diff --git a/ReleaseNotes b/ReleaseNotes index 032a72770..327f91676 100644 --- a/ReleaseNotes +++ b/ReleaseNotes @@ -76,15 +76,27 @@ Changes in version 0.2.8.6 - 2015-08-02 rather than the more aggressive client retry count. Fixes part of ticket 18809. - o Major bugfixes (compilation): - - Repair hardened builds under the clang compiler. Previously, our - use of _FORTIFY_SOURCE would conflict with clang's address - sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha. - o Major bugfixes (dns proxy mode, crash): - Avoid crashing when running as a DNS proxy. Fixes bug 16248; bugfix on 0.2.0.1-alpha. Patch from "cypherpunks". + o Major bugfixes (ed25519, voting): + - Actually enable support for authorities to match routers by their + Ed25519 identities. Previously, the code had been written, but + some debugging code that had accidentally been left in the + codebase made it stay turned off. Fixes bug 17702; bugfix + on 0.2.7.2-alpha. + - When collating votes by Ed25519 identities, authorities now + include a "NoEdConsensus" flag if the ed25519 value (or lack + thereof) for a server does not reflect the majority consensus. + Related to bug 17668; bugfix on 0.2.7.2-alpha. + - When generating a vote with keypinning disabled, never include two + entries for the same ed25519 identity. This bug was causing + authorities to generate votes that they could not parse when a + router violated key pinning by changing its RSA identity but + keeping its Ed25519 identity. Fixes bug 17668; fixes part of bug + 18318. Bugfix on 0.2.7.2-alpha. + o Major bugfixes (key management): - If OpenSSL fails to generate an RSA key, do not retain a dangling pointer to the previous (uninitialized) key value. The impact here 
@@ -106,6 +118,9 @@ Changes in version 0.2.8.6 - 2015-08-02 cause a compiler warning, thereby making other checks fail, and needlessly disabling compiler-hardening support. Fixes one case of bug 18841; bugfix on 0.2.3.17-beta. Patch from "trudokal". + - Repair hardened builds under the clang compiler. Previously, our + use of _FORTIFY_SOURCE would conflict with clang's address + sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha. o Major bugfixes (security, pointers): - Avoid a difficult-to-trigger heap corruption attack when extending @@ -122,23 +137,6 @@ Changes in version 0.2.8.6 - 2015-08-02 by nickname, and one such relay is found, but it is not officially Named. Fixes bug 19203; bugfix on 0.2.3.1-alpha. - o Major bugfixes (voting): - - Actually enable support for authorities to match routers by their - Ed25519 identities. Previously, the code had been written, but - some debugging code that had accidentally been left in the - codebase made it stay turned off. Fixes bug 17702; bugfix - on 0.2.7.2-alpha. - - When collating votes by Ed25519 identities, authorities now - include a "NoEdConsensus" flag if the ed25519 value (or lack - thereof) for a server does not reflect the majority consensus. - Related to bug 17668; bugfix on 0.2.7.2-alpha. - - When generating a vote with keypinning disabled, never include two - entries for the same ed25519 identity. This bug was causing - authorities to generate votes that they could not parse when a - router violated key pinning by changing its RSA identity but - keeping its Ed25519 identity. Fixes bug 17668; fixes part of bug - 18318. Bugfix on 0.2.7.2-alpha. - o Minor features (accounting): - Added two modes to the AccountingRule option: One for limiting only the number of bytes sent ("AccountingRule out"), and one for 
@@ -149,6 +147,10 @@ Changes in version 0.2.8.6 - 2015-08-02 - Make Tor survive errors involving connections without a corresponding event object. Previously we'd fail with an assertion; now we produce a log message. Related to bug 16248. + - Use tor_snprintf() and tor_vsnprintf() even in external and low- + level code, to harden against accidental failures to NUL- + terminate. Part of ticket 17852. Patch from jsturgix. Found + with Flawfinder. o Minor features (build): - Detect systems with FreeBSD-derived kernels (such as GNU/kFreeBSD) @@ -158,12 +160,10 @@ Changes in version 0.2.8.6 - 2015-08-02 force "make dist" to depend on "make check". Closes ticket 17893; patch from "cypherpunks". - Tor now builds once again with the recent OpenSSL 1.1 development - branch (tested against 1.1.0-pre5 and 1.1.0-pre6-dev). - - Tor now builds successfully with the recent OpenSSL 1.1 - development branch, and with the latest LibreSSL. Closes tickets - 17549, 17921, and 17984. - - Tor now again builds with the recent OpenSSL 1.1 development - branch (tested against 1.1.0-pre6-dev). Closes ticket 19499. + branch (tested against 1.1.0-pre5 and 1.1.0-pre6-dev). We have been + tracking OpenSSL 1.1 development as it has progressed, and fixing + numerous compatibility issues as they arose. See tickets + 17549, 17921, 17984, 19499, and 18286. - When building manual pages, set the timezone to "UTC", so that the output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha. Patch from intrigeri. 
@@ -173,12 +173,6 @@ Changes in version 0.2.8.6 - 2015-08-02 encrypted begindir connection for directory requests. Resolves ticket 18483. Patch by teor. - o Minor features (code hardening): - - Use tor_snprintf() and tor_vsnprintf() even in external and low- - level code, to harden against accidental failures to NUL- - terminate. Part of ticket 17852. Patch from jsturgix. Found - with Flawfinder. - o Minor features (controller): - Add 'GETINFO exit-policy/reject-private/[default,relay]', so controllers can examine the the reject rules added by @@ -249,7 +243,7 @@ Changes in version 0.2.8.6 - 2015-08-02 - routerset_parse now accepts IPv6 literal addresses. Fixes bug 17060; bugfix on 0.2.1.3-alpha. Patch by teor. - o Minor features (linux seccomp2 sandbox): + o Minor features (Linux seccomp2 sandbox): - Reject attempts to change our Address with "Sandbox 1" enabled. Changing Address with Sandbox turned on would never actually work, but previously it would fail in strange and confusing ways. Found 
@@ -387,28 +381,6 @@ Changes in version 0.2.8.6 - 2015-08-02 - When libscrypt.h is found, but no libscrypt library can be linked, treat libscrypt as absent. Fixes bug 19161; bugfix on 0.2.6.1-alpha. - - o Minor bugfixes (client, bootstrap): - - Count receipt of new microdescriptors as progress towards - bootstrapping. Previously, with EntryNodes set, Tor might not - successfully repopulate the guard set on bootstrapping. Fixes bug - 16825; bugfix on 0.2.3.1-alpha. - - o Minor bugfixes (code correctness): - - Assert that allocated memory held by the reputation code is freed - according to its internal counters. Fixes bug 17753; bugfix - on 0.1.1.1-alpha. - - Assert when the TLS contexts fail to initialize. Fixes bug 17683; - bugfix on 0.0.6. - - Update to the latest version of Trunnel, which tries harder to - avoid generating code that can invoke memcpy(p,NULL,0). Bug found - by clang address sanitizer. Fixes bug 18373; bugfix - on 0.2.7.2-alpha. - - When closing an entry connection, generate a warning if we should - have sent an end cell for it but we haven't. Fixes bug 17876; - bugfix on 0.2.3.2-alpha. - - o Minor bugfixes (compilation): - Cause the unit tests to compile correctly on mingw64 versions that lack sscanf. Fixes bug 19213; bugfix on 0.2.7.1-alpha. - Don't try to use the pthread_condattr_setclock() function unless 
@@ -428,6 +400,34 @@ Changes in version 0.2.8.6 - 2015-08-02 Fixes bug 17924; bugfix on 0.2.4.1-alpha. - Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix on 0.0.2pre8. + - Remove an #endif from configure.ac so that we correctly detect the + presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix + on 0.2.0.13-alpha. + + o Minor bugfixes (client, bootstrap): + - Count receipt of new microdescriptors as progress towards + bootstrapping. Previously, with EntryNodes set, Tor might not + successfully repopulate the guard set on bootstrapping. Fixes bug + 16825; bugfix on 0.2.3.1-alpha. + + o Minor bugfixes (code correctness): + - Fix a bad memory handling bug that would occur if we had queued a + cell on a channel's incoming queue. Fortunately, we can't actually + queue a cell like that as our code is constructed today, but it's + best to avoid this kind of error, even if there isn't any code + that triggers it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha. + - Assert that allocated memory held by the reputation code is freed + according to its internal counters. Fixes bug 17753; bugfix + on 0.1.1.1-alpha. + - Assert when the TLS contexts fail to initialize. Fixes bug 17683; + bugfix on 0.0.6. + - Update to the latest version of Trunnel, which tries harder to + avoid generating code that can invoke memcpy(p,NULL,0). Bug found + by clang address sanitizer. Fixes bug 18373; bugfix + on 0.2.7.2-alpha. + - When closing an entry connection, generate a warning if we should + have sent an end cell for it but we haven't. Fixes bug 17876; + bugfix on 0.2.3.2-alpha. o Minor bugfixes (configuration): - Fix a tiny memory leak when parsing a port configuration ending in 
@@ -444,30 +444,16 @@ Changes in version 0.2.8.6 - 2015-08-02 consensus..." when not caching consensuses. Fixes bug 18920; bugfix on 0.2.2.6-alpha. - o Minor bugfixes (correctness): - - Fix a bad memory handling bug that would occur if we had queued a - cell on a channel's incoming queue. Fortunately, we can't actually - queue a cell like that as our code is constructed today, but it's - best to avoid this kind of error, even if there isn't any code - that triggers it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha. - o Minor bugfixes (crypto): - Check the return value of HMAC() and assert on failure. Fixes bug 17658; bugfix on 0.2.3.6-alpha. Patch by teor. - o Minor bugfixes (crypto, portability): - - Tor now builds again with the recent OpenSSL 1.1 development - branch (tested against 1.1.0-pre4 and 1.1.0-pre5-dev). Closes - ticket 18286. - o Minor bugfixes (directories): - When fetching extrainfo documents, compare their SHA256 digests and Ed25519 signing key certificates with the routerinfo that led us to fetch them, rather than with the most recent routerinfo. Otherwise we generate many spurious warnings about mismatches. Fixes bug 17150; bugfix on 0.2.7.2-alpha. - - o Minor bugfixes (directory): - When generating a URL for a directory server on an IPv6 address, wrap the IPv6 address in square brackets. Fixes bug 18051; bugfix on 0.2.3.9-alpha. Patch from Malek. @@ -488,8 +474,6 @@ Changes in version 0.2.8.6 - 2015-08-02 - Mark fallbacks as "too busy" when they return a 503 response, rather than just marking authorities. Fixes bug 17572; bugfix on 0.2.4.7-alpha. Patch by teor. - - o Minor bugfixes (fallback directory mirrors): - When requesting extrainfo descriptors from a trusted directory server, check whether it is an authority or a fallback directory which supports extrainfo descriptors. Fixes bug 18489; bugfix on 
@@ -519,7 +503,7 @@ Changes in version 0.2.8.6 - 2015-08-02 - Update the limits in max_dl_per_request for IPv6 address length. Fixes bug 17573; bugfix on 0.2.1.5-alpha. - o Minor bugfixes (linux seccomp2 sandbox): + o Minor bugfixes (Linux seccomp2 sandbox): - Allow more syscalls when running with "Sandbox 1" enabled: sysinfo, getsockopt(SO_SNDBUF), and setsockopt(SO_SNDBUFFORCE). On some systems, these are required for Tor to start. Fixes bug @@ -555,6 +539,9 @@ Changes in version 0.2.8.6 - 2015-08-02 - When we can't generate a signing key because OfflineMasterKey is set, do not imply that we should have been able to load it. Fixes bug 18133; bugfix on 0.2.7.2-alpha. + - When logging a malformed hostname received through socks4, scrub + it if SafeLogging says we should. Fixes bug 17419; bugfix + on 0.1.1.16-rc. o Minor bugfixes (memory safety): - Avoid freeing an uninitialized pointer when opening a socket fails @@ -579,11 +566,6 @@ Changes in version 0.2.8.6 - 2015-08-02 Fixes bug 19150; bugfix on 0.2.1.1-alpha. Bug found by Guido Vranken. - o Minor bugfixes (portability): - - Remove an #endif from configure.ac so that we correctly detect the - presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix - on 0.2.0.13-alpha. - o Minor bugfixes (private directory): - Prevent a race condition when creating private directories. Fixes part of bug 17852; bugfix on 0.0.2pre13. Part of ticket 17852. 
@@ -605,17 +587,12 @@ Changes in version 0.2.8.6 - 2015-08-02 then refuse to send any cells to a private address. Fixes bugs 17674 and 8976; bugfix on 0.2.3.21-rc. Patch by teor. - o Minor bugfixes (safe logging): - - When logging a malformed hostname received through socks4, scrub - it if SafeLogging says we should. Fixes bug 17419; bugfix - on 0.1.1.16-rc. - o Minor bugfixes (security, hidden services): - Prevent hidden services connecting to client-supplied rendezvous addresses that are reserved as internal or multicast. Fixes bug 8976; bugfix on 0.2.3.21-rc. Patch by dgoulet and teor. - o Minor bugfixes (statistics code): + o Minor bugfixes (statistics): - Consistently check for overflow in round_*_to_next_multiple_of functions, and add unit tests with additional and maximal values. Fixes part of bug 13192; bugfix on 0.2.2.1-alpha. @@ -624,8 +601,6 @@ Changes in version 0.2.8.6 - 2015-08-02 conversion warnings using round and trunc. Add unit tests for edge cases with maximal values. Fixes part of bug 13192; bugfix on 0.2.6.2-alpha. - - o Minor bugfixes (statistics): - We now include consensus downloads via IPv6 in our directory- request statistics. Fixes bug 18460; bugfix on 0.2.3.14-alpha. @@ -660,8 +635,6 @@ Changes in version 0.2.8.6 - 2015-08-02 - When correcting a corrupt 'struct tm' value, fill in the tm_wday field. Otherwise, our unit tests crash on Windows. Fixes bug 18977; bugfix on 0.2.2.25-alpha. - - o Minor bugfixes (time parsing): - Avoid overflow in tor_timegm when parsing dates in and after 2038 on platforms with 32-bit time_t. Fixes bug 18479; bugfix on 0.0.2pre14. Patch by teor.
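Review bot: The merged OpenSSL 1.1 entry at @@ -158,12 +160,10 @@ loses information that the three entries it replaces carried. The removed text "development branch, and with the latest LibreSSL. Closes tickets" is the only mention of LibreSSL, and the new wording keeps tickets 17549, 17921 and 17984 without saying that any of them concerned LibreSSL. The "(crypto, portability)" entry removed at @@ -444,30 +444,16 @@ also recorded testing against 1.1.0-pre4 and 1.1.0-pre5-dev, while the merged entry names only 1.1.0-pre5 and 1.1.0-pre6-dev. Suggest adding "and with the latest LibreSSL" back to the merged sentence, and keeping "Closes tickets" rather than "See tickets" so the entry still states that the listed tickets are resolved.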
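Review bot: The new section header "(ed25519, voting)" at @@ -76,15 +76,27 @@ and the entries under it mix two spellings: "Ed25519 identities" and "keeping its Ed25519 identity" beside "the ed25519 value" and "the same ed25519 identity". The entries are moved verbatim from the old "(voting)" section, so the mix predates this patch, but since the same patch normalises "linux seccomp2 sandbox" to "Linux seccomp2 sandbox" it would be consistent to pick one spelling here too. The third entry also ends "18318. Bugfix on 0.2.7.2-alpha." where every other entry uses "; bugfix on".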
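Review bot: The context line "controllers can examine the the reject rules added by" at @@ -173,12 +173,6 @@ has a doubled "the". The hunk only removes the "(code hardening)" section above it, but as this is a cleanup pass over the same file, the typo in the 'GETINFO exit-policy/reject-private/[default,relay]' entry is worth fixing in the same commit.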
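Review bot: The "(private directory)" entry visible as context at @@ -579,11 +566,6 @@ cites the same ticket twice: "Fixes part of bug 17852; bugfix on 0.0.2pre13. Part of ticket 17852." The trailing "Part of ticket 17852." is redundant and can be dropped. The tor_snprintf() entry moved at @@ -149,6 +147,10 @@ also belongs to ticket 17852, so after this reordering the two related hardening items sit in different sections; consider whether they should be listed together.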