From 565c9d436f52467d004c351eacfab5db8c17ac83 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 18 Jun 2014 11:49:50 -0400 Subject: Edit 0.2.5.5-alpha changelog for terseness and grammar. --- ChangeLog | 135 ++++++++++++++++++++++++++++++-------------------------------- 1 file changed, 66 insertions(+), 69 deletions(-) diff --git a/ChangeLog b/ChangeLog index cddd5adbf..a2067249d 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,23 +1,22 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? - Write a blurb here. + Tor 0.2.5.5-alpha fixes a wide variety of remaining issues in the Tor + 0.2.5.x release series, including a couple of DoS issues, some performance + regressions, and a large number of bugs affecting the Linux + seccomp2 sandbox code, and various other bugfixes. It also adds diagnostic + bugfixes for a few tricky issues that we're trying to track down. o Major features (security, traffic analysis resistance): - - Increase the base amount of time that a canonical connection (one - that we have made to a known OR) is allowed to stay idle from 3 - minutes to 15 minutes. This leaks less information about when - circuits have closed, and avoids unnecessary overhead from - renegotiating connections. Part of a fix for ticket 6799. - - Instead of closing connections after they have been idle for a - fixed interval, randomly add up to 50% to each connection's - maximum timeout. This makes it harder to tell when the last - circuit closed by looking at when a connection closes. Part of a - fix for ticket 6799. - - Base connection idleness tests on the actual time elapsed since - the connection last had circuits, not on the time when we last - added non-padding. This change also makes it harder for an - observer to tell when the last circuit closed by looking at when a - connection closes. Part of a fix for ticket 6799. Incidentally - fixes bug 12023; bugfix on 0.2.5.1-alpha. + - Several major improvements to the algorithm used to decide + when to close TLS connections. Previous versions of Tor closed connections + at a fixed interval after the last time a non-padding cell was sent + over the connection, regardless of the target of the connection. 
Now, + we randomize the intervals by adding up to 50% of their base value, + we measure the length of time since connection last had at least one + circuit, and we we allow connections to known ORs to remain open a + little longer (15 minutes instead of 3 minutes minimum). These changes + should improve Tor's resistance against some kinds of traffic analysis, + and lower some overhead from needlessly closed connections. Fixes + ticket 6799. Incidentally fixes ticket 12023; bugfix on 0.2.5.1-alpha. o Major bugfixes (security, OOM, new since 0.2.5.4-alpha, also in 0.2.4.22): - Fix a memory leak that could occur if a microdescriptor parse @@ -25,23 +24,11 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? exhaustion attack by directory servers. Fixes bug 11649; bugfix on 0.2.2.6-alpha. - o Major bugfixes (relay): - - When uploading to the directory authorities, use a direct dirport - connection if we are a uploading an ordinary, non-anonymous - directory object. Previously, relays would used tunnel connections - under a fairly wide variety of circumstances. Fixes bug 11469; - bugfix on 0.2.4.3-alpha. - - When a circuit accidentally has the same circuit ID for its - forward and reverse direction, correctly detect the direction of - cells using that circuit. Previously, this would have made roughly - one circuit in a million non-functional. Fixes bug 12195; this is - a bugfix on every version of Tor. - o Major bugfixes (security, directory authorities): - Directory authorities now include a digest of each relay's identity key as a part of its microdescriptor. - This is a workaround for bug #11743 (reported by "cypherpunks"), + This is a workaround for bug 11743 (reported by "cypherpunks"), where Tor clients do not support receiving multiple microdescriptors with the same SHA256 digest in the same consensus. When clients receive a consensus like this, they only 
@@ -53,36 +40,49 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? attacker from causing a microdescriptor collision, because the router's identity is not forgeable. + o Major bugfixes (relay): + - Use a direct dirport connection when uploading non-anonymous descriptors to the directory authorities. + object. Previously, relays would incorrectly use tunnel connections + under a fairly wide variety of circumstances. Fixes bug 11469; bugfix + on 0.2.4.3-alpha. + - When a circuit accidentally has the same circuit ID for its + forward and reverse direction, correctly detect the direction of + cells using that circuit. Previously, this bug made roughly + one circuit in a million non-functional. Fixes bug 12195; this is + a bugfix on every version of Tor. + o Major bugfixes (client, pluggable transports): - When managing pluggable transports, use OS notification facilities - to learn if they have crashed, and do not attempt to kill any - process that has already exited. Fix for bug 8746; bugfix + to learn if they have crashed, and don't attempt to kill any + process that has already exited. Fixes bug 8746; bugfix on 0.2.3.6-alpha. o Minor features (diagnostic): - - When logging a warning because of bug #7164, additionally check - the hash table for consistency (as proposed on ticket #11737). - This may help diagnose bug #7164. + - When logging a warning because of bug 7164, additionally check + the hash table for consistency (as proposed on ticket 11737). + This may help diagnose bug 7164. - When we log a heartbeat, log how many one-hop circuits we have that are at least 30 minutes old, and log status information about a few of them. This is an attempt to track down bug 8387. - - When we encounter an unexpected CR in text that we're trying to - write to a file on Windows, log the name of the file. Should help + - When encountering an unexpected CR while writing text to a + file on Windows, log the name of the file. Should help diagnosing bug 11233. 
- - Give more specific warnings when we notice at the client side that + - Give more specific warnings when a client notices that an onion handshake has failed. Fixes ticket 9635. - Add significant new logging code to attempt to diagnose bug 12184, where relays seem to run out of available circuit IDs. - - Improve the diagnostic log message for bug #8387 even further to + - Improve the diagnostic log message for bug 8387 even further to try to improve our odds of figuring out why one-hop directory circuits sometimes do not get closed. o Minor features (security, memory management): - - Add configure options controlling allocator tricks like mempools - and freelists, and turn them off by default; on most platforms - malloc is reasonable enough for this not to be necessary, and a - similar feature in OpenSSL exacerbated Heartbleed. Fixes - bug #11476. + - Memory allocation tricks (mempools and buffer freelists) + are now disabled by default. You can turn them back on with + --enable-mempools and --enable-buf-freelists respectively. + We're disabling these features because malloc performance is good + enough on most platforms, and a + similar feature in OpenSSL exacerbated exploitation of the Heartbleed + attack. Resolves ticket 11476. o Minor features (security): - Apply the secure SipHash-2-4 function to the hash table mapping 
@@ -99,21 +99,22 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? - Update geoip and geoip6 to the June 4 2014 Maxmind GeoLite2 Country database. - o Minor bugfixes (configuration, security, new since 0.2.5.4-alpha, also in 0.2.4.22): + o Minor bugfixes (security, new since 0.2.5.4-alpha, also in 0.2.4.22): - When running a hidden service, do not allow TunneledDirConns 0; this will keep the hidden service from running, and also make it publish its descriptors directly over HTTP. Fixes bug 10849; bugfix on 0.2.1.1-alpha. o Minor bugfixes (performance): - - Do not recompute whether we have sufficient information to build - circuits every time we make a successful connection. Previously, - we would forget our cached value for this flag every time we + - Avoid a bug where every successful connection made us recompute the + flag telling us whether we have sufficient information to build + circuits. Previously, + we would forget our cached value successfully opened a channel (or marked a router as running or not running for any other reason), regardless of whether we had previously believed the router to be running. This forced us to - run a fairly expensive update operation with relatively high - frequency. Fixes bug 12170; bugfix on 0.1.2.1-alpha. + run an expensive update operation far too often. + Fixes bug 12170; bugfix on 0.1.2.1-alpha. - Avoid using tor_memeq() for checking relay cell integrity. This removes a possible performance bottleneck. Fixes part of bug 12169; bugfix on 0.2.1.31. @@ -135,6 +136,8 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? 0.2.4.8-alpha. Patch from "conradev". - Fix compilation when DNS_CACHE_DEBUG is enabled. Fixes bug 11761; bugfix on 0.2.3.13-alpha. Found by "cypherpunks". + - Fix compilation with dmalloc. Fixes bug 11605; bugfix + on 0.2.4.10-alpha. o Minor bugfixes (Directory server): - When sending a compressed set of descriptors or microdescriptors, 
@@ -144,17 +147,8 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? finished. This caused problems for decompression tools. Fixes bug 11648; bugfix on 0.1.1.23. - o Minor bugfixes (dmalloc): - - Fix compilation with dmalloc. Fixes bug 11605; bugfix - on 0.2.4.10-alpha. - - o Minor bugfixes (documentation): - - Correct the documenation so that it lists the correct directories - for the stats files. (They are in a subdirectory called "stats", - not "status".) - o Minor bugfixes (Linux seccomp sandbox): - - Make the seccomp sandbox code compile with ARM linux. Fixes bug + - Make the seccomp sandbox code compile under ARM linux. Fixes bug 11622; bugfix on 0.2.5.1-alpha. - Avoid crashing when re-opening listener ports with the seccomp sandbox active. Fixes bug 12115; bugfix on 0.2.5.1-alpha. @@ -185,9 +179,9 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? - Avoid warnings when running with sandboxing enabled at the same time as cookie authentication, hidden services or directory authority voting. Fixes part of 12064; bugfix on 0.2.5.1-alpha. - - Do not allow options which would require us to call exec to be - enabled along with the seccomp2 sandbox: they will inevitably - crash. Fix for bug 12043; bugfix on 0.2.5.1-alpha. + - Do not allow options that require calls to exec to be + enabled alongside the seccomp2 sandbox: they will inevitably + crash. Fixes bug 12043; bugfix on 0.2.5.1-alpha. - Handle failures in getpwnam()/getpwuid() when running with the User option set and the Linux syscall sandbox enabled. Fixes bug 11946; bugfix on 0.2.5.1-alpha. 
@@ -213,7 +207,7 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? - Avoid "Tried to open a socket with DisableNetwork set" warnings when starting a client with bridges configured and DisableNetwork set. (Tor launcher starts Tor with DisableNetwork set the first - time.) Fixes bug 10405; bugfix on 0.2.3.9-alpha. + time it runs.) Fixes bug 10405; bugfix on 0.2.3.9-alpha. o Minor bugfixes (testing): - The Python parts of the test scripts now work on Python 3 as well @@ -261,15 +255,15 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? v2 link handshake. Fixes bug 12227; bugfix on 0.2.4.8-alpha. Found by "starlight". - When rejecting DATA cells for stream_id zero, still count them - against the circuit's deliver window so that we don't get fail to - send a SENDME. Fix for bug 11246; bugfix on 0.2.4.10-alpha. + against the circuit's deliver window so that we don't fail to + send a SENDME. Fixes bug 11246; bugfix on 0.2.4.10-alpha. o Minor bugfixes (logging): - Fix a misformatted log message about delayed directory fetches. Fixes bug 11654; bugfix on 0.2.5.3-alpha. - Squelch a spurious LD_BUG message "No origin circuit for successful SOCKS stream" in certain hidden service failure cases; - fixes bug #10616. + fixes bug 10616. o Distribution: - Include a tor.service file in contrib/dist for use with systemd. 
@@ -283,14 +277,17 @@ Changes in version 0.2.5.5-alpha - 2014-06-1? directory authority options, remove the documentation for a V2-directory fetching option that no longer exists. Resolves ticket 11634. + - Correct the documenation so that it lists the correct directory + for the stats files. (They are in a subdirectory called "stats", + not "status".) - In the manpage, move more authority-only options into the directory authority section so that operators of regular directory caches don't get confused. o Package cleanup: - - The contrib directory has been sorted and tidy. Before, it was an + - The contrib directory has been sorted and tidied. Before, it was an unsorted dumping ground for useful and not-so-useful things. Now, - it has been divided based on functionality, and the items which + it is divided based on functionality, and the items which seemed to be nonfunctional or useless have been removed. Resolves ticket 8966; based on patches from "rl1987". -- cgit v1.2.3
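Review bot: in the @@ -1,23 +1,22 @@ hunk, the merged traffic-analysis entry has a doubled word in "and we we allow connections to known ORs" and a missing article in "since connection last had at least one circuit"; suggest "and we allow" and "since the connection last had". The three removed entries each read "Part of a fix for ticket 6799", while the merged entry reads "Fixes ticket 6799", so either confirm that these changes close the ticket or keep the "part of" wording. In the new blurb, "fixes a wide variety of remaining issues ... and various other bugfixes" and "adds diagnostic bugfixes" do not parse cleanly; "and various other bugs" and "diagnostic code" would match the "Minor features (diagnostic)" section below.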
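Review bot: in the @@ -53,36 +40,49 @@ hunk, the re-added "Major bugfixes (relay)" entry carries a leftover fragment: its first added line ends with "to the directory authorities." and the next added line starts with "object. Previously, relays would incorrectly use tunnel connections". Drop the stray "object." and rewrap the entry, since that first line is also far longer than the wrapped lines around it.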
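Review bot: in the @@ -99,21 +99,22 @@ hunk, the rewritten performance entry lost part of a sentence: the removed line ended "for this flag every time we", and the added line "we would forget our cached value" now runs straight into the unchanged "successfully opened a channel". Restore "every time we" at the end of the added line so the sentence reads "we would forget our cached value every time we successfully opened a channel". The heading change in the same hunk drops "configuration" from an entry that is about the TunneledDirConns option; worth confirming that is intended.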
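Review bot: in the @@ -144,17 +147,8 @@ hunk, the reworded line "Make the seccomp sandbox code compile under ARM linux" keeps a lowercase "linux" directly under the heading "Minor bugfixes (Linux seccomp sandbox)"; since the line is being touched anyway, capitalize it to "ARM Linux" for consistency.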
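Review bot: in the @@ -283,14 +277,17 @@ hunk, the documentation entry moved here still has the typo "documenation" in the added line "Correct the documenation so that it lists the correct directory"; fix it to "documentation" as part of this grammar pass. The moved text also changes "correct directories" to "correct directory", which is fine if only the one "stats" subdirectory is meant.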