Compare commits
205 Commits
master
...
release-0.
716
ChangeLog
|
@ -1,3 +1,719 @@
|
||||||
|
Changes in version 0.3.2.10 - 2018-03-03
|
||||||
|
Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It
|
||||||
|
backports a number of bugfixes, including important fixes for security
|
||||||
|
issues.
|
||||||
|
|
||||||
|
It includes an important security fix for a remote crash attack
|
||||||
|
against directory authorities, tracked as TROVE-2018-001.
|
||||||
|
|
||||||
|
Additionally, it backports a fix for a bug whose severity we have
|
||||||
|
upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely
|
||||||
|
triggered in order to crash relays with a use-after-free pattern. As
|
||||||
|
such, we are now tracking that bug as TROVE-2018-002 and
|
||||||
|
CVE-2018-0491, and backporting it to earlier releases. This bug
|
||||||
|
affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version
|
||||||
|
0.3.3.1-alpha.
|
||||||
|
|
||||||
|
This release also backports our new system for improved resistance to
|
||||||
|
denial-of-service attacks against relays.
|
||||||
|
|
||||||
|
This release also fixes several minor bugs and annoyances from
|
||||||
|
earlier releases.
|
||||||
|
|
||||||
|
Relays running 0.3.2.x SHOULD upgrade to one of the versions released
|
||||||
|
today, for the fix to TROVE-2018-002. Directory authorities should
|
||||||
|
also upgrade. (Relays on earlier versions might want to update too for
|
||||||
|
the DoS mitigations.)
|
||||||
|
|
||||||
|
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||||
|
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||||
|
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||||
|
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||||
|
CVE-2018-0490.
|
||||||
|
|
||||||
|
o Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha):
|
||||||
|
- Avoid adding the same channel twice in the KIST scheduler pending
|
||||||
|
list, which could lead to remote denial-of-service use-after-free
|
||||||
|
attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
|
||||||
|
- Give relays some defenses against the recent network overload. We
|
||||||
|
start with three defenses (default parameters in parentheses).
|
||||||
|
First: if a single client address makes too many concurrent
|
||||||
|
connections (>100), hang up on further connections. Second: if a
|
||||||
|
single client address makes circuits too quickly (more than 3 per
|
||||||
|
second, with an allowed burst of 90) while also having too many
|
||||||
|
connections open (3), refuse new create cells for the next while
|
||||||
|
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||||
|
point to you directly, ignore the request. These defenses can be
|
||||||
|
manually controlled by new torrc options, but relays will also
|
||||||
|
take guidance from consensus parameters, so there's no need to
|
||||||
|
configure anything manually. Implements ticket 24902.
|
||||||
|
|
||||||
|
o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
|
||||||
|
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||||
|
onion service side. While we thought we would stop the rendezvous
|
||||||
|
attempt after one failed circuit, we were actually making three
|
||||||
|
circuit attempts before giving up. Now switch to a default of 2,
|
||||||
|
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||||
|
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||||
|
- New-style (v3) onion services now obey the "max rendezvous circuit
|
||||||
|
attempts" logic. Previously they would make as many rendezvous
|
||||||
|
circuit attempts as they could fit in the MAX_REND_TIMEOUT second
|
||||||
|
window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
|
||||||
|
- Add Link protocol version 5 to the supported protocols list. Fixes
|
||||||
|
bug 25070; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (relay, backport from 0.3.3.1-alpha):
|
||||||
|
- Fix a set of false positives where relays would consider
|
||||||
|
connections to other relays as being client-only connections (and
|
||||||
|
thus e.g. deserving different link padding schemes) if those
|
||||||
|
relays fell out of the consensus briefly. Now we look only at the
|
||||||
|
initial handshake and whether the connection authenticated as a
|
||||||
|
relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (scheduler, consensus, backport from 0.3.3.2-alpha):
|
||||||
|
- The scheduler subsystem was failing to promptly notice changes in
|
||||||
|
consensus parameters, making it harder to switch schedulers
|
||||||
|
network-wide. Fixes bug 24975; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
|
||||||
|
- Make our OOM handler aware of the geoip client history cache so it
|
||||||
|
doesn't fill up the memory. This check is important for IPv6 and
|
||||||
|
our DoS mitigation subsystem. Closes ticket 25122.
|
||||||
|
|
||||||
|
o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
|
||||||
|
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||||
|
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||||
|
since they neither disabled TLS 1.3 nor enabled any of the
|
||||||
|
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||||
|
Closes ticket 24978.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
o Minor features (logging, diagnostic, backport from 0.3.3.2-alpha):
|
||||||
|
- When logging a failure to create an onion service's descriptor,
|
||||||
|
also log what the problem with the descriptor was. Diagnostic
|
||||||
|
for ticket 24972.
|
||||||
|
|
||||||
|
o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
|
||||||
|
- Use the actual observed address of an incoming relay connection,
|
||||||
|
not the canonical address of the relay from its descriptor, when
|
||||||
|
making decisions about how to handle the incoming connection.
|
||||||
|
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||||
|
|
||||||
|
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||||
|
- Fix a possible crash on malformed consensus. If a consensus had
|
||||||
|
contained an unparseable protocol line, it could have made clients
|
||||||
|
and relays crash with a null-pointer exception. To exploit this
|
||||||
|
issue, however, an attacker would need to be able to subvert the
|
||||||
|
directory authority system. Fixes bug 25251; bugfix on
|
||||||
|
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||||
|
|
||||||
|
o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
|
||||||
|
- Directory authorities, when refusing a descriptor from a rejected
|
||||||
|
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||||
|
ContactInfo address and contact the bad-relays@ mailing list.
|
||||||
|
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||||
|
|
||||||
|
o Minor bugfixes (build, rust, backport from 0.3.3.1-alpha):
|
||||||
|
- When building with Rust on OSX, link against libresolv, to work
|
||||||
|
around the issue at https://github.com/rust-lang/rust/issues/46797.
|
||||||
|
Fixes bug 24652; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (onion services, backport from 0.3.3.2-alpha):
|
||||||
|
- Remove a BUG() statement when a client fetches an onion descriptor
|
||||||
|
that has a lower revision counter than the one in its cache. This
|
||||||
|
can happen in normal circumstances due to HSDir desync. Fixes bug
|
||||||
|
24976; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
|
||||||
|
- Don't treat inability to store a cached consensus object as a bug:
|
||||||
|
it can happen normally when we are out of disk space. Fixes bug
|
||||||
|
24859; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
|
||||||
|
- Improve the performance of our consensus-diff application code
|
||||||
|
when Tor is built with the --enable-fragile-hardening option set.
|
||||||
|
Fixes bug 24826; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
|
||||||
|
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||||
|
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||||
|
bug 21074; bugfix on 0.0.9pre5.
|
||||||
|
|
||||||
|
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||||
|
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||||
|
0.2.9.4-alpha.
|
||||||
|
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||||
|
bugfix on 0.2.9.4-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (testing, backport from 0.3.3.1-alpha):
|
||||||
|
- Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
|
||||||
|
25005; bugfix on 0.3.2.7-rc.
|
||||||
|
|
||||||
|
o Minor bugfixes (v3 onion services, backport from 0.3.3.2-alpha):
|
||||||
|
- Look at the "HSRend" protocol version, not the "HSDir" protocol
|
||||||
|
version, when deciding whether a consensus entry can support the
|
||||||
|
v3 onion service protocol as a rendezvous point. Fixes bug 25105;
|
||||||
|
bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Code simplification and refactoring (backport from 0.3.3.3-alpha):
|
||||||
|
- Update the "rust dependencies" submodule to be a project-level
|
||||||
|
repository, rather than a user repository. Closes ticket 25323.
|
||||||
|
|
||||||
|
o Documentation (backport from 0.3.3.1-alpha)
|
||||||
|
- Document that operators who run more than one relay or bridge are
|
||||||
|
expected to set MyFamily and ContactInfo correctly. Closes
|
||||||
|
ticket 24526.
|
||||||
|
|
||||||
|
|
||||||
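Review bot: The 0.3.2.10 entry for bug 24700 under "Major bugfixes (scheduler, KIST, denial-of-service, ...)" does not carry the TROVE-2018-002 and CVE-2018-0491 identifiers, although the release summary at the top of this block says the bug is now tracked under both, and the neighbouring entry for bug 25074 ends with "Also tracked as TROVE-2018-001 and CVE-2018-0490." Suggest ending the 24700 entry with "Also tracked as TROVE-2018-002 and CVE-2018-0491." so that operators searching the ChangeLog by identifier land on the fix. Two smaller style points in the same block: the "Documentation (backport from 0.3.3.1-alpha)" heading is missing the trailing colon that every other section heading has, and two headings read "Minor bugfix" where the rest use "Minor bugfixes".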
|
Changes in version 0.3.2.9 - 2018-01-09
|
||||||
|
Tor 0.3.2.9 is the first stable release in the 0.3.2 series.
|
||||||
|
|
||||||
|
The 0.3.2 series includes our long-anticipated new onion service
|
||||||
|
design, with numerous security features. (For more information, see
|
||||||
|
our blog post at https://blog.torproject.org/fall-harvest.) We also
|
||||||
|
have a new circuit scheduler algorithm for improved performance on
|
||||||
|
relays everywhere (see https://blog.torproject.org/kist-and-tell),
|
||||||
|
along with many smaller features and bugfixes.
|
||||||
|
|
||||||
|
Per our stable release policy, we plan to support each stable release
|
||||||
|
series for at least the next nine months, or for three months after
|
||||||
|
the first stable release of the next series: whichever is longer. If
|
||||||
|
you need a release with long-term support, we recommend that you stay
|
||||||
|
with the 0.2.9 series.
|
||||||
|
|
||||||
|
Below is a list of the changes since 0.3.2.8-rc. For a list of all
|
||||||
|
changes since 0.3.1, see the ReleaseNotes file.
|
||||||
|
|
||||||
|
o Minor features (fallback directory mirrors):
|
||||||
|
- The fallback directory list has been re-generated based on the
|
||||||
|
current status of the network. Tor uses fallback directories to
|
||||||
|
bootstrap when it doesn't yet have up-to-date directory
|
||||||
|
information. Closes ticket 24801.
|
||||||
|
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
||||||
|
prefer to bootstrap from fallback directory mirrors. This is a
|
||||||
|
follow-up to 24679, which removed weights from the default
|
||||||
|
fallbacks. Implements ticket 24681.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
o Minor bugfixes (address selection):
|
||||||
|
- When the fascist_firewall_choose_address_ functions don't find a
|
||||||
|
reachable address, set the returned address to the null address
|
||||||
|
and port. This is a precautionary measure, because some callers do
|
||||||
|
not check the return value. Fixes bug 24736; bugfix
|
||||||
|
on 0.2.8.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (compilation):
|
||||||
|
- Resolve a few shadowed-variable warnings in the onion service
|
||||||
|
code. Fixes bug 24634; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (portability, msvc):
|
||||||
|
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||||
|
MSVC. (Note that MSVC is still not a supported build platform, due
|
||||||
|
to cyptographic timing channel risks.) Fixes bug 24633; bugfix
|
||||||
|
on 0.2.9.1-alpha.
|
||||||
|
|
||||||
|
|
||||||
|
Changes in version 0.3.2.8-rc - 2017-12-21
|
||||||
|
Tor 0.3.2.8-rc fixes a pair of bugs in the KIST and KISTLite
|
||||||
|
schedulers that had led servers under heavy load to overload their
|
||||||
|
outgoing connections. All relay operators running earlier 0.3.2.x
|
||||||
|
versions should upgrade. This version also includes a mitigation for
|
||||||
|
over-full DESTROY queues leading to out-of-memory conditions: if it
|
||||||
|
works, we will soon backport it to earlier release series.
|
||||||
|
|
||||||
|
This is the second release candidate in the 0.3.2 series. If we find
|
||||||
|
no new bugs or regression here, then the first stable 0.3.2 release
|
||||||
|
will be nearly identical to this.
|
||||||
|
|
||||||
|
o Major bugfixes (KIST, scheduler):
|
||||||
|
- The KIST scheduler did not correctly account for data already
|
||||||
|
enqueued in each connection's send socket buffer, particularly in
|
||||||
|
cases when the TCP/IP congestion window was reduced between
|
||||||
|
scheduler calls. This situation lead to excessive per-connection
|
||||||
|
buffering in the kernel, and a potential memory DoS. Fixes bug
|
||||||
|
24665; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
o Minor bugfixes (hidden service v3):
|
||||||
|
- Bump hsdir_spread_store parameter from 3 to 4 in order to increase
|
||||||
|
the probability of reaching a service for a client missing
|
||||||
|
microdescriptors. Fixes bug 24425; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (memory usage):
|
||||||
|
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
||||||
|
and reason fields: not the entire 514-byte cell. This fix should
|
||||||
|
help mitigate any bugs or attacks that fill up these queues, and
|
||||||
|
free more RAM for other uses. Fixes bug 24666; bugfix
|
||||||
|
on 0.2.5.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (scheduler, KIST):
|
||||||
|
- Use a sane write limit for KISTLite when writing onto a connection
|
||||||
|
buffer instead of using INT_MAX and shoving as much as it can.
|
||||||
|
Because the OOM handler cleans up circuit queues, we are better
|
||||||
|
off at keeping them in that queue instead of the connection's
|
||||||
|
buffer. Fixes bug 24671; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
|
||||||
|
Changes in version 0.3.2.7-rc - 2017-12-14
|
||||||
|
Tor 0.3.2.7-rc fixes various bugs in earlier versions of Tor,
|
||||||
|
including some that could affect reliability or correctness.
|
||||||
|
|
||||||
|
This is the first release candidate in the 0.3.2 series. If we find no
|
||||||
|
new bugs or regression here, then the first stable 0.3.2. release will
|
||||||
|
be nearly identical to this.
|
||||||
|
|
||||||
|
o Major bugfixes (circuit prediction):
|
||||||
|
- Fix circuit prediction logic so that a client doesn't treat a port
|
||||||
|
as being "handled" by a circuit if that circuit already has
|
||||||
|
isolation settings on it. This change should make Tor clients more
|
||||||
|
responsive by improving their chances of having a pre-created
|
||||||
|
circuit ready for use when a request arrives. Fixes bug 18859;
|
||||||
|
bugfix on 0.2.3.3-alpha.
|
||||||
|
|
||||||
|
o Minor features (logging):
|
||||||
|
- Provide better warnings when the getrandom() syscall fails. Closes
|
||||||
|
ticket 24500.
|
||||||
|
|
||||||
|
o Minor features (portability):
|
||||||
|
- Tor now compiles correctly on arm64 with libseccomp-dev installed.
|
||||||
|
(It doesn't yet work with the sandbox enabled.) Closes
|
||||||
|
ticket 24424.
|
||||||
|
|
||||||
|
o Minor bugfixes (bridge clients, bootstrap):
|
||||||
|
- Retry directory downloads when we get our first bridge descriptor
|
||||||
|
during bootstrap or while reconnecting to the network. Keep
|
||||||
|
retrying every time we get a bridge descriptor, until we have a
|
||||||
|
reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
|
||||||
|
- Stop delaying bridge descriptor fetches when we have cached bridge
|
||||||
|
descriptors. Instead, only delay bridge descriptor fetches when we
|
||||||
|
have at least one reachable bridge. Fixes part of bug 24367;
|
||||||
|
bugfix on 0.2.0.3-alpha.
|
||||||
|
- Stop delaying directory fetches when we have cached bridge
|
||||||
|
descriptors. Instead, only delay bridge descriptor fetches when
|
||||||
|
all our bridges are definitely unreachable. Fixes part of bug
|
||||||
|
24367; bugfix on 0.2.0.3-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (compilation):
|
||||||
|
- Fix a signed/unsigned comparison warning introduced by our fix to
|
||||||
|
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||||
|
|
||||||
|
o Minor bugfixes (correctness):
|
||||||
|
- Fix several places in our codebase where a C compiler would be
|
||||||
|
likely to eliminate a check, based on assuming that undefined
|
||||||
|
behavior had not happened elsewhere in the code. These cases are
|
||||||
|
usually a sign of redundant checking or dubious arithmetic. Found
|
||||||
|
by Georg Koppen using the "STACK" tool from Wang, Zeldovich,
|
||||||
|
Kaashoek, and Solar-Lezama. Fixes bug 24423; bugfix on various
|
||||||
|
Tor versions.
|
||||||
|
|
||||||
|
o Minor bugfixes (onion service v3):
|
||||||
|
- Fix a race where an onion service would launch a new intro circuit
|
||||||
|
after closing an old one, but fail to register it before freeing
|
||||||
|
the previously closed circuit. This bug was making the service
|
||||||
|
unable to find the established intro circuit and thus not upload
|
||||||
|
its descriptor, thus making a service unavailable for up to 24
|
||||||
|
hours. Fixes bug 23603; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (scheduler, KIST):
|
||||||
|
- Properly set the scheduler state of an unopened channel in the
|
||||||
|
KIST scheduler main loop. This prevents a harmless but annoying
|
||||||
|
log warning. Fixes bug 24502; bugfix on 0.3.2.4-alpha.
|
||||||
|
- Avoid a possible integer overflow when computing the available
|
||||||
|
space on the TCP buffer of a channel. This had no security
|
||||||
|
implications; but could make KIST allow too many cells on a
|
||||||
|
saturated connection. Fixes bug 24590; bugfix on 0.3.2.1-alpha.
|
||||||
|
- Downgrade to "info" a harmless warning about the monotonic time
|
||||||
|
moving backwards: This can happen on platform not supporting
|
||||||
|
monotonic time. Fixes bug 23696; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
|
||||||
|
Changes in version 0.3.2.6-alpha - 2017-12-01
|
||||||
|
This version of Tor is the latest in the 0.3.2 alpha series. It
|
||||||
|
includes fixes for several important security issues. All Tor users
|
||||||
|
should upgrade to this release, or to one of the other releases coming
|
||||||
|
out today.
|
||||||
|
|
||||||
|
o Major bugfixes (security):
|
||||||
|
- Fix a denial of service bug where an attacker could use a
|
||||||
|
malformed directory object to cause a Tor instance to pause while
|
||||||
|
OpenSSL would try to read a passphrase from the terminal. (Tor
|
||||||
|
instances run without a terminal, which is the case for most Tor
|
||||||
|
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
||||||
|
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
||||||
|
Found by OSS-Fuzz as testcase 6360145429790720.
|
||||||
|
- Fix a denial of service issue where an attacker could crash a
|
||||||
|
directory authority using a malformed router descriptor. Fixes bug
|
||||||
|
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
|
||||||
|
and CVE-2017-8820.
|
||||||
|
- When checking for replays in the INTRODUCE1 cell data for a
|
||||||
|
(legacy) onion service, correctly detect replays in the RSA-
|
||||||
|
encrypted part of the cell. We were previously checking for
|
||||||
|
replays on the entire cell, but those can be circumvented due to
|
||||||
|
the malleability of Tor's legacy hybrid encryption. This fix helps
|
||||||
|
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
||||||
|
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
||||||
|
and CVE-2017-8819.
|
||||||
|
|
||||||
|
o Major bugfixes (security, onion service v2):
|
||||||
|
- Fix a use-after-free error that could crash v2 Tor onion services
|
||||||
|
when they failed to open circuits while expiring introduction
|
||||||
|
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
|
||||||
|
also tracked as TROVE-2017-013 and CVE-2017-8823.
|
||||||
|
|
||||||
|
o Major bugfixes (security, relay):
|
||||||
|
- When running as a relay, make sure that we never build a path
|
||||||
|
through ourselves, even in the case where we have somehow lost the
|
||||||
|
version of our descriptor appearing in the consensus. Fixes part
|
||||||
|
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
||||||
|
as TROVE-2017-012 and CVE-2017-8822.
|
||||||
|
- When running as a relay, make sure that we never choose ourselves
|
||||||
|
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
|
||||||
|
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
|
||||||
|
|
||||||
|
o Minor feature (relay statistics):
|
||||||
|
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
||||||
|
hours in order to reduce the efficiency of guard discovery
|
||||||
|
attacks. Fixes ticket 23856.
|
||||||
|
|
||||||
|
o Minor features (directory authority):
|
||||||
|
- Add an IPv6 address for the "bastet" directory authority. Closes
|
||||||
|
ticket 24394.
|
||||||
|
|
||||||
|
o Minor bugfixes (client):
|
||||||
|
- By default, do not enable storage of client-side DNS values. These
|
||||||
|
values were unused by default previously, but they should not have
|
||||||
|
been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.
|
||||||
|
|
||||||
|
|
||||||
|
Changes in version 0.3.2.5-alpha - 2017-11-22
|
||||||
|
Tor 0.3.2.5-alpha is the fifth alpha release in the 0.3.2.x series. It
|
||||||
|
fixes several stability and reliability bugs, including a fix for
|
||||||
|
intermittent bootstrapping failures that some people have been seeing
|
||||||
|
since the 0.3.0.x series.
|
||||||
|
|
||||||
|
Please test this alpha out -- many of these fixes will soon be
|
||||||
|
backported to stable Tor versions if no additional bugs are found
|
||||||
|
in them.
|
||||||
|
|
||||||
|
o Major bugfixes (bootstrapping):
|
||||||
|
- Fetch descriptors aggressively whenever we lack enough to build
|
||||||
|
circuits, regardless of how many descriptors we are missing.
|
||||||
|
Previously, we would delay launching the fetch when we had fewer
|
||||||
|
than 15 missing descriptors, even if some of those descriptors
|
||||||
|
were blocking circuits from building. Fixes bug 23985; bugfix on
|
||||||
|
0.1.1.11-alpha. The effects of this bug became worse in
|
||||||
|
0.3.0.3-alpha, when we began treating missing descriptors from our
|
||||||
|
primary guards as a reason to delay circuits.
|
||||||
|
- Don't try fetching microdescriptors from relays that have failed
|
||||||
|
to deliver them in the past. Fixes bug 23817; bugfix
|
||||||
|
on 0.3.0.1-alpha.
|
||||||
|
|
||||||
|
o Minor features (directory authority):
|
||||||
|
- Make the "Exit" flag assignment only depend on whether the exit
|
||||||
|
policy allows connections to ports 80 and 443. Previously relays
|
||||||
|
would get the Exit flag if they allowed connections to one of
|
||||||
|
these ports and also port 6667. Resolves ticket 23637.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
o Minor features (linux seccomp2 sandbox):
|
||||||
|
- Update the sandbox rules so that they should now work correctly
|
||||||
|
with Glibc 2.26. Closes ticket 24315.
|
||||||
|
|
||||||
|
o Minor features (logging):
|
||||||
|
- Downgrade a pair of log messages that could occur when an exit's
|
||||||
|
resolver gave us an unusual (but not forbidden) response. Closes
|
||||||
|
ticket 24097.
|
||||||
|
- Improve the message we log when re-enabling circuit build timeouts
|
||||||
|
after having received a consensus. Closes ticket 20963.
|
||||||
|
|
||||||
|
o Minor bugfixes (compilation):
|
||||||
|
- Fix a memory leak warning in one of the libevent-related
|
||||||
|
configuration tests that could occur when manually specifying
|
||||||
|
-fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha.
|
||||||
|
Found and patched by Alex Xu.
|
||||||
|
- When detecting OpenSSL on Windows from our configure script, make
|
||||||
|
sure to try linking with the ws2_32 library. Fixes bug 23783;
|
||||||
|
bugfix on 0.3.2.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (control port, linux seccomp2 sandbox):
|
||||||
|
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
||||||
|
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
||||||
|
on 0.2.5.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (control port, onion services):
|
||||||
|
- Report "FAILED" instead of "UPLOAD_FAILED" "FAILED" for the
|
||||||
|
HS_DESC event when a service is not able to upload a descriptor.
|
||||||
|
Fixes bug 24230; bugfix on 0.2.7.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (directory cache):
|
||||||
|
- Recover better from empty or corrupt files in the consensus cache
|
||||||
|
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
|
||||||
|
- When a consensus diff calculation is only partially successful,
|
||||||
|
only record the successful parts as having succeeded. Partial
|
||||||
|
success can happen if (for example) one compression method fails
|
||||||
|
but the others succeed. Previously we misrecorded all the
|
||||||
|
calculations as having succeeded, which would later cause a
|
||||||
|
nonfatal assertion failure. Fixes bug 24086; bugfix
|
||||||
|
on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (logging):
|
||||||
|
- Only log once if we notice that KIST support is gone. Fixes bug
|
||||||
|
24158; bugfix on 0.3.2.1-alpha.
|
||||||
|
- Suppress a log notice when relay descriptors arrive. We already
|
||||||
|
have a bootstrap progress for this so no need to log notice
|
||||||
|
everytime tor receives relay descriptors. Microdescriptors behave
|
||||||
|
the same. Fixes bug 23861; bugfix on 0.2.8.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (network layer):
|
||||||
|
- When closing a connection via close_connection_immediately(), we
|
||||||
|
mark it as "not blocked on bandwidth", to prevent later calls from
|
||||||
|
trying to unblock it, and give it permission to read. This fixes a
|
||||||
|
backtrace warning that can happen on relays under various
|
||||||
|
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||||
|
|
||||||
|
o Minor bugfixes (onion services):
|
||||||
|
- The introduction circuit was being timed out too quickly while
|
||||||
|
waiting for the rendezvous circuit to complete. Keep the intro
|
||||||
|
circuit around longer instead of timing out and reopening new ones
|
||||||
|
constantly. Fixes bug 23681; bugfix on 0.2.4.8-alpha.
|
||||||
|
- Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
|
||||||
|
so it matches dir-spec.txt. Fixes bug 24262; bugfix
|
||||||
|
on 0.3.1.1-alpha.
|
||||||
|
- Silence a warning about failed v3 onion descriptor uploads that
|
||||||
|
can happen naturally under certain edge cases. Fixes part of bug
|
||||||
|
23662; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (tests):
|
||||||
|
- Fix a memory leak in one of the bridge-distribution test cases.
|
||||||
|
Fixes bug 24345; bugfix on 0.3.2.3-alpha.
|
||||||
|
- Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(),
|
||||||
|
to correctly handle cases where a caller gives it an RSA key of
|
||||||
|
under 160 bits. (This is not actually a bug in Tor itself, but
|
||||||
|
rather in our fuzzing code.) Fixes bug 24247; bugfix on
|
||||||
|
0.3.0.3-alpha. Found by OSS-Fuzz as issue 4177.
|
||||||
|
|
||||||
|
o Documentation:
|
||||||
|
- Add notes in man page regarding OS support for the various
|
||||||
|
scheduler types. Attempt to use less jargon in the scheduler
|
||||||
|
section. Closes ticket 24254.
|
||||||
|
|
||||||
|
|
||||||
|
Changes in version 0.3.2.4-alpha - 2017-11-08
|
||||||
|
Tor 0.3.2.4-alpha is the fourth alpha release in the 0.3.2.x series.
|
||||||
|
It fixes several stability and reliability bugs, especially including
|
||||||
|
a major reliability issue that has been plaguing fast exit relays in
|
||||||
|
recent months.
|
||||||
|
|
||||||
|
o Major bugfixes (exit relays, DNS):
|
||||||
|
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
|
||||||
|
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
|
||||||
|
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
|
||||||
|
identifying and finding a workaround to this bug and to Moritz,
|
||||||
|
Arthur Edelstein, and Roger for helping to track it down and
|
||||||
|
analyze it.
|
||||||
|
|
||||||
|
o Major bugfixes (scheduler, channel):
|
||||||
|
- Stop processing scheduled channels if they closed while flushing
|
||||||
|
cells. This can happen if the write on the connection fails
|
||||||
|
leading to the channel being closed while in the scheduler loop.
|
||||||
|
Fixes bug 23751; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor features (logging, scheduler):
|
||||||
|
- Introduce a SCHED_BUG() function to log extra information about
|
||||||
|
the scheduler state if we ever catch a bug in the scheduler.
|
||||||
|
Closes ticket 23753.
|
||||||
|
|
||||||
|
o Minor features (removed deprecations):
|
||||||
|
- The ClientDNSRejectInternalAddresses flag can once again be set in
|
||||||
|
non-testing Tor networks, so long as they do not use the default
|
||||||
|
directory authorities. This change also removes the deprecation of
|
||||||
|
this flag from 0.2.9.2-alpha. Closes ticket 21031.
|
||||||
|
|
||||||
|
o Minor features (testing):
|
||||||
|
- Our fuzzing tests now test the encrypted portions of v3 onion
|
||||||
|
service descriptors. Implements more of 21509.
|
||||||
|
|
||||||
|
o Minor bugfixes (directory client):
|
||||||
|
- On failure to download directory information, delay retry attempts
|
||||||
|
by a random amount based on the "decorrelated jitter" algorithm.
|
||||||
|
Our previous delay algorithm tended to produce extra-long delays
|
||||||
|
too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (IPv6, v3 single onion services):
|
||||||
|
- Remove buggy code for IPv6-only v3 single onion services, and
|
||||||
|
reject attempts to configure them. This release supports IPv4,
|
||||||
|
dual-stack, and IPv6-only v3 onion services; and IPv4 and dual-
|
||||||
|
stack v3 single onion services. Fixes bug 23820; bugfix
|
||||||
|
on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (logging, relay):
|
||||||
|
- Give only a protocol warning when the ed25519 key is not
|
||||||
|
consistent between the descriptor and microdescriptor of a relay.
|
||||||
|
This can happen, for instance, if the relay has been flagged
|
||||||
|
NoEdConsensus. Fixes bug 24025; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (manpage, onion service):
|
||||||
|
- Document that the HiddenServiceNumIntroductionPoints option is
|
||||||
|
0-10 for v2 services and 0-20 for v3 services. Fixes bug 24115;
|
||||||
|
bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (memory leaks):
|
||||||
|
- Fix a minor memory leak at exit in the KIST scheduler. This bug
|
||||||
|
should have no user-visible impact. Fixes bug 23774; bugfix
|
||||||
|
on 0.3.2.1-alpha.
|
||||||
|
- Fix a memory leak when decrypting a badly formatted v3 onion
|
||||||
|
service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
|
||||||
|
Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.
|
||||||
|
|
||||||
|
o Minor bugfixes (onion services):
|
||||||
|
- Cache some needed onion service client information instead of
|
||||||
|
constantly computing it over and over again. Fixes bug 23623;
|
||||||
|
bugfix on 0.3.2.1-alpha.
|
||||||
|
- Properly retry HSv3 descriptor fetches when missing required
|
||||||
|
directory information. Fixes bug 23762; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (path selection):
|
||||||
|
- When selecting relays by bandwidth, avoid a rounding error that
|
||||||
|
could sometimes cause load to be imbalanced incorrectly.
|
||||||
|
Previously, we would always round upwards; now, we round towards
|
||||||
|
the nearest integer. This had the biggest effect when a relay's
|
||||||
|
weight adjustments should have given it weight 0, but it got
|
||||||
|
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||||
|
- When calculating the fraction of nodes that have descriptors, and
|
||||||
|
all nodes in the network have zero bandwidths, count the number of
|
||||||
|
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||||
|
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||||
|
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (relay, crash):
|
||||||
|
- Avoid a crash when transitioning from client mode to bridge mode.
|
||||||
|
Previously, we would launch the worker threads whenever our
|
||||||
|
"public server" mode changed, but not when our "server" mode
|
||||||
|
changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (testing):
|
||||||
|
- Fix a spurious fuzzing-only use of an uninitialized value. Found
|
||||||
|
by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
|
||||||
|
- Test that IPv6-only clients can use microdescriptors when running
|
||||||
|
"make test-network-all". Requires chutney master 61c28b9 or later.
|
||||||
|
Closes ticket 24109.
|
||||||
|
|
||||||
|
|
||||||
|
Changes in version 0.3.2.3-alpha - 2017-10-27
|
||||||
|
Tor 0.3.2.3-alpha is the third release in the 0.3.2 series. It fixes
|
||||||
|
numerous small bugs in earlier versions of 0.3.2.x, and adds a new
|
||||||
|
directory authority, Bastet.
|
||||||
|
|
||||||
|
o Directory authority changes:
|
||||||
|
- Add "Bastet" as a ninth directory authority to the default list.
|
||||||
|
Closes ticket 23910.
|
||||||
|
- The directory authority "Longclaw" has changed its IP address.
|
||||||
|
Closes ticket 23592.
|
||||||
|
|
||||||
|
o Minor features (bridge):
|
||||||
|
- Bridge relays can now set the BridgeDistribution config option to
|
||||||
|
add a "bridge-distribution-request" line to their bridge
|
||||||
|
descriptor, which tells BridgeDB how they'd like their bridge
|
||||||
|
address to be given out. (Note that as of Oct 2017, BridgeDB does
|
||||||
|
not yet implement this feature.) As a side benefit, this feature
|
||||||
|
provides a way to distinguish bridge descriptors from non-bridge
|
||||||
|
descriptors. Implements tickets 18329.
|
||||||
|
|
||||||
|
o Minor features (client, entry guards):
|
||||||
|
- Improve log messages when missing descriptors for primary guards.
|
||||||
|
Resolves ticket 23670.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
o Minor bugfixes (bridge):
|
||||||
|
- Overwrite the bridge address earlier in the process of retrieving
|
||||||
|
its descriptor, to make sure we reach it on the configured
|
||||||
|
address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (documentation):
|
||||||
|
- Document better how to read gcov, and what our gcov postprocessing
|
||||||
|
scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (entry guards):
|
||||||
|
- Tor now updates its guard state when it reads a consensus
|
||||||
|
regardless of whether it's missing descriptors. That makes tor use
|
||||||
|
its primary guards to fetch descriptors in some edge cases where
|
||||||
|
it would previously have used fallback directories. Fixes bug
|
||||||
|
23862; bugfix on 0.3.0.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (hidden service client):
|
||||||
|
- When handling multiple SOCKS request for the same .onion address,
|
||||||
|
only fetch the service descriptor once.
|
||||||
|
- When a descriptor fetch fails with a non-recoverable error, close
|
||||||
|
all pending SOCKS requests for that .onion. Fixes bug 23653;
|
||||||
|
bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (hidden service):
|
||||||
|
- Always regenerate missing hidden service public key files. Prior
|
||||||
|
to this, if the public key was deleted from disk, it wouldn't get
|
||||||
|
recreated. Fixes bug 23748; bugfix on 0.3.2.2-alpha. Patch
|
||||||
|
from "cathugger".
|
||||||
|
- Make sure that we have a usable ed25519 key when the intro point
|
||||||
|
relay supports ed25519 link authentication. Fixes bug 24002;
|
||||||
|
bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (hidden service, v2):
|
||||||
|
- When reloading configured hidden services, copy all information
|
||||||
|
from the old service object. Previously, some data was omitted,
|
||||||
|
causing delays in descriptor upload, and other bugs. Fixes bug
|
||||||
|
23790; bugfix on 0.2.1.9-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (memory safety, defensive programming):
|
||||||
|
- Clear the target address when node_get_prim_orport() returns
|
||||||
|
early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (relay):
|
||||||
|
- Avoid a BUG warning when receiving a dubious CREATE cell while an
|
||||||
|
option transition is in progress. Fixes bug 23952; bugfix
|
||||||
|
on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (testing):
|
||||||
|
- Adjust the GitLab CI configuration to more closely match that of
|
||||||
|
Travis CI. Fixes bug 23757; bugfix on 0.3.2.2-alpha.
|
||||||
|
- Prevent scripts/test/coverage from attempting to move gcov output
|
||||||
|
to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
|
||||||
|
- When running unit tests as root, skip a test that would fail
|
||||||
|
because it expects a permissions error. This affects some
|
||||||
|
continuous integration setups. Fixes bug 23758; bugfix
|
||||||
|
on 0.3.2.2-alpha.
|
||||||
|
- Stop unconditionally mirroring the tor repository in GitLab CI.
|
||||||
|
This prevented developers from enabling GitLab CI on master. Fixes
|
||||||
|
bug 23755; bugfix on 0.3.2.2-alpha.
|
||||||
|
- Fix the hidden service v3 descriptor decoding fuzzing to use the
|
||||||
|
latest decoding API correctly. Fixes bug 21509; bugfix
|
||||||
|
on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (warnings):
|
||||||
|
- When we get an HTTP request on a SOCKS port, tell the user about
|
||||||
|
the new HTTPTunnelPort option. Previously, we would give a "Tor is
|
||||||
|
not an HTTP Proxy" message, which stopped being true when
|
||||||
|
HTTPTunnelPort was introduced. Fixes bug 23678; bugfix
|
||||||
|
on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.3.2.2-alpha - 2017-09-29
|
Changes in version 0.3.2.2-alpha - 2017-09-29
|
||||||
Tor 0.3.2.2-alpha is the second release in the 0.3.2 series. This
|
Tor 0.3.2.2-alpha is the second release in the 0.3.2 series. This
|
||||||
release fixes several minor bugs in the new scheduler and next-
|
release fixes several minor bugs in the new scheduler and next-
|
||||||
|
|
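Review bot: the "Minor bugfixes (hidden service client)" entry in the 0.3.2.3-alpha section that begins "When handling multiple SOCKS request for the same .onion address" has no "Fixes bug N; bugfix on X" trailer, so it cannot be traced to a ticket the way the entry right after it can (bug 23653). Add the reference, or merge the two entries if both belong to 23653, and make it "requests". Under "Minor bugfixes (path selection)" in 0.3.2.4-alpha, two entries both say "Fixes bug 23318" with different "bugfix on" versions (0.2.4.3-alpha and 0.2.4.10-alpha). If they are two halves of one ticket, "Fixes part of bug 23318" would match the wording used for bug 23662; otherwise please confirm the second number. Smaller wording points: "everytime" in the bug 23861 logging entry should be "every time", and "Implements tickets 18329" in the BridgeDistribution entry names a single ticket.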
909
ReleaseNotes
|
@ -2,6 +2,915 @@ This document summarizes new features and bugfixes in each stable release
|
||||||
of Tor. If you want to see more detailed descriptions of the changes in
|
of Tor. If you want to see more detailed descriptions of the changes in
|
||||||
each development snapshot, see the ChangeLog file.
|
each development snapshot, see the ChangeLog file.
|
||||||
|
|
||||||
|
Changes in version 0.3.2.10 - 2018-03-03
|
||||||
|
Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It
|
||||||
|
backports a number of bugfixes, including important fixes for security
|
||||||
|
issues.
|
||||||
|
|
||||||
|
It includes an important security fix for a remote crash attack
|
||||||
|
against directory authorities, tracked as TROVE-2018-001.
|
||||||
|
|
||||||
|
Additionally, it backports a fix for a bug whose severity we have
|
||||||
|
upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely
|
||||||
|
triggered in order to crash relays with a use-after-free pattern. As
|
||||||
|
such, we are now tracking that bug as TROVE-2018-002 and
|
||||||
|
CVE-2018-0491, and backporting it to earlier releases. This bug
|
||||||
|
affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version
|
||||||
|
0.3.3.1-alpha.
|
||||||
|
|
||||||
|
This release also backports our new system for improved resistance to
|
||||||
|
denial-of-service attacks against relays.
|
||||||
|
|
||||||
|
This release also fixes several minor bugs and annoyances from
|
||||||
|
earlier releases.
|
||||||
|
|
||||||
|
Relays running 0.3.2.x SHOULD upgrade to one of the versions released
|
||||||
|
today, for the fix to TROVE-2018-002. Directory authorities should
|
||||||
|
also upgrade. (Relays on earlier versions might want to update too for
|
||||||
|
the DoS mitigations.)
|
||||||
|
|
||||||
|
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||||
|
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||||
|
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||||
|
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||||
|
CVE-2018-0490.
|
||||||
|
|
||||||
|
o Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha):
|
||||||
|
- Avoid adding the same channel twice in the KIST scheduler pending
|
||||||
|
list, which could lead to remote denial-of-service use-after-free
|
||||||
|
attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
|
||||||
|
- Give relays some defenses against the recent network overload. We
|
||||||
|
start with three defenses (default parameters in parentheses).
|
||||||
|
First: if a single client address makes too many concurrent
|
||||||
|
connections (>100), hang up on further connections. Second: if a
|
||||||
|
single client address makes circuits too quickly (more than 3 per
|
||||||
|
second, with an allowed burst of 90) while also having too many
|
||||||
|
connections open (3), refuse new create cells for the next while
|
||||||
|
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||||
|
point to you directly, ignore the request. These defenses can be
|
||||||
|
manually controlled by new torrc options, but relays will also
|
||||||
|
take guidance from consensus parameters, so there's no need to
|
||||||
|
configure anything manually. Implements ticket 24902.
|
||||||
|
|
||||||
|
o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
|
||||||
|
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||||
|
onion service side. While we thought we would stop the rendezvous
|
||||||
|
attempt after one failed circuit, we were actually making three
|
||||||
|
circuit attempts before giving up. Now switch to a default of 2,
|
||||||
|
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||||
|
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||||
|
- New-style (v3) onion services now obey the "max rendezvous circuit
|
||||||
|
attempts" logic. Previously they would make as many rendezvous
|
||||||
|
circuit attempts as they could fit in the MAX_REND_TIMEOUT second
|
||||||
|
window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
|
||||||
|
- Add Link protocol version 5 to the supported protocols list. Fixes
|
||||||
|
bug 25070; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (relay, backport from 0.3.3.1-alpha):
|
||||||
|
- Fix a set of false positives where relays would consider
|
||||||
|
connections to other relays as being client-only connections (and
|
||||||
|
thus e.g. deserving different link padding schemes) if those
|
||||||
|
relays fell out of the consensus briefly. Now we look only at the
|
||||||
|
initial handshake and whether the connection authenticated as a
|
||||||
|
relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (scheduler, consensus, backport from 0.3.3.2-alpha):
|
||||||
|
- The scheduler subsystem was failing to promptly notice changes in
|
||||||
|
consensus parameters, making it harder to switch schedulers
|
||||||
|
network-wide. Fixes bug 24975; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
|
||||||
|
- Make our OOM handler aware of the geoip client history cache so it
|
||||||
|
doesn't fill up the memory. This check is important for IPv6 and
|
||||||
|
our DoS mitigation subsystem. Closes ticket 25122.
|
||||||
|
|
||||||
|
o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
|
||||||
|
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||||
|
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||||
|
since they neither disabled TLS 1.3 nor enabled any of the
|
||||||
|
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||||
|
Closes ticket 24978.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
o Minor features (logging, diagnostic, backport from 0.3.3.2-alpha):
|
||||||
|
- When logging a failure to create an onion service's descriptor,
|
||||||
|
also log what the problem with the descriptor was. Diagnostic
|
||||||
|
for ticket 24972.
|
||||||
|
|
||||||
|
o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
|
||||||
|
- Use the actual observed address of an incoming relay connection,
|
||||||
|
not the canonical address of the relay from its descriptor, when
|
||||||
|
making decisions about how to handle the incoming connection.
|
||||||
|
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||||
|
|
||||||
|
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||||
|
- Fix a possible crash on malformed consensus. If a consensus had
|
||||||
|
contained an unparseable protocol line, it could have made clients
|
||||||
|
and relays crash with a null-pointer exception. To exploit this
|
||||||
|
issue, however, an attacker would need to be able to subvert the
|
||||||
|
directory authority system. Fixes bug 25251; bugfix on
|
||||||
|
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||||
|
|
||||||
|
o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
|
||||||
|
- Directory authorities, when refusing a descriptor from a rejected
|
||||||
|
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||||
|
ContactInfo address and contact the bad-relays@ mailing list.
|
||||||
|
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||||
|
|
||||||
|
o Minor bugfixes (build, rust, backport from 0.3.3.1-alpha):
|
||||||
|
- When building with Rust on OSX, link against libresolv, to work
|
||||||
|
around the issue at https://github.com/rust-lang/rust/issues/46797.
|
||||||
|
Fixes bug 24652; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (onion services, backport from 0.3.3.2-alpha):
|
||||||
|
- Remove a BUG() statement when a client fetches an onion descriptor
|
||||||
|
that has a lower revision counter than the one in its cache. This
|
||||||
|
can happen in normal circumstances due to HSDir desync. Fixes bug
|
||||||
|
24976; bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
|
||||||
|
- Don't treat inability to store a cached consensus object as a bug:
|
||||||
|
it can happen normally when we are out of disk space. Fixes bug
|
||||||
|
24859; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
|
||||||
|
- Improve the performance of our consensus-diff application code
|
||||||
|
when Tor is built with the --enable-fragile-hardening option set.
|
||||||
|
Fixes bug 24826; bugfix on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
|
||||||
|
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||||
|
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||||
|
bug 21074; bugfix on 0.0.9pre5.
|
||||||
|
|
||||||
|
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||||
|
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||||
|
0.2.9.4-alpha.
|
||||||
|
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||||
|
bugfix on 0.2.9.4-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (testing, backport from 0.3.3.1-alpha):
|
||||||
|
- Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
|
||||||
|
25005; bugfix on 0.3.2.7-rc.
|
||||||
|
|
||||||
|
o Minor bugfixes (v3 onion services, backport from 0.3.3.2-alpha):
|
||||||
|
- Look at the "HSRend" protocol version, not the "HSDir" protocol
|
||||||
|
version, when deciding whether a consensus entry can support the
|
||||||
|
v3 onion service protocol as a rendezvous point. Fixes bug 25105;
|
||||||
|
bugfix on 0.3.2.1-alpha.
|
||||||
|
|
||||||
|
o Code simplification and refactoring (backport from 0.3.3.3-alpha):
|
||||||
|
- Update the "rust dependencies" submodule to be a project-level
|
||||||
|
repository, rather than a user repository. Closes ticket 25323.
|
||||||
|
|
||||||
|
o Documentation (backport from 0.3.3.1-alpha)
|
||||||
|
- Document that operators who run more than one relay or bridge are
|
||||||
|
expected to set MyFamily and ContactInfo correctly. Closes
|
||||||
|
ticket 24526.
|
||||||
|
|
||||||
|
|
||||||
|
Changes in version 0.3.2.9 - 2018-01-09
|
||||||
|
Tor 0.3.2.9 is the first stable release in the 0.3.2 series.
|
||||||
|
|
||||||
|
The 0.3.2 series includes our long-anticipated new onion service
|
||||||
|
design, with numerous security features. (For more information, see
|
||||||
|
our blog post at https://blog.torproject.org/fall-harvest.) We also
|
||||||
|
have a new circuit scheduler algorithm for improved performance on
|
||||||
|
relays everywhere (see https://blog.torproject.org/kist-and-tell),
|
||||||
|
along with many smaller features and bugfixes.
|
||||||
|
|
||||||
|
Per our stable release policy, we plan to support each stable release
|
||||||
|
series for at least the next nine months, or for three months after
|
||||||
|
the first stable release of the next series: whichever is longer. If
|
||||||
|
you need a release with long-term support, we recommend that you stay
|
||||||
|
with the 0.2.9 series.
|
||||||
|
|
||||||
|
Below is a list of the changes since 0.3.1.7. For a list of all
|
||||||
|
changes since 0.3.2.8-rc, see the ChangeLog file.
|
||||||
|
|
||||||
|
o Directory authority changes:
|
||||||
|
- Add "Bastet" as a ninth directory authority to the default list.
|
||||||
|
Closes ticket 23910.
|
||||||
|
- The directory authority "Longclaw" has changed its IP address.
|
||||||
|
Closes ticket 23592.
|
||||||
|
- Remove longclaw's IPv6 address, as it will soon change. Authority
|
||||||
|
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
|
||||||
|
3/8 directory authorities with IPv6 addresses, but there are also
|
||||||
|
52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
|
||||||
|
- Add an IPv6 address for the "bastet" directory authority. Closes
|
||||||
|
ticket 24394.
|
||||||
|
|
||||||
|
o Major features (next-generation onion services):
|
||||||
|
- Tor now supports the next-generation onion services protocol for
|
||||||
|
clients and services! As part of this release, the core of
|
||||||
|
proposal 224 has been implemented and is available for
|
||||||
|
experimentation and testing by our users. This newer version of
|
||||||
|
onion services ("v3") features many improvements over the legacy
|
||||||
|
system, including:
|
||||||
|
|
||||||
|
a) Better crypto (replaced SHA1/DH/RSA1024
|
||||||
|
with SHA3/ed25519/curve25519)
|
||||||
|
|
||||||
|
b) Improved directory protocol, leaking much less information to
|
||||||
|
directory servers.
|
||||||
|
|
||||||
|
c) Improved directory protocol, with smaller surface for
|
||||||
|
targeted attacks.
|
||||||
|
|
||||||
|
d) Better onion address security against impersonation.
|
||||||
|
|
||||||
|
e) More extensible introduction/rendezvous protocol.
|
||||||
|
|
||||||
|
f) A cleaner and more modular codebase.
|
||||||
|
|
||||||
|
You can identify a next-generation onion address by its length:
|
||||||
|
they are 56 characters long, as in
|
||||||
|
"4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion".
|
||||||
|
|
||||||
|
In the future, we will release more options and features for v3
|
||||||
|
onion services, but we first need a testing period, so that the
|
||||||
|
current codebase matures and becomes more robust. Planned features
|
||||||
|
include: offline keys, advanced client authorization, improved
|
||||||
|
guard algorithms, and statistics. For full details, see
|
||||||
|
proposal 224.
|
||||||
|
|
||||||
|
Legacy ("v2") onion services will still work for the foreseeable
|
||||||
|
future, and will remain the default until this new codebase gets
|
||||||
|
tested and hardened. Service operators who want to experiment with
|
||||||
|
the new system can use the 'HiddenServiceVersion 3' torrc
|
||||||
|
directive along with the regular onion service configuration
|
||||||
|
options. For more information, see our blog post at
|
||||||
|
"https://blog.torproject.org/fall-harvest". Enjoy!
|
||||||
|
|
||||||
|
o Major feature (scheduler, channel):
|
||||||
|
- Tor now uses new schedulers to decide which circuits should
|
||||||
|
deliver cells first, in order to improve congestion at relays. The
|
||||||
|
first type is called "KIST" ("Kernel Informed Socket Transport"),
|
||||||
|
and is only available on Linux-like systems: it uses feedback from
|
||||||
|
the kernel to prevent the kernel's TCP buffers from growing too
|
||||||
|
full. The second new scheduler type is called "KISTLite": it
|
||||||
|
behaves the same as KIST, but runs on systems without kernel
|
||||||
|
support for inspecting TCP implementation details. The old
|
||||||
|
scheduler is still available, under the name "Vanilla". To change
|
||||||
|
the default scheduler preference order, use the new "Schedulers"
|
||||||
|
option. (The default preference order is "KIST,KISTLite,Vanilla".)
|
||||||
|
|
||||||
|
Matt Traudt implemented KIST, based on research by Rob Jansen,
|
||||||
|
John Geddes, Christ Wacek, Micah Sherr, and Paul Syverson. For
|
||||||
|
more information, see the design paper at
|
||||||
|
http://www.robgjansen.com/publications/kist-sec2014.pdf and the
|
||||||
|
followup implementation paper at https://arxiv.org/abs/1709.01044.
|
||||||
|
Closes ticket 12541. For more information, see our blog post at
|
||||||
|
"https://blog.torproject.org/kist-and-tell".
|
||||||
|
|
||||||
|
o Major bugfixes (security, general):
|
||||||
|
- Fix a denial of service bug where an attacker could use a
|
||||||
|
malformed directory object to cause a Tor instance to pause while
|
||||||
|
OpenSSL would try to read a passphrase from the terminal. (Tor
|
||||||
|
instances run without a terminal, which is the case for most Tor
|
||||||
|
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
||||||
|
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
||||||
|
Found by OSS-Fuzz as testcase 6360145429790720.
|
||||||
|
|
||||||
|
o Major bugfixes (security, directory authority):
|
||||||
|
- Fix a denial of service issue where an attacker could crash a
|
||||||
|
directory authority using a malformed router descriptor. Fixes bug
|
||||||
|
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
|
||||||
|
and CVE-2017-8820.
|
||||||
|
|
||||||
|
o Major bugfixes (security, onion service v2):
|
||||||
|
- Fix a use-after-free error that could crash v2 Tor onion services
|
||||||
|
when they failed to open circuits while expiring introduction
|
||||||
|
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
|
||||||
|
also tracked as TROVE-2017-013 and CVE-2017-8823.
|
||||||
|
- When checking for replays in the INTRODUCE1 cell data for a
|
||||||
|
(legacy) onion service, correctly detect replays in the RSA-
|
||||||
|
encrypted part of the cell. We were previously checking for
|
||||||
|
replays on the entire cell, but those can be circumvented due to
|
||||||
|
the malleability of Tor's legacy hybrid encryption. This fix helps
|
||||||
|
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
||||||
|
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
||||||
|
and CVE-2017-8819.
|
||||||
|
|
||||||
|
o Major bugfixes (security, relay):
|
||||||
|
- When running as a relay, make sure that we never build a path
|
||||||
|
through ourselves, even in the case where we have somehow lost the
|
||||||
|
version of our descriptor appearing in the consensus. Fixes part
|
||||||
|
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
||||||
|
as TROVE-2017-012 and CVE-2017-8822.
|
||||||
|
- When running as a relay, make sure that we never choose ourselves
|
||||||
|
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
|
||||||
|
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
|
||||||
|
|
||||||
|
o Major bugfixes (bootstrapping):
|
||||||
|
- Fetch descriptors aggressively whenever we lack enough to build
|
||||||
|
circuits, regardless of how many descriptors we are missing.
|
||||||
|
Previously, we would delay launching the fetch when we had fewer
|
||||||
|
than 15 missing descriptors, even if some of those descriptors
|
||||||
|
were blocking circuits from building. Fixes bug 23985; bugfix on
|
||||||
|
0.1.1.11-alpha. The effects of this bug became worse in
|
||||||
|
0.3.0.3-alpha, when we began treating missing descriptors from our
|
||||||
|
primary guards as a reason to delay circuits.
|
||||||
|
- Don't try fetching microdescriptors from relays that have failed
|
||||||
|
to deliver them in the past. Fixes bug 23817; bugfix
|
||||||
|
on 0.3.0.1-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (circuit prediction):
|
||||||
|
- Fix circuit prediction logic so that a client doesn't treat a port
|
||||||
|
as being "handled" by a circuit if that circuit already has
|
||||||
|
isolation settings on it. This change should make Tor clients more
|
||||||
|
responsive by improving their chances of having a pre-created
|
||||||
|
circuit ready for use when a request arrives. Fixes bug 18859;
|
||||||
|
bugfix on 0.2.3.3-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (exit relays, DNS):
|
||||||
|
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
|
||||||
|
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
|
||||||
|
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
|
||||||
|
identifying and finding a workaround to this bug and to Moritz,
|
||||||
|
Arthur Edelstein, and Roger for helping to track it down and
|
||||||
|
analyze it.
|
||||||
|
|
||||||
|
o Major bugfixes (relay, crash, assertion failure):
|
||||||
|
- Fix a timing-based assertion failure that could occur when the
|
||||||
|
circuit out-of-memory handler freed a connection's output buffer.
|
||||||
|
Fixes bug 23690; bugfix on 0.2.6.1-alpha.
|
||||||
|
|
||||||
|
o Major bugfixes (usability, control port):
|
||||||
|
- Report trusted clock skew indications as bootstrap errors, so
|
||||||
|
controllers can more easily alert users when their clocks are
|
||||||
|
wrong. Fixes bug 23506; bugfix on 0.1.2.6-alpha.
|
||||||
|
|
||||||
|
o Minor features (bridge):
|
||||||
|
- Bridge relays can now set the BridgeDistribution config option to
|
||||||
|
add a "bridge-distribution-request" line to their bridge
|
||||||
|
descriptor, which tells BridgeDB how they'd like their bridge
|
||||||
|
address to be given out. (Note that as of Oct 2017, BridgeDB does
|
||||||
|
not yet implement this feature.) As a side benefit, this feature
|
||||||
|
provides a way to distinguish bridge descriptors from non-bridge
|
||||||
|
descriptors. Implements tickets 18329.
|
||||||
|
- When handling the USERADDR command on an ExtOrPort, warn when the
|
||||||
|
transports provides a USERADDR with no port. In a future version,
|
||||||
|
USERADDR commands of this format may be rejected. Detects problems
|
||||||
|
related to ticket 23080.
|
||||||
|
|
||||||
|
o Minor features (bug detection):
|
||||||
|
- Log a warning message with a stack trace for any attempt to call
|
||||||
|
get_options() during option validation. This pattern has caused
|
||||||
|
subtle bugs in the past. Closes ticket 22281.
|
||||||
|
|
||||||
|
o Minor features (build, compilation):
|
||||||
|
- The "check-changes" feature is now part of the "make check" tests;
|
||||||
|
we'll use it to try to prevent misformed changes files from
|
||||||
|
accumulating. Closes ticket 23564.
|
||||||
|
- Tor builds should now fail if there are any mismatches between the
|
||||||
|
C type representing a configuration variable and the C type the
|
||||||
|
data-driven parser uses to store a value there. Previously, we
|
||||||
|
needed to check these by hand, which sometimes led to mistakes.
|
||||||
|
Closes ticket 23643.
|
||||||
|
|
||||||
|
o Minor features (client):
|
||||||
|
- You can now use Tor as a tunneled HTTP proxy: use the new
|
||||||
|
HTTPTunnelPort option to open a port that accepts HTTP CONNECT
|
||||||
|
requests. Closes ticket 22407.
|
||||||
|
- Add an extra check to make sure that we always use the newer guard
|
||||||
|
selection code for picking our guards. Closes ticket 22779.
|
||||||
|
- When downloading (micro)descriptors, don't split the list into
|
||||||
|
multiple requests unless we want at least 32 descriptors.
|
||||||
|
Previously, we split at 4, not 32, which led to significant
|
||||||
|
overhead in HTTP request size and degradation in compression
|
||||||
|
performance. Closes ticket 23220.
|
||||||
|
- Improve log messages when missing descriptors for primary guards.
|
||||||
|
Resolves ticket 23670.
|
||||||
|
|
||||||
|
o Minor features (command line):
|
||||||
|
- Add a new commandline option, --key-expiration, which prints when
|
||||||
|
the current signing key is going to expire. Implements ticket
|
||||||
|
17639; patch by Isis Lovecruft.
|
||||||
|
|
||||||
|
o Minor features (control port):
|
||||||
|
- If an application tries to use the control port as an HTTP proxy,
|
||||||
|
respond with a meaningful "This is the Tor control port" message,
|
||||||
|
and log the event. Closes ticket 1667. Patch from Ravi
|
||||||
|
Chandra Padmala.
|
||||||
|
- Provide better error message for GETINFO desc/(id|name) when not
|
||||||
|
fetching router descriptors. Closes ticket 5847. Patch by
|
||||||
|
Kevin Butler.
|
||||||
|
- Add GETINFO "{desc,md}/download-enabled", to inform the controller
|
||||||
|
whether Tor will try to download router descriptors and
|
||||||
|
microdescriptors respectively. Closes ticket 22684.
|
||||||
|
- Added new GETINFO targets "ip-to-country/{ipv4,ipv6}-available",
|
||||||
|
so controllers can tell whether the geoip databases are loaded.
|
||||||
|
Closes ticket 23237.
|
||||||
|
- Adds a timestamp field to the CIRC_BW and STREAM_BW bandwidth
|
||||||
|
events. Closes ticket 19254. Patch by "DonnchaC".
|
||||||
|
|
||||||
|
o Minor features (development support):
|
||||||
|
- Developers can now generate a call-graph for Tor using the
|
||||||
|
"calltool" python program, which post-processes object dumps. It
|
||||||
|
should work okay on many Linux and OSX platforms, and might work
|
||||||
|
elsewhere too. To run it, install calltool from
|
||||||
|
https://gitweb.torproject.org/user/nickm/calltool.git and run
|
||||||
|
"make callgraph". Closes ticket 19307.
|
||||||
|
|
||||||
|
o Minor features (directory authority):
|
||||||
|
- Make the "Exit" flag assignment only depend on whether the exit
|
||||||
|
policy allows connections to ports 80 and 443. Previously relays
|
||||||
|
would get the Exit flag if they allowed connections to one of
|
||||||
|
these ports and also port 6667. Resolves ticket 23637.
|
||||||
|
|
||||||
|
o Minor features (ed25519):
|
||||||
|
- Add validation function to checks for torsion components in
|
||||||
|
ed25519 public keys, used by prop224 client-side code. Closes
|
||||||
|
ticket 22006. Math help by Ian Goldberg.
|
||||||
|
|
||||||
|
o Minor features (exit relay, DNS):
|
||||||
|
- Improve the clarity and safety of the log message from evdns when
|
||||||
|
receiving an apparently spoofed DNS reply. Closes ticket 3056.
|
||||||
|
|
||||||
|
o Minor features (fallback directory mirrors):
|
||||||
|
- The fallback directory list has been re-generated based on the
|
||||||
|
current status of the network. Tor uses fallback directories to
|
||||||
|
bootstrap when it doesn't yet have up-to-date directory
|
||||||
|
information. Closes ticket 24801.
|
||||||
|
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
||||||
|
prefer to bootstrap from fallback directory mirrors. This is a
|
||||||
|
follow-up to 24679, which removed weights from the default
|
||||||
|
fallbacks. Implements ticket 24681.
|
||||||
|
|
||||||
|
o Minor features (geoip):
|
||||||
|
- Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
|
||||||
|
Country database.
|
||||||
|
|
||||||
|
o Minor features (integration, hardening):
|
||||||
|
- Add a new NoExec option to prevent Tor from running other
|
||||||
|
programs. When this option is set to 1, Tor will never try to run
|
||||||
|
another program, regardless of the settings of
|
||||||
|
PortForwardingHelper, ClientTransportPlugin, or
|
||||||
|
ServerTransportPlugin. Once NoExec is set, it cannot be disabled
|
||||||
|
without restarting Tor. Closes ticket 22976.
|
||||||
|
|
||||||
|
o Minor features (linux seccomp2 sandbox):
|
||||||
|
- Update the sandbox rules so that they should now work correctly
|
||||||
|
with Glibc 2.26. Closes ticket 24315.
|
||||||
|
|
||||||
|
o Minor features (logging):
|
||||||
|
- Provide better warnings when the getrandom() syscall fails. Closes
|
||||||
|
ticket 24500.
|
||||||
|
- Downgrade a pair of log messages that could occur when an exit's
|
||||||
|
resolver gave us an unusual (but not forbidden) response. Closes
|
||||||
|
ticket 24097.
|
||||||
|
- Improve the message we log when re-enabling circuit build timeouts
|
||||||
|
after having received a consensus. Closes ticket 20963.
|
||||||
|
- Log more circuit information whenever we are about to try to
|
||||||
|
package a relay cell on a circuit with a nonexistent n_chan.
|
||||||
|
Attempt to diagnose ticket 8185.
|
||||||
|
- Improve info-level log identification of particular circuits, to
|
||||||
|
help with debugging. Closes ticket 23645.
|
||||||
|
- Improve the warning message for specifying a relay by nickname.
|
||||||
|
The previous message implied that nickname registration was still
|
||||||
|
part of the Tor network design, which it isn't. Closes
|
||||||
|
ticket 20488.
|
||||||
|
- If the sandbox filter fails to load, suggest to the user that
|
||||||
|
their kernel might not support seccomp2. Closes ticket 23090.
|
||||||
|
|
||||||
|
o Minor features (onion service, circuit, logging):
|
||||||
|
- Improve logging of many callsite in the circuit subsystem to print
|
||||||
|
the circuit identifier(s).
|
||||||
|
- Log when we cleanup an intro point from a service so we know when
|
||||||
|
and for what reason it happened. Closes ticket 23604.
|
||||||
|
|
||||||
|
o Minor features (portability):
|
||||||
|
- Tor now compiles correctly on arm64 with libseccomp-dev installed.
|
||||||
|
(It doesn't yet work with the sandbox enabled.) Closes
|
||||||
|
ticket 24424.
|
||||||
|
- Check at configure time whether uint8_t is the same type as
|
||||||
|
unsigned char. Lots of existing code already makes this
|
||||||
|
assumption, and there could be strict aliasing issues if the
|
||||||
|
assumption is violated. Closes ticket 22410.
|
||||||
|
|
||||||
|
o Minor features (relay):
|
||||||
|
- When choosing which circuits can be expired as unused, consider
|
||||||
|
circuits from clients even if those clients used regular CREATE
|
||||||
|
cells to make them; and do not consider circuits from relays even
|
||||||
|
if they were made with CREATE_FAST. Part of ticket 22805.
|
||||||
|
- Reject attempts to use relative file paths when RunAsDaemon is
|
||||||
|
set. Previously, Tor would accept these, but the directory-
|
||||||
|
changing step of RunAsDaemon would give strange and/or confusing
|
||||||
|
results. Closes ticket 22731.
|
||||||
|
|
||||||
|
o Minor features (relay statistics):
|
||||||
|
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
||||||
|
hours in order to reduce the efficiency of guard discovery
|
||||||
|
attacks. Fixes ticket 23856.
|
||||||
|
|
||||||
|
o Minor features (reverted deprecations):
|
||||||
|
- The ClientDNSRejectInternalAddresses flag can once again be set in
|
||||||
|
non-testing Tor networks, so long as they do not use the default
|
||||||
|
directory authorities. This change also removes the deprecation of
|
||||||
|
this flag from 0.2.9.2-alpha. Closes ticket 21031.
|
||||||
|
|
||||||
|
o Minor features (robustness):
|
||||||
|
- Change several fatal assertions when flushing buffers into non-
|
||||||
|
fatal assertions, to prevent any recurrence of 23690.
|
||||||
|
|
||||||
|
o Minor features (startup, safety):
|
||||||
|
- When configured to write a PID file, Tor now exits if it is unable
|
||||||
|
to do so. Previously, it would warn and continue. Closes
|
||||||
|
ticket 20119.
|
||||||
|
|
||||||
|
o Minor features (static analysis):
|
||||||
|
- The BUG() macro has been changed slightly so that Coverity no
|
||||||
|
longer complains about dead code if the bug is impossible. Closes
|
||||||
|
ticket 23054.
|
||||||
|
|
||||||
|
o Minor features (testing):
|
||||||
|
- Our fuzzing tests now test the encrypted portions of v3 onion
|
||||||
|
service descriptors. Implements more of 21509.
|
||||||
|
- Add a unit test to make sure that our own generated platform
|
||||||
|
string will be accepted by directory authorities. Closes
|
||||||
|
ticket 22109.
|
||||||
|
- The default chutney network tests now include tests for the v3
|
||||||
|
onion service design. Make sure you have the latest version of
|
||||||
|
chutney if you want to run these. Closes ticket 22437.
|
||||||
|
- Add a unit test to verify that we can parse a hardcoded v2 onion
|
||||||
|
service descriptor. Closes ticket 15554.
|
||||||
|
|
||||||
|
o Minor bugfixes (address selection):
|
||||||
|
- When the fascist_firewall_choose_address_ functions don't find a
|
||||||
|
reachable address, set the returned address to the null address
|
||||||
|
and port. This is a precautionary measure, because some callers do
|
||||||
|
not check the return value. Fixes bug 24736; bugfix
|
||||||
|
on 0.2.8.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (bootstrapping):
|
||||||
|
- When warning about state file clock skew, report the correct
|
||||||
|
direction for the detected skew. Fixes bug 23606; bugfix
|
||||||
|
on 0.2.8.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (bridge clients, bootstrap):
|
||||||
|
- Retry directory downloads when we get our first bridge descriptor
|
||||||
|
during bootstrap or while reconnecting to the network. Keep
|
||||||
|
retrying every time we get a bridge descriptor, until we have a
|
||||||
|
reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
|
||||||
|
- Stop delaying bridge descriptor fetches when we have cached bridge
|
||||||
|
descriptors. Instead, only delay bridge descriptor fetches when we
|
||||||
|
have at least one reachable bridge. Fixes part of bug 24367;
|
||||||
|
bugfix on 0.2.0.3-alpha.
|
||||||
|
- Stop delaying directory fetches when we have cached bridge
|
||||||
|
descriptors. Instead, only delay bridge descriptor fetches when
|
||||||
|
all our bridges are definitely unreachable. Fixes part of bug
|
||||||
|
24367; bugfix on 0.2.0.3-alpha.
|
||||||
|
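Review bot: The third item under "Minor bugfixes (bridge clients, bootstrap)" opens with "Stop delaying directory fetches" but its second sentence says "only delay bridge descriptor fetches when all our bridges are definitely unreachable", which switches subject and gives a different condition from the item just above it ("when we have at least one reachable bridge"). If the second sentence is meant to describe directory fetches, say so; as written, the two items state conflicting conditions for delaying the same fetch and should be reconciled.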
|
||||||
|
o Minor bugfixes (bridge):
|
||||||
|
- Overwrite the bridge address earlier in the process of retrieving
|
||||||
|
its descriptor, to make sure we reach it on the configured
|
||||||
|
address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (build, compilation):
|
||||||
|
- Fix a compilation warning when building with zstd support on
|
||||||
|
32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha. Found
|
||||||
|
and fixed by Andreas Stieger.
|
||||||
|
- When searching for OpenSSL, don't accept any OpenSSL library that
|
||||||
|
lacks TLSv1_1_method(): Tor doesn't build with those versions.
|
||||||
|
Additionally, look in /usr/local/opt/openssl, if it's present.
|
||||||
|
These changes together repair the default build on OSX systems
|
||||||
|
with Homebrew installed. Fixes bug 23602; bugfix on 0.2.7.2-alpha.
|
||||||
|
- Fix a signed/unsigned comparison warning introduced by our fix to
|
||||||
|
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||||
|
- Fix a memory leak warning in one of the libevent-related
|
||||||
|
configuration tests that could occur when manually specifying
|
||||||
|
-fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha.
|
||||||
|
Found and patched by Alex Xu.
|
||||||
|
- Fix unused-variable warnings in donna's Curve25519 SSE2 code.
|
||||||
|
Fixes bug 22895; bugfix on 0.2.7.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (certificate handling):
|
||||||
|
- Fix a time handling bug in Tor certificates set to expire after
|
||||||
|
the year 2106. Fixes bug 23055; bugfix on 0.3.0.1-alpha. Found by
|
||||||
|
Coverity as CID 1415728.
|
||||||
|
|
||||||
|
o Minor bugfixes (client):
|
||||||
|
- By default, do not enable storage of client-side DNS values. These
|
||||||
|
values were unused by default previously, but they should not have
|
||||||
|
been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (client, usability):
|
||||||
|
- Refrain from needlessly rejecting SOCKS5-with-hostnames and
|
||||||
|
SOCKS4a requests that contain IP address strings, even when
|
||||||
|
SafeSocks in enabled, as this prevents user from connecting to
|
||||||
|
known IP addresses without relying on DNS for resolving. SafeSocks
|
||||||
|
still rejects SOCKS connections that connect to IP addresses when
|
||||||
|
those addresses are _not_ encoded as hostnames. Fixes bug 22461;
|
||||||
|
bugfix on Tor 0.2.6.2-alpha.
|
||||||
|
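Review bot: The single item under "Minor bugfixes (client, usability)" has two slips in one sentence: "even when SafeSocks in enabled" should read "is enabled", and "this prevents user from connecting" should read "users". This item documents a change in what SafeSocks accepts and rejects, so the wording is worth getting exact.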
|
||||||
|
o Minor bugfixes (code correctness):
|
||||||
|
- Call htons() in extend_cell_format() for encoding a 16-bit value.
|
||||||
|
Previously we used ntohs(), which happens to behave the same on
|
||||||
|
all the platforms we support, but which isn't really correct.
|
||||||
|
Fixes bug 23106; bugfix on 0.2.4.8-alpha.
|
||||||
|
- For defense-in-depth, make the controller's write_escaped_data()
|
||||||
|
function robust to extremely long inputs. Fixes bug 19281; bugfix
|
||||||
|
on 0.1.1.1-alpha. Reported by Guido Vranken.
|
||||||
|
- Fix several places in our codebase where a C compiler would be
|
||||||
|
likely to eliminate a check, based on assuming that undefined
|
||||||
|
behavior had not happened elsewhere in the code. These cases are
|
||||||
|
usually a sign of redundant checking or dubious arithmetic. Found
|
||||||
|
by Georg Koppen using the "STACK" tool from Wang, Zeldovich,
|
||||||
|
Kaashoek, and Solar-Lezama. Fixes bug 24423; bugfix on various
|
||||||
|
Tor versions.
|
||||||
|
|
||||||
|
o Minor bugfixes (compression):
|
||||||
|
- Handle a pathological case when decompressing Zstandard data when
|
||||||
|
the output buffer size is zero. Fixes bug 23551; bugfix
|
||||||
|
on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (consensus expiry):
|
||||||
|
- Check for adequate directory information correctly. Previously, Tor
|
||||||
|
would reconsider whether it had sufficient directory information
|
||||||
|
every 2 minutes. Fixes bug 23091; bugfix on 0.2.0.19-alpha.
|
||||||
|
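Review bot: The "Minor bugfixes (consensus expiry)" item describes the old behaviour ("would reconsider whether it had sufficient directory information every 2 minutes") but never says what was wrong with it or what Tor does now; "Check for adequate directory information correctly" gives an operator nothing to act on. Add one sentence stating the corrected behaviour.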
|
||||||
|
o Minor bugfixes (control port, linux seccomp2 sandbox):
|
||||||
|
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
||||||
|
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
||||||
|
on 0.2.5.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (control port, onion services):
|
||||||
|
- Report "FAILED" instead of "UPLOAD_FAILED" "FAILED" for the
|
||||||
|
HS_DESC event when a service is not able to upload a descriptor.
|
||||||
|
Fixes bug 24230; bugfix on 0.2.7.1-alpha.
|
||||||
|
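Review bot: The HS_DESC item under "Minor bugfixes (control port, onion services)" reads 'Report "FAILED" instead of "UPLOAD_FAILED" "FAILED"', and it is not clear from that phrasing exactly what the event line looked like before the fix. Controller authors parse this event, so spell out the before and after forms of the line explicitly.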
|
||||||
|
o Minor bugfixes (directory cache):
|
||||||
|
- Recover better from empty or corrupt files in the consensus cache
|
||||||
|
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
|
||||||
|
- When a consensus diff calculation is only partially successful,
|
||||||
|
only record the successful parts as having succeeded. Partial
|
||||||
|
success can happen if (for example) one compression method fails
|
||||||
|
but the others succeed. Previously we misrecorded all the
|
||||||
|
calculations as having succeeded, which would later cause a
|
||||||
|
nonfatal assertion failure. Fixes bug 24086; bugfix
|
||||||
|
on 0.3.1.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (directory client):
|
||||||
|
- On failure to download directory information, delay retry attempts
|
||||||
|
by a random amount based on the "decorrelated jitter" algorithm.
|
||||||
|
Our previous delay algorithm tended to produce extra-long delays
|
||||||
|
too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (directory protocol):
|
||||||
|
- Directory servers now include a "Date:" http header for response
|
||||||
|
codes other than 200. Clients starting with a skewed clock and a
|
||||||
|
recent consensus were getting "304 Not modified" responses from
|
||||||
|
directory authorities, so without the Date header, the client
|
||||||
|
would never hear about a wrong clock. Fixes bug 23499; bugfix
|
||||||
|
on 0.0.8rc1.
|
||||||
|
- Make clients wait for 6 seconds before trying to download a
|
||||||
|
consensus from an authority. Fixes bug 17750; bugfix
|
||||||
|
on 0.2.8.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (documentation):
|
||||||
|
- Document better how to read gcov, and what our gcov postprocessing
|
||||||
|
scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.
|
||||||
|
- Fix manpage to not refer to the obsolete (and misspelled)
|
||||||
|
UseEntryGuardsAsDirectoryGuards parameter in the description of
|
||||||
|
NumDirectoryGuards. Fixes bug 23611; bugfix on 0.2.4.8-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (DoS-resistance):
|
||||||
|
- If future code asks if there are any running bridges, without
|
||||||
|
checking if bridges are enabled, log a BUG warning rather than
|
||||||
|
crashing. Fixes bug 23524; bugfix on 0.3.0.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (entry guards):
|
||||||
|
- Tor now updates its guard state when it reads a consensus
|
||||||
|
regardless of whether it's missing descriptors. That makes tor use
|
||||||
|
its primary guards to fetch descriptors in some edge cases where
|
||||||
|
it would previously have used fallback directories. Fixes bug
|
||||||
|
23862; bugfix on 0.3.0.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (format strictness):
|
||||||
|
- Restrict several data formats to decimal. Previously, the
|
||||||
|
BuildTimeHistogram entries in the state file, the "bw=" entries in
|
||||||
|
the bandwidth authority file, and the process IDs passed to the
|
||||||
|
__OwningControllerProcess option could all be specified in hex or
|
||||||
|
octal as well as in decimal. This was not an intentional feature.
|
||||||
|
Fixes bug 22802; bugfixes on 0.2.2.1-alpha, 0.2.2.2-alpha,
|
||||||
|
and 0.2.2.28-beta.
|
||||||
|
|
||||||
|
o Minor bugfixes (heartbeat):
|
||||||
|
- If we fail to write a heartbeat message, schedule a retry for the
|
||||||
|
minimum heartbeat interval number of seconds in the future. Fixes
|
||||||
|
bug 19476; bugfix on 0.2.3.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (logging):
|
||||||
|
- Suppress a log notice when relay descriptors arrive. We already
|
||||||
|
have a bootstrap progress for this so no need to log notice
|
||||||
|
everytime tor receives relay descriptors. Microdescriptors behave
|
||||||
|
the same. Fixes bug 23861; bugfix on 0.2.8.2-alpha.
|
||||||
|
- Remove duplicate log messages regarding opening non-local
|
||||||
|
SocksPorts upon parsing config and opening listeners at startup.
|
||||||
|
Fixes bug 4019; bugfix on 0.2.3.3-alpha.
|
||||||
|
- Use a more comprehensible log message when telling the user
|
||||||
|
they've excluded every running exit node. Fixes bug 7890; bugfix
|
||||||
|
on 0.2.2.25-alpha.
|
||||||
|
- When logging the number of descriptors we intend to download per
|
||||||
|
directory request, do not log a number higher than then the number
|
||||||
|
of descriptors we're fetching in total. Fixes bug 19648; bugfix
|
||||||
|
on 0.1.1.8-alpha.
|
||||||
|
- When warning about a directory owned by the wrong user, log the
|
||||||
|
actual name of the user owning the directory. Previously, we'd log
|
||||||
|
the name of the process owner twice. Fixes bug 23487; bugfix
|
||||||
|
on 0.2.9.1-alpha.
|
||||||
|
- Fix some messages on unexpected errors from the seccomp2 library.
|
||||||
|
Fixes bug 22750; bugfix on 0.2.5.1-alpha. Patch from "cypherpunks".
|
||||||
|
- The tor specification says hop counts are 1-based, so fix two log
|
||||||
|
messages that mistakenly logged 0-based hop counts. Fixes bug
|
||||||
|
18982; bugfix on 0.2.6.2-alpha and 0.2.4.5-alpha. Patch by teor.
|
||||||
|
Credit to Xiaofan Li for reporting this issue.
|
||||||
|
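Review bot: Two typos in "Minor bugfixes (logging)": the first item has "everytime tor receives relay descriptors" (should be "every time"), and the fourth item has "do not log a number higher than then the number of descriptors" (drop the stray "then"). The first item's "so no need to log notice" would also read better as "so there is no need to log a notice".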
|
||||||
|
o Minor bugfixes (logging, relay shutdown, annoyance):
|
||||||
|
- When a circuit is marked for close, do not attempt to package any
|
||||||
|
cells for channels on that circuit. Previously, we would detect
|
||||||
|
this condition lower in the call stack, when we noticed that the
|
||||||
|
circuit had no attached channel, and log an annoying message.
|
||||||
|
Fixes bug 8185; bugfix on 0.2.5.4-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (memory safety, defensive programming):
|
||||||
|
- Clear the target address when node_get_prim_orport() returns
|
||||||
|
early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (memory usage):
|
||||||
|
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
||||||
|
and reason fields: not the entire 514-byte cell. This fix should
|
||||||
|
help mitigate any bugs or attacks that fill up these queues, and
|
||||||
|
free more RAM for other uses. Fixes bug 24666; bugfix
|
||||||
|
on 0.2.5.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (network layer):
|
||||||
|
- When closing a connection via close_connection_immediately(), we
|
||||||
|
mark it as "not blocked on bandwidth", to prevent later calls from
|
||||||
|
trying to unblock it, and give it permission to read. This fixes a
|
||||||
|
backtrace warning that can happen on relays under various
|
||||||
|
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||||
|
|
||||||
|
o Minor bugfixes (onion services):
|
||||||
|
- The introduction circuit was being timed out too quickly while
|
||||||
|
waiting for the rendezvous circuit to complete. Keep the intro
|
||||||
|
circuit around longer instead of timing out and reopening new ones
|
||||||
|
constantly. Fixes bug 23681; bugfix on 0.2.4.8-alpha.
|
||||||
|
- Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
|
||||||
|
so it matches dir-spec.txt. Fixes bug 24262; bugfix
|
||||||
|
on 0.3.1.1-alpha.
|
||||||
|
- When handling multiple SOCKS request for the same .onion address,
|
||||||
|
only fetch the service descriptor once.
|
||||||
|
- Avoid a possible double close of a circuit by the intro point on
|
||||||
|
error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610;
|
||||||
|
bugfix on 0.3.0.1-alpha.
|
||||||
|
- When reloading configured onion services, copy all information
|
||||||
|
from the old service object. Previously, some data was omitted,
|
||||||
|
causing delays in descriptor upload, and other bugs. Fixes bug
|
||||||
|
23790; bugfix on 0.2.1.9-alpha.
|
||||||
|
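Review bot: The third item under "Minor bugfixes (onion services)", "When handling multiple SOCKS request for the same .onion address, only fetch the service descriptor once.", is the only item in this section without a "Fixes bug N; bugfix on X" reference, so readers cannot tell which ticket it belongs to or which versions were affected. Add the reference, and make it "SOCKS requests".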
|
||||||
|
o Minor bugfixes (path selection):
|
||||||
|
- When selecting relays by bandwidth, avoid a rounding error that
|
||||||
|
could sometimes cause load to be imbalanced incorrectly.
|
||||||
|
Previously, we would always round upwards; now, we round towards
|
||||||
|
the nearest integer. This had the biggest effect when a relay's
|
||||||
|
weight adjustments should have given it weight 0, but it got
|
||||||
|
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||||
|
- When calculating the fraction of nodes that have descriptors, and
|
||||||
|
all nodes in the network have zero bandwidths, count the number of
|
||||||
|
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||||
|
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||||
|
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (portability):
|
||||||
|
- Stop using the PATH_MAX variable, which is not defined on GNU
|
||||||
|
Hurd. Fixes bug 23098; bugfix on 0.3.1.1-alpha.
|
||||||
|
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||||
|
MSVC. (Note that MSVC is still not a supported build platform, due
|
||||||
|
to cyptographic timing channel risks.) Fixes bug 24633; bugfix
|
||||||
|
on 0.2.9.1-alpha.
|
||||||
|
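Review bot: In the MSVC item under "Minor bugfixes (portability)", "cyptographic timing channel risks" should be "cryptographic". This parenthetical is the note that tells users MSVC builds are unsupported for side-channel reasons, so it should not carry a typo in the key term.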
|
||||||
|
o Minor bugfixes (relay):
|
||||||
|
- When uploading our descriptor for the first time after startup,
|
||||||
|
report the reason for uploading as "Tor just started" rather than
|
||||||
|
leaving it blank. Fixes bug 22885; bugfix on 0.2.3.4-alpha.
|
||||||
|
- Avoid unnecessary calls to directory_fetches_from_authorities() on
|
||||||
|
relays, to prevent spurious address resolutions and descriptor
|
||||||
|
rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
|
||||||
|
bugfix on in 0.2.8.1-alpha.
|
||||||
|
- Avoid a crash when transitioning from client mode to bridge mode.
|
||||||
|
Previously, we would launch the worker threads whenever our
|
||||||
|
"public server" mode changed, but not when our "server" mode
|
||||||
|
changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
||||||
|
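Review bot: The second item under "Minor bugfixes (relay)" ends with "bugfix on in 0.2.8.1-alpha"; drop the stray "in" so the version reference matches the "bugfix on X" form used by every other entry.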
|
||||||
|
o Minor bugfixes (testing):
|
||||||
|
- Fix a spurious fuzzing-only use of an uninitialized value. Found
|
||||||
|
by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
|
||||||
|
- Test that IPv6-only clients can use microdescriptors when running
|
||||||
|
"make test-network-all". Requires chutney master 61c28b9 or later.
|
||||||
|
Closes ticket 24109.
|
||||||
|
- Prevent scripts/test/coverage from attempting to move gcov output
|
||||||
|
to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
|
||||||
|
- Capture and detect several "Result does not fit" warnings in unit
|
||||||
|
tests on platforms with 32-bit time_t. Fixes bug 21800; bugfix
|
||||||
|
on 0.2.9.3-alpha.
|
||||||
|
- Fix additional channelpadding unit test failures by using mocked
|
||||||
|
time instead of actual time for all tests. Fixes bug 23608; bugfix
|
||||||
|
on 0.3.1.1-alpha.
|
||||||
|
- Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(),
|
||||||
|
to correctly handle cases where a caller gives it an RSA key of
|
||||||
|
under 160 bits. (This is not actually a bug in Tor itself, but
|
||||||
|
rather in our fuzzing code.) Fixes bug 24247; bugfix on
|
||||||
|
0.3.0.3-alpha. Found by OSS-Fuzz as issue 4177.
|
||||||
|
- Fix a broken unit test for the OutboundAddress option: the parsing
|
||||||
|
function was never returning an error on failure. Fixes bug 23366;
|
||||||
|
bugfix on 0.3.0.3-alpha.
|
||||||
|
- Fix a signed-integer overflow in the unit tests for
|
||||||
|
dir/download_status_random_backoff, which was untriggered until we
|
||||||
|
fixed bug 17750. Fixes bug 22924; bugfix on 0.2.9.1-alpha.
|
||||||
|
|
||||||
|
o Minor bugfixes (usability, control port):
|
||||||
|
- Stop making an unnecessary routerlist check in NETINFO clock skew
|
||||||
|
detection; this was preventing clients from reporting NETINFO clock
|
||||||
|
skew to controllers. Fixes bug 23532; bugfix on 0.2.4.4-alpha.
|
||||||
|
|
||||||
|
o Code simplification and refactoring:
|
||||||
|
- Remove various ways of testing circuits and connections for
|
||||||
|
"clientness"; instead, favor channel_is_client(). Part of
|
||||||
|
ticket 22805.
|
||||||
|
- Extract the code for handling newly-open channels into a separate
|
||||||
|
function from the general code to handle channel state
|
||||||
|
transitions. This change simplifies our callgraph, reducing the
|
||||||
|
size of the largest strongly connected component by roughly a
|
||||||
|
factor of two. Closes ticket 22608.
|
||||||
|
- Remove dead code for largely unused statistics on the number of
|
||||||
|
times we've attempted various public key operations. Fixes bug
|
||||||
|
19871; bugfix on 0.1.2.4-alpha. Fix by Isis Lovecruft.
|
||||||
|
- Remove several now-obsolete functions for asking about old
|
||||||
|
variants directory authority status. Closes ticket 22311; patch
|
||||||
|
from "huyvq".
|
||||||
|
- Remove some of the code that once supported "Named" and "Unnamed"
|
||||||
|
routers. Authorities no longer vote for these flags. Closes
|
||||||
|
ticket 22215.
|
||||||
|
- Rename the obsolete malleable hybrid_encrypt functions used in TAP
|
||||||
|
and old hidden services, to indicate that they aren't suitable for
|
||||||
|
new protocols or formats. Closes ticket 23026.
|
||||||
|
- Replace our STRUCT_OFFSET() macro with offsetof(). Closes ticket
|
||||||
|
22521. Patch from Neel Chauhan.
|
||||||
|
- Split the enormous circuit_send_next_onion_skin() function into
|
||||||
|
multiple subfunctions. Closes ticket 22804.
|
||||||
|
- Split the portions of the buffer.c module that handle particular
|
||||||
|
protocols into separate modules. Part of ticket 23149.
|
||||||
|
- Use our test macros more consistently, to produce more useful
|
||||||
|
error messages when our unit tests fail. Add coccinelle patches to
|
||||||
|
allow us to re-check for test macro uses. Closes ticket 22497.
|
||||||
|
|
||||||
|
o Deprecated features:
|
||||||
|
- The ReachableDirAddresses and ClientPreferIPv6DirPort options are
|
||||||
|
now deprecated; they do not apply to relays, and they have had no
|
||||||
|
effect on clients since 0.2.8.x. Closes ticket 19704.
|
||||||
|
- Deprecate HTTPProxy/HTTPProxyAuthenticator config options. They
|
||||||
|
only applies to direct unencrypted HTTP connections to your
|
||||||
|
directory server, which your Tor probably isn't using. Closes
|
||||||
|
ticket 20575.
|
||||||
|
|
||||||
|
o Documentation:
|
||||||
|
- Add notes in man page regarding OS support for the various
|
||||||
|
scheduler types. Attempt to use less jargon in the scheduler
|
||||||
|
section. Closes ticket 24254.
|
||||||
|
- Clarify that the Address option is entirely about setting an
|
||||||
|
advertised IPv4 address. Closes ticket 18891.
|
||||||
|
- Clarify the manpage's use of the term "address" to clarify what
|
||||||
|
kind of address is intended. Closes ticket 21405.
|
||||||
|
- Document that onion service subdomains are allowed, and ignored.
|
||||||
|
Closes ticket 18736.
|
||||||
|
- Clarify in the manual that "Sandbox 1" is only supported on Linux
|
||||||
|
kernels. Closes ticket 22677.
|
||||||
|
- Document all values of PublishServerDescriptor in the manpage.
|
||||||
|
Closes ticket 15645.
|
||||||
|
- Improve the documentation for the directory port part of the
|
||||||
|
DirAuthority line. Closes ticket 20152.
|
||||||
|
- Restore documentation for the authorities' "approved-routers"
|
||||||
|
file. Closes ticket 21148.
|
||||||
|
|
||||||
|
o Removed features:
|
||||||
|
- The AllowDotExit option has been removed as unsafe. It has been
|
||||||
|
deprecated since 0.2.9.2-alpha. Closes ticket 23426.
|
||||||
|
- The ClientDNSRejectInternalAddresses flag can no longer be set on
|
||||||
|
non-testing networks. It has been deprecated since 0.2.9.2-alpha.
|
||||||
|
Closes ticket 21031.
|
||||||
|
- The controller API no longer includes an AUTHDIR_NEWDESCS event:
|
||||||
|
nobody was using it any longer. Closes ticket 22377.
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.2.8.15 - 2017-09-18
|
Changes in version 0.2.8.15 - 2017-09-18
|
||||||
Tor 0.2.8.15 backports a collection of bugfixes from later
|
Tor 0.2.8.15 backports a collection of bugfixes from later
|
||||||
Tor series.
|
Tor series.
|
||||||
|
|
|
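Review bot: several wording slips in the added ChangeLog text should be fixed before this ships. "cyptographic" in the MSVC portability entry (bug 24633) should be "cryptographic"; "bugfix on in 0.2.8.1-alpha" in the relay entry for bug 23470 has a stray "in"; "They only applies" in the HTTPProxy/HTTPProxyAuthenticator deprecation should be "They only apply"; and "asking about old variants directory authority status" in the ticket 22311 entry reads as if a word is missing after "variants".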
@ -1,4 +0,0 @@
|
||||||
o Minor features (directory authority):
|
|
||||||
- Add an IPv6 address for the "bastet" directory authority.
|
|
||||||
Closes ticket 24394.
|
|
||||||
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Major bugfixes (circuit prediction):
|
|
||||||
- Fix circuit prediction logic so that a client doesn't treat a stream as
|
|
||||||
being "handled" by a circuit if that circuit already has isolation
|
|
||||||
settings on it that might make it incompatible with the stream. This
|
|
||||||
change should make Tor clients more responsive by improving their
|
|
||||||
chances of having a pre-created circuit ready for use when a new client
|
|
||||||
request arrives. Fixes bug 18859; bugfix on 0.2.3.3-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (bridges):
|
|
||||||
- Overwrite the bridge address earlier in the process of directly
|
|
||||||
retrieving its descriptor, to make sure we reach it on the configured
|
|
||||||
address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (logging):
|
|
||||||
- Improve the message we log when re-enabling circuit build timeouts
|
|
||||||
after having received a consensus. Closes ticket 20963.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (portability):
|
|
||||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
|
||||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
|
||||||
bug 21074; bugfix on 0.0.9pre5.
|
|
|
@ -1,9 +0,0 @@
|
||||||
o Major bugfixes (Exit nodes):
|
|
||||||
- Fix an issue causing high-bandwidth exit nodes to fail a majority
|
|
||||||
or all of their DNS requests, making them basically unsuitable for
|
|
||||||
regular usage in Tor circuits. The problem is related to
|
|
||||||
libevent's DNS handling, but we can work around it in Tor. Fixes
|
|
||||||
bugs 21394 and 18580; bugfix on 0.1.2.2-alpha which introduced
|
|
||||||
eventdns. Credit goes to Dhalgren for identifying and finding a
|
|
||||||
workaround to this bug and to gamambel, arthuredelstein and
|
|
||||||
arma in helping to track it down and analyze it.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (hidden service v3, fuzzing):
|
|
||||||
- Fix the hidden service v3 descriptor decoding fuzzing to use the latest
|
|
||||||
decoding API correctly. Fixes bug 21509; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,11 +0,0 @@
|
||||||
o Minor bugfixes (path selection):
|
|
||||||
- When selecting relays by bandwidth, avoid a rounding error that
|
|
||||||
could sometimes cause load to be imbalanced incorrectly. Previously,
|
|
||||||
we would always round upwards; now, we round towards the nearest
|
|
||||||
integer. This had the biggest effect when a relay's weight adjustments
|
|
||||||
should have given it weight 0, but it got weight 1 instead.
|
|
||||||
Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
|
||||||
- When calculating the fraction of nodes that have descriptors, and all
|
|
||||||
all nodes in the network have zero bandwidths, count the number of nodes
|
|
||||||
instead.
|
|
||||||
Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
|
|
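Review bot: the second item repeats a word ("and all all nodes") and cites the same "Fixes bug 23318" as the first item while naming a different introducing version (0.2.4.10-alpha against 0.2.4.3-alpha). Please confirm that the ticket number on the second item is intended rather than copied from the first, and fix the doubled word in whatever text is carried into the ChangeLog.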
@ -1,7 +0,0 @@
|
||||||
o Minor bugfixes (hidden service v3):
|
|
||||||
- Fix a race between the circuit close and free where the service would
|
|
||||||
launch a new intro circuit after the close, and then fail to register it
|
|
||||||
before the free of the previously closed circuit. This was making the
|
|
||||||
service unable to find the established intro circuit and thus not upload
|
|
||||||
its descriptor. It can make a service unavailable for up to 24 hours.
|
|
||||||
Fixes bug 23603; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (onion services):
|
|
||||||
- Cache some needed onion service client information instead of
|
|
||||||
continuously computing it over and over again. Fixes bug 23623; bugfix
|
|
||||||
on 0.3.2.1-alpha.
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Minor bugfixes (hidden service client):
|
|
||||||
- When getting multiple SOCKS request for the same .onion address, don't
|
|
||||||
trigger multiple descriptor fetches.
|
|
||||||
- When the descriptor fetch fails with an internal error, no more HSDir to
|
|
||||||
query or we aren't allowed to fetch (FetchHidServDescriptors 0), close
|
|
||||||
all pending SOCKS request for that .onion. Fixes bug 23653; bugfix on
|
|
||||||
0.3.2.1-alpha.
|
|
|
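Review bot: the first item ("When getting multiple SOCKS request for the same .onion address, don't trigger multiple descriptor fetches.") ends without a "Fixes bug" reference, so it is unclear whether bug 23653 on the second item covers both. Either give each item its own ticket reference or merge them into one entry. "SOCKS request" should be plural in both items, and the failure conditions in the second item ("an internal error, no more HSDir to query or we aren't allowed to fetch") would be easier to read as an explicit three-way list.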
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (onion services):
|
|
||||||
- Silence a warning about failed v3 onion descriptor uploads since it can
|
|
||||||
happen naturally under certain edge-cases. Fixes part of bug 23662;
|
|
||||||
bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor features (entry guards):
|
|
||||||
- Improve logs issued when we are missing descriptors of primary guards.
|
|
||||||
Resolves ticket 23670.
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Minor bugfixes (warnings):
|
|
||||||
- When we get an HTTP request on a SOCKS port, tell the user about
|
|
||||||
the new HTTPTunnelPort option. Previously, we would give a
|
|
||||||
"Tor is not an HTTP Proxy" message, which stopped being true when
|
|
||||||
HTTPTunnelPort was introduced. Fixes bug 23678; bugfix on
|
|
||||||
0.3.2.1-alpha.
|
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (hidden service client):
|
|
||||||
- The introduction circuit was being timed out too quickly while waiting
|
|
||||||
for the rendezvous circuit to complete. Keep the intro circuit around
|
|
||||||
longer instead of timing out and reopening new ones constantly. Fixes
|
|
||||||
bug 23681; bugfix on 0.2.4.8-alpha.
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor bugfixes (relay, crash):
|
|
||||||
- Avoid a crash when transitioning from client mode to bridge mode.
|
|
||||||
Previously, we would launch the worker threads whenever our "public
|
|
||||||
server" mode changed, but not when our "server" mode changed.
|
|
||||||
Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfix (KIST scheduler):
|
|
||||||
- Downgrade a warning to log info when the monotonic time diff is
|
|
||||||
negative. This can happen on platform not supporting monotonic time. The
|
|
||||||
scheduler recovers from this without any problem. Fixes bug 23696;
|
|
||||||
bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (documentation):
|
|
||||||
- Document better how to read gcov and what our postprocessing scripts do.
|
|
||||||
Fixes bug 23739; bugfix on 0.2.9.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (testing):
|
|
||||||
- Prevent scripts/test/coverage from attempting to move gcov
|
|
||||||
output to the root directory. Fixes bug 23741; bugfix on
|
|
||||||
0.2.5.1-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (hidden service):
|
|
||||||
- Always make sure the hidden service generate the public key file if it
|
|
||||||
is missing. Prior to this, if the public key was deleted from disk, it
|
|
||||||
wouldn't get recreated. Fixes bug 23748; bugfix on 0.3.2.2-alpha.
|
|
||||||
Patch from "cathugger".
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor bugfixes (scheduler, channel):
|
|
||||||
- Ignore channels that have been closed while flushing cells. This can
|
|
||||||
happen if the write on the connection fails leading to the channel being
|
|
||||||
closed while in the scheduler loop. This is not a complete fix, it is a
|
|
||||||
bandaid until we are able to refactor those interactions. Fixes bug
|
|
||||||
23751; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (logging, scheduler):
|
|
||||||
- Introduce a SCHED_BUG() function to log extra information about the
|
|
||||||
scheduler state if we ever catch a bug in the scheduler. Closes ticket
|
|
||||||
23753.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (testing):
|
|
||||||
- Stop unconditionally mirroring the tor repository in GitLab CI.
|
|
||||||
This prevented developers from enabling GitLab CI on master.
|
|
||||||
Fixes bug 23755; bugfix on 0.3.2.2-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (testing):
|
|
||||||
- Adjust the GitLab CI configuration to more closely match that of Travis
|
|
||||||
CI. Fixes bug 23757; bugfix on 0.3.2.2-alpha.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (testing):
|
|
||||||
- Skip a test that would fail if run as root (because it expects a
|
|
||||||
permissions error). This affects some continuous integration setups.
|
|
||||||
Fixes bug 23758; bugfix on 0.3.2.2-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (hidden service v3):
|
|
||||||
- Properly retry HSv3 descriptor fetches in the case where we were initially
|
|
||||||
missing required directory information. Fixes bug 23762; bugfix on
|
|
||||||
0.3.2.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (memory leak):
|
|
||||||
- Fix a minor memory-leak-at-exit in the KIST scheduler. This
|
|
||||||
bug should have no user-visible impact. Fixes bug 23774;
|
|
||||||
bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (compilation, windows):
|
|
||||||
- When detecting OpenSSL on Windows from our configure script, make sure
|
|
||||||
to try linking with the ws2_32 library. Fixes bug 23783; bugfix on
|
|
||||||
0.3.2.2-alpha.
|
|
||||||
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor bugfixes (hidden service v2):
|
|
||||||
- When reloading tor (HUP) configured with hidden service(s), some
|
|
||||||
information weren't copy to the new service object. One problem with
|
|
||||||
this was that tor would wait at least the RendPostPeriod time before
|
|
||||||
uploading the descriptor if the reload happened before the descriptor
|
|
||||||
needed to be published. Fixes bug 23790; bugfix on 0.2.1.9-alpha.
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor bugfixes (directory client):
|
|
||||||
- On failure to download directory information, delay retry attempts
|
|
||||||
by a random amount based on the "decorrelated jitter" algorithm.
|
|
||||||
Our previous delay algorithm tended to produce extra-long delays too
|
|
||||||
easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (descriptors):
|
|
||||||
- Don't try fetching microdescriptors from relays that have failed to
|
|
||||||
deliver them in the past. Fixes bug 23817; bugfix on 0.3.0.1-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (IPv6, v3 single onion services):
|
|
||||||
- Remove buggy code for IPv6-only v3 single onion services, and reject
|
|
||||||
attempts to configure them. This release supports IPv4, dual-stack, and
|
|
||||||
IPv6-only v3 hidden services; and IPv4 and dual-stack v3 single onion
|
|
||||||
services. Fixes bug 23820; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (logging, relay):
|
|
||||||
- Suppress a log notice when relay descriptors arrive. We already have a
|
|
||||||
bootstrap progress for this so no need to log notice everytime tor
|
|
||||||
receives relay descriptors. Microdescriptors behave the same. Fixes bug
|
|
||||||
23861; bugfix on 0.2.8.2-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (entry guards):
|
|
||||||
- Tor now updates its guard state when it reads a consensus regardless of
|
|
||||||
whether it's missing descriptors. That makes tor use its primary guards
|
|
||||||
to fetch descriptors in some edge cases where it would have used fallback
|
|
||||||
directories in the past. Fixes bug 23862; bugfix on 0.3.0.1-alpha.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (memory safety):
|
|
||||||
- Clear the address when node_get_prim_orport() returns early.
|
|
||||||
Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (relay):
|
|
||||||
- Avoid a BUG warning when receiving a dubious CREATE cell while
|
|
||||||
an option transition is in progress. Fixes bug 23952; bugfix on
|
|
||||||
0.3.2.1-alpha.
|
|
|
@ -1,9 +0,0 @@
|
||||||
o Minor bugfixes (bootstrapping):
|
|
||||||
- Fetch descriptors aggressively whenever we lack enough
|
|
||||||
to build circuits, regardless of how many descriptors we are missing.
|
|
||||||
Previously, we would delay launching the fetch when we had fewer than
|
|
||||||
15 missing descriptors, even if some of those descriptors were
|
|
||||||
blocking circuits from building. Fixes bug 23985; bugfix on
|
|
||||||
0.1.1.11-alpha. The effects of this bug became worse in 0.3.0.3-alpha,
|
|
||||||
when we began treating missing descriptors from our primary guards
|
|
||||||
as a reason to delay circuits.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (hidden service):
|
|
||||||
- Make sure that we have a usable ed25519 key when the intro point relay
|
|
||||||
does support ed25519 link authentication. We do check for an empty key
|
|
||||||
when the relay does not support it so this makes it nice and symmetric.
|
|
||||||
Fixes bug 24002; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (logging, relay):
|
|
||||||
- Downgrade a warning to a protocol warning in the case the ed25519 key is
|
|
||||||
not consistent between the descriptor and micro descriptor of a relay.
|
|
||||||
This can happen for instance if the relay has been flagged
|
|
||||||
NoEdConsensus. Fixes bug 24025; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (client):
|
|
||||||
- By default, do not enable storage of client-side DNS values.
|
|
||||||
These values were unused by default previously, but they should
|
|
||||||
not have been cached at all. Fixes bug 24050; bugfix on
|
|
||||||
0.2.6.3-alpha.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (testing):
|
|
||||||
- Fix a spurious fuzzing-only use of an uninitialized value.
|
|
||||||
Found by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Minor bugfixes (directory cache):
|
|
||||||
- When a consensus diff calculation is only partially successful, only
|
|
||||||
record the successful parts as having succeeded. Partial success
|
|
||||||
can happen if (for example) one compression method fails but
|
|
||||||
the others succeed. Previously we misrecorded all the calculations as
|
|
||||||
having succeeded, which would later cause a nonfatal assertion failure.
|
|
||||||
Fixes bug 24086; bugfix on 0.3.1.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (directory cache):
|
|
||||||
- Recover better from empty or corrupt files in the consensus cache
|
|
||||||
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (manpage, hidden service):
|
|
||||||
- Mention that the HiddenServiceNumIntroductionPoints option is 0-10 for
|
|
||||||
v2 service and 0-20 for v3 service. Fixes bug 24115; bugfix on
|
|
||||||
0.3.2.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (v3 onion services):
|
|
||||||
- Fix a memory leak when decrypting a badly formatted v3 onion
|
|
||||||
service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
|
|
||||||
Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Minor bugfixes (network layer):
|
|
||||||
- When closing a connection via close_connection_immediately(), we
|
|
||||||
mark it as "not blocked on bandwidth", to prevent later calls
|
|
||||||
from trying to unblock it, and give it permission to read. This
|
|
||||||
fixes a backtrace warning that can happen on relays under various
|
|
||||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (path selection):
|
|
||||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
|
||||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (controller, linux seccomp2 sandbox):
|
|
||||||
- Avoid a crash when attempting to use the seccomp2 sandbox
|
|
||||||
together with the OwningControllerProcess feature.
|
|
||||||
Fixes bug 24198; bugfix on 0.2.5.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (control port, hidden service):
|
|
||||||
- Control port was reporting the action "UPLOAD_FAILED" instead of
|
|
||||||
"FAILED" for the HS_DESC event when a service was not able to upload a
|
|
||||||
descriptor. Fixes bug 24230; bugfix on 0.2.7.1-alpha.
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor bugfixes (fuzzing):
|
|
||||||
- Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(), to
|
|
||||||
correctly handle cases where a caller gives it an RSA key of under 160
|
|
||||||
bits. (This is not actually a bug in Tor itself, but wrather in our
|
|
||||||
fuzzing code.) Fixes bug 24247; bugfix on 0.3.0.3-alpha.
|
|
||||||
Found by OSS-Fuzz as issue 4177.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (hidden service):
|
|
||||||
- Fix the consensus parameter "hsdir-interval" to "hsdir_interval" so it
|
|
||||||
matches the dir-spec.txt. Fixes bug 24262; bugfix on 0.3.1.1-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (compilation, hardening):
|
|
||||||
- Fix a memory leak warning in one of the libevent-related
|
|
||||||
configuration tests that could occur when manually specifying
|
|
||||||
-fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha.
|
|
||||||
Found and patched by Alex Xu.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Major bugfixes (security, hidden service v2):
|
|
||||||
- Fix a use-after-free error that could crash v2 Tor hidden services
|
|
||||||
when it failed to open circuits while expiring introductions
|
|
||||||
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This
|
|
||||||
issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (tests):
|
|
||||||
- Fix a unit test in one of the bridge-distribution test cases.
|
|
||||||
Fixes bug 24345; bugfix on 0.3.2.3-alpha.
|
|
|
@ -1,13 +0,0 @@
|
||||||
o Minor bugfixes (bridge clients, bootstrap):
|
|
||||||
- Retry directory downloads when we get our first bridge descriptor
|
|
||||||
during bootstrap or while reconnecting to the network. Keep retrying
|
|
||||||
every time we get a bridge descriptor, until we have a reachable bridge.
|
|
||||||
Fixes bug 24367; bugfix on 0.2.0.3-alpha.
|
|
||||||
- Stop delaying bridge descriptor fetches when we have cached bridge
|
|
||||||
descriptors. Instead, only delay bridge descriptor fetches when we
|
|
||||||
have at least one reachable bridge.
|
|
||||||
Fixes bug 24367; bugfix on 0.2.0.3-alpha.
|
|
||||||
- Stop delaying directory fetches when we have cached bridge descriptors.
|
|
||||||
Instead, only delay bridge descriptor fetches when all our bridges are
|
|
||||||
definitely unreachable.
|
|
||||||
Fixes bug 24367; bugfix on 0.2.0.3-alpha.
|
|
|
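Review bot: the second and third items give different conditions for what looks like the same behaviour. The second says bridge descriptor fetches are delayed only "when we have at least one reachable bridge"; the third says they are delayed only "when all our bridges are definitely unreachable". The third item also opens with "Stop delaying directory fetches" and then describes "bridge descriptor fetches", which reads like wording copied from the second item. Please state which fetch type each condition governs. All three items also carry an identical "Fixes bug 24367; bugfix on 0.2.0.3-alpha" line, which could be given once for the group.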
@ -1,3 +0,0 @@
|
||||||
o Minor features (portability):
|
|
||||||
- Tor now compiles correctly on arm64 with libseccomp-dev installed.
|
|
||||||
(It doesn't yet work with the sandbox enabled.) Closes ticket 24424.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (compilation):
|
|
||||||
- Fix a signed/unsigned comparison warning introduced by our
|
|
||||||
fix to TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (scheduler):
|
|
||||||
- Properly set the scheduler state of an unopened channel in the KIST
|
|
||||||
scheduler main loop. This prevents a harmless but annoying log warning.
|
|
||||||
Fixes bug 24502; bugfix on 0.3.2.4-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Documentation:
|
|
||||||
- Document that operators who run more than one relay or bridge are
|
|
||||||
expected to set MyFamily and ContactInfo correctly. Closes ticket
|
|
||||||
24526.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (scheduler, KIST):
|
|
||||||
- Avoid a possible integer overflow when computing the available space on
|
|
||||||
the TCP buffer of a channel. This has no security implications but can
|
|
||||||
make KIST not behave properly by allowing more cells on a already
|
|
||||||
saturated connection. Fixes bug 24590; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (portability, msvc):
|
|
||||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
|
||||||
MSVC. (Note that MSVC is still not a supported build platform,
|
|
||||||
due to cyptographic timing channel risks.) Fixes bug 24633;
|
|
||||||
bugfix on 0.2.9.1-alpha.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (compilation):
|
|
||||||
- Resolve a few shadowed-variable warnings in the onion service code.
|
|
||||||
Fixes bug 24634; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor bugfixes (build, compatibility, rust, OSX):
|
|
||||||
|
|
||||||
- When building with Rust on OSX, link against libresolv, to
|
|
||||||
work around the issue at
|
|
||||||
https://github.com/rust-lang/rust/issues/46797. Fixes bug
|
|
||||||
24652; bugfix on 0.3.1.1-alpha.
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Major bugfixes (KIST, scheduler):
|
|
||||||
- The KIST scheduler did not correctly account for data already enqueued
|
|
||||||
in each connection's send socket buffer, particularly in cases when the
|
|
||||||
TCP/IP congestion window was reduced between scheduler calls. This
|
|
||||||
situation lead to excessive per-connection buffering in the kernel, and
|
|
||||||
a potential memory DoS. Fixes bug 24665; bugfix on 0.3.2.1-alpha.
|
|
|
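Review bot: this entry describes "a potential memory DoS" but is filed under "Major bugfixes (KIST, scheduler)" with no security label. If it is meant as a security fix, the category should say so, as the v2 hidden service use-after-free entry elsewhere in this change set does with "(security, hidden service v2)"; if not, a short clause saying why would help operators judge urgency. Also, "This situation lead to" should be "led to".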
@ -1,7 +0,0 @@
|
||||||
o Minor bugfixes (memory usage):
|
|
||||||
|
|
||||||
- When queuing DESTROY cells on a channel, only queue the
|
|
||||||
circuit-id and reason fields: not the entire 514-byte
|
|
||||||
cell. This fix should help mitigate any bugs or attacks that
|
|
||||||
fill up these queues, and free more RAM for other uses. Fixes
|
|
||||||
bug 24666; bugfix on 0.2.5.1-alpha.
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor bugfixes (scheduler, KIST):
|
|
||||||
- Use a sane write limit for KISTLite when writing onto a connection
|
|
||||||
buffer instead of using INT_MAX and shoving as much as it can. Because
|
|
||||||
the OOM handler cleans up circuit queues, we are better off at keeping
|
|
||||||
them in that queue instead of the connection's buffer. Fixes bug 24671;
|
|
||||||
bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (scheduler, KIST):
|
|
||||||
- Avoid adding the same channel twice in the KIST scheduler pending list
|
|
||||||
wasting CPU cycles at handling the same channel twice. Fixes bug 24700;
|
|
||||||
bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Minor bugfixes (address selection):
|
|
||||||
- When the fascist_firewall_choose_address_ functions don't find a
|
|
||||||
reachable address, set the returned address to the null address and port.
|
|
||||||
This is a precautionary measure, because some callers do not check the
|
|
||||||
return value.
|
|
||||||
Fixes bug 24736; bugfix on 0.2.8.2-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (performance, fragile-hardening):
|
|
||||||
- Improve the performance of our consensus-diff application code when Tor
|
|
||||||
is built with the --enable-fragile-hardening option set. Fixes bug
|
|
||||||
24826; bugfix on 0.3.1.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (logging):
|
|
||||||
- Don't treat inability to store a cached consensus object as a
|
|
||||||
bug: it can happen normally when we are out of disk space.
|
|
||||||
Fixes bug 24859; bugfix on 0.3.1.1-alpha.
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Major bugfixes (v3 onion services):
|
|
||||||
- New-style (v3) onion services now obey the "max rendezvous circuit
|
|
||||||
attempts" logic. Previously they would make as many rendezvous
|
|
||||||
circuit attempts as they could fit in the MAX_REND_TIMEOUT second
|
|
||||||
window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,8 +0,0 @@
|
||||||
o Major bugfixes (onion services):
|
|
||||||
- Fix an "off by 2" error in counting rendezvous failures on the onion
|
|
||||||
service side. While we thought we would stop the rendezvous attempt
|
|
||||||
after one failed circuit, we were actually making three circuit attempts
|
|
||||||
before giving up. Now switch to a default of 2, and allow the consensus
|
|
||||||
parameter "hs_service_max_rdv_failures" to override. Fixes bug 24895;
|
|
||||||
bugfix on 0.0.6.
|
|
||||||
|
|
|
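Review bot: "Now switch to a default of 2" does not say what is being counted. The preceding sentence talks about both "one failed circuit" and "three circuit attempts", so a reader cannot tell whether the new default is two failures or two attempts. State the unit explicitly and keep it consistent with the parameter name "hs_service_max_rdv_failures".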
@ -1,8 +0,0 @@
|
||||||
o Major bugfixes (relays):
|
|
||||||
- Fix a set of false positives where relays would consider connections
|
|
||||||
to other relays as being client-only connections (and thus e.g.
|
|
||||||
deserving different link padding schemes) if those relays fell out
|
|
||||||
of the consensus briefly. Now we look only at the initial handshake
|
|
||||||
and whether the connection authenticated as a relay. Fixes bug
|
|
||||||
24898; bugfix on 0.3.1.1-alpha.
|
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
o Minor bugfix (channel connection):
|
|
||||||
- The accurate address of a connection is real_addr, not the addr member.
|
|
||||||
TLS Channel remote address is now real_addr content instead of addr
|
|
||||||
member. Fixes bug 24952; bugfix on 707c1e2e26 in 0.2.4.11-alpha.
|
|
||||||
Patch by "ffmancera".
|
|
|
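Review bot: "bugfix on 707c1e2e26 in 0.2.4.11-alpha" mixes a commit id into the version reference, where the other entries give only the release; keep the form consistent or drop the hash. The two sentences of the entry also restate each other ("The accurate address of a connection is real_addr, not the addr member. TLS Channel remote address is now real_addr content instead of addr member.") without saying what went wrong when addr was used, which is the part a relay operator would want. The heading "Minor bugfix (channel connection)" is singular where most other sections use "Minor bugfixes".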
@ -1,4 +0,0 @@
|
||||||
o Minor features (logging, diagnostic):
|
|
||||||
- When logging a failure to check a hidden service's certificate,
|
|
||||||
also log what the problem with the certificate was. Diagnostic
|
|
||||||
for ticket 24972.
|
|
|
@ -1,6 +0,0 @@
|
||||||
o Major bugfixes (scheduler, consensus):
|
|
||||||
- A logic in the code was preventing the scheduler subystem to properly
|
|
||||||
make a decision based on the latest consensus when it arrives. This lead
|
|
||||||
to the scheduler failing to notice any consensus parameters that might
|
|
||||||
have changed between consensuses. Fixes bug 24975; bugfix on
|
|
||||||
0.3.2.1-alpha.
|
|
|
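Review bot: the opening sentence needs rewording before it is merged into the ChangeLog. "A logic in the code was preventing the scheduler subystem to properly make a decision" misspells "subsystem" and does not say which check was at fault; name the condition that was wrong, or at least replace "A logic in the code" with a concrete subject. "This lead to" should be "This led to".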
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (hidden service v3 client):
|
|
||||||
- Remove a BUG() statement which can be triggered in normal circumstances
|
|
||||||
where a client fetches a descriptor that has a lower revision counter
|
|
||||||
than the one in its cache. This can happen due to HSDir desync. Fixes
|
|
||||||
bug 24976; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Minor features (compatibility, OpenSSL):
|
|
||||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
|
||||||
Previous versions of Tor would not have worked with OpenSSL
|
|
||||||
1.1.1, since they neither disabled TLS 1.3 nor enabled any of the
|
|
||||||
ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites.
|
|
||||||
Closes ticket 24978.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (unit tests):
|
|
||||||
- Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
|
|
||||||
25005; bugfix on 0.3.2.7-rc.
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Major bugfixes (protocol versions):
|
|
||||||
- Add Link protocol version 5 to the supported protocols list.
|
|
||||||
Fixes bug 25070; bugfix on 0.3.1.1-alpha.
|
|
|
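Review bot: The entry under "Major bugfixes (protocol versions)" says only that Link protocol version 5 was added to the supported protocols list and gives no hint of what went wrong while it was missing. Add a sentence describing the observable effect, so readers can tell why this is classed as major and whether they were affected.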
@ -1,5 +0,0 @@
|
||||||
o Minor bugfixes (v3 onion services):
|
|
||||||
- Look at the "HSRend" protocol version, not the "HSDir" protocol
|
|
||||||
version, when deciding whether a consensus entry can support
|
|
||||||
the v3 onion service protocol as a rendezvous point.
|
|
||||||
Fixes bug 25105; bugfix on 0.3.2.1-alpha.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor bugfixes (DoS mitigation):
|
|
||||||
- Make sure we don't modify consensus parameters if we aren't a public
|
|
||||||
relay when a new consensus arrives. Fixes bug 25223; bugfix on
|
|
||||||
0.3.3.2-alpha.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (spec conformance):
|
|
||||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
|
||||||
0.2.9.4-alpha.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Minor bugfixes (spec conformance):
|
|
||||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
|
||||||
bugfix on 0.2.9.4-alpha.
|
|
|
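Review bot: This UINT32_MAX entry and the "-0" entry in the preceding hunk share the heading "Minor bugfixes (spec conformance)", the bug number 25249 and the version 0.2.9.4-alpha, and each says "Fixes part of". Consider combining them into one item that lists both rejected values, so the two halves of the fix are read together and neither is missed.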
@ -1,9 +0,0 @@
|
||||||
o Minor features (bridge):
|
|
||||||
- Bridge relays can now set the BridgeDistribution config option to
|
|
||||||
add a "bridge-distribution-request" line to their bridge descriptor,
|
|
||||||
which tells BridgeDB how they'd like their bridge address to be
|
|
||||||
given out. (Note that as of Oct 2017, BridgeDB does not yet implement
|
|
||||||
this feature.) As a side benefit, this feature provides a way
|
|
||||||
to distinguish bridge descriptors from non-bridge descriptors.
|
|
||||||
Implements tickets 18329.
|
|
||||||
|
|
|
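Review bot: "Implements tickets 18329" names a single ticket, so it should read "Implements ticket 18329". The parenthetical "as of Oct 2017, BridgeDB does not yet implement this feature" is a dated statement; recheck it at the time the entry is published, because an operator who sets BridgeDistribution needs to know whether the request is actually honoured.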
@ -1,4 +0,0 @@
|
||||||
o Minor features (geoip):
|
|
||||||
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (geoip):
|
|
||||||
- Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (geoip):
|
|
||||||
- Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (geoip):
|
|
||||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (geoip):
|
|
||||||
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
|
||||||
Country database.
|
|
||||||
|
|
|
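Review bot: This October 4 2017 geoip entry is older than the November 6 2017, December 6 2017, January 5 2018 and February 7 2018 entries in the preceding hunks, which all use the same heading and wording. If these are folded into a single set of release notes, keep only the most recent database date, since the later updates supersede this one.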
@ -1,3 +0,0 @@
|
||||||
o Minor features (testing):
|
|
||||||
- Our fuzzing tests now test the encrypted portions of the
|
|
||||||
v3 hidden service descriptors. Implements more of 21509.
|
|
|
@ -1,3 +0,0 @@
|
||||||
o Directory authority changes:
|
|
||||||
- The directory authority "Longclaw" has changed its IP address.
|
|
||||||
Closes ticket 23592.
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Minor bugfixes (correctness):
|
|
||||||
- Fix several places in our codebase where a C compiler would be likely
|
|
||||||
to eliminate a check, based on assuming that undefined behavior had not
|
|
||||||
happened elsewhere in the code. These cases are usually a sign of
|
|
||||||
redundant checking, or dubious arithmetic. Found by Georg Koppen using
|
|
||||||
the "STACK" tool from Wang, Zeldovich, Kaashoek, and
|
|
||||||
Solar-Lezama. Fixes bug 24423; bugfix on various Tor versions.
|
|
|
@ -1,7 +0,0 @@
|
||||||
o Minor features (removed deprecations):
|
|
||||||
- The ClientDNSRejectInternalAddresses flag can once again be set in
|
|
||||||
non-testing Tor networks, so long as they do not use the default
|
|
||||||
directory authorities.
|
|
||||||
This change also removes the deprecation of this
|
|
||||||
flag in 0.2.9.2-alpha. Closes ticket 21031.
|
|
||||||
|
|
|
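Review bot: The last sentence, "This change also removes the deprecation of this flag in 0.2.9.2-alpha", can be read as saying the removal itself happens in 0.2.9.2-alpha. If the intent is that the flag was deprecated in that version, reword it, for example "This change also undoes the deprecation of this flag from 0.2.9.2-alpha". There is also a stray line break after "directory authorities." that splits the paragraph in two.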
@ -1,5 +0,0 @@
|
||||||
o Minor features (directory authority):
|
|
||||||
- Make the "Exit" flag assignment only depend on whether the exit
|
|
||||||
policy allows connections to ports 80 and 443. Previously relays
|
|
||||||
would get the Exit flag if they allowed connections to one of
|
|
||||||
these ports and also port 6667. Resolves ticket 23637.
|
|
|
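Review bot: "allows connections to ports 80 and 443" does not make clear whether both ports are required or either one suffices, while the old rule is described as "one of these ports and also port 6667". Say "both ports 80 and 443" (or "either") explicitly, since authority and exit operators need to know exactly when the Exit flag is assigned.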
@ -1,4 +0,0 @@
|
||||||
o Minor feature (relay statistics):
|
|
||||||
- Change relay bandwidth reporting stats interval from 4 hours to 24 hours
|
|
||||||
in order to reduce the efficiency of guard discovery attacks. Fixes
|
|
||||||
ticket 23856.
|
|
|
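Review bot: The heading "Minor feature (relay statistics)" is singular where the other entries use "Minor features (...)", and the entry closes with "Fixes ticket 23856" where the other feature entries say "Closes ticket" or "Implements". Align both with the rest of the set so the entry sorts into the right section.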
@ -1,3 +0,0 @@
|
||||||
o Directory authority changes:
|
|
||||||
- Add bastet as a ninth directory authority to the default list. Closes
|
|
||||||
ticket 23910.
|
|
|
@ -1,4 +0,0 @@
|
||||||
o Minor features (logging):
|
|
||||||
- Downgrade a pair of log messages that could occur when an exit's
|
|
||||||
resolver gave us an unusual (but not forbidden) response.
|
|
||||||
Closes ticket 24097.
|
|
Some files were not shown because too many files have changed in this diff