0.2.9.8 changelog and releasenotes
parent 49bdcfd4b6
commit dab16f3a04
40
ChangeLog
|
@ -1,3 +1,43 @@
|
||||||
|
Changes in version 0.2.9.8 - 2016-12-19
|
||||||
|
|
||||||
|
Tor 0.2.9.8 is the first stable release of the Tor 0.2.9 series.
|
||||||
|
|
||||||
|
The Tor 0.2.9 series makes mandatory a number of security features
|
||||||
|
that were formerly optional. It includes support for a new shared-
|
||||||
|
randomness protocol that will form the basis for next generation
|
||||||
|
hidden services, includes a single-hop hidden service mode for
|
||||||
|
optimizing .onion services that don't actually want to be hidden,
|
||||||
|
tries harder not to overload the directory authorities with excessive
|
||||||
|
downloads, and supports a better protocol versioniing scheme for
|
||||||
|
improved compatibility with other implementations of the Tor protocol.
|
||||||
|
|
||||||
|
And of course, there numerous other bugfixes and improvements.
|
||||||
|
|
||||||
|
This release also includes a fix for a medium-severity issue (bug
|
||||||
|
21018 below) where Tor clients could crash when attempting to visit a
|
||||||
|
hostile hidden service. Clients are recommended to upgrade as packages
|
||||||
|
become available for their systems.
|
||||||
|
|
||||||
|
Below are the changes since 0.2.9.7-rc. For a list of all changes
|
||||||
|
since 0.2.8, see the ReleaseNotes file.
|
||||||
|
|
||||||
|
o Major bugfixes (parsing, security):
|
||||||
|
- Fix a bug in parsing that could cause clients to read a single
|
||||||
|
byte past the end of an allocated region. This bug could be used
|
||||||
|
to cause hardened clients (built with --enable-expensive-hardening)
|
||||||
|
to crash if they tried to visit a hostile hidden service. Non-
|
||||||
|
hardened clients are only affected depending on the details of
|
||||||
|
their platform's memory allocator. Fixes bug 21018; bugfix on
|
||||||
|
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
|
||||||
|
2016-12-002 and as CVE-2016-1254.
|
||||||
|
|
||||||
|
o Minor features (fallback directory list):
|
||||||
|
- Replace the 81 remaining fallbacks of the 100 originally
|
||||||
|
introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
|
||||||
|
fallbacks (123 new, 54 existing, 27 removed) generated in December
|
||||||
|
2016. Resolves ticket 20170.
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.2.9.7-rc - 2016-12-12
|
Changes in version 0.2.9.7-rc - 2016-12-12
|
||||||
Tor 0.2.9.7-rc fixes a few small bugs remaining in Tor 0.2.9.6-rc,
|
Tor 0.2.9.7-rc fixes a few small bugs remaining in Tor 0.2.9.6-rc,
|
||||||
including a few that had prevented tests from passing on
|
including a few that had prevented tests from passing on
|
||||||
|
|
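Review bot: the added 0.2.9.8 summary paragraph has two typos: "versioniing" should be "versioning", and "And of course, there numerous other bugfixes and improvements." is missing "are". The same paragraph is copied into the ReleaseNotes hunk with both typos, so fix both copies together. In the "Major bugfixes (parsing, security)" entry, the text states the effect for hardened clients (a crash when visiting a hostile hidden service) but for non-hardened clients only says they are affected "depending on the details of their platform's memory allocator"; say what the effect is in that case, so packagers can judge urgency from the entry alone. The fallback counts are consistent (54 existing + 27 removed = 81 remaining, 123 new + 54 existing = 177), no change needed there.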
656
ReleaseNotes
|
@ -2,6 +2,662 @@ This document summarizes new features and bugfixes in each stable release
|
||||||
of Tor. If you want to see more detailed descriptions of the changes in
|
of Tor. If you want to see more detailed descriptions of the changes in
|
||||||
each development snapshot, see the ChangeLog file.
|
each development snapshot, see the ChangeLog file.
|
||||||
|
|
||||||
|
|
||||||
|
Changes in version 0.2.9.8 - 2016-12-19
|
||||||
|
Tor 0.2.9.8 is the first stable release of the Tor 0.2.9 series.
|
||||||
|
|
||||||
|
The Tor 0.2.9 series makes mandatory a number of security features
|
||||||
|
that were formerly optional. It includes support for a new shared-
|
||||||
|
randomness protocol that will form the basis for next generation
|
||||||
|
hidden services, includes a single-hop hidden service mode for
|
||||||
|
optimizing .onion services that don't actually want to be hidden,
|
||||||
|
tries harder not to overload the directory authorities with excessive
|
||||||
|
downloads, and supports a better protocol versioniing scheme for
|
||||||
|
improved compatibility with other implementations of the Tor protocol.
|
||||||
|
|
||||||
|
And of course, there numerous other bugfixes and improvements.
|
||||||
|
|
||||||
|
This release also includes a fix for a medium-severity issue (bug
|
||||||
|
21018 below) where Tor clients could crash when attempting to visit a
|
||||||
|
hostile hidden service. Clients are recommended to upgrade as packages
|
||||||
|
become available for their systems.
|
||||||
|
|
||||||
|
Below are listed the changes since Tor 0.2.8.11. For a list of
|
||||||
|
changes since 0.2.9.7-rc, see the ChangeLog file.
|
||||||
|
|
||||||
|
o New system requirements:
|
||||||
|
- When building with OpenSSL, Tor now requires version 1.0.1 or
|
||||||
|
later. OpenSSL 1.0.0 and earlier are no longer supported by the
|
||||||
|
OpenSSL team, and should not be used. Closes ticket 20303.
|
||||||
|
- Tor now requires Libevent version 2.0.10-stable or later. Older
|
||||||
|
versions of Libevent have less efficient backends for several
|
||||||
|
platforms, and lack the DNS code that we use for our server-side
|
||||||
|
DNS support. This implements ticket 19554.
|
||||||
|
- Tor now requires zlib version 1.2 or later, for security,
|
||||||
|
efficiency, and (eventually) gzip support. (Back when we started,
|
||||||
|
zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
|
||||||
|
released in 2003. We recommend the latest version.)
|
||||||
|
|
||||||
|
o Deprecated features:
|
||||||
|
- A number of DNS-cache-related sub-options for client ports are now
|
||||||
|
deprecated for security reasons, and may be removed in a future
|
||||||
|
version of Tor. (We believe that client-side DNS caching is a bad
|
||||||
|
idea for anonymity, and you should not turn it on.) The options
|
||||||
|
are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache,
|
||||||
|
UseIPv4Cache, and UseIPv6Cache.
|
||||||
|
- A number of options are deprecated for security reasons, and may
|
||||||
|
be removed in a future version of Tor. The options are:
|
||||||
|
AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
|
||||||
|
AllowSingleHopExits, ClientDNSRejectInternalAddresses,
|
||||||
|
CloseHSClientCircuitsImmediatelyOnTimeout,
|
||||||
|
CloseHSServiceRendCircuitsImmediatelyOnTimeout,
|
||||||
|
ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
|
||||||
|
UseNTorHandshake, and WarnUnsafeSocks.
|
||||||
|
- The *ListenAddress options are now deprecated as unnecessary: the
|
||||||
|
corresponding *Port options should be used instead. These options
|
||||||
|
may someday be removed. The affected options are:
|
||||||
|
ControlListenAddress, DNSListenAddress, DirListenAddress,
|
||||||
|
NATDListenAddress, ORListenAddress, SocksListenAddress,
|
||||||
|
and TransListenAddress.
|
||||||
|
|
||||||
|
o Major bugfixes (parsing, security, new since 0.2.9.7-rc):
|
||||||
|
- Fix a bug in parsing that could cause clients to read a single
|
||||||
|
byte past the end of an allocated region. This bug could be used
|
||||||
|
to cause hardened clients (built with --enable-expensive-hardening)
|
||||||
|
to crash if they tried to visit a hostile hidden service. Non-
|
||||||
|
hardened clients are only affected depending on the details of
|
||||||
|
their platform's memory allocator. Fixes bug 21018; bugfix on
|
||||||
|
0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
|
||||||
|
2016-12-002 and as CVE-2016-1254.
|
||||||
|
|
||||||
|
o Major features (build, hardening):
|
||||||
|
- Tor now builds with -ftrapv by default on compilers that support
|
||||||
|
it. This option detects signed integer overflow (which C forbids),
|
||||||
|
and turns it into a hard-failure. We do not apply this option to
|
||||||
|
code that needs to run in constant time to avoid side-channels;
|
||||||
|
instead, we use -fwrapv in that code. Closes ticket 17983.
|
||||||
|
- When --enable-expensive-hardening is selected, stop applying the
|
||||||
|
clang/gcc sanitizers to code that needs to run in constant time.
|
||||||
|
Although we are aware of no introduced side-channels, we are not
|
||||||
|
able to prove that there are none. Related to ticket 17983.
|
||||||
|
|
||||||
|
o Major features (circuit building, security):
|
||||||
|
- Authorities, relays, and clients now require ntor keys in all
|
||||||
|
descriptors, for all hops (except for rare hidden service protocol
|
||||||
|
cases), for all circuits, and for all other roles. Part of
|
||||||
|
ticket 19163.
|
||||||
|
- Authorities, relays, and clients only use ntor, except for
|
||||||
|
rare cases in the hidden service protocol. Part of ticket 19163.
|
||||||
|
|
||||||
|
o Major features (compilation):
|
||||||
|
- Our big list of extra GCC warnings is now enabled by default when
|
||||||
|
building with GCC (or with anything like Clang that claims to be
|
||||||
|
GCC-compatible). To make all warnings into fatal compilation
|
||||||
|
errors, pass --enable-fatal-warnings to configure. Closes
|
||||||
|
ticket 19044.
|
||||||
|
- Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically
|
||||||
|
turn on C and POSIX extensions. (Previously, we attempted to do
|
||||||
|
this on an ad hoc basis.) Closes ticket 19139.
|
||||||
|
|
||||||
|
o Major features (directory authorities, hidden services):
|
||||||
|
- Directory authorities can now perform the shared randomness
|
||||||
|
protocol specified by proposal 250. Using this protocol, directory
|
||||||
|
authorities generate a global fresh random value every day. In the
|
||||||
|
future, this value will be used by hidden services to select
|
||||||
|
HSDirs. This release implements the directory authority feature;
|
||||||
|
the hidden service side will be implemented in the future as part
|
||||||
|
of proposal 224. Resolves ticket 16943; implements proposal 250.
|
||||||
|
|
||||||
|
o Major features (downloading, random exponential backoff):
|
||||||
|
- When we fail to download an object from a directory service, wait
|
||||||
|
for an (exponentially increasing) randomized amount of time before
|
||||||
|
retrying, rather than a fixed interval as we did before. This
|
||||||
|
prevents a group of Tor instances from becoming too synchronized,
|
||||||
|
or a single Tor instance from becoming too predictable, in its
|
||||||
|
download schedule. Closes ticket 15942.
|
||||||
|
|
||||||
|
o Major features (resource management):
|
||||||
|
- Tor can now notice it is about to run out of sockets, and
|
||||||
|
preemptively close connections of lower priority. (This feature is
|
||||||
|
off by default for now, since the current prioritizing method is
|
||||||
|
yet not mature enough. You can enable it by setting
|
||||||
|
"DisableOOSCheck 0", but watch out: it might close some sockets
|
||||||
|
you would rather have it keep.) Closes ticket 18640.
|
||||||
|
|
||||||
|
o Major features (single-hop "hidden" services):
|
||||||
|
- Add experimental HiddenServiceSingleHopMode and
|
||||||
|
HiddenServiceNonAnonymousMode options. When both are set to 1,
|
||||||
|
every hidden service on that Tor instance becomes a non-anonymous
|
||||||
|
Single Onion Service. Single Onions make one-hop (direct)
|
||||||
|
connections to their introduction and rendezvous points. One-hop
|
||||||
|
circuits make Single Onion servers easily locatable, but clients
|
||||||
|
remain location-anonymous. This is compatible with the existing
|
||||||
|
hidden service implementation, and works on the current Tor
|
||||||
|
network without any changes to older relays or clients. Implements
|
||||||
|
proposal 260, completes ticket 17178. Patch by teor and asn.
|
||||||
|
|
||||||
|
o Major features (subprotocol versions):
|
||||||
|
- Tor directory authorities now vote on a set of recommended
|
||||||
|
"subprotocol versions", and on a set of required subprotocol
|
||||||
|
versions. Clients and relays that lack support for a _required_
|
||||||
|
subprotocol version will not start; those that lack support for a
|
||||||
|
_recommended_ subprotocol version will warn the user to upgrade.
|
||||||
|
This change allows compatible implementations of the Tor protocol(s)
|
||||||
|
to exist without pretending to be 100% bug-compatible with
|
||||||
|
particular releases of Tor itself. Closes ticket 19958; implements
|
||||||
|
part of proposal 264.
|
||||||
|
|
||||||
|
o Major bugfixes (circuit building):
|
||||||
|
- Hidden service client-to-intro-point and service-to-rendezvous-
|
||||||
|
point circuits use the TAP key supplied by the protocol, to avoid
|
||||||
|
epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.
|
||||||
|
|
||||||
|
o Major bugfixes (download scheduling):
|
||||||
|
- Avoid resetting download status for consensuses hourly, since we
|
||||||
|
already have another, smarter retry mechanism. Fixes bug 8625;
|
||||||
|
bugfix on 0.2.0.9-alpha.
|
||||||
|
- If a consensus expires while we are waiting for certificates to
|
||||||
|
download, stop waiting for certificates.
|
||||||
|
- If we stop waiting for certificates less than a minute after we
|
||||||
|
started downloading them, do not consider the certificate download
|
||||||
|
failure a separate failure. Fixes bug 20533; bugfix
|
||||||
|
on 0.2.0.9-alpha.
|
||||||
|
- When using exponential backoff in test networks, use a lower
|
||||||
|
exponent, so the delays do not vary as much. This helps test
|
||||||
|
networks bootstrap consistently. Fixes bug 20597; bugfix on 20499.
|
||||||
|
|
||||||
|
o Major bugfixes (exit policies):
|
||||||
|
- Avoid disclosing exit outbound bind addresses, configured port
|
||||||
|
bind addresses, and local interface addresses in relay descriptors
|
||||||
|
by default under ExitPolicyRejectPrivate. Instead, only reject
|
||||||
|
these (otherwise unlisted) addresses if
|
||||||
|
ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on
|
||||||
|
0.2.7.2-alpha. Patch by teor.
|
||||||
|
|
||||||
|
o Major bugfixes (hidden services):
|
||||||
|
- Allow Tor clients with appropriate controllers to work with
|
||||||
|
FetchHidServDescriptors set to 0. Previously, this option also
|
||||||
|
disabled descriptor cache lookup, thus breaking hidden services
|
||||||
|
entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".
|
||||||
|
- Clients now require hidden services to include the TAP keys for
|
||||||
|
their intro points in the hidden service descriptor. This prevents
|
||||||
|
an inadvertent upgrade to ntor, which a malicious hidden service
|
||||||
|
could use to distinguish clients by consensus version. Fixes bug
|
||||||
|
20012; bugfix on 0.2.4.8-alpha. Patch by teor.
|
||||||
|
|
||||||
|
o Major bugfixes (relay, resolver, logging):
|
||||||
|
- For relays that don't know their own address, avoid attempting a
|
||||||
|
local hostname resolve for each descriptor we download. This
|
||||||
|
will cut down on the number of "Success: chose address 'x.x.x.x'"
|
||||||
|
log lines, and also avoid confusing clock jumps if the resolver
|
||||||
|
is slow. Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha.
|
||||||
|
|
||||||
|
o Minor features (port flags):
|
||||||
|
- Add new flags to the *Port options to give finer control over which
|
||||||
|
requests are allowed. The flags are NoDNSRequest, NoOnionTraffic,
|
||||||
|
and the synthetic flag OnionTrafficOnly, which is equivalent to
|
||||||
|
NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic. Closes enhancement
|
||||||
|
18693; patch by "teor".
|
||||||
|
|
||||||
|
o Minor features (build, hardening):
|
||||||
|
- Detect and work around a libclang_rt problem that would prevent
|
||||||
|
clang from finding __mulodi4() on some 32-bit platforms, and thus
|
||||||
|
keep -ftrapv from linking on those systems. Closes ticket 19079.
|
||||||
|
- When building on a system without runtime support for the runtime
|
||||||
|
hardening options, try to log a useful warning at configuration
|
||||||
|
time, rather than an incomprehensible warning at link time. If
|
||||||
|
expensive hardening was requested, this warning becomes an error.
|
||||||
|
Closes ticket 18895.
|
||||||
|
|
||||||
|
o Minor features (client, directory):
|
||||||
|
- Since authorities now omit all routers that lack the Running and
|
||||||
|
Valid flags, we assume that any relay listed in the consensus must
|
||||||
|
have those flags. Closes ticket 20001; implements part of
|
||||||
|
proposal 272.
|
||||||
|
|
||||||
|
o Minor features (code safety):
|
||||||
|
- In our integer-parsing functions, ensure that the maximum value we
|
||||||
|
allow is no smaller than the minimum value. Closes ticket 19063;
|
||||||
|
patch from "U+039b".
|
||||||
|
|
||||||
|
o Minor features (compilation, portability):
|
||||||
|
- Compile correctly on MacOS 10.12 (aka "Sierra"). Closes
|
||||||
|
ticket 20241.
|
||||||
|
|
||||||
|
o Minor features (config):
|
||||||
|
- Warn users when descriptor and port addresses are inconsistent.
|
||||||
|
Mitigates bug 13953; patch by teor.
|
||||||
|
|
||||||
|
o Minor features (controller):
|
||||||
|
- Allow controllers to configure basic client authorization on
|
||||||
|
hidden services when they create them with the ADD_ONION controller
|
||||||
|
command. Implements ticket 15588. Patch by "special".
|
||||||
|
- Fire a STATUS_SERVER controller event whenever the hibernation
|
||||||
|
status changes between "awake"/"soft"/"hard". Closes ticket 18685.
|
||||||
|
- Implement new GETINFO queries for all downloads that use
|
||||||
|
download_status_t to schedule retries. This allows controllers to
|
||||||
|
examine the schedule for pending downloads. Closes ticket 19323.
|
||||||
|
|
||||||
|
o Minor features (development tools, etags):
|
||||||
|
- Teach the "make tags" Makefile target how to correctly find
|
||||||
|
"MOCK_IMPL" function definitions. Patch from nherring; closes
|
||||||
|
ticket 16869.
|
||||||
|
|
||||||
|
o Minor features (directory authority):
|
||||||
|
- After voting, if the authorities decide that a relay is not
|
||||||
|
"Valid", they no longer include it in the consensus at all. Closes
|
||||||
|
ticket 20002; implements part of proposal 272.
|
||||||
|
- Directory authorities now only give the Guard flag to a relay if
|
||||||
|
they are also giving it the Stable flag. This change allows us to
|
||||||
|
simplify path selection for clients. It should have minimal effect
|
||||||
|
in practice, since >99% of Guards already have the Stable flag.
|
||||||
|
Implements ticket 18624.
|
||||||
|
- Directory authorities now write their v3-status-votes file out to
|
||||||
|
disk earlier in the consensus process, so we have a record of the
|
||||||
|
votes even if we abort the consensus process. Resolves
|
||||||
|
ticket 19036.
|
||||||
|
|
||||||
|
o Minor features (fallback directory list, new since 0.2.9.7-rc):
|
||||||
|
- Replace the 81 remaining fallbacks of the 100 originally
|
||||||
|
introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
|
||||||
|
fallbacks (123 new, 54 existing, 27 removed) generated in December
|
||||||
|
2016. Resolves ticket 20170.
|
||||||
|
|
||||||
|
o Minor features (hidden service):
|
||||||
|
- Stop being so strict about the payload length of "rendezvous1"
|
||||||
|
cells. We used to be locked in to the "TAP" handshake length, and
|
||||||
|
now we can handle better handshakes like "ntor". Resolves
|
||||||
|
ticket 18998.
|
||||||
|
|
||||||
|
o Minor features (infrastructure, time):
|
||||||
|
- Tor now includes an improved timer backend, so that we can
|
||||||
|
efficiently support tens or hundreds of thousands of concurrent
|
||||||
|
timers, as will be needed for some of our planned anti-traffic-
|
||||||
|
analysis work. This code is based on William Ahern's "timeout.c"
|
||||||
|
project, which implements a "tickless hierarchical timing wheel".
|
||||||
|
Closes ticket 18365.
|
||||||
|
- Tor now uses the operating system's monotonic timers (where
|
||||||
|
available) for internal fine-grained timing. Previously we would
|
||||||
|
look at the system clock, and then attempt to compensate for the
|
||||||
|
clock running backwards. Closes ticket 18908.
|
||||||
|
|
||||||
|
o Minor features (logging):
|
||||||
|
- Add a set of macros to check nonfatal assertions, for internal
|
||||||
|
use. Migrating more of our checks to these should help us avoid
|
||||||
|
needless crash bugs. Closes ticket 18613.
|
||||||
|
- Provide a more useful warning message when configured with an
|
||||||
|
invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".
|
||||||
|
- When dumping unparseable router descriptors, optionally store them
|
||||||
|
in separate files, named by digest, up to a configurable size
|
||||||
|
limit. You can change the size limit by setting the
|
||||||
|
MaxUnparseableDescSizeToLog option, and disable this feature by
|
||||||
|
setting that option to 0. Closes ticket 18322.
|
||||||
|
|
||||||
|
o Minor features (performance):
|
||||||
|
- Change the "optimistic data" extension from "off by default" to
|
||||||
|
"on by default". The default was ordinarily overridden by a
|
||||||
|
consensus option, but when clients were bootstrapping for the
|
||||||
|
first time, they would not have a consensus to get the option
|
||||||
|
from. Changing this default saves a round-trip during startup.
|
||||||
|
Closes ticket 18815.
|
||||||
|
|
||||||
|
o Minor features (relay, usability):
|
||||||
|
- When the directory authorities refuse a bad relay's descriptor,
|
||||||
|
encourage the relay operator to contact us. Many relay operators
|
||||||
|
won't notice this line in their logs, but it's a win if even a few
|
||||||
|
learn why we don't like what their relay was doing. Resolves
|
||||||
|
ticket 18760.
|
||||||
|
|
||||||
|
o Minor features (security, TLS):
|
||||||
|
- Servers no longer support clients that lack AES ciphersuites.
|
||||||
|
(3DES is no longer considered an acceptable cipher.) We believe
|
||||||
|
that no such Tor clients currently exist, since Tor has required
|
||||||
|
OpenSSL 0.9.7 or later since 2009. Closes ticket 19998.
|
||||||
|
|
||||||
|
o Minor features (testing):
|
||||||
|
- Disable memory protections on OpenBSD when performing our unit
|
||||||
|
tests for memwipe(). The test deliberately invokes undefined
|
||||||
|
behavior, and the OpenBSD protections interfere with this. Patch
|
||||||
|
from "rubiate". Closes ticket 20066.
|
||||||
|
- Move the test-network.sh script to chutney, and modify tor's test-
|
||||||
|
network.sh to call the (newer) chutney version when available.
|
||||||
|
Resolves ticket 19116. Patch by teor.
|
||||||
|
- Use the lcov convention for marking lines as unreachable, so that
|
||||||
|
we don't count them when we're generating test coverage data.
|
||||||
|
Update our coverage tools to understand this convention. Closes
|
||||||
|
ticket 16792.
|
||||||
|
- Our link-handshake unit tests now check that when invalid
|
||||||
|
handshakes fail, they fail with the error messages we expected.
|
||||||
|
- Our unit testing code that captures log messages no longer
|
||||||
|
prevents them from being written out if the user asked for them
|
||||||
|
(by passing --debug or --info or --notice or --warn to the "test"
|
||||||
|
binary). This change prevents us from missing unexpected log
|
||||||
|
messages simply because we were looking for others. Related to
|
||||||
|
ticket 19999.
|
||||||
|
- The unit tests now log all warning messages with the "BUG" flag.
|
||||||
|
Previously, they only logged errors by default. This change will
|
||||||
|
help us make our testing code more correct, and make sure that we
|
||||||
|
only hit this code when we mean to. In the meantime, however,
|
||||||
|
there will be more warnings in the unit test logs than before.
|
||||||
|
This is preparatory work for ticket 19999.
|
||||||
|
- The unit tests now treat any failure of a "tor_assert_nonfatal()"
|
||||||
|
assertion as a test failure.
|
||||||
|
- We've done significant work to make the unit tests run faster.
|
||||||
|
|
||||||
|
o Minor features (testing, ipv6):
|
||||||
|
- Add the hs-ipv6 chutney target to make test-network-all's IPv6
|
||||||
|
tests. Remove bridges+hs, as it's somewhat redundant. This
|
||||||
|
requires a recent chutney version that supports IPv6 clients,
|
||||||
|
relays, and authorities. Closes ticket 20069; patch by teor.
|
||||||
|
- Add the single-onion and single-onion-ipv6 chutney targets to
|
||||||
|
"make test-network-all". This requires a recent chutney version
|
||||||
|
with the single onion network flavors (git c72a652 or later).
|
||||||
|
Closes ticket 20072; patch by teor.
|
||||||
|
|
||||||
|
o Minor features (Tor2web):
|
||||||
|
- Make Tor2web clients respect ReachableAddresses. This feature was
|
||||||
|
inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on
|
||||||
|
0.2.8.7. Implements feature 20034. Patch by teor.
|
||||||
|
|
||||||
|
o Minor features (unix domain sockets):
|
||||||
|
- When configuring a unix domain socket for a SocksPort,
|
||||||
|
ControlPort, or Hidden service, you can now wrap the address in
|
||||||
|
quotes, using C-style escapes inside the quotes. This allows unix
|
||||||
|
domain socket paths to contain spaces. Resolves ticket 18753.
|
||||||
|
|
||||||
|
o Minor features (user interface):
|
||||||
|
- Tor now supports the ability to declare options deprecated, so
|
||||||
|
that we can recommend that people stop using them. Previously, this
|
||||||
|
was done in an ad-hoc way. There is a new --list-deprecated-options
|
||||||
|
command-line option to list all of the deprecated options. Closes
|
||||||
|
ticket 19820.
|
||||||
|
|
||||||
|
o Minor features (virtual addresses):
|
||||||
|
- Increase the maximum number of bits for the IPv6 virtual network
|
||||||
|
prefix from 16 to 104. In this way, the condition for address
|
||||||
|
allocation is less restrictive. Closes ticket 20151; feature
|
||||||
|
on 0.2.4.7-alpha.
|
||||||
|
|
||||||
|
o Minor bug fixes (circuits):
|
||||||
|
- Use the CircuitBuildTimeout option whenever
|
||||||
|
LearnCircuitBuildTimeout is disabled. Previously, we would respect
|
||||||
|
the option when a user disabled it, but not when it was disabled
|
||||||
|
because some other option was set. Fixes bug 20073; bugfix on
|
||||||
|
0.2.4.12-alpha. Patch by teor.
|
||||||
|
|
||||||
|
o Minor bugfixes (build):
|
||||||
|
- The current Git revision when building from a local repository is
|
||||||
|
now detected correctly when using git worktrees. Fixes bug 20492;
|
||||||
|
bugfix on 0.2.3.9-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (relay address discovery):
|
||||||
|
- Stop reordering IP addresses returned by the OS. This makes it
|
||||||
|
more likely that Tor will guess the same relay IP address every
|
||||||
|
time. Fixes issue 20163; bugfix on 0.2.7.1-alpha, ticket 17027.
|
||||||
|
Reported by René Mayrhofer, patch by "cypherpunks".
|
||||||
|
|
||||||
|
o Minor bugfixes (memory allocation):
|
||||||
|
- Change how we allocate memory for large chunks on buffers, to
|
||||||
|
avoid a (currently impossible) integer overflow, and to waste less
|
||||||
|
space when allocating unusually large chunks. Fixes bug 20081;
|
||||||
|
bugfix on 0.2.0.16-alpha. Issue identified by Guido Vranken.
|
||||||
|
|
||||||
|
o Minor bugfixes (bootstrap):
|
||||||
|
- Remember the directory server we fetched the consensus or previous
|
||||||
|
certificates from, and use it to fetch future authority
|
||||||
|
certificates. This change improves bootstrapping performance.
|
||||||
|
Fixes bug 18963; bugfix on 0.2.8.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (circuits):
|
||||||
|
- Make sure extend_info_from_router() is only called on servers.
|
||||||
|
Fixes bug 19639; bugfix on 0.2.8.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (client, fascistfirewall):
|
||||||
|
- Avoid spurious warnings when ReachableAddresses or FascistFirewall
|
||||||
|
is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (client, unix domain sockets):
|
||||||
|
- Disable IsolateClientAddr when using AF_UNIX backed SocksPorts as
|
||||||
|
the client address is meaningless. Fixes bug 20261; bugfix
|
||||||
|
on 0.2.6.3-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (code style):
|
||||||
|
- Fix an integer signedness conversion issue in the case conversion
|
||||||
|
tables. Fixes bug 19168; bugfix on 0.2.1.11-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (compilation):
|
||||||
|
- Build correctly on versions of libevent2 without support for
|
||||||
|
evutil_secure_rng_add_bytes(). Fixes bug 19904; bugfix
|
||||||
|
on 0.2.5.4-alpha.
|
||||||
|
- When building with Clang, use a full set of GCC warnings.
|
||||||
|
(Previously, we included only a subset, because of the way we
|
||||||
|
detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha.
|
||||||
|
- Detect Libevent2 functions correctly on systems that provide
|
||||||
|
libevent2, but where libevent1 is linked with -levent. Fixes bug
|
||||||
|
19904; bugfix on 0.2.2.24-alpha. Patch from Rubiate.
|
||||||
|
- Run correctly when built on Windows build environments that
|
||||||
|
require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (configuration):
|
||||||
|
- When parsing quoted configuration values from the torrc file,
|
||||||
|
handle Windows line endings correctly. Fixes bug 19167; bugfix on
|
||||||
|
0.2.0.16-alpha. Patch from "Pingl".
|
||||||
|
|
||||||
|
o Minor bugfixes (directory authority):
|
||||||
|
- Authorities now sort the "package" lines in their votes, for ease
|
||||||
|
of debugging. (They are already sorted in consensus documents.)
|
||||||
|
Fixes bug 18840; bugfix on 0.2.6.3-alpha.
|
||||||
|
- Die with a more useful error when the operator forgets to place
|
||||||
|
the authority_signing_key file into the keys directory. This
|
||||||
|
avoids an uninformative assert & traceback about having an invalid
|
||||||
|
key. Fixes bug 20065; bugfix on 0.2.0.1-alpha.
|
||||||
|
- When allowing private addresses, mark Exits that only exit to
|
||||||
|
private locations as such. Fixes bug 20064; bugfix
|
||||||
|
on 0.2.2.9-alpha.
|
||||||
|
- When parsing a detached signature, make sure we use the length of
|
||||||
|
the digest algorithm instead of a hardcoded DIGEST256_LEN in
|
||||||
|
order to avoid comparing bytes out-of-bounds with a smaller digest
|
||||||
|
length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (getpass):
|
||||||
|
- Defensively fix a non-triggerable heap corruption at do_getpass()
|
||||||
|
to protect ourselves from mistakes in the future. Fixes bug
|
||||||
|
19223; bugfix on 0.2.7.3-rc. Bug found by Guido Vranken, patch
|
||||||
|
by nherring.
|
||||||
|
|
||||||
|
o Minor bugfixes (guard selection):
|
||||||
|
- Don't mark guards as unreachable if connection_connect() fails.
|
||||||
|
That function fails for local reasons, so it shouldn't reveal
|
||||||
|
anything about the status of the guard. Fixes bug 14334; bugfix
|
||||||
|
on 0.2.3.10-alpha.
|
||||||
|
- Use a single entry guard even if the NumEntryGuards consensus
|
||||||
|
parameter is not provided. Fixes bug 17688; bugfix
|
||||||
|
on 0.2.5.6-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (hidden services):
|
||||||
|
- Increase the minimum number of internal circuits we preemptively
|
||||||
|
build from 2 to 3, so a circuit is available when a client
|
||||||
|
connects to another onion service. Fixes bug 13239; bugfix
|
||||||
|
on 0.1.0.1-rc.
|
||||||
|
- Allow hidden services to run on IPv6 addresses even when the
|
||||||
|
IPv6Exit option is not set. Fixes bug 18357; bugfix
|
||||||
|
on 0.2.4.7-alpha.
|
||||||
|
- Stop logging intro point details to the client log on certain
|
||||||
|
error conditions. Fixed as part of bug 20012; bugfix on
|
||||||
|
0.2.4.8-alpha. Patch by teor.
|
||||||
|
- When deleting an ephemeral hidden service, close its intro points
|
||||||
|
even if they are not completely open. Fixes bug 18604; bugfix
|
||||||
|
on 0.2.7.1-alpha.
|
||||||
|
- When configuring hidden services, check every hidden service
|
||||||
|
directory's permissions. Previously, we only checked the last
|
||||||
|
hidden service. Fixes bug 20529; bugfix on 0.2.6.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (IPv6, testing):
|
||||||
|
- Check for IPv6 correctly on Linux when running test networks.
|
||||||
|
Fixes bug 19905; bugfix on 0.2.7.3-rc; patch by teor.
|
||||||
|
|
||||||
|
o Minor bugfixes (Linux seccomp2 sandbox):
|
||||||
|
- Add permission to run the sched_yield() and sigaltstack() system
|
||||||
|
calls, in order to support versions of Tor compiled with asan or
|
||||||
|
ubsan code that use these calls. Now "sandbox 1" and
|
||||||
|
"--enable-expensive-hardening" should be compatible on more
|
||||||
|
systems. Fixes bug 20063; bugfix on 0.2.5.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (logging):
|
||||||
|
- Downgrade a harmless log message about the
|
||||||
|
pending_entry_connections list from "warn" to "info". Mitigates
|
||||||
|
bug 19926.
|
||||||
|
- Log a more accurate message when we fail to dump a microdescriptor.
|
||||||
|
Fixes bug 17758; bugfix on 0.2.2.8-alpha. Patch from Daniel Pinto.
|
||||||
|
- When logging a directory ownership mismatch, log the owning
|
||||||
|
username correctly. Fixes bug 19578; bugfix on 0.2.2.29-beta.
|
||||||
|
- When we are unable to remove the bw_accounting file, do not warn
|
||||||
|
if the reason we couldn't remove it was that it didn't exist.
|
||||||
|
Fixes bug 19964; bugfix on 0.2.5.4-alpha. Patch from pastly.
|
||||||
|
|
||||||
|
o Minor bugfixes (memory leak):
|
||||||
|
- Fix a series of slow memory leaks related to parsing torrc files
|
||||||
|
and options. Fixes bug 19466; bugfix on 0.2.1.6-alpha.
|
||||||
|
- Avoid a small memory leak when informing worker threads about
|
||||||
|
rotated onion keys. Fixes bug 20401; bugfix on 0.2.6.3-alpha.
|
||||||
|
- Fix a small memory leak when receiving AF_UNIX connections on a
|
||||||
|
SocksPort. Fixes bug 20716; bugfix on 0.2.6.3-alpha.
|
||||||
|
- When moving a signed descriptor object from a source to an
|
||||||
|
existing destination, free the allocated memory inside that
|
||||||
|
destination object. Fixes bug 20715; bugfix on 0.2.8.3-alpha.
|
||||||
|
- Fix a memory leak and use-after-free error when removing entries
|
||||||
|
from the sandbox's getaddrinfo() cache. Fixes bug 20710; bugfix on
|
||||||
|
0.2.5.5-alpha. Patch from "cypherpunks".
|
||||||
|
- Fix a small, uncommon memory leak that could occur when reading a
|
||||||
|
truncated ed25519 key file. Fixes bug 18956; bugfix
|
||||||
|
on 0.2.6.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (option parsing):
|
||||||
|
- Count unix sockets when counting client listeners (SOCKS, Trans,
|
||||||
|
NATD, and DNS). This has no user-visible behavior changes: these
|
||||||
|
options are set once, and never read. Required for correct
|
||||||
|
behavior in ticket 17178. Fixes bug 19677; bugfix on
|
||||||
|
0.2.6.3-alpha. Patch by teor.
|
||||||
|
|
||||||
|
o Minor bugfixes (options):
|
||||||
|
- Check the consistency of UseEntryGuards and EntryNodes more
|
||||||
|
reliably. Fixes bug 20074; bugfix on 0.2.4.12-alpha. Patch
|
||||||
|
by teor.
|
||||||
|
- Stop changing the configured value of UseEntryGuards on
|
||||||
|
authorities and Tor2web clients. Fixes bug 20074; bugfix on
|
||||||
|
commits 51fc6799 in 0.1.1.16-rc and acda1735 in 0.2.4.3-alpha.
|
||||||
|
Patch by teor.
|
||||||
|
|
||||||
|
o Minor bugfixes (relay):
|
||||||
|
- Ensure relays don't make multiple connections during bootstrap.
|
||||||
|
Fixes bug 20591; bugfix on 0.2.8.1-alpha.
|
||||||
|
- Do not try to parallelize workers more than 16x without the user
|
||||||
|
explicitly configuring us to do so, even if we do detect more than
|
||||||
|
16 CPU cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (testing):
|
||||||
|
- The test-stem and test-network makefile targets now depend only on
|
||||||
|
the tor binary that they are testing. Previously, they depended on
|
||||||
|
"make all". Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a
|
||||||
|
patch from "cypherpunks".
|
||||||
|
- Allow clients to retry HSDirs much faster in test networks. Fixes
|
||||||
|
bug 19702; bugfix on 0.2.7.1-alpha. Patch by teor.
|
||||||
|
- Avoid a unit test failure on systems with over 16 detectable CPU
|
||||||
|
cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.
|
||||||
|
- Let backtrace tests work correctly under AddressSanitizer:
|
||||||
|
disable ASAN's detection of segmentation faults while running
|
||||||
|
test_bt.sh, so that we can make sure that our own backtrace
|
||||||
|
generation code works. Fixes bug 18934; bugfix
|
||||||
|
on 0.2.5.2-alpha. Patch from "cypherpunks".
|
||||||
|
- Fix the test-network-all target on out-of-tree builds by using the
|
||||||
|
correct path to the test driver script. Fixes bug 19421; bugfix
|
||||||
|
on 0.2.7.3-rc.
|
||||||
|
- Stop spurious failures in the local interface address discovery
|
||||||
|
unit tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by
|
||||||
|
Neel Chauhan.
|
||||||
|
- Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has
|
||||||
|
removed the ECDH ciphers which caused the tests to fail on
|
||||||
|
platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha.
|
||||||
|
- The tor_tls_server_info_callback unit test no longer crashes when
|
||||||
|
debug-level logging is turned on. Fixes bug 20041; bugfix
|
||||||
|
on 0.2.8.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (time):
|
||||||
|
- Improve overflow checks in tv_udiff and tv_mdiff. Fixes bug 19483;
|
||||||
|
bugfix on all released tor versions.
|
||||||
|
- When computing the difference between two times in milliseconds,
|
||||||
|
we now round to the nearest millisecond correctly. Previously, we
|
||||||
|
could sometimes round in the wrong direction. Fixes bug 19428;
|
||||||
|
bugfix on 0.2.2.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (Tor2web):
|
||||||
|
- Prevent Tor2web clients from running hidden services: these services
|
||||||
|
are not anonymous due to the one-hop client paths. Fixes bug
|
||||||
|
19678. Patch by teor.
|
||||||
|
|
||||||
|
o Minor bugfixes (user interface):
|
||||||
|
- Display a more accurate number of suppressed messages in the log
|
||||||
|
rate-limiter. Previously, there was a potential integer overflow
|
||||||
|
in the counter. Now, if the number of messages hits a maximum, the
|
||||||
|
rate-limiter doesn't count any further. Fixes bug 19435; bugfix
|
||||||
|
on 0.2.4.11-alpha.
|
||||||
|
- Fix a typo in the passphrase prompt for the ed25519 identity key.
|
||||||
|
Fixes bug 19503; bugfix on 0.2.7.2-alpha.
|
||||||
|
|
||||||
|
o Code simplification and refactoring:
|
||||||
|
- Remove redundant declarations of the MIN macro. Closes
|
||||||
|
ticket 18889.
|
||||||
|
- Rename tor_dup_addr() to tor_addr_to_str_dup() to avoid confusion.
|
||||||
|
Closes ticket 18462; patch from "icanhasaccount".
|
||||||
|
- Split the 600-line directory_handle_command_get function into
|
||||||
|
separate functions for different URL types. Closes ticket 16698.
|
||||||
|
|
||||||
|
o Documentation:
|
||||||
|
- Add module-level internal documentation for 36 C files that
|
||||||
|
previously didn't have a high-level overview. Closes ticket 20385.
|
||||||
|
- Correct the IPv6 syntax in our documentation for the
|
||||||
|
VirtualAddrNetworkIPv6 torrc option. Closes ticket 19743.
|
||||||
|
- Correct the minimum bandwidth value in torrc.sample, and queue a
|
||||||
|
corresponding change for torrc.minimal. Closes ticket 20085.
|
||||||
|
- Fix spelling of "--enable-tor2web-mode" in the manpage. Closes
|
||||||
|
ticket 19153. Patch from "U+039b".
|
||||||
|
- Module-level documentation for several more modules. Closes
|
||||||
|
tickets 19287 and 19290.
|
||||||
|
- Document the --passphrase-fd option in the tor manpage. Fixes bug
|
||||||
|
19504; bugfix on 0.2.7.3-rc.
|
||||||
|
- Document the default PathsNeededToBuildCircuits value that's used
|
||||||
|
by clients when the directory authorities don't set
|
||||||
|
min_paths_for_circs_pct. Fixes bug 20117; bugfix on 0.2.4.10-alpha.
|
||||||
|
Patch by teor, reported by Jesse V.
|
||||||
|
- Fix manual for the User option: it takes a username, not a UID.
|
||||||
|
Fixes bug 19122; bugfix on 0.0.2pre16 (the first version to have
|
||||||
|
a manpage!).
|
||||||
|
- Fix the description of the --passphrase-fd option in the
|
||||||
|
tor-gencert manpage. The option is used to pass the number of a
|
||||||
|
file descriptor to read the passphrase from, not to read the file
|
||||||
|
descriptor from. Fixes bug 19505; bugfix on 0.2.0.20-alpha.
|
||||||
|
|
||||||
|
o Removed code:
|
||||||
|
- We no longer include the (dead, deprecated) bufferevent code in
|
||||||
|
Tor. Closes ticket 19450. Based on a patch from "U+039b".
|
||||||
|
|
||||||
|
o Removed features:
|
||||||
|
- Remove support for "GET /tor/bytes.txt" DirPort request, and
|
||||||
|
"GETINFO dir-usage" controller request, which were only available
|
||||||
|
via a compile-time option in Tor anyway. Feature was added in
|
||||||
|
0.2.2.1-alpha. Resolves ticket 19035.
|
||||||
|
- There is no longer a compile-time option to disable support for
|
||||||
|
TransPort. (If you don't want TransPort, just don't use it.) Patch
|
||||||
|
from "U+039b". Closes ticket 19449.
|
||||||
|
|
||||||
|
o Testing:
|
||||||
|
- Run more workqueue tests as part of "make check". These had
|
||||||
|
previously been implemented, but you needed to know special
|
||||||
|
command-line options to enable them.
|
||||||
|
- We now have unit tests for our code to reject zlib "compression
|
||||||
|
bombs". (Fortunately, the code works fine.)
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.2.8.11 - 2016-12-08
|
Changes in version 0.2.8.11 - 2016-12-08
|
||||||
Tor 0.2.8.11 backports fixes for additional portability issues that
|
Tor 0.2.8.11 backports fixes for additional portability issues that
|
||||||
could prevent Tor from building correctly on OSX Sierra, or with
|
could prevent Tor from building correctly on OSX Sierra, or with
|
||||||
|
|
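Review bot: In the added "Minor bugfixes (memory leak)" section, the entry "Fix a memory leak and use-after-free error when removing entries from the sandbox's getaddrinfo() cache" (bug 20710) describes a use-after-free, which is a memory-safety bug rather than a leak. Filed under a leak heading, it is easy to miss when scanning the notes for security-relevant fixes. Consider giving it its own heading, for example "Minor bugfixes (memory safety)", or widening the existing heading so it names use-after-free. Separately, the "Minor bugfixes (Tor2web)" entry ends with "Fixes bug 19678. Patch by teor." and carries no "bugfix on" version, unlike the other "Fixes bug" entries visible here; add the version that introduced the bug so readers can tell which releases are affected.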
642
ReleaseNotes.029
|
@ -1,642 +0,0 @@
|
||||||
[This is a draft for the 0.2.9.x release notes. It should get folded
|
|
||||||
into the ReleaseNotes file before stable.]
|
|
||||||
|
|
||||||
Changes in version 0.2.9.8 - 2016-12-19
|
|
||||||
Tor 0.2.9.8 is the first stable release of the Tor 0.2.9 series.
|
|
||||||
|
|
||||||
The Tor 0.2.9 series makes mandatory a number of security features
|
|
||||||
that were formerly optional. It includes support for a new
|
|
||||||
shared-randomness protocol that will form the basis for next
|
|
||||||
generation hidden services, includes a single-hop hidden service
|
|
||||||
mode for optimizing .onion services that don't actually want to be
|
|
||||||
hidden, tries harder not to overload the directory authorities with
|
|
||||||
excessive downloads, and supports a better protocol versioniing
|
|
||||||
scheme for improved compatibility with other implementations of the
|
|
||||||
Tor protocol.
|
|
||||||
|
|
||||||
And of course, there numerous other bugfixes and improvements.
|
|
||||||
|
|
||||||
This release also includes a fix for a medium-severity issue (bug
|
|
||||||
21018 below) where Tor clients could crash when attempting to visit
|
|
||||||
a hostile hidden service. Clients are recommended to upgrade as
|
|
||||||
packages become available for their systems.
|
|
||||||
|
|
||||||
Below are listed the changes since Tor 0.2.8.11. For a list of
|
|
||||||
changes since 0.2.9.7-rc, see the ChangeLog file.
|
|
||||||
|
|
||||||
o New system requirements:
|
|
||||||
- When building with OpenSSL, Tor now requires version 1.0.1 or
|
|
||||||
later. OpenSSL 1.0.0 and earlier are no longer supported by the
|
|
||||||
OpenSSL team, and should not be used. Closes ticket 20303.
|
|
||||||
- Tor now requires Libevent version 2.0.10-stable or later. Older
|
|
||||||
versions of Libevent have less efficient backends for several
|
|
||||||
platforms, and lack the DNS code that we use for our server-side
|
|
||||||
DNS support. This implements ticket 19554.
|
|
||||||
- Tor now requires zlib version 1.2 or later, for security,
|
|
||||||
efficiency, and (eventually) gzip support. (Back when we started,
|
|
||||||
zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
|
|
||||||
released in 2003. We recommend the latest version.)
|
|
||||||
|
|
||||||
o Deprecated features:
|
|
||||||
- A number of DNS-cache-related sub-options for client ports are now
|
|
||||||
deprecated for security reasons, and may be removed in a future
|
|
||||||
version of Tor. (We believe that client-side DNS caching is a bad
|
|
||||||
idea for anonymity, and you should not turn it on.) The options
|
|
||||||
are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache,
|
|
||||||
UseIPv4Cache, and UseIPv6Cache.
|
|
||||||
- A number of options are deprecated for security reasons, and may
|
|
||||||
be removed in a future version of Tor. The options are:
|
|
||||||
AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
|
|
||||||
AllowSingleHopExits, ClientDNSRejectInternalAddresses,
|
|
||||||
CloseHSClientCircuitsImmediatelyOnTimeout,
|
|
||||||
CloseHSServiceRendCircuitsImmediatelyOnTimeout,
|
|
||||||
ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
|
|
||||||
UseNTorHandshake, and WarnUnsafeSocks.
|
|
||||||
- The *ListenAddress options are now deprecated as unnecessary: the
|
|
||||||
corresponding *Port options should be used instead. These options
|
|
||||||
may someday be removed. The affected options are:
|
|
||||||
ControlListenAddress, DNSListenAddress, DirListenAddress,
|
|
||||||
NATDListenAddress, ORListenAddress, SocksListenAddress,
|
|
||||||
and TransListenAddress.
|
|
||||||
|
|
||||||
o Major features (build, hardening):
|
|
||||||
- Tor now builds with -ftrapv by default on compilers that support
|
|
||||||
it. This option detects signed integer overflow (which C forbids),
|
|
||||||
and turns it into a hard-failure. We do not apply this option to
|
|
||||||
code that needs to run in constant time to avoid side-channels;
|
|
||||||
instead, we use -fwrapv in that code. Closes ticket 17983.
|
|
||||||
- When --enable-expensive-hardening is selected, stop applying the
|
|
||||||
clang/gcc sanitizers to code that needs to run in constant time.
|
|
||||||
Although we are aware of no introduced side-channels, we are not
|
|
||||||
able to prove that there are none. Related to ticket 17983.
|
|
||||||
|
|
||||||
o Major features (circuit building, security):
|
|
||||||
- Authorities, relays, and clients now require ntor keys in all
|
|
||||||
descriptors, for all hops (except for rare hidden service protocol
|
|
||||||
cases), for all circuits, and for all other roles. Part of
|
|
||||||
ticket 19163.
|
|
||||||
- Authorities, relays, and clients only use ntor, except for
|
|
||||||
rare cases in the hidden service protocol. Part of ticket 19163.
|
|
||||||
|
|
||||||
o Major features (compilation):
|
|
||||||
- Our big list of extra GCC warnings is now enabled by default when
|
|
||||||
building with GCC (or with anything like Clang that claims to be
|
|
||||||
GCC-compatible). To make all warnings into fatal compilation
|
|
||||||
errors, pass --enable-fatal-warnings to configure. Closes
|
|
||||||
ticket 19044.
|
|
||||||
- Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically
|
|
||||||
turn on C and POSIX extensions. (Previously, we attempted to do
|
|
||||||
this on an ad hoc basis.) Closes ticket 19139.
|
|
||||||
|
|
||||||
o Major features (directory authorities, hidden services):
|
|
||||||
- Directory authorities can now perform the shared randomness
|
|
||||||
protocol specified by proposal 250. Using this protocol, directory
|
|
||||||
authorities generate a global fresh random value every day. In the
|
|
||||||
future, this value will be used by hidden services to select
|
|
||||||
HSDirs. This release implements the directory authority feature;
|
|
||||||
the hidden service side will be implemented in the future as part
|
|
||||||
of proposal 224. Resolves ticket 16943; implements proposal 250.
|
|
||||||
|
|
||||||
o Major features (downloading, random exponential backoff):
|
|
||||||
- When we fail to download an object from a directory service, wait
|
|
||||||
for an (exponentially increasing) randomized amount of time before
|
|
||||||
retrying, rather than a fixed interval as we did before. This
|
|
||||||
prevents a group of Tor instances from becoming too synchronized,
|
|
||||||
or a single Tor instance from becoming too predictable, in its
|
|
||||||
download schedule. Closes ticket 15942.
|
|
||||||
|
|
||||||
o Major features (resource management):
|
|
||||||
- Tor can now notice it is about to run out of sockets, and
|
|
||||||
preemptively close connections of lower priority. (This feature is
|
|
||||||
off by default for now, since the current prioritizing method is
|
|
||||||
yet not mature enough. You can enable it by setting
|
|
||||||
"DisableOOSCheck 0", but watch out: it might close some sockets
|
|
||||||
you would rather have it keep.) Closes ticket 18640.
|
|
||||||
|
|
||||||
o Major features (single-hop "hidden" services):
|
|
||||||
- Add experimental HiddenServiceSingleHopMode and
|
|
||||||
HiddenServiceNonAnonymousMode options. When both are set to 1,
|
|
||||||
every hidden service on that Tor instance becomes a non-anonymous
|
|
||||||
Single Onion Service. Single Onions make one-hop (direct)
|
|
||||||
connections to their introduction and rendezvous points. One-hop
|
|
||||||
circuits make Single Onion servers easily locatable, but clients
|
|
||||||
remain location-anonymous. This is compatible with the existing
|
|
||||||
hidden service implementation, and works on the current Tor
|
|
||||||
network without any changes to older relays or clients. Implements
|
|
||||||
proposal 260, completes ticket 17178. Patch by teor and asn.
|
|
||||||
|
|
||||||
o Major features (subprotocol versions):
|
|
||||||
- Tor directory authorities now vote on a set of recommended
|
|
||||||
"subprotocol versions", and on a set of required subprotocol
|
|
||||||
versions. Clients and relays that lack support for a _required_
|
|
||||||
subprotocol version will not start; those that lack support for a
|
|
||||||
_recommended_ subprotocol version will warn the user to upgrade.
|
|
||||||
This change allows compatible implementations of the Tor protocol(s)
|
|
||||||
to exist without pretending to be 100% bug-compatible with
|
|
||||||
particular releases of Tor itself. Closes ticket 19958; implements
|
|
||||||
part of proposal 264.
|
|
||||||
|
|
||||||
o Major bugfixes (circuit building):
|
|
||||||
- Hidden service client-to-intro-point and service-to-rendezvous-
|
|
||||||
point circuits use the TAP key supplied by the protocol, to avoid
|
|
||||||
epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.
|
|
||||||
|
|
||||||
o Major bugfixes (download scheduling):
|
|
||||||
- Avoid resetting download status for consensuses hourly, since we
|
|
||||||
already have another, smarter retry mechanism. Fixes bug 8625;
|
|
||||||
bugfix on 0.2.0.9-alpha.
|
|
||||||
- If a consensus expires while we are waiting for certificates to
|
|
||||||
download, stop waiting for certificates.
|
|
||||||
- If we stop waiting for certificates less than a minute after we
|
|
||||||
started downloading them, do not consider the certificate download
|
|
||||||
failure a separate failure. Fixes bug 20533; bugfix
|
|
||||||
on 0.2.0.9-alpha.
|
|
||||||
- When using exponential backoff in test networks, use a lower
|
|
||||||
exponent, so the delays do not vary as much. This helps test
|
|
||||||
networks bootstrap consistently. Fixes bug 20597; bugfix on 20499.
|
|
||||||
|
|
||||||
o Major bugfixes (exit policies):
|
|
||||||
- Avoid disclosing exit outbound bind addresses, configured port
|
|
||||||
bind addresses, and local interface addresses in relay descriptors
|
|
||||||
by default under ExitPolicyRejectPrivate. Instead, only reject
|
|
||||||
these (otherwise unlisted) addresses if
|
|
||||||
ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on
|
|
||||||
0.2.7.2-alpha. Patch by teor.
|
|
||||||
|
|
||||||
o Major bugfixes (hidden services):
|
|
||||||
- Allow Tor clients with appropriate controllers to work with
|
|
||||||
FetchHidServDescriptors set to 0. Previously, this option also
|
|
||||||
disabled descriptor cache lookup, thus breaking hidden services
|
|
||||||
entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".
|
|
||||||
- Clients now require hidden services to include the TAP keys for
|
|
||||||
their intro points in the hidden service descriptor. This prevents
|
|
||||||
an inadvertent upgrade to ntor, which a malicious hidden service
|
|
||||||
could use to distinguish clients by consensus version. Fixes bug
|
|
||||||
20012; bugfix on 0.2.4.8-alpha. Patch by teor.
|
|
||||||
|
|
||||||
o Major bugfixes (relay, resolver, logging):
|
|
||||||
- For relays that don't know their own address, avoid attempting a
|
|
||||||
local hostname resolve for each descriptor we download. This
|
|
||||||
will cut down on the number of "Success: chose address 'x.x.x.x'"
|
|
||||||
log lines, and also avoid confusing clock jumps if the resolver
|
|
||||||
is slow. Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha.
|
|
||||||
|
|
||||||
o Minor features (port flags):
|
|
||||||
- Add new flags to the *Port options to give finer control over which
|
|
||||||
requests are allowed. The flags are NoDNSRequest, NoOnionTraffic,
|
|
||||||
and the synthetic flag OnionTrafficOnly, which is equivalent to
|
|
||||||
NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic. Closes enhancement
|
|
||||||
18693; patch by "teor".
|
|
||||||
|
|
||||||
o Minor features (build, hardening):
|
|
||||||
- Detect and work around a libclang_rt problem that would prevent
|
|
||||||
clang from finding __mulodi4() on some 32-bit platforms, and thus
|
|
||||||
keep -ftrapv from linking on those systems. Closes ticket 19079.
|
|
||||||
- When building on a system without runtime support for the runtime
|
|
||||||
hardening options, try to log a useful warning at configuration
|
|
||||||
time, rather than an incomprehensible warning at link time. If
|
|
||||||
expensive hardening was requested, this warning becomes an error.
|
|
||||||
Closes ticket 18895.
|
|
||||||
|
|
||||||
o Minor features (client, directory):
|
|
||||||
- Since authorities now omit all routers that lack the Running and
|
|
||||||
Valid flags, we assume that any relay listed in the consensus must
|
|
||||||
have those flags. Closes ticket 20001; implements part of
|
|
||||||
proposal 272.
|
|
||||||
|
|
||||||
o Minor features (code safety):
|
|
||||||
- In our integer-parsing functions, ensure that the maximum value we
|
|
||||||
allow is no smaller than the minimum value. Closes ticket 19063;
|
|
||||||
patch from "U+039b".
|
|
||||||
|
|
||||||
o Minor features (compilation, portability):
|
|
||||||
- Compile correctly on MacOS 10.12 (aka "Sierra"). Closes
|
|
||||||
ticket 20241.
|
|
||||||
|
|
||||||
o Minor features (config):
|
|
||||||
- Warn users when descriptor and port addresses are inconsistent.
|
|
||||||
Mitigates bug 13953; patch by teor.
|
|
||||||
|
|
||||||
o Minor features (controller):
|
|
||||||
- Allow controllers to configure basic client authorization on
|
|
||||||
hidden services when they create them with the ADD_ONION controller
|
|
||||||
command. Implements ticket 15588. Patch by "special".
|
|
||||||
- Fire a STATUS_SERVER controller event whenever the hibernation
|
|
||||||
status changes between "awake"/"soft"/"hard". Closes ticket 18685.
|
|
||||||
- Implement new GETINFO queries for all downloads that use
|
|
||||||
download_status_t to schedule retries. This allows controllers to
|
|
||||||
examine the schedule for pending downloads. Closes ticket 19323.
|
|
||||||
|
|
||||||
o Minor features (development tools, etags):
|
|
||||||
- Teach the "make tags" Makefile target how to correctly find
|
|
||||||
"MOCK_IMPL" function definitions. Patch from nherring; closes
|
|
||||||
ticket 16869.
|
|
||||||
|
|
||||||
o Minor features (directory authority):
|
|
||||||
- After voting, if the authorities decide that a relay is not
|
|
||||||
"Valid", they no longer include it in the consensus at all. Closes
|
|
||||||
ticket 20002; implements part of proposal 272.
|
|
||||||
- Directory authorities now only give the Guard flag to a relay if
|
|
||||||
they are also giving it the Stable flag. This change allows us to
|
|
||||||
simplify path selection for clients. It should have minimal effect
|
|
||||||
in practice, since >99% of Guards already have the Stable flag.
|
|
||||||
Implements ticket 18624.
|
|
||||||
- Directory authorities now write their v3-status-votes file out to
|
|
||||||
disk earlier in the consensus process, so we have a record of the
|
|
||||||
votes even if we abort the consensus process. Resolves
|
|
||||||
ticket 19036.
|
|
||||||
|
|
||||||
o Minor features (hidden service):
|
|
||||||
- Stop being so strict about the payload length of "rendezvous1"
|
|
||||||
cells. We used to be locked in to the "TAP" handshake length, and
|
|
||||||
now we can handle better handshakes like "ntor". Resolves
|
|
||||||
ticket 18998.
|
|
||||||
|
|
||||||
o Minor features (infrastructure, time):
|
|
||||||
- Tor now includes an improved timer backend, so that we can
|
|
||||||
efficiently support tens or hundreds of thousands of concurrent
|
|
||||||
timers, as will be needed for some of our planned anti-traffic-
|
|
||||||
analysis work. This code is based on William Ahern's "timeout.c"
|
|
||||||
project, which implements a "tickless hierarchical timing wheel".
|
|
||||||
Closes ticket 18365.
|
|
||||||
- Tor now uses the operating system's monotonic timers (where
|
|
||||||
available) for internal fine-grained timing. Previously we would
|
|
||||||
look at the system clock, and then attempt to compensate for the
|
|
||||||
clock running backwards. Closes ticket 18908.
|
|
||||||
|
|
||||||
o Minor features (logging):
|
|
||||||
- Add a set of macros to check nonfatal assertions, for internal
|
|
||||||
use. Migrating more of our checks to these should help us avoid
|
|
||||||
needless crash bugs. Closes ticket 18613.
|
|
||||||
- Provide a more useful warning message when configured with an
|
|
||||||
invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".
|
|
||||||
- When dumping unparseable router descriptors, optionally store them
|
|
||||||
in separate files, named by digest, up to a configurable size
|
|
||||||
limit. You can change the size limit by setting the
|
|
||||||
MaxUnparseableDescSizeToLog option, and disable this feature by
|
|
||||||
setting that option to 0. Closes ticket 18322.
|
|
||||||
|
|
||||||
o Minor features (performance):
|
|
||||||
- Change the "optimistic data" extension from "off by default" to
|
|
||||||
"on by default". The default was ordinarily overridden by a
|
|
||||||
consensus option, but when clients were bootstrapping for the
|
|
||||||
first time, they would not have a consensus to get the option
|
|
||||||
from. Changing this default saves a round-trip during startup.
|
|
||||||
Closes ticket 18815.
|
|
||||||
|
|
||||||
o Minor features (relay, usability):
|
|
||||||
- When the directory authorities refuse a bad relay's descriptor,
|
|
||||||
encourage the relay operator to contact us. Many relay operators
|
|
||||||
won't notice this line in their logs, but it's a win if even a few
|
|
||||||
learn why we don't like what their relay was doing. Resolves
|
|
||||||
ticket 18760.
|
|
||||||
|
|
||||||
o Minor features (security, TLS):
|
|
||||||
- Servers no longer support clients that lack AES ciphersuites.
|
|
||||||
(3DES is no longer considered an acceptable cipher.) We believe
|
|
||||||
that no such Tor clients currently exist, since Tor has required
|
|
||||||
OpenSSL 0.9.7 or later since 2009. Closes ticket 19998.
|
|
||||||
|
|
||||||
o Minor features (testing):
|
|
||||||
- Disable memory protections on OpenBSD when performing our unit
|
|
||||||
tests for memwipe(). The test deliberately invokes undefined
|
|
||||||
behavior, and the OpenBSD protections interfere with this. Patch
|
|
||||||
from "rubiate". Closes ticket 20066.
|
|
||||||
- Move the test-network.sh script to chutney, and modify tor's test-
|
|
||||||
network.sh to call the (newer) chutney version when available.
|
|
||||||
Resolves ticket 19116. Patch by teor.
|
|
||||||
- Use the lcov convention for marking lines as unreachable, so that
|
|
||||||
we don't count them when we're generating test coverage data.
|
|
||||||
Update our coverage tools to understand this convention. Closes
|
|
||||||
ticket 16792.
|
|
||||||
- Our link-handshake unit tests now check that when invalid
|
|
||||||
handshakes fail, they fail with the error messages we expected.
|
|
||||||
- Our unit testing code that captures log messages no longer
|
|
||||||
prevents them from being written out if the user asked for them
|
|
||||||
(by passing --debug or --info or --notice or --warn to the "test"
|
|
||||||
binary). This change prevents us from missing unexpected log
|
|
||||||
messages simply because we were looking for others. Related to
|
|
||||||
ticket 19999.
|
|
||||||
- The unit tests now log all warning messages with the "BUG" flag.
|
|
||||||
Previously, they only logged errors by default. This change will
|
|
||||||
help us make our testing code more correct, and make sure that we
|
|
||||||
only hit this code when we mean to. In the meantime, however,
|
|
||||||
there will be more warnings in the unit test logs than before.
|
|
||||||
This is preparatory work for ticket 19999.
|
|
||||||
- The unit tests now treat any failure of a "tor_assert_nonfatal()"
|
|
||||||
assertion as a test failure.
|
|
||||||
- We've done significant work to make the unit tests run faster.
|
|
||||||
|
|
||||||
o Minor features (testing, ipv6):
|
|
||||||
- Add the hs-ipv6 chutney target to make test-network-all's IPv6
|
|
||||||
tests. Remove bridges+hs, as it's somewhat redundant. This
|
|
||||||
requires a recent chutney version that supports IPv6 clients,
|
|
||||||
relays, and authorities. Closes ticket 20069; patch by teor.
|
|
||||||
- Add the single-onion and single-onion-ipv6 chutney targets to
|
|
||||||
"make test-network-all". This requires a recent chutney version
|
|
||||||
with the single onion network flavors (git c72a652 or later).
|
|
||||||
Closes ticket 20072; patch by teor.
|
|
||||||
|
|
||||||
o Minor features (Tor2web):
|
|
||||||
- Make Tor2web clients respect ReachableAddresses. This feature was
|
|
||||||
inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on
|
|
||||||
0.2.8.7. Implements feature 20034. Patch by teor.
|
|
||||||
|
|
||||||
o Minor features (unix domain sockets):
|
|
||||||
- When configuring a unix domain socket for a SocksPort,
|
|
||||||
ControlPort, or Hidden service, you can now wrap the address in
|
|
||||||
quotes, using C-style escapes inside the quotes. This allows unix
|
|
||||||
domain socket paths to contain spaces. Resolves ticket 18753.
|
|
||||||
|
|
||||||
o Minor features (user interface):
|
|
||||||
- Tor now supports the ability to declare options deprecated, so
|
|
||||||
that we can recommend that people stop using them. Previously, this
|
|
||||||
was done in an ad-hoc way. There is a new --list-deprecated-options
|
|
||||||
command-line option to list all of the deprecated options. Closes
|
|
||||||
ticket 19820.
|
|
||||||
|
|
||||||
o Minor features (virtual addresses):
|
|
||||||
- Increase the maximum number of bits for the IPv6 virtual network
|
|
||||||
prefix from 16 to 104. In this way, the condition for address
|
|
||||||
allocation is less restrictive. Closes ticket 20151; feature
|
|
||||||
on 0.2.4.7-alpha.
|
|
||||||
|
|
||||||
o Minor bug fixes (circuits):
|
|
||||||
- Use the CircuitBuildTimeout option whenever
|
|
||||||
LearnCircuitBuildTimeout is disabled. Previously, we would respect
|
|
||||||
the option when a user disabled it, but not when it was disabled
|
|
||||||
because some other option was set. Fixes bug 20073; bugfix on
|
|
||||||
0.2.4.12-alpha. Patch by teor.
|
|
||||||
|
|
||||||
o Minor bugfixes (build):
|
|
||||||
- The current Git revision when building from a local repository is
|
|
||||||
now detected correctly when using git worktrees. Fixes bug 20492;
|
|
||||||
bugfix on 0.2.3.9-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (relay address discovery):
|
|
||||||
- Stop reordering IP addresses returned by the OS. This makes it
|
|
||||||
more likely that Tor will guess the same relay IP address every
|
|
||||||
time. Fixes issue 20163; bugfix on 0.2.7.1-alpha, ticket 17027.
|
|
||||||
Reported by René Mayrhofer, patch by "cypherpunks".
|
|
||||||
|
|
||||||
o Minor bugfixes (memory allocation):
|
|
||||||
- Change how we allocate memory for large chunks on buffers, to
|
|
||||||
avoid a (currently impossible) integer overflow, and to waste less
|
|
||||||
space when allocating unusually large chunks. Fixes bug 20081;
|
|
||||||
bugfix on 0.2.0.16-alpha. Issue identified by Guido Vranken.
|
|
||||||
|
|
||||||
o Minor bugfixes (bootstrap):
|
|
||||||
- Remember the directory server we fetched the consensus or previous
|
|
||||||
certificates from, and use it to fetch future authority
|
|
||||||
certificates. This change improves bootstrapping performance.
|
|
||||||
Fixes bug 18963; bugfix on 0.2.8.1-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (circuits):
|
|
||||||
- Make sure extend_info_from_router() is only called on servers.
|
|
||||||
Fixes bug 19639; bugfix on 0.2.8.1-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (client, fascistfirewall):
|
|
||||||
- Avoid spurious warnings when ReachableAddresses or FascistFirewall
|
|
||||||
is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (client, unix domain sockets):
|
|
||||||
- Disable IsolateClientAddr when using AF_UNIX backed SocksPorts as
|
|
||||||
the client address is meaningless. Fixes bug 20261; bugfix
|
|
||||||
on 0.2.6.3-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (code style):
|
|
||||||
- Fix an integer signedness conversion issue in the case conversion
|
|
||||||
tables. Fixes bug 19168; bugfix on 0.2.1.11-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (compilation):
|
|
||||||
- Build correctly on versions of libevent2 without support for
|
|
||||||
evutil_secure_rng_add_bytes(). Fixes bug 19904; bugfix
|
|
||||||
on 0.2.5.4-alpha.
|
|
||||||
- When building with Clang, use a full set of GCC warnings.
|
|
||||||
(Previously, we included only a subset, because of the way we
|
|
||||||
detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha.
|
|
||||||
- Detect Libevent2 functions correctly on systems that provide
|
|
||||||
libevent2, but where libevent1 is linked with -levent. Fixes bug
|
|
||||||
19904; bugfix on 0.2.2.24-alpha. Patch from Rubiate.
|
|
||||||
- Run correctly when built on Windows build environments that
|
|
||||||
require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (configuration):
|
|
||||||
- When parsing quoted configuration values from the torrc file,
|
|
||||||
handle Windows line endings correctly. Fixes bug 19167; bugfix on
|
|
||||||
0.2.0.16-alpha. Patch from "Pingl".
|
|
||||||
|
|
||||||
o Minor bugfixes (directory authority):
|
|
||||||
- Authorities now sort the "package" lines in their votes, for ease
|
|
||||||
of debugging. (They are already sorted in consensus documents.)
|
|
||||||
Fixes bug 18840; bugfix on 0.2.6.3-alpha.
|
|
||||||
- Die with a more useful error when the operator forgets to place
|
|
||||||
the authority_signing_key file into the keys directory. This
|
|
||||||
avoids an uninformative assert & traceback about having an invalid
|
|
||||||
key. Fixes bug 20065; bugfix on 0.2.0.1-alpha.
|
|
||||||
- When allowing private addresses, mark Exits that only exit to
|
|
||||||
private locations as such. Fixes bug 20064; bugfix
|
|
||||||
on 0.2.2.9-alpha.
|
|
||||||
- When parsing a detached signature, make sure we use the length of
|
|
||||||
the digest algorithm instead of a hardcoded DIGEST256_LEN in
|
|
||||||
order to avoid comparing bytes out-of-bounds with a smaller digest
|
|
||||||
length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (getpass):
|
|
||||||
- Defensively fix a non-triggerable heap corruption at do_getpass()
|
|
||||||
to protect ourselves from mistakes in the future. Fixes bug
|
|
||||||
19223; bugfix on 0.2.7.3-rc. Bug found by Guido Vranken, patch
|
|
||||||
by nherring.
|
|
||||||
|
|
||||||
o Minor bugfixes (guard selection):
|
|
||||||
- Don't mark guards as unreachable if connection_connect() fails.
|
|
||||||
That function fails for local reasons, so it shouldn't reveal
|
|
||||||
anything about the status of the guard. Fixes bug 14334; bugfix
|
|
||||||
on 0.2.3.10-alpha.
|
|
||||||
- Use a single entry guard even if the NumEntryGuards consensus
|
|
||||||
parameter is not provided. Fixes bug 17688; bugfix
|
|
||||||
on 0.2.5.6-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (hidden services):
|
|
||||||
- Increase the minimum number of internal circuits we preemptively
|
|
||||||
build from 2 to 3, so a circuit is available when a client
|
|
||||||
connects to another onion service. Fixes bug 13239; bugfix
|
|
||||||
on 0.1.0.1-rc.
|
|
||||||
- Allow hidden services to run on IPv6 addresses even when the
|
|
||||||
IPv6Exit option is not set. Fixes bug 18357; bugfix
|
|
||||||
on 0.2.4.7-alpha.
|
|
||||||
- Stop logging intro point details to the client log on certain
|
|
||||||
error conditions. Fixed as part of bug 20012; bugfix on
|
|
||||||
0.2.4.8-alpha. Patch by teor.
|
|
||||||
- When deleting an ephemeral hidden service, close its intro points
|
|
||||||
even if they are not completely open. Fixes bug 18604; bugfix
|
|
||||||
on 0.2.7.1-alpha.
|
|
||||||
- When configuring hidden services, check every hidden service
|
|
||||||
directory's permissions. Previously, we only checked the last
|
|
||||||
hidden service. Fixes bug 20529; bugfix on 0.2.6.2-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (IPv6, testing):
|
|
||||||
- Check for IPv6 correctly on Linux when running test networks.
|
|
||||||
Fixes bug 19905; bugfix on 0.2.7.3-rc; patch by teor.
|
|
||||||
|
|
||||||
o Minor bugfixes (Linux seccomp2 sandbox):
|
|
||||||
- Add permission to run the sched_yield() and sigaltstack() system
|
|
||||||
calls, in order to support versions of Tor compiled with asan or
|
|
||||||
ubsan code that use these calls. Now "sandbox 1" and
|
|
||||||
"--enable-expensive-hardening" should be compatible on more
|
|
||||||
systems. Fixes bug 20063; bugfix on 0.2.5.1-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (logging):
|
|
||||||
- Downgrade a harmless log message about the
|
|
||||||
pending_entry_connections list from "warn" to "info". Mitigates
|
|
||||||
bug 19926.
|
|
||||||
- Log a more accurate message when we fail to dump a microdescriptor.
|
|
||||||
Fixes bug 17758; bugfix on 0.2.2.8-alpha. Patch from Daniel Pinto.
|
|
||||||
- When logging a directory ownership mismatch, log the owning
|
|
||||||
username correctly. Fixes bug 19578; bugfix on 0.2.2.29-beta.
|
|
||||||
- When we are unable to remove the bw_accounting file, do not warn
|
|
||||||
if the reason we couldn't remove it was that it didn't exist.
|
|
||||||
Fixes bug 19964; bugfix on 0.2.5.4-alpha. Patch from pastly.
|
|
||||||
|
|
||||||
o Minor bugfixes (memory leak):
|
|
||||||
- Fix a series of slow memory leaks related to parsing torrc files
|
|
||||||
and options. Fixes bug 19466; bugfix on 0.2.1.6-alpha.
|
|
||||||
- Avoid a small memory leak when informing worker threads about
|
|
||||||
rotated onion keys. Fixes bug 20401; bugfix on 0.2.6.3-alpha.
|
|
||||||
- Fix a small memory leak when receiving AF_UNIX connections on a
|
|
||||||
SocksPort. Fixes bug 20716; bugfix on 0.2.6.3-alpha.
|
|
||||||
- When moving a signed descriptor object from a source to an
|
|
||||||
existing destination, free the allocated memory inside that
|
|
||||||
destination object. Fixes bug 20715; bugfix on 0.2.8.3-alpha.
|
|
||||||
- Fix a memory leak and use-after-free error when removing entries
|
|
||||||
from the sandbox's getaddrinfo() cache. Fixes bug 20710; bugfix on
|
|
||||||
0.2.5.5-alpha. Patch from "cypherpunks".
|
|
||||||
- Fix a small, uncommon memory leak that could occur when reading a
|
|
||||||
truncated ed25519 key file. Fixes bug 18956; bugfix
|
|
||||||
on 0.2.6.1-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (option parsing):
|
|
||||||
- Count unix sockets when counting client listeners (SOCKS, Trans,
|
|
||||||
NATD, and DNS). This has no user-visible behavior changes: these
|
|
||||||
options are set once, and never read. Required for correct
|
|
||||||
behavior in ticket 17178. Fixes bug 19677; bugfix on
|
|
||||||
0.2.6.3-alpha. Patch by teor.
|
|
||||||
|
|
||||||
o Minor bugfixes (options):
|
|
||||||
- Check the consistency of UseEntryGuards and EntryNodes more
|
|
||||||
reliably. Fixes bug 20074; bugfix on 0.2.4.12-alpha. Patch
|
|
||||||
by teor.
|
|
||||||
- Stop changing the configured value of UseEntryGuards on
|
|
||||||
authorities and Tor2web clients. Fixes bug 20074; bugfix on
|
|
||||||
commits 51fc6799 in 0.1.1.16-rc and acda1735 in 0.2.4.3-alpha.
|
|
||||||
Patch by teor.
|
|
||||||
|
|
||||||
o Minor bugfixes (relay):
|
|
||||||
- Ensure relays don't make multiple connections during bootstrap.
|
|
||||||
Fixes bug 20591; bugfix on 0.2.8.1-alpha.
|
|
||||||
- Do not try to parallelize workers more than 16x without the user
|
|
||||||
explicitly configuring us to do so, even if we do detect more than
|
|
||||||
16 CPU cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (testing):
|
|
||||||
- The test-stem and test-network makefile targets now depend only on
|
|
||||||
the tor binary that they are testing. Previously, they depended on
|
|
||||||
"make all". Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a
|
|
||||||
patch from "cypherpunks".
|
|
||||||
- Allow clients to retry HSDirs much faster in test networks. Fixes
|
|
||||||
bug 19702; bugfix on 0.2.7.1-alpha. Patch by teor.
|
|
||||||
- Avoid a unit test failure on systems with over 16 detectable CPU
|
|
||||||
cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.
|
|
||||||
- Let backtrace tests work correctly under AddressSanitizer:
|
|
||||||
disable ASAN's detection of segmentation faults while running
|
|
||||||
test_bt.sh, so that we can make sure that our own backtrace
|
|
||||||
generation code works. Fixes bug 18934; bugfix
|
|
||||||
on 0.2.5.2-alpha. Patch from "cypherpunks".
|
|
||||||
- Fix the test-network-all target on out-of-tree builds by using the
|
|
||||||
correct path to the test driver script. Fixes bug 19421; bugfix
|
|
||||||
on 0.2.7.3-rc.
|
|
||||||
- Stop spurious failures in the local interface address discovery
|
|
||||||
unit tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by
|
|
||||||
Neel Chauhan.
|
|
||||||
- Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has
|
|
||||||
removed the ECDH ciphers which caused the tests to fail on
|
|
||||||
platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha.
|
|
||||||
- The tor_tls_server_info_callback unit test no longer crashes when
|
|
||||||
debug-level logging is turned on. Fixes bug 20041; bugfix
|
|
||||||
on 0.2.8.1-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (time):
|
|
||||||
- Improve overflow checks in tv_udiff and tv_mdiff. Fixes bug 19483;
|
|
||||||
bugfix on all released tor versions.
|
|
||||||
- When computing the difference between two times in milliseconds,
|
|
||||||
we now round to the nearest millisecond correctly. Previously, we
|
|
||||||
could sometimes round in the wrong direction. Fixes bug 19428;
|
|
||||||
bugfix on 0.2.2.2-alpha.
|
|
||||||
|
|
||||||
o Minor bugfixes (Tor2web):
|
|
||||||
- Prevent Tor2web clients from running hidden services: these services
|
|
||||||
are not anonymous due to the one-hop client paths. Fixes bug
|
|
||||||
19678. Patch by teor.
|
|
||||||
|
|
||||||
o Minor bugfixes (user interface):
|
|
||||||
- Display a more accurate number of suppressed messages in the log
|
|
||||||
rate-limiter. Previously, there was a potential integer overflow
|
|
||||||
in the counter. Now, if the number of messages hits a maximum, the
|
|
||||||
rate-limiter doesn't count any further. Fixes bug 19435; bugfix
|
|
||||||
on 0.2.4.11-alpha.
|
|
||||||
- Fix a typo in the passphrase prompt for the ed25519 identity key.
|
|
||||||
Fixes bug 19503; bugfix on 0.2.7.2-alpha.
|
|
||||||
|
|
||||||
o Code simplification and refactoring:
|
|
||||||
- Remove redundant declarations of the MIN macro. Closes
|
|
||||||
ticket 18889.
|
|
||||||
- Rename tor_dup_addr() to tor_addr_to_str_dup() to avoid confusion.
|
|
||||||
Closes ticket 18462; patch from "icanhasaccount".
|
|
||||||
- Split the 600-line directory_handle_command_get function into
|
|
||||||
separate functions for different URL types. Closes ticket 16698.
|
|
||||||
|
|
||||||
o Documentation:
|
|
||||||
- Add module-level internal documentation for 36 C files that
|
|
||||||
previously didn't have a high-level overview. Closes ticket 20385.
|
|
||||||
- Correct the IPv6 syntax in our documentation for the
|
|
||||||
VirtualAddrNetworkIPv6 torrc option. Closes ticket 19743.
|
|
||||||
- Correct the minimum bandwidth value in torrc.sample, and queue a
|
|
||||||
corresponding change for torrc.minimal. Closes ticket 20085.
|
|
||||||
- Fix spelling of "--enable-tor2web-mode" in the manpage. Closes
|
|
||||||
ticket 19153. Patch from "U+039b".
|
|
||||||
- Module-level documentation for several more modules. Closes
|
|
||||||
tickets 19287 and 19290.
|
|
||||||
- Document the --passphrase-fd option in the tor manpage. Fixes bug
|
|
||||||
19504; bugfix on 0.2.7.3-rc.
|
|
||||||
- Document the default PathsNeededToBuildCircuits value that's used
|
|
||||||
by clients when the directory authorities don't set
|
|
||||||
min_paths_for_circs_pct. Fixes bug 20117; bugfix on 0.2.4.10-alpha.
|
|
||||||
Patch by teor, reported by Jesse V.
|
|
||||||
- Fix manual for the User option: it takes a username, not a UID.
|
|
||||||
Fixes bug 19122; bugfix on 0.0.2pre16 (the first version to have
|
|
||||||
a manpage!).
|
|
||||||
- Fix the description of the --passphrase-fd option in the
|
|
||||||
tor-gencert manpage. The option is used to pass the number of a
|
|
||||||
file descriptor to read the passphrase from, not to read the file
|
|
||||||
descriptor from. Fixes bug 19505; bugfix on 0.2.0.20-alpha.
|
|
||||||
|
|
||||||
o Removed code:
|
|
||||||
- We no longer include the (dead, deprecated) bufferevent code in
|
|
||||||
Tor. Closes ticket 19450. Based on a patch from "U+039b".
|
|
||||||
|
|
||||||
o Removed features:
|
|
||||||
- Remove support for "GET /tor/bytes.txt" DirPort request, and
|
|
||||||
"GETINFO dir-usage" controller request, which were only available
|
|
||||||
via a compile-time option in Tor anyway. Feature was added in
|
|
||||||
0.2.2.1-alpha. Resolves ticket 19035.
|
|
||||||
- There is no longer a compile-time option to disable support for
|
|
||||||
TransPort. (If you don't want TransPort, just don't use it.) Patch
|
|
||||||
from "U+039b". Closes ticket 19449.
|
|
||||||
|
|
||||||
o Testing:
|
|
||||||
- Run more workqueue tests as part of "make check". These had
|
|
||||||
previously been implemented, but you needed to know special
|
|
||||||
command-line options to enable them.
|
|
||||||
- We now have unit tests for our code to reject zlib "compression
|
|
||||||
bombs". (Fortunately, the code works fine.)
|
|
||||||
|
|
|
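Review bot: The header "o Minor bug fixes (circuits):" is spelled differently from every other "Minor bugfixes" header in this hunk, and it duplicates the later "o Minor bugfixes (circuits):" section, so the CircuitBuildTimeout entry (bug 20073) and the extend_info_from_router() entry (bug 19639) land in two separate sections. Suggest merging both under a single "o Minor bugfixes (circuits):" header. The same applies to "Minor bugfixes (option parsing)" and "Minor bugfixes (options)", which read as one category. The "relay address discovery", "memory allocation" and "bootstrap" sections also sit ahead of "circuits", out of the alphabetical order the remaining bugfix sections follow. Two things to confirm before release: bug 19904 is cited by two compilation entries with different "bugfix on" versions (0.2.5.4-alpha and 0.2.2.24-alpha), and bug 19968 is cited by both a relay entry and a testing entry with the same "bugfix on 0.2.3.1-alpha".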
@ -1,11 +0,0 @@
|
||||||
o Major bugfixes (parsing, security):
|
|
||||||
|
|
||||||
- Fix a bug in parsing that could cause clients to read a single
|
|
||||||
byte past the end of an allocated region. This bug could be
|
|
||||||
used to cause hardened clients (built with
|
|
||||||
--enable-expensive-hardening) to crash if they tried to visit
|
|
||||||
a hostile hidden service. Non-hardened clients are only
|
|
||||||
affected depending on the details of their platform's memory
|
|
||||||
allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by
|
|
||||||
using libFuzzer. Also tracked as TROVE-2016-12-002 and as
|
|
||||||
CVE-2016-1254.
|
|
|
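Review bot: This removed changes-file entry is the only place in the hunk where the parsing fix is tied to all three identifiers (bug 21018, TROVE-2016-12-002 and CVE-2016-1254), so the consolidated entry that replaces it should be checked to carry the same three identifiers and the same "bugfix on 0.2.0.8-alpha" version, word for word. It would also help if the consolidated text kept the distinction made here between hardened clients (built with --enable-expensive-hardening), which crash, and non-hardened clients, whose exposure depends on the platform's memory allocator, since that is what an operator needs to judge upgrade urgency.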
@ -1,5 +0,0 @@
|
||||||
o Minor features (fallback directory list):
|
|
||||||
- Replace the 81 remaining fallbacks of the 100 originally introduced
|
|
||||||
in Tor 0.2.8.3-alpha in March 2016, with a list of 177 fallbacks
|
|
||||||
(123 new, 54 existing, 27 removed) generated in December 2016.
|
|
||||||
Resolves ticket 20170.
|
|