Begin an 0.2.6.11 changelog

To build this changelog, I've gone through the entries in
release-0.2.6's changes subdirectory, and looked up the ChangeLog
entry for each.  I have not sorted them yet.

ChangeLog

@@ -1,3 +1,114 @@
+Changes in version 0.2.6.11 - 2017-03-??
+  Tor 0.2.6.11 backports a number of security fixes from later Tor
+  releases.  Anybody running Tor 0.2.6.10 or earlier should upgrade to
+  this release, if for some reason they cannot upgrade to a later
+  release series.
+
+  Note that support for Tor 0.2.6.x is ending next year: we will not issue
+  any fixes for the Tor 0.2.6.x series after 1 August 2017.  If you need
+  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
+
+  o Directory authority changes (backport from 0.2.8.5-rc):
+    - Urras is no longer a directory authority. Closes ticket 19271.
+
+  o Directory authority changes (backport from 0.2.9.2-alpha):
+    - The "Tonga" bridge authority has been retired; the new bridge
+      authority is "Bifroest". Closes tickets 19728 and 19690.
+
+  o Directory authority key updates (backport from 0.2.8.1-alpha):
+    - Update the V3 identity key for the dannenberg directory authority:
+      it was changed on 18 November 2015. Closes task 17906. Patch
+      by "teor".
+
+  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
+    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
+      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
+
+  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
+    - Make Tor survive errors involving connections without a
+      corresponding event object. Previously we'd fail with an
+      assertion; now we produce a log message. Related to bug 16248.
+
+  o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
+    - Fix an error that could cause us to read 4 bytes before the
+      beginning of an openssl string. This bug could be used to cause
+      Tor to crash on systems with unusual malloc implementations, or
+      systems with unusual hardening installed. Fixes bug 17404; bugfix
+      on 0.2.3.6-alpha.
+
+  o Major bugfixes (guard selection, backport from 0.2.7.6):
+    - Actually look at the Guard flag when selecting a new directory
+      guard. When we implemented the directory guard design, we
+      accidentally started treating all relays as if they have the Guard
+      flag during guard selection, leading to weaker anonymity and worse
+      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
+      by Mohsen Imani.
+
+  o Minor bugfixes (compilation, backport from 0.2.7.6)
+    - Fix a compilation warning with Clang 3.6: Do not check the
+      presence of an address which can never be NULL. Fixes bug 17781.
+
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+      Country database.
+
+  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
+    - Make memwipe() do nothing when passed a NULL pointer or buffer of
+      zero size. Check size argument to memwipe() for underflow. Fixes
+      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
+      patch by "teor".
+
+  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
+    - Avoid a difficult-to-trigger heap corruption attack when extending
+      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
+      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
+      Reported by Guido Vranken.
+
+  o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
+    - Stop a crash that could occur when a client running with DNSPort
+      received a query with multiple address types, and the first
+      address type was not supported. Found and fixed by Scott Dial.
+      Fixes bug 18710; bugfix on 0.2.5.4-alpha.
+
+  o Major features (security fixes, backport from 0.2.9.4-alpha):
+    - Prevent a class of security bugs caused by treating the contents
+      of a buffer chunk as if they were a NUL-terminated string. At
+      least one such bug seems to be present in all currently used
+      versions of Tor, and would allow an attacker to remotely crash
+      most Tor instances, especially those compiled with extra compiler
+      hardening. With this defense in place, such bugs can't crash Tor,
+      though we should still fix them as they occur. Closes ticket
+      20384 (TROVE-2016-10-001).
+
+  o Major bugfixes (parsing, security, backport from 0.2.9.8):
+    - Fix a bug in parsing that could cause clients to read a single
+      byte past the end of an allocated region. This bug could be used
+      to cause hardened clients (built with --enable-expensive-hardening)
+      to crash if they tried to visit a hostile hidden service. Non-
+      hardened clients are only affected depending on the details of
+      their platform's memory allocator. Fixes bug 21018; bugfix on
+      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
+      2016-12-002 and as CVE-2016-1254.
+
+  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
+    - If OpenSSL fails to generate an RSA key, do not retain a dangling
+      pointer to the previous (uninitialized) key value. The impact here
+      should be limited to a difficult-to-trigger crash, if OpenSSL is
+      running an engine that makes key generation failures possible, or
+      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
+      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
+      Baishakhi Ray.
+
+  o Major bugfixes (parsing, also in 0.3.0.4-rc):
+    - Fix an integer underflow bug when comparing malformed Tor versions.
+      This bug is harmless, except when Tor has been built with
+      --enable-expensive-hardening, which would turn it into a crash;
+      or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with
+      -ftrapv by default.
+      Part of TROVE-2017-001. Fixes bug 21278; bugfix on
+      0.0.8pre1. Found by OSS-Fuzz.
+
+
 Changes in version 0.2.6.10 - 2015-07-12
   Tor version 0.2.6.10 fixes some significant stability and hidden
   service client bugs, bulletproofs the cryptography init process, and

changes/19271

@@ -1,2 +0,0 @@
-  o Directory authority changes:
-    - Urras is no longer a directory authority. Closes ticket 19271.

changes/bifroest

@@ -1,3 +0,0 @@
-  o Directory authority changes (also in 0.2.8.7):
-    - The "Tonga" bridge authority has been retired; the new bridge
-      authority is "Bifroest". Closes tickets 19728 and 19690.

changes/buf-sentinel

@@ -1,11 +0,0 @@
-  o Major features (security fixes):
-
-    - Prevent a class of security bugs caused by treating the contents
-      of a buffer chunk as if they were a NUL-terminated string.  At
-      least one such bug seems to be present in all currently used
-      versions of Tor, and would allow an attacker to remotely crash
-      most Tor instances, especially those compiled with extra compiler
-      hardening. With this defense in place, such bugs can't crash Tor,
-      though we should still fix them as they occur. Closes ticket 20384
-      (TROVE-2016-10-001).
-

changes/bug16248

@@ -1,8 +0,0 @@
-  o Major bugfixes (dns proxy mode, crash):
-    - Avoid crashing when running as a DNS proxy. Closes bug 16248; bugfix on
-      0.2.0.1-alpha. Patch from 'cypherpunks'.
-
-  o Minor features (bug-resistance):
-    - Make Tor survive errors involving connections without a corresponding
-      event object. Previously we'd fail with an assertion; now we produce a
-      log message. Related to bug 16248.

changes/bug17404

@@ -1,6 +0,0 @@
-  o Major bugfixes (security, correctness):
-    - Fix a programming error that could cause us to read 4 bytes before
-      the beginning of an openssl string. This could be used to provoke
-      a crash on systems with an unusual malloc implementation, or
-      systems with unsual hardening installed. Fixes bug 17404; bugfix
-      on 0.2.3.6-alpha.

changes/bug17772

@@ -1,7 +0,0 @@
-  o Major bugfixes (guard selection):
-    - Actually look at the Guard flag when selecting a new directory
-      guard. When we implemented the directory guard design, we
-      accidentally started treating all relays as if they have the Guard
-      flag during guard selection, leading to weaker anonymity and worse
-      performance. Fixes bug 17222; bugfix on 0.2.4.8-alpha. Discovered
-      by Mohsen Imani.

changes/bug17781

@@ -1,3 +0,0 @@
-  o Compilation fixes:
-    - Fix a compilation warning with Clang 3.6: Do not check the
-      presence of an address which can never be NULL. Fixes bug 17781.

changes/bug17906

@@ -1,4 +0,0 @@
-  o Minor features (authorities):
-    - Update the V3 identity key for dannenberg, it was changed on
-      18 November 2015.
-      Closes task #17906. Patch by "teor".

changes/bug18089

@@ -1,6 +0,0 @@
-  o Minor fixes (security):
-    - Make memwipe() do nothing when passed a NULL pointer
-      or zero size. Check size argument to memwipe() for underflow.
-      Closes bug #18089. Reported by "gk", patch by "teor".
-      Bugfix on 0.2.3.25 and 0.2.4.6-alpha (#7352),
-      commit 49dd5ef3 on 7 Nov 2012.

changes/bug18162

@@ -1,7 +0,0 @@
-  o Major bugfixes (security, pointers):
-
-    - Avoid a difficult-to-trigger heap corruption attack when extending
-      a smartlist to contain over 16GB of pointers. Fixes bug #18162;
-      bugfix on Tor 0.1.1.11-alpha, which fixed a related bug
-      incompletely. Reported by Guido Vranken.
-

changes/bug18710

@@ -1,6 +0,0 @@
-  o Major bugfixes (DNS proxy):
-    - Stop a crash that could occur when a client running with DNSPort
-      received a query with multiple address types, where the first
-      address type was not supported. Found and fixed by Scott Dial.
-      Fixes bug 18710; bugfix on 0.2.5.4-alpha.
-

changes/bug20384

@@ -1,10 +0,0 @@
-  o Major features (security fixes):
-    - Prevent a class of security bugs caused by treating the contents
-      of a buffer chunk as if they were a NUL-terminated string. At
-      least one such bug seems to be present in all currently used
-      versions of Tor, and would allow an attacker to remotely crash
-      most Tor instances, especially those compiled with extra compiler
-      hardening. With this defense in place, such bugs can't crash Tor,
-      though we should still fix them as they occur. Closes ticket
-      20384 (TROVE-2016-10-001).
-

changes/bug21018

@@ -1,11 +0,0 @@
-  o Major bugfixes (parsing, security):
-
-    - Fix a bug in parsing that could cause clients to read a single
-      byte past the end of an allocated region. This bug could be
-      used to cause hardened clients (built with
-      --enable-expensive-hardening) to crash if they tried to visit
-      a hostile hidden service.  Non-hardened clients are only
-      affected depending on the details of their platform's memory
-      allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by
-      using libFuzzer. Also tracked as TROVE-2016-12-002 and as
-      CVE-2016-1254.

changes/geoip-april2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the April 5 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-august2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-december2015

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
-      Country database.
-

changes/geoip-december2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-february2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the February 2 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-february2017

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
-      Country database.
-

changes/geoip-january2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-january2017

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
-      Country database.
-

changes/geoip-july2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the July 8 2015 Maxmind GeoLite2 Country database.
-

changes/geoip-july2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-jun2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-march2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-may2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-november2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-october2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2 Country database.
-

changes/geoip-october2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-september2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2 Country database.
-

changes/geoip-september2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
-      Country database.
-

changes/rsa_init_bug

@@ -1,7 +0,0 @@
-  o Major bugfixes (key management):
-    - If OpenSSL fails to generate an RSA key, do not retain a dangling pointer
-      to the previous (uninitialized) key value. The impact here should be
-      limited to a difficult-to-trigger crash, if OpenSSL is running an
-      engine that makes key generation failures possible, or if OpenSSL runs
-      out of memory. Fixes bug 19152; bugfix on 0.2.1.10-alpha. Found by
-      Yuan Jochen Kang, Suman Jana, and Baishakhi Ray.

changes/trove-2017-001.2

@@ -1,8 +0,0 @@
-  o Major bugfixes (parsing):
-    - Fix an integer underflow bug when comparing malformed Tor versions.
-      This bug is harmless, except when Tor has been built with
-      --enable-expensive-hardening, which would turn it into a crash;
-      or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with
-      -ftrapv by default.
-      Part of TROVE-2017-001. Fixes bug 21278; bugfix on
-      0.0.8pre1. Found by OSS-Fuzz.