Draft changelog for 0.3.2.10

ChangeLog

@@ -3,7 +3,37 @@ Changes in version 0.3.2.10 - 2018-03-??
   backports a number of bugfixes, including important fixes for security
   issues.
 
-  BLURB HERE.
+  It includes an important security fix for a remote crash attack
+  against directory authorities, tracked as TROVE-2018-001.
+
+  Additionally, it backports a fix for a bug whose severity we have
+  upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely
+  triggered in order to crash relays with a use-after-free pattern. As
+  such, we are now tracking that bug as TROVE-2018-002 and
+  CVE-2018-0491, and backporting it to earlier releases.  This bug
+  affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version
+  0.3.3.1-alpha.
+
+  This release also backports our new system for improved resistance to
+  denial-of-service attacks against relays.
+
+  This release also fixes several minor bugs and annoyances from
+  earlier releases.
+
+  All directory authorities should upgrade to one of the versions
+  released today.  All relays not already running Tor 0.3.3.2-alpha or
+  later should upgrade to this release.
+
+  o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
+    - Fix a protocol-list handling bug that could be used to remotely crash
+      directory authorities with a null-pointer exception. Fixes bug 25074;
+      bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
+      CVE-2018-0490.
+
+  o Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha):
+    - Avoid adding the same channel twice in the KIST scheduler pending
+      list, which could lead to remote denial-of-service use-after-free
+      attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
 
   o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
     - Give relays some defenses against the recent network overload. We
@@ -75,6 +105,14 @@ Changes in version 0.3.2.10 - 2018-03-??
       making decisions about how to handle the incoming connection.
       Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
 
+  o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
+    - Fix a possible crash on malformed consensus. If a consensus had
+      contained an unparseable protocol line, it could have made clients
+      and relays crash with a null-pointer exception. To exploit this
+      issue, however, an attacker would need to be able to subvert the
+      directory authority system. Fixes bug 25251; bugfix on
+      0.2.9.4-alpha. Also tracked as TROVE-2018-004.
+
   o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
     - Directory authorities, when refusing a descriptor from a rejected
       relay, now explicitly tell the relay (in its logs) to set a valid
@@ -86,17 +124,6 @@ Changes in version 0.3.2.10 - 2018-03-??
       around the issue at https://github.com/rust-lang/rust/issues/46797.
       Fixes bug 24652; bugfix on 0.3.1.1-alpha.
 
-
- [[[[ OMIT
-  o Minor bugfixes (DoS mitigation):
-    - Add extra safety checks when refilling the circuit creation bucket to
-      ensure we never set a value that is above the allowed burst. Fixes
-      bug 25202; bugfix on 0.3.3.2-alpha.
-    - Make sure we don't modify consensus parameters if we aren't a public
-      relay when a new consensus arrives. Fixes bug 25223; bugfix on
-      0.3.3.2-alpha.
- OMIT]]]] 
-
   o Minor bugfixes (onion services, backport from 0.3.3.2-alpha):
     - Remove a BUG() statement when a client fetches an onion descriptor
       that has a lower revision counter than the one in its cache. This
@@ -118,10 +145,11 @@ Changes in version 0.3.2.10 - 2018-03-??
       limit (which can happen sometimes on some versions of OSX). Fixes
       bug 21074; bugfix on 0.0.9pre5.
 
-  o Minor bugfixes (scheduler, KIST, backport from 0.3.3.2-alpha):
-    - Avoid adding the same channel twice in the KIST scheduler pending
-      list, which would waste CPU cycles. Fixes bug 24700; bugfix
-      on 0.3.2.1-alpha.
+  o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
+    - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
+      0.2.9.4-alpha.
+    - Forbid UINT32_MAX as a protocol version.  Fixes part of bug 25249;
+      bugfix on 0.2.9.4-alpha.
 
   o Minor bugfixes (testing, backport from 0.3.3.1-alpha):
     - Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug

changes/bug25249

@@ -1,3 +0,0 @@
-  o Minor bugfixes (spec conformance):
-    - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
-      0.2.9.4-alpha.

changes/bug25249.2

@@ -1,3 +0,0 @@
-  o Minor bugfixes (spec conformance):
-    - Forbid UINT32_MAX as a protocol version.  Fixes part of bug 25249;
-      bugfix on 0.2.9.4-alpha.

changes/trove-2018-001.1

@@ -1,6 +0,0 @@
-  o Major bugfixes (denial-of-service, directory authority):
-    - Fix a protocol-list handling bug that could be used to remotely crash
-      directory authorities with a null-pointer exception. Fixes bug 25074;
-      bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001.
-
-

changes/trove-2018-004

@@ -1,8 +0,0 @@
-  o Minor bugfixes (denial-of-service):
-    - Fix a possible crash on malformed consensus. If a consensus had
-      contained an unparseable protocol line, it could have made clients
-      and relays crash with a null-pointer exception. To exploit this
-      issue, however, an attacker would need to be able to subvert the
-      directory-authority system. Fixes bug 25251; bugfix on
-      0.2.9.4-alpha. Also tracked as TROVE-2018-004.
-