sarah
/
tor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

fold in some new changelog stanzas

This commit is contained in:
Roger Dingledine 2012-01-07 07:42:07 -05:00
parent 19c372daf0
commit 36721e940d
24 changed files with 148 additions and 177 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
ChangeLog
View File

@ -1,4 +1,150 @@
Changes in version 0.2.3.11-alpha - 201?-??-??
Changes in version 0.2.3.11-alpha - 2012-01-0?
o Major features:
- Now that Tor 0.2.0.x is completely deprecated, enable the final
part of "Proposal 110: Avoiding infinite length circuits" by
refusing all circuit-extend requests that do not use a relay_early
cell. This change helps Tor resist a class of denial-of-service
attacks by limiting the maximum circuit length.
- Adjust the number of introduction points that a hidden service
will try to maintain based on how long its introduction points
remain in use and how many introductions they handle. Fixes
part of bug 3825.
- Try to use system facilities for enumerating local interface
addresses, before falling back to our old approach (which was
binding a UDP socket, and calling getsockname() on it). That
approach was scaring OS X users whose draconian firewall
software warned about binding to UDP sockets, regardless of
whether packets were sent. Now we try to use getifaddrs(),
SIOCGIFCONF, or GetAdaptersAddresses(), depending on what the
system supports. Resolves ticket 1827.
o Major security workaround:
- When building or running with any version of OpenSSL earlier
than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
versions have a bug (CVE-2011-4576) in which their block cipher
padding includes uninitialized data, potentially leaking sensitive
information to any peer with whom they make a SSLv3 connection. Tor
does not use SSL v3 by default, but a hostile client or server
could force an SSLv3 connection in order to gain information that
they shouldn't have been able to get. The best solution here is to
upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
to make sure that the bug can't happen.
o Major bugfixes:
- Correct our replacements for the timeradd() and timersub() functions
on platforms that lack them (for example, Windows). The timersub()
function is used when expiring circuits, while timeradd() is
currently unused. Bug report and patch by Vektor. Bugfix on
0.2.2.24-alpha and 0.2.3.1-alpha; fixes bug 4778.
- Do not use OpenSSL 1.0.0's counter mode: it has a critical bug
that was fixed in OpenSSL 1.0.0a. Fixes bug 4779; bugfix on
Tor 0.2.3.9-alpha. Found by Pascal.
o Minor features:
- Directory servers now reject versions of Tor older than 0.2.1.30,
and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
(inclusive). These versions accounted for only a small fraction of
the Tor network, and have numerous known security issues. Resolves
issue 4788.
- Use absolute path names when reporting the torrc filename in the
control protocol, so a controller can more easily find the torrc
file. Resolves bug 1101.
- If EntryNodes are given, but UseEntryGuards is set to 0, warn that
EntryNodes will have no effect. Resolves issue 2571.
- Extend the control protocol to report flags that control a circuit's
path selection in CIRC events and in replies to 'GETINFO
circuit-status'. Implements part of ticket 2411.
- Extend the control protocol to report the hidden service address
and current state of a hidden-service-related circuit in CIRC
events and in replies to 'GETINFO circuit-status'. Implements part
of ticket 2411.
- Update to the January 3 2012 Maxmind GeoLite Country database.
o Minor bugfixes (hidden services):
- Don't close hidden service client circuits which have almost
finished connecting to their destination when they reach
the normal circuit-build timeout. Previously, we would close
introduction circuits which are waiting for an acknowledgement
from the introduction point, and rendezvous circuits which have
been specified in an INTRODUCE1 cell sent to a hidden service,
after the normal CBT. Now, we mark them as 'timed out', and launch
another rendezvous attempt in parallel. This behavior change can
be disabled using the new CloseHSClientCircuitsImmediatelyOnTimeout
option. Fixes part of bug 1297.
- Don't close hidden-service-side rendezvous circuits when they
reach the normal circuit-build timeout. This behaviour change can
be disabled using the new
CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes the
remaining part of bug 1297.
- Make sure we never mark the wrong rendezvous circuit as having
had its introduction cell acknowleged by the introduction-point
relay. Previously, when we received an INTRODUCE_ACK cell on a
client-side hidden-service introduction circuit, we might have
marked a rendezvous circuit other than the one we specified in
the INTRODUCE1 cell as INTRO_ACKED, which would have produced
a warning message and interfered with the hidden service
connection-establishment process. Bugfix on 0.2.3.3-alpha, when we
added the stream-isolation feature which might cause Tor to open
multiple rendezvous circuits for the same hidden service. Fixes
bug 4759.
- Don't trigger an assertion failure when we mark a new client-side
hidden-service introduction circuit for close during the process
of creating it. Bugfix on 0.2.3.6-alpha. Fixes bug 4796; reported
by murb.
o Minor bugfixes (other):
- Fix null-pointer access that could occur if TLS allocation failed.
Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un". This was
erroneously listed as fixed in 0.2.3.9-alpha, but the fix had
accidentally been reverted.
- Fix an assertion failure when, while running with bufferevents, a
connection finishes connecting after it is marked for close, but
before it is closed. Fixes bug 4697; bugfix on 0.2.3.1-alpha.
- Older Linux kernels erroneously respond to strange nmap behavior
by having accept() return successfully with a zero-length
socket. When this happens, just close the connection. Previously,
we would try harder to learn the remote address: but there was
no such remote address to learn, and our method for trying to
learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
on 0.1.0.3-rc. Reported and diagnosed by "r1eo".
- test_util_spawn_background_ok() hardcoded the expected value
for ENOENT to 2. This isn't portable as error numbers are
platform specific, and particularly the hurd has ENOENT at
0x40000002. Construct expected string at runtime, using the correct
value for ENOENT. Fixes bug 4733; bugfix on 0.2.3.1-alpha.
- Correctly spell "connect" in a log message on failure to create a
controlsocket. Fixes bug 4803; bugfix on 0.2.2.26-beta and
0.2.3.2-alpha.
- During configure, search for library containing cos function as
libm lives in libcore on some platforms (BeOS/Haiku).
Linking against libm was hard-coded before. Bugfix on
0.2.2.2-alpha; fixes the first part of bug 4727. Patch and
analysis by Martin Hebnes Pedersen.
- Preprocessor directives should not be put inside the arguments
of a macro. This would break compilation with GCC releases prior
to version 3.3. We would never recommend such an old GCC
version, but it is apparently required for binary compatibility
on some platforms (namely, certain builds of Haiku). Bugfix on
0.2.3.3-alpha; fixes the other part of bug 4727. Patch and
analysis by Martin Hebnes Pedersen.
- Feature removal:
- When sending or relaying a RELAY_EARLY cell, we used to convert
it to a RELAY cell if the connection was using the v1 link
protocol. This was a workaround for older versions of Tor, which
didn't handle RELAY_EARLY cells properly. Now that all supported
versions can handle RELAY_EARLY cells, and now that we're enforcing
the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
remove this workaround. Addresses bug 4786.
o Code simplifications and refactoring:
- During configure, detect when we're building with clang version
3.0 or lower and disable the -Wnormalized=id and -Woverride-init
CFLAGS. clang doesn't support them yet.
- Use OpenSSL's built-in SSL_state_string_long() instead of our
own homebrewed ssl_state_to_string() replacement. Patch from
Emile Snyder. Fixes bug 4653.
Changes in version 0.2.3.10-alpha - 2011-12-16
@ -786,7 +932,7 @@ Changes in version 0.2.1.31 - 2011-10-26
circuit EXTEND request. Now relays can protect clients from the
CVE-2011-2768 issue even if the clients haven't upgraded yet.
- Bridges now refuse CREATE or CREATE_FAST cells on OR connections
that they initiated. Relays could distinguish incoming bridge
that they initiated. Relays could distinguish incoming bridge
connections from client connections, creating another avenue for
enumerating bridges. Fixes CVE-2011-2769. Bugfix on 0.2.0.3-alpha.
Found by "frosty_un".

3
changes/bug1101
View File

@ -1,3 +0,0 @@
o Minor features:
- Use absolute path names when reporting the torrc filename, so
that a controller can more easily find it. Resolves bug 1101.

8
changes/bug1240
View File

@ -1,8 +0,0 @@
o Minor bugfixes:
- When running with an older Linux kernel that erroneously responds
to strange nmap behavior by having accept() return successfully
with a zero-length socket, just close the connection. Previously,
we would try harder to learn the remote address: but there was no
such remote address to learn, and our method for trying to learn
it was incorrect. Fixes bugs #1240, #4745, and #4747. Bugfix on
0.1.0.3-rc. Reported and diagnosed by "r1eo".

20
changes/bug1297b
View File

@ -1,20 +0,0 @@
o Minor bugfixes:
- Don't close hidden service client circuits which have almost
finished connecting to their destination when they reach the
normal circuit-build timeout. Previously, we would close
introduction circuits which are waiting for an acknowledgement
from the introduction-point relay and rendezvous circuits which
have been specified in an INTRODUCE1 cell sent to a hidden
service after the normal CBT; now, we mark them as 'timed out',
and launch another rendezvous attempt in parallel. This
behaviour change can be disabled using the new
CloseHSClientCircuitsImmediatelyOnTimeout option. Fixes part of
bug 1297.
- Don't close hidden-service-side rendezvous circuits when they
reach the normal circuit-build timeout. Previously, we would
close them. This behaviour change can be disabled using the new
CloseHSServiceRendCircuitsImmediatelyOnTimeout option. Fixes
the remaining part of bug 1297.

9
changes/bug1827
View File

@ -1,9 +0,0 @@
- Minor features:
- Try to use system facilities for enumerating local interface
addresses, before falling back to our old approach (which was
binding a UDP socket, and calling getsockname() on it). That
approach was confusing people whose draconian firewall software
didn't like binding to UDP sockets, regardless of whether
packets were sent. Now we try to use getifaddrs(), SIOCGIFCONF,
or GetAdaptersAddresses(), depending on what the system
supports. Resolves ticket #1827.

3
changes/bug2571
View File

@ -1,3 +0,0 @@
- Minor features:
- If EntryNodes are given, but UseEntryGuards is set to 0, warn that
EntryNodes will have no effect. Resolves issue 2571.

7
changes/bug3825b
View File

@ -1,7 +0,0 @@
o Major features:
- Adjust the number of introduction points that a hidden service
will try to maintain based on how long its introduction points
remain in use and how many introductions they handle. Fixes
part of bug 3825.

5
changes/bug4531_take2
View File

@ -1,5 +0,0 @@
o Minor bugfixes:
- Fix null-pointer access that could occur if TLS allocation failed.
Fixes bug 4531; bugfix on 0.2.0.20-rc. Found by "troll_un". This was
erroneously listed as fixed in 0.2.3.9-alpha, but the fix had
accidentally been reverted.

4
changes/bug4653
View File

@ -1,4 +0,0 @@
o Code simplification and refactoring:
- Use OpenSSL's built-in SSL_state_string_long() instead of our
own homebrewed ssl_state_to_string() replacement. Patch from
Emile Snyder. Fixes bug 4653.

5
changes/bug4697
View File

@ -1,5 +0,0 @@
o Minor bugfixes:
- Fix an assertion failure when, while running with bufferevents, a
connection finishes connecting after it is marked for close, but
before it is closed. Fix for bug 4697; Bugfix on 0.2.3.1-alpha.

6
changes/bug4733
View File

@ -1,6 +0,0 @@
o Minor fix:
test_util_spawn_background_ok() hardcoded the expected value
for ENOENT to 2. This isn't portable as error numbers are
platform specific, and particularly the hurd has ENOENT at
0x40000002. Construct expected string at runtime, using the
correct value for ENOENT (closes: #4733). Bugfix on 0.2.3.1-alpha.

14
changes/bug4759
View File

@ -1,14 +0,0 @@
o Minor bugfixes:
- Make sure we never mark the wrong rendezvous circuit as having
had its introduction cell acknowleged by the introduction-point
relay. Previously, when we received an INTRODUCE_ACK cell on a
client-side hidden-service introduction circuit, we might have
marked a rendezvous circuit other than the one we specified in
the INTRODUCE1 cell as INTRO_ACKED, which would have produced a
warning message and interfered with the hidden service
connection-establishment process. Bugfix on 0.2.3.3-alpha, when
the stream-isolation feature which might cause Tor to open
multiple rendezvous circuits for the same hidden service was
added. Fixes bug 4759.

4
changes/bug4779
View File

@ -1,4 +0,0 @@
o Minor bugfixes:
- Do not use OpenSSL 1.0.0's counter mode: it has a critical bug
that was fixed in OpenSSL 1.0.0a. Fixes bug 4779; bugfix on
Tor 0.2.3.9-alpha. Found by Pascal.

9
changes/bug4786
View File

@ -1,9 +0,0 @@
- Feature removal:
- When sending or relaying a RELAY_EARLY cell, we used to convert
it to a RELAY cell if the connection was using the v1 link
protocol. This was a workaround for older versions of Tor, which
didn't handle RELAY_EARLY cells properly. Now that all supported
versions can handle RELAY_EARLY cells, and now that we're
enforcing the "no RELAY_EXTEND commands except in RELAY_EARLY
cells" rule, we're removing this workaround. Addresses bug 4786.

6
changes/bug4788
View File

@ -1,6 +0,0 @@
o Minor features (directory server):
- Directory servers now reject versions of Tor older than 0.2.1.30,
and Tor versions between 0.2.2.1-alpha and 0.2.2.20-alpha
(inclusive). These versions accounted for only a small fraction of
the Tor network, and have numerous known security issues. Resolves
issue #4788.

7
changes/bug4796
View File

@ -1,7 +0,0 @@
o Minor bugfixes:
- Don't exit with an assertion failure when we mark a new
client-side hidden-service introduction circuit for close during
the process of creating it. Bugfix on 0.2.3.6-alpha. Fixes bug
4796; reported by murb.

4
changes/bug4803
View File

@ -1,4 +0,0 @@
o Minor bugfixes:
- Correctly spell "connect" in a log message when creating a controlsocket
fails. Fixes bug 4803; bugfix on 0.2.2.26-beta/0.2.3.2-alpha.

13
changes/bug4822
View File

@ -1,13 +0,0 @@
o Major security workaround:
- When building or running with any version of OpenSSL earlier
than 0.9.8s or 1.0.0f, disable SSLv3 support. These versions had
a bug (CVE-2011-4576) in which their block cipher padding
included uninitialized data, potentially leaking sensitive
information to any peer with whom they made a SSLv3
connection. Tor does not use SSL v3 by default, but a hostile
client or server could force an SSLv3 connection in order to
gain information that they shouldn't have been able to get. The
best solution here is to upgrade to OpenSSL 0.9.8s or 1.0.0f (or
later). But when building or running with a non-upgraded
OpenSSL, we should instead make sure that the bug can't happen
by disabling SSLv3 entirely.

5
changes/clang_30_options
View File

@ -1,5 +0,0 @@
o Code simplifications and refactoring:
- During configure, detect when we're building with clang version 3.0 or
lower and disable the -Wnormalized=id and -Woverride-init CFLAGS.
clang doesn't support them yet.

12
changes/feature2411
View File

@ -1,12 +0,0 @@
o Minor features:
- Report flags that control a circuit's path selection to
controllers in CIRC events and in replies to 'GETINFO
circuit-status'. Implements part of ticket 2411.
- Report the hidden service address and current state of a
hidden-service-related circuit to controllers in CIRC events and
in replies to 'GETINFO circuit-status'. Implements part of
ticket 2411.

3
changes/geoip-january2012
View File

@ -1,3 +0,0 @@
o Minor features:
- Update to the January 3 2012 Maxmind GeoLite Country database.

14
changes/portability_01_haiku
View File

@ -1,14 +0,0 @@
o Minor buxfixes:
- During configure, search for library containing cos function as
libm lives in libcore on some platforms (BeOS/Haiku).
Linking against libm was hard-coded before. Bugfix on
0.2.2.2-alpha, fixes the first part of bug 4727. Patch and
analysis by Martin Hebnes Pedersen.
- Preprocessor directives should not be put inside the arguments
of a macro. This would break compilation with GCC releases prior
to version 3.3. We would never recommend such an old GCC
version, but it is apparently required for binary compatibility
on some platforms (namely, certain builds of Haiku). Bugfix on
0.2.3.3-alpha, fixes the other part of bug 4727. Patch and
analysis by Martin Hebnes Pedersen.

7
changes/prop110
View File

@ -1,7 +0,0 @@
o Major features:
- Now that Tor 0.2.0.x is completely deprecated, we can enable the
final part of "Proposal 110: Avoiding infinite length circuits"
by refusing all circuit-extend requests that do not appear in a
"relay_early" cell. This change helps Tor to resist a class of
denial-of-service attacks by limiting the maximum circuit length.

7
changes/timersub_bug
View File

@ -1,7 +0,0 @@
o Major bugfixes:
- Provide correct replacements for the timeradd() and timersub() functions
for platforms that lack them (for example, windows). The timersub()
function is used when expiring circuits, timeradd() is currently unused.
Patch written by Vektor, who also reported the bug. Thanks! Bugfix
on 0.2.2.24-alpha/0.2.3.1-alpha, fixes bug 4778.