705 changed files with 26664 additions and 71116 deletions
--- a/.appveyor.yml
+++ b/.appveyor.yml
@ -1,62 +0,0 @@
-version: 1.0.{build}
-
-clone_depth: 50
-
-environment:
-  compiler: mingw
-
-  matrix:
-  - target: i686-w64-mingw32
-    compiler_path: mingw32
-    openssl_path: /c/OpenSSL-Win32
-  - target: x86_64-w64-mingw32
-    compiler_path: mingw64
-    openssl_path: /c/OpenSSL-Win64
-
-install:
- ps: >-
-    Function Execute-Command ($commandPath)
-    {
-        & $commandPath $args 2>&1
-        if ( $LastExitCode -ne 0 ) {
-            $host.SetShouldExit( $LastExitCode )
-        }
-    }
-    Function Execute-Bash ()
-    {
-        Execute-Command 'c:\msys64\usr\bin\bash' '-e' '-c' $args
-    }
-    Execute-Command "C:\msys64\usr\bin\pacman" -Sy --noconfirm openssl-devel openssl libevent-devel libevent mingw-w64-i686-libevent mingw-w64-x86_64-libevent mingw-w64-i686-openssl mingw-w64-x86_64-openssl mingw-w64-i686-zstd mingw-w64-x86_64-zstd
-
-build_script:
- ps: >-
-    if ($env:compiler -eq "mingw") {
-            $oldpath = ${env:Path} -split ';'
-            $buildpath = @("C:\msys64\${env:compiler_path}\bin", "C:\msys64\usr\bin") + $oldpath
-            $env:Path = @($buildpath) -join ';'
-            $env:build = @("${env:APPVEYOR_BUILD_FOLDER}", $env:target) -join '\'
-            Set-Location "${env:APPVEYOR_BUILD_FOLDER}"
-            Execute-Bash 'autoreconf -i'
-            mkdir "${env:build}"
-            Set-Location "${env:build}"
-            Execute-Bash "../configure --prefix=/${env:compiler_path} --build=${env:target} --host=${env:target} --disable-asciidoc --enable-fatal-warnings --with-openssl-dir=${env:openssl_path}"
-            Execute-Bash "V=1 make -j2"
-            Execute-Bash "V=1 make -j2 install"
-     }
-
-test_script:
- ps: >-
-    if ($env:compiler -eq "mingw") {
-            $oldpath = ${env:Path} -split ';'
-            $buildpath = @("C:\msys64\${env:compiler_path}\bin") + $oldpath
-            $env:Path = $buildpath -join ';'
-            Set-Location "${env:build}"
-            Execute-Bash "VERBOSE=1 make -j2 check"
-    }
-
-on_success:
- cmd: C:\Python27\python.exe %APPVEYOR_BUILD_FOLDER%\scripts\test\appveyor-irc-notify.py irc.oftc.net:6697 tor-ci success
-
-on_failure:
- cmd: C:\Python27\python.exe %APPVEYOR_BUILD_FOLDER%\scripts\test\appveyor-irc-notify.py irc.oftc.net:6697 tor-ci failure
-
--- a/.gitignore
+++ b/.gitignore
@ -3,7 +3,6 @@
 .#*
 *~
 *.swp
-*.swo
 # C stuff
 *.o
 *.obj
@ -71,7 +70,6 @@ uptime-*.json
 /Tor*Bundle.dmg
 /tor-*-win32.exe
 /coverage_html/
-/callgraph/

 # /contrib/
 /contrib/dist/tor.sh
@ -212,7 +210,6 @@ uptime-*.json
 /src/test/fuzz/lf-fuzz-*

 # /src/tools/
-/src/tools/libtorrunner.a
 /src/tools/tor-checkkey
 /src/tools/tor-resolve
 /src/tools/tor-cov-resolve
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,45 +0,0 @@
-before_script:
-    - apt-get update -qq
-    - apt-get upgrade -qy
-
-build:
-  script:
-    - apt-get install -qy --fix-missing automake build-essential
-      libevent-dev libssl-dev zlib1g-dev
-      libseccomp-dev liblzma-dev libscrypt-dev
-    - ./autogen.sh
-    - ./configure --disable-asciidoc --enable-fatal-warnings
-      --disable-silent-rules
-    - make check || (e=$?; cat test-suite.log; exit $e)
-    - make install
-
-update:
-  only:
-    - schedules
-  script: 
-    - "apt-get install -y --fix-missing git openssh-client"
-    
-    # Run ssh-agent (inside the build environment)
-    - eval $(ssh-agent -s)
-
-    # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
-    - ssh-add <(echo "$DEPLOY_KEY")
-
-    # For Docker builds disable host key checking. Be aware that by adding that
-    # you are susceptible to man-in-the-middle attacks.
-    # WARNING: Use this only with the Docker executor, if you use it with shell
-    # you will overwrite your user's SSH config.
-    - mkdir -p ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
-    # In order to properly check the server's host key, assuming you created the
-    # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
-    # instead.
-    - mkdir -p ~/.ssh
-    - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
-    - echo "merging from torgit"
-    - git config --global user.email "labadmin@oniongit.eu"
-    - git config --global user.name "gitadmin"
-    - "mkdir tor"
-    - "cd tor" 
-    - git clone --bare https://git.torproject.org/tor.git
-    - git push --mirror git@oniongit.eu:network/tor.git
--- a/.travis.yml
+++ b/.travis.yml
@ -66,7 +66,6 @@ env:
    ## more than one entry causes unwanted matrix entries with
    ## unspecified compilers.
    - RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
-    # - RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
    # - RUST_OPTIONS=""

 matrix:
@ -96,33 +95,21 @@ matrix:
  ## entry under that key outside the "include" clause.
  include:
    - compiler: gcc
-    - compiler: gcc
-      env: RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
    - compiler: gcc
      env: RUST_OPTIONS=""
    - compiler: gcc
      env: COVERAGE_OPTIONS="--enable-coverage"
    - compiler: gcc
-      env: DISTCHECK="yes" RUST_OPTIONS=""
-    - compiler: gcc
-      env: DISTCHECK="yes" RUST_OPTIONS="--enable-rust --enable-cargo-online-mode"
-    - compiler: gcc
-      env: MODULES_OPTIONS="--disable-module-dirauth"
+      env: DISTCHECK="yes"
    ## The "sudo: required" forces non-containerized builds, working
    ## around a Travis CI environment issue: clang LeakAnalyzer fails
    ## because it requires ptrace and the containerized environment no
    ## longer allows ptrace.
    - compiler: clang
      sudo: required
-    - compiler: clang
-      sudo: required
-      env: RUST_OPTIONS="--enable-rust" TOR_RUST_DEPENDENCIES=true
    - compiler: clang
      sudo: required
      env: RUST_OPTIONS=""
-    - compiler: clang
-      sudo: required
-      env: MODULES_OPTIONS="--disable-module-dirauth"

 before_install:
  ## If we're on OSX, homebrew usually needs to updated first
@ -148,12 +135,10 @@ install:
  - if [[ "$RUST_OPTIONS" != "" ]]; then which cargo; fi
  - if [[ "$RUST_OPTIONS" != "" ]]; then rustc --version; fi
  - if [[ "$RUST_OPTIONS" != "" ]]; then cargo --version; fi
-  ## If we're testing rust builds in offline-mode, then set up our vendored dependencies
-  - if [[ "$TOR_RUST_DEPENDENCIES" == "true" ]]; then export TOR_RUST_DEPENDENCIES=$PWD/src/ext/rust/crates; fi

 script:
  - ./autogen.sh
-  - ./configure $RUST_OPTIONS $COVERAGE_OPTIONS $MODULES_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening
+  - ./configure $RUST_OPTIONS $COVERAGE_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening
  ## We run `make check` because that's what https://jenkins.torproject.org does.
  - if [[ "$DISTCHECK" == "" ]]; then make check; fi
  - if [[ "$DISTCHECK" != "" ]]; then make distcheck DISTCHECK_CONFIGURE_FLAGS="$RUST_OPTIONS $COVERAGE_OPTIONS --disable-asciidoc --enable-fatal-warnings --disable-silent-rules --enable-fragile-hardening"; fi
--- a/39
+++ b/39
@ -1,39 +0,0 @@
-Contributing to Tor
-------------------
-
-### Getting started
-
-Welcome!
-
-We have a bunch of documentation about how to develop Tor in the
-doc/HACKING/ directory.  We recommend that you start with
-doc/HACKING/README.1st.md , and then go from there.  It will tell
-you how to find your way around the source code, how to get
-involved with the Tor community, how to write patches, and much
-more!
-
-You don't have to be a C developer to help with Tor: have a look
-at https://www.torproject.org/getinvolved/volunteer !
-
-The Tor Project is committed to fostering a inclusive community
-where people feel safe to engage, share their points of view, and
-participate. For the latest version of our Code of Conduct, please
-see
-
-https://gitweb.torproject.org/community/policies.git/plain/code_of_conduct.txt
-
-
-
-### License issues
-
-Tor is distributed under the license terms in the LICENSE -- in
-brief, the "3-clause BSD license".  If you send us code to
-distribute with Tor, it needs to be code that we can distribute
-under those terms.  Please don't send us patches unless you agree
-to allow this.
-
-Some compatible licenses include:
-
-  - 3-clause BSD
-  - 2-clause BSD
-  - CC0 Public Domain Dedication
--- a/4453
+++ b/4453
--- a/Makefile.am
+++ b/Makefile.am
@ -26,8 +26,7 @@ TESTING_TOR_BINARY=$(top_builddir)/src/or/tor$(EXEEXT)
 endif

 if USE_RUST
-rust_ldadd=$(top_builddir)/src/rust/target/release/@TOR_RUST_STATIC_NAME@ \
-	@TOR_RUST_EXTRA_LIBS@
+rust_ldadd=$(top_builddir)/src/rust/target/release/libtor_util.a
 else
 rust_ldadd=
 endif
@ -38,7 +37,6 @@ include contrib/include.am

 EXTRA_DIST+= \
 	ChangeLog					\
-	CONTRIBUTING					\
 	INSTALL						\
 	LICENSE						\
 	Makefile.nmake					\
@ -52,14 +50,14 @@ AM_ETAGSFLAGS=--regex='{c}/MOCK_IMPL([^,]+,\W*\([a-zA-Z0-9_]+\)\W*,/\1/s'
 if COVERAGE_ENABLED
 TEST_CFLAGS=-fno-inline -fprofile-arcs -ftest-coverage
 if DISABLE_ASSERTS_IN_UNIT_TESTS
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE -DDISABLE_ASSERTS_IN_UNIT_TESTS
 else
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS -DTOR_COVERAGE
 endif
 TEST_NETWORK_FLAGS=--coverage --hs-multi-client 1
 else
 TEST_CFLAGS=
-TEST_CPPFLAGS=-DTOR_UNIT_TESTS @TOR_MODULES_ALL_ENABLED@
+TEST_CPPFLAGS=-DTOR_UNIT_TESTS
 TEST_NETWORK_FLAGS=--hs-multi-client 1
 endif
 TEST_NETWORK_WARNING_FLAGS=--quiet --only-warnings
@ -98,7 +96,7 @@ doxygen:
 test: all
 	$(top_builddir)/src/test/test

-check-local: check-spaces check-changes
+check-local: check-spaces

 need-chutney-path:
 	@if test ! -d "$$CHUTNEY_PATH"; then \
@ -119,19 +117,17 @@ test-network: need-chutney-path $(TESTING_TOR_BINARY) src/tools/tor-gencert

 # Run all available tests using automake's test-driver
 # only run IPv6 tests if we can ping6 ::1 (localhost)
-# only run IPv6 tests if we can ping ::1 (localhost)
 # some IPv6 tests will fail without an IPv6 DNS server (see #16971 and #17011)
 # only run mixed tests if we have a tor-stable binary
-# Try the syntax for BSD ping6, Linux ping6, and Linux ping -6,
-# because they're incompatible
+# Try both the BSD and the Linux ping6 syntax, because they're incompatible
 test-network-all: need-chutney-path test-driver $(TESTING_TOR_BINARY) src/tools/tor-gencert
 	mkdir -p $(TEST_NETWORK_ALL_LOG_DIR)
 	@flavors="$(TEST_CHUTNEY_FLAVORS)"; \
-	if ping6 -q -c 1 -o ::1 >/dev/null 2>&1 || ping6 -q -c 1 -W 1 ::1 >/dev/null 2>&1 || ping -6 -c 1 -W 1 ::1 >/dev/null 2>&1; then \
-		echo "ping6 ::1 or ping ::1 succeeded, running IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
+	if ping6 -q -c 1 -o ::1 >/dev/null 2>&1 || ping6 -q -c 1 -W 1 ::1 >/dev/null 2>&1; then \
+		echo "ping6 ::1 succeeded, running IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
 		flavors="$$flavors $(TEST_CHUTNEY_FLAVORS_IPV6)"; \
 	else \
-		echo "ping6 ::1 and ping ::1 failed, skipping IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
+		echo "ping6 ::1 failed, skipping IPv6 flavors: $(TEST_CHUTNEY_FLAVORS_IPV6)."; \
 		skip_flavors="$$skip_flavors $(TEST_CHUTNEY_FLAVORS_IPV6)"; \
 	fi; \
 	if command -v tor-stable >/dev/null 2>&1; then \
@ -218,42 +214,16 @@ check-logs:
 	$(top_srcdir)/scripts/maint/checkLogs.pl \
 		$(top_srcdir)/src/*/*.[ch] | sort -n

-.PHONY: check-typos
-check-typos:
-	@if test -x "`which misspell 2>&1;true`"; then \
-		echo "Checking for Typos ..."; \
-		(misspell \
-			$(top_srcdir)/src/[^e]*/*.[ch] \
-			$(top_srcdir)/doc \
-			$(top_srcdir)/contrib \
-			$(top_srcdir)/scripts \
-			$(top_srcdir)/README \
-			$(top_srcdir)/ChangeLog \
-			$(top_srcdir)/INSTALL \
-			$(top_srcdir)/ReleaseNotes \
-			$(top_srcdir)/LICENSE); \
-	else \
-		echo "Tor can use misspell to check for typos."; \
-		echo "It seems that you don't have misspell installed."; \
-		echo "You can install the latest version of misspell here: https://github.com/client9/misspell#install"; \
-	fi
-
 .PHONY: check-changes
 check-changes:
-if USEPYTHON
 	@if test -d "$(top_srcdir)/changes"; then \
-		$(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes; \
+		$(PYTHON) $(top_srcdir)/scripts/maint/lintChanges.py $(top_srcdir)/changes/*; \
 		fi
-endif

 .PHONY: update-versions
 update-versions:
 	$(PERL) $(top_builddir)/scripts/maint/updateVersions.pl

-.PHONY: callgraph
-callgraph:
-	$(top_builddir)/scripts/maint/run_calltool.sh
-
 version:
 	@echo "Tor @VERSION@"
 	@if test -d "$(top_srcdir)/.git" && test -x "`which git 2>&1;true`"; then \
@ -271,10 +241,6 @@ clean-local:
 	rm -rf $(top_builddir)/src/rust/target
 	rm -rf $(top_builddir)/src/rust/.cargo/registry

-if USE_RUST
-distclean-local: distclean-rust
-endif
-
 # This relies on some internal details of how automake implements
 # distcheck.  We check two directories because automake-1.15 changed
 # from $(distdir)/_build to $(distdir)/_build/sub.
--- a/3
+++ b/3
@ -27,6 +27,3 @@ Frequently Asked Questions:

 To get started working on Tor development:
        See the doc/HACKING directory.
-
-Release timeline:
-         https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases
--- a/3623
+++ b/3623
--- a/changes/TROVE-2018-005
+++ b/changes/TROVE-2018-005
@ -1,6 +0,0 @@
-  o Major bugfixes (security, directory authority, denial-of-service):
-    - Fix a bug that could have allowed an attacker to force a
-      directory authority to use up all its RAM by passing it a
-      maliciously crafted protocol versions string. Fixes bug 25517;
-      bugfix on 0.2.9.4-alpha.  This issue is also tracked as
-      TROVE-2018-005.
--- a/changes/bastet_v6
+++ b/changes/bastet_v6
@ -0,0 +1,4 @@
+  o Minor features (directory authority):
+    - Add an IPv6 address for the "bastet" directory authority.
+      Closes ticket 24394.
+
--- a/changes/bug15582
+++ b/changes/bug15582
@ -0,0 +1,4 @@
+  o Minor bugfixes (compilation):
+    - Avoid compiler warnings in the unit tests for running tor_sscanf()
+      with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
+
--- a/changes/bug16082
+++ b/changes/bug16082
@ -0,0 +1,4 @@
+  o Documentation:
+    - Correctly note that bandwidth accounting values are stored in the
+      state file, and the bw_accounting file is now obsolete. Closes
+      ticket 16082.
--- a/changes/bug17857
+++ b/changes/bug17857
@ -0,0 +1,6 @@
+  o Minor features (defensive programming):
+    - Create a pair of consensus parameters nf_pad_tor2web and
+      nf_pad_single_onion that allow us to disable netflow padding in the
+      consensus for non-anonymous connections, in case the overhead is high.
+      Closes #17857.
+
--- a/changes/bug18329-minimal
+++ b/changes/bug18329-minimal
@ -0,0 +1,6 @@
+  o Minor features (bridge):
+    - Bridges now include notice in their descriptors that they are bridges,
+      and notice of their distribution status, based on their publication
+      settings.  Implements ticket 18329.  For more fine-grained control of
+      how a bridge is distributed, upgrade to 0.3.2.x or later.
+
--- a/changes/bug19418
+++ b/changes/bug19418
@ -0,0 +1,7 @@
+  o Minor bugfixes (robustness, error handling):
+    - Improve our handling of the cases where OpenSSL encounters a
+      memory error while encoding keys and certificates. We haven't
+      observed these happening in the wild, but if they do happen,
+      we now detect and respond better. Fixes bug 19418; bugfix
+      on all versions of Tor. Reported by Guido Vranken.
+
--- a/changes/bug20247
+++ b/changes/bug20247
@ -0,0 +1,4 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Avoid a sandbox failure when trying to re-bind to a socket and mark
+      it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
+
--- a/changes/bug21074_downgrade
+++ b/changes/bug21074_downgrade
@ -0,0 +1,4 @@
+  o Minor bugfixes (portability):
+    - Don't exit the Tor process if setrlimit() fails to change the file
+      limit (which can happen sometimes on some versions of OSX). Fixes
+      bug 21074; bugfix on 0.0.9pre5.
--- a/changes/bug21394
+++ b/changes/bug21394
@ -0,0 +1,9 @@
+  o Major bugfixes (Exit nodes):
+    - Fix an issue causing high-bandwidth exit nodes to fail a majority
+      or all of their DNS requests, making them basically unsuitable for
+      regular usage in Tor circuits. The problem is related to
+      libevent's DNS handling, but we can work around it in Tor. Fixes
+      bugs 21394 and 18580; bugfix on 0.1.2.2-alpha which introduced
+      eventdns. Credit goes to Dhalgren for identifying and finding a
+      workaround to this bug and to gamambel, arthuredelstein and
+      arma in helping to track it down and analyze it.
--- a/changes/bug22159
+++ b/changes/bug22159
@ -0,0 +1,7 @@
+  o Minor bugfixes (hidden service):
+    - A service is allowed to open a maximum number of circuits for a specific
+      period of time. That value was lower than it should be (8 vs 12) in the
+      normal case of 3 introduction points. Fixes bug 22159.; bugfix on
+      tor-0.3.0.5-rc.
+    - Rate limit the log if we ever go above the maximum number of allowed
+      intro circuits. Fixes bug 22159.; bugfix on tor-0.3.1.1-alpha.
--- a/changes/bug22212
+++ b/changes/bug22212
@ -0,0 +1,5 @@
+  o Minor bugfixes (netflow padding logging):
+    - Demote a warn that was caused by libevent delays to info if
+      the padding is less than 4.5 seconds late, or notice if it is more
+      (4.5 seconds is the amount of time that a netflow record might
+       be emitted after, if we chose the maximum timeout). Fixes bug #22212.
--- a/changes/bug22286
+++ b/changes/bug22286
@ -0,0 +1,3 @@
+  o Minor features (tests):
+    - Add a couple more tests for compression backend initialization.
+      Closes ticket 22286.
--- a/changes/bug22347
+++ b/changes/bug22347
@ -0,0 +1,2 @@
+  o Documentation:
+    - Add a manpage description for the key-pinning-journal file.
--- a/changes/bug22349
+++ b/changes/bug22349
@ -0,0 +1,9 @@
+  o Minor bugfixes (directory authority):
+    - When a directory authority rejects a descriptor or extrainfo with
+      a given digest, mark that digest as undownloadable, so that we
+      do not attempt to download it again over and over. We previously
+      tried to avoid downloading such descriptors by other means, but
+      we didn't notice if we accidentally downloaded one anyway. This
+      behavior became problematic in 0.2.7.2-alpha, when authorities
+      began pinning Ed25519 keys. Fixes ticket
+      22349; bugfix on 0.2.1.19-alpha.
--- a/changes/bug22356
+++ b/changes/bug22356
@ -0,0 +1,5 @@
+  o Minor bugfixes (logging, relay):
+    - Downgrade "assigned_to_cpuworker failed" message to INFO-level
+      severity. In every case that can reach it, either a better warning
+      has already been logged, or no warning is warranted. Fixes bug 22356;
+      bugfix on 0.2.6.3-alpha.
--- a/changes/bug22400_01
+++ b/changes/bug22400_01
@ -0,0 +1,4 @@
+  o Major bugfixes (entry guards):
+    - When starting with an old consensus, do not add new entry guards
+      unless the consensus is "reasonably live" (under 1 day old). Fixes
+      one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
--- a/changes/bug22446
+++ b/changes/bug22446
@ -0,0 +1,4 @@
+  o Minor features (code style, backport from 0.3.1.3-alpha):
+    - Add "Falls through" comments to our codebase, in order to silence
+      GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
+      Stieger. Closes ticket 22446.
--- a/changes/bug22502_part1
+++ b/changes/bug22502_part1
@ -0,0 +1,12 @@
+  o Major bugfixes (compression, zstd):
+    - Correctly detect a full buffer when decompessing a large
+      zstd-compressed input. Fixes bug 22628; bugfix on 0.3.1.1-alpha.
+
+  o Minor bugfixes (compression):
+    - When compressing or decompressing a buffer, check for a failure to
+      create a compression object. Fixes bug 22626; bugfix on
+      0.3.1.1-alpha.
+
+    - When decompressing a buffer, check for extra data after the end of
+      the compressed data. Fixes bug 22629; bugfix on 0.3.1.1-alpha.
+
--- a/changes/bug22516
+++ b/changes/bug22516
@ -0,0 +1,5 @@
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Permit the fchmod system call, to avoid crashing on startup when
+      starting with the seccomp2 sandbox and an unexpected set of permissions
+      on the data directory or its contents. Fixes bug 22516; bugfix on
+      0.2.5.4-alpha.
--- a/changes/bug22520
+++ b/changes/bug22520
@ -0,0 +1,5 @@
+  o Minor bugfixes (error reporting, windows):
+    - When formatting Windows error messages, use the English format
+      to avoid codepage issues. Fixes bug 22520; bugfix on
+      0.1.2.8-alpha. Patch from "Vort".
+
--- a/changes/bug22636
+++ b/changes/bug22636
@ -0,0 +1,8 @@
+ o Build features:
+   - Tor's repository now includes a Travis Continuous Integration (CI)
+     configuration file (.travis.yml). This is meant to help new developers and
+     contributors who fork Tor to a Github repository be better able to test
+     their changes, and understand what we expect to pass. To use this new build
+     feature, you must fork Tor to your Github account, then go into the
+     "Integrations" menu in the repository settings for your fork and enable
+     Travis, then push your changes.
--- a/changes/bug22644
+++ b/changes/bug22644
@ -0,0 +1,5 @@
+  o Minor bugfixes (controller):
+    - Do not crash when receiving a POSTDESCRIPTOR command with an
+      empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
+    - Do not crash when receiving a HSPOST command with an empty body.
+      Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
--- a/changes/bug22669
+++ b/changes/bug22669
@ -0,0 +1,4 @@
+  o Minor bugfixes (compression):
+    - When serving directory votes compressed with zlib,
+      do not claim to have compressed them with zstd. Fixes bug 22669;
+      bugfix on 0.3.1.1-alpha.
--- a/changes/bug22670
+++ b/changes/bug22670
@ -0,0 +1,4 @@
+  o Minor bugfixes (logging, compression):
+    - When decompressing, do not warn if we fail to decompress using a
+      compression method that we merely guessed. Fixes part of
+      bug 22670; bugfix on 0.1.1.14-alpha.
--- a/changes/bug22670_02
+++ b/changes/bug22670_02
@ -0,0 +1,4 @@
+  o Minor bugfixes (logging, compression):
+   - When decompressing, treat mismatch between content-encoding and
+      actual compression type as a protocol warning. Fixes part of bug
+      22670; bugfix on 0.1.1.9-alpha.
--- a/changes/bug22670_03
+++ b/changes/bug22670_03
@ -0,0 +1,6 @@
+  o Minor bugfixes (compression):
+    - When decompressing an object received over an anonymous directory
+      connection, if we have already successfully decompressed it using an
+      acceptable compression method, do not reject it for looking like an
+      unacceptable compression method. Fixes part of bug 22670; bugfix on
+      0.3.1.1-alpha.
--- a/changes/bug22672
+++ b/changes/bug22672
@ -0,0 +1,5 @@
+  o Minor features (compression, defensive programming):
+    - Detect and break out of infinite loops in our compression code.
+      We don't think that any such loops exist now, but it's best to be
+      safe. Closes ticket 22672.
+
--- a/changes/bug22702
+++ b/changes/bug22702
@ -0,0 +1,5 @@
+  o Major bugfixes (directory protocol):
+    - Ensure that we sent "304 Not modified" as HTTP status code when a
+      client is attempting to fetch a consensus or consensus diff that
+      matches the latest consensus we have available. Fixes bug 22702;
+      bugfix on 0.3.1.1-alpha.
--- a/changes/bug22719
+++ b/changes/bug22719
@ -0,0 +1,7 @@
+  o Minor bugfixes (compression):
+    - When spooling compressed data to an output buffer, don't try to
+      spool more data when there is no more data to spool and we are
+      not trying to flush the input. Previously, we would sometimes
+      launch compression requests with nothing to do, which interferes
+      with our 22672 checks. Fixes bug 22719; bugfix on 0.2.0.16-alpha.
+
--- a/changes/bug22720
+++ b/changes/bug22720
@ -0,0 +1,9 @@
+  o Minor bugfixes (process behavior):
+    - When exiting because of an error, always exit with a nonzero
+      exit status. Previously, we would fail to report an error in
+      our exit status in cases related to lockfile contention,
+      __OwningControllerProcess failure, and Ed25519 key
+      initialization.  Fixes bug 22720; bugfix on versions
+      0.2.1.6-alpha, 0.2.2.28-beta, and 0.2.7.2-alpha
+      respectively. Reported by "f55jwk4f"; patch from "huyvq".
+
--- a/changes/bug22737
+++ b/changes/bug22737
@ -0,0 +1,12 @@
+  o Minor bugfixes (defensive programming, undefined behavior):
+
+    - Fix a memset() off the end of an array when packing cells.  This
+      bug should be harmless in practice, since the corrupted bytes
+      are still in the same structure, and are always padding bytes,
+      ignored, or immediately overwritten, depending on compiler
+      behavior. Nevertheless, because the memset()'s purpose is to
+      make sure that any other cell-handling bugs can't expose bytes
+      to the network, we need to fix it. Fixes bug 22737; bugfix on
+      0.2.4.11-alpha. Fixes CID 1401591.
+
+
--- a/changes/bug22751
+++ b/changes/bug22751
@ -0,0 +1,5 @@
+  o Major bugfixes (compression):
+    - Fix crash in LZMA module, when the Sandbox is enabled, where
+      liblzma would allocate more than 16 MB of memory.  We solve this
+      by bumping the mprotect() limit in the Sandbox module from 16 MB
+      to 20 MB.  Fixes bug 22751; bugfix on 0.3.1.1-alpha.
--- a/changes/bug22752_simple
+++ b/changes/bug22752_simple
@ -0,0 +1,6 @@
+  o Major bugfixes (windows, directory cache):
+    - On windows, do not try to delete cached consensus documents and
+      diffs, until they unmapped from memory. Allow the diff storage
+      directory to grow larger in order to handle files that might
+      need to stay around longer.  Fixes bug 22752; bugfix on
+      0.3.1.1-alpha.
--- a/changes/bug22753
+++ b/changes/bug22753
@ -0,0 +1,7 @@
+  o Major bugfixes (path selection, security):
+    - When choosing which guard to use for a circuit, avoid the
+      exit's family along with the exit itself. Previously, the new
+      guard selection logic avoided the exit, but did not consider
+      its family.  Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked
+      as TROVE-2016-006 and CVE-2017-0377.
+
--- a/changes/bug22789
+++ b/changes/bug22789
@ -0,0 +1,7 @@
+  o Major bugfixes (openbsd, denial-of-service):
+    - Avoid an assertion failure bug affecting our implementation of
+      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
+      handling of "0xfoo" differs from what we had expected.
+      Fixes bug 22789; bugfix on 0.2.3.8-alpha. Also tracked as
+      TROVE-2017-007.
+
--- a/changes/bug22797
+++ b/changes/bug22797
@ -0,0 +1,4 @@
+  o Minor bugfixes (file limits):
+    - When setting the maximum number of connections allowed by the OS,
+      always allow some extra file descriptors for other files.
+      Fixes bug 22797; bugfix on 0.2.0.10-alpha.
--- a/changes/bug22801
+++ b/changes/bug22801
@ -0,0 +1,5 @@
+  o Minor bugfixes (compilation):
+    - When building with certain versions the mingw C header files, avoid
+      float-conversion warnings when calling the C functions isfinite(),
+      isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha.
+
--- a/changes/bug22803
+++ b/changes/bug22803
@ -0,0 +1,3 @@
+  o Minor bugfixes (unit tests):
+    - Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
+      Fixes bug 22803; bugfix on 0.3.0.1-alpha.
--- a/changes/bug22830
+++ b/changes/bug22830
@ -0,0 +1,5 @@
+ o Minor bugfixes:
+   - Fix a problem with Rust toolchains not being found when building
+     without --enable-cargo-online-mode, due to setting the $HOME
+     environment variable instead of $CARGO_HOME.  Fixes bug 22830;
+     fix by Chelsea Komlo.  Bugfix on 0.3.1.1-alpha.
--- a/changes/bug22883-config
+++ b/changes/bug22883-config
@ -0,0 +1,7 @@
+  o Minor features (directory cache, consensus diff):
+    - Add a new MaxConsensusAgeForDiffs option to allow directory cache
+      operators with low-resource environments to adjust the number of
+      consensuses they'll store and generate diffs from. Most cache operators
+      should leave it unchanged. Helps to work around bug 22883.
+
+
--- a/changes/bug22883-priority
+++ b/changes/bug22883-priority
@ -0,0 +1,8 @@
+  o Major bugfixes (relay, performance):
+
+    - Perform circuit handshake operations at a higher priority than we use
+      for consensus diff creation and compression. This should prevent
+      circuits from starving when a relay or bridge receive a new consensus,
+      especially on lower-powered machines. Fixes bug 22883; bugfix on
+      0.3.1.1-alpha.
+
--- a/changes/bug22892
+++ b/changes/bug22892
@ -0,0 +1,4 @@
+  o Minor bugfixes (compilation):
+    - Compile correctly when both openssl 1.1.0 and libscrypt are detected.
+      Previously this would cause an error. Fixes bug 22892; bugfix on 
+      0.3.1.1-alpha.
--- a/changes/bug22915
+++ b/changes/bug22915
@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation warnings):
+    - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
+      bugfix on 0.2.8.1-alpha.
--- a/changes/bug22916_027
+++ b/changes/bug22916_027
@ -0,0 +1,3 @@
+  o Minor bugfixes (Compilation):
+    - Fix warnings when building with libscrypt and openssl scrypt support
+      on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
--- a/changes/bug22927
+++ b/changes/bug22927
@ -0,0 +1,6 @@
+  o Minor bugfixes (compatibility, zstd):
+    - Write zstd epilogues correctly when the epilogue requires reallocation
+      of the output buffer, even with zstd 1.3.0. (Previously,
+      we worked on 1.2.0 and failed with 1.3.0).  Fixes bug 22927; bugfix on
+      0.3.1.1-alpha.
+
--- a/changes/bug23030_029
+++ b/changes/bug23030_029
@ -0,0 +1,7 @@
+  o Minor bugfixes (coverity builds):
+    - Avoid Coverity build warnings related to our BUG() macro. By
+      default, Coverity treats BUG() as the Linux kernel does: an
+      instant abort(). We need to override that so our BUG() macro
+      doesn't prevent Coverity from analyzing functions that use it.
+      Fixes bug 23030; bugfix on 0.2.9.1-alpha.
+
--- a/changes/bug23053
+++ b/changes/bug23053
@ -0,0 +1,5 @@
+  o Minor bugfixes (memory leak):
+    - Fix a small memory leak when validating a configuration that
+      uses two or more AF_UNIX sockets for the same port type.
+      Fixes bug 23053; bugfix on 0.2.6.3-alpha. This is CID
+      1415725.
--- a/changes/bug23071
+++ b/changes/bug23071
@ -0,0 +1,5 @@
+  o Minor bugfixes (tests):
+    - Port the hs_ntor handshake test to work correctly with recent
+      versions of the pysha3 module. Fixes bug 23071; bugfix on
+      0.3.1.1-alpha.
+
--- a/changes/bug23077
+++ b/changes/bug23077
@ -0,0 +1,4 @@
+  o Minor bugfixes (unit tests):
+    - Fix a channelpadding unit test failure on extremely slow systems
+      by using mocked time instead of actual time. Fixes bug 23077; bugfix on
+      0.3.1.1-alpha. 
--- a/changes/bug23078
+++ b/changes/bug23078
@ -0,0 +1,7 @@
+  o Minor bugfixes (logging, relay):
+    - Remove a log_warn() that has been forgotten when an introduction point
+      successfully established a hidden service prop224 circuit with a client.
+    - Three other log_warn() for an introduction point have been changed to
+      protocol warning because they can be failure from the network and are
+      not relevant to the operator. Fixes bug 23078; bugfix on
+      tor-0.3.0.1-alpha and tor-0.3.0.2-alpha.
--- a/changes/bug23081
+++ b/changes/bug23081
@ -0,0 +1,8 @@
+  o Minor bugfixes (Windows service):
+    - When running as a Windows service, set the ID of the main thread
+      correctly. Failure to do so made us fail to send log messages
+      to the controller in 0.2.1.16-rc, slowed down controller
+      event delivery in 0.2.7.3-rc and later, and crash with an assertion
+      failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha.
+      Patch and diagnosis from "Vort".
+
--- a/changes/bug23105-diagnostic
+++ b/changes/bug23105-diagnostic
@ -0,0 +1,4 @@
+  o Minor features (diagnostic):
+    - Add a stack trace to the bug warnings that can be logged when
+      trying to send an outgoing relay cell with n_chan == 0.
+      Diagnostic attempt for bug 23105.
--- a/changes/bug23139
+++ b/changes/bug23139
@ -0,0 +1,3 @@
+  o Minor bugfixes (directory cache):
+    - Fix a memory leak in the code that recovers space in the consensus
+      directory cache. Fixes bug 23139; bugfix on 0.3.1.1-alpha.
--- a/changes/bug23155
+++ b/changes/bug23155
@ -0,0 +1,4 @@
+  o Minor bugfixes (stability):
+    - Avoid crashing on double-free when unable to load or process
+      an included file. Fixes bug 23155; bugfix on 0.3.1.1-alpha.
+      Found with the clang static analyzer.
--- a/changes/bug23233
+++ b/changes/bug23233
@ -0,0 +1,4 @@
+  o Minor bugfixes (hidden service):
+    - Fix a BUG alert during HSv3 descriptor decoding that could trigger with a
+      specially crafted descriptor. Fixes bug #23233; bugfix on 0.3.0.1-alpha.
+      Bug found by "haxxpop".
--- a/changes/bug23275
+++ b/changes/bug23275
@ -0,0 +1,5 @@
+  o Minor bugfixes (relay):
+    - When a relay is not running as a directory cache, it will no longer
+      generate compressed consensuses and consensus diff information.
+      Previously, this was a waste of disk and CPU.  Fixes bug 23275;
+      bugfix on 0.3.1.1-alpha.
--- a/changes/bug23291
+++ b/changes/bug23291
@ -0,0 +1,3 @@
+  o Minor bugfixes (testing):
+    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291; bugfix on
+      0.2.7.2-alpha. Found and patched by Ties Stuij.
--- a/changes/bug23318
+++ b/changes/bug23318
@ -0,0 +1,11 @@
+  o Minor bugfixes (path selection):
+    - When selecting relays by bandwidth, avoid a rounding error that
+      could sometimes cause load to be imbalanced incorrectly. Previously,
+      we would always round upwards; now, we round towards the nearest
+      integer.  This had the biggest effect when a relay's weight adjustments
+      should have given it weight 0, but it got weight 1 instead.
+      Fixes bug 23318; bugfix on 0.2.4.3-alpha.
+    - When calculating the fraction of nodes that have descriptors, and all
+      all nodes in the network have zero bandwidths, count the number of nodes
+      instead.
+      Fixes bug 23318; bugfix on 0.2.4.10-alpha.
--- a/changes/bug23470
+++ b/changes/bug23470
@ -0,0 +1,6 @@
+  o Minor bugfix (relay address resolution):
+    - Avoid unnecessary calls to directory_fetches_from_authorities()
+      on relays. This avoids spurious address resolutions and
+      descriptor rebuilds. This is a mitigation for 21789. The original
+      bug was introduced in commit 35bbf2e as part of prop210.
+      Fixes 23470 in 0.2.8.1-alpha.
--- a/changes/bug23533
+++ b/changes/bug23533
@ -0,0 +1,4 @@
+  o Minor bugfixes (relay):
+    - Inform the geoip and rephist modules about all requests, even
+      on relays that are only fetching microdescriptors. Fixes a bug related
+      to 21585; bugfix on 0.3.0.1-alpha.
--- a/changes/bug23551
+++ b/changes/bug23551
@ -0,0 +1,3 @@
+  o Minor bugfixes (compression):
+    - Handle a pathological case when decompressing Zstandard data when the
+      output buffer size is zero. Fixes bug 23551; bugfix on 0.3.1.1-alpha.
--- a/changes/bug23568
+++ b/changes/bug23568
@ -0,0 +1,4 @@
+  o Minor bugfixes (compilation):
+    - Fix a compilation warning when building with zstd support
+      on 32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha.
+      Found and fixed by Andreas Stieger.
--- a/changes/bug23608
+++ b/changes/bug23608
@ -0,0 +1,4 @@
+  o Minor bugfixes (unit tests):
+    - Fix additional channelpadding unit test failures by using mocked time
+      instead of actual time for all tests. Fixes bug 23608;
+      bugfix on 0.3.1.1-alpha.
--- a/changes/bug23610
+++ b/changes/bug23610
@ -0,0 +1,4 @@
+  o Minor bugfixes (hidden service, relay):
+    - Avoid a possible double close of a circuit by the intro point on error
+      of sending the INTRO_ESTABLISHED cell. Fixes ticket 23610; bugfix on
+      0.3.0.1-alpha.
--- a/changes/bug23690
+++ b/changes/bug23690
@ -0,0 +1,5 @@
+  o Major bugfixes (relay, crash, assertion failure):
+    - Fix a timing-based assertion failure that could occur when the
+      circuit out-of-memory handler freed a connection's output buffer.
+      Fixes bug 23690; bugfix on 0.2.6.1-alpha.
+
--- a/changes/bug23693
+++ b/changes/bug23693
@ -0,0 +1,6 @@
+  o Minor bugfixes (relay, crash):
+    - Avoid a crash when transitioning from client mode to bridge mode.
+      Previously, we would launch the worker threads whenever our "public
+      server" mode changed, but not when our "server" mode changed.
+      Fixes bug 23693; bugfix on 0.2.6.3-alpha.
+
--- a/changes/bug23693.1
+++ b/changes/bug23693.1
@ -0,0 +1,4 @@
+  o Minor bugfixes (relay, crash):
+    - Avoid a crash when running with DirPort set but ORPort tuned off.
+      Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha.
+
--- a/changes/bug23817
+++ b/changes/bug23817
@ -0,0 +1,3 @@
+  o Minor bugfixes (descriptors):
+    - Don't try fetching microdescriptors from relays that have failed to
+      deliver them in the past. Fixes bug 23817; bugfix on 0.3.0.1-alpha.
--- a/changes/bug23862
+++ b/changes/bug23862
@ -0,0 +1,5 @@
+  o Minor bugfixes (entry guards):
+    - Tor now updates its guard state when it reads a consensus regardless of
+      whether it's missing descriptors. That makes tor use its primary guards
+      to fetch descriptors in some edge cases where it would have used fallback
+      directories in the past. Fixes bug 23862; bugfix on 0.3.0.1-alpha.
--- a/changes/bug23874
+++ b/changes/bug23874
@ -0,0 +1,3 @@
+  o Minor bugfixes (memory safety):
+    - Clear the address when node_get_prim_orport() returns early.
+      Fixes bug 23874; bugfix on 0.2.8.2-alpha.
--- a/changes/bug23908
+++ b/changes/bug23908
@ -0,0 +1,3 @@
+  o Minor bugfixes (directory authority, backport from 0.3.2.1-alpha):
+    - Remove the length limit on HTTP status lines that authorities can send
+      in their replies. Fixes bug 23499; bugfix on 0.3.1.6-rc.
--- a/changes/bug23985
+++ b/changes/bug23985
@ -0,0 +1,9 @@
+  o Minor bugfixes (bootstrapping):
+    - Fetch descriptors aggressively whenever we lack enough
+      to build circuits, regardless of how many descriptors we are missing.
+      Previously, we would delay launching the fetch when we had fewer than
+      15 missing descriptors, even if some of those descriptors were
+      blocking circuits from building. Fixes bug 23985; bugfix on
+      0.1.1.11-alpha. The effects of this bug became worse in 0.3.0.3-alpha,
+      when we began treating missing descriptors from our primary guards
+      as a reason to delay circuits.
--- a/changes/bug24086
+++ b/changes/bug24086
@ -0,0 +1,7 @@
+  o Minor bugfixes (directory cache):
+    - When a consensus diff calculation is only partially successful, only
+      record the successful parts as having succeeded. Partial success
+      can happen if (for example) one compression method fails but
+      the others succeed. Previously we misrecorded all the calculations as
+      having succeeded, which would later cause a nonfatal assertion failure.
+      Fixes bug 24086; bugfix on 0.3.1.1-alpha.
--- a/changes/bug24099
+++ b/changes/bug24099
@ -0,0 +1,4 @@
+  o Minor bugfixes (directory cache):
+    - Recover better from empty or corrupt files in the consensus cache
+      directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
+
--- a/changes/bug24167
+++ b/changes/bug24167
@ -0,0 +1,7 @@
+  o Minor bugfixes (network layer):
+    - When closing a connection via close_connection_immediately(), we
+      mark it as "not blocked on bandwidth", to prevent later calls
+      from trying to unblock it, and give it permission to read. This
+      fixes a backtrace warning that can happen on relays under various
+      circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
+
--- a/changes/bug24170
+++ b/changes/bug24170
@ -0,0 +1,3 @@
+  o Minor bugfixes (path selection):
+    - Actually log the total bandwidth in compute_weighted_bandwidths().
+      Fixes bug 24170; bugfix on 0.2.4.3-alpha.
--- a/changes/bug24198
+++ b/changes/bug24198
@ -0,0 +1,4 @@
+  o Minor bugfixes (controller, linux seccomp2 sandbox):
+    - Avoid a crash when attempting to use the seccomp2 sandbox
+      together with the OwningControllerProcess feature.
+      Fixes bug 24198; bugfix on 0.2.5.1-alpha.
--- a/changes/bug24262
+++ b/changes/bug24262
@ -0,0 +1,3 @@
+  o Minor bugfixes (hidden service):
+    - Fix the consensus parameter "hsdir-interval" to "hsdir_interval" so it
+      matches the dir-spec.txt. Fixes bug 24262; bugfix on 0.3.1.1-alpha.
--- a/changes/bug24313
+++ b/changes/bug24313
@ -0,0 +1,5 @@
+  o Major bugfixes (security, hidden service v2):
+    - Fix a use-after-free error that could crash v2 Tor hidden services
+      when it failed to open circuits while expiring introductions
+      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha.  This
+      issue is also tracked as TROVE-2017-013 and CVE-2017-8823.
--- a/changes/bug24480
+++ b/changes/bug24480
@ -0,0 +1,3 @@
+  o Minor bugfixes (compilation):
+    - Fix a signed/unsigned comparison warning introduced by our
+      fix to TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
--- a/changes/bug24633
+++ b/changes/bug24633
@ -0,0 +1,5 @@
+  o Minor bugfixes (portability, msvc):
+    - Fix a bug in the bit-counting parts of our timing-wheel code on
+      MSVC. (Note that MSVC is still not a supported build platform,
+      due to cyptographic timing channel risks.) Fixes bug 24633;
+      bugfix on 0.2.9.1-alpha.
--- a/changes/bug24666
+++ b/changes/bug24666
@ -0,0 +1,7 @@
+  o Minor bugfixes (memory usage):
+
+    - When queuing DESTROY cells on a channel, only queue the
+      circuit-id and reason fields: not the entire 514-byte
+      cell. This fix should help mitigate any bugs or attacks that
+      fill up these queues, and free more RAM for other uses. Fixes
+      bug 24666; bugfix on 0.2.5.1-alpha.
--- a/changes/bug24736
+++ b/changes/bug24736
@ -0,0 +1,6 @@
+  o Minor bugfixes (address selection):
+    - When the fascist_firewall_choose_address_ functions don't find a
+      reachable address, set the returned address to the null address and port.
+      This is a precautionary measure, because some callers do not check the
+      return value.
+      Fixes bug 24736; bugfix on 0.2.8.2-alpha.
--- a/changes/bug24826_031
+++ b/changes/bug24826_031
@ -0,0 +1,4 @@
+  o Minor bugfixes (performance, fragile-hardening):
+    - Improve the performance of our consensus-diff application code when Tor
+      is built with the --enable-fragile-hardening option set. Fixes bug
+      24826; bugfix on  0.3.1.1-alpha.
--- a/changes/bug24854
+++ b/changes/bug24854
@ -0,0 +1,3 @@
+  o Code simplification and refactoring:
+    - Move the list of default directory authorities to their own file for
+      inclusion using the C preprocessor. Closes ticket 24854. Patch by "beastr0".
--- a/changes/bug24859
+++ b/changes/bug24859
@ -0,0 +1,4 @@
+  o Minor bugfixes (logging):
+    - Don't treat inability to store a cached consensus object as a
+      bug: it can happen normally when we are out of disk space.
+      Fixes bug 24859; bugfix on 0.3.1.1-alpha.
--- a/changes/bug24895
+++ b/changes/bug24895
@ -0,0 +1,8 @@
+  o Major bugfixes (onion services):
+    - Fix an "off by 2" error in counting rendezvous failures on the onion
+      service side. While we thought we would stop the rendezvous attempt
+      after one failed circuit, we were actually making three circuit attempts
+      before giving up. Now switch to a default of 2, and allow the consensus
+      parameter "hs_service_max_rdv_failures" to override. Fixes bug 24895;
+      bugfix on 0.0.6.
+
--- a/changes/bug24898
+++ b/changes/bug24898
@ -0,0 +1,8 @@
+  o Major bugfixes (relays):
+    - Fix a set of false positives where relays would consider connections
+      to other relays as being client-only connections (and thus e.g.
+      deserving different link padding schemes) if those relays fell out
+      of the consensus briefly. Now we look only at the initial handshake
+      and whether the connection authenticated as a relay. Fixes bug
+      24898; bugfix on 0.3.1.1-alpha.
+
--- a/changes/bug24898-029
+++ b/changes/bug24898-029
@ -0,0 +1,6 @@
+  o Minor bugfixes (relay):
+    - Make the internal channel_is_client() function look at what sort
+      of connection handshake the other side used, rather than whether
+      the other side ever sent a create_fast cell to us. Backports part
+      of the fixes from bugs 22805 and 24898.
+
--- a/changes/bug24952
+++ b/changes/bug24952
@ -0,0 +1,5 @@
+  o Minor bugfix (channel connection):
+    - The accurate address of a connection is real_addr, not the addr member.
+      TLS Channel remote address is now real_addr content instead of addr
+      member. Fixes bug 24952; bugfix on 707c1e2e26 in 0.2.4.11-alpha.
+      Patch by "ffmancera".
--- a/Show More
+++ b/Show More