diff --git a/changes/bug2752 b/changes/bug2752 new file mode 100644 index 000000000..b872d3374 --- /dev/null +++ b/changes/bug2752 @@ -0,0 +1,5 @@ + o Minor features: + - Tor used to limit HttpProxyAuthenticator values to 48 characters. + Changed the limit to 512 characters by removing base64 newlines. + Fixes bug 2752. Fix by Michael Yakubovich. + diff --git a/changes/bug3198 b/changes/bug3198 new file mode 100644 index 000000000..29c16852e --- /dev/null +++ b/changes/bug3198 @@ -0,0 +1,4 @@ + o Major bugfixes: + - When we configure a new bridge via the controller, don't wait up + to ten seconds before trying to fetch its descriptor. Bugfix on + 0.2.0.3-alpha; fixes bug 3198 (suggested by 2355). diff --git a/changes/bug3207 b/changes/bug3207 new file mode 100644 index 000000000..65a7dac1a --- /dev/null +++ b/changes/bug3207 @@ -0,0 +1,4 @@ + o Minor bugfixes: + - Require that onion keys have exponent 65537 in microdescriptors too. + Fixes part of bug 3207; bugfix on 0.2.2.25-alpha + diff --git a/changes/bug3213 b/changes/bug3213 new file mode 100644 index 000000000..ab7de2d62 --- /dev/null +++ b/changes/bug3213 @@ -0,0 +1,4 @@ + o Major bugfixes: + - Fix a crash bug when changing bridges in a running Tor process. + Fixes bug 3213; bugfix on 0.2.2.26-beta. + diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 860cd2756..2f86e1fa3 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -4539,7 +4539,7 @@ get_configured_bridge_by_addr_port_digest(const tor_addr_t *addr, !tor_addr_compare(&bridge->addr, addr, CMP_EXACT) && bridge->port == port) return bridge; - if (tor_memeq(bridge->identity, digest, DIGEST_LEN)) + if (digest && tor_memeq(bridge->identity, digest, DIGEST_LEN)) return bridge; } SMARTLIST_FOREACH_END(bridge); diff --git a/src/or/config.c b/src/or/config.c index 614fc48c3..36a8940ca 100644 --- a/src/or/config.c +++ b/src/or/config.c 
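Review bot: In get_configured_bridge_by_addr_port_digest() (src/or/circuitbuild.c), the new `digest &&` guard makes a NULL digest a supported argument, but nothing visible documents that contract for callers. The function's header comment should state it, for example `/* <b>digest</b> may be NULL; in that case no bridge is matched by identity. */`. The function starts above this hunk, so the opening of the address/port condition and the existing comment are not visible here; the wording should be checked against them.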
@@ -3398,8 +3398,8 @@ options_validate(or_options_t *old_options, or_options_t *options, } if (options->HTTPProxyAuthenticator) { - if (strlen(options->HTTPProxyAuthenticator) >= 48) - REJECT("HTTPProxyAuthenticator is too long (>= 48 chars)."); + if (strlen(options->HTTPProxyAuthenticator) >= 512) + REJECT("HTTPProxyAuthenticator is too long (>= 512 chars)."); } if (options->HTTPSProxy) { /* parse it now */ @@ -3412,8 +3412,8 @@ options_validate(or_options_t *old_options, or_options_t *options, } if (options->HTTPSProxyAuthenticator) { - if (strlen(options->HTTPSProxyAuthenticator) >= 48) - REJECT("HTTPSProxyAuthenticator is too long (>= 48 chars)."); + if (strlen(options->HTTPSProxyAuthenticator) >= 512) + REJECT("HTTPSProxyAuthenticator is too long (>= 512 chars)."); } if (options->Socks4Proxy) { /* parse it now */ diff --git a/src/or/connection.c b/src/or/connection.c index 5054909df..bcdde6756 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -3232,8 +3232,17 @@ alloc_http_authenticator(const char *authenticator) authenticator, authenticator_length) < 0) { tor_free(base64_authenticator); /* free and set to null */ } else { - /* remove extra \n at end of encoding */ - base64_authenticator[strlen(base64_authenticator) - 1] = 0; + int i = 0, j = 0; + int len = strlen(base64_authenticator); + + /* remove all newline occurrences within the string */ + for (i=0; i < len; ++i) { + if ('\n' != base64_authenticator[i]) { + base64_authenticator[j] = base64_authenticator[i]; + ++j; + } + } + base64_authenticator[j]='\0'; } return base64_authenticator; } diff --git a/src/or/main.c b/src/or/main.c index d700f0e7a..2c950245a 100644 --- a/src/or/main.c +++ b/src/or/main.c 
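Review bot: With the cap raised to 512 in both options_validate() hunks of src/or/config.c (HTTPProxyAuthenticator and HTTPSProxyAuthenticator), an accepted value of up to 511 bytes encodes to as many as 684 base64 characters, and nothing in this diff shows that the code formatting the Proxy-Authorization header can hold that. Any fixed-size buffer on that path should be checked against the new maximum, so that a long credential is not silently truncated into a failed authentication. The literal 512 is also repeated in both checks and both messages. A single named constant, e.g. `#define MAX_HTTP_AUTHENTICATOR_LEN 512` (the name is only a suggestion), would keep the checks and any downstream buffer sizes in step.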
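Review bot: In alloc_http_authenticator() (src/or/connection.c), the new `int len = strlen(base64_authenticator);` narrows a size_t to int, and `i` and `j` index the buffer as int. Declaring them as `size_t i, j = 0;` and `const size_t len = strlen(base64_authenticator);` removes the implicit conversion. The compaction is done in place and only shortens the string, so the loop itself cannot write past the end. Whether the destination size passed to the encoder covers a 511-byte authenticator is decided above this hunk and should be confirmed there, as the function starts outside the hunk.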
@@ -924,8 +924,6 @@ run_scheduled_events(time_t now) if (time_to_try_getting_descriptors < now) { update_router_descriptor_downloads(now); update_extrainfo_downloads(now); - if (options->UseBridges) - fetch_bridge_descriptors(options, now); if (router_have_minimum_dir_info()) time_to_try_getting_descriptors = now + LAZY_DESCRIPTOR_RETRY_INTERVAL; else @@ -938,6 +936,9 @@ run_scheduled_events(time_t now) now + DESCRIPTOR_FAILURE_RESET_INTERVAL; } + if (options->UseBridges) + fetch_bridge_descriptors(options, now); + /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */ if (!last_rotated_x509_certificate) last_rotated_x509_certificate = now; diff --git a/src/or/routerparse.c b/src/or/routerparse.c index be7a3fe89..ce98a47b6 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -4336,6 +4336,11 @@ microdescs_parse_from_string(const char *s, const char *eos, } tok = find_by_keyword(tokens, K_ONION_KEY); + if (!crypto_pk_public_exponent_ok(tok->key)) { + log_warn(LD_DIR, + "Relay's onion key had invalid exponent."); + goto next; + } md->onion_pkey = tok->key; tok->key = NULL;
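Review bot: In run_scheduled_events() (src/or/main.c), the relocated `if (options->UseBridges) fetch_bridge_descriptors(options, now);` now sits outside the `time_to_try_getting_descriptors` gate, so it runs on every pass. Nothing at the call site says this is intended or what prevents repeated fetches. I would add a comment above it such as `/* Not gated on time_to_try_getting_descriptors: a bridge added at runtime should be fetched promptly; fetch_bridge_descriptors() is expected to rate-limit per bridge. */`. That rate limiting is not visible in this diff and should be confirmed before relying on it. The function body extends beyond both main.c hunks.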
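Review bot: The exponent check added in microdescs_parse_from_string() (src/or/routerparse.c) does not say which exponent is accepted or why, and its warning gives no way to identify the offending microdescriptor. A short comment such as `/* Reject onion keys whose public exponent is not 65537 (see changes/bug3207). */` would record the rule next to the check. The `goto next` path relies on cleanup at the `next` label, which is outside this hunk, to release `md` and the token list that still owns `tok->key`. That cleanup should be confirmed so a rejected entry from untrusted directory data does not leak.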