diff --git a/ChangeLog b/ChangeLog index 5c565fb36..e7bbe2705 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,150 @@ +Changes in version 0.2.9.15 - 2018-03-xx + Tor 0.2.9.15 backports important security and stability bugfixes from + later Tor releases. All Tor users should upgrade to this release, or + to another of the releases coming out today. + + o Major features (denial-of-service mitigation): + - Give relays some defenses against the recent network overload. We + start with three defenses (default parameters in parentheses). + First: if a single client address makes too many concurrent + connections (>100), hang up on further connections. Second: if a + single client address makes circuits too quickly (more than 3 per + second, with an allowed burst of 90) while also having too many + connections open (3), refuse new create cells for the next while + (1-2 hours). Third: if a client asks to establish a rendezvous + point to you directly, ignore the request. These defenses can be + manually controlled by new torrc options, but relays will also + take guidance from consensus parameters, so there's no need to + configure anything manually. Implements ticket 24902. + + o Major bugfixes (bootstrapping): + - Fetch descriptors aggressively whenever we lack enough to build + circuits, regardless of how many descriptors we are missing. + Previously, we would delay launching the fetch when we had fewer + than 15 missing descriptors, even if some of those descriptors + were blocking circuits from building. Fixes bug 23985; bugfix on + 0.1.1.11-alpha. The effects of this bug became worse in + 0.3.0.3-alpha, when we began treating missing descriptors from our + primary guards as a reason to delay circuits. + + o Major bugfixes (onion services, retry behavior): + - Fix an "off by 2" error in counting rendezvous failures on the + onion service side. While we thought we would stop the rendezvous + attempt after one failed circuit, we were actually making three + circuit attempts before giving up. Now switch to a default of 2, + and allow the consensus parameter "hs_service_max_rdv_failures" to + override. Fixes bug 24895; bugfix on 0.0.6. + + o Minor feature (relay statistics): + - Change relay bandwidth reporting stats interval from 4 hours to 24 + hours in order to reduce the efficiency of guard discovery + attacks. Fixes ticket 23856. + + o Minor features (compatibility, OpenSSL): + - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released. + Previous versions of Tor would not have worked with OpenSSL 1.1.1, + since they neither disabled TLS 1.3 nor enabled any of the + ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites. + Closes ticket 24978. + + o Minor features (denial-of-service avoidance): + - Make our OOM handler aware of the geoip client history cache so it + doesn't fill up the memory. This check is important for IPv6 and + our DoS mitigation subsystem. Closes ticket 25122. + + o Minor features (fallback directory mirrors): + - The fallback directory list has been re-generated based on the + current status of the network. Tor uses fallback directories to + bootstrap when it doesn't yet have up-to-date directory + information. Closes ticket 24801. + - Make the default DirAuthorityFallbackRate 0.1, so that clients + prefer to bootstrap from fallback directory mirrors. This is a + follow-up to 24679, which removed weights from the default + fallbacks. Implements ticket 24681. + + o Minor features (geoip): + - Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2 + Country database. + + o Minor features (linux seccomp2 sandbox): + - Update the sandbox rules so that they should now work correctly + with Glibc 2.26. Closes ticket 24315. + + o Minor bugfix (channel connection): + - Use the actual observed address of an incoming relay connection, + not the canonical address of the relay from its descriptor, when + making decisions about how to handle the incoming connection. + Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera". + + o Minor bugfix (directory authority): + - Directory authorities, when refusing a descriptor from a rejected + relay, now explicitly tell the relay (in its logs) to set a valid + ContactInfo address and contact the bad-relays@ mailing list. + Fixes bug 25170; bugfix on 0.2.9.1. + + o Minor bugfixes (address selection): + - When the fascist_firewall_choose_address_ functions don't find a + reachable address, set the returned address to the null address + and port. This is a precautionary measure, because some callers do + not check the return value. Fixes bug 24736; bugfix + on 0.2.8.2-alpha. + + o Minor bugfixes (compilation): + - Fix a signed/unsigned comparison warning introduced by our fix to + TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16. + + o Minor bugfixes (control port, linux seccomp2 sandbox): + - Avoid a crash when attempting to use the seccomp2 sandbox together + with the OwningControllerProcess feature. Fixes bug 24198; bugfix + on 0.2.5.1-alpha. + + o Minor bugfixes (memory usage): + - When queuing DESTROY cells on a channel, only queue the circuit-id + and reason fields: not the entire 514-byte cell. This fix should + help mitigate any bugs or attacks that fill up these queues, and + free more RAM for other uses. Fixes bug 24666; bugfix + on 0.2.5.1-alpha. + + o Minor bugfixes (network layer): + - When closing a connection via close_connection_immediately(), we + mark it as "not blocked on bandwidth", to prevent later calls from + trying to unblock it, and give it permission to read. This fixes a + backtrace warning that can happen on relays under various + circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc. + + o Minor bugfixes (OSX): + - Don't exit the Tor process if setrlimit() fails to change the file + limit (which can happen sometimes on some versions of OSX). Fixes + bug 21074; bugfix on 0.0.9pre5. + + o Minor bugfixes (path selection): + - When selecting relays by bandwidth, avoid a rounding error that + could sometimes cause load to be imbalanced incorrectly. + Previously, we would always round upwards; now, we round towards + the nearest integer. This had the biggest effect when a relay's + weight adjustments should have given it weight 0, but it got + weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha. + - When calculating the fraction of nodes that have descriptors, and + all nodes in the network have zero bandwidths, count the number of + nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha. + - Actually log the total bandwidth in compute_weighted_bandwidths(). + Fixes bug 24170; bugfix on 0.2.4.3-alpha. + + o Minor bugfixes (portability, msvc): + - Fix a bug in the bit-counting parts of our timing-wheel code on + MSVC. (Note that MSVC is still not a supported build platform, due + to cryptographic timing channel risks.) Fixes bug 24633; bugfix + on 0.2.9.1-alpha. + + o Minor bugfixes (relay): + - Make the internal channel_is_client() function look at what sort + of connection handshake the other side used, rather than whether + the other side ever sent a create_fast cell to us. Backports part + of the fixes from bugs 22805 and 24898. + + Changes in version 0.2.9.14 - 2017-12-01 - Tor 0.3.0.13 backports important security and stability bugfixes from + Tor 0.2.9.14 backports important security and stability bugfixes from later Tor releases. All Tor users should upgrade to this release, or to another of the releases coming out today. diff --git a/ReleaseNotes b/ReleaseNotes index 3253bd2ba..e691e092b 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -3,7 +3,7 @@ of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. Changes in version 0.2.9.14 - 2017-12-01 - Tor 0.3.0.13 backports important security and stability bugfixes from + Tor 0.2.9.14 backports important security and stability bugfixes from later Tor releases. All Tor users should upgrade to this release, or to another of the releases coming out today. diff --git a/changes/bug21074_downgrade b/changes/bug21074_downgrade deleted file mode 100644 index 1bc1f8523..000000000 --- a/changes/bug21074_downgrade +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (portability): - - Don't exit the Tor process if setrlimit() fails to change the file - limit (which can happen sometimes on some versions of OSX). Fixes - bug 21074; bugfix on 0.0.9pre5. diff --git a/changes/bug23318 b/changes/bug23318 deleted file mode 100644 index 7fcb8d448..000000000 --- a/changes/bug23318 +++ /dev/null @@ -1,11 +0,0 @@ - o Minor bugfixes (path selection): - - When selecting relays by bandwidth, avoid a rounding error that - could sometimes cause load to be imbalanced incorrectly. Previously, - we would always round upwards; now, we round towards the nearest - integer. This had the biggest effect when a relay's weight adjustments - should have given it weight 0, but it got weight 1 instead. - Fixes bug 23318; bugfix on 0.2.4.3-alpha. - - When calculating the fraction of nodes that have descriptors, and all - all nodes in the network have zero bandwidths, count the number of nodes - instead. - Fixes bug 23318; bugfix on 0.2.4.10-alpha. diff --git a/changes/bug23985 b/changes/bug23985 deleted file mode 100644 index 9cb593796..000000000 --- a/changes/bug23985 +++ /dev/null @@ -1,9 +0,0 @@ - o Minor bugfixes (bootstrapping): - - Fetch descriptors aggressively whenever we lack enough - to build circuits, regardless of how many descriptors we are missing. - Previously, we would delay launching the fetch when we had fewer than - 15 missing descriptors, even if some of those descriptors were - blocking circuits from building. Fixes bug 23985; bugfix on - 0.1.1.11-alpha. The effects of this bug became worse in 0.3.0.3-alpha, - when we began treating missing descriptors from our primary guards - as a reason to delay circuits. diff --git a/changes/bug24167 b/changes/bug24167 deleted file mode 100644 index fd0d87eff..000000000 --- a/changes/bug24167 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (network layer): - - When closing a connection via close_connection_immediately(), we - mark it as "not blocked on bandwidth", to prevent later calls - from trying to unblock it, and give it permission to read. This - fixes a backtrace warning that can happen on relays under various - circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc. - diff --git a/changes/bug24170 b/changes/bug24170 deleted file mode 100644 index d3d734769..000000000 --- a/changes/bug24170 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (path selection): - - Actually log the total bandwidth in compute_weighted_bandwidths(). - Fixes bug 24170; bugfix on 0.2.4.3-alpha. diff --git a/changes/bug24198 b/changes/bug24198 deleted file mode 100644 index 679070687..000000000 --- a/changes/bug24198 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (controller, linux seccomp2 sandbox): - - Avoid a crash when attempting to use the seccomp2 sandbox - together with the OwningControllerProcess feature. - Fixes bug 24198; bugfix on 0.2.5.1-alpha. diff --git a/changes/bug24480 b/changes/bug24480 deleted file mode 100644 index 94e5b91a0..000000000 --- a/changes/bug24480 +++ /dev/null @@ -1,3 +0,0 @@ - o Minor bugfixes (compilation): - - Fix a signed/unsigned comparison warning introduced by our - fix to TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16. diff --git a/changes/bug24633 b/changes/bug24633 deleted file mode 100644 index 028c7cc14..000000000 --- a/changes/bug24633 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfixes (portability, msvc): - - Fix a bug in the bit-counting parts of our timing-wheel code on - MSVC. (Note that MSVC is still not a supported build platform, - due to cyptographic timing channel risks.) Fixes bug 24633; - bugfix on 0.2.9.1-alpha. diff --git a/changes/bug24666 b/changes/bug24666 deleted file mode 100644 index 830775f5f..000000000 --- a/changes/bug24666 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor bugfixes (memory usage): - - - When queuing DESTROY cells on a channel, only queue the - circuit-id and reason fields: not the entire 514-byte - cell. This fix should help mitigate any bugs or attacks that - fill up these queues, and free more RAM for other uses. Fixes - bug 24666; bugfix on 0.2.5.1-alpha. diff --git a/changes/bug24736 b/changes/bug24736 deleted file mode 100644 index 632560932..000000000 --- a/changes/bug24736 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (address selection): - - When the fascist_firewall_choose_address_ functions don't find a - reachable address, set the returned address to the null address and port. - This is a precautionary measure, because some callers do not check the - return value. - Fixes bug 24736; bugfix on 0.2.8.2-alpha. diff --git a/changes/bug24895 b/changes/bug24895 deleted file mode 100644 index 7edde94a0..000000000 --- a/changes/bug24895 +++ /dev/null @@ -1,8 +0,0 @@ - o Major bugfixes (onion services): - - Fix an "off by 2" error in counting rendezvous failures on the onion - service side. While we thought we would stop the rendezvous attempt - after one failed circuit, we were actually making three circuit attempts - before giving up. Now switch to a default of 2, and allow the consensus - parameter "hs_service_max_rdv_failures" to override. Fixes bug 24895; - bugfix on 0.0.6. - diff --git a/changes/bug24898-029 b/changes/bug24898-029 deleted file mode 100644 index b33f09384..000000000 --- a/changes/bug24898-029 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor bugfixes (relay): - - Make the internal channel_is_client() function look at what sort - of connection handshake the other side used, rather than whether - the other side ever sent a create_fast cell to us. Backports part - of the fixes from bugs 22805 and 24898. - diff --git a/changes/bug24952 b/changes/bug24952 deleted file mode 100644 index 93174c04f..000000000 --- a/changes/bug24952 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfix (channel connection): - - The accurate address of a connection is real_addr, not the addr member. - TLS Channel remote address is now real_addr content instead of addr - member. Fixes bug 24952; bugfix on 707c1e2e26 in 0.2.4.11-alpha. - Patch by "ffmancera". diff --git a/changes/bug24978 b/changes/bug24978 deleted file mode 100644 index 5dc45c744..000000000 --- a/changes/bug24978 +++ /dev/null @@ -1,7 +0,0 @@ - o Minor features (compatibility, OpenSSL): - - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released. - Previous versions of Tor would not have worked with OpenSSL - 1.1.1, since they neither disabled TLS 1.3 nor enabled any of the - ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites. - Closes ticket 24978. - diff --git a/changes/bug25223 b/changes/bug25223 deleted file mode 100644 index fdd556350..000000000 --- a/changes/bug25223 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (DoS mitigation): - - Make sure we don't modify consensus parameters if we aren't a public - relay when a new consensus arrives. Fixes bug 25223; bugfix on - 0.3.3.2-alpha. diff --git a/changes/geoip-2017-12-06 b/changes/geoip-2017-12-06 deleted file mode 100644 index ae4fb1149..000000000 --- a/changes/geoip-2017-12-06 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-2018-01-05 b/changes/geoip-2018-01-05 deleted file mode 100644 index 59aba02d0..000000000 --- a/changes/geoip-2018-01-05 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2 - Country database. - diff --git a/changes/geoip-2018-02-07 b/changes/geoip-2018-02-07 deleted file mode 100644 index f45228fd7..000000000 --- a/changes/geoip-2018-02-07 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor features (geoip): - - Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2 - Country database. - diff --git a/changes/ticket23856 b/changes/ticket23856 deleted file mode 100644 index 049da18d0..000000000 --- a/changes/ticket23856 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor feature (relay statistics): - - Change relay bandwidth reporting stats interval from 4 hours to 24 hours - in order to reduce the efficiency of guard discovery attacks. Fixes - ticket 23856. diff --git a/changes/ticket24315 b/changes/ticket24315 deleted file mode 100644 index df34dbf41..000000000 --- a/changes/ticket24315 +++ /dev/null @@ -1,3 +0,0 @@ - o Major features (linux seccomp2 sandbox): - - Update the sandbox rules so that they should now work correctly with - Glibc 2.26. Closes ticket 24315. diff --git a/changes/ticket24681 b/changes/ticket24681 deleted file mode 100644 index cc0a42b2e..000000000 --- a/changes/ticket24681 +++ /dev/null @@ -1,6 +0,0 @@ - o Minor features (fallback directory mirrors): - - Make the default DirAuthorityFallbackRate 0.1, so that clients on the - public tor network prefer to bootstrap off fallback directory mirrors. - This is a follow-up to 24679, which removed weights from the default - fallbacks. - Implements ticket 24681. diff --git a/changes/ticket24902 b/changes/ticket24902 deleted file mode 100644 index 1a2ef95cc..000000000 --- a/changes/ticket24902 +++ /dev/null @@ -1,13 +0,0 @@ - o Major features (denial of service mitigation): - - Give relays some defenses against the recent network overload. We start - with three defenses (default parameters in parentheses). First: if a - single client address makes too many concurrent connections (>100), hang - up on further connections. Second: if a single client address makes - circuits too quickly (more than 3 per second, with an allowed burst of - 90) while also having too many connections open (3), refuse new create - cells for the next while (1-2 hours). Third: if a client asks to - establish a rendezvous point to you directly, ignore the request. These - defenses can be manually controlled by new torrc options, but relays - will also take guidance from consensus parameters, so there's no need to - configure anything manually. Implements ticket 24902. - diff --git a/changes/ticket25122 b/changes/ticket25122 deleted file mode 100644 index 2921811b2..000000000 --- a/changes/ticket25122 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor feature (geoip cache): - - Make our OOM handler aware of the geoip client history cache so it - doesn't fill up the memory which is especially important for IPv6 and - our DoS mitigation subsystem. Closes ticket 25122. diff --git a/changes/ticket25170 b/changes/ticket25170 deleted file mode 100644 index 065213940..000000000 --- a/changes/ticket25170 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor bugfix (directory authority, documentation): - - When a fingerprint or network address is marked as rejected, the - returned message by the authority now explicitly mention to set a valid - ContactInfo address and contact the bad-relays@ mailing list. Fixes bug - 25170; bugfix on 0.2.9.1. diff --git a/changes/ticket25202 b/changes/ticket25202 deleted file mode 100644 index ba64abad7..000000000 --- a/changes/ticket25202 +++ /dev/null @@ -1,4 +0,0 @@ - o Minor bugfixes (DoS mitigation): - - Add extra safety checks when refilling the circuit creation bucket to - ensure we never set a value that is above the allowed burst. Fixes - bug 25202; bugfix on 0.3.3.2-alpha. diff --git a/changes/ticket_24801 b/changes/ticket_24801 deleted file mode 100644 index f5f6c831a..000000000 --- a/changes/ticket_24801 +++ /dev/null @@ -1,5 +0,0 @@ - o Minor features (new fallback directories): - - The fallback directory list has been re-generated based on the - current status of the network. Tor uses fallback directories to - bootstrap it doesn't yet have up-to-date directory - information. Closes ticket 24801.