Merge remote-tracking branch 'origin/maint-0.2.3' into release-0.2.3

We should still make sure mlp approves it.

ChangeLog

@@ -1,3 +1,392 @@
+Changes in version 0.2.3.26 - 2013-0?-??
+
+  o Major bugfixes:
+    - Reject bogus create and relay cells with 0 circuit ID or 0 stream
+      ID: these could be used to create unexpected streams and circuits
+      which would count as "present" to some parts of Tor but "absent"
+      to others, leading to zombie circuits and streams or to a bandwidth
+      denial-of-service. Fixes bug 7889; bugfix on every released version
+      of Tor. Reported by "oftc_must_be_destroyed".
+
+  o Minor bugfixes:
+    - Avoid a crash if we fail to generate an extrainfo descriptor.
+      Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity;
+      this is CID 718634.
+    - Correctly recognize that [::1] is a loopback address. Fixes
+      bug 8377; bugfix on 0.2.1.3-alpha.
+
+  o Minor features:
+    - Update to the April 3 2013 Maxmind GeoLite Country database.
+
+
+Changes in version 0.2.3.25 - 2012-11-19
+  The Tor 0.2.3 release series is dedicated to the memory of Len "rabbi"
+  Sassaman (1980-2011), a long-time cypherpunk, anonymity researcher,
+  Mixmaster maintainer, Pynchon Gate co-designer, CodeCon organizer,
+  programmer, and friend. Unstinting in his dedication to the cause of
+  freedom, he inspired and helped many of us as we began our work on
+  anonymity, and inspires us still. Please honor his memory by writing
+  software to protect people's freedoms, and by helping others to do so.
+
+  Tor 0.2.3.25, the first stable release in the 0.2.3 branch, features
+  significantly reduced directory overhead (via microdescriptors),
+  enormous crypto performance improvements for fast relays on new
+  enough hardware, a new v3 TLS handshake protocol that can better
+  resist fingerprinting, support for protocol obfuscation plugins (aka
+  pluggable transports), better scalability for hidden services, IPv6
+  support for bridges, performance improvements like allowing clients
+  to skip the first round-trip on the circuit ("optimistic data") and
+  refilling token buckets more often, a new "stream isolation" design
+  to isolate different applications on different circuits, and many
+  stability, security, and privacy fixes.
+
+  o Major bugfixes:
+    - Tor tries to wipe potentially sensitive data after using it, so
+      that if some subsequent security failure exposes Tor's memory,
+      the damage will be limited. But we had a bug where the compiler
+      was eliminating these wipe operations when it decided that the
+      memory was no longer visible to a (correctly running) program,
+      hence defeating our attempt at defense in depth. We fix that
+      by using OpenSSL's OPENSSL_cleanse() operation, which a compiler
+      is unlikely to optimize away. Future versions of Tor may use
+      a less ridiculously heavy approach for this. Fixes bug 7352.
+      Reported in an article by Andrey Karpov.
+
+  o Minor bugfixes:
+    - Fix a harmless bug when opting against publishing a relay descriptor
+      because DisableNetwork is set. Fixes bug 7464; bugfix on
+      0.2.3.9-alpha.
+
+
+Changes in version 0.2.3.24-rc - 2012-10-25
+  Tor 0.2.3.24-rc fixes two important security vulnerabilities that
+  could lead to remotely triggerable relay crashes, and fixes
+  a major bug that was preventing clients from choosing suitable exit
+  nodes.
+
+  o Major bugfixes (security):
+    - Fix a group of remotely triggerable assertion failures related to
+      incorrect link protocol negotiation. Found, diagnosed, and fixed
+      by "some guy from France". Fix for CVE-2012-2250; bugfix on
+      0.2.3.6-alpha.
+    - Fix a denial of service attack by which any directory authority
+      could crash all the others, or by which a single v2 directory
+      authority could crash everybody downloading v2 directory
+      information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
+
+  o Major bugfixes:
+    - When parsing exit policy summaries from microdescriptors, we had
+      previously been ignoring the last character in each one, so that
+      "accept 80,443,8080" would be treated by clients as indicating
+      a node that allows access to ports 80, 443, and 808. That would
+      lead to clients attempting connections that could never work,
+      and ignoring exit nodes that would support their connections. Now
+      clients parse these exit policy summaries correctly. Fixes bug 7192;
+      bugfix on 0.2.3.1-alpha.
+
+  o Minor bugfixes:
+    - Clients now consider the ClientRejectInternalAddresses config option
+      when using a microdescriptor consensus stanza to decide whether
+      an exit relay would allow exiting to an internal address. Fixes
+      bug 7190; bugfix on 0.2.3.1-alpha.
+
+
+Changes in version 0.2.3.23-rc - 2012-10-20
+  Tor 0.2.3.23-rc adds a new v3 directory authority, fixes a privacy
+  vulnerability introduced by a change in OpenSSL, and fixes a variety
+  of smaller bugs in preparation for the release.
+
+  o New directory authorities:
+    - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
+      authority. Closes ticket 5749.
+
+  o Major bugfixes (security/privacy):
+    - Disable TLS session tickets. OpenSSL's implementation was giving
+      our TLS session keys the lifetime of our TLS context objects, when
+      perfect forward secrecy would want us to discard anything that
+      could decrypt a link connection as soon as the link connection
+      was closed. Fixes bug 7139; bugfix on all versions of Tor linked
+      against OpenSSL 1.0.0 or later. Found by Florent Daignière.
+    - Discard extraneous renegotiation attempts once the V3 link
+      protocol has been initiated. Failure to do so left us open to
+      a remotely triggerable assertion failure. Fixes CVE-2012-2249;
+      bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
+
+  o Major bugfixes:
+    - Fix a possible crash bug when checking for deactivated circuits
+      in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
+      bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
+
+  o Minor bugfixes (on 0.2.3.x):
+    - Fix two cases in src/or/transports.c where we were calling
+      fmt_addr() twice in a parameter list. Bug found by David
+      Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha.
+    - Convert an assert in the pathbias code to a log message. The assert
+      appears to only be triggerable by Tor2Web mode. Fixes bug 6866;
+      bugfix on 0.2.3.17-beta.
+    - Fix memory leaks whenever we logged any message about the "path
+      bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc.
+
+  o Minor bugfixes (on 0.2.2.x and earlier):
+    - Don't serve or accept v2 hidden service descriptors over a relay's
+      DirPort. It's never correct to do so, and disabling it might
+      make it more annoying to exploit any bugs that turn up in the
+      descriptor-parsing code. Fixes bug 7149.
+    - When relays refuse a "create" cell because their queue of pending
+      create cells is too big (typically because their cpu can't keep up
+      with the arrival rate), send back reason "resource limit" rather
+      than reason "internal", so network measurement scripts can get a
+      more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.
+    - Correct file sizes when reading binary files on Cygwin, to avoid
+      a bug where Tor would fail to read its state file. Fixes bug 6844;
+      bugfix on 0.1.2.7-alpha.
+    - Avoid undefined behaviour when parsing the list of supported
+      rendezvous/introduction protocols in a hidden service descriptor.
+      Previously, Tor would have confused (as-yet-unused) protocol version
+      numbers greater than 32 with lower ones on many platforms. Fixes
+      bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.
+
+  o Documentation fixes:
+    - Clarify that hidden services are TCP only. Fixes bug 6024.
+
+
+Changes in version 0.2.3.22-rc - 2012-09-11
+  Tor 0.2.3.22-rc fixes another opportunity for a remotely triggerable
+  assertion.
+
+  o Security fixes:
+    - Fix an assertion failure in tor_timegm() that could be triggered
+      by a badly formatted directory object. Bug found by fuzzing with
+      Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
+
+  o Minor bugfixes:
+    - Avoid segfault when starting up having run with an extremely old
+      version of Tor and parsing its state file. Fixes bug 6801; bugfix
+      on 0.2.2.23-alpha.
+
+
+Changes in version 0.2.2.39 - 2012-09-11
+  Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
+  assertions.
+
+  o Security fixes:
+    - Fix an assertion failure in tor_timegm() that could be triggered
+      by a badly formatted directory object. Bug found by fuzzing with
+      Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
+    - Do not crash when comparing an address with port value 0 to an
+      address policy. This bug could have been used to cause a remote
+      assertion failure by or against directory authorities, or to
+      allow some applications to crash clients. Fixes bug 6690; bugfix
+      on 0.2.1.10-alpha.
+
+
+Changes in version 0.2.3.21-rc - 2012-09-05
+  Tor 0.2.3.21-rc is the fourth release candidate for the Tor 0.2.3.x
+  series. It fixes a trio of potential security bugs, fixes a bug where
+  we were leaving some of the fast relays out of the microdescriptor
+  consensus, resumes interpreting "ORPort 0" and "DirPort 0" correctly,
+  and cleans up other smaller issues.
+
+  o Major bugfixes (security):
+    - Tear down the circuit if we get an unexpected SENDME cell. Clients
+      could use this trick to make their circuits receive cells faster
+      than our flow control would have allowed, or to gum up the network,
+      or possibly to do targeted memory denial-of-service attacks on
+      entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
+      from July 2002, before the release of Tor 0.0.0. We had committed
+      this patch previously, but we had to revert it because of bug 6271.
+      Now that 6271 is fixed, this patch appears to work.
+    - Reject any attempt to extend to an internal address. Without
+      this fix, a router could be used to probe addresses on an internal
+      network to see whether they were accepting connections. Fixes bug
+      6710; bugfix on 0.0.8pre1.
+    - Do not crash when comparing an address with port value 0 to an
+      address policy. This bug could have been used to cause a remote
+      assertion failure by or against directory authorities, or to
+      allow some applications to crash clients. Fixes bug 6690; bugfix
+      on 0.2.1.10-alpha.
+
+  o Major bugfixes:
+    - Remove the upper bound on microdescriptor length. We were hitting
+      the limit for routers with complex exit policies or family
+      declarations, causing clients to not use them. Fixes the first
+      piece of bug 6404; fix on 0.2.2.6-alpha.
+    - Detect "ORPort 0" as meaning, uniformly, that we're not running
+      as a relay. Previously, some of our code would treat the presence
+      of any ORPort line as meaning that we should act like a relay,
+      even though our new listener code would correctly not open any
+      ORPorts for ORPort 0. Similar bugs in other Port options are also
+      fixed. Fixes the first half of bug 6507; bugfix on 0.2.3.3-alpha.
+
+  o Minor bugfixes:
+    - Avoid a pair of double-free and use-after-mark bugs that can
+      occur with certain timings in canceled and re-received DNS
+      requests. Fixes bug 6472; bugfix on 0.0.7rc1.
+    - Fix build and 64-bit compile warnings from --enable-openbsd-malloc.
+      Fixes bug 6379. Bugfix on 0.2.0.20-rc.
+    - Allow one-hop directory fetching circuits the full "circuit build
+      timeout" period, rather than just half of it, before failing them
+      and marking the relay down. This fix should help reduce cases where
+      clients declare relays (or worse, bridges) unreachable because
+      the TLS handshake takes a few seconds to complete. Fixes bug 6743;
+      bugfix on 0.2.2.2-alpha, where we changed the timeout from a static
+      30 seconds.
+    - Authorities no longer include any router in their microdescriptor
+      consensuses for which they couldn't generate or agree on a
+      microdescriptor. Fixes the second piece of bug 6404; fix on
+      0.2.2.6-alpha.
+    - Detect and reject attempts to specify both "FooPort" and
+      "FooPort 0" in the same configuration domain. (It's still okay
+      to have a FooPort in your configuration file, and use "FooPort 0"
+      on the command line to disable it.) Fixes the second half of bug
+      6507; bugfix on 0.2.3.3-alpha.
+    - Make wildcarded addresses (that is, ones beginning with "*.") work
+      when provided via the controller's MapAddress command. Previously,
+      they were accepted, but we never actually noticed that they were
+      wildcards. Fixes bug 6244; bugfix on 0.2.3.9-alpha.
+    - Avoid crashing on a malformed state file where EntryGuardPathBias
+      precedes EntryGuard. Fixes bug 6774; bugfix on 0.2.3.17-beta.
+    - Add a (probably redundant) memory clear between iterations of
+      the router status voting loop, to prevent future coding errors
+      where data might leak between iterations of the loop. Resolves
+      ticket 6514.
+
+  o Minor bugfixes (log messages):
+    - Downgrade "set buildtimeout to low value" messages to "info"
+      severity; they were never an actual problem, there was never
+      anything reasonable to do about them, and they tended to spam logs
+      from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha.
+    - Downgrade path-bias warning messages to "info". We'll try to get
+      them working better in 0.2.4. Add internal circuit construction
+      state to protect against the noisy warn message "Unexpectedly high
+      circuit_successes". Also add some additional rate-limited notice
+      messages to help determine the root cause of the warn. Fixes bug
+      6475. Bugfix against 0.2.3.17-beta.
+    - Move log message when unable to find a microdesc in a routerstatus
+      entry to parse time. Previously we'd spam this warning every time
+      we tried to figure out which microdescriptors to download. Fixes
+      the third piece of bug 6404; fix on 0.2.3.18-rc.
+
+  o Minor features:
+    - Consider new, removed or changed IPv6 OR ports a non-cosmetic
+      change when the authority is deciding whether to accept a newly
+      uploaded descriptor. Implements ticket 6423.
+    - Add missing documentation for consensus and microdesc files.
+      Resolves ticket 6732.
+
+
+Changes in version 0.2.2.38 - 2012-08-12
+  Tor 0.2.2.38 fixes a remotely triggerable crash bug, and fixes a timing
+  attack that could in theory leak path information.
+
+  o Security fixes:
+    - Avoid an uninitialized memory read when reading a vote or consensus
+      document that has an unrecognized flavor name. This read could
+      lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
+    - Try to leak less information about what relays a client is
+      choosing to a side-channel attacker. Previously, a Tor client would
+      stop iterating through the list of available relays as soon as it
+      had chosen one, thus finishing a little earlier when it picked
+      a router earlier in the list. If an attacker can recover this
+      timing information (nontrivial but not proven to be impossible),
+      they could learn some coarse-grained information about which relays
+      a client was picking (middle nodes in particular are likelier to
+      be affected than exits). The timing attack might be mitigated by
+      other factors (see bug 6537 for some discussion), but it's best
+      not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
+
+
+Changes in version 0.2.3.20-rc - 2012-08-05
+  Tor 0.2.3.20-rc is the third release candidate for the Tor 0.2.3.x
+  series. It fixes a pair of code security bugs and a potential anonymity
+  issue, updates our RPM spec files, and cleans up other smaller issues.
+
+  o Security fixes:
+    - Avoid read-from-freed-memory and double-free bugs that could occur
+      when a DNS request fails while launching it. Fixes bug 6480;
+      bugfix on 0.2.0.1-alpha.
+    - Avoid an uninitialized memory read when reading a vote or consensus
+      document that has an unrecognized flavor name. This read could
+      lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
+    - Try to leak less information about what relays a client is
+      choosing to a side-channel attacker. Previously, a Tor client would
+      stop iterating through the list of available relays as soon as it
+      had chosen one, thus finishing a little earlier when it picked
+      a router earlier in the list. If an attacker can recover this
+      timing information (nontrivial but not proven to be impossible),
+      they could learn some coarse-grained information about which relays
+      a client was picking (middle nodes in particular are likelier to
+      be affected than exits). The timing attack might be mitigated by
+      other factors (see bug 6537 for some discussion), but it's best
+      not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
+
+  o Minor features:
+    - Try to make the warning when giving an obsolete SOCKSListenAddress
+      a little more useful.
+    - Terminate active server managed proxies if Tor stops being a
+      relay. Addresses parts of bug 6274; bugfix on 0.2.3.6-alpha.
+    - Provide a better error message about possible OSX Asciidoc failure
+      reasons. Fixes bug 6436.
+    - Warn when Tor is configured to use accounting in a way that can
+      link a hidden service to some other hidden service or public
+      address. Resolves ticket 6490.
+
+  o Minor bugfixes:
+    - Check return value of fputs() when writing authority certificate
+      file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha.
+    - Ignore ServerTransportPlugin lines when Tor is not configured as
+      a relay. Fixes bug 6274; bugfix on 0.2.3.6-alpha.
+    - When disabling guards for having too high a proportion of failed
+      circuits, make sure to look at each guard. Fixes bug 6397; bugfix
+      on 0.2.3.17-beta.
+
+  o Packaging (RPM):
+    - Update our default RPM spec files to work with mock and rpmbuild
+      on RHEL/Fedora. They have an updated set of dependencies and
+      conflicts, a fix for an ancient typo when creating the "_tor"
+      user, and better instructions. Thanks to Ondrej Mikle for the
+      patch series. Fixes bug 6043.
+
+  o Testing:
+    - Make it possible to set the TestingTorNetwork configuration
+      option using AlternateDirAuthority and AlternateBridgeAuthority
+      as an alternative to setting DirServer. Addresses ticket 6377.
+
+  o Documentation:
+    - Clarify the documentation for the Alternate*Authority options.
+      Fixes bug 6387.
+    - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500.
+
+  o Code simplification and refactoring:
+    - Do not use SMARTLIST_FOREACH for any loop whose body exceeds
+      10 lines. Also, don't nest them. Doing so in the past has
+      led to hard-to-debug code. The new style is to use the
+      SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400.
+
+
+Changes in version 0.2.3.19-rc - 2012-07-06
+  Tor 0.2.3.19-rc is the second release candidate for the Tor 0.2.3.x
+  series. It fixes the compile on Windows, reverts to a GeoIP database
+  that isn't as broken, and fixes a flow control bug that has been around
+  since the beginning of Tor.
+
+  o Major bugfixes:
+    - Fix a bug handling SENDME cells on nonexistent streams that could
+      result in bizarre window values. Report and patch contributed
+      pseudonymously. Fixes part of bug 6271. This bug was introduced
+      before the first Tor release, in svn commit r152.
+    - Revert to the May 1 2012 Maxmind GeoLite Country database. In the
+      June 2012 database, Maxmind marked many Tor relays as country "A1",
+      which will cause risky behavior for clients that set EntryNodes
+      or ExitNodes. Addresses bug 6334; bugfix on 0.2.3.17-beta.
+    - Instead of ENOBUFS on Windows, say WSAENOBUFS. Fixes compilation
+      on Windows. Fixes bug 6296; bugfix on 0.2.3.18-rc.
+
+  o Minor bugfixes:
+    - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218;
+      bugfix on 0.2.1.10-alpha.
+
+
 Changes in version 0.2.3.18-rc - 2012-06-28
   Tor 0.2.3.18-rc is the first release candidate for the Tor 0.2.3.x
   series. It fixes a few smaller bugs, but generally appears stable.
@@ -225,7 +614,7 @@ Changes in version 0.2.3.16-alpha - 2012-06-05
       indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc.
     - When fetching a bridge descriptor from a bridge authority,
       always do so anonymously, whether we have been able to open
-      circuits or not. Partial fix for bug 1938; bugfix on 2.0.7-alpha.
+      circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha.
       This behavior makes it *safer* to use UpdateBridgesFromAuthority,
       but we'll need to wait for bug 6010 before it's actually usable.
 

changes/bug6024

@@ -1,2 +0,0 @@
-  o Documentation fixes:
-    - Clarify that hidden services are TCP only. Fixes bug 6024.

changes/bug6043

@@ -1,6 +0,0 @@
-  o Packaging (RPM):
-    - Our default RPM spec files have been updated to work with mock
-      and rpmbuild on RHEL/Fedora. They have an updated set of
-      dependencies and conflicts, a fix for an ancient typo when creating
-      the "_tor" user, and better instructions. Thanks to Ondrej
-      Mikle for the patch series; fix for bug 6043.

changes/bug6218

@@ -1,3 +0,0 @@
-  o Minor bugfixes:
-    - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218;
-      bugfix on 0.2.1.10-alpha.

changes/bug6244_part_c

@@ -1,6 +0,0 @@
-  o Major bugfixes (controller):
-    - Make wildcarded addresses (that is, ones beginning with *.) work when
-      provided via the controller's MapAddress command.  Previously, they
-      were accepted, but we never actually noticed that they were wildcards.
-      Fix for bug 6244; bugfix on 0.2.3.9-alpha.
-

changes/bug6251

@@ -1,6 +0,0 @@
-  o Minor bugfixes:
-    - Downgrade "set buildtimeout to low value" messages to INFO
-      severity; they were never an actual problem, there was never
-      anything reasonable to do about them, and they tended to spam
-      logs from time to time. Fix for bug 6251; bugfix on
-      0.2.2.2-alpha.

changes/bug6252_again

@@ -1,11 +0,0 @@
-  o Security fixes:
-    - Tear down the circuit if we get an unexpected SENDME cell. Clients
-      could use this trick to make their circuits receive cells faster
-      than our flow control would have allowed, or to gum up the network,
-      or possibly to do targeted memory denial-of-service attacks on
-      entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
-      from July 2002, before the release of Tor 0.0.0.  We had committed
-      this patch previously, but we had to revert it because of bug 6271.
-      Now that 6271 is fixed, this appears to work.
-
-

changes/bug6271

@@ -1,7 +0,0 @@
-   o Major bugfixes
-
-     - Fix a bug handling SENDME cells on nonexistent streams that
-       could result in bizarre window values. Report and patch
-       contributed pseudymously.  Fixes part of bug 6271. This bug
-       was introduced before the first Tor release, in svn commit
-       r152.

changes/bug6274

@@ -1,3 +0,0 @@
- o Minor bugfixes:
-   - Ignore ServerTransportPlugin lines when Tor is not configured as
-     a relay. Fixes bug 6274; bugfix on 0.2.3.6-alpha.

changes/bug6274_2

@@ -1,3 +0,0 @@
- o Minor features:
-   - Terminate active server managed proxies if Tor stops being a
-     relay. Addresses parts of bug 6274; bugfix on 0.2.3.6-alpha.

changes/bug6296

@@ -1,4 +0,0 @@
-   o Minor bugfixes:
-
-     - Instead of ENOBUFS on Windows, say WSAENOBUFS. Fixes
-       compilation on Windows.  Fixes bug 6296; bugfix on 0.2.3.18-rc.

changes/bug6341

@@ -1,5 +0,0 @@
-  o Major bugfixes:
-    - Fix a possible crash bug when checking for deactivated circuits
-      in connection_or_flush_from_first_active_circuit(). Fixes bug 
-      6341; bugfix on 0.2.2.7-alpha. Bug report and fix received
-      pseudonymously.

changes/bug6377

@@ -1,4 +0,0 @@
- o Testing:
-   - Make it possible to set the TestingTorNetwork configuration
-     option using AlternateDirAuthority and AlternateBridgeAuthority
-     as an alternative to setting DirServer.

changes/bug6379

@@ -1,6 +0,0 @@
-  o Minor bugfixes:
-    - Fix build warnings from --enable-openbsd-malloc with gcc warnings
-      enabled. Fixes bug 6379.
-    - Fix 64-bit warnings from --enable-openbsd-malloc. Fixes bug 6379.
-      Bugfix on 0.2.0.20-rc.
-

changes/bug6387

@@ -1,3 +0,0 @@
-  o Documentation:
-    - Clarify the documentation for the Alternate*Authority options.
-      Fixes bug 6387.

changes/bug6397

@@ -1,4 +0,0 @@
-  o Major bugfixes:
-    - When disabling guards for having too high a proportion of failed
-      circuits, make sure to look at each guard. Fix for bug 6397; bugfix
-      on 0.2.3.17-beta.

changes/bug6404

@@ -1,16 +0,0 @@
-  o Minor bugfixes:
-
-    - Remove the maximum length of microdescriptor we are willing to
-      generate. Occasionally this is needed for routers
-      with complex policies or family declarations. Partial fix for
-      bug 6404; fix on 0.2.2.6-alpha.
-
-    - Authorities no longer include any router in their
-      microdescriptor consensuses for which they couldn't generate or
-      agree on a microdescriptor.  Partial fix for bug 6404; fix on
-      0.2.2.6-alpha.
-
-    - Move log message when unable to find a microdesc in a
-      routerstatus entry to parse time. Previously we'd spam this
-      warning every time we tried to figure out which microdescriptors
-      to download. Partial fix for bug 6404; fix on 0.2.3.18-rc.

changes/bug6423

@@ -1,3 +0,0 @@
- o Minor features:
-   - Consider new, removed or changed IPv6 OR ports a non cosmetic
-     change.

changes/bug6436

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Provide a better error message about possible OSX Asciidoc failure
-      reasons. Fix for bug 6436.

changes/bug6472

@@ -1,4 +0,0 @@
-  o Minor bugfixes:
-    - Avoid a pair of double-free and use-after-mark bugs that can
-      occur with certain timings in canceled and re-received DNS
-      requests. Fix for bug 6472; bugfix on 0.0.7rc1.

changes/bug6475

@@ -1,6 +0,0 @@
-  o Minor bugfixes:
-     - Add internal circuit construction state to protect against
-       the noisy warn message "Unexpectedly high circuit_successes".
-       Also add some additional rate-limited notice messages to help
-       determine the root cause of the warn. Fixes bug 6475.
-       Bugfix against 0.2.3.17-beta.

changes/bug6480

@@ -1,5 +0,0 @@
-  o Major bugfixes:
-    - Avoid read-from-freed-RAM bug and related double-free bug that
-      could occur when a DNS request fails while launching it.  Fixes
-      bug 6480; bugfix on 0.2.0.1-alpha.
-

changes/bug6490

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Warn when Tor is configured to use accounting in a way that will
-      link a hidden service to some other hidden service or public
-      address. Fix for bug 6490.

changes/bug6500

@@ -1,2 +0,0 @@
-  o Minor bugfixes:
-    - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500.

changes/bug6507

@@ -1,15 +0,0 @@
-  o Major bugfixes:
-    - Detect 'ORPort 0' as meaning, uniformly, that we're not running
-      as a server. Previously, some of our code would treat the
-      presence of any ORPort line as meaning that we should act like a
-      server, even though our new listener code would correctly not
-      open any ORPorts for ORPort 0. Similar bugs in other Port
-      options are also fixed. Fixes bug 6507; bugfix on 0.2.3.3-alpha.
-
-  o Minor features:
-
-    - Detect and reject attempts to specify both 'FooPort' and
-      'FooPort 0' in the same configuration domain.  (It's still okay
-      to have a FooPort in your configuration file,and use 'FooPort 0'
-      on the command line to disable it.) Fixes another case of
-      bug6507; bugfix on 0.2.3.3-alpha.

changes/bug6514

@@ -1,5 +0,0 @@
-  o Minor bugfixes:
-    - Add a (probably redundant) memory clear between iterations of
-      the router status voting loop, to prevent future coding errors
-      where data might leak between iterations of the loop. Resolves
-      ticket 6514.

changes/bug6530

@@ -1,5 +0,0 @@
-  o Major security fixes:
-    - Avoid a read of uninitializd RAM when reading a vote or consensus
-      document with an unrecognized flavor name. This could lead to a
-      remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
-      

changes/bug6690

@@ -1,7 +0,0 @@
-  o Major bugfixes (security):
-    - Do not crash when comparing an address with port value 0 to an
-      address policy. This bug could have been used to cause a remote
-      assertion failure by or against directory authorities, or to
-      allow some applications to crash clients. Fixes bug 6690; bugfix
-      on 0.2.1.10-alpha.
-

changes/bug6710

@@ -1,6 +0,0 @@
-  o Major bugfixes (security):
-    - Reject any attempt to extend to an internal address. Without
-      this fix, a router could be used to probe addresses on an
-      internal network to see whether they were accepting
-      connections. Fix for bug 6710; bugfix on 0.0.8pre1.
-

changes/bug6732

@@ -1,3 +0,0 @@
-  o Documentation:
-    - Add missing documentation for consensus and microdesc files. Fix for
-      bug 6732.

changes/bug6743

@@ -1,9 +0,0 @@
-  o Minor bugfixes:
-    - Allow one-hop directory fetching circuits the full "circuit build
-      timeout" period, rather than just half of it, before failing them
-      and marking the relay down. This fix should help reduce cases where
-      clients declare relays (or worse, bridges) unreachable because
-      the TLS handshake takes a few seconds to complete. Fixes bug 6743;
-      bugfix on 0.2.2.2-alpha, where we changed the timeout from a static
-      30 seconds.
-

changes/bug6774

@@ -1,4 +0,0 @@
-  o Minor bugfixes:
-    - Avoid crashing on a malformed state file where EntryGuardPathBias
-      precedes EntryGuard. Fix for bug 6774; bugfix on 0.2.3.17-beta.
-

changes/bug6801

@@ -1,5 +0,0 @@
-  o Minor bugfixes:
-    - Avoid segfault when starting up having run with an extremely old
-      version of Tor and parsing its state file. Fixes bug 6801; bugfix on
-      0.2.2.23-alpha.
-

changes/bug6811

@@ -1,5 +0,0 @@
-  o Major security fixes:
-    - Fix an assertion failure in tor_timegm that could be triggered
-      by a badly formatted directory object.  Bug found by fuzzing with
-      Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
-      

changes/bug6827

@@ -1,9 +0,0 @@
-  o Minor bugfixes:
-
-    - Avoid undefined behaviour when parsing the list of supported
-      rendezvous/introduction protocols in a hidden service
-      descriptor.  Previously, Tor would have confused (as-yet-unused)
-      protocol version numbers greater than 32 with lower ones on many
-      platforms.  Fixes bug 6827; bugfix on 0.2.0.10-alpha; found by
-      George Kadianakis.
-

changes/bug6844

@@ -1,4 +0,0 @@
-  o Minor bugfixes:
-   - Correct file sizes when reading binary files on
-     Cygwin, to avoid a bug where Tor would fail to read its state file.
-     Fixes bug 6844; bugfix on 0.1.2.7-alpha.

changes/bug6866

@@ -1,4 +0,0 @@
-  o Minor bugfixes:
-    - Convert an assert in the pathbias code to a log message. Assert
-      appears to only be triggerable by Tor2Web mode. Fixes bug 6866;
-      bugfix on 0.2.3.17-beta.

changes/bug7014

@@ -1,5 +0,0 @@
-  o Minor bugfixes:
-    - Fix two cases in src/or/transports.c where we were calling
-      fmt_addr() twice in a parameter list. Bug found by David
-      Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha.
-

changes/bug7022

@@ -1,3 +0,0 @@
-  o Minor bugfixes:
-    - Fix memory leaks whenever we logged any message about the "path
-      bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc.

changes/bug7037

@@ -1,6 +0,0 @@
-  o Minor bugfixes:
-    - When relays refuse a "create" cell because their queue of pending
-      create cells is too big (typically because their cpu can't keep up
-      with the arrival rate), send back reason "resource limit" rather
-      than reason "internal", so network measurement scripts can get a
-      more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.

changes/bug7139

@@ -1,9 +0,0 @@
-  o Major bugfixes (security):
-
-    - Disable TLS session tickets.  OpenSSL's implementation were giving
-      our TLS session keys the lifetime of our TLS context objects, when
-      perfect forward secrecy would want us to discard anything that
-      could decrypt a link connection as soon as the link connection was
-      closed.  Fixes bug 7139; bugfix on all versions of Tor linked
-      against OpenSSL 1.0.0 or later. Found by "nextgens".
-

changes/bug7190

@@ -1,6 +0,0 @@
-  o Minor bugfixes:
-    - Clients now consider the ClientRejectInternalAddresses config option
-      when using a microdescriptor consensus stanza to decide whether
-      an exit relay would allow exiting to an internal address. Fixes
-      bug 7190; bugfix on 0.2.3.1-alpha.
-

changes/bug7191

@@ -1,5 +0,0 @@
-  o Major bugfixes:
-    - Fix a denial of service attack by which any directory authority
-      could crash all the others, or by which a single v2 directory
-      authority could crash everybody downloading v2 directory
-      information. Fixes bug 7191; bugfix on 0.2.0.10-alpha. 

changes/bug7192

@@ -1,10 +0,0 @@
-  o Major bugfixes:
-    - When parsing exit policy summaries from microdescriptors, we had
-      previously been ignoring the last character in each one, so that
-      "accept 80,443,8080" would be treated by clients as indicating a
-      node that allows access to ports 80, 443, and 808. That would lead
-      to clients attempting connections that could never work, and
-      ignoring exit nodes that would support their connections. Now clients
-      parse these exit policy summaries correctly. Fixes bug 7192;
-      bugfix on 0.2.3.1-alpha.
-

changes/bug7352

@@ -1,12 +0,0 @@
-  o Major bugfixes:
-    - Tor tries to wipe potentially sensitive data after using it, so
-      that if some subsequent security failure exposes Tor's memory,
-      the damage will be limited. But we had a bug where the compiler
-      was eliminating these wipe operations when it decided that the
-      memory was no longer visible to a (correctly running) program,
-      hence defeating our attempt at defense in depth. We fix that
-      by using OpenSSL's OPENSSL_cleanse() operation, which a compiler
-      is unlikely to optimize away. Future versions of Tor may use
-      a less ridiculously heavy approach for this. Fixes bug 7352.
-      Reported in an article by Andrey Karpov.
-

changes/bug7464

@@ -1,4 +0,0 @@
-  o Minor bugfixes:
-    - Fix a harmless bug when opting against publishing a relay descriptor
-      because DisableNetwork is set. Fixes bug 7464; bugfix on
-      0.2.3.9-alpha.

changes/bug7889

@@ -1,8 +0,0 @@
-  o Major bugfixes:
-    - Reject bogus create and relay cells with 0 circuit ID or 0 stream
-      ID: these could be used to create unexpected streams and circuits
-      which would count as "present" to some parts of Tor but "absent"
-      to others, leading to zombie circuits and streams or to a
-      bandwidth DOS. Fixes bug 7889; bugfix on every released version of
-      Tor. Reported by "oftc_must_be_destroyed".
-

changes/bug8208

@@ -1,4 +0,0 @@
-  o Minor bugfixes:
-    - Avoid a crash if we fail to generate an extrinfo descriptor.
-      Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity;
-      this is CID 718634.

changes/bug8377

@@ -1,3 +0,0 @@
-  o Minor bugfixes:
-    - Correctly recognize that [::1] is a loopback address. Fixes bug #8377;
-      bugfix on 0.2.1.3-alpha.

changes/cov709056

@@ -1,4 +0,0 @@
-  o Minor bugfixes:
-    - Check return value of fputs() when writing authority certificate
-      file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha.
-

changes/cve-2012-2249

@@ -1,5 +0,0 @@
-  o Major bugfixes (security):
-    - Discard extraneous renegotiation attempts once the V3 link
-      protocol has been initiated. Failure to do so left us open to
-      a remotely triggerable assertion failure. Fixes CVE-2012-2249;
-      bugfix on 0.2.3.6-alpha. Reported by "some guy from France".

changes/dirserv-BUGGY-a

@@ -1,7 +0,0 @@
-  o Minor bugfixes:
-
-    - Don't serve or accept v2 hidden service descriptors over a
-      relay's DirPort. It's never correct to do so, and disabling it
-      might make it more annoying to exploit any bugs that turn up in the
-      descriptor-parsing code. Fixes bug 7149.
-

changes/disable_pathbias_messages

@@ -1,3 +0,0 @@
-  o Disabeled features
-    - Downgrade path-bias warning messages to INFO. We'll try to get them
-      working better in 0.2.4. Fixes bug 6475; bugfix on 0.2.3.17-beta.

changes/geoip-apr2013

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update to the April 3 2013 Maxmind GeoLite Country database.
-

changes/geoip-dec2012

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update to the December 5 2012 Maxmind GeoLite Country database.
-

changes/geoip-feb2013

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update to the February 6 2013 Maxmind GeoLite Country database.
-

changes/geoip-jan2013

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update to the January 2 2013 Maxmind GeoLite Country database.
-

changes/geoip-mar2013

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update to the March 6 2013 Maxmind GeoLite Country database.
-

changes/geoip-nov2012

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update to the November 7 2012 Maxmind GeoLite Country database.
-

changes/link_negotiation_assert

@@ -1,6 +0,0 @@
-  o Major bugfixs (security):
-    - Fix a group of remotely triggerable assertion failures related to
-      incorrect link protocol negotiation. Found, diagnosed, and fixed
-      by "some guy from France." Fix for CVE-2012-2250; bugfix on
-      0.2.3.6-alpha.
-

changes/pathsel-BUGGY-a

@@ -1,14 +0,0 @@
-  o Security fixes:
-
-    - Try to leak less information about what relays a client is
-      choosing to a side-channel attacker.  Previously, a Tor client
-      would stop iterating through the list of available relays as
-      soon as it had chosen one, thus finishing a little earlier
-      when it picked a router earlier in the list.  If an attacker
-      can recover this timing information (nontrivial but not
-      proven to be impossible), they could learn some coarse-
-      grained information about which relays a client was picking
-      (middle nodes in particular are likelier to be affected than
-      exits).  The timing attack might be mitigated by other factors
-      (see bug #6537 for some discussion), but it's best not to
-      take chances.  Fixes bug 6537; bugfix on 0.0.8rc1.

changes/port_doc

@@ -1,3 +0,0 @@
-  o Minor features (usability):
-    - Try to make the warning when giving an obsolete SOCKSListenAddress
-      a littel more useful.

changes/revert-geoip-may2012

@@ -1,6 +0,0 @@
-  o Major bugfixes:
-    - Revert to the May 1 2012 Maxmind GeoLite Country database. In the
-      June 2012 database, Maxmind marked many Tor relays as country "A1",
-      which will cause risky behavior for clients that set EntryNodes
-      or ExitNodes. Addresses bug 6334; bugfix on 0.2.3.17-beta.
-

changes/smartlist_foreach

@@ -1,8 +0,0 @@
-  o Code simplification and refactoring:
-    - Do not use SMARTLIST_FOREACH for any loop whose body exceeds
-      10 lines. Doing so in the past has led to hard-to-debug code.
-      The new style is to use the SMARTLIST_FOREACH_{BEGIN,END} pair.
-      Issue 6400.
-    - Do not nest SMARTLIST_FOREACH blocks within one another. Any
-      nested block ought to be using SMARTLIST_FOREACH_{BEGIN,END}.
-      Issue 6400.

changes/ticket5749

@@ -1,3 +0,0 @@
-  o New directory authorities:
-    - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
-      authority. Closes ticket 5749.

configure.in

@@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2012, The Tor Project, Inc.
 dnl See LICENSE for licensing information
 
 AC_INIT
-AM_INIT_AUTOMAKE(tor, 0.2.3.18-rc-dev)
+AM_INIT_AUTOMAKE(tor, 0.2.3.25)
 AM_CONFIG_HEADER(orconfig.h)
 
 AC_CANONICAL_HOST

contrib/tor-mingw.nsi.in

@@ -8,7 +8,7 @@
 !include "LogicLib.nsh"
 !include "FileFunc.nsh"
 !insertmacro GetParameters
-!define VERSION "0.2.3.18-rc-dev"
+!define VERSION "0.2.3.25"
 !define INSTALLER "tor-${VERSION}-win32.exe"
 !define WEBSITE "https://www.torproject.org/"
 !define LICENSE "LICENSE"

src/win32/orconfig.h

@@ -232,7 +232,7 @@
 #define USING_TWOS_COMPLEMENT
 
 /* Version number of package */
-#define VERSION "0.2.3.18-rc-dev"
+#define VERSION "0.2.3.25"