start a new 029 changelog
created by catting all the changes/ files together, then overwriting each entry with how it was written in a later release, then running the format_changelog.py script hopefully this will save nickm a bit of time -- if not feel free to overwrite. :)
This commit is contained in:
Roger Dingledine
parent
4bc18c88df
commit
2813180ab5
147
ChangeLog
147
ChangeLog
|
|
@ -1,5 +1,150 @@
|
|||
Changes in version 0.2.9.15 - 2018-03-xx
|
||||
Tor 0.2.9.15 backports important security and stability bugfixes from
|
||||
later Tor releases. All Tor users should upgrade to this release, or
|
||||
to another of the releases coming out today.
|
||||
|
||||
o Major features (denial-of-service mitigation):
|
||||
- Give relays some defenses against the recent network overload. We
|
||||
start with three defenses (default parameters in parentheses).
|
||||
First: if a single client address makes too many concurrent
|
||||
connections (>100), hang up on further connections. Second: if a
|
||||
single client address makes circuits too quickly (more than 3 per
|
||||
second, with an allowed burst of 90) while also having too many
|
||||
connections open (3), refuse new create cells for the next while
|
||||
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||
point to you directly, ignore the request. These defenses can be
|
||||
manually controlled by new torrc options, but relays will also
|
||||
take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
o Major bugfixes (bootstrapping):
|
||||
- Fetch descriptors aggressively whenever we lack enough to build
|
||||
circuits, regardless of how many descriptors we are missing.
|
||||
Previously, we would delay launching the fetch when we had fewer
|
||||
than 15 missing descriptors, even if some of those descriptors
|
||||
were blocking circuits from building. Fixes bug 23985; bugfix on
|
||||
0.1.1.11-alpha. The effects of this bug became worse in
|
||||
0.3.0.3-alpha, when we began treating missing descriptors from our
|
||||
primary guards as a reason to delay circuits.
|
||||
|
||||
o Major bugfixes (onion services, retry behavior):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||
onion service side. While we thought we would stop the rendezvous
|
||||
attempt after one failed circuit, we were actually making three
|
||||
circuit attempts before giving up. Now switch to a default of 2,
|
||||
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||
|
||||
o Minor feature (relay statistics):
|
||||
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
||||
hours in order to reduce the efficiency of guard discovery
|
||||
attacks. Fixes ticket 23856.
|
||||
|
||||
o Minor features (compatibility, OpenSSL):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (denial-of-service avoidance):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory. This check is important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
||||
o Minor features (fallback directory mirrors):
|
||||
- The fallback directory list has been re-generated based on the
|
||||
current status of the network. Tor uses fallback directories to
|
||||
bootstrap when it doesn't yet have up-to-date directory
|
||||
information. Closes ticket 24801.
|
||||
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
||||
prefer to bootstrap from fallback directory mirrors. This is a
|
||||
follow-up to 24679, which removed weights from the default
|
||||
fallbacks. Implements ticket 24681.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox):
|
||||
- Update the sandbox rules so that they should now work correctly
|
||||
with Glibc 2.26. Closes ticket 24315.
|
||||
|
||||
o Minor bugfix (channel connection):
|
||||
- Use the actual observed address of an incoming relay connection,
|
||||
not the canonical address of the relay from its descriptor, when
|
||||
making decisions about how to handle the incoming connection.
|
||||
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||
|
||||
o Minor bugfix (directory authority):
|
||||
- Directory authorities, when refusing a descriptor from a rejected
|
||||
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list.
|
||||
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||
|
||||
o Minor bugfixes (address selection):
|
||||
- When the fascist_firewall_choose_address_ functions don't find a
|
||||
reachable address, set the returned address to the null address
|
||||
and port. This is a precautionary measure, because some callers do
|
||||
not check the return value. Fixes bug 24736; bugfix
|
||||
on 0.2.8.2-alpha.
|
||||
|
||||
o Minor bugfixes (compilation):
|
||||
- Fix a signed/unsigned comparison warning introduced by our fix to
|
||||
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||
|
||||
o Minor bugfixes (control port, linux seccomp2 sandbox):
|
||||
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
||||
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (memory usage):
|
||||
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
||||
and reason fields: not the entire 514-byte cell. This fix should
|
||||
help mitigate any bugs or attacks that fill up these queues, and
|
||||
free more RAM for other uses. Fixes bug 24666; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (network layer):
|
||||
- When closing a connection via close_connection_immediately(), we
|
||||
mark it as "not blocked on bandwidth", to prevent later calls from
|
||||
trying to unblock it, and give it permission to read. This fixes a
|
||||
backtrace warning that can happen on relays under various
|
||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||
|
||||
o Minor bugfixes (OSX):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
||||
o Minor bugfixes (path selection):
|
||||
- When selecting relays by bandwidth, avoid a rounding error that
|
||||
could sometimes cause load to be imbalanced incorrectly.
|
||||
Previously, we would always round upwards; now, we round towards
|
||||
the nearest integer. This had the biggest effect when a relay's
|
||||
weight adjustments should have given it weight 0, but it got
|
||||
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||
- When calculating the fraction of nodes that have descriptors, and
|
||||
all nodes in the network have zero bandwidths, count the number of
|
||||
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||
|
||||
o Minor bugfixes (portability, msvc):
|
||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||
MSVC. (Note that MSVC is still not a supported build platform, due
|
||||
to cryptographic timing channel risks.) Fixes bug 24633; bugfix
|
||||
on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Make the internal channel_is_client() function look at what sort
|
||||
of connection handshake the other side used, rather than whether
|
||||
the other side ever sent a create_fast cell to us. Backports part
|
||||
of the fixes from bugs 22805 and 24898.
|
||||
|
||||
|
||||
Changes in version 0.2.9.14 - 2017-12-01
|
||||
Tor 0.3.0.13 backports important security and stability bugfixes from
|
||||
Tor 0.2.9.14 backports important security and stability bugfixes from
|
||||
later Tor releases. All Tor users should upgrade to this release, or
|
||||
to another of the releases coming out today.
|
||||
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ of Tor. If you want to see more detailed descriptions of the changes in
|
|||
each development snapshot, see the ChangeLog file.
|
||||
|
||||
Changes in version 0.2.9.14 - 2017-12-01
|
||||
Tor 0.3.0.13 backports important security and stability bugfixes from
|
||||
Tor 0.2.9.14 backports important security and stability bugfixes from
|
||||
later Tor releases. All Tor users should upgrade to this release, or
|
||||
to another of the releases coming out today.
|
||||
|
||||
|
|
|
|||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (portability):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
o Minor bugfixes (path selection):
|
||||
- When selecting relays by bandwidth, avoid a rounding error that
|
||||
could sometimes cause load to be imbalanced incorrectly. Previously,
|
||||
we would always round upwards; now, we round towards the nearest
|
||||
integer. This had the biggest effect when a relay's weight adjustments
|
||||
should have given it weight 0, but it got weight 1 instead.
|
||||
Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||
- When calculating the fraction of nodes that have descriptors, and all
|
||||
all nodes in the network have zero bandwidths, count the number of nodes
|
||||
instead.
|
||||
Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
o Minor bugfixes (bootstrapping):
|
||||
- Fetch descriptors aggressively whenever we lack enough
|
||||
to build circuits, regardless of how many descriptors we are missing.
|
||||
Previously, we would delay launching the fetch when we had fewer than
|
||||
15 missing descriptors, even if some of those descriptors were
|
||||
blocking circuits from building. Fixes bug 23985; bugfix on
|
||||
0.1.1.11-alpha. The effects of this bug became worse in 0.3.0.3-alpha,
|
||||
when we began treating missing descriptors from our primary guards
|
||||
as a reason to delay circuits.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
o Minor bugfixes (network layer):
|
||||
- When closing a connection via close_connection_immediately(), we
|
||||
mark it as "not blocked on bandwidth", to prevent later calls
|
||||
from trying to unblock it, and give it permission to read. This
|
||||
fixes a backtrace warning that can happen on relays under various
|
||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (path selection):
|
||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (controller, linux seccomp2 sandbox):
|
||||
- Avoid a crash when attempting to use the seccomp2 sandbox
|
||||
together with the OwningControllerProcess feature.
|
||||
Fixes bug 24198; bugfix on 0.2.5.1-alpha.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (compilation):
|
||||
- Fix a signed/unsigned comparison warning introduced by our
|
||||
fix to TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (portability, msvc):
|
||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||
MSVC. (Note that MSVC is still not a supported build platform,
|
||||
due to cyptographic timing channel risks.) Fixes bug 24633;
|
||||
bugfix on 0.2.9.1-alpha.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
o Minor bugfixes (memory usage):
|
||||
|
||||
- When queuing DESTROY cells on a channel, only queue the
|
||||
circuit-id and reason fields: not the entire 514-byte
|
||||
cell. This fix should help mitigate any bugs or attacks that
|
||||
fill up these queues, and free more RAM for other uses. Fixes
|
||||
bug 24666; bugfix on 0.2.5.1-alpha.
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (address selection):
|
||||
- When the fascist_firewall_choose_address_ functions don't find a
|
||||
reachable address, set the returned address to the null address and port.
|
||||
This is a precautionary measure, because some callers do not check the
|
||||
return value.
|
||||
Fixes bug 24736; bugfix on 0.2.8.2-alpha.
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
o Major bugfixes (onion services):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the onion
|
||||
service side. While we thought we would stop the rendezvous attempt
|
||||
after one failed circuit, we were actually making three circuit attempts
|
||||
before giving up. Now switch to a default of 2, and allow the consensus
|
||||
parameter "hs_service_max_rdv_failures" to override. Fixes bug 24895;
|
||||
bugfix on 0.0.6.
|
||||
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (relay):
|
||||
- Make the internal channel_is_client() function look at what sort
|
||||
of connection handshake the other side used, rather than whether
|
||||
the other side ever sent a create_fast cell to us. Backports part
|
||||
of the fixes from bugs 22805 and 24898.
|
||||
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfix (channel connection):
|
||||
- The accurate address of a connection is real_addr, not the addr member.
|
||||
TLS Channel remote address is now real_addr content instead of addr
|
||||
member. Fixes bug 24952; bugfix on 707c1e2e26 in 0.2.4.11-alpha.
|
||||
Patch by "ffmancera".
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
o Minor features (compatibility, OpenSSL):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL
|
||||
1.1.1, since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (DoS mitigation):
|
||||
- Make sure we don't modify consensus parameters if we aren't a public
|
||||
relay when a new consensus arrives. Fixes bug 25223; bugfix on
|
||||
0.3.3.2-alpha.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor feature (relay statistics):
|
||||
- Change relay bandwidth reporting stats interval from 4 hours to 24 hours
|
||||
in order to reduce the efficiency of guard discovery attacks. Fixes
|
||||
ticket 23856.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Major features (linux seccomp2 sandbox):
|
||||
- Update the sandbox rules so that they should now work correctly with
|
||||
Glibc 2.26. Closes ticket 24315.
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
o Minor features (fallback directory mirrors):
|
||||
- Make the default DirAuthorityFallbackRate 0.1, so that clients on the
|
||||
public tor network prefer to bootstrap off fallback directory mirrors.
|
||||
This is a follow-up to 24679, which removed weights from the default
|
||||
fallbacks.
|
||||
Implements ticket 24681.
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
o Major features (denial of service mitigation):
|
||||
- Give relays some defenses against the recent network overload. We start
|
||||
with three defenses (default parameters in parentheses). First: if a
|
||||
single client address makes too many concurrent connections (>100), hang
|
||||
up on further connections. Second: if a single client address makes
|
||||
circuits too quickly (more than 3 per second, with an allowed burst of
|
||||
90) while also having too many connections open (3), refuse new create
|
||||
cells for the next while (1-2 hours). Third: if a client asks to
|
||||
establish a rendezvous point to you directly, ignore the request. These
|
||||
defenses can be manually controlled by new torrc options, but relays
|
||||
will also take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor feature (geoip cache):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory which is especially important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfix (directory authority, documentation):
|
||||
- When a fingerprint or network address is marked as rejected, the
|
||||
returned message by the authority now explicitly mention to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list. Fixes bug
|
||||
25170; bugfix on 0.2.9.1.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (DoS mitigation):
|
||||
- Add extra safety checks when refilling the circuit creation bucket to
|
||||
ensure we never set a value that is above the allowed burst. Fixes
|
||||
bug 25202; bugfix on 0.3.3.2-alpha.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor features (new fallback directories):
|
||||
- The fallback directory list has been re-generated based on the
|
||||
current status of the network. Tor uses fallback directories to
|
||||
bootstrap it doesn't yet have up-to-date directory
|
||||
information. Closes ticket 24801.
|
||||
Loading…
Reference in New Issue