- Block authority signing keys that were used on authorities
vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We
don't have any evidence that these keys _were_ compromised; we're
doing this to be prudent.) Resolves ticket 11464.
o Major features (relay performance):
- Faster server-side lookups of rendezvous and introduction point
circuits by using hashtables instead of linear searches over all
the circuits. These functions previously accounted between 3 and
7% of CPU usage on some busy relays.
- Avoid wasting cycles looking for usable circuit IDs. Previously,
when allocating a new circuit ID, we would in the worst case do a
linear scan over the entire possible range of circuit IDs before
deciding that we had exhausted our possibilities. Now, we try 64
circuit IDs at random before deciding that we probably won't
succeed. Fix for a possible root cause of ticket #11553.
- Speed up server-side lookups of rendezvous and introduction point
circuits by using hashtables instead of linear searches. These
functions previously accounted between 3 and 7% of CPU usage on
some busy relays. Resolves ticket 9841.
- Avoid wasting CPU when extending a circuit over a channel that is
nearly out of circuit IDs. Previously, we would in the worst case
do a linear scan over all possible circuit IDs before deciding
that we had exhausted our possibilities. Now, we try at most 64
random circuit IDs before deciding that we probably won't succeed.
Fix for a possible root cause of ticket #11553.
o Major features (seccomp2 sandbox):
- Refinements and improvements to the Linux seccomp2 sandbox code:
the sandbox can now run a test network for multiple hours without
crashing. (Previous crash reasons included: reseeding the OpenSSL
PRNG, seeding the Libevent PRNG, using the wrong combination of
CLOEXEC and NONBLOCK at the same place and time, having onion
keys, being an authority, receiving a HUP, or using IPv6.) The
sandbox is still experimental, and more bugs will probably turn
up. To try it, enable "Sandbox 1" on a Linux host.
- Strengthen the Linux seccomp2 sandbox code: the sandbox can now
test the arguments for rename(), and blocks _sysctl() entirely.
- When the Linux syscall sandbox finds an illegal system call, it
now tries to log a stack trace before exiting. Resolves ticket
11465.
o Major features (seccomp2 sandbox, Linux only):
- The seccomp2 sandbox can now run a test network for multiple hours
without crashing. The sandbox is still experimental, and more bugs
will probably turn up. To try it, enable "Sandbox 1" on a Linux
host.
- Strengthen sandbox code: the sandbox can now test the arguments
for rename(), and blocks _sysctl() entirely.
- When the sandbox blocks a system call, it now tries to log a stack
trace before exiting. Resolves ticket 11465.
o Major bugfixes (TLS cipher selection):
- Generate the relay's preference list for ciphersuites
automatically based on uniform criteria, and considering all
OpenSSL ciphersuites with acceptable strength and forward secrecy.
(The sort order is: prefer AES to 3DES; break ties by preferring
ECDHE to DHE; break ties by preferring GCM to CBC; break ties by
preferring SHA384 to SHA256 to SHA1; and finally, break ties by
preferring AES256 to AES128.) This resolves bugs #11513, #11492,
#11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on
- The relay ciphersuite list is now generated automatically based on
uniform criteria, and includes all OpenSSL ciphersuites with
acceptable strength and forward secrecy. Previously, we had
omitted some perfectly fine ciphersuites. Resolves bugs #11513,
#11492, #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on
0.2.4.8-alpha.
- Relays now trust themselves to have a better view than clients of
which TLS ciphersuites to choose. (Thanks to #11513, the relay
list is now well-considered, whereas the client list has been
chosen mainly for anti-fingerprinting purposes.) Resolves ticket
11528.
- Update the list of TLS ciphersuites that a client advertises to
match those advertised by Firefox 28. This enables selection of
(fast) GCM ciphersuites, disables some strange old ciphers, and
disables the ECDH (not to be confused with ECDHE) ciphersuites.
Resolves ticket 11438.
which TLS ciphersuites are better than others. (Thanks to #11513,
the relay list is now well-considered, whereas the client list has
been chosen mainly for anti-fingerprinting purposes.) Relays
prefer: AES over 3DES; then ECDHE over DHE; then GCM over CBC;
then SHA384 over SHA256 over SHA1; and last, AES256 over AES128.
Resolves ticket 11528.
- Clients now try to advertise the same list of ciphersuites as
Firefox 28. This change enables selection of (fast) GCM
ciphersuites, disables some strange old ciphers, and disables the
ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket
11438.
o Major bugfixes (undefined behavior):
- Fix two instances of possible undefined behavior in channeltls.c
that could, under unlucky circumstances, have led to a pointer
overflow. Fixes bug #10363; bugfixes on 0.2.0.10-alpha and
0.2.3.6-alpha. Reported by "bobnomnom".
- Fix another possibly undefined pointer operations in tor_memmem
fallback implementation. Another case of bug #10363; bugfix on
0.1.1.1-alpha.
- Fix another possibly undefined pointer operations in the eventdns
fallback implementation. Another case of bug #10363; bugfix on
0.1.2.1-alpha.
- Use AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix
some miscellaneous errors in our tests and codebase. Fix for bug
11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
- Fix various instances of undefined behavior in channeltls.c,
tor_memmem(), and eventdns.c, that would cause us to construct
pointers to memory outside an allocated object. (These invalid
pointers were not accessed, but C does not even allow them to
exist.) Fixes bug #10363; bugfixes on 0.2.0.10-alpha,
0.2.3.6-alpha, 0.1.1.1-alpha, and 0.1.2.1-alpha. Reported by
"bobnomnom".
- Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to
fix some miscellaneous errors in our tests and codebase. Fix for
bug 11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
o Minor features (Transparent proxy, *BSD):
- Support the ipfw firewall interface for transparent proxy support
on FreeBSD. To enable it, set "TransProxyType ipfw" in your torrc.
Resolves ticket 10267; patch from "yurivict".
- Support OpenBSD's divert-to rules with the pf firewall, when
"TransProxyType pf-divert" is specified. This allows Tor to run a
TransPort transparent proxy port on OpenBSD 4.4 or later without
root privileges. See the pf.conf(5) manual page for information on
configuring pf to use divert-to rules. Closes ticket 10896; patch
from Dana Koch.
- Support FreeBSD's ipfw firewall interface for TransPort ports. on
FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket
10267; patch from "yurivict".
- Support OpenBSD's divert-to rules with the pf firewall for
transparent proxy ports. To enable it, set "TransProxyType pf-
divert". This allows Tor to run a TransPort transparent proxy port
on OpenBSD 4.4 or later without root privileges. See the
pf.conf(5) manual page for information on configuring pf to use
divert-to rules. Closes ticket 10896; patch from Dana Koch.
o Minor features (security):
- New --enable-expensive-hardening option to turn on security
- New --enable-expensive-hardening option to enable security
hardening options that consume nontrivial amounts of CPU and
memory. Right now, this includes AddressSanitizer and UbSan.
Closes ticket 11477.
memory. Right now, this includes AddressSanitizer and UbSan, which
are supported in newer versions of GCC and Clang. Closes ticket
11477.
- If you don't specify MaxMemInQueues yourself, Tor now tries to
pick a good value based on your total system memory. Previously,
the default was always 8 GB. You can still override the default by
@ -105,16 +97,14 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
at every 5% of progress. Fixes bug 9963.
o Minor features (relay):
- If a circuit timed out for at least 3 minutes check if we have a
new external IP address the next time we run our routine checks.
If our IP address has changed, then publish a new descriptor with
the new IP address. Resolves ticket 2454.
- If a circuit timed out for at least 3 minutes, check if we have a
new external IP address, and publish a new descriptor with the new
IP address if it changed. Resolves ticket 2454.
- Warn less verbosely when receiving a malformed
ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279.
- When we run out of usable circuit IDs on a channel, log only one
warning for the whole channel, and include a description of how
many circuits there were on the channel. Fix for part of ticket
#11553.
warning for the whole channel, and describe how many circuits
there were on the channel. Fix for part of ticket #11553.
o Minor features (controller):
- Make the entire exit policy available from the control port via
@ -131,36 +121,34 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
going unnoticed. Closes ticket 8787.
o Minor features (bridge client):
- Report a failure to connect to a bridge because its transport type
has no configured pluggable transport as a new type of bootstrap
failure. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
- Report a more useful failure message when we can't connect to a
bridge because we don't have the right pluggable transport
configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
o Minor features (diagnostic):
- Try harder to diagnose a possible cause of bug 7164, which causes
- Add more log messages to diagnose bug 7164, which causes
intermittent "microdesc_free() called but md was still referenced"
warnings. We now log more information about the likely error case,
to try to figure out why we might be cleaning a microdescriptor as
old if it's still referenced by a live node_t object.
warnings. We now include more information, to figure out why we
might be cleaning a microdescriptor for being too old if it's
still referenced by a live node_t object.
o Minor bugfixes (logging):
- Log only one message when we start logging in an unsafe way.
Previously, we would log as many messages as we had problems. Fix
for #9870; bugfix on 0.2.5.1-alpha.
- Warn only once we start logging in an unsafe way. Previously, we
complain as many times we had problems. Fix for #9870; bugfix on
0.2.5.1-alpha.
- Using the Linux seccomp2 sandbox no longer prevents stack-trace
logging on crashes or errors. Fixes part 11465; bugfix on
0.2.5.1-alpha.
- Only report the first fatal bootstrap error on a given OR
connection. This prevents controllers from declaring that a
connection has failed because of "DONE" or other junk reasons.
Fixes bug 10431; bugfix on 0.2.1.1-alpha.
- Improve the warning message when trying to enable the Linux
sandbox code on a Tor built without libseccomp. Instead of saying
"Sandbox is not implemented on this platform", we now explain that
we to need be built with libseccomp. Fixes bug 11543; bugfix on
0.2.5.1-alpha.
- Avoid generating spurious warnings and failure messages when
starting with DisableNetwork enabled. Fixes bug 11200 and bug
10405; bugfix on 0.2.3.9-alpha.
connection. This stops us from telling the controller bogus error
messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha.
- Be more helpful when trying to run sandboxed on Linux without
libseccomp. Instead of saying "Sandbox is not implemented on this
platform", we now explain that we to need be built with
libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
- Avoid generating spurious warnings when starting with
DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on
0.2.3.9-alpha.
o Minor bugfixes (closing channels):
- If write_to_buf() in connection_write_to_buf_impl_() ever fails,
@ -169,12 +157,12 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
connection_mark_for_close() directly. Fixes bug #11304; bugfix on
0.2.4.4-alpha.
- When closing all connections on setting DisableNetwork to 1, use
connection_or_close_normally() rather than closing OR connections out
from under the channel layer. Fixes bug #11306; bugfix on
connection_or_close_normally() rather than closing OR connections
out from under the channel layer. Fixes bug #11306; bugfix on
0.2.4.4-alpha.
o Minor bugfixes (controller):
- Avoid sending an garbage value to the controller when a circuit is
- Avoid sending a garbage value to the controller when a circuit is
cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.
o Minor bugfixes (tor-fw-helper):
@ -187,24 +175,24 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
Fixes bug 9650; bugfix on 0.2.3.16-alpha.
o Minor bugfixes (misc):
- Don't re-initialize a second set of openssl mutexes when starting
up. Fixes bug 11726; bugfix on 0.2.5.3-alpha.
o Minor bugfixes (memory leaks):
- Fix a minor memory leak that occurred when signing a directory
object. Fixes bug 11275; bugfix on 0.2.4.13-alpha.
- Don't re-initialize a second set of OpenSSL mutexes when starting
up. Previously, we'd make one set of mutexes, and then immediately
replace them with another. Fixes bug 11726; bugfix on
0.2.5.3-alpha.
o Minor bugfixes (platform-specific):
- Fix compilation on Solaris, which does not have <endian.h>. Fixes
bug 11426; bugfix on 0.2.5.3-alpha.
- When dumping a malformed directory object to disk, save it in
binary mode on windows, not text mode. Fixes bug 11342; bugfix on
binary mode on Windows, not text mode. Fixes bug 11342; bugfix on
0.2.2.1-alpha.
- When reporting a failure from make_socket_reuseable(), don't
report a warning when we get a failure from an incoming socket on
OSX. Fix for bug 10081.
- Don't report failures from make_socket_reuseable() on incoming
sockets on OSX: this can happen when incoming connections close
early. Fix for bug 10081.
o Minor bugfixes (trivial memory leaks):
- Fix a small memory leak when signing a directory object. Fixes bug
11275; bugfix on 0.2.4.13-alpha.
- Free placeholder entries in our circuit table at exit; fixes a
harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha.
- Resolve some memory leaks found by coverity in the unit tests, on
@ -217,23 +205,22 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
times, not 30. Fixes bug #4241; bugfix on 0.1.0.1-rc.
o Minor bugfixes (bridge client):
- Stop accepting bridge lines containing hostnames. Doing so allowed
clients to perform DNS requests on the hostnames, which was not
sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
- Fix a bug where a client-side Tor with pluggable transports would
take 60 seconds to bootstrap if a config re-read was triggered at
just the right timing during bootstrap. Re-fixes bug 11156; bugfix
on 0.2.5.3-alpha.
- Stop accepting bridge lines containing hostnames. Doing so would
cause clients to perform DNS requests on the hostnames, which was
not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
- Avoid a 60-second delay in the bootstrapping process when a Tor
client with pluggable transports re-reads its configuration at
just the wrong time. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha.
- Avoid 60-second delays in the bootstrapping process when Tor is
launching for a second time while using bridges. Fixes bug 9229;
bugfix on 0.2.0.3-alpha.
o Minor bugfixes (DNS):
- When receiving a DNS query for an unsupported type, reply with no
answer rather than with a NOTIMPL error. This behavior isn't
correct either, but it will break fewer client programs, we hope.
Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from
"epoch".
- When receiving a DNS query for an unsupported record type, reply
with no answer rather than with a NOTIMPL error. This behavior
isn't correct either, but it will break fewer client programs, we
hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch
from "epoch".
o Minor bugfixes (exit):
- Stop leaking memory when we successfully resolve a PTR record.
@ -266,8 +253,8 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
o Deprecated versions:
- Tor 0.2.2.x has reached end-of-life; it has received no patches or
attention for some while. Directory authorities no longer accept
descriptors from relays running any version of Tor prior to
Tor 0.2.3.16-alpha. Resolves ticket 11149.
descriptors from relays running any version of Tor prior to Tor
0.2.3.16-alpha. Resolves ticket 11149.
o Testing:
- New macros in test.h to simplify writing mock-functions for unit