Merge branch 'maint-0.2.6' into release-0.2.6

To build this changelog, I've gone through the entries in
release-0.2.6's changes subdirectory, and looked up the ChangeLog
entry for each.  I have not sorted them yet.

ChangeLog

@@ -1,5 +1,517 @@
-Changes in version 0.2.6.4-?? - 2015-0?-??
+Changes in version 0.2.6.12 - 2017-06-08
+  Tor 0.2.6.12 backports a fix for a bug that would allow an attacker to
+  remotely crash a hidden service with an assertion failure. Anyone
+  running a hidden service should upgrade to this version, or to some
+  other version with fixes for TROVE-2017-005.  (Versions before 0.3.0
+  are not affected by TROVE-2017-004.)
 
+  o Major bugfixes (hidden service, relay, security):
+    - Fix a remotely triggerable assertion failure caused by receiving a
+      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
+      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
+      on 0.2.2.1-alpha.
+
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
+      Country database.
+
+  o Minor bugfixes (correctness):
+    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
+      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
+
+
+Changes in version 0.2.6.11 - 2017-03-03
+  Tor 0.2.6.11 backports a number of security fixes from later Tor
+  releases.  Anybody running Tor 0.2.6.10 or earlier should upgrade to
+  this release, if for some reason they cannot upgrade to a later
+  release series.
+
+  Note that support for Tor 0.2.6.x is ending this year: we will not issue
+  any fixes for the Tor 0.2.6.x series after 1 August 2017.  If you need
+  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.
+
+  o Directory authority changes (backport from 0.2.8.5-rc):
+    - Urras is no longer a directory authority. Closes ticket 19271.
+
+  o Directory authority changes (backport from 0.2.9.2-alpha):
+    - The "Tonga" bridge authority has been retired; the new bridge
+      authority is "Bifroest". Closes tickets 19728 and 19690.
+
+  o Directory authority key updates (backport from 0.2.8.1-alpha):
+    - Update the V3 identity key for the dannenberg directory authority:
+      it was changed on 18 November 2015. Closes task 17906. Patch
+      by "teor".
+
+  o Major features (security fixes, backport from 0.2.9.4-alpha):
+    - Prevent a class of security bugs caused by treating the contents
+      of a buffer chunk as if they were a NUL-terminated string. At
+      least one such bug seems to be present in all currently used
+      versions of Tor, and would allow an attacker to remotely crash
+      most Tor instances, especially those compiled with extra compiler
+      hardening. With this defense in place, such bugs can't crash Tor,
+      though we should still fix them as they occur. Closes ticket
+      20384 (TROVE-2016-10-001).
+
+  o Major bugfixes (parsing, security, backport from 0.2.9.8):
+    - Fix a bug in parsing that could cause clients to read a single
+      byte past the end of an allocated region. This bug could be used
+      to cause hardened clients (built with --enable-expensive-hardening)
+      to crash if they tried to visit a hostile hidden service. Non-
+      hardened clients are only affected depending on the details of
+      their platform's memory allocator. Fixes bug 21018; bugfix on
+      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
+      2016-12-002 and as CVE-2016-1254.
+
+  o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
+    - Stop a crash that could occur when a client running with DNSPort
+      received a query with multiple address types, and the first
+      address type was not supported. Found and fixed by Scott Dial.
+      Fixes bug 18710; bugfix on 0.2.5.4-alpha.
+
+  o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
+    - Fix an error that could cause us to read 4 bytes before the
+      beginning of an openssl string. This bug could be used to cause
+      Tor to crash on systems with unusual malloc implementations, or
+      systems with unusual hardening installed. Fixes bug 17404; bugfix
+      on 0.2.3.6-alpha.
+
+  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
+    - Avoid a difficult-to-trigger heap corruption attack when extending
+      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
+      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
+      Reported by Guido Vranken.
+
+  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
+    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
+      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
+
+  o Major bugfixes (guard selection, backport from 0.2.7.6):
+    - Actually look at the Guard flag when selecting a new directory
+      guard. When we implemented the directory guard design, we
+      accidentally started treating all relays as if they have the Guard
+      flag during guard selection, leading to weaker anonymity and worse
+      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
+      by Mohsen Imani.
+
+  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
+    - If OpenSSL fails to generate an RSA key, do not retain a dangling
+      pointer to the previous (uninitialized) key value. The impact here
+      should be limited to a difficult-to-trigger crash, if OpenSSL is
+      running an engine that makes key generation failures possible, or
+      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
+      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
+      Baishakhi Ray.
+
+  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
+    - Fix an integer underflow bug when comparing malformed Tor
+      versions. This bug could crash Tor when built with
+      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
+      0.2.9.8, which were built with -ftrapv by default. In other cases
+      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
+      on 0.0.8pre1. Found by OSS-Fuzz.
+
+  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
+    - Make memwipe() do nothing when passed a NULL pointer or buffer of
+      zero size. Check size argument to memwipe() for underflow. Fixes
+      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
+      patch by "teor".
+
+  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
+    - Make Tor survive errors involving connections without a
+      corresponding event object. Previously we'd fail with an
+      assertion; now we produce a log message. Related to bug 16248.
+
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
+      Country database.
+
+  o Minor bugfixes (compilation, backport from 0.2.7.6):
+    - Fix a compilation warning with Clang 3.6: Do not check the
+      presence of an address which can never be NULL. Fixes bug 17781.
+
+
+Changes in version 0.2.6.10 - 2015-07-12
+  Tor version 0.2.6.10 fixes some significant stability and hidden
+  service client bugs, bulletproofs the cryptography init process, and
+  fixes a bug when using the sandbox code with some older versions of
+  Linux. Everyone running an older version, especially an older version
+  of 0.2.6, should upgrade.
+
+  o Major bugfixes (hidden service clients, stability):
+    - Stop refusing to store updated hidden service descriptors on a
+      client. This reverts commit 9407040c59218 (which indeed fixed bug
+      14219, but introduced a major hidden service reachability
+      regression detailed in bug 16381). This is a temporary fix since
+      we can live with the minor issue in bug 14219 (it just results in
+      some load on the network) but the regression of 16381 is too much
+      of a setback. First-round fix for bug 16381; bugfix
+      on 0.2.6.3-alpha.
+
+  o Major bugfixes (stability):
+    - Stop crashing with an assertion failure when parsing certain kinds
+      of malformed or truncated microdescriptors. Fixes bug 16400;
+      bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch
+      by "cypherpunks_backup".
+    - Stop random client-side assertion failures that could occur when
+      connecting to a busy hidden service, or connecting to a hidden
+      service while a NEWNYM is in progress. Fixes bug 16013; bugfix
+      on 0.1.0.1-rc.
+
+  o Minor features (geoip):
+    - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
+    - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
+
+  o Minor bugfixes (crypto error-handling):
+    - Check for failures from crypto_early_init, and refuse to continue.
+      A previous typo meant that we could keep going with an
+      uninitialized crypto library, and would have OpenSSL initialize
+      its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
+      when implementing ticket 4900. Patch by "teor".
+
+  o Minor bugfixes (Linux seccomp2 sandbox):
+    - Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
+      these when eventfd2() support is missing. Fixes bug 16363; bugfix
+      on 0.2.6.3-alpha. Patch from "teor".
+
+
+Changes in version 0.2.6.9 - 2015-06-11
+  Tor 0.2.6.9 fixes a regression in the circuit isolation code, increases the
+  requirements for receiving an HSDir flag, and addresses some other small
+  bugs in the systemd and sandbox code. Clients using circuit isolation
+  should upgrade; all directory authorities should upgrade.
+
+  o Major bugfixes (client-side privacy):
+    - Properly separate out each SOCKSPort when applying stream
+      isolation. The error occurred because each port's session group was
+      being overwritten by a default value when the listener connection
+      was initialized. Fixes bug 16247; bugfix on 0.2.6.3-alpha. Patch
+      by "jojelino".
+
+  o Minor feature (directory authorities, security):
+    - The HSDir flag given by authorities now requires the Stable flag.
+      For the current network, this results in going from 2887 to 2806
+      HSDirs. Also, it makes it harder for an attacker to launch a sybil
+      attack by raising the effort for a relay to become Stable which
+      takes at the very least 7 days to do so and by keeping the 96
+      hours uptime requirement for HSDir. Implements ticket 8243.
+
+  o Minor bugfixes (compilation):
+    - Build with --enable-systemd correctly when libsystemd is
+      installed, but systemd is not. Fixes bug 16164; bugfix on
+      0.2.6.3-alpha. Patch from Peter Palfrader.
+
+  o Minor bugfixes (Linux seccomp2 sandbox):
+    - Fix sandboxing to work when running as a relaymby renaming of
+      secret_id_key, and allowing the eventfd2 and futex syscalls. Fixes
+      bug 16244; bugfix on 0.2.6.1-alpha. Patch by Peter Palfrader.
+    - Allow systemd connections to work with the Linux seccomp2 sandbox
+      code. Fixes bug 16212; bugfix on 0.2.6.2-alpha. Patch by
+      Peter Palfrader.
+
+  o Minor bugfixes (tests):
+    - Fix a crash in the unit tests when built with MSVC2013. Fixes bug
+      16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
+
+
+Changes in version 0.2.6.8 - 2015-05-21
+  Tor 0.2.6.8 fixes a bit of dodgy code in parsing INTRODUCE2 cells, and
+  fixes an authority-side bug in assigning the HSDir flag. All directory
+  authorities should upgrade.
+
+  o Major bugfixes (hidden services, backport from 0.2.7.1-alpha):
+    - Revert commit that made directory authorities assign the HSDir
+      flag to relay without a DirPort; this was bad because such relays
+      can't handle BEGIN_DIR cells. Fixes bug 15850; bugfix
+      on tor-0.2.6.3-alpha.
+
+  o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
+    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
+      a client authorized hidden service. Fixes bug 15823; bugfix
+      on 0.2.1.6-alpha.
+
+  o Minor features (geoip):
+    - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
+    - Update geoip6 to the April 8 2015 Maxmind GeoLite2
+      Country database.
+
+Changes in version 0.2.6.7 - 2015-04-06
+  Tor 0.2.6.7 fixes two security issues that could be used by an
+  attacker to crash hidden services, or crash clients visiting hidden
+  services. Hidden services should upgrade as soon as possible; clients
+  should upgrade whenever packages become available.
+
+  This release also contains two simple improvements to make hidden
+  services a bit less vulnerable to denial-of-service attacks.
+
+  o Major bugfixes (security, hidden service):
+    - Fix an issue that would allow a malicious client to trigger an
+      assertion failure and halt a hidden service. Fixes bug 15600;
+      bugfix on 0.2.1.6-alpha. Reported by "disgleirio".
+    - Fix a bug that could cause a client to crash with an assertion
+      failure when parsing a malformed hidden service descriptor. Fixes
+      bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnchaC".
+
+  o Minor features (DoS-resistance, hidden service):
+    - Introduction points no longer allow multiple INTRODUCE1 cells to
+      arrive on the same circuit. This should make it more expensive for
+      attackers to overwhelm hidden services with introductions.
+      Resolves ticket 15515.
+    - Decrease the amount of reattempts that a hidden service performs
+      when its rendezvous circuits fail. This reduces the computational
+      cost for running a hidden service under heavy load. Resolves
+      ticket 11447.
+
+
+Changes in version 0.2.6.6 - 2015-03-24
+  Tor 0.2.6.6 is the first stable release in the 0.2.6 series.
+
+  It adds numerous safety, security, correctness, and performance
+  improvements. Client programs can be configured to use more kinds of
+  sockets, AutomapHosts works better, the multithreading backend is
+  improved, cell transmission is refactored, test coverage is much
+  higher, more denial-of-service attacks are handled, guard selection is
+  improved to handle long-term guards better, pluggable transports
+  should work a bit better, and some annoying hidden service performance
+  bugs should be addressed.
+
+  o Minor bugfixes (portability):
+    - Use the correct datatype in the SipHash-2-4 function to prevent
+      compilers from assuming any sort of alignment. Fixes bug 15436;
+      bugfix on 0.2.5.3-alpha.
+
+
+Changes in version 0.2.6.5-rc - 2015-03-18
+  Tor 0.2.6.5-rc is the second and (hopefully) last release candidate in
+  the 0.2.6. It fixes a small number of bugs found in 0.2.6.4-rc.
+
+  o Major bugfixes (client):
+    - Avoid crashing when making certain configuration option changes on
+      clients. Fixes bug 15245; bugfix on 0.2.6.3-alpha. Reported
+      by "anonym".
+
+  o Major bugfixes (pluggable transports):
+    - Initialize the extended OR Port authentication cookie before
+      launching pluggable transports. This prevents a race condition
+      that occured when server-side pluggable transports would cache the
+      authentication cookie before it has been (re)generated. Fixes bug
+      15240; bugfix on 0.2.5.1-alpha.
+
+  o Major bugfixes (portability):
+    - Do not crash on startup when running on Solaris. Fixes a bug
+      related to our fix for 9495; bugfix on 0.2.6.1-alpha. Reported
+      by "ruebezahl".
+
+  o Minor features (heartbeat):
+    - On relays, report how many connections we negotiated using each
+      version of the Tor link protocols. This information will let us
+      know if removing support for very old versions of the Tor
+      protocols is harming the network. Closes ticket 15212.
+
+  o Code simplification and refactoring:
+    - Refactor main loop to extract the 'loop' part. This makes it
+      easier to run Tor under Shadow. Closes ticket 15176.
+
+
+Changes in version 0.2.5.11 - 2015-03-17
+  Tor 0.2.5.11 is the second stable release in the 0.2.5 series.
+
+  It backports several bugfixes from the 0.2.6 branch, including a
+  couple of medium-level security fixes for relays and exit nodes.
+  It also updates the list of directory authorities.
+
+  o Directory authority changes:
+    - Remove turtles as a directory authority.
+    - Add longclaw as a new (v3) directory authority. This implements
+      ticket 13296. This keeps the directory authority count at 9.
+    - The directory authority Faravahar has a new IP address. This
+      closes ticket 14487.
+
+  o Major bugfixes (crash, OSX, security):
+    - Fix a remote denial-of-service opportunity caused by a bug in
+      OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
+      in OSX 10.9.
+
+  o Major bugfixes (relay, stability, possible security):
+    - Fix a bug that could lead to a relay crashing with an assertion
+      failure if a buffer of exactly the wrong layout was passed to
+      buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
+      0.2.0.10-alpha. Patch from 'cypherpunks'.
+    - Do not assert if the 'data' pointer on a buffer is advanced to the
+      very end of the buffer; log a BUG message instead. Only assert if
+      it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
+
+  o Major bugfixes (exit node stability):
+    - Fix an assertion failure that could occur under high DNS load.
+      Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
+      diagnosed and fixed by "cypherpunks".
+
+  o Major bugfixes (Linux seccomp2 sandbox):
+    - Upon receiving sighup with the seccomp2 sandbox enabled, do not
+      crash during attempts to call wait4. Fixes bug 15088; bugfix on
+      0.2.5.1-alpha. Patch from "sanic".
+
+  o Minor features (controller):
+    - New "GETINFO bw-event-cache" to get information about recent
+      bandwidth events. Closes ticket 14128. Useful for controllers to
+      get recent bandwidth history after the fix for ticket 13988.
+
+  o Minor features (geoip):
+    - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
+    - Update geoip6 to the March 3 2015 Maxmind GeoLite2
+      Country database.
+
+  o Minor bugfixes (client, automapping):
+    - Avoid crashing on torrc lines for VirtualAddrNetworkIPv[4|6] when
+      no value follows the option. Fixes bug 14142; bugfix on
+      0.2.4.7-alpha. Patch by "teor".
+    - Fix a memory leak when using AutomapHostsOnResolve. Fixes bug
+      14195; bugfix on 0.1.0.1-rc.
+
+  o Minor bugfixes (compilation):
+    - Build without warnings with the stock OpenSSL srtp.h header, which
+      has a duplicate declaration of SSL_get_selected_srtp_profile().
+      Fixes bug 14220; this is OpenSSL's bug, not ours.
+
+  o Minor bugfixes (directory authority):
+    - Allow directory authorities to fetch more data from one another if
+      they find themselves missing lots of votes. Previously, they had
+      been bumping against the 10 MB queued data limit. Fixes bug 14261;
+      bugfix on 0.1.2.5-alpha.
+    - Enlarge the buffer to read bwauth generated files to avoid an
+      issue when parsing the file in dirserv_read_measured_bandwidths().
+      Fixes bug 14125; bugfix on 0.2.2.1-alpha.
+
+  o Minor bugfixes (statistics):
+    - Increase period over which bandwidth observations are aggregated
+      from 15 minutes to 4 hours. Fixes bug 13988; bugfix on 0.0.8pre1.
+
+  o Minor bugfixes (preventative security, C safety):
+    - When reading a hexadecimal, base-32, or base-64 encoded value from
+      a string, always overwrite the whole output buffer. This prevents
+      some bugs where we would look at (but fortunately, not reveal)
+      uninitialized memory on the stack. Fixes bug 14013; bugfix on all
+      versions of Tor.
+
+
+Changes in version 0.2.4.26 - 2015-03-17
+  Tor 0.2.4.26 includes an updated list of directory authorities.  It
+  also backports a couple of stability and security bugfixes from 0.2.5
+  and beyond.
+
+  o Directory authority changes:
+    - Remove turtles as a directory authority.
+    - Add longclaw as a new (v3) directory authority. This implements
+      ticket 13296. This keeps the directory authority count at 9.
+    - The directory authority Faravahar has a new IP address. This
+      closes ticket 14487.
+
+  o Major bugfixes (exit node stability, also in 0.2.6.3-alpha):
+    - Fix an assertion failure that could occur under high DNS load.
+      Fixes bug 14129; bugfix on Tor 0.0.7rc1. Found by "jowr";
+      diagnosed and fixed by "cypherpunks".
+
+  o Major bugfixes (relay, stability, possible security, also in 0.2.6.4-rc):
+    - Fix a bug that could lead to a relay crashing with an assertion
+      failure if a buffer of exactly the wrong layout was passed to
+      buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
+      0.2.0.10-alpha. Patch from 'cypherpunks'.
+    - Do not assert if the 'data' pointer on a buffer is advanced to the
+      very end of the buffer; log a BUG message instead. Only assert if
+      it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
+
+  o Minor features (geoip):
+    - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
+    - Update geoip6 to the March 3 2015 Maxmind GeoLite2
+      Country database.
+
+
+Changes in version 0.2.6.4-rc - 2015-03-09
+  Tor 0.2.6.4-alpha fixes an issue in the directory code that an
+  attacker might be able to use in order to crash certain Tor
+  directories. It also resolves some minor issues left over from, or
+  introduced in, Tor 0.2.6.3-alpha or earlier.
+
+  o Major bugfixes (crash, OSX, security):
+    - Fix a remote denial-of-service opportunity caused by a bug in
+      OSX's _strlcat_chk() function. Fixes bug 15205; bug first appeared
+      in OSX 10.9.
+
+  o Major bugfixes (relay, stability, possible security):
+    - Fix a bug that could lead to a relay crashing with an assertion
+      failure if a buffer of exactly the wrong layout is passed to
+      buf_pullup() at exactly the wrong time. Fixes bug 15083; bugfix on
+      0.2.0.10-alpha. Patch from "cypherpunks".
+    - Do not assert if the 'data' pointer on a buffer is advanced to the
+      very end of the buffer; log a BUG message instead. Only assert if
+      it is past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
+
+  o Major bugfixes (FreeBSD IPFW transparent proxy):
+    - Fix address detection with FreeBSD transparent proxies, when
+      "TransProxyType ipfw" is in use. Fixes bug 15064; bugfix
+      on 0.2.5.4-alpha.
+
+  o Major bugfixes (Linux seccomp2 sandbox):
+    - Pass IPPROTO_TCP rather than 0 to socket(), so that the Linux
+      seccomp2 sandbox doesn't fail. Fixes bug 14989; bugfix
+      on 0.2.6.3-alpha.
+    - Allow AF_UNIX hidden services to be used with the seccomp2
+      sandbox. Fixes bug 15003; bugfix on 0.2.6.3-alpha.
+    - Upon receiving sighup with the seccomp2 sandbox enabled, do not
+      crash during attempts to call wait4. Fixes bug 15088; bugfix on
+      0.2.5.1-alpha. Patch from "sanic".
+
+  o Minor features (controller):
+    - Messages about problems in the bootstrap process now include
+      information about the server we were trying to connect to when we
+      noticed the problem. Closes ticket 15006.
+
+  o Minor features (geoip):
+    - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
+    - Update geoip6 to the March 3 2015 Maxmind GeoLite2
+      Country database.
+
+  o Minor features (logs):
+    - Quiet some log messages in the heartbeat and at startup. Closes
+      ticket 14950.
+
+  o Minor bugfixes (certificate handling):
+    - If an authority operator accidentally makes a signing certificate
+      with a future publication time, do not discard its real signing
+      certificates. Fixes bug 11457; bugfix on 0.2.0.3-alpha.
+    - Remove any old authority certificates that have been superseded
+      for at least two days. Previously, we would keep superseded
+      certificates until they expired, if they were published close in
+      time to the certificate that superseded them. Fixes bug 11454;
+      bugfix on 0.2.1.8-alpha.
+
+  o Minor bugfixes (compilation):
+    - Fix a compilation warning on s390. Fixes bug 14988; bugfix
+      on 0.2.5.2-alpha.
+    - Fix a compilation warning on FreeBSD. Fixes bug 15151; bugfix
+      on 0.2.6.2-alpha.
+
+  o Minor bugfixes (testing):
+    - Fix endianness issues in unit test for resolve_my_address() to
+      have it pass on big endian systems. Fixes bug 14980; bugfix on
+      Tor 0.2.6.3-alpha.
+    - Avoid a side-effect in a tor_assert() in the unit tests. Fixes bug
+      15188; bugfix on 0.1.2.3-alpha. Patch from Tom van der Woerdt.
+    - When running the new 'make test-stem' target, use the configured
+      python binary. Fixes bug 15037; bugfix on 0.2.6.3-alpha. Patch
+      from "cypherpunks".
+    - When running the zero-length-keys tests, do not use the default
+      torrc file. Fixes bug 15033; bugfix on 0.2.6.3-alpha. Reported
+      by "reezer".
+
+  o Directory authority IP change:
+    - The directory authority Faravahar has a new IP address. This
+      closes ticket 14487.
+
+  o Removed code:
+    - Remove some lingering dead code that once supported mempools.
+      Mempools were disabled by default in 0.2.5, and removed entirely
+      in 0.2.6.3-alpha. Closes more of ticket 14848; patch
+      by "cypherpunks".
 
 
 Changes in version 0.2.6.3-alpha - 2015-02-19
@@ -49,6 +561,13 @@ Changes in version 0.2.6.3-alpha - 2015-02-19
       notified of updates and their correct digests. Implements proposal
       227. Closes ticket 10395.
 
+  o Major features (guards):
+    - Introduce the Guardfraction feature to improves load balancing on
+      guard nodes. Specifically, it aims to reduce the traffic gap that
+      guard nodes experience when they first get the Guard flag. This is
+      a required step if we want to increase the guard lifetime to 9
+      months or greater.  Closes ticket 9321.
+
   o Major features (performance):
     - Make the CPU worker implementation more efficient by avoiding the
       kernel and lengthening pipelines. The original implementation used

changes/15188

@@ -1,3 +0,0 @@
-  o Minor bugfixes (testing):
-    - Avoid a side-effect in a tor_assert() in the unit tests. Fixes bug
-      15188; bugfix on 0.1.2.3-alpha. Patch from Tom van der Woerdt.

changes/19271

@@ -1,2 +0,0 @@
-  o Directory authority changes:
-    - Urras is no longer a directory authority. Closes ticket 19271.

changes/bifroest

@@ -1,3 +0,0 @@
-  o Directory authority changes (also in 0.2.8.7):
-    - The "Tonga" bridge authority has been retired; the new bridge
-      authority is "Bifroest". Closes tickets 19728 and 19690.

changes/buf-sentinel

@@ -1,11 +0,0 @@
-  o Major features (security fixes):
-
-    - Prevent a class of security bugs caused by treating the contents
-      of a buffer chunk as if they were a NUL-terminated string.  At
-      least one such bug seems to be present in all currently used
-      versions of Tor, and would allow an attacker to remotely crash
-      most Tor instances, especially those compiled with extra compiler
-      hardening. With this defense in place, such bugs can't crash Tor,
-      though we should still fix them as they occur. Closes ticket 20384
-      (TROVE-2016-10-001).
-

changes/bug11447

@@ -1,5 +0,0 @@
-  o Minor features (DoS-resistance):
-    - Decrease the amount of reattempts that a hidden service is
-      willing to perform when its rendezvous circuits fail. This
-      reduces the computational cost for hidden service under heavy
-      load. Resolves ticket #11447.

changes/bug11454

@@ -1,6 +0,0 @@
-  o Minor bugfixes (certificate handling):
-    - Remove any old authority certificates that have been superseded
-      for at least two days.  Previously, we would keep superseded
-      certificates until they expired, if they were published close
-      in time to the certificate that superseded them.
-      Fixes bug 11454; bugfix on 0.2.1.8-alpha.

changes/bug11457

@@ -1,5 +0,0 @@
-  o Minor bugfixes (certificate handling):
-    - If an authority operator accidentally makes a signing certificate with
-      a future publication time, do not discard its real signing
-      certificates. Fixes bug 11457; bugfix on 0.2.0.3-alpha.
-

changes/bug14848_redux

@@ -1,5 +0,0 @@
-  o Removed code:
-    - Remove some lingering dead code that once supported mempools. Mempools
-      were disabled by default in 0.2.5, and removed entirely in
-      0.2.6.3-alpha. Closes more of ticket 14848; patch by "cypherpunks".
-

changes/bug14950

@@ -1,3 +0,0 @@
-  o Minor features (logs):
-    - Quiet some log messages in the heartbeat and at startup. Closes
-      ticket 14950.

changes/bug14980

@@ -1,4 +0,0 @@
-  o Minor bugfixes (testing):
-    - Fix endianness issues in unit test for resolve_my_address() to
-      have it pass on big endian systems. Fixes bug 14980; bugfix on
-      Tor 0.2.6.3-alpha.

changes/bug14988

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix a compilation warning on s390. Fixes bug 14988; bugfix on
-      0.2.5.2-alpha.
-

changes/bug14989

@@ -1,4 +0,0 @@
-  o Major bugfixes (Linux seccomp2 sandbox):
-    - Pass IPPROTO_TCP rather than 0 to socket(), so that the
-      Linux seccomp2 sandbox doesn't fail. Fixes bug 14989;
-      bugfix on 0.2.6.3-alpha.

changes/bug15003

@@ -1,3 +0,0 @@
-  o Major bugfixes (linux seccomp2 sandbox):
-    - Allow AF_UNIX hidden services to be used with the seccomp2 sandbox.
-      Fixes bug 15003; bugfix on 0.2.6.3-alpha.

changes/bug15033

@@ -1,4 +0,0 @@
-  o Minor bugfixes (tests):
-    - When running the zero-length-keys check, do not use the default
-      torrc file. Fixes bug 15033; bugfix on 0.2.6.3-alpha. Reported
-      by "reezer".

changes/bug15037

@@ -1,4 +0,0 @@
-  o Minor bugfixes (testing):
-    - When running the new 'make test-stem' target, use the configured
-      python binary. Fixes bug 15037; bugfix on 0.2.6.3-alpha. Patch
-      from "cypherpunks".

changes/bug15064

@@ -1,4 +0,0 @@
-  o Major bugfixes (FreeBSD IPFW transparent proxy):
-    - Fix address detection with FreeBSD transparent proxies,
-      when "TransProxyType ipfw" is in use.
-      Fixes bug 15064; bugfix on 0.2.5.4-alpha.

changes/bug15083

@@ -1,10 +0,0 @@
-  o Major bugfixes (relay, stability, possible security):
-    - Fix a bug that could lead to a relay crashing with an assertion
-      failure if a buffer of exactly the wrong layout was passed
-      to buf_pullup() at exactly the wrong time. Fixes bug 15083;
-      bugfix on 0.2.0.10-alpha. Patch from 'cypherpunks'.
-
-    - Do not assert if the 'data' pointer on a buffer is advanced to the very
-      end of the buffer; log a BUG message instead.  Only assert if it is
-      past that point. Fixes bug 15083; bugfix on 0.2.0.10-alpha.
-

changes/bug15088

@@ -1,4 +0,0 @@
-  o Minor bugfixes (Linux seccomp2 sandbox):
-    - Upon receiving sighup, do not crash during attempts to call
-      wait4. Fixes bug 15088; bugfix on 0.2.5.1-alpha. Patch from
-      "sanic".

changes/bug15151

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix a compilation warning on FreeBSD. Fixes bug 15151; bugfix on
-      0.2.6.2-alpha.

changes/bug15205

@@ -1,5 +0,0 @@
-  o Major bugfixes (crash, OSX, security):
-    - Fix a remote denial-of-service opportunity caused by a bug
-      in OSX's _strlcat_chk() function. Fixes bug 15205; bug first
-      appeared in OSX 10.9. 
-      

changes/bug15240

@@ -1,6 +0,0 @@
-  o Minor bugfixes (pluggable transports):
-    - Initialize the extended OR Port authentication cookie before launching
-      pluggable transports. This prevents a race condition that occured when
-      server-side pluggable transports would cache the authentication cookie
-      before it has been (re)generated. Fixes bug 15240; bugfix on
-      0.2.5.1-alpha.

changes/bug15245

@@ -1,5 +0,0 @@
-  o Major bugfixes:
-    - Avoid crashing when making certain configuration option changes
-      on clients. Fixes bug 15245; bugfix on 0.2.6.3-alpha. Reported
-      by "anonym".
-

changes/bug15436

@@ -1,4 +0,0 @@
-  o Minor bugfixes (portability):
-    - Use the correct datatype in the SipHash-2-4 function to prevent compilers
-      from assuming any sort of alignment.  Fixes bug 15436; bugfix on
-      0.2.5.3-alpha.

changes/bug15515

@@ -1,4 +0,0 @@
-  o Minor features (DoS-resistance):
-    - Make it harder for attackers to overwhelm hidden services with
-      introductions, by blocking multiple introduction requests on the
-      same circuit. Resolves ticket #15515.

changes/bug15600

@@ -1,5 +0,0 @@
-  o Major bugfixes (security, hidden service):
-    - Fix an issue that would allow a malicious client to trigger
-      an assertion failure and halt a hidden service. Fixes
-      bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy".
-

changes/bug15601

@@ -1,4 +0,0 @@
-  o Major bugfixes (security, hidden service):
-    - Fix a bug that could cause a client to crash with an assertion
-      failure when parsing a malformed hidden service descriptor.
-      Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnCha".

changes/bug15823

@@ -1,4 +0,0 @@
-  o Minor bugfixes (hidden service):
-    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells
-      on a client authorized hidden service. Fixes bug 15823; bugfix
-      on 0.2.1.6-alpha.

changes/bug15850

@@ -1,4 +0,0 @@
-  o Major bugfix
-    - Revert commit that made directory authority assign the HSDir flag to
-      relay without a DirPort which is bad because relay can't handle
-      BEGIN_DIR cells. Fixes #15850. Bugfix on tor-0.2.6.3-alpha;

changes/bug16013

@@ -1,5 +0,0 @@
-  o Major bugfixes (hidden service, stability):
-    - Stop randomly crashing with an assertion failure when connecting to a
-      busy hidden service, or connecting to a hidden service while a NEWNYM
-      is in progress. Fixes bug 16013; bugfix on 0.1.0.1-rc.
-

changes/bug16030

@@ -1,3 +0,0 @@
-  o Minor bugfixes (tests):
-    - Fix a crash in the unit tests on MSVC2013.  Fixes bug 16030; bugfix on
-      0.2.6.2-alpha.  Patch from "NewEraCracker".

changes/bug16164

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Build with --enable-systemd correctly when libsystemd is installed,
-      but systemd is not. Fixes bug 16164, bugfix on 0.2.6.3-alpha. Patch
-      from Peter Palfrader.

changes/bug16212

@@ -1,5 +0,0 @@
-  o Minor bugfixes (sandbox, systemd):
-    - Allow systemd connections to work with the Linux seccomp2 sandbox
-      code.  Fixes bug 16212; bugfix on 0.2.6.2-alpha.
-      Patch by Peter Palfrader.
-

changes/bug16244

@@ -1,7 +0,0 @@
-  o Minor bugfixes (sandbox, relay):
-    - Fix sandboxing to work when running as a relay again.  This
-      includes correctly allowing renaming secret_id_key and
-      allowing the eventfd2 and futex syscalls.
-      Fixes bug 16244; bugfix on 0.2.6.1-alpha.
-      Patch by Peter Palfrader.
-

changes/bug16247

@@ -1,5 +0,0 @@
-  o Minor bugfixes (client-side privacy):
-    - Properly separate out each SOCKSPort when applying stream isolation.
-      The error occured because each port's session group was being
-      overwritten by a default value. Fixes bug 16247; bugfix on
-      0.2.6.3-alpha. Patch by "jojelino".

changes/bug16248

@@ -1,8 +0,0 @@
-  o Major bugfixes (dns proxy mode, crash):
-    - Avoid crashing when running as a DNS proxy. Closes bug 16248; bugfix on
-      0.2.0.1-alpha. Patch from 'cypherpunks'.
-
-  o Minor features (bug-resistance):
-    - Make Tor survive errors involving connections without a corresponding
-      event object. Previously we'd fail with an assertion; now we produce a
-      log message. Related to bug 16248.

changes/bug16360-failed-crypto-early-init

@@ -1,7 +0,0 @@
-  o Minor bugfixes (crypto error-handling):
-    - If crypto_early_init fails, a typo in a return value from tor_init
-      means that tor_main continues running, rather than returning
-      an error value.
-      Fixes bug 16360; bugfix on d3fb846d8c98 in 0.2.5.2-alpha,
-      introduced when implementing #4900.
-      Patch by "teor".

changes/bug16363

@@ -1,4 +0,0 @@
-  o Minor bugfixes (Linux seccomp2 sandbox):
-    - Allow pipe() and pipe2() syscalls; we need these when eventfd2()
-      support is missing. Fixes bug 16363; bugfix on 0.2.6.3-alpha.
-      Patch from "teor".

changes/bug16381

@@ -1,13 +0,0 @@
-  o Major bugfix (Hidden service client)
-    - Revert commit 9407040c592184e05e45a3c1a00739c2dd302288 of bug #14219
-      that indeed fixed an issue but introduced a major hidden service
-      reachability regression detailed in bug #16381. This is a temporary
-      fix since we can live with the minor issue in #14219 but the
-      regression introduced is too much of a set back.
-
-      To be clear, #14219 bug just results in some load on the network, and
-      some delay for the client when visiting a hidden service that will
-      ultimately fail.
-
-      This is only a bandaid for #16381 thus it does _not_ fixes it. bugfix
-      on tor-0.2.6.3-alpha~138.

changes/bug16400

@@ -1,5 +0,0 @@
-  o Major bugfixes:
-   - Do not crash with an assertion error when parsing certain kinds
-     of malformed or truncated microdescriptors. Fixes bug 16400;
-     bugfix on 0.2.6.1-alpha. Found by "torkeln"; fix based on a patch by
-     "cypherpunks_backup".

changes/bug17404

@@ -1,6 +0,0 @@
-  o Major bugfixes (security, correctness):
-    - Fix a programming error that could cause us to read 4 bytes before
-      the beginning of an openssl string. This could be used to provoke
-      a crash on systems with an unusual malloc implementation, or
-      systems with unsual hardening installed. Fixes bug 17404; bugfix
-      on 0.2.3.6-alpha.

changes/bug17772

@@ -1,7 +0,0 @@
-  o Major bugfixes (guard selection):
-    - Actually look at the Guard flag when selecting a new directory
-      guard. When we implemented the directory guard design, we
-      accidentally started treating all relays as if they have the Guard
-      flag during guard selection, leading to weaker anonymity and worse
-      performance. Fixes bug 17222; bugfix on 0.2.4.8-alpha. Discovered
-      by Mohsen Imani.

changes/bug17781

@@ -1,3 +0,0 @@
-  o Compilation fixes:
-    - Fix a compilation warning with Clang 3.6: Do not check the
-      presence of an address which can never be NULL. Fixes bug 17781.

changes/bug17906

@@ -1,4 +0,0 @@
-  o Minor features (authorities):
-    - Update the V3 identity key for dannenberg, it was changed on
-      18 November 2015.
-      Closes task #17906. Patch by "teor".

changes/bug18089

@@ -1,6 +0,0 @@
-  o Minor fixes (security):
-    - Make memwipe() do nothing when passed a NULL pointer
-      or zero size. Check size argument to memwipe() for underflow.
-      Closes bug #18089. Reported by "gk", patch by "teor".
-      Bugfix on 0.2.3.25 and 0.2.4.6-alpha (#7352),
-      commit 49dd5ef3 on 7 Nov 2012.

changes/bug18162

@@ -1,7 +0,0 @@
-  o Major bugfixes (security, pointers):
-
-    - Avoid a difficult-to-trigger heap corruption attack when extending
-      a smartlist to contain over 16GB of pointers. Fixes bug #18162;
-      bugfix on Tor 0.1.1.11-alpha, which fixed a related bug
-      incompletely. Reported by Guido Vranken.
-

changes/bug18710

@@ -1,6 +0,0 @@
-  o Major bugfixes (DNS proxy):
-    - Stop a crash that could occur when a client running with DNSPort
-      received a query with multiple address types, where the first
-      address type was not supported. Found and fixed by Scott Dial.
-      Fixes bug 18710; bugfix on 0.2.5.4-alpha.
-

changes/bug20384

@@ -1,10 +0,0 @@
-  o Major features (security fixes):
-    - Prevent a class of security bugs caused by treating the contents
-      of a buffer chunk as if they were a NUL-terminated string. At
-      least one such bug seems to be present in all currently used
-      versions of Tor, and would allow an attacker to remotely crash
-      most Tor instances, especially those compiled with extra compiler
-      hardening. With this defense in place, such bugs can't crash Tor,
-      though we should still fix them as they occur. Closes ticket
-      20384 (TROVE-2016-10-001).
-

changes/bug21018

@@ -1,11 +0,0 @@
-  o Major bugfixes (parsing, security):
-
-    - Fix a bug in parsing that could cause clients to read a single
-      byte past the end of an allocated region. This bug could be
-      used to cause hardened clients (built with
-      --enable-expensive-hardening) to crash if they tried to visit
-      a hostile hidden service.  Non-hardened clients are only
-      affected depending on the details of their platform's memory
-      allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by
-      using libFuzzer. Also tracked as TROVE-2016-12-002 and as
-      CVE-2016-1254.

changes/bug22490

@@ -1,3 +0,0 @@
-  o Minor bugfixes (correctness):
-    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
-      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

changes/bug9495_redux

@@ -1,4 +0,0 @@
-  o Major bugfixes (portability):
-    - Do not crash on startup when running on Solaris. Fixes a bug
-      related to our fix for 9495; bugfix on 0.2.6.1-alpha. Reported
-      by "ruebezahl".

changes/feature15006

@@ -1,4 +0,0 @@
-  o Minor features (controller):
-    - Messages about problems in the bootstrap process now include
-      information about the server we were trying to connect to when we
-      noticed the problem. Closes ticket 15006.

changes/geoip-april2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
-

changes/geoip-april2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the April 5 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-april2017

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2
-      Country database.
-

changes/geoip-august2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-december2015

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the December 1 2015 Maxmind GeoLite2
-      Country database.
-

changes/geoip-december2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-february2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the February 2 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-february2017

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
-      Country database.
-

changes/geoip-january2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-january2017

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
-      Country database.
-

changes/geoip-july2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the July 8 2015 Maxmind GeoLite2 Country database.
-

changes/geoip-july2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-jun2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-june2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
-

changes/geoip-march2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip to the March 3 2015 Maxmind GeoLite2 Country database.
-

changes/geoip-march2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-march2017

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the March 7 2017 Maxmind GeoLite2
-      Country database.
-

changes/geoip-may2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-may2017

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
-      Country database.
-

changes/geoip-november2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-october2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2 Country database.
-

changes/geoip-october2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip-september2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2 Country database.
-

changes/geoip-september2016

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
-      Country database.
-

changes/geoip6-april2015

@@ -1,2 +0,0 @@
-  o Minor features:
-    - Update geoip6 to the April 8 2015 Maxmind GeoLite2 Country database.

changes/geoip6-june2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
-

changes/geoip6-march2015

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Update geoip6 to the March 3 2015 Maxmind GeoLite2 Country database.
-

changes/rsa_init_bug

@@ -1,7 +0,0 @@
-  o Major bugfixes (key management):
-    - If OpenSSL fails to generate an RSA key, do not retain a dangling pointer
-      to the previous (uninitialized) key value. The impact here should be
-      limited to a difficult-to-trigger crash, if OpenSSL is running an
-      engine that makes key generation failures possible, or if OpenSSL runs
-      out of memory. Fixes bug 19152; bugfix on 0.2.1.10-alpha. Found by
-      Yuan Jochen Kang, Suman Jana, and Baishakhi Ray.

changes/ticket14487

@@ -1,3 +0,0 @@
-  o Directory authority IP change:
-    - The directory authority Faravahar has a new IP address. Closes
-      ticket 14487.

changes/ticket15176

@@ -1,3 +0,0 @@
-  o Code simplification and refactoring:
-    - Refactor main loop to extract the 'loop' part.  This makes it easier
-      to run Tor under Shadow. Closes ticket 15176.

changes/ticket15212

@@ -1,6 +0,0 @@
-  o Minor features (heartbeat):
-
-    - On relays, report how many connections we negotiated using each
-      version of the Tor link protocols. This information will let us
-      know if removing support for very old versions of the Tor
-      protocols is harming the network. Closes ticket 15212.

changes/ticket8243

@@ -1,7 +0,0 @@
-  o Minor feature:
-    - The HSDir flag given by authorities now requires the Stable flag. For
-      the current network, this results in going from 2887 to 2806 HSDirs.
-      Also, it makes it harder for an attacker to launch a sybil attack by
-      raising the effort for a relay to become Stable which takes at the
-      very least 7 days to do so and by keeping the 96 hours uptime
-      requirement for HSDir. Implements ticket #8243.

changes/trove-2017-001.2

@@ -1,8 +0,0 @@
-  o Major bugfixes (parsing):
-    - Fix an integer underflow bug when comparing malformed Tor versions.
-      This bug is harmless, except when Tor has been built with
-      --enable-expensive-hardening, which would turn it into a crash;
-      or on Tor 0.2.9.1-alpha through Tor 0.2.9.8, which were built with
-      -ftrapv by default.
-      Part of TROVE-2017-001. Fixes bug 21278; bugfix on
-      0.0.8pre1. Found by OSS-Fuzz.

changes/trove-2017-005

@@ -1,7 +0,0 @@
-  o Major bugfixes (hidden service, relay, security):
-    - Fix an assertion failure caused by receiving a BEGIN_DIR cell on
-      a hidden service rendezvous circuit. Fixes bug 22494, tracked as
-      TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found
-      by armadev.
-
-

src/win32/orconfig.h

@@ -235,7 +235,6 @@
 #define VERSION "0.2.6.12-dev"
 
 
-
 #define HAVE_STRUCT_SOCKADDR_IN6
 #define HAVE_STRUCT_IN6_ADDR
 #define RSHIFT_DOES_SIGN_EXTEND