diff options
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 816 |
1 files changed, 814 insertions, 2 deletions
@@ -1,3 +1,815 @@ +Changes in version 0.2.5.1-alpha - 2013-10-02 + Tor 0.2.5.1-alpha introduces experimental support for syscall sandboxing + on Linux, allows bridges that offer pluggable transports to report usage + statistics, fixes many issues to make testing easier, and provides + a pile of minor features and bugfixes that have been waiting for a + release of the new branch. + + This is the first alpha release in a new series, so expect there to + be bugs. Users who would rather test out a more stable branch should + stay with 0.2.4.x for now. + + o Major features (security): + - Use the seccomp2 syscall filtering facility on Linux to limit + which system calls Tor can invoke. This is an experimental, + Linux-only feature to provide defense-in-depth against unknown + attacks. To try turning it on, set "Sandbox 1" in your torrc + file. Please be ready to report bugs. We hope to add support + for better sandboxing in the future, including more fine-grained + filters, better division of responsibility, and support for more + platforms. This work has been done by Cristian-Matei Toader for + Google Summer of Code. + - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later. + Resolves ticket 6055. (OpenSSL before 1.0.1 didn't have TLS 1.1 or + 1.2, and OpenSSL from 1.0.1 through 1.0.1d had bugs that prevented + renegotiation from working with TLS 1.1 or 1.2, so we had disabled + them to solve bug 6033.) + + o Major features (other): + - Add support for passing arguments to managed pluggable transport + proxies. Implements ticket 3594. + - Bridges now track GeoIP information and the number of their users + even when pluggable transports are in use, and report usage + statistics in their extra-info descriptors. Resolves tickets 4773 + and 5040. + - Make testing Tor networks bootstrap better: lower directory fetch + retry schedules and maximum interval without directory requests, + and raise maximum download tries. Implements ticket 6752. + - Add make target 'test-network' to run tests on a Chutney network. + Implements ticket 8530. + - The ntor handshake is now on-by-default, no matter what the + directory authorities recommend. Implements ticket 8561. + + o Major bugfixes: + - Instead of writing destroy cells directly to outgoing connection + buffers, queue them and intersperse them with other outgoing cells. + This can prevent a set of resource starvation conditions where too + many pending destroy cells prevent data cells from actually getting + delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912; + bugfix on 0.2.0.1-alpha. + - If we are unable to save a microdescriptor to the journal, do not + drop it from memory and then reattempt downloading it. Fixes bug + 9645; bugfix on 0.2.2.6-alpha. + - The new channel code sometimes lost track of in-progress circuits, + causing long-running clients to stop building new circuits. The + fix is to always call circuit_n_chan_done(chan, 0) from + channel_closed(). Fixes bug 9776; bugfix on 0.2.4.17-rc. + + o Build features: + - Tor now builds each source file in two modes: a mode that avoids + exposing identifiers needlessly, and another mode that exposes + more identifiers for testing. This lets the compiler do better at + optimizing the production code, while enabling us to take more + radical measures to let the unit tests test things. + - The production builds no longer include functions used only in + the unit tests; all functions exposed from a module only for + unit-testing are now static in production builds. + - Add an --enable-coverage configuration option to make the unit + tests (and a new src/or/tor-cov target) to build with gcov test + coverage support. + + o Testing: + - We now have rudimentary function mocking support that our unit + tests can use to test functions in isolation. Function mocking + lets the tests temporarily replace a function's dependencies with + stub functions, so that the tests can check the function without + invoking the other functions it calls. + - Add more unit tests for the <circid,channel>->circuit map, and + the destroy-cell-tracking code to fix bug 7912. + - Unit tests for failing cases of the TAP onion handshake. + - More unit tests for address-manipulation functions. + + o Minor features (protecting client timestamps): + - Clients no longer send timestamps in their NETINFO cells. These were + not used for anything, and they provided one small way for clients + to be distinguished from each other as they moved from network to + network or behind NAT. Implements part of proposal 222. + - Clients now round timestamps in INTRODUCE cells down to the nearest + 10 minutes. If a new Support022HiddenServices option is set to 0, or + if it's set to "auto" and the feature is disabled in the consensus, + the timestamp is sent as 0 instead. Implements part of proposal 222. + - Stop sending timestamps in AUTHENTICATE cells. This is not such + a big deal from a security point of view, but it achieves no actual + good purpose, and isn't needed. Implements part of proposal 222. + - Reduce down accuracy of timestamps in hidden service descriptors. + Implements part of proposal 222. + + o Minor features (config options): + - Config (torrc) lines now handle fingerprints which are missing + their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5. + - Support a --dump-config option to print some or all of the + configured options. Mainly useful for debugging the command-line + option parsing code. Helps resolve ticket 4647. + - Raise awareness of safer logging: notify user of potentially + unsafe config options, like logging more verbosely than severity + "notice" or setting SafeLogging to 0. Resolves ticket 5584. + - Add a new configuration option TestingV3AuthVotingStartOffset + that bootstraps a network faster by changing the timing for + consensus votes. Addresses ticket 8532. + - Add a new torrc option "ServerTransportOptions" that allows + bridge operators to pass configuration parameters to their + pluggable transports. Resolves ticket 8929. + - The config (torrc) file now accepts bandwidth and space limits in + bits as well as bytes. (Anywhere that you can say "2 Kilobytes", + you can now say "16 kilobits", and so on.) Resolves ticket 9214. + Patch by CharlieB. + + o Minor features (build): + - Add support for `--library-versions` flag. Implements ticket 6384. + - Return the "unexpected sendme" warnings to a warn severity, but make + them rate limited, to help diagnose ticket 8093. + - Detect a missing asciidoc, and warn the user about it, during + configure rather than at build time. Fixes issue 6506. Patch from + Arlo Breault. + + o Minor features (other): + - Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking + sockets in a single system call. Implements ticket 5129. + - Log current accounting state (bytes sent and received + remaining + time for the current accounting period) in the relay's heartbeat + message. Implements ticket 5526; patch from Peter Retzlaff. + - Implement the TRANSPORT_LAUNCHED control port event that + notifies controllers about new launched pluggable + transports. Resolves ticket 5609. + - If we're using the pure-C 32-bit curve25519_donna implementation + of curve25519, build it with the -fomit-frame-pointer option to + make it go faster on register-starved hosts. This improves our + handshake performance by about 6% on i386 hosts without nacl. + Closes ticket 8109. + - Update to the September 4 2013 Maxmind GeoLite Country database. + + o Minor bugfixes: + - Set the listen() backlog limit to the largest actually supported + on the system, not to the value in a header file. Fixes bug 9716; + bugfix on every released Tor. + - No longer accept malformed http headers when parsing urls from + headers. Now we reply with Bad Request ("400"). Fixes bug 2767; + bugfix on 0.0.6pre1. + - In munge_extrainfo_into_routerinfo(), check the return value of + memchr(). This would have been a serious issue if we ever passed + it a non-extrainfo. Fixes bug 8791; bugfix on 0.2.0.6-alpha. Patch + from Arlo Breault. + - On the chance that somebody manages to build Tor on a + platform where time_t is unsigned, correct the way that + microdesc_add_to_cache() handles negative time arguments. + Fixes bug 8042; bugfix on 0.2.3.1-alpha. + - Reject relative control socket paths and emit a warning. Previously, + single-component control socket paths would be rejected, but Tor + would not log why it could not validate the config. Fixes bug 9258; + bugfix on 0.2.3.16-alpha. + + o Minor bugfixes (command line): + - Use a single command-line parser for parsing torrc options on the + command line and for finding special command-line options to avoid + inconsistent behavior for torrc option arguments that have the same + names as command-line options. Fixes bugs 4647 and 9578; bugfix on + 0.0.9pre5. + - No longer allow 'tor --hash-password' with no arguments. Fixes bug + 9573; bugfix on 0.0.9pre5. + + o Minor fixes (build, auxiliary programs): + - Stop preprocessing the "torify" script with autoconf, since + it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch + from Guilhem. + - The tor-fw-helper program now follows the standard convention and + exits with status code "0" on success. Fixes bug 9030; bugfix on + 0.2.3.1-alpha. Patch by Arlo Breault. + - Corrected ./configure advice for what openssl dev package you should + install on Debian. Fixes bug 9207; bugfix on 0.2.0.1-alpha. + + o Minor code improvements: + - Remove constants and tests for PKCS1 padding; it's insecure and + shouldn't be used for anything new. Fixes bug 8792; patch + from Arlo Breault. + - Remove instances of strcpy() from the unit tests. They weren't + hurting anything, since they were only in the unit tests, but it's + embarassing to have strcpy() in the code at all, and some analysis + tools don't like it. Fixes bug 8790; bugfix on 0.2.3.6-alpha and + 0.2.3.8-alpha. Patch from Arlo Breault. + + o Removed features: + - Remove migration code from when we renamed the "cached-routers" + file to "cached-descriptors" back in 0.2.0.8-alpha. This + incidentally resolves ticket 6502 by cleaning up the related code + a bit. Patch from Akshay Hebbar. + + o Code simplification and refactoring: + - Extract the common duplicated code for creating a subdirectory + of the data directory and writing to a file in it. Fixes ticket + 4282; patch from Peter Retzlaff. + - Since OpenSSL 0.9.7, the i2d_*() functions support allocating output + buffer. Avoid calling twice: i2d_RSAPublicKey(), i2d_DHparams(), + i2d_X509(), and i2d_PublicKey(). Resolves ticket 5170. + - Add a set of accessor functions for the circuit timeout data + structure. Fixes ticket 6153; patch from "piet". + - Clean up exit paths from connection_listener_new(). Closes ticket + 8789. Patch from Arlo Breault. + - Since we rely on OpenSSL 0.9.8 now, we can use EVP_PKEY_cmp() + and drop our own custom pkey_eq() implementation. Fixes bug 9043. + - Use a doubly-linked list to implement the global circuit list. + Resolves ticket 9108. Patch from Marek Majkowski. + - Remove contrib/id_to_fp.c since it wasn't used anywhere. + + +Changes in version 0.2.4.17-rc - 2013-09-05 + Tor 0.2.4.17-rc is the third release candidate for the Tor 0.2.4.x + series. It adds an emergency step to help us tolerate the massive + influx of users: 0.2.4 clients using the new (faster and safer) "NTor" + circuit-level handshakes now effectively jump the queue compared to + the 0.2.3 clients using "TAP" handshakes. This release also fixes a + big bug hindering bridge reachability tests. + + o Major features: + - Relays now process the new "NTor" circuit-level handshake requests + with higher priority than the old "TAP" circuit-level handshake + requests. We still process some TAP requests to not totally starve + 0.2.3 clients when NTor becomes popular. A new consensus parameter + "NumNTorsPerTAP" lets us tune the balance later if we need to. + Implements ticket 9574. + + o Major bugfixes: + - If the circuit build timeout logic is disabled (via the consensus, + or because we are an authority), then don't build testing circuits. + Fixes bug 9657; bugfix on 0.2.2.14-alpha. + - Bridges now send AUTH_CHALLENGE cells during their v3 handshakes; + previously they did not, which prevented them from receiving + successful connections from relays for self-test or bandwidth + testing. Also, when a relay is extending a circuit to a bridge, + it needs to send a NETINFO cell, even when the bridge hasn't sent + an AUTH_CHALLENGE cell. Fixes bug 9546; bugfix on 0.2.3.6-alpha. + - If the time to download the next old-style networkstatus is in + the future, do not decline to consider whether to download the + next microdescriptor networkstatus. Fixes bug 9564; bugfix on + 0.2.3.14-alpha. + + o Minor bugfixes: + - Avoid double-closing the listener socket in our socketpair() + replacement (used on Windows) in the case where the addresses on + our opened sockets don't match what we expected. Fixes bug 9400; + bugfix on 0.0.2pre7. Found by Coverity. + + o Minor fixes (config options): + - Avoid overflows when the user sets MaxCircuitDirtiness to a + ridiculously high value, by imposing a (ridiculously high) 30-day + maximum on MaxCircuitDirtiness. + - Fix the documentation of HeartbeatPeriod to say that the heartbeat + message is logged at notice, not at info. + - Warn and fail if a server is configured not to advertise any + ORPorts at all. (We need *something* to put in our descriptor, + or we just won't work.) + + o Minor features: + - Track how many "TAP" and "NTor" circuit handshake requests we get, + and how many we complete, and log it every hour to help relay + operators follow trends in network load. Addresses ticket 9658. + - Update to the August 7 2013 Maxmind GeoLite Country database. + + +Changes in version 0.2.4.16-rc - 2013-08-10 + Tor 0.2.4.16-rc is the second release candidate for the Tor 0.2.4.x + series. It fixes several crash bugs in the 0.2.4 branch. + + o Major bugfixes: + - Fix a bug in the voting algorithm that could yield incorrect results + when a non-naming authority declared too many flags. Fixes bug 9200; + bugfix on 0.2.0.3-alpha. + - Fix an uninitialized read that could in some cases lead to a remote + crash while parsing INTRODUCE2 cells. Bugfix on 0.2.4.1-alpha. + Anybody running a hidden service on the experimental 0.2.4.x + branch should upgrade. (This is, so far as we know, unrelated to + the recent news.) + - Avoid an assertion failure when processing DNS replies without the + answer types we expected. Fixes bug 9337; bugfix on 0.2.4.7-alpha. + - Avoid a crash when using --hash-password. Fixes bug 9295; bugfix on + 0.2.4.15-rc. Found by stem integration tests. + + o Minor bugfixes: + - Fix an invalid memory read that occured when a pluggable + transport proxy failed its configuration protocol. + Fixes bug 9288; bugfix on 0.2.4.1-alpha. + - When evaluating whether to use a connection that we haven't + decided is canonical using a recent link protocol version, + decide that it's canonical only if it used address _does_ + match the desired address. Fixes bug 9309; bugfix on + 0.2.4.4-alpha. Reported by skruffy. + - Make the default behavior of NumDirectoryGuards be to track + NumEntryGuards. Now a user who changes only NumEntryGuards will get + the behavior she expects. Fixes bug 9354; bugfix on 0.2.4.8-alpha. + - Fix a spurious compilation warning with some older versions of + GCC on FreeBSD. Fixes bug 9254; bugfix on 0.2.4.14-alpha. + + o Minor features: + - Update to the July 3 2013 Maxmind GeoLite Country database. + + +Changes in version 0.2.4.15-rc - 2013-07-01 + Tor 0.2.4.15-rc is the first release candidate for the Tor 0.2.4.x + series. It fixes a few smaller bugs, but generally appears stable. + Please test it and let us know whether it is! + + o Major bugfixes: + - When receiving a new configuration file via the control port's + LOADCONF command, do not treat the defaults file as absent. + Fixes bug 9122; bugfix on 0.2.3.9-alpha. + + o Minor features: + - Issue a warning when running with the bufferevents backend enabled. + It's still not stable, and people should know that they're likely + to hit unexpected problems. Closes ticket 9147. + + +Changes in version 0.2.4.14-alpha - 2013-06-18 + Tor 0.2.4.14-alpha fixes a pair of client guard enumeration problems + present in 0.2.4.13-alpha. + + o Major bugfixes: + - When we have too much memory queued in circuits (according to a new + MaxMemInCellQueues option), close the circuits consuming the most + memory. This prevents us from running out of memory as a relay if + circuits fill up faster than they can be drained. Fixes bug 9063; + bugfix on the 54th commit of Tor. This bug is a further fix beyond + bug 6252, whose fix was merged into 0.2.3.21-rc. + + This change also fixes an earlier approach taken in 0.2.4.13-alpha, + where we tried to solve this issue simply by imposing an upper limit + on the number of queued cells for a single circuit. That approach + proved to be problematic, since there are ways to provoke clients to + send a number of cells in excess of any such reasonable limit. Fixes + bug 9072; bugfix on 0.2.4.13-alpha. + + - Limit hidden service descriptors to at most ten introduction + points, to slow one kind of guard enumeration. Fixes bug 9002; + bugfix on 0.1.1.11-alpha. + + +Changes in version 0.2.4.13-alpha - 2013-06-14 + Tor 0.2.4.13-alpha fixes a variety of potential remote crash + vulnerabilities, makes socks5 username/password circuit isolation + actually actually work (this time for sure!), and cleans up a bunch + of other issues in preparation for a release candidate. + + o Major bugfixes (robustness): + - Close any circuit that has too many cells queued on it. Fixes + bug 9063; bugfix on the 54th commit of Tor. This bug is a further + fix beyond bug 6252, whose fix was merged into 0.2.3.21-rc. + - Prevent the get_freelists() function from running off the end of + the list of freelists if it somehow gets an unrecognized + allocation. Fixes bug 8844; bugfix on 0.2.0.16-alpha. Reported by + eugenis. + - Avoid an assertion failure on OpenBSD (and perhaps other BSDs) + when an exit connection with optimistic data succeeds immediately + rather than returning EINPROGRESS. Fixes bug 9017; bugfix on + 0.2.3.1-alpha. + - Fix a directory authority crash bug when building a consensus + using an older consensus as its basis. Fixes bug 8833. Bugfix + on 0.2.4.12-alpha. + + o Major bugfixes: + - Avoid a memory leak where we would leak a consensus body when we + find that a consensus which we couldn't previously verify due to + missing certificates is now verifiable. Fixes bug 8719; bugfix + on 0.2.0.10-alpha. + - We used to always request authority certificates by identity digest, + meaning we'd get the newest one even when we wanted one with a + different signing key. Then we would complain about being given + a certificate we already had, and never get the one we really + wanted. Now we use the "fp-sk/" resource as well as the "fp/" + resource to request the one we want. Fixes bug 5595; bugfix on + 0.2.0.8-alpha. + - Follow the socks5 protocol when offering username/password + authentication. The fix for bug 8117 exposed this bug, and it + turns out real-world applications like Pidgin do care. Bugfix on + 0.2.3.2-alpha; fixes bug 8879. + - Prevent failures on Windows Vista and later when rebuilding the + microdescriptor cache. Diagnosed by Robert Ransom. Fixes bug 8822; + bugfix on 0.2.4.12-alpha. + + o Minor bugfixes: + - Fix an impossible buffer overrun in the AES unit tests. Fixes + bug 8845; bugfix on 0.2.0.7-alpha. Found by eugenis. + - If for some reason we fail to write a microdescriptor while + rebuilding the cache, do not let the annotations from that + microdescriptor linger in the cache file, and do not let the + microdescriptor stay recorded as present in its old location. + Fixes bug 9047; bugfix on 0.2.2.6-alpha. + - Fix a memory leak that would occur whenever a configuration + option changed. Fixes bug 8718; bugfix on 0.2.3.3-alpha. + - Paste the description for PathBias parameters from the man + page into or.h, so the code documents them too. Fixes bug 7982; + bugfix on 0.2.3.17-beta and 0.2.4.8-alpha. + - Relays now treat a changed IPv6 ORPort as sufficient reason to + publish an updated descriptor. Fixes bug 6026; bugfix on + 0.2.4.1-alpha. + - When launching a resolve request on behalf of an AF_UNIX control + socket, omit the address field of the new entry connection, used in + subsequent controller events, rather than letting tor_dup_addr() + set it to "<unknown address type>". Fixes bug 8639; bugfix on + 0.2.4.12-alpha. + + o Minor bugfixes (log messages): + - Fix a scaling issue in the path bias accounting code that + resulted in "Bug:" log messages from either + pathbias_scale_close_rates() or pathbias_count_build_success(). + This represents a bugfix on a previous bugfix: the original fix + attempted in 0.2.4.10-alpha was incomplete. Fixes bug 8235; bugfix + on 0.2.4.1-alpha. + - Give a less useless error message when the user asks for an IPv4 + address on an IPv6-only port, or vice versa. Fixes bug 8846; bugfix + on 0.2.4.7-alpha. + + o Minor features: + - Downgrade "unexpected SENDME" warnings to protocol-warn for 0.2.4.x, + to tolerate bug 8093 for now. + - Add an "ignoring-advertised-bws" boolean to the flag-threshold lines + in directory authority votes to describe whether they have enough + measured bandwidths to ignore advertised (relay descriptor) + bandwidth claims. Resolves ticket 8711. + - Update to the June 5 2013 Maxmind GeoLite Country database. + + o Removed documentation: + - Remove some of the older contents of doc/ as obsolete; move others + to torspec.git. Fixes bug 8965. + + o Code simplification and refactoring: + - Avoid using character buffers when constructing most directory + objects: this approach was unwieldy and error-prone. Instead, + build smartlists of strings, and concatenate them when done. + + +Changes in version 0.2.4.12-alpha - 2013-04-18 + Tor 0.2.4.12-alpha moves Tor forward on several fronts: it starts the + process for lengthening the guard rotation period, makes directory + authority opinions in the consensus a bit less gameable, makes socks5 + username/password circuit isolation actually work, and fixes a wide + variety of other issues. + + o Major features: + - Raise the default time that a client keeps an entry guard from + "1-2 months" to "2-3 months", as suggested by Tariq Elahi's WPES + 2012 paper. (We would make it even longer, but we need better client + load balancing first.) Also, make the guard lifetime controllable + via a new GuardLifetime torrc option and a GuardLifetime consensus + parameter. Start of a fix for bug 8240; bugfix on 0.1.1.11-alpha. + - Directory authorities now prefer using measured bandwidths to + advertised ones when computing flags and thresholds. Resolves + ticket 8273. + - Directory authorities that have more than a threshold number + of relays with measured bandwidths now treat relays with unmeasured + bandwidths as having bandwidth 0. Resolves ticket 8435. + + o Major bugfixes (assert / resource use): + - Avoid a bug where our response to TLS renegotiation under certain + network conditions could lead to a busy-loop, with 100% CPU + consumption. Fixes bug 5650; bugfix on 0.2.0.16-alpha. + - Avoid an assertion when we discover that we'd like to write a cell + onto a closing connection: just discard the cell. Fixes another + case of bug 7350; bugfix on 0.2.4.4-alpha. + + o Major bugfixes (client-side privacy): + - When we mark a circuit as unusable for new circuits, have it + continue to be unusable for new circuits even if MaxCircuitDirtiness + is increased too much at the wrong time, or the system clock jumps + backwards. Fixes bug 6174; bugfix on 0.0.2pre26. + - If ClientDNSRejectInternalAddresses ("do not believe DNS queries + which have resolved to internal addresses") is set, apply that + rule to IPv6 as well. Fixes bug 8475; bugfix on 0.2.0.7-alpha. + - When an exit relay rejects a stream with reason "exit policy", but + we only know an exit policy summary (e.g. from the microdesc + consensus) for it, do not mark the relay as useless for all exiting. + Instead, mark just the circuit as unsuitable for that particular + address. Fixes part of bug 7582; bugfix on 0.2.3.2-alpha. + - Allow applications to get proper stream isolation with + IsolateSOCKSAuth. Many SOCKS5 clients that want to offer + username/password authentication also offer "no authentication". Tor + had previously preferred "no authentication", so the applications + never actually sent Tor their auth details. Now Tor selects + username/password authentication if it's offered. You can disable + this behavior on a per-SOCKSPort basis via PreferSOCKSNoAuth. Fixes + bug 8117; bugfix on 0.2.3.3-alpha. + + o Major bugfixes (other): + - When unable to find any working directory nodes to use as a + directory guard, give up rather than adding the same non-working + nodes to the directory guard list over and over. Fixes bug 8231; + bugfix on 0.2.4.8-alpha. + + o Minor features: + - Reject as invalid most directory objects containing a NUL. + Belt-and-suspender fix for bug 8037. + - In our testsuite, create temporary directories with a bit more + entropy in their name to make name collisions less likely. Fixes + bug 8638. + - Add CACHED keyword to ADDRMAP events in the control protocol + to indicate whether a DNS result will be cached or not. Resolves + ticket 8596. + - Update to the April 3 2013 Maxmind GeoLite Country database. + + o Minor features (build): + - Detect and reject attempts to build Tor with threading support + when OpenSSL has been compiled without threading support. + Fixes bug 6673. + - Clarify that when autoconf is checking for nacl, it is checking + specifically for nacl with a fast curve25519 implementation. + Fixes bug 8014. + - Warn if building on a platform with an unsigned time_t: there + are too many places where Tor currently assumes that time_t can + hold negative values. We'd like to fix them all, but probably + some will remain. + + o Minor bugfixes (build): + - Fix some bugs in tor-fw-helper-natpmp when trying to build and + run it on Windows. More bugs likely remain. Patch from Gisle Vanem. + Fixes bug 7280; bugfix on 0.2.3.1-alpha. + - Add the old src/or/micro-revision.i filename to CLEANFILES. + On the off chance that somebody has one, it will go away as soon + as they run "make clean". Fix for bug 7143; bugfix on 0.2.4.1-alpha. + - Build Tor correctly on 32-bit platforms where the compiler can build + but not run code using the "uint128_t" construction. Fixes bug 8587; + bugfix on 0.2.4.8-alpha. + - Fix compilation warning with some versions of clang that would + prefer the -Wswitch-enum compiler flag to warn about switch + statements with missing enum values, even if those switch + statements have a "default:" statement. Fixes bug 8598; bugfix + on 0.2.4.10-alpha. + + o Minor bugfixes (protocol): + - Fix the handling of a TRUNCATE cell when it arrives while the + circuit extension is in progress. Fixes bug 7947; bugfix on 0.0.7.1. + - Fix a misframing issue when reading the version numbers in a + VERSIONS cell. Previously we would recognize [00 01 00 02] as + 'version 1, version 2, and version 0x100', when it should have + only included versions 1 and 2. Fixes bug 8059; bugfix on + 0.2.0.10-alpha. Reported pseudonymously. + - Make the format and order of STREAM events for DNS lookups + consistent among the various ways to launch DNS lookups. Fixes + bug 8203; bugfix on 0.2.0.24-rc. Patch by "Desoxy." + - Correct our check for which versions of Tor support the EXTEND2 + cell. We had been willing to send it to Tor 0.2.4.7-alpha and + later, when support was really added in version 0.2.4.8-alpha. + Fixes bug 8464; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (other): + - Correctly store microdescriptors and extrainfo descriptors with + an internal NUL byte. Fixes bug 8037; bugfix on 0.2.0.1-alpha. + Bug reported by "cypherpunks". + - Increase the width of the field used to remember a connection's + link protocol version to two bytes. Harmless for now, since the + only currently recognized versions are one byte long. Reported + pseudonymously. Fixes bug 8062; bugfix on 0.2.0.10-alpha. + - If the state file's path bias counts are invalid (presumably from a + buggy Tor prior to 0.2.4.10-alpha), make them correct. Also add + additional checks and log messages to the scaling of Path Bias + counts, in case there still are remaining issues with scaling. + Should help resolve bug 8235. + - Eliminate several instances where we use "Nickname=ID" to refer to + nodes in logs. Use "Nickname (ID)" instead. (Elsewhere, we still use + "$ID=Nickname", which is also acceptable.) Fixes bug 7065. Bugfix + on 0.2.3.21-rc, 0.2.4.5-alpha, 0.2.4.8-alpha, and 0.2.4.10-alpha. + + o Minor bugfixes (syscalls): + - Always check the return values of functions fcntl() and + setsockopt(). We don't believe these are ever actually failing in + practice, but better safe than sorry. Also, checking these return + values should please analysis tools like Coverity. Patch from + 'flupzor'. Fixes bug 8206; bugfix on all versions of Tor. + - Use direct writes rather than stdio when building microdescriptor + caches, in an attempt to mitigate bug 8031, or at least make it + less common. + + o Minor bugfixes (config): + - When rejecting a configuration because we were unable to parse a + quoted string, log an actual error message. Fixes bug 7950; bugfix + on 0.2.0.16-alpha. + - Behave correctly when the user disables LearnCircuitBuildTimeout + but doesn't tell us what they would like the timeout to be. Fixes + bug 6304; bugfix on 0.2.2.14-alpha. + - When autodetecting the number of CPUs, use the number of available + CPUs in preference to the number of configured CPUs. Inform the + user if this reduces the number of available CPUs. Fixes bug 8002; + bugfix on 0.2.3.1-alpha. + - Make it an error when you set EntryNodes but disable UseGuardNodes, + since it will (surprisingly to some users) ignore EntryNodes. Fixes + bug 8180; bugfix on 0.2.3.11-alpha. + - Allow TestingTorNetworks to override the 4096-byte minimum for + the Fast threshold. Otherwise they can't bootstrap until they've + observed more traffic. Fixes bug 8508; bugfix on 0.2.4.10-alpha. + - Fix some logic errors when the user manually overrides the + PathsNeededToBuildCircuits option in torrc. Fixes bug 8599; bugfix + on 0.2.4.10-alpha. + + o Minor bugfixes (log messages to help diagnose bugs): + - If we fail to free a microdescriptor because of bug 7164, log + the filename and line number from which we tried to free it. + - Add another diagnostic to the heartbeat message: track and log + overhead that TLS is adding to the data we write. If this is + high, we are sending too little data to SSL_write at a time. + Diagnostic for bug 7707. + - Add more detail to a log message about relaxed timeouts, to help + track bug 7799. + - Warn more aggressively when flushing microdescriptors to a + microdescriptor cache fails, in an attempt to mitigate bug 8031, + or at least make it more diagnosable. + - Improve debugging output to help track down bug 8185 ("Bug: + outgoing relay cell has n_chan==NULL. Dropping.") + - Log the purpose of a path-bias testing circuit correctly. + Improves a log message from bug 8477; bugfix on 0.2.4.8-alpha. + + o Minor bugfixes (0.2.4.x log messages that were too noisy): + - Don't attempt to relax the timeout of already opened 1-hop circuits. + They might never timeout. This should eliminate some/all cases of + the relaxed timeout log message. + - Use circuit creation time for network liveness evaluation. This + should eliminate warning log messages about liveness caused + by changes in timeout evaluation. Fixes bug 6572; bugfix on + 0.2.4.8-alpha. + - Reduce a path bias length check from notice to info. The message + is triggered when creating controller circuits. Fixes bug 8196; + bugfix on 0.2.4.8-alpha. + - Fix a path state issue that triggered a notice during relay startup. + Fixes bug 8320; bugfix on 0.2.4.10-alpha. + - Reduce occurrences of warns about circuit purpose in + connection_ap_expire_building(). Fixes bug 8477; bugfix on + 0.2.4.11-alpha. + + o Minor bugfixes (pre-0.2.4.x log messages that were too noisy): + - If we encounter a write failure on a SOCKS connection before we + finish our SOCKS handshake, don't warn that we closed the + connection before we could send a SOCKS reply. Fixes bug 8427; + bugfix on 0.1.0.1-rc. + - Correctly recognize that [::1] is a loopback address. Fixes + bug 8377; bugfix on 0.2.1.3-alpha. + - Fix a directory authority warn caused when we have a large amount + of badexit bandwidth. Fixes bug 8419; bugfix on 0.2.2.10-alpha. + - Don't log inappropriate heartbeat messages when hibernating: a + hibernating node is _expected_ to drop out of the consensus, + decide it isn't bootstrapped, and so forth. Fixes bug 7302; + bugfix on 0.2.3.1-alpha. + - Don't complain about bootstrapping problems while hibernating. + These complaints reflect a general code problem, but not one + with any problematic effects (no connections are actually + opened). Fixes part of bug 7302; bugfix on 0.2.3.2-alpha. + + o Documentation fixes: + - Update tor-fw-helper.1.txt and tor-fw-helper.c to make option + names match. Fixes bug 7768. + - Make the torify manpage no longer refer to tsocks; torify hasn't + supported tsocks since 0.2.3.14-alpha. + - Make the tor manpage no longer reference tsocks. + - Fix the GeoIPExcludeUnknown documentation to refer to + ExcludeExitNodes rather than the currently nonexistent + ExcludeEntryNodes. Spotted by "hamahangi" on tor-talk. + + o Removed files: + - The tor-tsocks.conf is no longer distributed or installed. We + recommend that tsocks users use torsocks instead. Resolves + ticket 8290. + + +Changes in version 0.2.4.11-alpha - 2013-03-11 + Tor 0.2.4.11-alpha makes relay measurement by directory authorities + more robust, makes hidden service authentication work again, and + resolves a DPI fingerprint for Tor's SSL transport. + + o Major features (directory authorities): + - Directory authorities now support a new consensus method (17) + where they cap the published bandwidth of servers for which + insufficient bandwidth measurements exist. Fixes part of bug 2286. + - Directory authorities that set "DisableV2DirectoryInfo_ 1" no longer + serve any v2 directory information. Now we can test disabling the + old deprecated v2 directory format, and see whether doing so has + any effect on network load. Begins to fix bug 6783. + - Directory authorities now include inside each vote a statement of + the performance thresholds they used when assigning flags. + Implements ticket 8151. + + o Major bugfixes (directory authorities): + - Stop marking every relay as having been down for one hour every + time we restart a directory authority. These artificial downtimes + were messing with our Stable and Guard flag calculations. Fixes + bug 8218 (introduced by the fix for 1035). Bugfix on 0.2.2.23-alpha. + + o Major bugfixes (hidden services): + - Allow hidden service authentication to succeed again. When we + refactored the hidden service introduction code back + in 0.2.4.1-alpha, we didn't update the code that checks + whether authentication information is present, causing all + authentication checks to return "false". Fix for bug 8207; bugfix + on 0.2.4.1-alpha. Found by Coverity; this is CID 718615. + + o Minor features (relays, bridges): + - Make bridge relays check once a minute for whether their IP + address has changed, rather than only every 15 minutes. Resolves + bugs 1913 and 1992. + - Refactor resolve_my_address() so it returns the method by which we + decided our public IP address (explicitly configured, resolved from + explicit hostname, guessed from interfaces, learned by gethostname). + Now we can provide more helpful log messages when a relay guesses + its IP address incorrectly (e.g. due to unexpected lines in + /etc/hosts). Resolves ticket 2267. + - Teach bridge-using clients to avoid 0.2.2 bridges when making + microdescriptor-related dir requests, and only fall back to normal + descriptors if none of their bridges can handle microdescriptors + (as opposed to the fix in ticket 4013, which caused them to fall + back to normal descriptors if *any* of their bridges preferred + them). Resolves ticket 4994. + - Randomize the lifetime of our SSL link certificate, so censors can't + use the static value for filtering Tor flows. Resolves ticket 8443; + related to ticket 4014 which was included in 0.2.2.33. + + o Minor features (portability): + - Tweak the curve25519-donna*.c implementations to tolerate systems + that lack stdint.h. Fixes bug 3894; bugfix on 0.2.4.8-alpha. + - Use Ville Laurikari's implementation of AX_CHECK_SIGN() to determine + the signs of types during autoconf. This is better than our old + approach, which didn't work when cross-compiling. + - Detect the sign of enum values, rather than assuming that MSC is the + only compiler where enum types are all signed. Fixes bug 7727; + bugfix on 0.2.4.10-alpha. + + o Minor features (other): + - Say "KBytes" rather than "KB" in the man page (for various values + of K), to further reduce confusion about whether Tor counts in + units of memory or fractions of units of memory. Resolves ticket 7054. + - Clear the high bit on curve25519 public keys before passing them to + our backend, in case we ever wind up using a backend that doesn't do + so itself. If we used such a backend, and *didn't* clear the high bit, + we could wind up in a situation where users with such backends would + be distinguishable from users without. Fixes bug 8121; bugfix on + 0.2.4.8-alpha. + - Update to the March 6 2013 Maxmind GeoLite Country database. + + o Minor bugfixes (clients): + - When we receive a RELAY_END cell with the reason DONE, or with no + reason, before receiving a RELAY_CONNECTED cell, report the SOCKS + status as "connection refused". Previously we reported these cases + as success but then immediately closed the connection. Fixes bug + 7902; bugfix on 0.1.0.1-rc. Reported by "oftc_must_be_destroyed". + - Downgrade an assertion in connection_ap_expire_beginning to an + LD_BUG message. The fix for bug 8024 should prevent this message + from displaying, but just in case, a warn that we can diagnose + is better than more assert crashes. Fixes bug 8065; bugfix on + 0.2.4.8-alpha. + - Lower path use bias thresholds to .80 for notice and .60 for warn. + Also make the rate limiting flags for the path use bias log messages + independent from the original path bias flags. Fixes bug 8161; + bugfix on 0.2.4.10-alpha. + + o Minor bugfixes (relays): + - Stop trying to resolve our hostname so often (e.g. every time we + think about doing a directory fetch). Now we reuse the cached + answer in some cases. Fixes bugs 1992 (bugfix on 0.2.0.20-rc) + and 2410 (bugfix on 0.1.2.2-alpha). + - Stop sending a stray "(null)" in some cases for the server status + "EXTERNAL_ADDRESS" controller event. Resolves bug 8200; bugfix + on 0.1.2.6-alpha. + - When choosing which stream on a formerly stalled circuit to wake + first, make better use of the platform's weak RNG. Previously, + we had been using the % ("modulo") operator to try to generate a + 1/N chance of picking each stream, but this behaves badly with + many platforms' choice of weak RNG. Fixes bug 7801; bugfix on + 0.2.2.20-alpha. + - Use our own weak RNG when we need a weak RNG. Windows's rand() and + Irix's random() only return 15 bits; Solaris's random() returns more + bits but its RAND_MAX says it only returns 15, and so on. Motivated + by the fix for bug 7801; bugfix on 0.2.2.20-alpha. + + o Minor bugfixes (directory authorities): + - Directory authorities now use less space when formatting identical + microdescriptor lines in directory votes. Fixes bug 8158; bugfix + on 0.2.4.1-alpha. + + o Minor bugfixes (memory leaks spotted by Coverity -- bug 7816): + - Avoid leaking memory if we fail to compute a consensus signature + or we generate a consensus we can't parse. Bugfix on 0.2.0.5-alpha. + - Fix a memory leak when receiving headers from an HTTPS proxy. Bugfix + on 0.2.1.1-alpha. + - Fix a memory leak during safe-cookie controller authentication. + Bugfix on 0.2.3.13-alpha. + - Avoid memory leak of IPv6 policy content if we fail to format it into + a router descriptor. Bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (other code correctness issues): + - Avoid a crash if we fail to generate an extrainfo descriptor. + Fixes bug 8208; bugfix on 0.2.3.16-alpha. Found by Coverity; + this is CID 718634. + - When detecting the largest possible file descriptor (in order to + close all file descriptors when launching a new program), actually + use _SC_OPEN_MAX. The old code for doing this was very, very broken. + Fixes bug 8209; bugfix on 0.2.3.1-alpha. Found by Coverity; this + is CID 743383. + - Fix a copy-and-paste error when adding a missing A1 to a routerset + because of GeoIPExcludeUnknown. Fix for Coverity CID 980650. + Bugfix on 0.2.4.10-alpha. + - Fix an impossible-to-trigger integer overflow when estimating how + long our onionskin queue would take. (This overflow would require us + to accept 4 million onionskins before processing 100 of them.) Fixes + bug 8210; bugfix on 0.2.4.10-alpha. + + o Code simplification and refactoring: + - Add a wrapper function for the common "log a message with a + rate-limit" case. + + Changes in version 0.2.4.10-alpha - 2013-02-04 Tor 0.2.4.10-alpha adds defenses at the directory authority level from certain attacks that flood the network with relays; changes the queue @@ -976,7 +1788,7 @@ Changes in version 0.2.4.1-alpha - 2012-09-05 o Minor features (code security and spec conformance): - Clear keys and key-derived material left on the stack in rendservice.c and rendclient.c. Check return value of - crypto_pk_write_private_key_to_string() in end_service_load_keys(). + crypto_pk_write_private_key_to_string() in rend_service_load_keys(). These fixes should make us more forward-secure against cold-boot attacks and the like. Fixes bug 2385. - Reject EXTEND cells sent to nonexistent streams. According to the @@ -3321,7 +4133,7 @@ Changes in version 0.2.3.4-alpha - 2011-09-13 by an attacker who controls both an introduction point and a rendezvous point, and who uses the malleability of AES-CTR to alter the encrypted g^x portion of the INTRODUCE1 cell. We think - that these attacks is infeasible (requiring the attacker to send + that these attacks are infeasible (requiring the attacker to send on the order of zettabytes of altered cells in a short interval), but we'd rather block them off in case there are any classes of this attack that we missed. Reported by Willem Pinckaers. |