Compare commits
205 Commits
master
...
release-0.
Author | SHA1 | Date |
---|---|---|
Nick Mathewson | 14ec62f064 | |
Nick Mathewson | 432620e44e | |
Roger Dingledine | f3b53391e8 | |
Nick Mathewson | 79bee260ee | |
Nick Mathewson | e8edd97c1c | |
Nick Mathewson | e935e27676 | |
Nick Mathewson | 34d418009d | |
Nick Mathewson | a15009bd38 | |
Nick Mathewson | 7e1102ff25 | |
Nick Mathewson | a1243864f2 | |
Nick Mathewson | 4b14ff45fd | |
Nick Mathewson | fb4307bf22 | |
Nick Mathewson | 7a55efbd59 | |
Nick Mathewson | 31e69ac222 | |
Nick Mathewson | 3abd57fa0a | |
Nick Mathewson | ecb51bf9f3 | |
Nick Mathewson | 65fd973754 | |
Nick Mathewson | 677789b680 | |
Nick Mathewson | a6f21a61d1 | |
Nick Mathewson | bc250fcabd | |
Nick Mathewson | 955a7f52d3 | |
Nick Mathewson | 70bd4aae67 | |
Nick Mathewson | 6170f87e01 | |
Nick Mathewson | 7dbaaba3d2 | |
Nick Mathewson | 109c555e9d | |
Nick Mathewson | 36154c13f4 | |
Nick Mathewson | 75b544d64d | |
Nick Mathewson | 2f397236b2 | |
Nick Mathewson | 4b067f8b12 | |
Nick Mathewson | 38b7885c90 | |
Nick Mathewson | 4a03851e42 | |
Nick Mathewson | 2d42648eaf | |
Nick Mathewson | 31cc63deb6 | |
Nick Mathewson | 8231cc868e | |
Nick Mathewson | a9769b78f0 | |
Nick Mathewson | 499bdd81a7 | |
Nick Mathewson | bc8b5fb559 | |
Nick Mathewson | 43d44c04ff | |
Nick Mathewson | 3acf6cafbb | |
Nick Mathewson | 1c56181983 | |
Nick Mathewson | 434942ea59 | |
Nick Mathewson | cc17922645 | |
Nick Mathewson | 7e664bf74f | |
Nick Mathewson | 4bfbce9de7 | |
Nick Mathewson | 6a35e7d69a | |
Nick Mathewson | 3fda19ef24 | |
Nick Mathewson | 1a877693da | |
Nick Mathewson | 2a24ce9656 | |
Nick Mathewson | 9e81221c96 | |
Nick Mathewson | cb3c1f2e54 | |
Nick Mathewson | 67127dca57 | |
Nick Mathewson | f5e37b2eb6 | |
Nick Mathewson | 90716e3f9c | |
Nick Mathewson | 1a4876587e | |
Nick Mathewson | df37b93336 | |
Nick Mathewson | a877241e6c | |
Nick Mathewson | 2485f8dea4 | |
Nick Mathewson | c35416ab8f | |
Nick Mathewson | 8dc3b5ff3a | |
Nick Mathewson | da2daa8e5e | |
Nick Mathewson | 3d7f134bea | |
Nick Mathewson | 6b629d3095 | |
Nick Mathewson | 677bebda70 | |
Nick Mathewson | 03eb2037d1 | |
Nick Mathewson | 698334eee7 | |
Nick Mathewson | c9b4ddc882 | |
Nick Mathewson | 4bfc355799 | |
Nick Mathewson | b1267114cf | |
Nick Mathewson | 7e96767825 | |
Nick Mathewson | dbea64aab6 | |
Nick Mathewson | 01d6e23f76 | |
Nick Mathewson | 9e8b762fce | |
Nick Mathewson | 02c5ca6ace | |
Nick Mathewson | e985afa43c | |
Nick Mathewson | b70f303207 | |
Nick Mathewson | ece3e77066 | |
Nick Mathewson | 971d634b63 | |
Nick Mathewson | 474d4006ab | |
Nick Mathewson | ea6f3e329d | |
Nick Mathewson | 58474f7bb1 | |
Nick Mathewson | 5ff2d8d770 | |
Nick Mathewson | efba81e3bb | |
Roger Dingledine | 0d172c1182 | |
Nick Mathewson | 8edc0be74b | |
Nick Mathewson | c7c043d2b6 | |
Nick Mathewson | 1a070767de | |
Nick Mathewson | 99b4f86833 | |
Nick Mathewson | fd46d8d0ad | |
Nick Mathewson | 11336cfa09 | |
Nick Mathewson | 63b84335dc | |
Nick Mathewson | afacaa02a5 | |
Nick Mathewson | 9be4b91760 | |
Nick Mathewson | 0d1a2e366a | |
Nick Mathewson | 29e23e62c9 | |
Nick Mathewson | 88642bbdc7 | |
Nick Mathewson | 2a7cad9572 | |
Nick Mathewson | c2b64ad096 | |
Nick Mathewson | 748f0abc2d | |
Nick Mathewson | 2824413f40 | |
Nick Mathewson | 64c88c7199 | |
Nick Mathewson | 4f8a0ed62d | |
Nick Mathewson | 0f105d69fc | |
Nick Mathewson | 2b48b5363f | |
Nick Mathewson | 304e2151ac | |
Nick Mathewson | 6ff333f627 | |
Nick Mathewson | 0834f4d93d | |
Nick Mathewson | 4c015d9fe4 | |
Nick Mathewson | 37fba82c15 | |
Nick Mathewson | dc9f2cdf73 | |
Nick Mathewson | dd5ca25055 | |
Nick Mathewson | 706e6893d1 | |
Nick Mathewson | 58f974818c | |
Nick Mathewson | 2cfb7b0413 | |
Nick Mathewson | a14ff6b9c7 | |
Nick Mathewson | d77e827693 | |
Nick Mathewson | ca554b22f8 | |
Nick Mathewson | fdd13697d5 | |
Nick Mathewson | 4fc402496e | |
Nick Mathewson | 68ec14dc18 | |
Nick Mathewson | cd084c2036 | |
Nick Mathewson | 0c7a540ba2 | |
Nick Mathewson | 92d45086f5 | |
Nick Mathewson | bc30d30534 | |
Nick Mathewson | 19e01f0cbc | |
Nick Mathewson | fe12c9756a | |
Nick Mathewson | e0d1ab4172 | |
Nick Mathewson | 87012d076e | |
Nick Mathewson | 26f5da96b2 | |
Nick Mathewson | c66ce3419d | |
Nick Mathewson | 9eb17cb7ba | |
Nick Mathewson | c981cd4311 | |
Nick Mathewson | 500975da96 | |
Nick Mathewson | 1e715efb77 | |
Nick Mathewson | 9a9d32fabc | |
Nick Mathewson | fa72612540 | |
Nick Mathewson | 36806e9830 | |
Nick Mathewson | d084d3246b | |
Nick Mathewson | d499a5a708 | |
Roger Dingledine | 8ecb170c17 | |
Nick Mathewson | 0fc65a33f7 | |
Nick Mathewson | e4b68abd5a | |
Nick Mathewson | c6365055a1 | |
Nick Mathewson | b9be385fd6 | |
Nick Mathewson | e343cb8f63 | |
Nick Mathewson | 1bd83c2ec8 | |
Nick Mathewson | 9096454492 | |
Nick Mathewson | e74229efc4 | |
Nick Mathewson | 41a3eaf2fc | |
Nick Mathewson | 9afa661924 | |
Nick Mathewson | cf92667b9f | |
Nick Mathewson | 330ccb699e | |
Nick Mathewson | b2e1910017 | |
Nick Mathewson | 00aeecb397 | |
Nick Mathewson | b9826ba451 | |
Nick Mathewson | 066904e758 | |
Nick Mathewson | 2367b1ed31 | |
Nick Mathewson | 01c5d4583f | |
Nick Mathewson | 7d1e47559a | |
Nick Mathewson | 349a92bf3f | |
Nick Mathewson | 8473424ede | |
Nick Mathewson | ab8013391e | |
Nick Mathewson | 08d933a794 | |
Nick Mathewson | a71552268d | |
Nick Mathewson | 5ea9a48ae7 | |
Nick Mathewson | 4bd9c53237 | |
Nick Mathewson | a8c388b0e2 | |
Nick Mathewson | ad90a136b2 | |
Nick Mathewson | 55aafbf7ba | |
Nick Mathewson | 6a8c1667df | |
Nick Mathewson | 57deb20f35 | |
Nick Mathewson | 7cbda1181d | |
Nick Mathewson | 940308f493 | |
Roger Dingledine | edbf6a62aa | |
Nick Mathewson | c5b16c1413 | |
Nick Mathewson | 388b1d0fab | |
Nick Mathewson | c99fec4999 | |
Nick Mathewson | d37bc72873 | |
Nick Mathewson | 04714df9cc | |
Nick Mathewson | e50da3327f | |
Nick Mathewson | b4b2459de0 | |
Nick Mathewson | 94752b3fa6 | |
Nick Mathewson | 059c441d27 | |
Nick Mathewson | 6d6cd2060f | |
Nick Mathewson | 0c8eebd90c | |
Nick Mathewson | 89ed93e468 | |
Nick Mathewson | bd432bbac5 | |
Nick Mathewson | d05780c1bb | |
Nick Mathewson | 8c9b5bfb8c | |
Nick Mathewson | 6bc1632b72 | |
Nick Mathewson | ed10b34efe | |
Nick Mathewson | 3d966f57a4 | |
Nick Mathewson | 6688091928 | |
Nick Mathewson | 33652fce62 | |
Nick Mathewson | aed642a4b2 | |
Nick Mathewson | 588be5b028 | |
Nick Mathewson | 8a8b5d590e | |
Nick Mathewson | 0f47507fe2 | |
Nick Mathewson | c5bb554e77 | |
Nick Mathewson | 68181dc263 | |
Nick Mathewson | a99ca9313a | |
Nick Mathewson | dbd4b2be5d | |
Nick Mathewson | 080bcfa239 | |
Nick Mathewson | 023d756bfc | |
Nick Mathewson | 325549d2e7 | |
Nick Mathewson | 5a65695149 |
716
ChangeLog
716
ChangeLog
|
@ -1,3 +1,719 @@
|
|||
Changes in version 0.3.2.10 - 2018-03-03
|
||||
Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It
|
||||
backports a number of bugfixes, including important fixes for security
|
||||
issues.
|
||||
|
||||
It includes an important security fix for a remote crash attack
|
||||
against directory authorities, tracked as TROVE-2018-001.
|
||||
|
||||
Additionally, it backports a fix for a bug whose severity we have
|
||||
upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely
|
||||
triggered in order to crash relays with a use-after-free pattern. As
|
||||
such, we are now tracking that bug as TROVE-2018-002 and
|
||||
CVE-2018-0491, and backporting it to earlier releases. This bug
|
||||
affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version
|
||||
0.3.3.1-alpha.
|
||||
|
||||
This release also backports our new system for improved resistance to
|
||||
denial-of-service attacks against relays.
|
||||
|
||||
This release also fixes several minor bugs and annoyances from
|
||||
earlier releases.
|
||||
|
||||
Relays running 0.3.2.x SHOULD upgrade to one of the versions released
|
||||
today, for the fix to TROVE-2018-002. Directory authorities should
|
||||
also upgrade. (Relays on earlier versions might want to update too for
|
||||
the DoS mitigations.)
|
||||
|
||||
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||
CVE-2018-0490.
|
||||
|
||||
o Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha):
|
||||
- Avoid adding the same channel twice in the KIST scheduler pending
|
||||
list, which could lead to remote denial-of-service use-after-free
|
||||
attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
|
||||
- Give relays some defenses against the recent network overload. We
|
||||
start with three defenses (default parameters in parentheses).
|
||||
First: if a single client address makes too many concurrent
|
||||
connections (>100), hang up on further connections. Second: if a
|
||||
single client address makes circuits too quickly (more than 3 per
|
||||
second, with an allowed burst of 90) while also having too many
|
||||
connections open (3), refuse new create cells for the next while
|
||||
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||
point to you directly, ignore the request. These defenses can be
|
||||
manually controlled by new torrc options, but relays will also
|
||||
take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||
onion service side. While we thought we would stop the rendezvous
|
||||
attempt after one failed circuit, we were actually making three
|
||||
circuit attempts before giving up. Now switch to a default of 2,
|
||||
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||
- New-style (v3) onion services now obey the "max rendezvous circuit
|
||||
attempts" logic. Previously they would make as many rendezvous
|
||||
circuit attempts as they could fit in the MAX_REND_TIMEOUT second
|
||||
window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
|
||||
- Add Link protocol version 5 to the supported protocols list. Fixes
|
||||
bug 25070; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (relay, backport from 0.3.3.1-alpha):
|
||||
- Fix a set of false positives where relays would consider
|
||||
connections to other relays as being client-only connections (and
|
||||
thus e.g. deserving different link padding schemes) if those
|
||||
relays fell out of the consensus briefly. Now we look only at the
|
||||
initial handshake and whether the connection authenticated as a
|
||||
relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (scheduler, consensus, backport from 0.3.3.2-alpha):
|
||||
- The scheduler subsystem was failing to promptly notice changes in
|
||||
consensus parameters, making it harder to switch schedulers
|
||||
network-wide. Fixes bug 24975; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory. This check is important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
||||
o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor features (logging, diagnostic, backport from 0.3.3.2-alpha):
|
||||
- When logging a failure to create an onion service's descriptor,
|
||||
also log what the problem with the descriptor was. Diagnostic
|
||||
for ticket 24972.
|
||||
|
||||
o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
|
||||
- Use the actual observed address of an incoming relay connection,
|
||||
not the canonical address of the relay from its descriptor, when
|
||||
making decisions about how to handle the incoming connection.
|
||||
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||
|
||||
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||
- Fix a possible crash on malformed consensus. If a consensus had
|
||||
contained an unparseable protocol line, it could have made clients
|
||||
and relays crash with a null-pointer exception. To exploit this
|
||||
issue, however, an attacker would need to be able to subvert the
|
||||
directory authority system. Fixes bug 25251; bugfix on
|
||||
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||
|
||||
o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
|
||||
- Directory authorities, when refusing a descriptor from a rejected
|
||||
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list.
|
||||
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||
|
||||
o Minor bugfixes (build, rust, backport from 0.3.3.1-alpha):
|
||||
- When building with Rust on OSX, link against libresolv, to work
|
||||
around the issue at https://github.com/rust-lang/rust/issues/46797.
|
||||
Fixes bug 24652; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (onion services, backport from 0.3.3.2-alpha):
|
||||
- Remove a BUG() statement when a client fetches an onion descriptor
|
||||
that has a lower revision counter than the one in its cache. This
|
||||
can happen in normal circumstances due to HSDir desync. Fixes bug
|
||||
24976; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
|
||||
- Don't treat inability to store a cached consensus object as a bug:
|
||||
it can happen normally when we are out of disk space. Fixes bug
|
||||
24859; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
|
||||
- Improve the performance of our consensus-diff application code
|
||||
when Tor is built with the --enable-fragile-hardening option set.
|
||||
Fixes bug 24826; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
||||
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
||||
|
||||
o Minor bugfixes (testing, backport from 0.3.3.1-alpha):
|
||||
- Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
|
||||
25005; bugfix on 0.3.2.7-rc.
|
||||
|
||||
o Minor bugfixes (v3 onion services, backport from 0.3.3.2-alpha):
|
||||
- Look at the "HSRend" protocol version, not the "HSDir" protocol
|
||||
version, when deciding whether a consensus entry can support the
|
||||
v3 onion service protocol as a rendezvous point. Fixes bug 25105;
|
||||
bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Code simplification and refactoring (backport from 0.3.3.3-alpha):
|
||||
- Update the "rust dependencies" submodule to be a project-level
|
||||
repository, rather than a user repository. Closes ticket 25323.
|
||||
|
||||
o Documentation (backport from 0.3.3.1-alpha)
|
||||
- Document that operators who run more than one relay or bridge are
|
||||
expected to set MyFamily and ContactInfo correctly. Closes
|
||||
ticket 24526.
|
||||
|
||||
|
||||
Changes in version 0.3.2.9 - 2018-01-09
|
||||
Tor 0.3.2.9 is the first stable release in the 0.3.2 series.
|
||||
|
||||
The 0.3.2 series includes our long-anticipated new onion service
|
||||
design, with numerous security features. (For more information, see
|
||||
our blog post at https://blog.torproject.org/fall-harvest.) We also
|
||||
have a new circuit scheduler algorithm for improved performance on
|
||||
relays everywhere (see https://blog.torproject.org/kist-and-tell),
|
||||
along with many smaller features and bugfixes.
|
||||
|
||||
Per our stable release policy, we plan to support each stable release
|
||||
series for at least the next nine months, or for three months after
|
||||
the first stable release of the next series: whichever is longer. If
|
||||
you need a release with long-term support, we recommend that you stay
|
||||
with the 0.2.9 series.
|
||||
|
||||
Below is a list of the changes since 0.3.2.8-rc. For a list of all
|
||||
changes since 0.3.1, see the ReleaseNotes file.
|
||||
|
||||
o Minor features (fallback directory mirrors):
|
||||
- The fallback directory list has been re-generated based on the
|
||||
current status of the network. Tor uses fallback directories to
|
||||
bootstrap when it doesn't yet have up-to-date directory
|
||||
information. Closes ticket 24801.
|
||||
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
||||
prefer to bootstrap from fallback directory mirrors. This is a
|
||||
follow-up to 24679, which removed weights from the default
|
||||
fallbacks. Implements ticket 24681.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor bugfixes (address selection):
|
||||
- When the fascist_firewall_choose_address_ functions don't find a
|
||||
reachable address, set the returned address to the null address
|
||||
and port. This is a precautionary measure, because some callers do
|
||||
not check the return value. Fixes bug 24736; bugfix
|
||||
on 0.2.8.2-alpha.
|
||||
|
||||
o Minor bugfixes (compilation):
|
||||
- Resolve a few shadowed-variable warnings in the onion service
|
||||
code. Fixes bug 24634; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (portability, msvc):
|
||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||
MSVC. (Note that MSVC is still not a supported build platform, due
|
||||
to cyptographic timing channel risks.) Fixes bug 24633; bugfix
|
||||
on 0.2.9.1-alpha.
|
||||
|
||||
|
||||
Changes in version 0.3.2.8-rc - 2017-12-21
|
||||
Tor 0.3.2.8-rc fixes a pair of bugs in the KIST and KISTLite
|
||||
schedulers that had led servers under heavy load to overload their
|
||||
outgoing connections. All relay operators running earlier 0.3.2.x
|
||||
versions should upgrade. This version also includes a mitigation for
|
||||
over-full DESTROY queues leading to out-of-memory conditions: if it
|
||||
works, we will soon backport it to earlier release series.
|
||||
|
||||
This is the second release candidate in the 0.3.2 series. If we find
|
||||
no new bugs or regression here, then the first stable 0.3.2 release
|
||||
will be nearly identical to this.
|
||||
|
||||
o Major bugfixes (KIST, scheduler):
|
||||
- The KIST scheduler did not correctly account for data already
|
||||
enqueued in each connection's send socket buffer, particularly in
|
||||
cases when the TCP/IP congestion window was reduced between
|
||||
scheduler calls. This situation lead to excessive per-connection
|
||||
buffering in the kernel, and a potential memory DoS. Fixes bug
|
||||
24665; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor bugfixes (hidden service v3):
|
||||
- Bump hsdir_spread_store parameter from 3 to 4 in order to increase
|
||||
the probability of reaching a service for a client missing
|
||||
microdescriptors. Fixes bug 24425; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (memory usage):
|
||||
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
||||
and reason fields: not the entire 514-byte cell. This fix should
|
||||
help mitigate any bugs or attacks that fill up these queues, and
|
||||
free more RAM for other uses. Fixes bug 24666; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (scheduler, KIST):
|
||||
- Use a sane write limit for KISTLite when writing onto a connection
|
||||
buffer instead of using INT_MAX and shoving as much as it can.
|
||||
Because the OOM handler cleans up circuit queues, we are better
|
||||
off at keeping them in that queue instead of the connection's
|
||||
buffer. Fixes bug 24671; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
|
||||
Changes in version 0.3.2.7-rc - 2017-12-14
|
||||
Tor 0.3.2.7-rc fixes various bugs in earlier versions of Tor,
|
||||
including some that could affect reliability or correctness.
|
||||
|
||||
This is the first release candidate in the 0.3.2 series. If we find no
|
||||
new bugs or regression here, then the first stable 0.3.2. release will
|
||||
be nearly identical to this.
|
||||
|
||||
o Major bugfixes (circuit prediction):
|
||||
- Fix circuit prediction logic so that a client doesn't treat a port
|
||||
as being "handled" by a circuit if that circuit already has
|
||||
isolation settings on it. This change should make Tor clients more
|
||||
responsive by improving their chances of having a pre-created
|
||||
circuit ready for use when a request arrives. Fixes bug 18859;
|
||||
bugfix on 0.2.3.3-alpha.
|
||||
|
||||
o Minor features (logging):
|
||||
- Provide better warnings when the getrandom() syscall fails. Closes
|
||||
ticket 24500.
|
||||
|
||||
o Minor features (portability):
|
||||
- Tor now compiles correctly on arm64 with libseccomp-dev installed.
|
||||
(It doesn't yet work with the sandbox enabled.) Closes
|
||||
ticket 24424.
|
||||
|
||||
o Minor bugfixes (bridge clients, bootstrap):
|
||||
- Retry directory downloads when we get our first bridge descriptor
|
||||
during bootstrap or while reconnecting to the network. Keep
|
||||
retrying every time we get a bridge descriptor, until we have a
|
||||
reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
|
||||
- Stop delaying bridge descriptor fetches when we have cached bridge
|
||||
descriptors. Instead, only delay bridge descriptor fetches when we
|
||||
have at least one reachable bridge. Fixes part of bug 24367;
|
||||
bugfix on 0.2.0.3-alpha.
|
||||
- Stop delaying directory fetches when we have cached bridge
|
||||
descriptors. Instead, only delay bridge descriptor fetches when
|
||||
all our bridges are definitely unreachable. Fixes part of bug
|
||||
24367; bugfix on 0.2.0.3-alpha.
|
||||
|
||||
o Minor bugfixes (compilation):
|
||||
- Fix a signed/unsigned comparison warning introduced by our fix to
|
||||
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||
|
||||
o Minor bugfixes (correctness):
|
||||
- Fix several places in our codebase where a C compiler would be
|
||||
likely to eliminate a check, based on assuming that undefined
|
||||
behavior had not happened elsewhere in the code. These cases are
|
||||
usually a sign of redundant checking or dubious arithmetic. Found
|
||||
by Georg Koppen using the "STACK" tool from Wang, Zeldovich,
|
||||
Kaashoek, and Solar-Lezama. Fixes bug 24423; bugfix on various
|
||||
Tor versions.
|
||||
|
||||
o Minor bugfixes (onion service v3):
|
||||
- Fix a race where an onion service would launch a new intro circuit
|
||||
after closing an old one, but fail to register it before freeing
|
||||
the previously closed circuit. This bug was making the service
|
||||
unable to find the established intro circuit and thus not upload
|
||||
its descriptor, thus making a service unavailable for up to 24
|
||||
hours. Fixes bug 23603; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (scheduler, KIST):
|
||||
- Properly set the scheduler state of an unopened channel in the
|
||||
KIST scheduler main loop. This prevents a harmless but annoying
|
||||
log warning. Fixes bug 24502; bugfix on 0.3.2.4-alpha.
|
||||
- Avoid a possible integer overflow when computing the available
|
||||
space on the TCP buffer of a channel. This had no security
|
||||
implications; but could make KIST allow too many cells on a
|
||||
saturated connection. Fixes bug 24590; bugfix on 0.3.2.1-alpha.
|
||||
- Downgrade to "info" a harmless warning about the monotonic time
|
||||
moving backwards: This can happen on platform not supporting
|
||||
monotonic time. Fixes bug 23696; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
|
||||
Changes in version 0.3.2.6-alpha - 2017-12-01
|
||||
This version of Tor is the latest in the 0.3.2 alpha series. It
|
||||
includes fixes for several important security issues. All Tor users
|
||||
should upgrade to this release, or to one of the other releases coming
|
||||
out today.
|
||||
|
||||
o Major bugfixes (security):
|
||||
- Fix a denial of service bug where an attacker could use a
|
||||
malformed directory object to cause a Tor instance to pause while
|
||||
OpenSSL would try to read a passphrase from the terminal. (Tor
|
||||
instances run without a terminal, which is the case for most Tor
|
||||
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
||||
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
||||
Found by OSS-Fuzz as testcase 6360145429790720.
|
||||
- Fix a denial of service issue where an attacker could crash a
|
||||
directory authority using a malformed router descriptor. Fixes bug
|
||||
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
|
||||
and CVE-2017-8820.
|
||||
- When checking for replays in the INTRODUCE1 cell data for a
|
||||
(legacy) onion service, correctly detect replays in the RSA-
|
||||
encrypted part of the cell. We were previously checking for
|
||||
replays on the entire cell, but those can be circumvented due to
|
||||
the malleability of Tor's legacy hybrid encryption. This fix helps
|
||||
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
||||
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
||||
and CVE-2017-8819.
|
||||
|
||||
o Major bugfixes (security, onion service v2):
|
||||
- Fix a use-after-free error that could crash v2 Tor onion services
|
||||
when they failed to open circuits while expiring introduction
|
||||
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
|
||||
also tracked as TROVE-2017-013 and CVE-2017-8823.
|
||||
|
||||
o Major bugfixes (security, relay):
|
||||
- When running as a relay, make sure that we never build a path
|
||||
through ourselves, even in the case where we have somehow lost the
|
||||
version of our descriptor appearing in the consensus. Fixes part
|
||||
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
||||
as TROVE-2017-012 and CVE-2017-8822.
|
||||
- When running as a relay, make sure that we never choose ourselves
|
||||
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
|
||||
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
|
||||
|
||||
o Minor feature (relay statistics):
|
||||
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
||||
hours in order to reduce the efficiency of guard discovery
|
||||
attacks. Fixes ticket 23856.
|
||||
|
||||
o Minor features (directory authority):
|
||||
- Add an IPv6 address for the "bastet" directory authority. Closes
|
||||
ticket 24394.
|
||||
|
||||
o Minor bugfixes (client):
|
||||
- By default, do not enable storage of client-side DNS values. These
|
||||
values were unused by default previously, but they should not have
|
||||
been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.
|
||||
|
||||
|
||||
Changes in version 0.3.2.5-alpha - 2017-11-22
|
||||
Tor 0.3.2.5-alpha is the fifth alpha release in the 0.3.2.x series. It
|
||||
fixes several stability and reliability bugs, including a fix for
|
||||
intermittent bootstrapping failures that some people have been seeing
|
||||
since the 0.3.0.x series.
|
||||
|
||||
Please test this alpha out -- many of these fixes will soon be
|
||||
backported to stable Tor versions if no additional bugs are found
|
||||
in them.
|
||||
|
||||
o Major bugfixes (bootstrapping):
|
||||
- Fetch descriptors aggressively whenever we lack enough to build
|
||||
circuits, regardless of how many descriptors we are missing.
|
||||
Previously, we would delay launching the fetch when we had fewer
|
||||
than 15 missing descriptors, even if some of those descriptors
|
||||
were blocking circuits from building. Fixes bug 23985; bugfix on
|
||||
0.1.1.11-alpha. The effects of this bug became worse in
|
||||
0.3.0.3-alpha, when we began treating missing descriptors from our
|
||||
primary guards as a reason to delay circuits.
|
||||
- Don't try fetching microdescriptors from relays that have failed
|
||||
to deliver them in the past. Fixes bug 23817; bugfix
|
||||
on 0.3.0.1-alpha.
|
||||
|
||||
o Minor features (directory authority):
|
||||
- Make the "Exit" flag assignment only depend on whether the exit
|
||||
policy allows connections to ports 80 and 443. Previously relays
|
||||
would get the Exit flag if they allowed connections to one of
|
||||
these ports and also port 6667. Resolves ticket 23637.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox):
|
||||
- Update the sandbox rules so that they should now work correctly
|
||||
with Glibc 2.26. Closes ticket 24315.
|
||||
|
||||
o Minor features (logging):
|
||||
- Downgrade a pair of log messages that could occur when an exit's
|
||||
resolver gave us an unusual (but not forbidden) response. Closes
|
||||
ticket 24097.
|
||||
- Improve the message we log when re-enabling circuit build timeouts
|
||||
after having received a consensus. Closes ticket 20963.
|
||||
|
||||
o Minor bugfixes (compilation):
|
||||
- Fix a memory leak warning in one of the libevent-related
|
||||
configuration tests that could occur when manually specifying
|
||||
-fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha.
|
||||
Found and patched by Alex Xu.
|
||||
- When detecting OpenSSL on Windows from our configure script, make
|
||||
sure to try linking with the ws2_32 library. Fixes bug 23783;
|
||||
bugfix on 0.3.2.2-alpha.
|
||||
|
||||
o Minor bugfixes (control port, linux seccomp2 sandbox):
|
||||
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
||||
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (control port, onion services):
|
||||
- Report "FAILED" instead of "UPLOAD_FAILED" "FAILED" for the
|
||||
HS_DESC event when a service is not able to upload a descriptor.
|
||||
Fixes bug 24230; bugfix on 0.2.7.1-alpha.
|
||||
|
||||
o Minor bugfixes (directory cache):
|
||||
- Recover better from empty or corrupt files in the consensus cache
|
||||
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
|
||||
- When a consensus diff calculation is only partially successful,
|
||||
only record the successful parts as having succeeded. Partial
|
||||
success can happen if (for example) one compression method fails
|
||||
but the others succeed. Previously we misrecorded all the
|
||||
calculations as having succeeded, which would later cause a
|
||||
nonfatal assertion failure. Fixes bug 24086; bugfix
|
||||
on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (logging):
|
||||
- Only log once if we notice that KIST support is gone. Fixes bug
|
||||
24158; bugfix on 0.3.2.1-alpha.
|
||||
- Suppress a log notice when relay descriptors arrive. We already
|
||||
have a bootstrap progress for this so no need to log notice
|
||||
everytime tor receives relay descriptors. Microdescriptors behave
|
||||
the same. Fixes bug 23861; bugfix on 0.2.8.2-alpha.
|
||||
|
||||
o Minor bugfixes (network layer):
|
||||
- When closing a connection via close_connection_immediately(), we
|
||||
mark it as "not blocked on bandwidth", to prevent later calls from
|
||||
trying to unblock it, and give it permission to read. This fixes a
|
||||
backtrace warning that can happen on relays under various
|
||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||
|
||||
o Minor bugfixes (onion services):
|
||||
- The introduction circuit was being timed out too quickly while
|
||||
waiting for the rendezvous circuit to complete. Keep the intro
|
||||
circuit around longer instead of timing out and reopening new ones
|
||||
constantly. Fixes bug 23681; bugfix on 0.2.4.8-alpha.
|
||||
- Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
|
||||
so it matches dir-spec.txt. Fixes bug 24262; bugfix
|
||||
on 0.3.1.1-alpha.
|
||||
- Silence a warning about failed v3 onion descriptor uploads that
|
||||
can happen naturally under certain edge cases. Fixes part of bug
|
||||
23662; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (tests):
|
||||
- Fix a memory leak in one of the bridge-distribution test cases.
|
||||
Fixes bug 24345; bugfix on 0.3.2.3-alpha.
|
||||
- Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(),
|
||||
to correctly handle cases where a caller gives it an RSA key of
|
||||
under 160 bits. (This is not actually a bug in Tor itself, but
|
||||
rather in our fuzzing code.) Fixes bug 24247; bugfix on
|
||||
0.3.0.3-alpha. Found by OSS-Fuzz as issue 4177.
|
||||
|
||||
o Documentation:
|
||||
- Add notes in man page regarding OS support for the various
|
||||
scheduler types. Attempt to use less jargon in the scheduler
|
||||
section. Closes ticket 24254.
|
||||
|
||||
|
||||
Changes in version 0.3.2.4-alpha - 2017-11-08
|
||||
Tor 0.3.2.4-alpha is the fourth alpha release in the 0.3.2.x series.
|
||||
It fixes several stability and reliability bugs, especially including
|
||||
a major reliability issue that has been plaguing fast exit relays in
|
||||
recent months.
|
||||
|
||||
o Major bugfixes (exit relays, DNS):
|
||||
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
|
||||
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
|
||||
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
|
||||
identifying and finding a workaround to this bug and to Moritz,
|
||||
Arthur Edelstein, and Roger for helping to track it down and
|
||||
analyze it.
|
||||
|
||||
o Major bugfixes (scheduler, channel):
|
||||
- Stop processing scheduled channels if they closed while flushing
|
||||
cells. This can happen if the write on the connection fails
|
||||
leading to the channel being closed while in the scheduler loop.
|
||||
Fixes bug 23751; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor features (logging, scheduler):
|
||||
- Introduce a SCHED_BUG() function to log extra information about
|
||||
the scheduler state if we ever catch a bug in the scheduler.
|
||||
Closes ticket 23753.
|
||||
|
||||
o Minor features (removed deprecations):
|
||||
- The ClientDNSRejectInternalAddresses flag can once again be set in
|
||||
non-testing Tor networks, so long as they do not use the default
|
||||
directory authorities. This change also removes the deprecation of
|
||||
this flag from 0.2.9.2-alpha. Closes ticket 21031.
|
||||
|
||||
o Minor features (testing):
|
||||
- Our fuzzing tests now test the encrypted portions of v3 onion
|
||||
service descriptors. Implements more of 21509.
|
||||
|
||||
o Minor bugfixes (directory client):
|
||||
- On failure to download directory information, delay retry attempts
|
||||
by a random amount based on the "decorrelated jitter" algorithm.
|
||||
Our previous delay algorithm tended to produce extra-long delays
|
||||
too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (IPv6, v3 single onion services):
|
||||
- Remove buggy code for IPv6-only v3 single onion services, and
|
||||
reject attempts to configure them. This release supports IPv4,
|
||||
dual-stack, and IPv6-only v3 onion services; and IPv4 and dual-
|
||||
stack v3 single onion services. Fixes bug 23820; bugfix
|
||||
on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (logging, relay):
|
||||
- Give only a protocol warning when the ed25519 key is not
|
||||
consistent between the descriptor and microdescriptor of a relay.
|
||||
This can happen, for instance, if the relay has been flagged
|
||||
NoEdConsensus. Fixes bug 24025; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (manpage, onion service):
|
||||
- Document that the HiddenServiceNumIntroductionPoints option is
|
||||
0-10 for v2 services and 0-20 for v3 services. Fixes bug 24115;
|
||||
bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (memory leaks):
|
||||
- Fix a minor memory leak at exit in the KIST scheduler. This bug
|
||||
should have no user-visible impact. Fixes bug 23774; bugfix
|
||||
on 0.3.2.1-alpha.
|
||||
- Fix a memory leak when decrypting a badly formatted v3 onion
|
||||
service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
|
||||
Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.
|
||||
|
||||
o Minor bugfixes (onion services):
|
||||
- Cache some needed onion service client information instead of
|
||||
constantly computing it over and over again. Fixes bug 23623;
|
||||
bugfix on 0.3.2.1-alpha.
|
||||
- Properly retry HSv3 descriptor fetches when missing required
|
||||
directory information. Fixes bug 23762; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (path selection):
|
||||
- When selecting relays by bandwidth, avoid a rounding error that
|
||||
could sometimes cause load to be imbalanced incorrectly.
|
||||
Previously, we would always round upwards; now, we round towards
|
||||
the nearest integer. This had the biggest effect when a relay's
|
||||
weight adjustments should have given it weight 0, but it got
|
||||
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||
- When calculating the fraction of nodes that have descriptors, and
|
||||
all nodes in the network have zero bandwidths, count the number of
|
||||
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||
|
||||
o Minor bugfixes (relay, crash):
|
||||
- Avoid a crash when transitioning from client mode to bridge mode.
|
||||
Previously, we would launch the worker threads whenever our
|
||||
"public server" mode changed, but not when our "server" mode
|
||||
changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
||||
|
||||
o Minor bugfixes (testing):
|
||||
- Fix a spurious fuzzing-only use of an uninitialized value. Found
|
||||
by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
|
||||
- Test that IPv6-only clients can use microdescriptors when running
|
||||
"make test-network-all". Requires chutney master 61c28b9 or later.
|
||||
Closes ticket 24109.
|
||||
|
||||
|
||||
Changes in version 0.3.2.3-alpha - 2017-10-27
|
||||
Tor 0.3.2.3-alpha is the third release in the 0.3.2 series. It fixes
|
||||
numerous small bugs in earlier versions of 0.3.2.x, and adds a new
|
||||
directory authority, Bastet.
|
||||
|
||||
o Directory authority changes:
|
||||
- Add "Bastet" as a ninth directory authority to the default list.
|
||||
Closes ticket 23910.
|
||||
- The directory authority "Longclaw" has changed its IP address.
|
||||
Closes ticket 23592.
|
||||
|
||||
o Minor features (bridge):
|
||||
- Bridge relays can now set the BridgeDistribution config option to
|
||||
add a "bridge-distribution-request" line to their bridge
|
||||
descriptor, which tells BridgeDB how they'd like their bridge
|
||||
address to be given out. (Note that as of Oct 2017, BridgeDB does
|
||||
not yet implement this feature.) As a side benefit, this feature
|
||||
provides a way to distinguish bridge descriptors from non-bridge
|
||||
descriptors. Implements tickets 18329.
|
||||
|
||||
o Minor features (client, entry guards):
|
||||
- Improve log messages when missing descriptors for primary guards.
|
||||
Resolves ticket 23670.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor bugfixes (bridge):
|
||||
- Overwrite the bridge address earlier in the process of retrieving
|
||||
its descriptor, to make sure we reach it on the configured
|
||||
address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
|
||||
|
||||
o Minor bugfixes (documentation):
|
||||
- Document better how to read gcov, and what our gcov postprocessing
|
||||
scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (entry guards):
|
||||
- Tor now updates its guard state when it reads a consensus
|
||||
regardless of whether it's missing descriptors. That makes tor use
|
||||
its primary guards to fetch descriptors in some edge cases where
|
||||
it would previously have used fallback directories. Fixes bug
|
||||
23862; bugfix on 0.3.0.1-alpha.
|
||||
|
||||
o Minor bugfixes (hidden service client):
|
||||
- When handling multiple SOCKS request for the same .onion address,
|
||||
only fetch the service descriptor once.
|
||||
- When a descriptor fetch fails with a non-recoverable error, close
|
||||
all pending SOCKS requests for that .onion. Fixes bug 23653;
|
||||
bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (hidden service):
|
||||
- Always regenerate missing hidden service public key files. Prior
|
||||
to this, if the public key was deleted from disk, it wouldn't get
|
||||
recreated. Fixes bug 23748; bugfix on 0.3.2.2-alpha. Patch
|
||||
from "cathugger".
|
||||
- Make sure that we have a usable ed25519 key when the intro point
|
||||
relay supports ed25519 link authentication. Fixes bug 24002;
|
||||
bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (hidden service, v2):
|
||||
- When reloading configured hidden services, copy all information
|
||||
from the old service object. Previously, some data was omitted,
|
||||
causing delays in descriptor upload, and other bugs. Fixes bug
|
||||
23790; bugfix on 0.2.1.9-alpha.
|
||||
|
||||
o Minor bugfixes (memory safety, defensive programming):
|
||||
- Clear the target address when node_get_prim_orport() returns
|
||||
early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- Avoid a BUG warning when receiving a dubious CREATE cell while an
|
||||
option transition is in progress. Fixes bug 23952; bugfix
|
||||
on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (testing):
|
||||
- Adjust the GitLab CI configuration to more closely match that of
|
||||
Travis CI. Fixes bug 23757; bugfix on 0.3.2.2-alpha.
|
||||
- Prevent scripts/test/coverage from attempting to move gcov output
|
||||
to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
|
||||
- When running unit tests as root, skip a test that would fail
|
||||
because it expects a permissions error. This affects some
|
||||
continuous integration setups. Fixes bug 23758; bugfix
|
||||
on 0.3.2.2-alpha.
|
||||
- Stop unconditionally mirroring the tor repository in GitLab CI.
|
||||
This prevented developers from enabling GitLab CI on master. Fixes
|
||||
bug 23755; bugfix on 0.3.2.2-alpha.
|
||||
- Fix the hidden service v3 descriptor decoding fuzzing to use the
|
||||
latest decoding API correctly. Fixes bug 21509; bugfix
|
||||
on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (warnings):
|
||||
- When we get an HTTP request on a SOCKS port, tell the user about
|
||||
the new HTTPTunnelPort option. Previously, we would give a "Tor is
|
||||
not an HTTP Proxy" message, which stopped being true when
|
||||
HTTPTunnelPort was introduced. Fixes bug 23678; bugfix
|
||||
on 0.3.2.1-alpha.
|
||||
|
||||
|
||||
Changes in version 0.3.2.2-alpha - 2017-09-29
|
||||
Tor 0.3.2.2-alpha is the second release in the 0.3.2 series. This
|
||||
release fixes several minor bugs in the new scheduler and next-
|
||||
|
|
909
ReleaseNotes
909
ReleaseNotes
|
@ -2,6 +2,915 @@ This document summarizes new features and bugfixes in each stable release
|
|||
of Tor. If you want to see more detailed descriptions of the changes in
|
||||
each development snapshot, see the ChangeLog file.
|
||||
|
||||
Changes in version 0.3.2.10 - 2018-03-03
|
||||
Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It
|
||||
backports a number of bugfixes, including important fixes for security
|
||||
issues.
|
||||
|
||||
It includes an important security fix for a remote crash attack
|
||||
against directory authorities, tracked as TROVE-2018-001.
|
||||
|
||||
Additionally, it backports a fix for a bug whose severity we have
|
||||
upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely
|
||||
triggered in order to crash relays with a use-after-free pattern. As
|
||||
such, we are now tracking that bug as TROVE-2018-002 and
|
||||
CVE-2018-0491, and backporting it to earlier releases. This bug
|
||||
affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version
|
||||
0.3.3.1-alpha.
|
||||
|
||||
This release also backports our new system for improved resistance to
|
||||
denial-of-service attacks against relays.
|
||||
|
||||
This release also fixes several minor bugs and annoyances from
|
||||
earlier releases.
|
||||
|
||||
Relays running 0.3.2.x SHOULD upgrade to one of the versions released
|
||||
today, for the fix to TROVE-2018-002. Directory authorities should
|
||||
also upgrade. (Relays on earlier versions might want to update too for
|
||||
the DoS mitigations.)
|
||||
|
||||
o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
|
||||
- Fix a protocol-list handling bug that could be used to remotely crash
|
||||
directory authorities with a null-pointer exception. Fixes bug 25074;
|
||||
bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
|
||||
CVE-2018-0490.
|
||||
|
||||
o Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha):
|
||||
- Avoid adding the same channel twice in the KIST scheduler pending
|
||||
list, which could lead to remote denial-of-service use-after-free
|
||||
attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
|
||||
- Give relays some defenses against the recent network overload. We
|
||||
start with three defenses (default parameters in parentheses).
|
||||
First: if a single client address makes too many concurrent
|
||||
connections (>100), hang up on further connections. Second: if a
|
||||
single client address makes circuits too quickly (more than 3 per
|
||||
second, with an allowed burst of 90) while also having too many
|
||||
connections open (3), refuse new create cells for the next while
|
||||
(1-2 hours). Third: if a client asks to establish a rendezvous
|
||||
point to you directly, ignore the request. These defenses can be
|
||||
manually controlled by new torrc options, but relays will also
|
||||
take guidance from consensus parameters, so there's no need to
|
||||
configure anything manually. Implements ticket 24902.
|
||||
|
||||
o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the
|
||||
onion service side. While we thought we would stop the rendezvous
|
||||
attempt after one failed circuit, we were actually making three
|
||||
circuit attempts before giving up. Now switch to a default of 2,
|
||||
and allow the consensus parameter "hs_service_max_rdv_failures" to
|
||||
override. Fixes bug 24895; bugfix on 0.0.6.
|
||||
- New-style (v3) onion services now obey the "max rendezvous circuit
|
||||
attempts" logic. Previously they would make as many rendezvous
|
||||
circuit attempts as they could fit in the MAX_REND_TIMEOUT second
|
||||
window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
|
||||
- Add Link protocol version 5 to the supported protocols list. Fixes
|
||||
bug 25070; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (relay, backport from 0.3.3.1-alpha):
|
||||
- Fix a set of false positives where relays would consider
|
||||
connections to other relays as being client-only connections (and
|
||||
thus e.g. deserving different link padding schemes) if those
|
||||
relays fell out of the consensus briefly. Now we look only at the
|
||||
initial handshake and whether the connection authenticated as a
|
||||
relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Major bugfixes (scheduler, consensus, backport from 0.3.3.2-alpha):
|
||||
- The scheduler subsystem was failing to promptly notice changes in
|
||||
consensus parameters, making it harder to switch schedulers
|
||||
network-wide. Fixes bug 24975; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
|
||||
- Make our OOM handler aware of the geoip client history cache so it
|
||||
doesn't fill up the memory. This check is important for IPv6 and
|
||||
our DoS mitigation subsystem. Closes ticket 25122.
|
||||
|
||||
o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL 1.1.1,
|
||||
since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor features (logging, diagnostic, backport from 0.3.3.2-alpha):
|
||||
- When logging a failure to create an onion service's descriptor,
|
||||
also log what the problem with the descriptor was. Diagnostic
|
||||
for ticket 24972.
|
||||
|
||||
o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
|
||||
- Use the actual observed address of an incoming relay connection,
|
||||
not the canonical address of the relay from its descriptor, when
|
||||
making decisions about how to handle the incoming connection.
|
||||
Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
|
||||
|
||||
o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
|
||||
- Fix a possible crash on malformed consensus. If a consensus had
|
||||
contained an unparseable protocol line, it could have made clients
|
||||
and relays crash with a null-pointer exception. To exploit this
|
||||
issue, however, an attacker would need to be able to subvert the
|
||||
directory authority system. Fixes bug 25251; bugfix on
|
||||
0.2.9.4-alpha. Also tracked as TROVE-2018-004.
|
||||
|
||||
o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
|
||||
- Directory authorities, when refusing a descriptor from a rejected
|
||||
relay, now explicitly tell the relay (in its logs) to set a valid
|
||||
ContactInfo address and contact the bad-relays@ mailing list.
|
||||
Fixes bug 25170; bugfix on 0.2.9.1.
|
||||
|
||||
o Minor bugfixes (build, rust, backport from 0.3.3.1-alpha):
|
||||
- When building with Rust on OSX, link against libresolv, to work
|
||||
around the issue at https://github.com/rust-lang/rust/issues/46797.
|
||||
Fixes bug 24652; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (onion services, backport from 0.3.3.2-alpha):
|
||||
- Remove a BUG() statement when a client fetches an onion descriptor
|
||||
that has a lower revision counter than the one in its cache. This
|
||||
can happen in normal circumstances due to HSDir desync. Fixes bug
|
||||
24976; bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
|
||||
- Don't treat inability to store a cached consensus object as a bug:
|
||||
it can happen normally when we are out of disk space. Fixes bug
|
||||
24859; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
|
||||
- Improve the performance of our consensus-diff application code
|
||||
when Tor is built with the --enable-fragile-hardening option set.
|
||||
Fixes bug 24826; bugfix on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
||||
|
||||
o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
||||
|
||||
o Minor bugfixes (testing, backport from 0.3.3.1-alpha):
|
||||
- Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
|
||||
25005; bugfix on 0.3.2.7-rc.
|
||||
|
||||
o Minor bugfixes (v3 onion services, backport from 0.3.3.2-alpha):
|
||||
- Look at the "HSRend" protocol version, not the "HSDir" protocol
|
||||
version, when deciding whether a consensus entry can support the
|
||||
v3 onion service protocol as a rendezvous point. Fixes bug 25105;
|
||||
bugfix on 0.3.2.1-alpha.
|
||||
|
||||
o Code simplification and refactoring (backport from 0.3.3.3-alpha):
|
||||
- Update the "rust dependencies" submodule to be a project-level
|
||||
repository, rather than a user repository. Closes ticket 25323.
|
||||
|
||||
o Documentation (backport from 0.3.3.1-alpha)
|
||||
- Document that operators who run more than one relay or bridge are
|
||||
expected to set MyFamily and ContactInfo correctly. Closes
|
||||
ticket 24526.
|
||||
|
||||
|
||||
Changes in version 0.3.2.9 - 2018-01-09
|
||||
Tor 0.3.2.9 is the first stable release in the 0.3.2 series.
|
||||
|
||||
The 0.3.2 series includes our long-anticipated new onion service
|
||||
design, with numerous security features. (For more information, see
|
||||
our blog post at https://blog.torproject.org/fall-harvest.) We also
|
||||
have a new circuit scheduler algorithm for improved performance on
|
||||
relays everywhere (see https://blog.torproject.org/kist-and-tell),
|
||||
along with many smaller features and bugfixes.
|
||||
|
||||
Per our stable release policy, we plan to support each stable release
|
||||
series for at least the next nine months, or for three months after
|
||||
the first stable release of the next series: whichever is longer. If
|
||||
you need a release with long-term support, we recommend that you stay
|
||||
with the 0.2.9 series.
|
||||
|
||||
Below is a list of the changes since 0.3.1.7. For a list of all
|
||||
changes since 0.3.2.8-rc, see the ChangeLog file.
|
||||
|
||||
o Directory authority changes:
|
||||
- Add "Bastet" as a ninth directory authority to the default list.
|
||||
Closes ticket 23910.
|
||||
- The directory authority "Longclaw" has changed its IP address.
|
||||
Closes ticket 23592.
|
||||
- Remove longclaw's IPv6 address, as it will soon change. Authority
|
||||
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
|
||||
3/8 directory authorities with IPv6 addresses, but there are also
|
||||
52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
|
||||
- Add an IPv6 address for the "bastet" directory authority. Closes
|
||||
ticket 24394.
|
||||
|
||||
o Major features (next-generation onion services):
|
||||
- Tor now supports the next-generation onion services protocol for
|
||||
clients and services! As part of this release, the core of
|
||||
proposal 224 has been implemented and is available for
|
||||
experimentation and testing by our users. This newer version of
|
||||
onion services ("v3") features many improvements over the legacy
|
||||
system, including:
|
||||
|
||||
a) Better crypto (replaced SHA1/DH/RSA1024
|
||||
with SHA3/ed25519/curve25519)
|
||||
|
||||
b) Improved directory protocol, leaking much less information to
|
||||
directory servers.
|
||||
|
||||
c) Improved directory protocol, with smaller surface for
|
||||
targeted attacks.
|
||||
|
||||
d) Better onion address security against impersonation.
|
||||
|
||||
e) More extensible introduction/rendezvous protocol.
|
||||
|
||||
f) A cleaner and more modular codebase.
|
||||
|
||||
You can identify a next-generation onion address by its length:
|
||||
they are 56 characters long, as in
|
||||
"4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion".
|
||||
|
||||
In the future, we will release more options and features for v3
|
||||
onion services, but we first need a testing period, so that the
|
||||
current codebase matures and becomes more robust. Planned features
|
||||
include: offline keys, advanced client authorization, improved
|
||||
guard algorithms, and statistics. For full details, see
|
||||
proposal 224.
|
||||
|
||||
Legacy ("v2") onion services will still work for the foreseeable
|
||||
future, and will remain the default until this new codebase gets
|
||||
tested and hardened. Service operators who want to experiment with
|
||||
the new system can use the 'HiddenServiceVersion 3' torrc
|
||||
directive along with the regular onion service configuration
|
||||
options. For more information, see our blog post at
|
||||
"https://blog.torproject.org/fall-harvest". Enjoy!
|
||||
|
||||
o Major feature (scheduler, channel):
|
||||
- Tor now uses new schedulers to decide which circuits should
|
||||
deliver cells first, in order to improve congestion at relays. The
|
||||
first type is called "KIST" ("Kernel Informed Socket Transport"),
|
||||
and is only available on Linux-like systems: it uses feedback from
|
||||
the kernel to prevent the kernel's TCP buffers from growing too
|
||||
full. The second new scheduler type is called "KISTLite": it
|
||||
behaves the same as KIST, but runs on systems without kernel
|
||||
support for inspecting TCP implementation details. The old
|
||||
scheduler is still available, under the name "Vanilla". To change
|
||||
the default scheduler preference order, use the new "Schedulers"
|
||||
option. (The default preference order is "KIST,KISTLite,Vanilla".)
|
||||
|
||||
Matt Traudt implemented KIST, based on research by Rob Jansen,
|
||||
John Geddes, Christ Wacek, Micah Sherr, and Paul Syverson. For
|
||||
more information, see the design paper at
|
||||
http://www.robgjansen.com/publications/kist-sec2014.pdf and the
|
||||
followup implementation paper at https://arxiv.org/abs/1709.01044.
|
||||
Closes ticket 12541. For more information, see our blog post at
|
||||
"https://blog.torproject.org/kist-and-tell".
|
||||
|
||||
o Major bugfixes (security, general):
|
||||
- Fix a denial of service bug where an attacker could use a
|
||||
malformed directory object to cause a Tor instance to pause while
|
||||
OpenSSL would try to read a passphrase from the terminal. (Tor
|
||||
instances run without a terminal, which is the case for most Tor
|
||||
packages, are not impacted.) Fixes bug 24246; bugfix on every
|
||||
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
|
||||
Found by OSS-Fuzz as testcase 6360145429790720.
|
||||
|
||||
o Major bugfixes (security, directory authority):
|
||||
- Fix a denial of service issue where an attacker could crash a
|
||||
directory authority using a malformed router descriptor. Fixes bug
|
||||
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
|
||||
and CVE-2017-8820.
|
||||
|
||||
o Major bugfixes (security, onion service v2):
|
||||
- Fix a use-after-free error that could crash v2 Tor onion services
|
||||
when they failed to open circuits while expiring introduction
|
||||
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
|
||||
also tracked as TROVE-2017-013 and CVE-2017-8823.
|
||||
- When checking for replays in the INTRODUCE1 cell data for a
|
||||
(legacy) onion service, correctly detect replays in the RSA-
|
||||
encrypted part of the cell. We were previously checking for
|
||||
replays on the entire cell, but those can be circumvented due to
|
||||
the malleability of Tor's legacy hybrid encryption. This fix helps
|
||||
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
|
||||
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
|
||||
and CVE-2017-8819.
|
||||
|
||||
o Major bugfixes (security, relay):
|
||||
- When running as a relay, make sure that we never build a path
|
||||
through ourselves, even in the case where we have somehow lost the
|
||||
version of our descriptor appearing in the consensus. Fixes part
|
||||
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
|
||||
as TROVE-2017-012 and CVE-2017-8822.
|
||||
- When running as a relay, make sure that we never choose ourselves
|
||||
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
|
||||
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
|
||||
|
||||
o Major bugfixes (bootstrapping):
|
||||
- Fetch descriptors aggressively whenever we lack enough to build
|
||||
circuits, regardless of how many descriptors we are missing.
|
||||
Previously, we would delay launching the fetch when we had fewer
|
||||
than 15 missing descriptors, even if some of those descriptors
|
||||
were blocking circuits from building. Fixes bug 23985; bugfix on
|
||||
0.1.1.11-alpha. The effects of this bug became worse in
|
||||
0.3.0.3-alpha, when we began treating missing descriptors from our
|
||||
primary guards as a reason to delay circuits.
|
||||
- Don't try fetching microdescriptors from relays that have failed
|
||||
to deliver them in the past. Fixes bug 23817; bugfix
|
||||
on 0.3.0.1-alpha.
|
||||
|
||||
o Major bugfixes (circuit prediction):
|
||||
- Fix circuit prediction logic so that a client doesn't treat a port
|
||||
as being "handled" by a circuit if that circuit already has
|
||||
isolation settings on it. This change should make Tor clients more
|
||||
responsive by improving their chances of having a pre-created
|
||||
circuit ready for use when a request arrives. Fixes bug 18859;
|
||||
bugfix on 0.2.3.3-alpha.
|
||||
|
||||
o Major bugfixes (exit relays, DNS):
|
||||
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
|
||||
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
|
||||
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
|
||||
identifying and finding a workaround to this bug and to Moritz,
|
||||
Arthur Edelstein, and Roger for helping to track it down and
|
||||
analyze it.
|
||||
|
||||
o Major bugfixes (relay, crash, assertion failure):
|
||||
- Fix a timing-based assertion failure that could occur when the
|
||||
circuit out-of-memory handler freed a connection's output buffer.
|
||||
Fixes bug 23690; bugfix on 0.2.6.1-alpha.
|
||||
|
||||
o Major bugfixes (usability, control port):
|
||||
- Report trusted clock skew indications as bootstrap errors, so
|
||||
controllers can more easily alert users when their clocks are
|
||||
wrong. Fixes bug 23506; bugfix on 0.1.2.6-alpha.
|
||||
|
||||
o Minor features (bridge):
|
||||
- Bridge relays can now set the BridgeDistribution config option to
|
||||
add a "bridge-distribution-request" line to their bridge
|
||||
descriptor, which tells BridgeDB how they'd like their bridge
|
||||
address to be given out. (Note that as of Oct 2017, BridgeDB does
|
||||
not yet implement this feature.) As a side benefit, this feature
|
||||
provides a way to distinguish bridge descriptors from non-bridge
|
||||
descriptors. Implements tickets 18329.
|
||||
- When handling the USERADDR command on an ExtOrPort, warn when the
|
||||
transports provides a USERADDR with no port. In a future version,
|
||||
USERADDR commands of this format may be rejected. Detects problems
|
||||
related to ticket 23080.
|
||||
|
||||
o Minor features (bug detection):
|
||||
- Log a warning message with a stack trace for any attempt to call
|
||||
get_options() during option validation. This pattern has caused
|
||||
subtle bugs in the past. Closes ticket 22281.
|
||||
|
||||
o Minor features (build, compilation):
|
||||
- The "check-changes" feature is now part of the "make check" tests;
|
||||
we'll use it to try to prevent misformed changes files from
|
||||
accumulating. Closes ticket 23564.
|
||||
- Tor builds should now fail if there are any mismatches between the
|
||||
C type representing a configuration variable and the C type the
|
||||
data-driven parser uses to store a value there. Previously, we
|
||||
needed to check these by hand, which sometimes led to mistakes.
|
||||
Closes ticket 23643.
|
||||
|
||||
o Minor features (client):
|
||||
- You can now use Tor as a tunneled HTTP proxy: use the new
|
||||
HTTPTunnelPort option to open a port that accepts HTTP CONNECT
|
||||
requests. Closes ticket 22407.
|
||||
- Add an extra check to make sure that we always use the newer guard
|
||||
selection code for picking our guards. Closes ticket 22779.
|
||||
- When downloading (micro)descriptors, don't split the list into
|
||||
multiple requests unless we want at least 32 descriptors.
|
||||
Previously, we split at 4, not 32, which led to significant
|
||||
overhead in HTTP request size and degradation in compression
|
||||
performance. Closes ticket 23220.
|
||||
- Improve log messages when missing descriptors for primary guards.
|
||||
Resolves ticket 23670.
|
||||
|
||||
o Minor features (command line):
|
||||
- Add a new commandline option, --key-expiration, which prints when
|
||||
the current signing key is going to expire. Implements ticket
|
||||
17639; patch by Isis Lovecruft.
|
||||
|
||||
o Minor features (control port):
|
||||
- If an application tries to use the control port as an HTTP proxy,
|
||||
respond with a meaningful "This is the Tor control port" message,
|
||||
and log the event. Closes ticket 1667. Patch from Ravi
|
||||
Chandra Padmala.
|
||||
- Provide better error message for GETINFO desc/(id|name) when not
|
||||
fetching router descriptors. Closes ticket 5847. Patch by
|
||||
Kevin Butler.
|
||||
- Add GETINFO "{desc,md}/download-enabled", to inform the controller
|
||||
whether Tor will try to download router descriptors and
|
||||
microdescriptors respectively. Closes ticket 22684.
|
||||
- Added new GETINFO targets "ip-to-country/{ipv4,ipv6}-available",
|
||||
so controllers can tell whether the geoip databases are loaded.
|
||||
Closes ticket 23237.
|
||||
- Adds a timestamp field to the CIRC_BW and STREAM_BW bandwidth
|
||||
events. Closes ticket 19254. Patch by "DonnchaC".
|
||||
|
||||
o Minor features (development support):
|
||||
- Developers can now generate a call-graph for Tor using the
|
||||
"calltool" python program, which post-processes object dumps. It
|
||||
should work okay on many Linux and OSX platforms, and might work
|
||||
elsewhere too. To run it, install calltool from
|
||||
https://gitweb.torproject.org/user/nickm/calltool.git and run
|
||||
"make callgraph". Closes ticket 19307.
|
||||
|
||||
o Minor features (directory authority):
|
||||
- Make the "Exit" flag assignment only depend on whether the exit
|
||||
policy allows connections to ports 80 and 443. Previously relays
|
||||
would get the Exit flag if they allowed connections to one of
|
||||
these ports and also port 6667. Resolves ticket 23637.
|
||||
|
||||
o Minor features (ed25519):
|
||||
- Add validation function to checks for torsion components in
|
||||
ed25519 public keys, used by prop224 client-side code. Closes
|
||||
ticket 22006. Math help by Ian Goldberg.
|
||||
|
||||
o Minor features (exit relay, DNS):
|
||||
- Improve the clarity and safety of the log message from evdns when
|
||||
receiving an apparently spoofed DNS reply. Closes ticket 3056.
|
||||
|
||||
o Minor features (fallback directory mirrors):
|
||||
- The fallback directory list has been re-generated based on the
|
||||
current status of the network. Tor uses fallback directories to
|
||||
bootstrap when it doesn't yet have up-to-date directory
|
||||
information. Closes ticket 24801.
|
||||
- Make the default DirAuthorityFallbackRate 0.1, so that clients
|
||||
prefer to bootstrap from fallback directory mirrors. This is a
|
||||
follow-up to 24679, which removed weights from the default
|
||||
fallbacks. Implements ticket 24681.
|
||||
|
||||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
||||
o Minor features (integration, hardening):
|
||||
- Add a new NoExec option to prevent Tor from running other
|
||||
programs. When this option is set to 1, Tor will never try to run
|
||||
another program, regardless of the settings of
|
||||
PortForwardingHelper, ClientTransportPlugin, or
|
||||
ServerTransportPlugin. Once NoExec is set, it cannot be disabled
|
||||
without restarting Tor. Closes ticket 22976.
|
||||
|
||||
o Minor features (linux seccomp2 sandbox):
|
||||
- Update the sandbox rules so that they should now work correctly
|
||||
with Glibc 2.26. Closes ticket 24315.
|
||||
|
||||
o Minor features (logging):
|
||||
- Provide better warnings when the getrandom() syscall fails. Closes
|
||||
ticket 24500.
|
||||
- Downgrade a pair of log messages that could occur when an exit's
|
||||
resolver gave us an unusual (but not forbidden) response. Closes
|
||||
ticket 24097.
|
||||
- Improve the message we log when re-enabling circuit build timeouts
|
||||
after having received a consensus. Closes ticket 20963.
|
||||
- Log more circuit information whenever we are about to try to
|
||||
package a relay cell on a circuit with a nonexistent n_chan.
|
||||
Attempt to diagnose ticket 8185.
|
||||
- Improve info-level log identification of particular circuits, to
|
||||
help with debugging. Closes ticket 23645.
|
||||
- Improve the warning message for specifying a relay by nickname.
|
||||
The previous message implied that nickname registration was still
|
||||
part of the Tor network design, which it isn't. Closes
|
||||
ticket 20488.
|
||||
- If the sandbox filter fails to load, suggest to the user that
|
||||
their kernel might not support seccomp2. Closes ticket 23090.
|
||||
|
||||
o Minor features (onion service, circuit, logging):
|
||||
- Improve logging of many callsite in the circuit subsystem to print
|
||||
the circuit identifier(s).
|
||||
- Log when we cleanup an intro point from a service so we know when
|
||||
and for what reason it happened. Closes ticket 23604.
|
||||
|
||||
o Minor features (portability):
|
||||
- Tor now compiles correctly on arm64 with libseccomp-dev installed.
|
||||
(It doesn't yet work with the sandbox enabled.) Closes
|
||||
ticket 24424.
|
||||
- Check at configure time whether uint8_t is the same type as
|
||||
unsigned char. Lots of existing code already makes this
|
||||
assumption, and there could be strict aliasing issues if the
|
||||
assumption is violated. Closes ticket 22410.
|
||||
|
||||
o Minor features (relay):
|
||||
- When choosing which circuits can be expired as unused, consider
|
||||
circuits from clients even if those clients used regular CREATE
|
||||
cells to make them; and do not consider circuits from relays even
|
||||
if they were made with CREATE_FAST. Part of ticket 22805.
|
||||
- Reject attempts to use relative file paths when RunAsDaemon is
|
||||
set. Previously, Tor would accept these, but the directory-
|
||||
changing step of RunAsDaemon would give strange and/or confusing
|
||||
results. Closes ticket 22731.
|
||||
|
||||
o Minor features (relay statistics):
|
||||
- Change relay bandwidth reporting stats interval from 4 hours to 24
|
||||
hours in order to reduce the efficiency of guard discovery
|
||||
attacks. Fixes ticket 23856.
|
||||
|
||||
o Minor features (reverted deprecations):
|
||||
- The ClientDNSRejectInternalAddresses flag can once again be set in
|
||||
non-testing Tor networks, so long as they do not use the default
|
||||
directory authorities. This change also removes the deprecation of
|
||||
this flag from 0.2.9.2-alpha. Closes ticket 21031.
|
||||
|
||||
o Minor features (robustness):
|
||||
- Change several fatal assertions when flushing buffers into non-
|
||||
fatal assertions, to prevent any recurrence of 23690.
|
||||
|
||||
o Minor features (startup, safety):
|
||||
- When configured to write a PID file, Tor now exits if it is unable
|
||||
to do so. Previously, it would warn and continue. Closes
|
||||
ticket 20119.
|
||||
|
||||
o Minor features (static analysis):
|
||||
- The BUG() macro has been changed slightly so that Coverity no
|
||||
longer complains about dead code if the bug is impossible. Closes
|
||||
ticket 23054.
|
||||
|
||||
o Minor features (testing):
|
||||
- Our fuzzing tests now test the encrypted portions of v3 onion
|
||||
service descriptors. Implements more of 21509.
|
||||
- Add a unit test to make sure that our own generated platform
|
||||
string will be accepted by directory authorities. Closes
|
||||
ticket 22109.
|
||||
- The default chutney network tests now include tests for the v3
|
||||
onion service design. Make sure you have the latest version of
|
||||
chutney if you want to run these. Closes ticket 22437.
|
||||
- Add a unit test to verify that we can parse a hardcoded v2 onion
|
||||
service descriptor. Closes ticket 15554.
|
||||
|
||||
o Minor bugfixes (address selection):
|
||||
- When the fascist_firewall_choose_address_ functions don't find a
|
||||
reachable address, set the returned address to the null address
|
||||
and port. This is a precautionary measure, because some callers do
|
||||
not check the return value. Fixes bug 24736; bugfix
|
||||
on 0.2.8.2-alpha.
|
||||
|
||||
o Minor bugfixes (bootstrapping):
|
||||
- When warning about state file clock skew, report the correct
|
||||
direction for the detected skew. Fixes bug 23606; bugfix
|
||||
on 0.2.8.1-alpha.
|
||||
|
||||
o Minor bugfixes (bridge clients, bootstrap):
|
||||
- Retry directory downloads when we get our first bridge descriptor
|
||||
during bootstrap or while reconnecting to the network. Keep
|
||||
retrying every time we get a bridge descriptor, until we have a
|
||||
reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
|
||||
- Stop delaying bridge descriptor fetches when we have cached bridge
|
||||
descriptors. Instead, only delay bridge descriptor fetches when we
|
||||
have at least one reachable bridge. Fixes part of bug 24367;
|
||||
bugfix on 0.2.0.3-alpha.
|
||||
- Stop delaying directory fetches when we have cached bridge
|
||||
descriptors. Instead, only delay bridge descriptor fetches when
|
||||
all our bridges are definitely unreachable. Fixes part of bug
|
||||
24367; bugfix on 0.2.0.3-alpha.
|
||||
|
||||
o Minor bugfixes (bridge):
|
||||
- Overwrite the bridge address earlier in the process of retrieving
|
||||
its descriptor, to make sure we reach it on the configured
|
||||
address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
|
||||
|
||||
o Minor bugfixes (build, compilation):
|
||||
- Fix a compilation warning when building with zstd support on
|
||||
32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha. Found
|
||||
and fixed by Andreas Stieger.
|
||||
- When searching for OpenSSL, don't accept any OpenSSL library that
|
||||
lacks TLSv1_1_method(): Tor doesn't build with those versions.
|
||||
Additionally, look in /usr/local/opt/openssl, if it's present.
|
||||
These changes together repair the default build on OSX systems
|
||||
with Homebrew installed. Fixes bug 23602; bugfix on 0.2.7.2-alpha.
|
||||
- Fix a signed/unsigned comparison warning introduced by our fix to
|
||||
TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
||||
- Fix a memory leak warning in one of the libevent-related
|
||||
configuration tests that could occur when manually specifying
|
||||
-fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha.
|
||||
Found and patched by Alex Xu.
|
||||
- Fix unused-variable warnings in donna's Curve25519 SSE2 code.
|
||||
Fixes bug 22895; bugfix on 0.2.7.2-alpha.
|
||||
|
||||
o Minor bugfixes (certificate handling):
|
||||
- Fix a time handling bug in Tor certificates set to expire after
|
||||
the year 2106. Fixes bug 23055; bugfix on 0.3.0.1-alpha. Found by
|
||||
Coverity as CID 1415728.
|
||||
|
||||
o Minor bugfixes (client):
|
||||
- By default, do not enable storage of client-side DNS values. These
|
||||
values were unused by default previously, but they should not have
|
||||
been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.
|
||||
|
||||
o Minor bugfixes (client, usability):
|
||||
- Refrain from needlessly rejecting SOCKS5-with-hostnames and
|
||||
SOCKS4a requests that contain IP address strings, even when
|
||||
SafeSocks in enabled, as this prevents user from connecting to
|
||||
known IP addresses without relying on DNS for resolving. SafeSocks
|
||||
still rejects SOCKS connections that connect to IP addresses when
|
||||
those addresses are _not_ encoded as hostnames. Fixes bug 22461;
|
||||
bugfix on Tor 0.2.6.2-alpha.
|
||||
|
||||
o Minor bugfixes (code correctness):
|
||||
- Call htons() in extend_cell_format() for encoding a 16-bit value.
|
||||
Previously we used ntohs(), which happens to behave the same on
|
||||
all the platforms we support, but which isn't really correct.
|
||||
Fixes bug 23106; bugfix on 0.2.4.8-alpha.
|
||||
- For defense-in-depth, make the controller's write_escaped_data()
|
||||
function robust to extremely long inputs. Fixes bug 19281; bugfix
|
||||
on 0.1.1.1-alpha. Reported by Guido Vranken.
|
||||
- Fix several places in our codebase where a C compiler would be
|
||||
likely to eliminate a check, based on assuming that undefined
|
||||
behavior had not happened elsewhere in the code. These cases are
|
||||
usually a sign of redundant checking or dubious arithmetic. Found
|
||||
by Georg Koppen using the "STACK" tool from Wang, Zeldovich,
|
||||
Kaashoek, and Solar-Lezama. Fixes bug 24423; bugfix on various
|
||||
Tor versions.
|
||||
|
||||
o Minor bugfixes (compression):
|
||||
- Handle a pathological case when decompressing Zstandard data when
|
||||
the output buffer size is zero. Fixes bug 23551; bugfix
|
||||
on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (consensus expiry):
|
||||
- Check for adequate directory information correctly. Previously, Tor
|
||||
would reconsider whether it had sufficient directory information
|
||||
every 2 minutes. Fixes bug 23091; bugfix on 0.2.0.19-alpha.
|
||||
|
||||
o Minor bugfixes (control port, linux seccomp2 sandbox):
|
||||
- Avoid a crash when attempting to use the seccomp2 sandbox together
|
||||
with the OwningControllerProcess feature. Fixes bug 24198; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (control port, onion services):
|
||||
- Report "FAILED" instead of "UPLOAD_FAILED" "FAILED" for the
|
||||
HS_DESC event when a service is not able to upload a descriptor.
|
||||
Fixes bug 24230; bugfix on 0.2.7.1-alpha.
|
||||
|
||||
o Minor bugfixes (directory cache):
|
||||
- Recover better from empty or corrupt files in the consensus cache
|
||||
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
|
||||
- When a consensus diff calculation is only partially successful,
|
||||
only record the successful parts as having succeeded. Partial
|
||||
success can happen if (for example) one compression method fails
|
||||
but the others succeed. Previously we misrecorded all the
|
||||
calculations as having succeeded, which would later cause a
|
||||
nonfatal assertion failure. Fixes bug 24086; bugfix
|
||||
on 0.3.1.1-alpha.
|
||||
|
||||
o Minor bugfixes (directory client):
|
||||
- On failure to download directory information, delay retry attempts
|
||||
by a random amount based on the "decorrelated jitter" algorithm.
|
||||
Our previous delay algorithm tended to produce extra-long delays
|
||||
too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (directory protocol):
|
||||
- Directory servers now include a "Date:" http header for response
|
||||
codes other than 200. Clients starting with a skewed clock and a
|
||||
recent consensus were getting "304 Not modified" responses from
|
||||
directory authorities, so without the Date header, the client
|
||||
would never hear about a wrong clock. Fixes bug 23499; bugfix
|
||||
on 0.0.8rc1.
|
||||
- Make clients wait for 6 seconds before trying to download a
|
||||
consensus from an authority. Fixes bug 17750; bugfix
|
||||
on 0.2.8.1-alpha.
|
||||
|
||||
o Minor bugfixes (documentation):
|
||||
- Document better how to read gcov, and what our gcov postprocessing
|
||||
scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.
|
||||
- Fix manpage to not refer to the obsolete (and misspelled)
|
||||
UseEntryGuardsAsDirectoryGuards parameter in the description of
|
||||
NumDirectoryGuards. Fixes bug 23611; bugfix on 0.2.4.8-alpha.
|
||||
|
||||
o Minor bugfixes (DoS-resistance):
|
||||
- If future code asks if there are any running bridges, without
|
||||
checking if bridges are enabled, log a BUG warning rather than
|
||||
crashing. Fixes bug 23524; bugfix on 0.3.0.1-alpha.
|
||||
|
||||
o Minor bugfixes (entry guards):
|
||||
- Tor now updates its guard state when it reads a consensus
|
||||
regardless of whether it's missing descriptors. That makes tor use
|
||||
its primary guards to fetch descriptors in some edge cases where
|
||||
it would previously have used fallback directories. Fixes bug
|
||||
23862; bugfix on 0.3.0.1-alpha.
|
||||
|
||||
o Minor bugfixes (format strictness):
|
||||
- Restrict several data formats to decimal. Previously, the
|
||||
BuildTimeHistogram entries in the state file, the "bw=" entries in
|
||||
the bandwidth authority file, and the process IDs passed to the
|
||||
__OwningControllerProcess option could all be specified in hex or
|
||||
octal as well as in decimal. This was not an intentional feature.
|
||||
Fixes bug 22802; bugfixes on 0.2.2.1-alpha, 0.2.2.2-alpha,
|
||||
and 0.2.2.28-beta.
|
||||
|
||||
o Minor bugfixes (heartbeat):
|
||||
- If we fail to write a heartbeat message, schedule a retry for the
|
||||
minimum heartbeat interval number of seconds in the future. Fixes
|
||||
bug 19476; bugfix on 0.2.3.1-alpha.
|
||||
|
||||
o Minor bugfixes (logging):
|
||||
- Suppress a log notice when relay descriptors arrive. We already
|
||||
have a bootstrap progress for this so no need to log notice
|
||||
everytime tor receives relay descriptors. Microdescriptors behave
|
||||
the same. Fixes bug 23861; bugfix on 0.2.8.2-alpha.
|
||||
- Remove duplicate log messages regarding opening non-local
|
||||
SocksPorts upon parsing config and opening listeners at startup.
|
||||
Fixes bug 4019; bugfix on 0.2.3.3-alpha.
|
||||
- Use a more comprehensible log message when telling the user
|
||||
they've excluded every running exit node. Fixes bug 7890; bugfix
|
||||
on 0.2.2.25-alpha.
|
||||
- When logging the number of descriptors we intend to download per
|
||||
directory request, do not log a number higher than then the number
|
||||
of descriptors we're fetching in total. Fixes bug 19648; bugfix
|
||||
on 0.1.1.8-alpha.
|
||||
- When warning about a directory owned by the wrong user, log the
|
||||
actual name of the user owning the directory. Previously, we'd log
|
||||
the name of the process owner twice. Fixes bug 23487; bugfix
|
||||
on 0.2.9.1-alpha.
|
||||
- Fix some messages on unexpected errors from the seccomp2 library.
|
||||
Fixes bug 22750; bugfix on 0.2.5.1-alpha. Patch from "cypherpunks".
|
||||
- The tor specification says hop counts are 1-based, so fix two log
|
||||
messages that mistakenly logged 0-based hop counts. Fixes bug
|
||||
18982; bugfix on 0.2.6.2-alpha and 0.2.4.5-alpha. Patch by teor.
|
||||
Credit to Xiaofan Li for reporting this issue.
|
||||
|
||||
o Minor bugfixes (logging, relay shutdown, annoyance):
|
||||
- When a circuit is marked for close, do not attempt to package any
|
||||
cells for channels on that circuit. Previously, we would detect
|
||||
this condition lower in the call stack, when we noticed that the
|
||||
circuit had no attached channel, and log an annoying message.
|
||||
Fixes bug 8185; bugfix on 0.2.5.4-alpha.
|
||||
|
||||
o Minor bugfixes (memory safety, defensive programming):
|
||||
- Clear the target address when node_get_prim_orport() returns
|
||||
early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
||||
|
||||
o Minor bugfixes (memory usage):
|
||||
- When queuing DESTROY cells on a channel, only queue the circuit-id
|
||||
and reason fields: not the entire 514-byte cell. This fix should
|
||||
help mitigate any bugs or attacks that fill up these queues, and
|
||||
free more RAM for other uses. Fixes bug 24666; bugfix
|
||||
on 0.2.5.1-alpha.
|
||||
|
||||
o Minor bugfixes (network layer):
|
||||
- When closing a connection via close_connection_immediately(), we
|
||||
mark it as "not blocked on bandwidth", to prevent later calls from
|
||||
trying to unblock it, and give it permission to read. This fixes a
|
||||
backtrace warning that can happen on relays under various
|
||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||
|
||||
o Minor bugfixes (onion services):
|
||||
- The introduction circuit was being timed out too quickly while
|
||||
waiting for the rendezvous circuit to complete. Keep the intro
|
||||
circuit around longer instead of timing out and reopening new ones
|
||||
constantly. Fixes bug 23681; bugfix on 0.2.4.8-alpha.
|
||||
- Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
|
||||
so it matches dir-spec.txt. Fixes bug 24262; bugfix
|
||||
on 0.3.1.1-alpha.
|
||||
- When handling multiple SOCKS request for the same .onion address,
|
||||
only fetch the service descriptor once.
|
||||
- Avoid a possible double close of a circuit by the intro point on
|
||||
error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610;
|
||||
bugfix on 0.3.0.1-alpha.
|
||||
- When reloading configured onion services, copy all information
|
||||
from the old service object. Previously, some data was omitted,
|
||||
causing delays in descriptor upload, and other bugs. Fixes bug
|
||||
23790; bugfix on 0.2.1.9-alpha.
|
||||
|
||||
o Minor bugfixes (path selection):
|
||||
- When selecting relays by bandwidth, avoid a rounding error that
|
||||
could sometimes cause load to be imbalanced incorrectly.
|
||||
Previously, we would always round upwards; now, we round towards
|
||||
the nearest integer. This had the biggest effect when a relay's
|
||||
weight adjustments should have given it weight 0, but it got
|
||||
weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||
- When calculating the fraction of nodes that have descriptors, and
|
||||
all nodes in the network have zero bandwidths, count the number of
|
||||
nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
||||
|
||||
o Minor bugfixes (portability):
|
||||
- Stop using the PATH_MAX variable, which is not defined on GNU
|
||||
Hurd. Fixes bug 23098; bugfix on 0.3.1.1-alpha.
|
||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||
MSVC. (Note that MSVC is still not a supported build platform, due
|
||||
to cyptographic timing channel risks.) Fixes bug 24633; bugfix
|
||||
on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (relay):
|
||||
- When uploading our descriptor for the first time after startup,
|
||||
report the reason for uploading as "Tor just started" rather than
|
||||
leaving it blank. Fixes bug 22885; bugfix on 0.2.3.4-alpha.
|
||||
- Avoid unnecessary calls to directory_fetches_from_authorities() on
|
||||
relays, to prevent spurious address resolutions and descriptor
|
||||
rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
|
||||
bugfix on in 0.2.8.1-alpha.
|
||||
- Avoid a crash when transitioning from client mode to bridge mode.
|
||||
Previously, we would launch the worker threads whenever our
|
||||
"public server" mode changed, but not when our "server" mode
|
||||
changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
||||
|
||||
o Minor bugfixes (testing):
|
||||
- Fix a spurious fuzzing-only use of an uninitialized value. Found
|
||||
by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
|
||||
- Test that IPv6-only clients can use microdescriptors when running
|
||||
"make test-network-all". Requires chutney master 61c28b9 or later.
|
||||
Closes ticket 24109.
|
||||
- Prevent scripts/test/coverage from attempting to move gcov output
|
||||
to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
|
||||
- Capture and detect several "Result does not fit" warnings in unit
|
||||
tests on platforms with 32-bit time_t. Fixes bug 21800; bugfix
|
||||
on 0.2.9.3-alpha.
|
||||
- Fix additional channelpadding unit test failures by using mocked
|
||||
time instead of actual time for all tests. Fixes bug 23608; bugfix
|
||||
on 0.3.1.1-alpha.
|
||||
- Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(),
|
||||
to correctly handle cases where a caller gives it an RSA key of
|
||||
under 160 bits. (This is not actually a bug in Tor itself, but
|
||||
rather in our fuzzing code.) Fixes bug 24247; bugfix on
|
||||
0.3.0.3-alpha. Found by OSS-Fuzz as issue 4177.
|
||||
- Fix a broken unit test for the OutboundAddress option: the parsing
|
||||
function was never returning an error on failure. Fixes bug 23366;
|
||||
bugfix on 0.3.0.3-alpha.
|
||||
- Fix a signed-integer overflow in the unit tests for
|
||||
dir/download_status_random_backoff, which was untriggered until we
|
||||
fixed bug 17750. Fixes bug 22924; bugfix on 0.2.9.1-alpha.
|
||||
|
||||
o Minor bugfixes (usability, control port):
|
||||
- Stop making an unnecessary routerlist check in NETINFO clock skew
|
||||
detection; this was preventing clients from reporting NETINFO clock
|
||||
skew to controllers. Fixes bug 23532; bugfix on 0.2.4.4-alpha.
|
||||
|
||||
o Code simplification and refactoring:
|
||||
- Remove various ways of testing circuits and connections for
|
||||
"clientness"; instead, favor channel_is_client(). Part of
|
||||
ticket 22805.
|
||||
- Extract the code for handling newly-open channels into a separate
|
||||
function from the general code to handle channel state
|
||||
transitions. This change simplifies our callgraph, reducing the
|
||||
size of the largest strongly connected component by roughly a
|
||||
factor of two. Closes ticket 22608.
|
||||
- Remove dead code for largely unused statistics on the number of
|
||||
times we've attempted various public key operations. Fixes bug
|
||||
19871; bugfix on 0.1.2.4-alpha. Fix by Isis Lovecruft.
|
||||
- Remove several now-obsolete functions for asking about old
|
||||
variants directory authority status. Closes ticket 22311; patch
|
||||
from "huyvq".
|
||||
- Remove some of the code that once supported "Named" and "Unnamed"
|
||||
routers. Authorities no longer vote for these flags. Closes
|
||||
ticket 22215.
|
||||
- Rename the obsolete malleable hybrid_encrypt functions used in TAP
|
||||
and old hidden services, to indicate that they aren't suitable for
|
||||
new protocols or formats. Closes ticket 23026.
|
||||
- Replace our STRUCT_OFFSET() macro with offsetof(). Closes ticket
|
||||
22521. Patch from Neel Chauhan.
|
||||
- Split the enormous circuit_send_next_onion_skin() function into
|
||||
multiple subfunctions. Closes ticket 22804.
|
||||
- Split the portions of the buffer.c module that handle particular
|
||||
protocols into separate modules. Part of ticket 23149.
|
||||
- Use our test macros more consistently, to produce more useful
|
||||
error messages when our unit tests fail. Add coccinelle patches to
|
||||
allow us to re-check for test macro uses. Closes ticket 22497.
|
||||
|
||||
o Deprecated features:
|
||||
- The ReachableDirAddresses and ClientPreferIPv6DirPort options are
|
||||
now deprecated; they do not apply to relays, and they have had no
|
||||
effect on clients since 0.2.8.x. Closes ticket 19704.
|
||||
- Deprecate HTTPProxy/HTTPProxyAuthenticator config options. They
|
||||
only applies to direct unencrypted HTTP connections to your
|
||||
directory server, which your Tor probably isn't using. Closes
|
||||
ticket 20575.
|
||||
|
||||
o Documentation:
|
||||
- Add notes in man page regarding OS support for the various
|
||||
scheduler types. Attempt to use less jargon in the scheduler
|
||||
section. Closes ticket 24254.
|
||||
- Clarify that the Address option is entirely about setting an
|
||||
advertised IPv4 address. Closes ticket 18891.
|
||||
- Clarify the manpage's use of the term "address" to clarify what
|
||||
kind of address is intended. Closes ticket 21405.
|
||||
- Document that onion service subdomains are allowed, and ignored.
|
||||
Closes ticket 18736.
|
||||
- Clarify in the manual that "Sandbox 1" is only supported on Linux
|
||||
kernels. Closes ticket 22677.
|
||||
- Document all values of PublishServerDescriptor in the manpage.
|
||||
Closes ticket 15645.
|
||||
- Improve the documentation for the directory port part of the
|
||||
DirAuthority line. Closes ticket 20152.
|
||||
- Restore documentation for the authorities' "approved-routers"
|
||||
file. Closes ticket 21148.
|
||||
|
||||
o Removed features:
|
||||
- The AllowDotExit option has been removed as unsafe. It has been
|
||||
deprecated since 0.2.9.2-alpha. Closes ticket 23426.
|
||||
- The ClientDNSRejectInternalAddresses flag can no longer be set on
|
||||
non-testing networks. It has been deprecated since 0.2.9.2-alpha.
|
||||
Closes ticket 21031.
|
||||
- The controller API no longer includes an AUTHDIR_NEWDESCS event:
|
||||
nobody was using it any longer. Closes ticket 22377.
|
||||
|
||||
|
||||
Changes in version 0.2.8.15 - 2017-09-18
|
||||
Tor 0.2.8.15 backports a collection of bugfixes from later
|
||||
Tor series.
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (directory authority):
|
||||
- Add an IPv6 address for the "bastet" directory authority.
|
||||
Closes ticket 24394.
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
o Major bugfixes (circuit prediction):
|
||||
- Fix circuit prediction logic so that a client doesn't treat a stream as
|
||||
being "handled" by a circuit if that circuit already has isolation
|
||||
settings on it that might make it incompatible with the stream. This
|
||||
change should make Tor clients more responsive by improving their
|
||||
chances of having a pre-created circuit ready for use when a new client
|
||||
request arrives. Fixes bug 18859; bugfix on 0.2.3.3-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (bridges):
|
||||
- Overwrite the bridge address earlier in the process of directly
|
||||
retrieving its descriptor, to make sure we reach it on the configured
|
||||
address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (logging):
|
||||
- Improve the message we log when re-enabling circuit build timeouts
|
||||
after having received a consensus. Closes ticket 20963.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (portability):
|
||||
- Don't exit the Tor process if setrlimit() fails to change the file
|
||||
limit (which can happen sometimes on some versions of OSX). Fixes
|
||||
bug 21074; bugfix on 0.0.9pre5.
|
|
@ -1,9 +0,0 @@
|
|||
o Major bugfixes (Exit nodes):
|
||||
- Fix an issue causing high-bandwidth exit nodes to fail a majority
|
||||
or all of their DNS requests, making them basically unsuitable for
|
||||
regular usage in Tor circuits. The problem is related to
|
||||
libevent's DNS handling, but we can work around it in Tor. Fixes
|
||||
bugs 21394 and 18580; bugfix on 0.1.2.2-alpha which introduced
|
||||
eventdns. Credit goes to Dhalgren for identifying and finding a
|
||||
workaround to this bug and to gamambel, arthuredelstein and
|
||||
arma in helping to track it down and analyze it.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (hidden service v3, fuzzing):
|
||||
- Fix the hidden service v3 descriptor decoding fuzzing to use the latest
|
||||
decoding API correctly. Fixes bug 21509; bugfix on 0.3.2.1-alpha.
|
|
@ -1,11 +0,0 @@
|
|||
o Minor bugfixes (path selection):
|
||||
- When selecting relays by bandwidth, avoid a rounding error that
|
||||
could sometimes cause load to be imbalanced incorrectly. Previously,
|
||||
we would always round upwards; now, we round towards the nearest
|
||||
integer. This had the biggest effect when a relay's weight adjustments
|
||||
should have given it weight 0, but it got weight 1 instead.
|
||||
Fixes bug 23318; bugfix on 0.2.4.3-alpha.
|
||||
- When calculating the fraction of nodes that have descriptors, and all
|
||||
all nodes in the network have zero bandwidths, count the number of nodes
|
||||
instead.
|
||||
Fixes bug 23318; bugfix on 0.2.4.10-alpha.
|
|
@ -1,7 +0,0 @@
|
|||
o Minor bugfixes (hidden service v3):
|
||||
- Fix a race between the circuit close and free where the service would
|
||||
launch a new intro circuit after the close, and then fail to register it
|
||||
before the free of the previously closed circuit. This was making the
|
||||
service unable to find the established intro circuit and thus not upload
|
||||
its descriptor. It can make a service unavailable for up to 24 hours.
|
||||
Fixes bug 23603; bugfix on 0.3.2.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (onion services):
|
||||
- Cache some needed onion service client information instead of
|
||||
continuously computing it over and over again. Fixes bug 23623; bugfix
|
||||
on 0.3.2.1-alpha.
|
|
@ -1,7 +0,0 @@
|
|||
o Minor bugfixes (hidden service client):
|
||||
- When getting multiple SOCKS request for the same .onion address, don't
|
||||
trigger multiple descriptor fetches.
|
||||
- When the descriptor fetch fails with an internal error, no more HSDir to
|
||||
query or we aren't allowed to fetch (FetchHidServDescriptors 0), close
|
||||
all pending SOCKS request for that .onion. Fixes bug 23653; bugfix on
|
||||
0.3.2.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (onion services):
|
||||
- Silence a warning about failed v3 onion descriptor uploads since it can
|
||||
happen naturally under certain edge-cases. Fixes part of bug 23662;
|
||||
bugfix on 0.3.2.1-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features (entry guards):
|
||||
- Improve logs issued when we are missing descriptors of primary guards.
|
||||
Resolves ticket 23670.
|
|
@ -1,7 +0,0 @@
|
|||
o Minor bugfixes (warnings):
|
||||
- When we get an HTTP request on a SOCKS port, tell the user about
|
||||
the new HTTPTunnelPort option. Previously, we would give a
|
||||
"Tor is not an HTTP Proxy" message, which stopped being true when
|
||||
HTTPTunnelPort was introduced. Fixes bug 23678; bugfix on
|
||||
0.3.2.1-alpha.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (hidden service client):
|
||||
- The introduction circuit was being timed out too quickly while waiting
|
||||
for the rendezvous circuit to complete. Keep the intro circuit around
|
||||
longer instead of timing out and reopening new ones constantly. Fixes
|
||||
bug 23681; bugfix on 0.2.4.8-alpha.
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (relay, crash):
|
||||
- Avoid a crash when transitioning from client mode to bridge mode.
|
||||
Previously, we would launch the worker threads whenever our "public
|
||||
server" mode changed, but not when our "server" mode changed.
|
||||
Fixes bug 23693; bugfix on 0.2.6.3-alpha.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfix (KIST scheduler):
|
||||
- Downgrade a warning to log info when the monotonic time diff is
|
||||
negative. This can happen on platform not supporting monotonic time. The
|
||||
scheduler recovers from this without any problem. Fixes bug 23696;
|
||||
bugfix on 0.3.2.1-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (documentation):
|
||||
- Document better how to read gcov and what our postprocessing scripts do.
|
||||
Fixes bug 23739; bugfix on 0.2.9.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (testing):
|
||||
- Prevent scripts/test/coverage from attempting to move gcov
|
||||
output to the root directory. Fixes bug 23741; bugfix on
|
||||
0.2.5.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (hidden service):
|
||||
- Always make sure the hidden service generate the public key file if it
|
||||
is missing. Prior to this, if the public key was deleted from disk, it
|
||||
wouldn't get recreated. Fixes bug 23748; bugfix on 0.3.2.2-alpha.
|
||||
Patch from "cathugger".
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (scheduler, channel):
|
||||
- Ignore channels that have been closed while flushing cells. This can
|
||||
happen if the write on the connection fails leading to the channel being
|
||||
closed while in the scheduler loop. This is not a complete fix, it is a
|
||||
bandaid until we are able to refactor those interactions. Fixes bug
|
||||
23751; bugfix on 0.3.2.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (logging, scheduler):
|
||||
- Introduce a SCHED_BUG() function to log extra information about the
|
||||
scheduler state if we ever catch a bug in the scheduler. Closes ticket
|
||||
23753.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (testing):
|
||||
- Stop unconditionally mirroring the tor repository in GitLab CI.
|
||||
This prevented developers from enabling GitLab CI on master.
|
||||
Fixes bug 23755; bugfix on 0.3.2.2-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (testing):
|
||||
- Adjust the GitLab CI configuration to more closely match that of Travis
|
||||
CI. Fixes bug 23757; bugfix on 0.3.2.2-alpha.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (testing):
|
||||
- Skip a test that would fail if run as root (because it expects a
|
||||
permissions error). This affects some continuous integration setups.
|
||||
Fixes bug 23758; bugfix on 0.3.2.2-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (hidden service v3):
|
||||
- Properly retry HSv3 descriptor fetches in the case where we were initially
|
||||
missing required directory information. Fixes bug 23762; bugfix on
|
||||
0.3.2.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (memory leak):
|
||||
- Fix a minor memory-leak-at-exit in the KIST scheduler. This
|
||||
bug should have no user-visible impact. Fixes bug 23774;
|
||||
bugfix on 0.3.2.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (compilation, windows):
|
||||
- When detecting OpenSSL on Windows from our configure script, make sure
|
||||
to try linking with the ws2_32 library. Fixes bug 23783; bugfix on
|
||||
0.3.2.2-alpha.
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (hidden service v2):
|
||||
- When reloading tor (HUP) configured with hidden service(s), some
|
||||
information weren't copy to the new service object. One problem with
|
||||
this was that tor would wait at least the RendPostPeriod time before
|
||||
uploading the descriptor if the reload happened before the descriptor
|
||||
needed to be published. Fixes bug 23790; bugfix on 0.2.1.9-alpha.
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (directory client):
|
||||
- On failure to download directory information, delay retry attempts
|
||||
by a random amount based on the "decorrelated jitter" algorithm.
|
||||
Our previous delay algorithm tended to produce extra-long delays too
|
||||
easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (descriptors):
|
||||
- Don't try fetching microdescriptors from relays that have failed to
|
||||
deliver them in the past. Fixes bug 23817; bugfix on 0.3.0.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (IPv6, v3 single onion services):
|
||||
- Remove buggy code for IPv6-only v3 single onion services, and reject
|
||||
attempts to configure them. This release supports IPv4, dual-stack, and
|
||||
IPv6-only v3 hidden services; and IPv4 and dual-stack v3 single onion
|
||||
services. Fixes bug 23820; bugfix on 0.3.2.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (logging, relay):
|
||||
- Suppress a log notice when relay descriptors arrive. We already have a
|
||||
bootstrap progress for this so no need to log notice everytime tor
|
||||
receives relay descriptors. Microdescriptors behave the same. Fixes bug
|
||||
23861; bugfix on 0.2.8.2-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (entry guards):
|
||||
- Tor now updates its guard state when it reads a consensus regardless of
|
||||
whether it's missing descriptors. That makes tor use its primary guards
|
||||
to fetch descriptors in some edge cases where it would have used fallback
|
||||
directories in the past. Fixes bug 23862; bugfix on 0.3.0.1-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (memory safety):
|
||||
- Clear the address when node_get_prim_orport() returns early.
|
||||
Fixes bug 23874; bugfix on 0.2.8.2-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (relay):
|
||||
- Avoid a BUG warning when receiving a dubious CREATE cell while
|
||||
an option transition is in progress. Fixes bug 23952; bugfix on
|
||||
0.3.2.1-alpha.
|
|
@ -1,9 +0,0 @@
|
|||
o Minor bugfixes (bootstrapping):
|
||||
- Fetch descriptors aggressively whenever we lack enough
|
||||
to build circuits, regardless of how many descriptors we are missing.
|
||||
Previously, we would delay launching the fetch when we had fewer than
|
||||
15 missing descriptors, even if some of those descriptors were
|
||||
blocking circuits from building. Fixes bug 23985; bugfix on
|
||||
0.1.1.11-alpha. The effects of this bug became worse in 0.3.0.3-alpha,
|
||||
when we began treating missing descriptors from our primary guards
|
||||
as a reason to delay circuits.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (hidden service):
|
||||
- Make sure that we have a usable ed25519 key when the intro point relay
|
||||
does support ed25519 link authentication. We do check for an empty key
|
||||
when the relay does not support it so this makes it nice and symmetric.
|
||||
Fixes bug 24002; bugfix on 0.3.2.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (logging, relay):
|
||||
- Downgrade a warning to a protocol warning in the case the ed25519 key is
|
||||
not consistent between the descriptor and micro descriptor of a relay.
|
||||
This can happen for instance if the relay has been flagged
|
||||
NoEdConsensus. Fixes bug 24025; bugfix on 0.3.2.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (client):
|
||||
- By default, do not enable storage of client-side DNS values.
|
||||
These values were unused by default previously, but they should
|
||||
not have been cached at all. Fixes bug 24050; bugfix on
|
||||
0.2.6.3-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (testing):
|
||||
- Fix a spurious fuzzing-only use of an uninitialized value.
|
||||
Found by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
|
|
@ -1,7 +0,0 @@
|
|||
o Minor bugfixes (directory cache):
|
||||
- When a consensus diff calculation is only partially successful, only
|
||||
record the successful parts as having succeeded. Partial success
|
||||
can happen if (for example) one compression method fails but
|
||||
the others succeed. Previously we misrecorded all the calculations as
|
||||
having succeeded, which would later cause a nonfatal assertion failure.
|
||||
Fixes bug 24086; bugfix on 0.3.1.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (directory cache):
|
||||
- Recover better from empty or corrupt files in the consensus cache
|
||||
directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (manpage, hidden service):
|
||||
- Mention that the HiddenServiceNumIntroductionPoints option is 0-10 for
|
||||
v2 service and 0-20 for v3 service. Fixes bug 24115; bugfix on
|
||||
0.3.2.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (v3 onion services):
|
||||
- Fix a memory leak when decrypting a badly formatted v3 onion
|
||||
service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
|
||||
Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.
|
|
@ -1,7 +0,0 @@
|
|||
o Minor bugfixes (network layer):
|
||||
- When closing a connection via close_connection_immediately(), we
|
||||
mark it as "not blocked on bandwidth", to prevent later calls
|
||||
from trying to unblock it, and give it permission to read. This
|
||||
fixes a backtrace warning that can happen on relays under various
|
||||
circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (path selection):
|
||||
- Actually log the total bandwidth in compute_weighted_bandwidths().
|
||||
Fixes bug 24170; bugfix on 0.2.4.3-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (controller, linux seccomp2 sandbox):
|
||||
- Avoid a crash when attempting to use the seccomp2 sandbox
|
||||
together with the OwningControllerProcess feature.
|
||||
Fixes bug 24198; bugfix on 0.2.5.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (control port, hidden service):
|
||||
- Control port was reporting the action "UPLOAD_FAILED" instead of
|
||||
"FAILED" for the HS_DESC event when a service was not able to upload a
|
||||
descriptor. Fixes bug 24230; bugfix on 0.2.7.1-alpha.
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (fuzzing):
|
||||
- Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(), to
|
||||
correctly handle cases where a caller gives it an RSA key of under 160
|
||||
bits. (This is not actually a bug in Tor itself, but wrather in our
|
||||
fuzzing code.) Fixes bug 24247; bugfix on 0.3.0.3-alpha.
|
||||
Found by OSS-Fuzz as issue 4177.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (hidden service):
|
||||
- Fix the consensus parameter "hsdir-interval" to "hsdir_interval" so it
|
||||
matches the dir-spec.txt. Fixes bug 24262; bugfix on 0.3.1.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (compilation, hardening):
|
||||
- Fix a memory leak warning in one of the libevent-related
|
||||
configuration tests that could occur when manually specifying
|
||||
-fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha.
|
||||
Found and patched by Alex Xu.
|
|
@ -1,5 +0,0 @@
|
|||
o Major bugfixes (security, hidden service v2):
|
||||
- Fix a use-after-free error that could crash v2 Tor hidden services
|
||||
when it failed to open circuits while expiring introductions
|
||||
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This
|
||||
issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (tests):
|
||||
- Fix a unit test in one of the bridge-distribution test cases.
|
||||
Fixes bug 24345; bugfix on 0.3.2.3-alpha.
|
|
@ -1,13 +0,0 @@
|
|||
o Minor bugfixes (bridge clients, bootstrap):
|
||||
- Retry directory downloads when we get our first bridge descriptor
|
||||
during bootstrap or while reconnecting to the network. Keep retrying
|
||||
every time we get a bridge descriptor, until we have a reachable bridge.
|
||||
Fixes bug 24367; bugfix on 0.2.0.3-alpha.
|
||||
- Stop delaying bridge descriptor fetches when we have cached bridge
|
||||
descriptors. Instead, only delay bridge descriptor fetches when we
|
||||
have at least one reachable bridge.
|
||||
Fixes bug 24367; bugfix on 0.2.0.3-alpha.
|
||||
- Stop delaying directory fetches when we have cached bridge descriptors.
|
||||
Instead, only delay bridge descriptor fetches when all our bridges are
|
||||
definitely unreachable.
|
||||
Fixes bug 24367; bugfix on 0.2.0.3-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features (portability):
|
||||
- Tor now compiles correctly on arm64 with libseccomp-dev installed.
|
||||
(It doesn't yet work with the sandbox enabled.) Closes ticket 24424.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (compilation):
|
||||
- Fix a signed/unsigned comparison warning introduced by our
|
||||
fix to TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (scheduler):
|
||||
- Properly set the scheduler state of an unopened channel in the KIST
|
||||
scheduler main loop. This prevents a harmless but annoying log warning.
|
||||
Fixes bug 24502; bugfix on 0.3.2.4-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Documentation:
|
||||
- Document that operators who run more than one relay or bridge are
|
||||
expected to set MyFamily and ContactInfo correctly. Closes ticket
|
||||
24526.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (scheduler, KIST):
|
||||
- Avoid a possible integer overflow when computing the available space on
|
||||
the TCP buffer of a channel. This has no security implications but can
|
||||
make KIST not behave properly by allowing more cells on a already
|
||||
saturated connection. Fixes bug 24590; bugfix on 0.3.2.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (portability, msvc):
|
||||
- Fix a bug in the bit-counting parts of our timing-wheel code on
|
||||
MSVC. (Note that MSVC is still not a supported build platform,
|
||||
due to cyptographic timing channel risks.) Fixes bug 24633;
|
||||
bugfix on 0.2.9.1-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (compilation):
|
||||
- Resolve a few shadowed-variable warnings in the onion service code.
|
||||
Fixes bug 24634; bugfix on 0.3.2.1-alpha.
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (build, compatibility, rust, OSX):
|
||||
|
||||
- When building with Rust on OSX, link against libresolv, to
|
||||
work around the issue at
|
||||
https://github.com/rust-lang/rust/issues/46797. Fixes bug
|
||||
24652; bugfix on 0.3.1.1-alpha.
|
|
@ -1,6 +0,0 @@
|
|||
o Major bugfixes (KIST, scheduler):
|
||||
- The KIST scheduler did not correctly account for data already enqueued
|
||||
in each connection's send socket buffer, particularly in cases when the
|
||||
TCP/IP congestion window was reduced between scheduler calls. This
|
||||
situation lead to excessive per-connection buffering in the kernel, and
|
||||
a potential memory DoS. Fixes bug 24665; bugfix on 0.3.2.1-alpha.
|
|
@ -1,7 +0,0 @@
|
|||
o Minor bugfixes (memory usage):
|
||||
|
||||
- When queuing DESTROY cells on a channel, only queue the
|
||||
circuit-id and reason fields: not the entire 514-byte
|
||||
cell. This fix should help mitigate any bugs or attacks that
|
||||
fill up these queues, and free more RAM for other uses. Fixes
|
||||
bug 24666; bugfix on 0.2.5.1-alpha.
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (scheduler, KIST):
|
||||
- Use a sane write limit for KISTLite when writing onto a connection
|
||||
buffer instead of using INT_MAX and shoving as much as it can. Because
|
||||
the OOM handler cleans up circuit queues, we are better off at keeping
|
||||
them in that queue instead of the connection's buffer. Fixes bug 24671;
|
||||
bugfix on 0.3.2.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (scheduler, KIST):
|
||||
- Avoid adding the same channel twice in the KIST scheduler pending list
|
||||
wasting CPU cycles at handling the same channel twice. Fixes bug 24700;
|
||||
bugfix on 0.3.2.1-alpha.
|
|
@ -1,6 +0,0 @@
|
|||
o Minor bugfixes (address selection):
|
||||
- When the fascist_firewall_choose_address_ functions don't find a
|
||||
reachable address, set the returned address to the null address and port.
|
||||
This is a precautionary measure, because some callers do not check the
|
||||
return value.
|
||||
Fixes bug 24736; bugfix on 0.2.8.2-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (performance, fragile-hardening):
|
||||
- Improve the performance of our consensus-diff application code when Tor
|
||||
is built with the --enable-fragile-hardening option set. Fixes bug
|
||||
24826; bugfix on 0.3.1.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (logging):
|
||||
- Don't treat inability to store a cached consensus object as a
|
||||
bug: it can happen normally when we are out of disk space.
|
||||
Fixes bug 24859; bugfix on 0.3.1.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Major bugfixes (v3 onion services):
|
||||
- New-style (v3) onion services now obey the "max rendezvous circuit
|
||||
attempts" logic. Previously they would make as many rendezvous
|
||||
circuit attempts as they could fit in the MAX_REND_TIMEOUT second
|
||||
window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
|
|
@ -1,8 +0,0 @@
|
|||
o Major bugfixes (onion services):
|
||||
- Fix an "off by 2" error in counting rendezvous failures on the onion
|
||||
service side. While we thought we would stop the rendezvous attempt
|
||||
after one failed circuit, we were actually making three circuit attempts
|
||||
before giving up. Now switch to a default of 2, and allow the consensus
|
||||
parameter "hs_service_max_rdv_failures" to override. Fixes bug 24895;
|
||||
bugfix on 0.0.6.
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
o Major bugfixes (relays):
|
||||
- Fix a set of false positives where relays would consider connections
|
||||
to other relays as being client-only connections (and thus e.g.
|
||||
deserving different link padding schemes) if those relays fell out
|
||||
of the consensus briefly. Now we look only at the initial handshake
|
||||
and whether the connection authenticated as a relay. Fixes bug
|
||||
24898; bugfix on 0.3.1.1-alpha.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfix (channel connection):
|
||||
- The accurate address of a connection is real_addr, not the addr member.
|
||||
TLS Channel remote address is now real_addr content instead of addr
|
||||
member. Fixes bug 24952; bugfix on 707c1e2e26 in 0.2.4.11-alpha.
|
||||
Patch by "ffmancera".
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (logging, diagnostic):
|
||||
- When logging a failure to check a hidden service's certificate,
|
||||
also log what the problem with the certificate was. Diagnostic
|
||||
for ticket 24972.
|
|
@ -1,6 +0,0 @@
|
|||
o Major bugfixes (scheduler, consensus):
|
||||
- A logic in the code was preventing the scheduler subystem to properly
|
||||
make a decision based on the latest consensus when it arrives. This lead
|
||||
to the scheduler failing to notice any consensus parameters that might
|
||||
have changed between consensuses. Fixes bug 24975; bugfix on
|
||||
0.3.2.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (hidden service v3 client):
|
||||
- Remove a BUG() statement which can be triggered in normal circumstances
|
||||
where a client fetches a descriptor that has a lower revision counter
|
||||
than the one in its cache. This can happen due to HSDir desync. Fixes
|
||||
bug 24976; bugfix on 0.3.2.1-alpha.
|
|
@ -1,7 +0,0 @@
|
|||
o Minor features (compatibility, OpenSSL):
|
||||
- Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
|
||||
Previous versions of Tor would not have worked with OpenSSL
|
||||
1.1.1, since they neither disabled TLS 1.3 nor enabled any of the
|
||||
ciphersuites it requires. Here we enable the TLS 1.3 ciphersuites.
|
||||
Closes ticket 24978.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (unit tests):
|
||||
- Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
|
||||
25005; bugfix on 0.3.2.7-rc.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Major bugfixes (protocol versions):
|
||||
- Add Link protocol version 5 to the supported protocols list.
|
||||
Fixes bug 25070; bugfix on 0.3.1.1-alpha.
|
|
@ -1,5 +0,0 @@
|
|||
o Minor bugfixes (v3 onion services):
|
||||
- Look at the "HSRend" protocol version, not the "HSDir" protocol
|
||||
version, when deciding whether a consensus entry can support
|
||||
the v3 onion service protocol as a rendezvous point.
|
||||
Fixes bug 25105; bugfix on 0.3.2.1-alpha.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor bugfixes (DoS mitigation):
|
||||
- Make sure we don't modify consensus parameters if we aren't a public
|
||||
relay when a new consensus arrives. Fixes bug 25223; bugfix on
|
||||
0.3.3.2-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (spec conformance):
|
||||
- Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
|
||||
0.2.9.4-alpha.
|
|
@ -1,3 +0,0 @@
|
|||
o Minor bugfixes (spec conformance):
|
||||
- Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
|
||||
bugfix on 0.2.9.4-alpha.
|
|
@ -1,9 +0,0 @@
|
|||
o Minor features (bridge):
|
||||
- Bridge relays can now set the BridgeDistribution config option to
|
||||
add a "bridge-distribution-request" line to their bridge descriptor,
|
||||
which tells BridgeDB how they'd like their bridge address to be
|
||||
given out. (Note that as of Oct 2017, BridgeDB does not yet implement
|
||||
this feature.) As a side benefit, this feature provides a way
|
||||
to distinguish bridge descriptors from non-bridge descriptors.
|
||||
Implements tickets 18329.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (geoip):
|
||||
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
|
||||
Country database.
|
||||
|
|
@ -1,3 +0,0 @@
|
|||
o Minor features (testing):
|
||||
- Our fuzzing tests now test the encrypted portions of the
|
||||
v3 hidden service descriptors. Implements more of 21509.
|
|
@ -1,3 +0,0 @@
|
|||
o Directory authority changes:
|
||||
- The directory authority "Longclaw" has changed its IP address.
|
||||
Closes ticket 23592.
|
|
@ -1,7 +0,0 @@
|
|||
o Minor bugfixes (correctness):
|
||||
- Fix several places in our codebase where a C compiler would be likely
|
||||
to eliminate a check, based on assuming that undefined behavior had not
|
||||
happened elsewhere in the code. These cases are usually a sign of
|
||||
redundant checking, or dubious arithmetic. Found by Georg Koppen using
|
||||
the "STACK" tool from Wang, Zeldovich, Kaashoek, and
|
||||
Solar-Lezama. Fixes bug 24423; bugfix on various Tor versions.
|
|
@ -1,7 +0,0 @@
|
|||
o Minor features (removed deprecations):
|
||||
- The ClientDNSRejectInternalAddresses flag can once again be set in
|
||||
non-testing Tor networks, so long as they do not use the default
|
||||
directory authorities.
|
||||
This change also removes the deprecation of this
|
||||
flag in 0.2.9.2-alpha. Closes ticket 21031.
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
o Minor features (directory authority):
|
||||
- Make the "Exit" flag assignment only depend on whether the exit
|
||||
policy allows connections to ports 80 and 443. Previously relays
|
||||
would get the Exit flag if they allowed connections to one of
|
||||
these ports and also port 6667. Resolves ticket 23637.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor feature (relay statistics):
|
||||
- Change relay bandwidth reporting stats interval from 4 hours to 24 hours
|
||||
in order to reduce the efficiency of guard discovery attacks. Fixes
|
||||
ticket 23856.
|
|
@ -1,3 +0,0 @@
|
|||
o Directory authority changes:
|
||||
- Add bastet as a ninth directory authority to the default list. Closes
|
||||
ticket 23910.
|
|
@ -1,4 +0,0 @@
|
|||
o Minor features (logging):
|
||||
- Downgrade a pair of log messages that could occur when an exit's
|
||||
resolver gave us an unusual (but not forbidden) response.
|
||||
Closes ticket 24097.
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue