Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 314 |
1 files changed, 313 insertions, 1 deletions
@@ -1,4 +1,316 @@ -Changes in version 0.2.5.5-alpha - 2014-05-?? +Changes in version 0.2.5.5-alpha - 2014-06-?? + Write a blurb here. + + o Major bugfixes (security, OOM, new since 0.2.5.4-alpha, also in 0.2.4.22): + - Fix a memory leak that could occur if a microdescriptor parse + fails during the tokenizing step. This bug could enable a memory + exhaustion attack by directory servers. Fixes bug 11649; bugfix + on 0.2.2.6-alpha. + + o Major bugfixes (relay): + - When uploading to the directory authorities, use a direct dirport + connection if we are a uploading an ordinary, non-anonymous + directory object. Previously, relays would used tunnel connections + under a fairly wide variety of circumstances. Fixes bug 11469; + bugfix on 0.2.4.3-alpha. + + o Major bugfixes (security, directory authorities): + - Directory authorities now include a digest of each relay's + identity key as a part of its microdescriptor. + + This is a workaround for bug #11743 (reported by "cypherpunks"), + where Tor clients do not support receiving multiple + microdescriptors with the same SHA256 digest in the same + consensus. When clients receive a consensus like this, they only + use one of the relays. Without this fix, a hostile relay could + selectively disable some client use of target relays by + constucting a router descriptor with a different identity and the + same microdescriptor parameters and getting the authorities to + list it in a microdescriptor consensus. This fix prevents an + attacker from causing a microdescriptor collision, because the + router's identity is not forgeable. + + o Minor features (diagnostic): + - When logging a warning because of bug #7164, additionally check + the hash table for consistency (as proposed on ticket #11737). + This may help diagnose bug #7164. + - When we log a heartbeat, log how many one-hop circuits we have + that are at least 30 minutes old, and log status information about + a few of them. This is an attempt to track down bug 8387. 
+ - When we encounter an unexpected CR in text that we're trying to + write to a file on Windows, log the name of the file. Should help + diagnosing bug 11233. + - Give more specific warnings when we notice at the client side that + an onion handshake has failed. Fixes ticket 9635. + + o Minor features (security, memory management)): + - Add configure options controlling allocator tricks like mempools + and freelists, and turn them off by default; on most platforms + malloc is reasonable enough for this not to be necessary, and a + similar feature in OpenSSL exacerbated Heartbleed. Fixes + bug #11476. + + o Minor features (security): + - Apply the secure SipHash-2-4 function to the hash table mapping + circuit IDs and channels to circuits. We missed this one when we + were converting all the other hash functions to use SipHash back + in 0.2.5.3-alpha. Resolves ticket 11750. + + o Minor features (build): + - The configure script has a --disable-seccomp option to turn off + support for libseccomp on systems that have it, in case it (or + Tor's use of it) is broken. Resolves ticket 11628. + + o Minor bugfixes (configuration, security, new since 0.2.5.4-alpha, also in 0.2.4.22): + - When running a hidden service, do not allow TunneledDirConns 0; + this will keep the hidden service from running, and also + make it publish its descriptors directly over HTTP. Fixes bug 10849; + bugfix on 0.2.1.1-alpha. + + o Minor bugfixes (compilation): + - Fix compilation of test_status.c when building with MVSC. Bugfix + on 0.2.5.4-alpha. Patch from Gisle Vanem. + - Resolve GCC complaints on OpenBSD about discarding constness in + TO_{ORIGIN,OR}_CIRCUIT functions. Fixes part of bug 11633; bugfix + on 0.1.1.23. Patch from Dana Koch. + - Resolve clang complaints on OpenBSD with -Wshorten-64-to-32 due to + treatment of long and time_t as comparable types. Fixes part of + bug 11633. Patch from Dana Koch. + - Make Tor compile correctly with --disable-buf-freelists. 
Fixes bug + 11623; bugfix on 0.2.5.3-alpha. + - When deciding whether to build the 64-bit curve25519 + implementation, detect platforms where we can compile 128-bit + arithmetic but cannot link it. Fixes bug 11729; bugfix on + 0.2.4.8-alpha. Patch from "conradev". + - Fix compilation when DNS_CACHE_DEBUG is enabled. Fixes bug 11761; + bugfix on 0.2.3.13-alpha. Found by "cypherpunks". + + o Minor bugfixes (Directory server): + - When sending a compressed set of descriptors or microdescriptors, + make sure to finalize the zlib stream. Previously, we would write + all the compressed data, but if the last descriptor we wanted to + send was missing or too old, we would not mark the stream as + finished. This caused problems for decompression tools. Fixes bug + 11648; bugfix on 0.1.1.23. + + o Minor bugfixes (dmalloc): + - Fix compilation with dmalloc. Fixes bug 11605; bugfix + on 0.2.4.10-alpha. + + o Minor bugfixes (documentation): + - Correct the documenation so that it lists the correct directories + for the stats files. (They are in a subdirectory called "stats", + not "status".) + + o Minor bugfixes (Linux seccomp sandbox): + - Make the seccomp sandbox code compile with ARM linux. Fixes bug + 11622; bugfix on 0.2.5.1-alpha. + - Avoid crashing when re-opening listener ports with the seccomp + sandbox active. Fixes bug 12115; bugfix on 0.2.5.1-alpha. + - Avoid crashing with the seccomp sandbox enabled along with + ConstrainedSockets. Fixes bug 12139; bugfix on 0.2.5.1-alpha. + - When we receive a SIGHUP with the sandbox enabled, correctly + support rotating our log files. Fixes bug 12032; bugfix + on 0.2.5.1-alpha. + - Avoid crash when running with sandboxing enabled and + DirReqStatistics not disabled. Fixes bug 12035; bugfix + on 0.2.5.1-alpha. + - Fix a "BUG" warning when trying to write bridge-stats files with + the Linux syscall sandbox filter enabled. Fixes bug 12041; bugfix + on 0.2.5.1-alpha. 
+ - Prevent the sandbox from crashing on startup when run with the + --enable-expensive-hardening configuration option. Fixes bug + 11477; bugfix on 0.2.5.4-alpha. + - When running with DirPortFrontPage and Sandbox both enabled, + reload the DirPortFrontPage correctly when restarting. Fixes bug + 12028; bugfix on 0.2.5.1-alpha. + - Don't try to enable the sandbox when using the Tor binary to check + its configuration, hash a passphrase, or so on. Doing so was + crashing on startup for some users. Fixes bug 11609; bugfix + on 0.2.5.1-alpha. + - Avoid warnings when running with sandboxing and node statistics + enabled at the same time. Fixes part of 12064; bugfix on + 0.2.5.1-alpha. Patch from Michael Wolf. + - Avoid warnings when running with sandboxing enabled at the same + time as cookie authentication, hidden services or directory + authority voting. Fixes part of 12064; bugfix on 0.2.5.1-alpha. + - Do not allow options which would require us to call exec to be + enabled along with the seccomp2 sandbox: they will inevitably + crash. Fix for bug 12043; bugfix on 0.2.5.1-alpha. + - Handle failures in getpwnam()/getpwuid() when running with the + User option set and the Linux syscall sandbox enabled. Fixes bug + 11946; bugfix on 0.2.5.1-alpha. + + o Minor bugfixes (pluggable transports): + - Enable the ExtORPortCookieAuthFile option, to allow changing the + default location of the authentication token for the extended OR + Port as used by sever-side pluggable transports. We had + implemented this option before, but the code to make it settable + had been omitted. Fixes bug 11635; bugfix on 0.2.5.1-alpha. + - Avoid another 60-second delay when starting Tor in a pluggable- + transport-using configuration when we already have cached + descriptors for our bridges. Fixes bug 11965; bugfix + on 0.2.3.6-alpha. 
+ + o Minor bugfixes (testing): + - The Python parts of the test scripts now work on Python 3 as well + as Python 2, so systems where '/usr/bin/python' is Python 3 will + no longer have the tests break. Fixes bug 11608; bugfix + on 0.2.5.2-alpha. + - When looking for versions of python that we could run the tests + with, check for "python2.7" and "python3.3"; previously we were + only looking for "python", "python2", and "python3". Patch from + Dana Koch. Fixes bug 11632; bugfix on 0.2.5.2-alpha. + - Fix all valgrind warnings produced by the unit tests. There were + over a thousand memory leak warnings previously, mostly produced + by forgetting to free things in the unit test code. Fixes bug + 11618, bugfixes on many versions of Tor. + + o Minor bugfixes (tor-fw-helper): + - Give a correct log message when tor-fw-helper fails to launch. + (Previously, we would say something like "tor-fw-helper sent us a + string we could not parse".) Fixes bug 9781; bugfix + on 0.2.4.2-alpha. + + o Minor bugfixes (relay, threading): + - Check return code on spawn_func() in cpuworker code, so that we + don't think we've spawned a nonworking cpuworker and write junk to + it forever. Fix related to bug 4345; bugfix on all released Tor + versions. Found by "skruffy". + - Use a pthread_attr to make sure that spawn_func() cannot return an + error while at the same time launching a thread. Fix related to + bug 4345; bugfix on all released Tor versions. Reported + by "cypherpunks". + + o Minor bugfixes (relay, oom prevention): + - Correctly detect the total available system memory. We tried to do + this in 0.2.5.4-alpha, but the code was set up to always return an + error value, even on success. Fixes bug 11805; bugfix + on 0.2.5.4-alpha. + + o Minor bugfixes (logging): + - Fix a misformatted log message about delayed directory fetches. + Fixes bug 11654; bugfix on 0.2.5.3-alpha. + + o Distribution: + - Include a tor.service file in contrib/dist for use with systemd. 
+ Some distributions will be able to use this file unmodified; + others will need to tweak it, or write their own. Patch from Jamie + Nguyen; resolves ticket 8368. + + o Documentation: + - Clean up several option names in the manpage to match their real + names, add the missing documentation for a couple of testing and + directory authority options, remove the documentation for a + V2-directory fetching option that no longer exists. Resolves + ticket 11634. + + o Package cleanup: + - The contrib directory has been sorted and tidy. Before, it was an + unsorted dumping ground for useful and not-so-useful things. Now, + it has been divided based on functionality, and the items which + seemed to be nonfunctional or useless have been removed. Resolves + ticket 8966; based on patches from "rl1987". + + o Removed code: + - Remove /tor/dbg-stability.txt URL that was meant to help debug WFU + and MTBF calculations, but that nobody was using. Fixes #11742. + - The TunnelDirConns and PreferTunnelledDirConns options no longer + exist; tunneled directory connections have been available since + 0.1.2.5-alpha, and turning them off is not a good idea. This is a + brute-force fix for 10849, where "TunnelDirConns 0" would break + hidden services. + + +Changes in version 0.2.4.22 - 2014-05-16 + Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5 + alpha release series. These include blocking all authority signing + keys that may have been affected by the OpenSSL "heartbleed" bug, + choosing a far more secure set of TLS ciphersuites by default, closing + a couple of memory leaks that could be used to run a target relay out + of RAM, and several others. + + o Major features (security, backport from 0.2.5.4-alpha): + - Block authority signing keys that were used on authorities + vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We + don't have any evidence that these keys _were_ compromised; we're + doing this to be prudent.) Resolves ticket 11464. 
+ + o Major bugfixes (security, OOM): + - Fix a memory leak that could occur if a microdescriptor parse + fails during the tokenizing step. This bug could enable a memory + exhaustion attack by directory servers. Fixes bug 11649; bugfix + on 0.2.2.6-alpha. + + o Major bugfixes (TLS cipher selection, backport from 0.2.5.4-alpha): + - The relay ciphersuite list is now generated automatically based on + uniform criteria, and includes all OpenSSL ciphersuites with + acceptable strength and forward secrecy. Previously, we had left + some perfectly fine ciphersuites unsupported due to omission or + typo. Resolves bugs 11513, 11492, 11498, 11499. Bugs reported by + 'cypherpunks'. Bugfix on 0.2.4.8-alpha. + - Relays now trust themselves to have a better view than clients of + which TLS ciphersuites are better than others. (Thanks to bug + 11513, the relay list is now well-considered, whereas the client + list has been chosen mainly for anti-fingerprinting purposes.) + Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over + CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over + AES128. Resolves ticket 11528. + - Clients now try to advertise the same list of ciphersuites as + Firefox 28. This change enables selection of (fast) GCM + ciphersuites, disables some strange old ciphers, and stops + advertising the ECDH (not to be confused with ECDHE) ciphersuites. + Resolves ticket 11438. + + o Minor bugfixes (configuration, security): + - When running a hidden service, do not allow TunneledDirConns 0: + trying to set that option together with a hidden service would + otherwise prevent the hidden service from running, and also make + it publish its descriptors directly over HTTP. Fixes bug 10849; + bugfix on 0.2.1.1-alpha. + + o Minor bugfixes (controller, backport from 0.2.5.4-alpha): + - Avoid sending a garbage value to the controller when a circuit is + cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha. 
+ + o Minor bugfixes (exit relay, backport from 0.2.5.4-alpha): + - Stop leaking memory when we successfully resolve a PTR record. + Fixes bug 11437; bugfix on 0.2.4.7-alpha. + + o Minor bugfixes (bridge client, backport from 0.2.5.4-alpha): + - Avoid 60-second delays in the bootstrapping process when Tor is + launching for a second time while using bridges. Fixes bug 9229; + bugfix on 0.2.0.3-alpha. + + o Minor bugfixes (relays and bridges, backport from 0.2.5.4-alpha): + - Give the correct URL in the warning message when trying to run a + relay on an ancient version of Windows. Fixes bug 9393. + + o Minor bugfixes (compilation): + - Fix a compilation error when compiling with --disable-curve25519. + Fixes bug 9700; bugfix on 0.2.4.17-rc. + + o Minor bugfixes: + - Downgrade the warning severity for the the "md was still + referenced 1 node(s)" warning. Tor 0.2.5.4-alpha has better code + for trying to diagnose this bug, and the current warning in + earlier versions of tor achieves nothing useful. Addresses warning + from bug 7164. + + o Minor features (log verbosity, backport from 0.2.5.4-alpha): + - When we run out of usable circuit IDs on a channel, log only one + warning for the whole channel, and describe how many circuits + there were on the channel. Fixes part of ticket 11553. + + o Minor features (security, backport from 0.2.5.4-alpha): + - Decrease the lower limit of MaxMemInCellQueues to 256 MBytes (but + leave the default at 8GBytes), to better support Raspberry Pi + users. Fixes bug 9686; bugfix on 0.2.4.14-alpha. + + o Documentation (backport from 0.2.5.4-alpha): + - Correctly document that we search for a system torrc file before + looking in ~/.torrc. Fixes documentation side of 9213; bugfix on + 0.2.3.18-rc. Changes in version 0.2.5.4-alpha - 2014-04-25 |
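Review bot: In the 0.2.5.5-alpha entry under "Minor bugfixes (configuration, security, ...)", the sentence "do not allow TunneledDirConns 0; this will keep the hidden service from running, and also make it publish its descriptors directly over HTTP" reads as though the fix itself stops the service and sends descriptors over plain HTTP. The 0.2.4.22 entry further down words the same fix unambiguously ("trying to set that option together with a hidden service would otherwise prevent the hidden service from running"), so I suggest reusing that wording here. The option is also spelled TunneledDirConns in both bugfix entries but TunnelDirConns in the "Removed code" item for the same bug 10849, so one of the spellings needs correcting. Before release, the "Write a blurb here." placeholder and the "2014-06-??" date still need filling in, the heading "Minor features (security, memory management))" has a stray closing parenthesis, and these typos should be fixed: "constucting", "documenation", "sever-side", "MVSC", "would used", "a uploading", "the the".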