From 6880aaf0a98fc63ae0257686b6b9965496adbcd5 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sun, 19 Oct 2014 12:56:12 -0400 Subject: [PATCH] Automatically sort and collate ReleaseNotes. No entries have been removed or edited or added in this commit; no section names have been changed. We may need another round of removal/editing/etc after we edit some section names. We may want to re-order items within sections. --- ReleaseNotes | 1103 +++++++++++++++++++++++--------------------------- 1 file changed, 502 insertions(+), 601 deletions(-) diff --git a/ReleaseNotes b/ReleaseNotes index f8597839d..b81b50924 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -1,26 +1,14 @@ - This document summarizes new features and bugfixes in each stable release of Tor. If you want to see more detailed descriptions of the changes in each development snapshot, see the ChangeLog file. -Changes in version 0.2.5.? - 2014-10-?? - o Major features (security): - - If you don't specify MaxMemInQueues yourself, Tor now tries to - pick a good value based on your total system memory. Previously, - the default was always 8 GB. You can still override the default by - setting MaxMemInQueues yourself. Resolves ticket 11396. +Changes in version 0.2.5.9 - 2014-10-2x - o Major features (relay performance): - - Speed up server-side lookups of rendezvous and introduction point - circuits by using hashtables instead of linear searches. These - functions previously accounted between 3 and 7% of CPU usage on - some busy relays. Resolves ticket 9841. - - Avoid wasting CPU when extending a circuit over a channel that is - nearly out of circuit IDs. Previously, we would do a linear scan - over possible circuit IDs before finding one or deciding that we - had exhausted our possibilities. Now, we try at most 64 random - circuit IDs before deciding that we probably won't succeed. Fixes - a possible root cause of ticket 11553. + o Deprecated versions: + - Tor 0.2.2.x has reached end-of-life; it has received no patches or + attention for some while. Directory authorities no longer accept + descriptors from relays running any version of Tor prior to Tor + 0.2.3.16-alpha. Resolves ticket 11149. o Major features (relay security, DoS-resistance): - When deciding whether we have run out of memory and we need to @@ -42,6 +30,12 @@ Changes in version 0.2.5.? - 2014-10-?? and an attacker cannot predict which entries will collide. Closes ticket 4900. + o Major features (security): + - If you don't specify MaxMemInQueues yourself, Tor now tries to + pick a good value based on your total system memory. Previously, + the default was always 8 GB. You can still override the default by + setting MaxMemInQueues yourself. Resolves ticket 11396. + o Major features (bridges): - Don't launch pluggable transport proxies if we don't have any bridges configured that would use them. Now we can list many @@ -53,6 +47,29 @@ Changes in version 0.2.5.? - 2014-10-?? to e.g. include at least one Stable bridge in its answers. Fixes bug 9859. + o Major features (relay performance): + - Speed up server-side lookups of rendezvous and introduction point + circuits by using hashtables instead of linear searches. These + functions previously accounted between 3 and 7% of CPU usage on + some busy relays. Resolves ticket 9841. + - Avoid wasting CPU when extending a circuit over a channel that is + nearly out of circuit IDs. Previously, we would do a linear scan + over possible circuit IDs before finding one or deciding that we + had exhausted our possibilities. Now, we try at most 64 random + circuit IDs before deciding that we probably won't succeed. Fixes + a possible root cause of ticket 11553. + + o Major features (seccomp2 sandbox, Linux only): + - Use the seccomp2 syscall filtering facility on Linux to limit + which system calls Tor can invoke. This is an experimental, + Linux-only feature to provide defense-in-depth against unknown + attacks. To try turning it on, set "Sandbox 1" in your torrc + file. Please be ready to report bugs. We hope to add support + for better sandboxing in the future, including more fine-grained + filters, better division of responsibility, and support for more + platforms. This work has been done by Cristian-Matei Toader for + Google Summer of Code. Resolves tickets 11351 and 11465. + o Major features (other): - Extend ORCONN controller event to include an "ID" parameter, and add four new controller event types CONN_BW, CIRC_BW, @@ -66,19 +83,6 @@ Changes in version 0.2.5.? - 2014-10-?? when a crash occurs or an assertion fails. By default, traces are dumped to stderr (if possible) and to any logs that are reporting errors. Implements ticket 9299. - - o Major features (seccomp2 sandbox, Linux only): - - Use the seccomp2 syscall filtering facility on Linux to limit - which system calls Tor can invoke. This is an experimental, - Linux-only feature to provide defense-in-depth against unknown - attacks. To try turning it on, set "Sandbox 1" in your torrc - file. Please be ready to report bugs. We hope to add support - for better sandboxing in the future, including more fine-grained - filters, better division of responsibility, and support for more - platforms. This work has been done by Cristian-Matei Toader for - Google Summer of Code. Resolves tickets 11351 and 11465. - - o Major features (other): - Add support for passing arguments to managed pluggable transport proxies. Implements ticket 3594. - Bridges now track GeoIP information and the number of their users @@ -93,54 +97,6 @@ Changes in version 0.2.5.? - 2014-10-?? - The ntor handshake is now on-by-default, no matter what the directory authorities recommend. Implements ticket 8561. - - - - o Major security fixes: - - Disable support for SSLv3. All versions of OpenSSL in use with Tor - today support TLS 1.0 or later, so we can safely turn off support - for this old (and insecure) protocol. Fixes bug 13426. - - o Minor bugfixes: - - Disable the sandbox name resolver cache when running tor-resolve: - tor-resolve doesn't use the sandbox code, and turning it on was - breaking attempts to do tor-resolve on a non-default server on - Linux. Fixes bug 13295; bugfix on 0.2.5.3-alpha. - - o Compilation fixes: - - Build and run correctly on systems like OpenBSD-current that have - patched OpenSSL to remove get_cipher_by_char and/or its - implementations. Fixes issue 13325. - - o Downgraded warnings: - - Downgrade the severity of the 'unexpected sendme cell from client' - from 'warn' to 'protocol warning'. Closes ticket 8093. - - - - o Major bugfixes (client, startup): - - Warn about attempts to run hidden services and relays in the same - process: that's probably not a good idea. Closes ticket 12908. - - o Major bugfixes (relay): - - Avoid queuing or sending destroy cells for circuit ID zero when we - fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1. - Found and fixed by "cypherpunks". - - Fix ORPort reachability detection on relays running behind a - proxy, by correctly updating the "local" mark on the controlling - channel when changing the address of an or_connection_t after the - handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha. - - o Major bugfixes: - - Perform circuit cleanup operations even when circuit - construction operations are disabled (because the network is - disabled, or because there isn't enough directory information). - Previously, when we were not building predictive circuits, we - were not closing expired circuits either. Fixes bug 8387; bugfix on - 0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we - became more strict about when we have "enough directory information - to build circuits". - o Major bugfixes (security, directory authorities): - Directory authorities now include a digest of each relay's identity key as a part of its microdescriptor. @@ -157,7 +113,40 @@ Changes in version 0.2.5.? - 2014-10-?? attacker from causing a microdescriptor collision, because the router's identity is not forgeable. + o Major bugfixes: + - Perform circuit cleanup operations even when circuit + construction operations are disabled (because the network is + disabled, or because there isn't enough directory information). + Previously, when we were not building predictive circuits, we + were not closing expired circuits either. Fixes bug 8387; bugfix on + 0.1.1.11-alpha. This bug became visible in 0.2.4.10-alpha when we + became more strict about when we have "enough directory information + to build circuits". + - Instead of writing destroy cells directly to outgoing connection + buffers, queue them and intersperse them with other outgoing cells. + This can prevent a set of resource starvation conditions where too + many pending destroy cells prevent data cells from actually getting + delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912; + bugfix on 0.2.0.1-alpha. + + o Major bugfixes (client, pluggable transports): + - When managing pluggable transports, use OS notification facilities + to learn if they have crashed, and don't attempt to kill any + process that has already exited. Fixes bug 8746; bugfix + on 0.2.3.6-alpha. + + o Major bugfixes (client, startup): + - Warn about attempts to run hidden services and relays in the same + process: that's probably not a good idea. Closes ticket 12908. + o Major bugfixes (relay): + - Avoid queuing or sending destroy cells for circuit ID zero when we + fail to send a CREATE cell. Fixes bug 12848; bugfix on 0.0.8pre1. + Found and fixed by "cypherpunks". + - Fix ORPort reachability detection on relays running behind a + proxy, by correctly updating the "local" mark on the controlling + channel when changing the address of an or_connection_t after the + handshake. Fixes bug 12160; bugfix on 0.2.4.4-alpha. - Use a direct dirport connection when uploading non-anonymous descriptors to the directory authorities. Previously, relays would incorrectly use tunnel connections under a fairly wide variety of @@ -168,33 +157,25 @@ Changes in version 0.2.5.? - 2014-10-?? circuit in a million non-functional. Fixes bug 12195; this is a bugfix on every version of Tor. - o Major bugfixes (client, pluggable transports): - - When managing pluggable transports, use OS notification facilities - to learn if they have crashed, and don't attempt to kill any - process that has already exited. Fixes bug 8746; bugfix - on 0.2.3.6-alpha. + o Major security fixes: + - Disable support for SSLv3. All versions of OpenSSL in use with Tor + today support TLS 1.0 or later, so we can safely turn off support + for this old (and insecure) protocol. Fixes bug 13426. - o Major bugfixes: - - Instead of writing destroy cells directly to outgoing connection - buffers, queue them and intersperse them with other outgoing cells. - This can prevent a set of resource starvation conditions where too - many pending destroy cells prevent data cells from actually getting - delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912; - bugfix on 0.2.0.1-alpha. + o Minor features (security): + - New --enable-expensive-hardening option to enable security + hardening options that consume nontrivial amounts of CPU and + memory. Right now, this includes AddressSanitizer and UbSan, which + are supported in newer versions of GCC and Clang. Closes ticket + 11477. - - - - - - - o Minor features (bridge): - - Add an ExtORPortCookieAuthFileGroupReadable option to make the - cookie file for the ExtORPort g+r by default. - - o Minor features (geoip): - - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2 - Country database. + o Minor features (security, memory management): + - Memory allocation tricks (mempools and buffer freelists) are now + disabled by default. You can turn them back on with + --enable-mempools and --enable-buf-freelists respectively. We're + disabling these features because malloc performance is good enough + on most platforms, and a similar feature in OpenSSL exacerbated + exploitation of the Heartbleed attack. Resolves ticket 11476. o Minor features: - Authorities now assign the Guard flag to the fastest 25% of the @@ -205,90 +186,14 @@ Changes in version 0.2.5.? - 2014-10-?? down to 1 (proposal 236) while still providing reasonable expected performance for most users. Implements ticket 12690. - o Minor features (diagnostic): - - When logging a warning because of bug 7164, additionally check the - hash table for consistency (as proposed on ticket 11737). This may - help diagnose bug 7164. - - When we log a heartbeat, log how many one-hop circuits we have - that are at least 30 minutes old, and log status information about - a few of them. This is an attempt to track down bug 8387. - - When encountering an unexpected CR while writing text to a file on - Windows, log the name of the file. Should help diagnosing - bug 11233. - - Give more specific warnings when a client notices that an onion - handshake has failed. Fixes ticket 9635. - - Add significant new logging code to attempt to diagnose bug 12184, - where relays seem to run out of available circuit IDs. - - Improve the diagnostic log message for bug 8387 even further to - try to improve our odds of figuring out why one-hop directory - circuits sometimes do not get closed. - - o Minor features (security, memory management): - - Memory allocation tricks (mempools and buffer freelists) are now - disabled by default. You can turn them back on with - --enable-mempools and --enable-buf-freelists respectively. We're - disabling these features because malloc performance is good enough - on most platforms, and a similar feature in OpenSSL exacerbated - exploitation of the Heartbleed attack. Resolves ticket 11476. - - o Minor features (build): - - The configure script has a --disable-seccomp option to turn off - support for libseccomp on systems that have it, in case it (or - Tor's use of it) is broken. Resolves ticket 11628. - - o Minor features (transparent proxy, *BSD): - - Support FreeBSD's ipfw firewall interface for TransPort ports on - FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket - 10267; patch from "yurivict". - - Support OpenBSD's divert-to rules with the pf firewall for - transparent proxy ports. To enable it, set "TransProxyType - pf-divert". This allows Tor to run a TransPort transparent proxy - port on OpenBSD 4.4 or later without root privileges. See the - pf.conf(5) manual page for information on configuring pf to use - divert-to rules. Closes ticket 10896; patch from Dana Koch. - - o Minor features (security): - - New --enable-expensive-hardening option to enable security - hardening options that consume nontrivial amounts of CPU and - memory. Right now, this includes AddressSanitizer and UbSan, which - are supported in newer versions of GCC and Clang. Closes ticket - 11477. - - o Minor features (log verbosity): - - Demote the message that we give when a flushing connection times - out for too long from NOTICE to INFO. It was usually meaningless. - Resolves ticket 5286. - - Don't log so many notice-level bootstrapping messages at startup - about downloading descriptors. Previously, we'd log a notice - whenever we learned about more routers. Now, we only log a notice - at every 5% of progress. Fixes bug 9963. - - Warn less verbosely when receiving a malformed - ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279. - - o Minor features (relay): - - If a circuit timed out for at least 3 minutes, check if we have a - new external IP address, and publish a new descriptor with the new - IP address if it changed. Resolves ticket 2454. - - o Minor features (controller): - - Make the entire exit policy available from the control port via - GETINFO exit-policy/*. Implements enhancement 7952. Patch from - "rl1987". - - Because of the fix for ticket 11396, the real limit for memory - usage may no longer match the configured MaxMemInQueues value. The - real limit is now exposed via GETINFO limits/max-mem-in-queues. - o Minor features (bridge client): - Report a more useful failure message when we can't connect to a bridge because we don't have the right pluggable transport configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto. - o Minor features (diagnostic): - - Add more log messages to diagnose bug 7164, which causes - intermittent "microdesc_free() called but md was still referenced" - warnings. We now include more information, to figure out why we - might be cleaning a microdescriptor for being too old if it's - still referenced by a live node_t object. + o Minor features (bridge): + - Add an ExtORPortCookieAuthFileGroupReadable option to make the + cookie file for the ExtORPort g+r by default. o Minor features (bridges, pluggable transports): - Bridges now write the SHA1 digest of their identity key @@ -299,18 +204,6 @@ Changes in version 0.2.5.? - 2014-10-?? - Improve the message that Tor displays when running as a bridge using pluggable transports without an Extended ORPort listener. Also, log the message in the log file too. Resolves ticket 11043. - - o Minor features (other): - - Add a new option, PredictedPortsRelevanceTime, to control how long - after having received a request to connect to a given port Tor - will try to keep circuits ready in anticipation of future requests - for that port. Patch from "unixninja92"; implements ticket 9176. - - Generate a warning if any ports are listed in the SocksPolicy, - DirPolicy, AuthDirReject, AuthDirInvalid, AuthDirBadDir, or - AuthDirBadExit options. (These options only support address - ranges.) Fixes part of ticket 11108. - - o Minor features (bridges, pluggable transports): - Add threshold cutoffs to the networkstatus document created by the Bridge Authority. Fixes bug 1117. - On Windows, spawn background processes using the CREATE_NO_WINDOW @@ -318,6 +211,24 @@ Changes in version 0.2.5.? - 2014-10-?? doesn't pop up a blank console window. (In Tor Browser Bundle 2.x, Vidalia set this option for us.) Implements ticket 10297. + o Minor features (build): + - The configure script has a --disable-seccomp option to turn off + support for libseccomp on systems that have it, in case it (or + Tor's use of it) is broken. Resolves ticket 11628. + - Assume that a user using ./configure --host wants to cross-compile, + and give an error if we cannot find a properly named + tool-chain. Add a --disable-tool-name-check option to proceed + nevertheless. Addresses ticket 9869. Patch by Benedikt Gollatz. + - If we run ./configure and the compiler recognizes -fstack-protector + but the linker rejects it, warn the user about a potentially missing + libssp package. Addresses ticket 9948. Patch from Benedikt Gollatz. + - Add support for `--library-versions` flag. Implements ticket 6384. + - Return the "unexpected sendme" warnings to a warn severity, but make + them rate limited, to help diagnose ticket 8093. + - Detect a missing asciidoc, and warn the user about it, during + configure rather than at build time. Fixes issue 6506. Patch from + Arlo Breault. + o Minor features (config options and command line): - Add an --allow-missing-torrc commandline option that tells Tor to run even if the configuration file specified by -f is not available. @@ -326,41 +237,6 @@ Changes in version 0.2.5.? - 2014-10-?? See documentation for the new TransProxyType option for more details. Implementation by "thomo". Closes ticket 10582. - o Minor features (controller): - - Add a new "HS_DESC" controller event that reports activities - related to hidden service descriptors. Resolves ticket 8510. - - New "DROPGUARDS" controller command to forget all current entry - guards. Not recommended for ordinary use, since replacing guards - too frequently makes several attacks easier. Resolves ticket 9934; - patch from "ra". - - o Minor features (build): - - Assume that a user using ./configure --host wants to cross-compile, - and give an error if we cannot find a properly named - tool-chain. Add a --disable-tool-name-check option to proceed - nevertheless. Addresses ticket 9869. Patch by Benedikt Gollatz. - - If we run ./configure and the compiler recognizes -fstack-protector - but the linker rejects it, warn the user about a potentially missing - libssp package. Addresses ticket 9948. Patch from Benedikt Gollatz. - - o Minor features (testing): - - If Python is installed, "make check" now runs extra tests beyond - the unit test scripts. - - When bootstrapping a test network, sometimes very few relays get - the Guard flag. Now a new option "TestingDirAuthVoteGuard" can - specify a set of relays which should be voted Guard regardless of - their uptime or bandwidth. Addresses ticket 9206. - - o Minor features (log messages): - - When ServerTransportPlugin is set on a bridge, Tor can write more - useful statistics about bridge use in its extrainfo descriptors, - but only if the Extended ORPort ("ExtORPort") is set too. Add a - log message to inform the user in this case. Resolves ticket 9651. - - When receiving a new controller connection, log the origin address. - Resolves ticket 9698; patch from "sigpipe". - - When logging OpenSSL engine status at startup, log the status of - more engines. Fixes ticket 10043; patch from Joshua Datko. - o Minor features (config options): - Config (torrc) lines now handle fingerprints which are missing their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5. @@ -381,15 +257,101 @@ Changes in version 0.2.5.? - 2014-10-?? you can now say "16 kilobits", and so on.) Resolves ticket 9214. Patch by CharlieB. - o Minor features (build): - - Add support for `--library-versions` flag. Implements ticket 6384. - - Return the "unexpected sendme" warnings to a warn severity, but make - them rate limited, to help diagnose ticket 8093. - - Detect a missing asciidoc, and warn the user about it, during - configure rather than at build time. Fixes issue 6506. Patch from - Arlo Breault. + o Minor features (controller): + - Make the entire exit policy available from the control port via + GETINFO exit-policy/*. Implements enhancement 7952. Patch from + "rl1987". + - Because of the fix for ticket 11396, the real limit for memory + usage may no longer match the configured MaxMemInQueues value. The + real limit is now exposed via GETINFO limits/max-mem-in-queues. + - Add a new "HS_DESC" controller event that reports activities + related to hidden service descriptors. Resolves ticket 8510. + - New "DROPGUARDS" controller command to forget all current entry + guards. Not recommended for ordinary use, since replacing guards + too frequently makes several attacks easier. Resolves ticket 9934; + patch from "ra". + + o Minor features (diagnostic): + - When logging a warning because of bug 7164, additionally check the + hash table for consistency (as proposed on ticket 11737). This may + help diagnose bug 7164. + - When we log a heartbeat, log how many one-hop circuits we have + that are at least 30 minutes old, and log status information about + a few of them. This is an attempt to track down bug 8387. + - When encountering an unexpected CR while writing text to a file on + Windows, log the name of the file. Should help diagnosing + bug 11233. + - Give more specific warnings when a client notices that an onion + handshake has failed. Fixes ticket 9635. + - Add significant new logging code to attempt to diagnose bug 12184, + where relays seem to run out of available circuit IDs. + - Improve the diagnostic log message for bug 8387 even further to + try to improve our odds of figuring out why one-hop directory + circuits sometimes do not get closed. + - Add more log messages to diagnose bug 7164, which causes + intermittent "microdesc_free() called but md was still referenced" + warnings. We now include more information, to figure out why we + might be cleaning a microdescriptor for being too old if it's + still referenced by a live node_t object. + + o Minor features (geoip): + - Update geoip and geoip6 to the August 7 2014 Maxmind GeoLite2 + Country database. + + o Minor features (log messages): + - When ServerTransportPlugin is set on a bridge, Tor can write more + useful statistics about bridge use in its extrainfo descriptors, + but only if the Extended ORPort ("ExtORPort") is set too. Add a + log message to inform the user in this case. Resolves ticket 9651. + - When receiving a new controller connection, log the origin address. + Resolves ticket 9698; patch from "sigpipe". + - When logging OpenSSL engine status at startup, log the status of + more engines. Fixes ticket 10043; patch from Joshua Datko. + + o Minor features (log verbosity): + - Demote the message that we give when a flushing connection times + out for too long from NOTICE to INFO. It was usually meaningless. + Resolves ticket 5286. + - Don't log so many notice-level bootstrapping messages at startup + about downloading descriptors. Previously, we'd log a notice + whenever we learned about more routers. Now, we only log a notice + at every 5% of progress. Fixes bug 9963. + - Warn less verbosely when receiving a malformed + ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279. + + o Minor features (relay): + - If a circuit timed out for at least 3 minutes, check if we have a + new external IP address, and publish a new descriptor with the new + IP address if it changed. Resolves ticket 2454. + + o Minor features (testing): + - If Python is installed, "make check" now runs extra tests beyond + the unit test scripts. + - When bootstrapping a test network, sometimes very few relays get + the Guard flag. Now a new option "TestingDirAuthVoteGuard" can + specify a set of relays which should be voted Guard regardless of + their uptime or bandwidth. Addresses ticket 9206. + + o Minor features (transparent proxy, *BSD): + - Support FreeBSD's ipfw firewall interface for TransPort ports on + FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket + 10267; patch from "yurivict". + - Support OpenBSD's divert-to rules with the pf firewall for + transparent proxy ports. To enable it, set "TransProxyType + pf-divert". This allows Tor to run a TransPort transparent proxy + port on OpenBSD 4.4 or later without root privileges. See the + pf.conf(5) manual page for information on configuring pf to use + divert-to rules. Closes ticket 10896; patch from Dana Koch. o Minor features (other): + - Add a new option, PredictedPortsRelevanceTime, to control how long + after having received a request to connect to a given port Tor + will try to keep circuits ready in anticipation of future requests + for that port. Patch from "unixninja92"; implements ticket 9176. + - Generate a warning if any ports are listed in the SocksPolicy, + DirPolicy, AuthDirReject, AuthDirInvalid, AuthDirBadDir, or + AuthDirBadExit options. (These options only support address + ranges.) Fixes part of ticket 11108. - Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking sockets in a single system call. Implements ticket 5129. - Log current accounting state (bytes sent and received + remaining @@ -404,72 +366,29 @@ Changes in version 0.2.5.? - 2014-10-?? handshake performance by about 6% on i386 hosts without nacl. Closes ticket 8109. - - - - - - - - - o Minor bugfixes (logging): - - Downgrade "Unexpected onionskin length after decryption" warning - to a protocol-warn, since there's nothing relay operators can do - about a client that sends them a malformed create cell. Resolves - bug 12996; bugfix on 0.0.6rc1. - - Log more specific warnings when we get an ESTABLISH_RENDEZVOUS - cell on a cannibalized or non-OR circuit. Resolves ticket 12997. - - When logging information about an EXTEND2 or EXTENDED2 cell, log - their names correctly. Fixes part of bug 12700; bugfix - on 0.2.4.8-alpha. - - When logging information about a relay cell whose command we don't - recognize, log its command as an integer. Fixes part of bug 12700; - bugfix on 0.2.1.10-alpha. - - Escape all strings from the directory connection before logging - them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor". - - o Minor bugfixes (compilation): - - In routerlist_assert_ok(), don't take the address of a - routerinfo's cache_info member unless that routerinfo is non-NULL. - Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor". - - Fix a large number of false positive warnings from the clang - analyzer static analysis tool. This should make real warnings - easier for clang analyzer to find. Patch from "teor". Closes - ticket 13036. - o Minor bugfixes: + - Disable the sandbox name resolver cache when running tor-resolve: + tor-resolve doesn't use the sandbox code, and turning it on was + breaking attempts to do tor-resolve on a non-default server on + Linux. Fixes bug 13295; bugfix on 0.2.5.3-alpha. - Compile correctly with builds and forks of OpenSSL (such as LibreSSL) that disable compression. Fixes bug 12602; bugfix on 0.2.1.1-alpha. Patch from "dhill". - - o Minor bugfixes (performance): - - Avoid a bug where every successful connection made us recompute - the flag telling us whether we have sufficient information to - build circuits. Previously, we would forget our cached value - whenever we successfully opened a channel (or marked a router as - running or not running for any other reason), regardless of - whether we had previously believed the router to be running. This - forced us to run an expensive update operation far too often. - Fixes bug 12170; bugfix on 0.1.2.1-alpha. - - Avoid using tor_memeq() for checking relay cell integrity. This - removes a possible performance bottleneck. Fixes part of bug - 12169; bugfix on 0.2.1.31. - - o Minor bugfixes (compilation): - - Resolve GCC complaints on OpenBSD about discarding constness in - TO_{ORIGIN,OR}_CIRCUIT functions. Fixes part of bug 11633; bugfix - on 0.1.1.23. Patch from Dana Koch. - - Resolve clang complaints on OpenBSD with -Wshorten-64-to-32 due to - treatment of long and time_t as comparable types. Fixes part of - bug 11633. Patch from Dana Koch. - - When deciding whether to build the 64-bit curve25519 - implementation, detect platforms where we can compile 128-bit - arithmetic but cannot link it. Fixes bug 11729; bugfix on - 0.2.4.8-alpha. Patch from "conradev". - - Fix compilation when DNS_CACHE_DEBUG is enabled. Fixes bug 11761; - bugfix on 0.2.3.13-alpha. Found by "cypherpunks". - - Fix compilation with dmalloc. Fixes bug 11605; bugfix - on 0.2.4.10-alpha. + - No longer accept malformed http headers when parsing urls from + headers. Now we reply with Bad Request ("400"). Fixes bug 2767; + bugfix on 0.0.6pre1. + - In munge_extrainfo_into_routerinfo(), check the return value of + memchr(). This would have been a serious issue if we ever passed + it a non-extrainfo. Fixes bug 8791; bugfix on 0.2.0.6-alpha. Patch + from Arlo Breault. + - On the chance that somebody manages to build Tor on a + platform where time_t is unsigned, correct the way that + microdesc_add_to_cache() handles negative time arguments. + Fixes bug 8042; bugfix on 0.2.3.1-alpha. + - Reject relative control socket paths and emit a warning. Previously, + single-component control socket paths would be rejected, but Tor + would not log why it could not validate the config. Fixes bug 9258; + bugfix on 0.2.3.16-alpha. o Minor bugfixes (Directory server): - When sending a compressed set of descriptors or microdescriptors, @@ -479,53 +398,52 @@ Changes in version 0.2.5.? - 2014-10-?? finished. This caused problems for decompression tools. Fixes bug 11648; bugfix on 0.1.1.23. - o Minor bugfixes (pluggable transports): - - Avoid another 60-second delay when starting Tor in a pluggable- - transport-using configuration when we already have cached - descriptors for our bridges. Fixes bug 11965; bugfix - on 0.2.3.6-alpha. + o Minor bugfixes (bridge client): + - Stop accepting bridge lines containing hostnames. Doing so would + cause clients to perform DNS requests on the hostnames, which was + not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. + + o Minor bugfixes (bridges): + - Avoid potential crashes or bad behavior when launching a + server-side managed proxy with ORPort or ExtORPort temporarily + disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha. + - Fix a bug where the first connection works to a bridge that uses a + pluggable transport with client-side parameters, but we don't send + the client-side parameters on subsequent connections. (We don't + use any pluggable transports with client-side parameters yet, + but ScrambleSuit will soon become the first one.) Fixes bug 9162; + bugfix on 0.2.0.3-alpha. Based on a patch from "rl1987". + + o Minor bugfixes (build): + - Restore the ability to compile Tor with V2_HANDSHAKE_SERVER + turned off (that is, without support for v2 link handshakes). Fixes + bug 4677; bugfix on 0.2.3.2-alpha. Patch from "piet". o Minor bugfixes (client): - Avoid "Tried to open a socket with DisableNetwork set" warnings when starting a client with bridges configured and DisableNetwork set. (Tor launcher starts Tor with DisableNetwork set the first time it runs.) Fixes bug 10405; bugfix on 0.2.3.9-alpha. - - o Minor bugfixes (testing): - - Fix all valgrind warnings produced by the unit tests. There were - over a thousand memory leak warnings previously, mostly produced - by forgetting to free things in the unit test code. Fixes bug - 11618, bugfixes on many versions of Tor. - - o Minor bugfixes (tor-fw-helper): - - Give a correct log message when tor-fw-helper fails to launch. - (Previously, we would say something like "tor-fw-helper sent us a - string we could not parse".) Fixes bug 9781; bugfix - on 0.2.4.2-alpha. - - o Minor bugfixes (relay, threading): - - Check return code on spawn_func() in cpuworker code, so that we - don't think we've spawned a nonworking cpuworker and write junk to - it forever. Fix related to bug 4345; bugfix on all released Tor - versions. Found by "skruffy". - - Use a pthread_attr to make sure that spawn_func() cannot return an - error while at the same time launching a thread. Fix related to - bug 4345; bugfix on all released Tor versions. Reported - by "cypherpunks". - - o Minor bugfixes (relay, other): - - We now drop CREATE cells for already-existent circuit IDs and for - zero-valued circuit IDs, regardless of other factors that might - otherwise have called for DESTROY cells. Fixes bug 12191; bugfix - on 0.0.8pre1. - - When rejecting DATA cells for stream_id zero, still count them - against the circuit's deliver window so that we don't fail to send - a SENDME. Fixes bug 11246; bugfix on 0.2.4.10-alpha. - - o Minor bugfixes (logging): - - Squelch a spurious LD_BUG message "No origin circuit for - successful SOCKS stream" in certain hidden service failure cases; - fixes bug 10616. + - Improve the log message when we can't connect to a hidden service + because all of the hidden service directory nodes hosting its + descriptor are excluded. Improves on our fix for bug 10722, which + was a bugfix on 0.2.0.10-alpha. + - Raise a control port warning when we fail to connect to all of + our bridges. Previously, we didn't inform the controller, and + the bootstrap process would stall. Fixes bug 11069; bugfix on + 0.2.1.2-alpha. + - Exit immediately when a process-owning controller exits. + Previously, tor relays would wait for a little while after their + controller exited, as if they had gotten an INT signal -- but this + was problematic, since there was no feedback for the user. To do a + clean shutdown, controllers should send an INT signal and give Tor + a chance to clean up. Fixes bug 10449; bugfix on 0.2.2.28-beta. + - Stop attempting to connect to bridges before our pluggable + transports are configured (harmless but resulted in some erroneous + log messages). Fixes bug 11156; bugfix on 0.2.3.2-alpha. + - Fix connections to IPv6 addresses over SOCKS5. Previously, we were + generating incorrect SOCKS5 responses, and confusing client + applications. Fixes bug 10987; bugfix on 0.2.4.7-alpha. o Minor bugfixes (client, DNSPort): - When using DNSPort, try to respond to AAAA requests with AAAA @@ -538,11 +456,6 @@ Changes in version 0.2.5.? - 2014-10-?? hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from "epoch". - o Minor bugfixes (bridge client): - - Stop accepting bridge lines containing hostnames. Doing so would - cause clients to perform DNS requests on the hostnames, which was - not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. - o Minor bugfixes (client, logging during bootstrap): - Only report the first fatal bootstrap error on a given OR connection. This stops us from telling the controller bogus error @@ -562,31 +475,94 @@ Changes in version 0.2.5.? - 2014-10-?? out from under the channel layer. Fixes bug 11306; bugfix on 0.2.4.4-alpha. - o Minor bugfixes (bridges): - - Avoid potential crashes or bad behavior when launching a - server-side managed proxy with ORPort or ExtORPort temporarily - disabled. Fixes bug 9650; bugfix on 0.2.3.16-alpha. + o Minor bugfixes (code correctness): + - Previously we used two temporary files when writing descriptors to + disk; now we only use one. Fixes bug 1376. + - Remove an erroneous (but impossible and thus harmless) pointer + comparison that would have allowed compilers to skip a bounds + check in channeltls.c. Fixes bugs 10313 and 9980; bugfix on + 0.2.0.10-alpha. Noticed by Jared L Wong and David Fifield. + - Fix an always-true assertion in pluggable transports code so it + actually checks what it was trying to check. Fixes bug 10046; + bugfix on 0.2.3.9-alpha. Found by "dcb". - o Minor bugfixes (platform-specific): - - When dumping a malformed directory object to disk, save it in - binary mode on Windows, not text mode. Fixes bug 11342; bugfix on - 0.2.2.1-alpha. - - Don't report failures from make_socket_reuseable() on incoming - sockets on OSX: this can happen when incoming connections close - early. Fixes bug 10081. + o Minor bugfixes (command line): + - Use a single command-line parser for parsing torrc options on the + command line and for finding special command-line options to avoid + inconsistent behavior for torrc option arguments that have the same + names as command-line options. Fixes bugs 4647 and 9578; bugfix on + 0.0.9pre5. + - No longer allow 'tor --hash-password' with no arguments. Fixes bug + 9573; bugfix on 0.0.9pre5. - o Minor bugfixes (trivial memory leaks): - - Fix a small memory leak when signing a directory object. Fixes bug - 11275; bugfix on 0.2.4.13-alpha. - - Resolve some memory leaks found by coverity in the unit tests, on - exit in tor-gencert, and on a failure to compute digests for our - own keys when generating a v3 networkstatus vote. These leaks - should never have affected anyone in practice. + o Minor bugfixes (compilation): + - In routerlist_assert_ok(), don't take the address of a + routerinfo's cache_info member unless that routerinfo is non-NULL. + Fixes bug 13096; bugfix on 0.1.1.9-alpha. Patch by "teor". + - Fix a large number of false positive warnings from the clang + analyzer static analysis tool. This should make real warnings + easier for clang analyzer to find. Patch from "teor". Closes + ticket 13036. + - Resolve GCC complaints on OpenBSD about discarding constness in + TO_{ORIGIN,OR}_CIRCUIT functions. Fixes part of bug 11633; bugfix + on 0.1.1.23. Patch from Dana Koch. + - Resolve clang complaints on OpenBSD with -Wshorten-64-to-32 due to + treatment of long and time_t as comparable types. Fixes part of + bug 11633. Patch from Dana Koch. + - When deciding whether to build the 64-bit curve25519 + implementation, detect platforms where we can compile 128-bit + arithmetic but cannot link it. Fixes bug 11729; bugfix on + 0.2.4.8-alpha. Patch from "conradev". + - Fix compilation when DNS_CACHE_DEBUG is enabled. Fixes bug 11761; + bugfix on 0.2.3.13-alpha. Found by "cypherpunks". + - Fix compilation with dmalloc. Fixes bug 11605; bugfix + on 0.2.4.10-alpha. + + o Minor bugfixes (controller and command-line): + - If changing a config option via "setconf" fails in a recoverable + way, we used to nonetheless write our new control ports to the + file described by the "ControlPortWriteToFile" option. Now we only + write out that file if we successfully switch to the new config + option. Fixes bug 5605; bugfix on 0.2.2.26-beta. Patch from "Ryman". o Minor bugfixes (hidden service): - Only retry attempts to connect to a chosen rendezvous point 8 times, not 30. Fixes bug 4241; bugfix on 0.1.0.1-rc. + o Minor bugfixes (log messages): + - Fix a bug where clients using bridges would report themselves + as 50% bootstrapped even without a live consensus document. + Fixes bug 9922; bugfix on 0.2.1.1-alpha. + - Suppress a warning where, if there's only one directory authority + in the network, we would complain that votes and signatures cannot + be uploaded to other directory authorities. Fixes bug 10842; + bugfix on 0.2.2.26-beta. + - Report bootstrapping progress correctly when we're downloading + microdescriptors. We had updated our "do we have enough microdescs + to begin building circuits?" logic most recently in 0.2.4.10-alpha + (see bug 5956), but we left the bootstrap status event logic at + "how far through getting 1/4 of them are we?" Fixes bug 9958; + bugfix on 0.2.2.36, which is where they diverged (see bug 5343). + + o Minor bugfixes (logging): + - Downgrade "Unexpected onionskin length after decryption" warning + to a protocol-warn, since there's nothing relay operators can do + about a client that sends them a malformed create cell. Resolves + bug 12996; bugfix on 0.0.6rc1. + - Log more specific warnings when we get an ESTABLISH_RENDEZVOUS + cell on a cannibalized or non-OR circuit. Resolves ticket 12997. + - When logging information about an EXTEND2 or EXTENDED2 cell, log + their names correctly. Fixes part of bug 12700; bugfix + on 0.2.4.8-alpha. + - When logging information about a relay cell whose command we don't + recognize, log its command as an integer. Fixes part of bug 12700; + bugfix on 0.2.1.10-alpha. + - Escape all strings from the directory connection before logging + them. Fixes bug 13071; bugfix on 0.1.1.15. Patch from "teor". + - Squelch a spurious LD_BUG message "No origin circuit for + successful SOCKS stream" in certain hidden service failure cases; + fixes bug 10616. + o Minor bugfixes (misc code correctness): - Fix various instances of undefined behavior in channeltls.c, tor_memmem(), and eventdns.c that would cause us to construct @@ -612,48 +588,6 @@ Changes in version 0.2.5.? - 2014-10-?? from the rest of the program. Fixes bug 8793; bugfixes on many, many tor versions. - o Minor bugfixes (client): - - Improve the log message when we can't connect to a hidden service - because all of the hidden service directory nodes hosting its - descriptor are excluded. Improves on our fix for bug 10722, which - was a bugfix on 0.2.0.10-alpha. - - Raise a control port warning when we fail to connect to all of - our bridges. Previously, we didn't inform the controller, and - the bootstrap process would stall. Fixes bug 11069; bugfix on - 0.2.1.2-alpha. - - Exit immediately when a process-owning controller exits. - Previously, tor relays would wait for a little while after their - controller exited, as if they had gotten an INT signal -- but this - was problematic, since there was no feedback for the user. To do a - clean shutdown, controllers should send an INT signal and give Tor - a chance to clean up. Fixes bug 10449; bugfix on 0.2.2.28-beta. - - Stop attempting to connect to bridges before our pluggable - transports are configured (harmless but resulted in some erroneous - log messages). Fixes bug 11156; bugfix on 0.2.3.2-alpha. - - Fix connections to IPv6 addresses over SOCKS5. Previously, we were - generating incorrect SOCKS5 responses, and confusing client - applications. Fixes bug 10987; bugfix on 0.2.4.7-alpha. - - o Minor bugfixes (relays and bridges): - - Avoid crashing on a malformed resolv.conf file when running a - relay using Libevent 1. Fixes bug 8788; bugfix on 0.1.1.23. - - Non-exit relays no longer launch mock DNS requests to check for - DNS hijacking. This has been unnecessary since 0.2.1.7-alpha, when - non-exit relays stopped servicing DNS requests. Fixes bug 965; - bugfix on 0.2.1.7-alpha. Patch from Matt Pagan. - - Bridges now report complete directory request statistics. Related - to bug 5824; bugfix on 0.2.2.1-alpha. - - Bridges now never collect statistics that were designed for - relays. Fixes bug 5824; bugfix on 0.2.3.8-alpha. - - o Minor bugfixes (bridges): - - Fix a bug where the first connection works to a bridge that uses a - pluggable transport with client-side parameters, but we don't send - the client-side parameters on subsequent connections. (We don't - use any pluggable transports with client-side parameters yet, - but ScrambleSuit will soon become the first one.) Fixes bug 9162; - bugfix on 0.2.0.3-alpha. Based on a patch from "rl1987". - o Minor bugfixes (node selection): - If ExcludeNodes is set, consider non-excluded hidden service directory servers before excluded ones. Do not consider excluded @@ -667,23 +601,32 @@ Changes in version 0.2.5.? - 2014-10-?? bootstrap so long as ExitNodes includes nodes which can exit to some port. Fixes bug 10543; bugfix on 0.2.4.10-alpha. - o Minor bugfixes (controller and command-line): - - If changing a config option via "setconf" fails in a recoverable - way, we used to nonetheless write our new control ports to the - file described by the "ControlPortWriteToFile" option. Now we only - write out that file if we successfully switch to the new config - option. Fixes bug 5605; bugfix on 0.2.2.26-beta. Patch from "Ryman". + o Minor bugfixes (performance): + - Avoid a bug where every successful connection made us recompute + the flag telling us whether we have sufficient information to + build circuits. Previously, we would forget our cached value + whenever we successfully opened a channel (or marked a router as + running or not running for any other reason), regardless of + whether we had previously believed the router to be running. This + forced us to run an expensive update operation far too often. + Fixes bug 12170; bugfix on 0.1.2.1-alpha. + - Avoid using tor_memeq() for checking relay cell integrity. This + removes a possible performance bottleneck. Fixes part of bug + 12169; bugfix on 0.2.1.31. - o Minor bugfixes (code correctness): - - Previously we used two temporary files when writing descriptors to - disk; now we only use one. Fixes bug 1376. - - Remove an erroneous (but impossible and thus harmless) pointer - comparison that would have allowed compilers to skip a bounds - check in channeltls.c. Fixes bugs 10313 and 9980; bugfix on - 0.2.0.10-alpha. Noticed by Jared L Wong and David Fifield. - - Fix an always-true assertion in pluggable transports code so it - actually checks what it was trying to check. Fixes bug 10046; - bugfix on 0.2.3.9-alpha. Found by "dcb". + o Minor bugfixes (platform-specific): + - When dumping a malformed directory object to disk, save it in + binary mode on Windows, not text mode. Fixes bug 11342; bugfix on + 0.2.2.1-alpha. + - Don't report failures from make_socket_reuseable() on incoming + sockets on OSX: this can happen when incoming connections close + early. Fixes bug 10081. + + o Minor bugfixes (pluggable transports): + - Avoid another 60-second delay when starting Tor in a pluggable- + transport-using configuration when we already have cached + descriptors for our bridges. Fixes bug 11965; bugfix + on 0.2.3.6-alpha. o Minor bugfixes (protocol correctness): - When receiving a VERSIONS cell with an odd number of bytes, close @@ -691,51 +634,56 @@ Changes in version 0.2.5.? - 2014-10-?? 10365; bugfix on 0.2.0.10-alpha. Spotted by "bobnomnom"; fix by "rl1987". - o Minor bugfixes (build): - - Restore the ability to compile Tor with V2_HANDSHAKE_SERVER - turned off (that is, without support for v2 link handshakes). Fixes - bug 4677; bugfix on 0.2.3.2-alpha. Patch from "piet". + o Minor bugfixes (relay, other): + - We now drop CREATE cells for already-existent circuit IDs and for + zero-valued circuit IDs, regardless of other factors that might + otherwise have called for DESTROY cells. Fixes bug 12191; bugfix + on 0.0.8pre1. + - When rejecting DATA cells for stream_id zero, still count them + against the circuit's deliver window so that we don't fail to send + a SENDME. Fixes bug 11246; bugfix on 0.2.4.10-alpha. - o Minor bugfixes (log messages): - - Fix a bug where clients using bridges would report themselves - as 50% bootstrapped even without a live consensus document. - Fixes bug 9922; bugfix on 0.2.1.1-alpha. - - Suppress a warning where, if there's only one directory authority - in the network, we would complain that votes and signatures cannot - be uploaded to other directory authorities. Fixes bug 10842; - bugfix on 0.2.2.26-beta. - - Report bootstrapping progress correctly when we're downloading - microdescriptors. We had updated our "do we have enough microdescs - to begin building circuits?" logic most recently in 0.2.4.10-alpha - (see bug 5956), but we left the bootstrap status event logic at - "how far through getting 1/4 of them are we?" Fixes bug 9958; - bugfix on 0.2.2.36, which is where they diverged (see bug 5343). + o Minor bugfixes (relay, threading): + - Check return code on spawn_func() in cpuworker code, so that we + don't think we've spawned a nonworking cpuworker and write junk to + it forever. Fix related to bug 4345; bugfix on all released Tor + versions. Found by "skruffy". + - Use a pthread_attr to make sure that spawn_func() cannot return an + error while at the same time launching a thread. Fix related to + bug 4345; bugfix on all released Tor versions. Reported + by "cypherpunks". - o Minor bugfixes: - - No longer accept malformed http headers when parsing urls from - headers. Now we reply with Bad Request ("400"). Fixes bug 2767; - bugfix on 0.0.6pre1. - - In munge_extrainfo_into_routerinfo(), check the return value of - memchr(). This would have been a serious issue if we ever passed - it a non-extrainfo. Fixes bug 8791; bugfix on 0.2.0.6-alpha. Patch - from Arlo Breault. - - On the chance that somebody manages to build Tor on a - platform where time_t is unsigned, correct the way that - microdesc_add_to_cache() handles negative time arguments. - Fixes bug 8042; bugfix on 0.2.3.1-alpha. - - Reject relative control socket paths and emit a warning. Previously, - single-component control socket paths would be rejected, but Tor - would not log why it could not validate the config. Fixes bug 9258; - bugfix on 0.2.3.16-alpha. + o Minor bugfixes (relays and bridges): + - Avoid crashing on a malformed resolv.conf file when running a + relay using Libevent 1. Fixes bug 8788; bugfix on 0.1.1.23. + - Non-exit relays no longer launch mock DNS requests to check for + DNS hijacking. This has been unnecessary since 0.2.1.7-alpha, when + non-exit relays stopped servicing DNS requests. Fixes bug 965; + bugfix on 0.2.1.7-alpha. Patch from Matt Pagan. + - Bridges now report complete directory request statistics. Related + to bug 5824; bugfix on 0.2.2.1-alpha. + - Bridges now never collect statistics that were designed for + relays. Fixes bug 5824; bugfix on 0.2.3.8-alpha. - o Minor bugfixes (command line): - - Use a single command-line parser for parsing torrc options on the - command line and for finding special command-line options to avoid - inconsistent behavior for torrc option arguments that have the same - names as command-line options. Fixes bugs 4647 and 9578; bugfix on - 0.0.9pre5. - - No longer allow 'tor --hash-password' with no arguments. Fixes bug - 9573; bugfix on 0.0.9pre5. + o Minor bugfixes (testing): + - Fix all valgrind warnings produced by the unit tests. There were + over a thousand memory leak warnings previously, mostly produced + by forgetting to free things in the unit test code. Fixes bug + 11618, bugfixes on many versions of Tor. + + o Minor bugfixes (tor-fw-helper): + - Give a correct log message when tor-fw-helper fails to launch. + (Previously, we would say something like "tor-fw-helper sent us a + string we could not parse".) Fixes bug 9781; bugfix + on 0.2.4.2-alpha. + + o Minor bugfixes (trivial memory leaks): + - Fix a small memory leak when signing a directory object. Fixes bug + 11275; bugfix on 0.2.4.13-alpha. + - Resolve some memory leaks found by coverity in the unit tests, on + exit in tor-gencert, and on a failure to compute digests for our + own keys when generating a v3 networkstatus vote. These leaks + should never have affected anyone in practice. o Minor fixes (build, auxiliary programs): - Stop preprocessing the "torify" script with autoconf, since @@ -747,87 +695,6 @@ Changes in version 0.2.5.? - 2014-10-?? - Corrected ./configure advice for what openssl dev package you should install on Debian. Fixes bug 9207; bugfix on 0.2.0.1-alpha. - - - - - - o Documentation: - - Adjust the URLs in the README to refer to the new locations of - several documents on the website. Fixes bug 12830. Patch from - Matt Pagan. - - Document 'reject6' and 'accept6' ExitPolicy entries. Resolves - ticket 12878. - - o Documentation: - - Clean up several option names in the manpage to match their real - names, add the missing documentation for a couple of testing and - directory authority options, remove the documentation for a - V2-directory fetching option that no longer exists. Resolves - ticket 11634. - - Correct the documenation so that it lists the correct directory - for the stats files. (They are in a subdirectory called "stats", - not "status".) - - In the manpage, move more authority-only options into the - directory authority section so that operators of regular directory - caches don't get confused. - - o Documentation: - - Fix the layout of the SOCKSPort flags in the manpage. Fixes bug - 11061; bugfix on 0.2.4.7-alpha. - - Resolve warnings from Doxygen. - - o Documentation: - - Document in the manpage that "KBytes" may also be written as - "kilobytes" or "KB", that "Kbits" may also be written as - "kilobits", and so forth. Closes ticket 9222. - - Document that the ClientOnly config option overrides ORPort. - Our old explanation made ClientOnly sound as though it did - nothing at all. Resolves bug 9059. - - Explain that SocksPolicy, DirPolicy, and similar options don't - take port arguments. Fixes the other part of ticket 11108. - - Fix a comment about the rend_server_descriptor_t.protocols field - to more accurately describe its range. Also, make that field - unsigned, to more accurately reflect its usage. Fixes bug 9099; - bugfix on 0.2.1.5-alpha. - - Fix the manpage's description of HiddenServiceAuthorizeClient: - the maximum client name length is 16, not 19. Fixes bug 11118; - bugfix on 0.2.1.6-alpha. - - o Documentation (man page) fixes: - - Update manpage to describe some of the files you can expect to - find in Tor's DataDirectory. Addresses ticket 9839. - - - - - - - - - - - o Code simplifications and refactoring: - - Remove constants and tests for PKCS1 padding; it's insecure and - shouldn't be used for anything new. Fixes bug 8792; patch - from Arlo Breault. - - Remove instances of strcpy() from the unit tests. They weren't - hurting anything, since they were only in the unit tests, but it's - embarassing to have strcpy() in the code at all, and some analysis - tools don't like it. Fixes bug 8790; bugfix on 0.2.3.6-alpha and - 0.2.3.8-alpha. Patch from Arlo Breault. - - o Code simplifications and refactoring: - - Remove is_internal_IP() function. Resolves ticket 4645. - - Remove unused function circuit_dump_by_chan from circuitlist.c. - Closes issue 9107; patch from "marek". - - Change our use of the ENUM_BF macro to avoid declarations that - confuse Doxygen. - - o Code simplifications and refactoring: - - Get rid of router->address, since in all cases it was just the - string representation of router->addr. Resolves ticket 5528. - o Code simplification and refactoring: - Remove some old fallback code designed to keep Tor clients working in a network with only two working relays. Elsewhere in the code we @@ -835,8 +702,6 @@ Changes in version 0.2.5.? - 2014-10-?? much point in keeping it around. Addresses ticket 9926. - Reject 0-length EXTEND2 cells more explicitly. Fixes bug 10536; bugfix on 0.2.4.8-alpha. Reported by "cypherpunks". - - o Code simplification and refactoring: - Extract the common duplicated code for creating a subdirectory of the data directory and writing to a file in it. Fixes ticket 4282; patch from Peter Retzlaff. @@ -853,21 +718,27 @@ Changes in version 0.2.5.? - 2014-10-?? Resolves ticket 9108. Patch from Marek Majkowski. - Remove contrib/id_to_fp.c since it wasn't used anywhere. + o Code simplifications and refactoring: + - Remove constants and tests for PKCS1 padding; it's insecure and + shouldn't be used for anything new. Fixes bug 8792; patch + from Arlo Breault. + - Remove instances of strcpy() from the unit tests. They weren't + hurting anything, since they were only in the unit tests, but it's + embarassing to have strcpy() in the code at all, and some analysis + tools don't like it. Fixes bug 8790; bugfix on 0.2.3.6-alpha and + 0.2.3.8-alpha. Patch from Arlo Breault. + - Remove is_internal_IP() function. Resolves ticket 4645. + - Remove unused function circuit_dump_by_chan from circuitlist.c. + Closes issue 9107; patch from "marek". + - Change our use of the ENUM_BF macro to avoid declarations that + confuse Doxygen. + - Get rid of router->address, since in all cases it was just the + string representation of router->addr. Resolves ticket 5528. - - - - o Distribution (systemd): - - Verify configuration file via ExecStartPre in the systemd unit - file. Patch from intrigeri; resolves ticket 12730. - - Explicitly disable RunAsDaemon in the systemd unit file. Our - current systemd unit uses "Type = simple", so systemd does not - expect tor to fork. If the user has "RunAsDaemon 1" in their - torrc, then things won't work as expected. This is e.g. the case - on Debian (and derivatives), since there we pass "--defaults-torrc - /usr/share/tor/tor-service-defaults-torrc" (that contains - "RunAsDaemon 1") by default. Patch by intrigeri; resolves - ticket 12731. + o Compilation fixes: + - Build and run correctly on systems like OpenBSD-current that have + patched OpenSSL to remove get_cipher_by_char and/or its + implementations. Fixes issue 13325. o Distribution: - Include a tor.service file in contrib/dist for use with systemd. @@ -875,6 +746,46 @@ Changes in version 0.2.5.? - 2014-10-?? others will need to tweak it, or write their own. Patch from Jamie Nguyen; resolves ticket 8368. + o Documentation: + - Adjust the URLs in the README to refer to the new locations of + several documents on the website. Fixes bug 12830. Patch from + Matt Pagan. + - Document 'reject6' and 'accept6' ExitPolicy entries. Resolves + ticket 12878. + - Clean up several option names in the manpage to match their real + names, add the missing documentation for a couple of testing and + directory authority options, remove the documentation for a + V2-directory fetching option that no longer exists. Resolves + ticket 11634. + - Correct the documenation so that it lists the correct directory + for the stats files. (They are in a subdirectory called "stats", + not "status".) + - In the manpage, move more authority-only options into the + directory authority section so that operators of regular directory + caches don't get confused. + - Fix the layout of the SOCKSPort flags in the manpage. Fixes bug + 11061; bugfix on 0.2.4.7-alpha. + - Resolve warnings from Doxygen. + - Document in the manpage that "KBytes" may also be written as + "kilobytes" or "KB", that "Kbits" may also be written as + "kilobits", and so forth. Closes ticket 9222. + - Document that the ClientOnly config option overrides ORPort. + Our old explanation made ClientOnly sound as though it did + nothing at all. Resolves bug 9059. + - Explain that SocksPolicy, DirPolicy, and similar options don't + take port arguments. Fixes the other part of ticket 11108. + - Fix a comment about the rend_server_descriptor_t.protocols field + to more accurately describe its range. Also, make that field + unsigned, to more accurately reflect its usage. Fixes bug 9099; + bugfix on 0.2.1.5-alpha. + - Fix the manpage's description of HiddenServiceAuthorizeClient: + the maximum client name length is 16, not 19. Fixes bug 11118; + bugfix on 0.2.1.6-alpha. + + o Downgraded warnings: + - Downgrade the severity of the 'unexpected sendme cell from client' + from 'warn' to 'protocol warning'. Closes ticket 8093. + o Package cleanup: - The contrib directory has been sorted and tidied. Before, it was an unsorted dumping ground for useful and not-so-useful things. @@ -882,27 +793,6 @@ Changes in version 0.2.5.? - 2014-10-?? seemed to be nonfunctional or useless have been removed. Resolves ticket 8966; based on patches from "rl1987". - - - - - - - o Removed code: - - Remove /tor/dbg-stability.txt URL that was meant to help debug WFU - and MTBF calculations, but that nobody was using. Fixes bug 11742. - - The TunnelDirConns and PreferTunnelledDirConns options no longer - exist; tunneled directory connections have been available since - 0.1.2.5-alpha, and turning them off is not a good idea. This is a - brute-force fix for 10849, where "TunnelDirConns 0" would break - hidden services. - o Removed code: - - Remove all code for the long unused v1 directory protocol. - Resolves ticket 11070. - o Removed code: - - Remove all remaining code related to version-0 hidden service - descriptors: they have not been in use since 0.2.2.1-alpha. Fixes - the rest of bug 10841. o Removed code and features: - Clients now reject any directory authority certificates lacking a dir-key-crosscert element. These have been included since @@ -917,16 +807,27 @@ Changes in version 0.2.5.? - 2014-10-?? authorities since 0.2.2.1-alpha, when we stopped uploading or downloading v0 hidden service descriptors. Fixes bug 10881; also part of a fix for bug 10841. + + o Removed code: + - Remove /tor/dbg-stability.txt URL that was meant to help debug WFU + and MTBF calculations, but that nobody was using. Fixes bug 11742. + - The TunnelDirConns and PreferTunnelledDirConns options no longer + exist; tunneled directory connections have been available since + 0.1.2.5-alpha, and turning them off is not a good idea. This is a + brute-force fix for 10849, where "TunnelDirConns 0" would break + hidden services. + - Remove all code for the long unused v1 directory protocol. + Resolves ticket 11070. + - Remove all remaining code related to version-0 hidden service + descriptors: they have not been in use since 0.2.2.1-alpha. Fixes + the rest of bug 10841. + o Removed features: - Remove migration code from when we renamed the "cached-routers" file to "cached-descriptors" back in 0.2.0.8-alpha. This incidentally resolves ticket 6502 by cleaning up the related code a bit. Patch from Akshay Hebbar. - - - - o Test infrastructure: - Tor now builds each source file in two modes: a mode that avoids exposing identifiers needlessly, and another mode that exposes @@ -959,27 +860,27 @@ Changes in version 0.2.5.? - 2014-10-?? - Unit tests for failing cases of the TAP onion handshake. - More unit tests for address-manipulation functions. - - - - - - - - This release marks end-of-life for Tor 0.2.2.x; those Tor versions - have accumulated many known flaws; everyone should upgrade. - - o Deprecated versions: - - Tor 0.2.2.x has reached end-of-life; it has received no patches or - attention for some while. Directory authorities no longer accept - descriptors from relays running any version of Tor prior to Tor - 0.2.3.16-alpha. Resolves ticket 11149. - o Tool changes: - Make the "tor-gencert" tool used by directory authority operators create 2048-bit signing keys by default (rather than 1024-bit, since 1024-bit is uncomfortably small these days). Addresses ticket 10324. + o Distribution (systemd): + - Verify configuration file via ExecStartPre in the systemd unit + file. Patch from intrigeri; resolves ticket 12730. + - Explicitly disable RunAsDaemon in the systemd unit file. Our + current systemd unit uses "Type = simple", so systemd does not + expect tor to fork. If the user has "RunAsDaemon 1" in their + torrc, then things won't work as expected. This is e.g. the case + on Debian (and derivatives), since there we pass "--defaults-torrc + /usr/share/tor/tor-service-defaults-torrc" (that contains + "RunAsDaemon 1") by default. Patch by intrigeri; resolves + ticket 12731. + + o Documentation (man page) fixes: + - Update manpage to describe some of the files you can expect to + find in Tor's DataDirectory. Addresses ticket 9839. + Changes in version 0.2.4.24 - 2014-09-22 Tor 0.2.4.24 fixes a bug that affects consistency and speed when