Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 778
1 files changed, 776 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 3d666a654..0541c448c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,753 @@
+Changes in version 0.2.4.5-alpha - 2012-10-25
+ Tor 0.2.4.5-alpha comes hard at the heels of 0.2.4.4-alpha, to fix
+ two important security vulnerabilities that could lead to remotely
+ triggerable relay crashes, fix a major bug that was preventing clients
+ from choosing suitable exit nodes, and refactor some of our code.
+
+ o Major bugfixes (security, also in 0.2.3.24-rc):
+ - Fix a group of remotely triggerable assertion failures related to
+ incorrect link protocol negotiation. Found, diagnosed, and fixed
+ by "some guy from France". Fix for CVE-2012-2250; bugfix on
+ 0.2.3.6-alpha.
+ - Fix a denial of service attack by which any directory authority
+ could crash all the others, or by which a single v2 directory
+ authority could crash everybody downloading v2 directory
+ information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
+
+ o Major bugfixes (also in 0.2.3.24-rc):
+ - When parsing exit policy summaries from microdescriptors, we had
+ previously been ignoring the last character in each one, so that
+ "accept 80,443,8080" would be treated by clients as indicating
+ a node that allows access to ports 80, 443, and 808. That would
+ lead to clients attempting connections that could never work,
+ and ignoring exit nodes that would support their connections. Now
+ clients parse these exit policy summaries correctly. Fixes bug 7192;
+ bugfix on 0.2.3.1-alpha.
+
+ o Minor bugfixes (also in 0.2.3.24-rc):
+ - Clients now consider the ClientRejectInternalAddresses config option
+ when using a microdescriptor consensus stanza to decide whether
+ an exit relay would allow exiting to an internal address. Fixes
+ bug 7190; bugfix on 0.2.3.1-alpha.
+
+ o Minor bugfixes:
+ - Only disable TLS session ticket support when running as a TLS
+ server. Now clients will blend better with regular Firefox
+ connections. Fixes bug 7189; bugfix on Tor 0.2.3.23-rc.
+
+ o Code simplification and refactoring:
+ - Start using OpenBSD's implementation of queue.h (originally by
+ Niels Provos).
+ - Move the entry node code from circuitbuild.c to its own file.
+ - Move the circuit build timeout tracking code from circuitbuild.c
+ to its own file.
+
+
+Changes in version 0.2.3.24-rc - 2012-10-25
+ Tor 0.2.3.24-rc fixes two important security vulnerabilities that
+ could lead to remotely triggerable relay crashes, and fixes
+ a major bug that was preventing clients from choosing suitable exit
+ nodes.
+
+ o Major bugfixes (security):
+ - Fix a group of remotely triggerable assertion failures related to
+ incorrect link protocol negotiation. Found, diagnosed, and fixed
+ by "some guy from France". Fix for CVE-2012-2250; bugfix on
+ 0.2.3.6-alpha.
+ - Fix a denial of service attack by which any directory authority
+ could crash all the others, or by which a single v2 directory
+ authority could crash everybody downloading v2 directory
+ information. Fixes bug 7191; bugfix on 0.2.0.10-alpha.
+
+ o Major bugfixes:
+ - When parsing exit policy summaries from microdescriptors, we had
+ previously been ignoring the last character in each one, so that
+ "accept 80,443,8080" would be treated by clients as indicating
+ a node that allows access to ports 80, 443, and 808. That would
+ lead to clients attempting connections that could never work,
+ and ignoring exit nodes that would support their connections. Now
+ clients parse these exit policy summaries correctly. Fixes bug 7192;
+ bugfix on 0.2.3.1-alpha.
+
+ o Minor bugfixes:
+ - Clients now consider the ClientRejectInternalAddresses config option
+ when using a microdescriptor consensus stanza to decide whether
+ an exit relay would allow exiting to an internal address. Fixes
+ bug 7190; bugfix on 0.2.3.1-alpha.
+
+
+Changes in version 0.2.4.4-alpha - 2012-10-20
+ Tor 0.2.4.4-alpha adds a new v3 directory authority, fixes a privacy
+ vulnerability introduced by a change in OpenSSL, fixes a remotely
+ triggerable assert, and adds new channel_t and circuitmux_t abstractions
+ that will make it easier to test new connection transport and cell
+ scheduling algorithms.
+
+ o New directory authorities (also in 0.2.3.23-rc):
+ - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
+ authority. Closes ticket 5749.
+
+ o Major bugfixes (security/privacy, also in 0.2.3.23-rc):
+ - Disable TLS session tickets. OpenSSL's implementation was giving
+ our TLS session keys the lifetime of our TLS context objects, when
+ perfect forward secrecy would want us to discard anything that
+ could decrypt a link connection as soon as the link connection
+ was closed. Fixes bug 7139; bugfix on all versions of Tor linked
+ against OpenSSL 1.0.0 or later. Found by Florent Daignière.
+ - Discard extraneous renegotiation attempts once the V3 link
+ protocol has been initiated. Failure to do so left us open to
+ a remotely triggerable assertion failure. Fixes CVE-2012-2249;
+ bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
+
+ o Internal abstraction features:
+ - Introduce new channel_t abstraction between circuits and
+ or_connection_t to allow for implementing alternate OR-to-OR
+ transports. A channel_t is an abstract object which can either be a
+ cell-bearing channel, which is responsible for authenticating and
+ handshaking with the remote OR and transmitting cells to and from
+ it, or a listening channel, which spawns new cell-bearing channels
+ at the request of remote ORs. Implements part of ticket 6465.
+ - Also new is the channel_tls_t subclass of channel_t, adapting it
+ to the existing or_connection_t code. The V2/V3 protocol handshaking
+ code which formerly resided in command.c has been moved below the
+ channel_t abstraction layer and may be found in channeltls.c now.
+ Implements the rest of ticket 6465.
+ - Introduce new circuitmux_t storing the queue of circuits for
+ a channel; this encapsulates and abstracts the queue logic and
+ circuit selection policy, and allows the latter to be overridden
+ easily by switching out a policy object. The existing EWMA behavior
+ is now implemented as a circuitmux_policy_t. Resolves ticket 6816.
+
+ o Required libraries:
+ - Tor now requires OpenSSL 0.9.8 or later. OpenSSL 1.0.0 or later is
+ strongly recommended.
+
+ o Minor features:
+ - Warn users who run hidden services on a Tor client with
+ UseEntryGuards disabled that their hidden services will be
+ vulnerable to http://freehaven.net/anonbib/#hs-attack06 (the
+ attack which motivated Tor to support entry guards in the first
+ place). Resolves ticket 6889.
+ - Tor now builds correctly on Bitrig, an OpenBSD fork. Patch from
+ dhill. Resolves ticket 6982.
+ - Option OutboundBindAddress can be specified multiple times and
+ accepts IPv6 addresses. Resolves ticket 6876.
+
+ o Minor bugfixes (also in 0.2.3.23-rc):
+ - Don't serve or accept v2 hidden service descriptors over a
+ relay's DirPort. It's never correct to do so, and disabling it
+ might make it more annoying to exploit any bugs that turn up in the
+ descriptor-parsing code. Fixes bug 7149.
+ - Fix two cases in src/or/transports.c where we were calling
+ fmt_addr() twice in a parameter list. Bug found by David
+ Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha.
+ - Fix memory leaks whenever we logged any message about the "path
+ bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc.
+ - When relays refuse a "create" cell because their queue of pending
+ create cells is too big (typically because their cpu can't keep up
+ with the arrival rate), send back reason "resource limit" rather
+ than reason "internal", so network measurement scripts can get a
+ more accurate picture. Fixes bug 7037; bugfix on 0.1.1.11-alpha.
+
+ o Minor bugfixes:
+ - Command-line option "--version" implies "--quiet". Fixes bug 6997.
+ - Free some more still-in-use memory at exit, to make hunting for
+ memory leaks easier. Resolves bug 7029.
+ - When a Tor client gets a "truncated" relay cell, the first byte of
+ its payload specifies why the circuit was truncated. We were
+ ignoring this 'reason' byte when tearing down the circuit, resulting
+ in the controller not being told why the circuit closed. Now we
+ pass the reason from the truncated cell to the controller. Bugfix
+ on 0.1.2.3-alpha; fixes bug 7039.
+ - Downgrade "Failed to hand off onionskin" messages to "debug"
+ severity, since they're typically redundant with the "Your computer
+ is too slow" messages. Fixes bug 7038; bugfix on 0.2.2.16-alpha.
+ - Make clients running with IPv6 bridges connect over IPv6 again,
+ even without setting new config options ClientUseIPv6 and
+ ClientPreferIPv6ORPort. Fixes bug 6757; bugfix on 0.2.4.1-alpha.
+ - Use square brackets around IPv6 addresses in numerous places
+ that needed them, including log messages, HTTPS CONNECT proxy
+ requests, TransportProxy statefile entries, and pluggable transport
+ extra-info lines. Fixes bug 7011; patch by David Fifield.
+
+ o Code refactoring and cleanup:
+ - Source files taken from other packages now reside in src/ext;
+ previously they were scattered around the rest of Tor.
+ - Avoid use of reserved identifiers in our C code. The C standard
+ doesn't like us declaring anything that starts with an
+ underscore, so let's knock it off before we get in trouble. Fix
+ for bug 1031; bugfix on the first Tor commit.
+
+
+Changes in version 0.2.3.23-rc - 2012-10-20
+ Tor 0.2.3.23-rc adds a new v3 directory authority, fixes a privacy
+ vulnerability introduced by a change in OpenSSL, and fixes a variety
+ of smaller bugs in preparation for the release.
+
+ o New directory authorities:
+ - Add Faravahar (run by Sina Rabbani) as the ninth v3 directory
+ authority. Closes ticket 5749.
+
+ o Major bugfixes (security/privacy):
+ - Disable TLS session tickets. OpenSSL's implementation was giving
+ our TLS session keys the lifetime of our TLS context objects, when
+ perfect forward secrecy would want us to discard anything that
+ could decrypt a link connection as soon as the link connection
+ was closed. Fixes bug 7139; bugfix on all versions of Tor linked
+ against OpenSSL 1.0.0 or later. Found by Florent Daignière.
+ - Discard extraneous renegotiation attempts once the V3 link
+ protocol has been initiated. Failure to do so left us open to
+ a remotely triggerable assertion failure. Fixes CVE-2012-2249;
+ bugfix on 0.2.3.6-alpha. Reported by "some guy from France".
+
+ o Major bugfixes:
+ - Fix a possible crash bug when checking for deactivated circuits
+ in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
+ bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
+
+ o Minor bugfixes (on 0.2.3.x):
+ - Fix two cases in src/or/transports.c where we were calling
+ fmt_addr() twice in a parameter list. Bug found by David
+ Fifield. Fixes bug 7014; bugfix on 0.2.3.9-alpha.
+ - Convert an assert in the pathbias code to a log message. The assert
+ appears to only be triggerable by Tor2Web mode. Fixes bug 6866;
+ bugfix on 0.2.3.17-beta.
+ - Fix memory leaks whenever we logged any message about the "path
+ bias" detection. Fixes bug 7022; bugfix on 0.2.3.21-rc.
+
+ o Minor bugfixes (on 0.2.2.x and earlier):
+ - Don't serve or accept v2 hidden service descriptors over a relay's
+ DirPort. It's never correct to do so, and disabling it might
+ make it more annoying to exploit any bugs that turn up in the
+ descriptor-parsing code. Fixes bug 7149.
+ - When relays refuse a "create" cell because their queue of pending
+ create cells is too big (typically because their cpu can't keep up
+ with the arrival rate), send back reason "resource limit" rather
+ than reason "internal", so network measurement scripts can get a
+ more accurate picture. Bugfix on 0.1.1.11-alpha; fixes bug 7037.
+ - Correct file sizes when reading binary files on Cygwin, to avoid
+ a bug where Tor would fail to read its state file. Fixes bug 6844;
+ bugfix on 0.1.2.7-alpha.
+ - Avoid undefined behaviour when parsing the list of supported
+ rendezvous/introduction protocols in a hidden service descriptor.
+ Previously, Tor would have confused (as-yet-unused) protocol version
+ numbers greater than 32 with lower ones on many platforms. Fixes
+ bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.
+
+ o Documentation fixes:
+ - Clarify that hidden services are TCP only. Fixes bug 6024.
+
+
+Changes in version 0.2.4.3-alpha - 2012-09-22
+ Tor 0.2.4.3-alpha fixes another opportunity for a remotely triggerable
+ assertion, resumes letting relays test reachability of their DirPort,
+ and cleans up a bunch of smaller bugs.
+
+ o Security fixes:
+ - Fix an assertion failure in tor_timegm() that could be triggered
+ by a badly formatted directory object. Bug found by fuzzing with
+ Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
+
+ o Major bugfixes:
+ - Fix a possible crash bug when checking for deactivated circuits
+ in connection_or_flush_from_first_active_circuit(). Fixes bug 6341;
+ bugfix on 0.2.2.7-alpha. Bug report and fix received pseudonymously.
+ - Allow routers to detect that their own DirPorts are running. When
+ we removed support for versions_supports_begindir, we also
+ accidentally removed the mechanism we used to self-test our
+ DirPort. Diagnosed with help from kargig. Fixes bugs 6814 and 6815;
+ bugfix on 0.2.4.2-alpha.
+
+ o Security features:
+ - Switch to a completely time-invariant approach for picking nodes
+ weighted by bandwidth. Our old approach would run through the
+ part of the loop after it had made its choice slightly slower
+ than it ran through the part of the loop before it had made its
+ choice. Addresses ticket 6538.
+ - Disable the use of Guard nodes when in Tor2WebMode. Guard usage
+ by tor2web clients allows hidden services to identity tor2web
+ clients through their repeated selection of the same rendezvous
+ and introduction point circuit endpoints (their guards). Resolves
+ ticket 6888.
+
+ o Minor features:
+ - Enable Tor to read configuration, state, and key information from
+ a FIFO. Previously Tor would only read from files with a positive
+ stat.st_size. Code from meejah; fixes bug 6044.
+
+ o Minor bugfixes:
+ - Correct file sizes when reading binary files on Cygwin, to avoid
+ a bug where Tor would fail to read its state file. Fixes bug 6844;
+ bugfix on 0.1.2.7-alpha.
+ - Correctly handle votes with more than 31 flags. Fixes bug 6853;
+ bugfix on 0.2.0.3-alpha.
+ - When complaining about a client port on a public address, log
+ which address we're complaining about. Fixes bug 4020; bugfix on
+ 0.2.3.3-alpha. Patch by Tom Fitzhenry.
+ - Convert an assert in the pathbias code to a log message. The assert
+ appears to only be triggerable by Tor2Web mode. Fixes bug 6866;
+ bugfix on 0.2.3.17-beta.
+ - Our new buildsystem was overzealous about rebuilding manpages: it
+ would rebuild them all whenever any one of them changed. Now our
+ dependency checking should be correct. Fixes bug 6843; bugfix on
+ 0.2.4.1-alpha.
+ - Don't do reachability testing over IPv6 unless AuthDirPublishIPv6
+ is set. Fixes bug 6880. Bugfix on 0.2.4.1-alpha.
+ - Correct log printout about which address family is preferred
+ when connecting to a bridge with both an IPv4 and IPv6 OR port.
+ Fixes bug 6884; bugfix on 0.2.4.1-alpha.
+
+ o Minor bugfixes (code cleanliness):
+ - Fix round_to_power_of_2() so it doesn't invoke undefined behavior
+ with large values. This situation was untriggered, but nevertheless
+ incorrect. Fixes bug 6831; bugfix on 0.2.0.1-alpha.
+ - Reject consensus votes with more than 64 known-flags. We aren't even
+ close to that limit yet, and our code doesn't handle it correctly.
+ Fixes bug 6833; bugfix on 0.2.0.1-alpha.
+ - Avoid undefined behaviour when parsing the list of supported
+ rendezvous/introduction protocols in a hidden service descriptor.
+ Previously, Tor would have confused (as-yet-unused) protocol version
+ numbers greater than 32 with lower ones on many platforms. Fixes
+ bug 6827; bugfix on 0.2.0.10-alpha. Found by George Kadianakis.
+ - Fix handling of rendezvous client authorization types over 8.
+ Fixes bug 6861; bugfix on 0.2.1.5-alpha.
+ - Fix building with older versions of GCC (2.95, for one) that don't
+ like preprocessor directives inside macro arguments. Found by
+ grarpamp. Fixes bug 6842; bugfix on 0.2.4.2-alpha.
+ - Switch weighted node selection rule from using a list of doubles
+ to using a list of int64_t. This change should make the process
+ slightly easier to debug and maintain. Needed to finish ticket 6538.
+
+ o Code simplification and refactoring:
+ - Move the generic "config" code into a new file, and have "config.c"
+ hold only torrc- and state-related code. Resolves ticket 6823.
+ - Move the core of our "choose a weighted element at random" logic
+ into its own function, and give it unit tests. Now the logic is
+ testable, and a little less fragile too.
+ - Removed the testing_since field of node_t, which hasn't been used
+ for anything since 0.2.0.9-alpha.
+
+ o Documentation fixes:
+ - Clarify that hidden services are TCP only. Fixes bug 6024.
+ - Resolve a typo in torrc.sample.in. Fixes bug 6819; bugfix on
+ 0.2.3.14-alpha.
+
+
+Changes in version 0.2.3.22-rc - 2012-09-11
+ Tor 0.2.3.22-rc fixes another opportunity for a remotely triggerable
+ assertion.
+
+ o Security fixes:
+ - Fix an assertion failure in tor_timegm() that could be triggered
+ by a badly formatted directory object. Bug found by fuzzing with
+ Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
+
+ o Minor bugfixes:
+ - Avoid segfault when starting up having run with an extremely old
+ version of Tor and parsing its state file. Fixes bug 6801; bugfix
+ on 0.2.2.23-alpha.
+
+
+Changes in version 0.2.2.39 - 2012-09-11
+ Tor 0.2.2.39 fixes two more opportunities for remotely triggerable
+ assertions.
+
+ o Security fixes:
+ - Fix an assertion failure in tor_timegm() that could be triggered
+ by a badly formatted directory object. Bug found by fuzzing with
+ Radamsa. Fixes bug 6811; bugfix on 0.2.0.20-rc.
+ - Do not crash when comparing an address with port value 0 to an
+ address policy. This bug could have been used to cause a remote
+ assertion failure by or against directory authorities, or to
+ allow some applications to crash clients. Fixes bug 6690; bugfix
+ on 0.2.1.10-alpha.
+
+
+Changes in version 0.2.4.2-alpha - 2012-09-10
+ Tor 0.2.4.2-alpha enables port forwarding for pluggable transports,
+ raises the default rate limiting even more, and makes the bootstrapping
+ log messages less noisy.
+
+ o Major features:
+ - Automatically forward the TCP ports of pluggable transport
+ proxies using tor-fw-helper if PortForwarding is enabled. Implements
+ ticket 4567.
+
+ o Major bugfixes:
+ - Raise the default BandwidthRate/BandwidthBurst values from 5MB/10MB
+ to 1GB/1GB. The previous defaults were intended to be "basically
+ infinite", but it turns out they're now limiting our 100mbit+
+ relays and bridges. Fixes bug 6605; bugfix on 0.2.0.10-alpha (the
+ last time we raised it).
+
+ o Minor features:
+ - Detect when we're running with a version of OpenSSL other than the
+ one we compiled with. This has occasionally given people hard-to-
+ track-down errors.
+ - Log fewer lines at level "notice" about our OpenSSL and Libevent
+ versions and capabilities when everything is going right. Resolves
+ part of ticket 6736.
+ - Directory authorities no long accept descriptors for any version of
+ Tor before 0.2.2.35, or for any 0.2.3 release before 0.2.3.10-alpha.
+ These versions are insecure, unsupported, or both. Implements
+ ticket 6789.
+
+ o Minor bugfixes:
+ - Rename the (internal-use-only) UsingTestingNetworkDefaults option
+ to start with a triple-underscore so the controller won't touch it.
+ Patch by Meejah. Fixes bug 3155. Bugfix on 0.2.2.23-alpha.
+ - Avoid segfault when starting up having run with an extremely old
+ version of Tor and parsing its state file. Fixes bug 6801; bugfix
+ on 0.2.2.23-alpha.
+ - Rename the (testing-use-only) _UseFilteringSSLBufferevents option
+ so it doesn't start with _. Fixes bug 3155. Bugfix on 0.2.3.1-alpha.
+ - Don't follow the NULL pointer if microdescriptor generation fails.
+ (This does not appear to be triggerable, but it's best to be safe.)
+ Found by "f. tp.". Fixes bug 6797; bugfix on 0.2.4.1-alpha.
+ - Fix mis-declared dependencies on src/common/crypto.c and
+ src/or/tor_main.c that could break out-of-tree builds under some
+ circumstances. Fixes bug 6778; bugfix on 0.2.4.1-alpha.
+ - Avoid a warning when building common_sha1.i out of tree. Fixes bug
+ 6778; bugfix on 0.2.4.1-alpha.
+ - Fix a harmless (in this case) build warning for implicitly
+ converting a strlen() to an int. Bugfix on 0.2.4.1-alpha.
+
+ o Removed features:
+ - Now that all versions before 0.2.2.x are disallowed, we no longer
+ need to work around their missing features. Thus we can remove a
+ bunch of compatibility code.
+
+ o Code refactoring:
+ - Tweak tor-fw-helper to accept an arbitrary amount of arbitrary
+ TCP ports to forward. In the past it only accepted two ports:
+ the ORPort and the DirPort.
+
+
+Changes in version 0.2.4.1-alpha - 2012-09-05
+ Tor 0.2.4.1-alpha lets bridges publish their pluggable transports to
+ bridgedb; lets relays use IPv6 addresses and directory authorities
+ advertise them; and switches to a cleaner build interface.
+
+ This is the first alpha release in a new series, so expect there to
+ be bugs. Users who would rather test out a more stable branch should
+ stay with 0.2.3.x for now.
+
+ o Major features (bridges):
+ - Bridges now report the pluggable transports they support to the
+ bridge authority, so it can pass the supported transports on to
+ bridgedb and/or eventually do reachability testing. Implements
+ ticket 3589.
+
+ o Major features (IPv6):
+ - Bridge authorities now accept IPv6 bridge addresses and include
+ them in network status documents. Implements ticket 5534.
+ - Clients who set "ClientUseIPv6 1" may connect to entry nodes over
+ IPv6. Set "ClientPreferIPv6ORPort 1" to make this even more likely
+ to happen. Implements ticket 5535.
+ - All kind of relays, not just bridges, can now advertise an IPv6
+ OR port. Implements ticket 6362.
+ - Directory authorities vote on IPv6 OR ports using the new consensus
+ method 14. Implements ticket 6363.
+
+ o Major features (build):
+ - Switch to a nonrecursive Makefile structure. Now instead of each
+ Makefile.am invoking other Makefile.am's, there is a master
+ Makefile.am that includes the others. This change makes our build
+ process slightly more maintainable, and improves parallelism for
+ building with make -j. Original patch by Stewart Smith; various
+ fixes by Jim Meyering.
+ - Where available, we now use automake's "silent" make rules by
+ default, so that warnings are easier to spot. You can get the old
+ behavior with "make V=1". Patch by Stewart Smith for ticket 6522.
+
+ o Minor features (code security and spec conformance):
+ - Clear keys and key-derived material left on the stack in
+ rendservice.c and rendclient.c. Check return value of
+ crypto_pk_write_private_key_to_string() in end_service_load_keys().
+ These fixes should make us more forward-secure against cold-boot
+ attacks and the like. Fixes bug 2385.
+ - Reject EXTEND cells sent to nonexistent streams. According to the
+ spec, an EXTEND cell sent to _any_ nonzero stream ID is invalid, but
+ we were only checking for stream IDs that were currently in use.
+ Found while hunting for more instances of bug 6271. Bugfix on
+ 0.0.2pre8, which introduced incremental circuit construction.
+
+ o Minor features (streamlining);
+ - No longer include the "opt" prefix when generating routerinfos
+ or v2 directories: it has been needless since Tor 0.1.2. Closes
+ ticket 5124.
+ - Remove some now-needless code that tried to aggressively flush
+ OR connections as data was added to them. Since 0.2.0.1-alpha, our
+ cell queue logic has saved us from the failure mode that this code
+ was supposed to prevent. Removing this code will limit the number
+ of baroque control flow paths through Tor's network logic. Reported
+ pseudonymously on IRC. Fixes bug 6468; bugfix on 0.2.0.1-alpha.
+
+ o Minor features (controller):
+ - Add a "GETINFO signal/names" control port command. Implements
+ ticket 3842.
+ - Provide default values for all options via "GETINFO config/defaults".
+ Implements ticket 4971.
+
+ o Minor features (IPv6):
+ - New config option "AuthDirHasIPv6Connectivity 1" that directory
+ authorities should set if they have IPv6 connectivity and want to
+ do reachability tests for IPv6 relays. Implements feature 5974.
+ - A relay with an IPv6 OR port now sends that address in NETINFO
+ cells (in addition to its other address). Implements ticket 6364.
+
+ o Minor features (log messages):
+ - Omit the first heartbeat log message, because it never has anything
+ useful to say, and it clutters up the bootstrapping messages.
+ Resolves ticket 6758.
+ - Don't log about reloading the microdescriptor cache at startup. Our
+ bootstrap warnings are supposed to tell the user when there's a
+ problem, and our bootstrap notices say when there isn't. Resolves
+ ticket 6759; bugfix on 0.2.2.6-alpha.
+ - Don't log "I learned some more directory information" when we're
+ reading cached directory information. Reserve it for when new
+ directory information arrives in response to a fetch. Resolves
+ ticket 6760.
+ - Prevent rounding error in path bias counts when scaling
+ them down, and use the correct scale factor default. Also demote
+ some path bias related log messages down a level and make others
+ less scary sounding. Fixes bug 6647. Bugfix against 0.2.3.17-beta.
+ - We no longer warn so much when generating manpages from their
+ asciidoc source.
+
+ o Code simplifications and refactoring:
+ - Enhance our internal sscanf replacement so that we can eliminate
+ the last remaining uses of the system sscanf. (Though those uses
+ of sscanf were safe, sscanf itself is generally error prone, so
+ we want to eliminate when we can.) Fixes ticket 4195 and Coverity
+ CID 448.
+ - Move ipv6_preferred from routerinfo_t to node_t. Addresses bug 4620.
+ - Move last_reachable and testing_since from routerinfo_t to node_t.
+ Implements ticket 5529.
+ - Add replaycache_t structure, functions and unit tests, then refactor
+ rend_service_introduce() to be more clear to read, improve, debug,
+ and test. Resolves bug 6177.
+ - Finally remove support for malloc_good_size and malloc_usable_size.
+ We had hoped that these functions would let us eke a little more
+ memory out of our malloc implementation. Unfortunately, the only
+ implementations that provided these functions are also ones that
+ are already efficient about not overallocation: they never got us
+ more than 7 or so bytes per allocation. Removing them saves us a
+ little code complexity and a nontrivial amount of build complexity.
+
+ o New requirements:
+ - Tor maintainers now require Automake version 1.9 or later to build
+ Tor from the Git repository. (Automake is not required when building
+ from a source distribution.)
+
+
+Changes in version 0.2.3.21-rc - 2012-09-05
+ Tor 0.2.3.21-rc is the fourth release candidate for the Tor 0.2.3.x
+ series. It fixes a trio of potential security bugs, fixes a bug where
+ we were leaving some of the fast relays out of the microdescriptor
+ consensus, resumes interpreting "ORPort 0" and "DirPort 0" correctly,
+ and cleans up other smaller issues.
+
+ o Major bugfixes (security):
+ - Tear down the circuit if we get an unexpected SENDME cell. Clients
+ could use this trick to make their circuits receive cells faster
+ than our flow control would have allowed, or to gum up the network,
+ or possibly to do targeted memory denial-of-service attacks on
+ entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
+ from July 2002, before the release of Tor 0.0.0. We had committed
+ this patch previously, but we had to revert it because of bug 6271.
+ Now that 6271 is fixed, this patch appears to work.
+ - Reject any attempt to extend to an internal address. Without
+ this fix, a router could be used to probe addresses on an internal
+ network to see whether they were accepting connections. Fixes bug
+ 6710; bugfix on 0.0.8pre1.
+ - Do not crash when comparing an address with port value 0 to an
+ address policy. This bug could have been used to cause a remote
+ assertion failure by or against directory authorities, or to
+ allow some applications to crash clients. Fixes bug 6690; bugfix
+ on 0.2.1.10-alpha.
+
+ o Major bugfixes:
+ - Remove the upper bound on microdescriptor length. We were hitting
+ the limit for routers with complex exit policies or family
+ declarations, causing clients to not use them. Fixes the first
+ piece of bug 6404; fix on 0.2.2.6-alpha.
+ - Detect "ORPort 0" as meaning, uniformly, that we're not running
+ as a relay. Previously, some of our code would treat the presence
+ of any ORPort line as meaning that we should act like a relay,
+ even though our new listener code would correctly not open any
+ ORPorts for ORPort 0. Similar bugs in other Port options are also
+ fixed. Fixes the first half of bug 6507; bugfix on 0.2.3.3-alpha.
+
+ o Minor bugfixes:
+ - Avoid a pair of double-free and use-after-mark bugs that can
+ occur with certain timings in canceled and re-received DNS
+ requests. Fixes bug 6472; bugfix on 0.0.7rc1.
+ - Fix build and 64-bit compile warnings from --enable-openbsd-malloc.
+ Fixes bug 6379. Bugfix on 0.2.0.20-rc.
+ - Allow one-hop directory fetching circuits the full "circuit build
+ timeout" period, rather than just half of it, before failing them
+ and marking the relay down. This fix should help reduce cases where
+ clients declare relays (or worse, bridges) unreachable because
+ the TLS handshake takes a few seconds to complete. Fixes bug 6743;
+ bugfix on 0.2.2.2-alpha, where we changed the timeout from a static
+ 30 seconds.
+ - Authorities no longer include any router in their microdescriptor
+ consensuses for which they couldn't generate or agree on a
+ microdescriptor. Fixes the second piece of bug 6404; fix on
+ 0.2.2.6-alpha.
+ - Detect and reject attempts to specify both "FooPort" and
+ "FooPort 0" in the same configuration domain. (It's still okay
+ to have a FooPort in your configuration file, and use "FooPort 0"
+ on the command line to disable it.) Fixes the second half of bug
+ 6507; bugfix on 0.2.3.3-alpha.
+ - Make wildcarded addresses (that is, ones beginning with "*.") work
+ when provided via the controller's MapAddress command. Previously,
+ they were accepted, but we never actually noticed that they were
+ wildcards. Fixes bug 6244; bugfix on 0.2.3.9-alpha.
+ - Avoid crashing on a malformed state file where EntryGuardPathBias
+ precedes EntryGuard. Fix for bug 6774; bugfix on 0.2.3.17-beta.
+ - Add a (probably redundant) memory clear between iterations of
+ the router status voting loop, to prevent future coding errors
+ where data might leak between iterations of the loop. Resolves
+ ticket 6514.
+
+ o Minor bugfixes (log messages):
+ - Downgrade "set buildtimeout to low value" messages to "info"
+ severity; they were never an actual problem, there was never
+ anything reasonable to do about them, and they tended to spam logs
+ from time to time. Fixes bug 6251; bugfix on 0.2.2.2-alpha.
+ - Downgrade path-bias warning messages to "info". We'll try to get
+ them working better in 0.2.4. Add internal circuit construction
+ state to protect against the noisy warn message "Unexpectedly high
+ circuit_successes". Also add some additional rate-limited notice
+ messages to help determine the root cause of the warn. Fixes bug
+ 6475. Bugfix against 0.2.3.17-beta.
+ - Move log message when unable to find a microdesc in a routerstatus
+ entry to parse time. Previously we'd spam this warning every time
+ we tried to figure out which microdescriptors to download. Fixes
+ the third piece of bug 6404; fix on 0.2.3.18-rc.
+
+ o Minor features:
+ - Consider new, removed or changed IPv6 OR ports a non-cosmetic
+ change when the authority is deciding whether to accept a newly
+ uploaded descriptor. Implements ticket 6423.
+ - Add missing documentation for consensus and microdesc files.
+ Resolves ticket 6732.
+
+
+Changes in version 0.2.2.38 - 2012-08-12
+ Tor 0.2.2.38 fixes a remotely triggerable crash bug, and fixes a timing
+ attack that could in theory leak path information.
+
+ o Security fixes:
+ - Avoid an uninitialized memory read when reading a vote or consensus
+ document that has an unrecognized flavor name. This read could
+ lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
+ - Try to leak less information about what relays a client is
+ choosing to a side-channel attacker. Previously, a Tor client would
+ stop iterating through the list of available relays as soon as it
+ had chosen one, thus finishing a little earlier when it picked
+ a router earlier in the list. If an attacker can recover this
+ timing information (nontrivial but not proven to be impossible),
+ they could learn some coarse-grained information about which relays
+ a client was picking (middle nodes in particular are likelier to
+ be affected than exits). The timing attack might be mitigated by
+ other factors (see bug 6537 for some discussion), but it's best
+ not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
+
+
+Changes in version 0.2.3.20-rc - 2012-08-05
+ Tor 0.2.3.20-rc is the third release candidate for the Tor 0.2.3.x
+ series. It fixes a pair of code security bugs and a potential anonymity
+ issue, updates our RPM spec files, and cleans up other smaller issues.
+
+ o Security fixes:
+ - Avoid read-from-freed-memory and double-free bugs that could occur
+ when a DNS request fails while launching it. Fixes bug 6480;
+ bugfix on 0.2.0.1-alpha.
+ - Avoid an uninitialized memory read when reading a vote or consensus
+ document that has an unrecognized flavor name. This read could
+ lead to a remote crash bug. Fixes bug 6530; bugfix on 0.2.2.6-alpha.
+ - Try to leak less information about what relays a client is
+ choosing to a side-channel attacker. Previously, a Tor client would
+ stop iterating through the list of available relays as soon as it
+ had chosen one, thus finishing a little earlier when it picked
+ a router earlier in the list. If an attacker can recover this
+ timing information (nontrivial but not proven to be impossible),
+ they could learn some coarse-grained information about which relays
+ a client was picking (middle nodes in particular are likelier to
+ be affected than exits). The timing attack might be mitigated by
+ other factors (see bug 6537 for some discussion), but it's best
+ not to take chances. Fixes bug 6537; bugfix on 0.0.8rc1.
+
+ o Minor features:
+ - Try to make the warning when giving an obsolete SOCKSListenAddress
+ a little more useful.
+ - Terminate active server managed proxies if Tor stops being a
+ relay. Addresses parts of bug 6274; bugfix on 0.2.3.6-alpha.
+ - Provide a better error message about possible OSX Asciidoc failure
+ reasons. Fixes bug 6436.
+ - Warn when Tor is configured to use accounting in a way that can
+ link a hidden service to some other hidden service or public
+ address. Resolves ticket 6490.
+
+ o Minor bugfixes:
+ - Check return value of fputs() when writing authority certificate
+ file. Fixes Coverity issue 709056; bugfix on 0.2.0.1-alpha.
+ - Ignore ServerTransportPlugin lines when Tor is not configured as
+ a relay. Fixes bug 6274; bugfix on 0.2.3.6-alpha.
+ - When disabling guards for having too high a proportion of failed
+ circuits, make sure to look at each guard. Fixes bug 6397; bugfix
+ on 0.2.3.17-beta.
+
+ o Packaging (RPM):
+ - Update our default RPM spec files to work with mock and rpmbuild
+ on RHEL/Fedora. They have an updated set of dependencies and
+ conflicts, a fix for an ancient typo when creating the "_tor"
+ user, and better instructions. Thanks to Ondrej Mikle for the
+ patch series. Fixes bug 6043.
+
+ o Testing:
+ - Make it possible to set the TestingTorNetwork configuration
+ option using AlternateDirAuthority and AlternateBridgeAuthority
+ as an alternative to setting DirServer. Addresses ticket 6377.
+
+ o Documentation:
+ - Clarify the documentation for the Alternate*Authority options.
+ Fixes bug 6387.
+ - Fix some typos in the manpages. Patch from A. Costa. Fixes bug 6500.
+
+ o Code simplification and refactoring:
+ - Do not use SMARTLIST_FOREACH for any loop whose body exceeds
+ 10 lines. Also, don't nest them. Doing so in the past has
+ led to hard-to-debug code. The new style is to use the
+ SMARTLIST_FOREACH_{BEGIN,END} pair. Addresses issue 6400.
+
+
+Changes in version 0.2.3.19-rc - 2012-07-06
+ Tor 0.2.3.19-rc is the second release candidate for the Tor 0.2.3.x
+ series. It fixes the compile on Windows, reverts to a GeoIP database
+ that isn't as broken, and fixes a flow control bug that has been around
+ since the beginning of Tor.
+
+ o Major bugfixes:
+ - Fix a bug handling SENDME cells on nonexistent streams that could
+ result in bizarre window values. Report and patch contributed
+ pseudonymously. Fixes part of bug 6271. This bug was introduced
+ before the first Tor release, in svn commit r152.
+ - Revert to the May 1 2012 Maxmind GeoLite Country database. In the
+ June 2012 database, Maxmind marked many Tor relays as country "A1",
+ which will cause risky behavior for clients that set EntryNodes
+ or ExitNodes. Addresses bug 6334; bugfix on 0.2.3.17-beta.
+ - Instead of ENOBUFS on Windows, say WSAENOBUFS. Fixes compilation
+ on Windows. Fixes bug 6296; bugfix on 0.2.3.18-rc.
+
+ o Minor bugfixes:
+ - Fix wrong TCP port range in parse_port_range(). Fixes bug 6218;
+ bugfix on 0.2.1.10-alpha.
+
+
Changes in version 0.2.3.18-rc - 2012-06-28
Tor 0.2.3.18-rc is the first release candidate for the Tor 0.2.3.x
series. It fixes a few smaller bugs, but generally appears stable.
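Review bot: the 0.2.2.38 "Security fixes" entries for bugs 6530 and 6537 repeat the 0.2.3.20-rc entries word for word but carry no cross-reference. The 0.2.4.5-alpha section in this same hunk marks shared fixes with "(also in 0.2.3.24-rc)", so the 0.2.2.38 heading could read "o Security fixes (also in 0.2.3.20-rc):", which tells packagers tracking one series that the other has the same fix. Two smaller points: in 0.2.3.20-rc the "Minor features" items for bug 6274 and bug 6436 are worded as fixes ("bugfix on 0.2.3.6-alpha", "Fixes bug 6436") and would sit better under "Minor bugfixes", and the origin tags vary ("fix on 0.2.2.6-alpha", "Bugfix against 0.2.3.17-beta") where the other entries use "bugfix on".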
@@ -225,7 +975,7 @@ Changes in version 0.2.3.16-alpha - 2012-06-05
indefinitely. Fixes bug 5380; bugfix on 0.2.1.14-rc.
- When fetching a bridge descriptor from a bridge authority,
always do so anonymously, whether we have been able to open
- circuits or not. Partial fix for bug 1938; bugfix on 2.0.7-alpha.
+ circuits or not. Partial fix for bug 1938; bugfix on 0.2.0.7-alpha.
This behavior makes it *safer* to use UpdateBridgesFromAuthority,
but we'll need to wait for bug 6010 before it's actually usable.
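Review bot: the changed line replaces "2.0.7-alpha" with "0.2.0.7-alpha" inside the already released 0.2.3.16-alpha section, and nothing in a patch that is otherwise made of new release sections tells the reader about it. Please mention the correction in the commit message, and check the rest of the file for other "bugfix on" versions missing the leading "0.", since anyone using these tags to work out which releases carry a bug will be misled by a version that never existed.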
@@ -955,7 +1705,8 @@ Changes in version 0.2.3.11-alpha - 2012-01-22
FastFlagMaxThreshold) to control the range of allowable bandwidths
for the Fast directory flag. These allow authorities to run
experiments on appropriate requirements for being a "Fast" node.
- The AuthDirFastGuarantee config value still applies.
+ The AuthDirFastGuarantee config value still applies. Implements
+ ticket 3946.
- Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
directory authority option (introduced in Tor 0.2.2.34).
@@ -1270,6 +2021,29 @@ Changes in version 0.2.2.35 - 2011-12-16
by removing an absolute path from makensis.exe command.
+Changes in version 0.2.1.32 - 2011-12-16
+ Tor 0.2.1.32 backports important security and privacy fixes for
+ oldstable. This release is intended only for package maintainers and
+ others who cannot use the 0.2.2 stable series. All others should be
+ using Tor 0.2.2.x or newer.
+
+ The Tor 0.2.1.x series will reach formal end-of-life some time in
+ early 2012; we will stop releasing patches for it then.
+
+ o Major bugfixes (also included in 0.2.2.x):
+ - Correctly sanity-check that we don't underflow on a memory
+ allocation (and then assert) for hidden service introduction
+ point decryption. Bug discovered by Dan Rosenberg. Fixes bug 4410;
+ bugfix on 0.2.1.5-alpha.
+ - Fix a heap overflow bug that could occur when trying to pull
+ data into the first chunk of a buffer, when that chunk had
+ already had some data drained from it. Fixes CVE-2011-2778;
+ bugfix on 0.2.0.16-alpha. Reported by "Vektor".
+
+ o Minor features:
+ - Update to the December 6 2011 Maxmind GeoLite Country database.
+
+
Changes in version 0.2.3.9-alpha - 2011-12-08
Tor 0.2.3.9-alpha introduces initial IPv6 support for bridges, adds
a "DisableNetwork" security feature that bundles can use to avoid
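Review bot: in the new 0.2.1.32 section, the heap overflow (CVE-2011-2778) and the allocation underflow for hidden service introduction point decryption (bug 4410) are listed under "o Major bugfixes (also included in 0.2.2.x):", which neither marks them as security fixes nor says which 0.2.2 release carries them. The other sections in this patch use "o Security fixes:" or "o Major bugfixes (security, also in 0.2.3.24-rc):"; a heading in that form, naming the exact 0.2.2 release, would let package maintainers on oldstable see at a glance that this is a security update and what to compare it against. The bug 4410 entry also says only "(and then assert)"; stating the impact, as the bug 6530 entry does with "could lead to a remote crash bug", would help readers triage.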