tor/ChangeLog

Changes in version 0.3.1.3-alpha - 2017-06-08
  Tor 0.3.1.3-alpha fixes a pair of bugs that would allow an attacker to
  remotely crash a hidden service with an assertion failure. Anyone
  running a hidden service should upgrade to this version, or to some
  other version with fixes for TROVE-2017-004 and TROVE-2017-005.

  Tor 0.3.1.3-alpha also includes fixes for several key management bugs
  that sometimes made relays unreliable, as well as several other
  bugfixes described below.

  o Major bugfixes (hidden service, relay, security):
    - Fix a remotely triggerable assertion failure when a hidden service
      handles a malformed BEGIN cell. Fixes bug 22493, tracked as
      TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Major bugfixes (relay, link handshake):
    - When performing the v3 link handshake on a TLS connection, report
      that we have the x509 certificate that we actually used on that
      connection, even if we have changed certificates since that
      connection was first opened. Previously, we would claim to have
      used our most recent x509 link certificate, which would sometimes
      make the link handshake fail. Fixes one case of bug 22460; bugfix
      on 0.2.3.6-alpha.

  o Major bugfixes (relays, key management):
    - Regenerate link and authentication certificates whenever the key
      that signs them changes; also, regenerate link certificates
      whenever the signed key changes. Previously, these processes were
      only weakly coupled, and we relays could (for minutes to hours)
      wind up with an inconsistent set of keys and certificates, which
      other relays would not accept. Fixes two cases of bug 22460;
      bugfix on 0.3.0.1-alpha.
    - When sending an Ed25519 signing->link certificate in a CERTS cell,
      send the certificate that matches the x509 certificate that we
      used on the TLS connection. Previously, there was a race condition
      if the TLS context rotated after we began the TLS handshake but
      before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
      on 0.3.0.1-alpha.

  o Major bugfixes (torrc, crash):
    - Fix a crash bug when using %include in torrc. Fixes bug 22417;
      bugfix on 0.3.1.1-alpha. Patch by Daniel Pinto.

  o Minor features (code style):
    - Add "Falls through" comments to our codebase, in order to silence
      GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
      Stieger. Closes ticket 22446.

  o Minor features (diagnostic):
    - Add logging messages to try to diagnose a rare bug that seems to
      generate RSA->Ed25519 cross-certificates dated in the 1970s. We
      think this is happening because of incorrect system clocks, but
      we'd like to know for certain. Diagnostic for bug 22466.

  o Minor bugfixes (correctness):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

  o Minor bugfixes (directory protocol):
    - Check for libzstd >= 1.1, because older versions lack the
      necessary streaming API. Fixes bug 22413; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (link handshake):
    - Lower the lifetime of the RSA->Ed25519 cross-certificate to six
      months, and regenerate it when it is within one month of expiring.
      Previously, we had generated this certificate at startup with a
      ten-year lifetime, but that could lead to weird behavior when Tor
      was started with a grossly inaccurate clock. Mitigates bug 22466;
      mitigation on 0.3.0.1-alpha.

  o Minor bugfixes (storage directories):
    - Always check for underflows in the cached storage directory usage.
      If the usage does underflow, re-calculate it. Also, avoid a
      separate underflow when the usage is not known. Fixes bug 22424;
      bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (unit tests):
    - The unit tests now pass on systems where localhost is misconfigured
      to some IPv4 address other than 127.0.0.1. Fixes bug 6298; bugfix
      on 0.0.9pre2.

  o Documentation:
    - Clarify the manpage for the (deprecated) torify script. Closes
      ticket 6892.

Changes in version 0.3.0.8 - 2017-06-08
  Tor 0.3.0.8 fixes a pair of bugs that would allow an attacker to
  remotely crash a hidden service with an assertion failure. Anyone
  running a hidden service should upgrade to this version, or to some
  other version with fixes for TROVE-2017-004 and TROVE-2017-005.

  Tor 0.3.0.8 also includes fixes for several key management bugs
  that sometimes made relays unreliable, as well as several other
  bugfixes described below.

  o Major bugfixes (hidden service, relay, security, backport
    from 0.3.1.3-alpha):
    - Fix a remotely triggerable assertion failure when a hidden service
      handles a malformed BEGIN cell. Fixes bug 22493, tracked as
      TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
    - When performing the v3 link handshake on a TLS connection, report
      that we have the x509 certificate that we actually used on that
      connection, even if we have changed certificates since that
      connection was first opened. Previously, we would claim to have
      used our most recent x509 link certificate, which would sometimes
      make the link handshake fail. Fixes one case of bug 22460; bugfix
      on 0.2.3.6-alpha.

  o Major bugfixes (relays, key management, backport from 0.3.1.3-alpha):
    - Regenerate link and authentication certificates whenever the key
      that signs them changes; also, regenerate link certificates
      whenever the signed key changes. Previously, these processes were
      only weakly coupled, and we relays could (for minutes to hours)
      wind up with an inconsistent set of keys and certificates, which
      other relays would not accept. Fixes two cases of bug 22460;
      bugfix on 0.3.0.1-alpha.
    - When sending an Ed25519 signing->link certificate in a CERTS cell,
      send the certificate that matches the x509 certificate that we
      used on the TLS connection. Previously, there was a race condition
      if the TLS context rotated after we began the TLS handshake but
      before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
      on 0.3.0.1-alpha.

  o Major bugfixes (hidden service v3, backport from 0.3.1.1-alpha):
    - Stop rejecting v3 hidden service descriptors because their size
      did not match an old padding rule. Fixes bug 22447; bugfix on
      tor-0.3.0.1-alpha.

  o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
    - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
      December 2016 (of which ~126 were still functional) with a list of
      151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
      2017. Resolves ticket 21564.

  o Minor bugfixes (configuration, backport from 0.3.1.1-alpha):
    - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes
      bug 22252; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

  o Minor bugfixes (link handshake, backport from 0.3.1.3-alpha):
    - Lower the lifetime of the RSA->Ed25519 cross-certificate to six
      months, and regenerate it when it is within one month of expiring.
      Previously, we had generated this certificate at startup with a
      ten-year lifetime, but that could lead to weird behavior when Tor
      was started with a grossly inaccurate clock. Mitigates bug 22466;
      mitigation on 0.3.0.1-alpha.

  o Minor bugfixes (memory leak, directory authority, backport from
    0.3.1.2-alpha):
    - When directory authorities reject a router descriptor due to
      keypinning, free the router descriptor rather than leaking the
      memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.


Changes in version 0.2.9.11 - 2017-06-08
  Tor 0.2.9.11 backports a fix for a bug that would allow an attacker to
  remotely crash a hidden service with an assertion failure. Anyone
  running a hidden service should upgrade to this version, or to some
  other version with fixes for TROVE-2017-005. (Versions before 0.3.0
  are not affected by TROVE-2017-004.)

  Tor 0.2.9.11 also backports fixes for several key management bugs
  that sometimes made relays unreliable, as well as several other
  bugfixes described below.

  o Major bugfixes (hidden service, relay, security, backport
    from 0.3.1.3-alpha):
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
    - When performing the v3 link handshake on a TLS connection, report
      that we have the x509 certificate that we actually used on that
      connection, even if we have changed certificates since that
      connection was first opened. Previously, we would claim to have
      used our most recent x509 link certificate, which would sometimes
      make the link handshake fail. Fixes one case of bug 22460; bugfix
      on 0.2.3.6-alpha.

  o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
    - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
      December 2016 (of which ~126 were still functional) with a list of
      151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
      2017. Resolves ticket 21564.

  o Minor features (future-proofing, backport from 0.3.0.7):
    - Tor no longer refuses to download microdescriptors or descriptors if
      they are listed as "published in the future".  This change will
      eventually allow us to stop listing meaningful "published" dates
      in microdescriptor consensuses, and thereby allow us to reduce the
      resources required to download consensus diffs by over 50%.
      Implements part of ticket 21642; implements part of proposal 275.

  o Minor features (directory authorities, backport from 0.3.0.4-rc)
    - Directory authorities now reject relays running versions
      0.2.9.1-alpha through 0.2.9.4-alpha, because those relays
      suffer from bug 20499 and don't keep their consensus cache
      up-to-date. Resolves ticket 20509.

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (control port, backport from 0.3.0.6):
    - The GETINFO extra-info/digest/<digest> command was broken because
      of a wrong base16 decode return value check, introduced when
      refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

  o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.0.7):
    - The getpid() system call is now permitted under the Linux seccomp2
      sandbox, to avoid crashing with versions of OpenSSL (and other
      libraries) that attempt to learn the process's PID by using the
      syscall rather than the VDSO code. Fixes bug 21943; bugfix
      on 0.2.5.1-alpha.

  o Minor bugfixes (memory leak, directory authority, backport
    from 0.3.1.2-alpha):
    - When directory authorities reject a router descriptor due to
      keypinning, free the router descriptor rather than leaking the
      memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.

Changes in version 0.2.8.14 - 2017-06-08
  Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to
  remotely crash a hidden service with an assertion failure. Anyone
  running a hidden service should upgrade to this version, or to some
  other version with fixes for TROVE-2017-005.  (Versions before 0.3.0
  are not affected by TROVE-2017-004.)

  o Major bugfixes (hidden service, relay, security):
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
      Country database.

  o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
    - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
      December 2016 (of which ~126 were still functional) with a list of
      151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
      2017. Resolves ticket 21564.

  o Minor bugfixes (correctness):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

Changes in version 0.2.7.8 - 2017-06-08
  Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to
  remotely crash a hidden service with an assertion failure. Anyone
  running a hidden service should upgrade to this version, or to some
  other version with fixes for TROVE-2017-005.  (Versions before 0.3.0
  are not affected by TROVE-2017-004.)

  o Major bugfixes (hidden service, relay, security):
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (correctness):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.


Changes in version 0.2.6.12 - 2017-06-08
  Tor 0.2.6.12 backports a fix for a bug that would allow an attacker to
  remotely crash a hidden service with an assertion failure. Anyone
  running a hidden service should upgrade to this version, or to some
  other version with fixes for TROVE-2017-005.  (Versions before 0.3.0
  are not affected by TROVE-2017-004.)

  o Major bugfixes (hidden service, relay, security):
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (correctness):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

Changes in version 0.2.5.14 - 2017-06-08
  Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to
  remotely crash a hidden service with an assertion failure. Anyone
  running a hidden service should upgrade to this version, or to some
  other version with fixes for TROVE-2017-005.  (Versions before 0.3.0
  are not affected by TROVE-2017-004.)

  o Major bugfixes (hidden service, relay, security):
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (correctness):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

Changes in version 0.2.4.29 - 2017-06-08
  Tor 0.2.4.29 backports a fix for a bug that would allow an attacker to
  remotely crash a hidden service with an assertion failure. Anyone
  running a hidden service should upgrade to this version, or to some
  other version with fixes for TROVE-2017-005.  (Versions before 0.3.0
  are not affected by TROVE-2017-004.)

  o Major bugfixes (hidden service, relay, security):
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (correctness):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.


Changes in version 0.3.1.2-alpha - 2017-05-26
  Tor 0.3.1.2-alpha is the second release in the 0.3.1.x series. It
  fixes a few bugs found while testing 0.3.1.1-alpha, including a
  memory corruption bug that affected relay stability.

  o Major bugfixes (crash, relay):
    - Fix a memory-corruption bug in relays that set MyFamily.
      Previously, they would double-free MyFamily elements when making
      the next descriptor or when changing their configuration. Fixes
      bug 22368; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (logging):
    - Log a better message when a directory authority replies to an
      upload with an unexpected status code. Fixes bug 11121; bugfix
      on 0.1.0.1-rc.

  o Minor bugfixes (memory leak, directory authority):
    - When directory authorities reject a router descriptor due to
      keypinning, free the router descriptor rather than leaking the
      memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.


Changes in version 0.3.1.1-alpha - 2017-05-22
  Tor 0.3.1.1-alpha is the first release in the 0.3.1.x series. It
  reduces the bandwidth usage for Tor's directory protocol, adds some
  basic padding to resist netflow-based traffic analysis and to serve as
  the basis of other padding in the future, and adds rust support to the
  build system.

  It also contains numerous other small features and improvements to
  security, correctness, and performance.

  Below are the changes since 0.3.0.7.

  o Major features (directory protocol):
    - Tor relays and authorities can now serve clients an abbreviated
      version of the consensus document, containing only the changes
      since an older consensus document that the client holds. Clients
      now request these documents when available. When both client and
      server use this new protocol, they will use far less bandwidth (up
      to 94% less) to keep the client's consensus up-to-date. Implements
      proposal 140; closes ticket 13339. Based on work by Daniel Martí.
    - Tor can now compress directory traffic with lzma or with zstd
      compression algorithms, which can deliver better bandwidth
      performance. Because lzma is computationally expensive, it's only
      used for documents that can be compressed once and served many
      times. Support for these algorithms requires that tor is built
      with the libzstd and/or liblzma libraries available. Implements
      proposal 278; closes ticket 21662.
    - Relays now perform the more expensive compression operations, and
      consensus diff generation, in worker threads. This separation
      avoids delaying the main thread when a new consensus arrives.

  o Major features (experimental):
    - Tor can now build modules written in Rust. To turn this on, pass
      the "--enable-rust" flag to the configure script. It's not time to
      get excited yet: currently, there is no actual Rust functionality
      beyond some simple glue code, and a notice at startup to tell you
      that Rust is running. Still, we hope that programmers and
      packagers will try building Tor with Rust support, so that we can
      find issues and solve portability problems. Closes ticket 22106.

  o Major features (traffic analysis resistance):
    - Connections between clients and relays now send a padding cell in
      each direction every 1.5 to 9.5 seconds (tunable via consensus
      parameters). This padding will not resist specialized
      eavesdroppers, but it should be enough to make many ISPs' routine
      network flow logging less useful in traffic analysis against
      Tor users.

      Padding is negotiated using Tor's link protocol, so both relays
      and clients must upgrade for this to take effect. Clients may
      still send padding despite the relay's version by setting
      ConnectionPadding 1 in torrc, and may disable padding by setting
      ConnectionPadding 0 in torrc. Padding may be minimized for mobile
      users with the torrc option ReducedConnectionPadding. Implements
      Proposal 251 and Section 2 of Proposal 254; closes ticket 16861.
    - Relays will publish 24 hour totals of padding and non-padding cell
      counts to their extra-info descriptors, unless PaddingStatistics 0
      is set in torrc. These 24 hour totals are also rounded to
      multiples of 10000.

  o Major bugfixes (connection usage):
    - We use NETINFO cells to try to determine if both relays involved
      in a connection will agree on the canonical status of that
      connection. We prefer the connections where this is the case for
      extend cells, and try to close connections where relays disagree
      on their canonical status early. Also, we now prefer the oldest
      valid connection for extend cells. These two changes should reduce
      the number of long-term connections that are kept open between
      relays. Fixes bug 17604; bugfix on 0.2.5.5-alpha.
    - Relays now log hourly statistics (look for
      "channel_check_for_duplicates" lines) on the total number of
      connections to other relays. If the number of connections per
      relay is unexpectedly large, this log message is at notice level.
      Otherwise it is at info.

  o Major bugfixes (entry guards):
    - Don't block bootstrapping when a primary bridge is offline and we
      can't get its descriptor. Fixes bug 22325; fixes one case of bug
      21969; bugfix on 0.3.0.3-alpha.

  o Major bugfixes (linux TPROXY support):
    - Fix a typo that had prevented TPROXY-based transparent proxying
      from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
      Patch from "d4fq0fQAgoJ".

  o Minor features (security, windows):
    - Enable a couple of pieces of Windows hardening: one
      (HeapEnableTerminationOnCorruption) that has been on-by-default
      since Windows 8, and unavailable before Windows 7; and one
      (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
      affect us, but shouldn't do any harm. Closes ticket 21953.

  o Minor features (config options):
    - Allow "%include" directives in torrc configuration files. These
      directives import the settings from other files, or from all the
      files in a directory. Closes ticket 1922. Code by Daniel Pinto.
    - Make SAVECONF return an error when overwriting a torrc that has
      includes. Using SAVECONF with the FORCE option will allow it to
      overwrite torrc even if includes are used. Related to ticket 1922.
    - Add "GETINFO config-can-saveconf" to tell controllers if SAVECONF
      will work without the FORCE option. Related to ticket 1922.

  o Minor features (controller):
    - Warn the first time that a controller requests data in the long-
      deprecated 'GETINFO network-status' format. Closes ticket 21703.

  o Minor features (defaults):
    - The default value for UseCreateFast is now 0: clients which
      haven't yet received a consensus document will now use a proper
      ntor handshake to talk to their directory servers whenever they
      can. Closes ticket 21407.
    - Onion key rotation and expiry intervals are now defined as a
      network consensus parameter, per proposal 274. The default
      lifetime of an onion key is increased from 7 to 28 days. Old onion
      keys will expire after 7 days by default. This change will make
      consensus diffs much smaller, and save significant bandwidth.
      Closes ticket 21641.

  o Minor features (fallback directory list):
    - Update the fallback directory mirror whitelist and blacklist based
      on operator emails. Closes task 21121.
    - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
      December 2016 (of which ~126 were still functional) with a list of
      151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
      2017. Resolves ticket 21564.

  o Minor features (hidden services, logging):
    - Log a message when a hidden service descriptor has fewer
      introduction points than specified in
      HiddenServiceNumIntroductionPoints. Closes tickets 21598.
    - Log a message when a hidden service reaches its introduction point
      circuit limit, and when that limit is reset. Follow up to ticket
      21594; closes ticket 21622.
    - Warn user if multiple entries in EntryNodes and at least one
      HiddenService are used together. Pinning EntryNodes along with a
      hidden service can be possibly harmful; for instance see ticket
      14917 or 21155. Closes ticket 21155.

  o Minor features (linux seccomp2 sandbox):
    - We now have a document storage backend compatible with the Linux
      seccomp2 sandbox. This backend is used for consensus documents and
      diffs between them; in the long term, we'd like to use it for
      unparseable directory material too. Closes ticket 21645
    - Increase the maximum allowed size passed to mprotect(PROT_WRITE)
      from 1MB to 16MB. This was necessary with the glibc allocator in
      order to allow worker threads to allocate more memory -- which in
      turn is necessary because of our new use of worker threads for
      compression. Closes ticket 22096.

  o Minor features (logging):
    - Log files are no longer created world-readable by default.
      (Previously, most distributors would store the logs in a non-
      world-readable location to prevent inappropriate access. This
      change is an extra precaution.) Closes ticket 21729; patch
      from toralf.

  o Minor features (performance):
    - Our Keccak (SHA-3) implementation now accesses memory more
      efficiently, especially on little-endian systems. Closes
      ticket 21737.
    - Add an O(1) implementation of channel_find_by_global_id(), to
      speed some controller functions.

  o Minor features (relay, configuration):
    - The MyFamily option may now be repeated as many times as desired,
      for relays that want to configure large families. Closes ticket
      4998; patch by Daniel Pinto.

  o Minor features (safety):
    - Add an explicit check to extrainfo_parse_entry_from_string() for
      NULL inputs. We don't believe this can actually happen, but it may
      help silence a warning from the Clang analyzer. Closes
      ticket 21496.

  o Minor features (testing):
    - Add a "--disable-memory-sentinels" feature to help with fuzzing.
      When Tor is compiled with this option, we disable a number of
      redundant memory-safety failsafes that are intended to stop bugs
      from becoming security issues. This makes it easier to hunt for
      bugs that would be security issues without the failsafes turned
      on. Closes ticket 21439.
    - Add a general event-tracing instrumentation support to Tor. This
      subsystem will enable developers and researchers to add fine-
      grained instrumentation to their Tor instances, for use when
      examining Tor network performance issues. There are no trace
      events yet, and event-tracing is off by default unless enabled at
      compile time. Implements ticket 13802.
    - Improve our version parsing tests: add tests for typical version
      components, add tests for invalid versions, including numeric
      range and non-numeric prefixes. Unit tests 21278, 21450, and
      21507. Partially implements 21470.

  o Minor bugfixes (bandwidth accounting):
    - Roll over monthly accounting at the configured hour and minute,
      rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
      Found by Andrey Karpov with PVS-Studio.

  o Minor bugfixes (code correctness):
    - Accurately identify client connections by their lack of peer
      authentication. This means that we bail out earlier if asked to
      extend to a client. Follow-up to 21407. Fixes bug 21406; bugfix
      on 0.2.4.23.

  o Minor bugfixes (configuration):
    - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes
      bug 22252; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (connection lifespan):
    - Allow more control over how long TLS connections are kept open:
      unify CircuitIdleTimeout and PredictedPortsRelevanceTime into a
      single option called CircuitsAvailableTimeout. Also, allow the
      consensus to control the default values for both this preference
      and the lifespan of relay-to-relay connections. Fixes bug 17592;
      bugfix on 0.2.5.5-alpha.
    - Increase the initial circuit build timeout testing frequency, to
      help ensure that ReducedConnectionPadding clients finish learning
      a timeout before their orconn would expire. The initial testing
      rate was set back in the days of TAP and before the Tor Browser
      updater, when we had to be much more careful about new clients
      making lots of circuits. With this change, a circuit build timeout
      is learned in about 15-20 minutes, instead of 100-120 minutes.

  o Minor bugfixes (controller):
    - GETINFO onions/current and onions/detached no longer respond with
      551 on empty lists. Fixes bug 21329; bugfix on 0.2.7.1-alpha.
    - Trigger HS descriptor events on the control port when the client
      fails to pick a hidden service directory for a hidden service.
      This can happen if all the hidden service directories are in
      ExcludeNodes, or they have all been queried within the last 15
      minutes. Fixes bug 22042; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (directory authority):
    - When rejecting a router descriptor for running an obsolete version
      of Tor without ntor support, warn about the obsolete tor version,
      not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.
    - Prevent the shared randomness subsystem from asserting when
      initialized by a bridge authority with an incomplete configuration
      file. Fixes bug 21586; bugfix on 0.2.9.8.

  o Minor bugfixes (exit-side DNS):
    - Fix an untriggerable assertion that checked the output of a
      libevent DNS error, so that the assertion actually behaves as
      expected. Fixes bug 22244; bugfix on 0.2.0.20-rc. Found by Andrey
      Karpov using PVS-Studio.

  o Minor bugfixes (fallback directories):
    - Make the usage example in updateFallbackDirs.py actually work, and
      explain what it does. Fixes bug 22270; bugfix on 0.3.0.3-alpha.
    - Decrease the guard flag average required to be a fallback. This
      allows us to keep relays that have their guard flag removed when
      they restart. Fixes bug 20913; bugfix on 0.2.8.1-alpha.
    - Decrease the minimum number of fallbacks to 100. Fixes bug 20913;
      bugfix on 0.2.8.1-alpha.
    - Make sure fallback directory mirrors have the same address, port,
      and relay identity key for at least 30 days before they are
      selected. Fixes bug 20913; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (hidden services):
    - Stop printing a cryptic warning when a hidden service gets a
      request to connect to a virtual port that it hasn't configured.
      Fixes bug 16706; bugfix on 0.2.6.3-alpha.
    - Simplify hidden service descriptor creation by using an existing
      flag to check if an introduction point is established. Fixes bug
      21599; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (memory leak):
    - Fix a small memory leak at exit from the backtrace handler code.
      Fixes bug 21788; bugfix on 0.2.5.2-alpha. Patch from Daniel Pinto.

  o Minor bugfixes (protocol, logging):
    - Downgrade a log statement about unexpected relay cells from "bug"
      to "protocol warning", because there is at least one use case
      where it can be triggered by a buggy tor implementation. Fixes bug
      21293; bugfix on 0.1.1.14-alpha.

  o Minor bugfixes (testing):
    - Use unbuffered I/O for utility functions around the
      process_handle_t type. This fixes unit test failures reported on
      OpenBSD and FreeBSD. Fixes bug 21654; bugfix on 0.2.3.1-alpha.
    - Make display of captured unit test log messages consistent. Fixes
      bug 21510; bugfix on 0.2.9.3-alpha.
    - Make test-network.sh always call chutney's test-network.sh.
      Previously, this only worked on systems which had bash installed,
      due to some bash-specific code in the script. Fixes bug 19699;
      bugfix on 0.3.0.4-rc. Follow-up to ticket 21581.

  o Minor bugfixes (voting consistency):
    - Reject version numbers with non-numeric prefixes (such as +, -, or
      whitespace). Disallowing whitespace prevents differential version
      parsing between POSIX-based and Windows platforms. Fixes bug 21507
      and part of 21508; bugfix on 0.0.8pre1.

  o Minor bugfixes (windows, relay):
    - Resolve "Failure from drain_fd: No error" warnings on Windows
      relays. Fixes bug 21540; bugfix on 0.2.6.3-alpha.

  o Code simplification and refactoring:
    - Break up the 630-line function connection_dir_client_reached_eof()
      into a dozen smaller functions. This change should help
      maintainability and readability of the client directory code.
    - Isolate our use of the openssl headers so that they are only
      included from our crypto wrapper modules, and from tests that
      examine those modules' internals. Closes ticket 21841.
    - Simplify our API to launch directory requests, making it more
      extensible and less error-prone. Now it's easier to add extra
      headers to directory requests. Closes ticket 21646.
    - Our base64 decoding functions no longer overestimate the output
      space that they need when parsing unpadded inputs. Closes
      ticket 17868.
    - Remove unused "ROUTER_ADDED_NOTIFY_GENERATOR" internal value.
      Resolves ticket 22213.
    - The logic that directory caches use to spool request to clients,
      serving them one part at a time so as not to allocate too much
      memory, has been refactored for consistency. Previously there was
      a separate spooling implementation per type of spoolable data. Now
      there is one common spooling implementation, with extensible data
      types. Closes ticket 21651.
    - Tor's compression module now supports multiple backends. Part of
      the implementation for proposal 278; closes ticket 21663.

  o Documentation:
    - Clarify the behavior of the KeepAliveIsolateSOCKSAuth sub-option.
      Closes ticket 21873.
    - Correct documentation about the default DataDirectory value.
      Closes ticket 21151.
    - Document the default behavior of NumEntryGuards and
      NumDirectoryGuards correctly. Fixes bug 21715; bugfix
      on 0.3.0.1-alpha.
    - Document key=value pluggable transport arguments for Bridge lines
      in torrc. Fixes bug 20341; bugfix on 0.2.5.1-alpha.
    - Note that bandwidth-limiting options don't affect TCP headers or
      DNS. Closes ticket 17170.

  o Removed features (configuration options, all in ticket 22060):
    - These configuration options are now marked Obsolete, and no longer
      have any effect: AllowInvalidNodes, AllowSingleHopCircuits,
      AllowSingleHopExits, ExcludeSingleHopRelays, FastFirstHopPK,
      TLSECGroup, WarnUnsafeSocks. They were first marked as deprecated
      in 0.2.9.2-alpha and have now been removed. The previous default
      behavior is now always chosen; the previous (less secure) non-
      default behavior is now unavailable.
    - CloseHSClientCircuitsImmediatelyOnTimeout and
      CloseHSServiceRendCircuitsImmediatelyOnTimeout were deprecated in
      0.2.9.2-alpha and now have been removed. HS circuits never close
      on circuit build timeout; they have a longer timeout period.
    - {Control,DNS,Dir,Socks,Trans,NATD,OR}ListenAddress were deprecated
      in 0.2.9.2-alpha and now have been removed. Use the ORPort option
      (and others) to configure listen-only and advertise-only addresses.

  o Removed features (tools):
    - We've removed the tor-checkkey tool from src/tools. Long ago, we
      used it to help people detect RSA keys that were generated by
      versions of Debian affected by CVE-2008-0166. But those keys have
      been out of circulation for ages, and this tool is no longer
      required. Closes ticket 21842.


Changes in version 0.3.0.7 - 2017-05-15
  Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions
  of Tor 0.3.0.x, where an attacker could cause a Tor relay process
  to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade;
  clients are not affected.

  o Major bugfixes (hidden service directory, security):
    - Fix an assertion failure in the hidden service directory code, which
      could be used by an attacker to remotely cause a Tor relay process to
      exit. Relays running earlier versions of Tor 0.3.0.x should upgrade.
      should upgrade. This security issue is tracked as TROVE-2017-002.
      Fixes bug 22246; bugfix on 0.3.0.1-alpha.

  o Minor features:
    - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
      Country database.

  o Minor features (future-proofing):
    - Tor no longer refuses to download microdescriptors or descriptors
      if they are listed as "published in the future". This change will
      eventually allow us to stop listing meaningful "published" dates
      in microdescriptor consensuses, and thereby allow us to reduce the
      resources required to download consensus diffs by over 50%.
      Implements part of ticket 21642; implements part of proposal 275.

  o Minor bugfixes (Linux seccomp2 sandbox):
    - The getpid() system call is now permitted under the Linux seccomp2
      sandbox, to avoid crashing with versions of OpenSSL (and other
      libraries) that attempt to learn the process's PID by using the
      syscall rather than the VDSO code. Fixes bug 21943; bugfix
      on 0.2.5.1-alpha.


Changes in version 0.3.0.6 - 2017-04-26
  Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.

  With the 0.3.0 series, clients and relays now use Ed25519 keys to
  authenticate their link connections to relays, rather than the old
  RSA1024 keys that they used before. (Circuit crypto has been
  Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced
  the guard selection and replacement algorithm to behave more robustly
  in the presence of unreliable networks, and to resist guard-
  capture attacks.

  This series also includes numerous other small features and bugfixes,
  along with more groundwork for the upcoming hidden-services revamp.

  Per our stable release policy, we plan to support the Tor 0.3.0
  release series for at least the next nine months, or for three months
  after the first stable release of the 0.3.1 series: whichever is
  longer. If you need a release with long-term support, we recommend
  that you stay with the 0.2.9 series.

  Below are the changes since 0.3.0.5-rc. For a list of all changes
  since 0.2.9, see the ReleaseNotes file.

  o Minor features (geoip):
    - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (control port):
    - The GETINFO extra-info/digest/<digest> command was broken because
      of a wrong base16 decode return value check, introduced when
      refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (crash prevention):
    - Fix a (currently untriggerable, but potentially dangerous) crash
      bug when base32-encoding inputs whose sizes are not a multiple of
      5. Fixes bug 21894; bugfix on 0.2.9.1-alpha.


Changes in version 0.3.0.5-rc - 2017-04-05
  Tor 0.3.0.5-rc fixes a few remaining bugs, large and small, in the
  0.3.0 release series.

  This is the second release candidate in the Tor 0.3.0 series, and has
  much fewer changes than the first. If we find no new bugs or
  regressions here, the first stable 0.3.0 release will be nearly
  identical to it.

  o Major bugfixes (crash, directory connections):
    - Fix a rare crash when sending a begin cell on a circuit whose
      linked directory connection had already been closed. Fixes bug
      21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.

  o Major bugfixes (guard selection):
    - Fix a guard selection bug where Tor would refuse to bootstrap in
      some cases if the user swapped a bridge for another bridge in
      their configuration file. Fixes bug 21771; bugfix on 0.3.0.1-alpha.
      Reported by "torvlnt33r".

  o Minor features (geoip):
    - Update geoip and geoip6 to the March 7 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfix (compilation):
    - Fix a warning when compiling hs_service.c. Previously, it had no
      exported symbols when compiled for libor.a, resulting in a
      compilation warning from clang. Fixes bug 21825; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (hidden services):
    - Make hidden services check for failed intro point connections,
      even when they have exceeded their intro point creation limit.
      Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett.
    - Make hidden services with 8 to 10 introduction points check for
      failed circuits immediately after startup. Previously, they would
      wait for 5 minutes before performing their first checks. Fixes bug
      21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett.

  o Minor bugfixes (memory leaks):
    - Fix a memory leak when using GETCONF on a port option. Fixes bug
      21682; bugfix on 0.3.0.3-alpha.

  o Minor bugfixes (relay):
    - Avoid a double-marked-circuit warning that could happen when we
      receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
      on 0.1.0.1-rc.

  o Minor bugfixes (tests):
    - Run the entry_guard_parse_from_state_full() test with the time set
      to a specific date. (The guard state that this test was parsing
      contained guards that had expired since the test was first
      written.) Fixes bug 21799; bugfix on 0.3.0.1-alpha.

  o Documentation:
    - Update the description of the directory server options in the
      manual page, to clarify that a relay no longer needs to set
      DirPort in order to be a directory cache. Closes ticket 21720.



Changes in version 0.2.8.13 - 2017-03-03
  Tor 0.2.8.13 backports a security fix from later Tor
  releases.  Anybody running Tor 0.2.8.12 or earlier should upgrade to this
  this release, if for some reason they cannot upgrade to a later
  release series, and if they build Tor with the --enable-expensive-hardening
  option.

  Note that support for Tor 0.2.8.x is ending next year: we will not issue
  any fixes for the Tor 0.2.8.x series after 1 Jan 2018.  If you need
  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.

  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.


Changes in version 0.2.7.7 - 2017-03-03
  Tor 0.2.7.7 backports a number of security fixes from later Tor
  releases.  Anybody running Tor 0.2.7.6 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series.

  Note that support for Tor 0.2.7.x is ending this year: we will not issue
  any fixes for the Tor 0.2.7.x series after 1 August 2017.  If you need
  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.

  o Directory authority changes (backport from 0.2.8.5-rc):
    - Urras is no longer a directory authority. Closes ticket 19271.

  o Directory authority changes (backport from 0.2.9.2-alpha):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.

  o Directory authority key updates (backport from 0.2.8.1-alpha):
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".

  o Major bugfixes (parsing, security, backport from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
    - Stop a crash that could occur when a client running with DNSPort
      received a query with multiple address types, and the first
      address type was not supported. Found and fixed by Scott Dial.
      Fixes bug 18710; bugfix on 0.2.5.4-alpha.
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).

  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.

  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".

  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.

  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
      patch by "teor".

  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.


Changes in version 0.2.6.11 - 2017-03-03
  Tor 0.2.6.11 backports a number of security fixes from later Tor
  releases.  Anybody running Tor 0.2.6.10 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series.

  Note that support for Tor 0.2.6.x is ending this year: we will not issue
  any fixes for the Tor 0.2.6.x series after 1 August 2017.  If you need
  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.

  o Directory authority changes (backport from 0.2.8.5-rc):
    - Urras is no longer a directory authority. Closes ticket 19271.

  o Directory authority changes (backport from 0.2.9.2-alpha):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.

  o Directory authority key updates (backport from 0.2.8.1-alpha):
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".

  o Major features (security fixes, backport from 0.2.9.4-alpha):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).

  o Major bugfixes (parsing, security, backport from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
    - Stop a crash that could occur when a client running with DNSPort
      received a query with multiple address types, and the first
      address type was not supported. Found and fixed by Scott Dial.
      Fixes bug 18710; bugfix on 0.2.5.4-alpha.

  o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
    - Fix an error that could cause us to read 4 bytes before the
      beginning of an openssl string. This bug could be used to cause
      Tor to crash on systems with unusual malloc implementations, or
      systems with unusual hardening installed. Fixes bug 17404; bugfix
      on 0.2.3.6-alpha.

  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.

  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".

  o Major bugfixes (guard selection, backport from 0.2.7.6):
    - Actually look at the Guard flag when selecting a new directory
      guard. When we implemented the directory guard design, we
      accidentally started treating all relays as if they have the Guard
      flag during guard selection, leading to weaker anonymity and worse
      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
      by Mohsen Imani.

  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.

  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
      patch by "teor".

  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation, backport from 0.2.7.6):
    - Fix a compilation warning with Clang 3.6: Do not check the
      presence of an address which can never be NULL. Fixes bug 17781.


Changes in version 0.2.5.13 - 2017-03-03
  Tor 0.2.5.13 backports a number of security fixes from later Tor
  releases.  Anybody running Tor 0.2.5.13 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series.

  Note that support for Tor 0.2.5.x is ending next year: we will not issue
  any fixes for the Tor 0.2.5.x series after 1 May 2018.  If you need
  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.

  o Directory authority changes (backport from 0.2.8.5-rc):
    - Urras is no longer a directory authority. Closes ticket 19271.

  o Directory authority changes (backport from 0.2.9.2-alpha):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.

  o Directory authority key updates (backport from 0.2.8.1-alpha):
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".

  o Major features (security fixes, backport from 0.2.9.4-alpha):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).

  o Major bugfixes (parsing, security, backport from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
    - Stop a crash that could occur when a client running with DNSPort
      received a query with multiple address types, and the first
      address type was not supported. Found and fixed by Scott Dial.
      Fixes bug 18710; bugfix on 0.2.5.4-alpha.

  o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
    - Fix an error that could cause us to read 4 bytes before the
      beginning of an openssl string. This bug could be used to cause
      Tor to crash on systems with unusual malloc implementations, or
      systems with unusual hardening installed. Fixes bug 17404; bugfix
      on 0.2.3.6-alpha.

  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.

  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".

  o Major bugfixes (guard selection, backport from 0.2.7.6):
    - Actually look at the Guard flag when selecting a new directory
      guard. When we implemented the directory guard design, we
      accidentally started treating all relays as if they have the Guard
      flag during guard selection, leading to weaker anonymity and worse
      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
      by Mohsen Imani.

  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.

  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
      patch by "teor".

  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation, backport from 0.2.7.6):
    - Fix a compilation warning with Clang 3.6: Do not check the
      presence of an address which can never be NULL. Fixes bug 17781.

  o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha):
    - Check for failures from crypto_early_init, and refuse to continue.
      A previous typo meant that we could keep going with an
      uninitialized crypto library, and would have OpenSSL initialize
      its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
      when implementing ticket 4900. Patch by "teor".

  o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
      a client authorized hidden service. Fixes bug 15823; bugfix
      on 0.2.1.6-alpha.


Changes in version 0.2.4.28 - 2017-03-03
  Tor 0.2.4.28 backports a number of security fixes from later Tor
  releases.  Anybody running Tor 0.2.4.27 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series.

  Note that support for Tor 0.2.4.x is ending soon: we will not issue
  any fixes for the Tor 0.2.4.x series after 1 August 2017.  If you need
  a Tor release series with long-term support, we recommend Tor 0.2.9.x.

  o Directory authority changes (backport from 0.2.8.5-rc):
    - Urras is no longer a directory authority. Closes ticket 19271.

  o Directory authority changes (backport from 0.2.9.2-alpha):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.

  o Directory authority key updates (backport from 0.2.8.1-alpha):
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".

  o Major features (security fixes, backport from 0.2.9.4-alpha):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).

  o Major bugfixes (parsing, security, backport from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
    - Fix an error that could cause us to read 4 bytes before the
      beginning of an openssl string. This bug could be used to cause
      Tor to crash on systems with unusual malloc implementations, or
      systems with unusual hardening installed. Fixes bug 17404; bugfix
      on 0.2.3.6-alpha.

  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.

  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".

  o Major bugfixes (guard selection, backport from 0.2.7.6):
    - Actually look at the Guard flag when selecting a new directory
      guard. When we implemented the directory guard design, we
      accidentally started treating all relays as if they have the Guard
      flag during guard selection, leading to weaker anonymity and worse
      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
      by Mohsen Imani.

  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.

  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
      patch by "teor".

  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.

  o Minor features (DoS-resistance, backport from 0.2.7.1-alpha):
    - Make it harder for attackers to overload hidden services with
      introductions, by blocking multiple introduction requests on the
      same circuit. Resolves ticket 15515.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation, backport from 0.2.7.6):
    - Fix a compilation warning with Clang 3.6: Do not check the
      presence of an address which can never be NULL. Fixes bug 17781.

  o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
      a client authorized hidden service. Fixes bug 15823; bugfix
      on 0.2.1.6-alpha.


Changes in version 0.3.0.4-rc - 2017-03-01
  Tor 0.3.0.4-rc fixes some remaining bugs, large and small, in the
  0.3.0 release series, and introduces a few reliability features to
  keep them from coming back.

  This is the first release candidate in the Tor 0.3.0 series. If we
  find no new bugs or regressions here, the first stable 0.3.0 release
  will be nearly identical to it.

  o Major bugfixes (bridges):
    - When the same bridge is configured multiple times with the same
      identity, but at different address:port combinations, treat those
      bridge instances as separate guards. This fix restores the ability
      of clients to configure the same bridge with multiple pluggable
      transports. Fixes bug 21027; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (hidden service directory v3):
    - Stop crashing on a failed v3 hidden service descriptor lookup
      failure. Fixes bug 21471; bugfixes on tor-0.3.0.1-alpha.

  o Major bugfixes (parsing):
    - When parsing a malformed content-length field from an HTTP
      message, do not read off the end of the buffer. This bug was a
      potential remote denial-of-service attack against Tor clients and
      relays. A workaround was released in October 2016, to prevent this
      bug from crashing Tor. This is a fix for the underlying issue,
      which should no longer matter (if you applied the earlier patch).
      Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing
      using AFL (http://lcamtuf.coredump.cx/afl/).
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor feature (protocol versioning):
    - Add new protocol version for proposal 224. HSIntro now advertises
      version "3-4" and HSDir version "1-2". Fixes ticket 20656.

  o Minor features (directory authorities):
    - Directory authorities now reject descriptors that claim to be
      malformed versions of Tor. Helps prevent exploitation of
      bug 21278.
    - Reject version numbers with components that exceed INT32_MAX.
      Otherwise 32-bit and 64-bit platforms would behave inconsistently.
      Fixes bug 21450; bugfix on 0.0.8pre1.
    - Directory authorities now reject relays running versions
      0.2.9.1-alpha through 0.2.9.4-alpha, because those relays
      suffer from bug 20499 and don't keep their consensus cache
      up-to-date. Resolves ticket 20509.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.

  o Minor features (reliability, crash):
    - Try better to detect problems in buffers where they might grow (or
      think they have grown) over 2 GB in size. Diagnostic for
      bug 21369.

  o Minor features (testing):
    - During 'make test-network-all', if tor logs any warnings, ask
      chutney to output them. Requires a recent version of chutney with
      the 21572 patch. Implements 21570.

  o Minor bugfixes (certificate expiration time):
    - Avoid using link certificates that don't become valid till some
      time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha

  o Minor bugfixes (code correctness):
    - Repair a couple of (unreachable or harmless) cases of the risky
      comparison-by-subtraction pattern that caused bug 21278.
    - Remove a redundant check for the UseEntryGuards option from the
      options_transition_affects_guards() function. Fixes bug 21492;
      bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (directory mirrors):
    - Allow relays to use directory mirrors without a DirPort: these
      relays need to be contacted over their ORPorts using a begindir
      connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha.
    - Clarify the message logged when a remote relay is unexpectedly
      missing an ORPort or DirPort: users were confusing this with a
      local port. Fixes another case of bug 20711; bugfix
      on 0.2.8.2-alpha.

  o Minor bugfixes (guards):
    - Don't warn about a missing guard state on timeout-measurement
      circuits: they aren't supposed to be using guards. Fixes an
      instance of bug 21007; bugfix on 0.3.0.1-alpha.
    - Silence a BUG() warning when attempting to use a guard whose
      descriptor we don't know, and make this scenario less likely to
      happen. Fixes bug 21415; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (hidden service):
    - Pass correct buffer length when encoding legacy ESTABLISH_INTRO
      cells. Previously, we were using sizeof() on a pointer, instead of
      the real destination buffer. Fortunately, that value was only used
      to double-check that there was enough room--which was already
      enforced elsewhere. Fixes bug 21553; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (testing):
    - Fix Raspbian build issues related to missing socket errno in
      test_util.c. Fixes bug 21116; bugfix on tor-0.2.8.2. Patch
      by "hein".
    - Rename "make fuzz" to "make test-fuzz-corpora", since it doesn't
      actually fuzz anything. Fixes bug 21447; bugfix on 0.3.0.3-alpha.
    - Use bash in src/test/test-network.sh. This ensures we reliably
      call chutney's newer tools/test-network.sh when available. Fixes
      bug 21562; bugfix on 0.2.9.1-alpha.

  o Documentation:
    - Small fixes to the fuzzing documentation. Closes ticket 21472.


Changes in version 0.2.9.10 - 2017-03-01
  Tor 0.2.9.10 backports a security fix from later Tor release.  It also
  includes fixes for some major issues affecting directory authorities,
  LibreSSL compatibility, and IPv6 correctness.

  The Tor 0.2.9.x release series is now marked as a long-term-support
  series.  We intend to backport security fixes to 0.2.9.x until at
  least January of 2020.

  o Major bugfixes (directory authority, 0.3.0.3-alpha):
    - During voting, when marking a relay as a probable sybil, do not
      clear its BadExit flag: sybils can still be bad in other ways
      too. (We still clear the other flags.) Fixes bug 21108; bugfix
      on 0.2.0.13-alpha.

  o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
    - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
      any IPv6 addresses. Instead, only reject a port over IPv6 if the
      exit policy rejects that port on more than an IPv6 /16 of
      addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
      which rejected a relay's own IPv6 address by default. Fixes bug
      21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.

  o Major bugfixes (parsing, also in 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor features (directory authorities, also in 0.3.0.4-rc):
    - Directory authorities now reject descriptors that claim to be
      malformed versions of Tor. Helps prevent exploitation of
      bug 21278.
    - Reject version numbers with components that exceed INT32_MAX.
      Otherwise 32-bit and 64-bit platforms would behave inconsistently.
      Fixes bug 21450; bugfix on 0.0.8pre1.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.

  o Minor features (portability, compilation, backport from 0.3.0.3-alpha):
    - Autoconf now checks to determine if OpenSSL structures are opaque,
      instead of explicitly checking for OpenSSL version numbers. Part
      of ticket 21359.
    - Support building with recent LibreSSL code that uses opaque
      structures. Closes ticket 21359.

  o Minor bugfixes (code correctness, also in 0.3.0.4-rc):
    - Repair a couple of (unreachable or harmless) cases of the risky
      comparison-by-subtraction pattern that caused bug 21278.

  o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
    - The tor-resolve command line tool now rejects hostnames over 255
      characters in length. Previously, it would silently truncate them,
      which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
      Patch by "junglefowl".


Changes in version 0.3.0.3-alpha - 2017-02-03
  Tor 0.3.0.3-alpha fixes a few significant bugs introduced over the
  0.3.0.x development series, including some that could cause
  authorities to behave badly. There is also a fix for a longstanding
  bug that could prevent IPv6 exits from working. Tor 0.3.0.3-alpha also
  includes some smaller features and bugfixes.

  The Tor 0.3.0.x release series is now in patch-freeze: no additional
  features will be considered for inclusion in 0.3.0.x. We suspect that
  some bugs will probably remain, however, and we encourage people to
  test this release.

  o Major bugfixes (directory authority):
    - During voting, when marking a relay as a probable sybil, do not
      clear its BadExit flag: sybils can still be bad in other ways
      too. (We still clear the other flags.) Fixes bug 21108; bugfix
      on 0.2.0.13-alpha.
    - When deciding whether we have just found a router to be reachable,
      do not penalize it for not having performed an Ed25519 link
      handshake if it does not claim to support an Ed25519 handshake.
      Previously, we would treat such relays as non-running. Fixes bug
      21107; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (entry guards):
    - Stop trying to build circuits through entry guards for which we
      have no descriptor. Also, stop crashing in the case that we *do*
      accidentally try to build a circuit in such a state. Fixes bug
      21242; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (IPv6 Exits):
    - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
      any IPv6 addresses. Instead, only reject a port over IPv6 if the
      exit policy rejects that port on more than an IPv6 /16 of
      addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
      which rejected a relay's own IPv6 address by default. Fixes bug
      21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.

  o Minor feature (client):
    - Enable IPv6 traffic on the SocksPort by default. To disable this,
      a user will have to specify "NoIPv6Traffic". Closes ticket 21269.

  o Minor feature (fallback scripts):
    - Add a check_existing mode to updateFallbackDirs.py, which checks
      if fallbacks in the hard-coded list are working. Closes ticket
      20174. Patch by haxxpop.

  o Minor features (ciphersuite selection):
    - Clients now advertise a list of ciphersuites closer to the ones
      preferred by Firefox. Closes part of ticket 15426.
    - Allow relays to accept a wider range of ciphersuites, including
      chacha20-poly1305 and AES-CCM. Closes the other part of 15426.

  o Minor features (controller, configuration):
    - Each of the *Port options, such as SocksPort, ORPort, ControlPort,
      and so on, now comes with a __*Port variant that will not be saved
      to the torrc file by the controller's SAVECONF command. This
      change allows TorBrowser to set up a single-use domain socket for
      each time it launches Tor. Closes ticket 20956.
    - The GETCONF command can now query options that may only be
      meaningful in context-sensitive lists. This allows the controller
      to query the mixed SocksPort/__SocksPort style options introduced
      in feature 20956. Implements ticket 21300.

  o Minor features (portability, compilation):
    - Autoconf now checks to determine if OpenSSL structures are opaque,
      instead of explicitly checking for OpenSSL version numbers. Part
      of ticket 21359.
    - Support building with recent LibreSSL code that uses opaque
      structures. Closes ticket 21359.

  o Minor features (relay):
    - We now allow separation of exit and relay traffic to different
      source IP addresses, using the OutboundBindAddressExit and
      OutboundBindAddressOR options respectively. Closes ticket 17975.
      Written by Michael Sonntag.

  o Minor bugfix (logging):
    - Don't recommend the use of Tor2web in non-anonymous mode.
      Recommending Tor2web is a bad idea because the client loses all
      anonymity. Tor2web should only be used in specific cases by users
      who *know* and understand the issues. Fixes bug 21294; bugfix
      on 0.2.9.3-alpha.

  o Minor bugfixes (client):
    - Always recover from failures in extend_info_from_node(), in an
      attempt to prevent any recurrence of bug 21242. Fixes bug 21372;
      bugfix on 0.2.3.1-alpha.

  o Minor bugfixes (client, entry guards):
    - Fix a bug warning (with backtrace) when we fail a channel that
      circuits to fallback directories on it. Fixes bug 21128; bugfix
      on 0.3.0.1-alpha.
    - Fix a spurious bug warning (with backtrace) when removing an
      expired entry guard. Fixes bug 21129; bugfix on 0.3.0.1-alpha.
    - Fix a bug of the new guard algorithm where tor could stall for up
      to 10 minutes before retrying a guard after a long period of no
      network. Fixes bug 21052; bugfix on 0.3.0.1-alpha.
    - Do not try to build circuits until we have descriptors for our
      primary entry guards. Related to fix for bug 21242.

  o Minor bugfixes (configure, autoconf):
    - Rename the configure option --enable-expensive-hardening to
      --enable-fragile-hardening. Expensive hardening makes the tor
      daemon abort when some kinds of issues are detected. Thus, it
      makes tor more at risk of remote crashes but safer against RCE or
      heartbleed bug category. We now try to explain this issue in a
      message from the configure script. Fixes bug 21290; bugfix
      on 0.2.5.4-alpha.

  o Minor bugfixes (controller):
    - Restore the (deprecated) DROPGUARDS controller command. Fixes bug
      20824; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (hidden service):
    - Clean up the code for expiring intro points with no associated
      circuits. It was causing, rarely, a service with some expiring
      introduction points to not open enough additional introduction
      points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha.
    - Stop setting the torrc option HiddenServiceStatistics to "0" just
      because we're not a bridge or relay. Instead, we preserve whatever
      value the user set (or didn't set). Fixes bug 21150; bugfix
      on 0.2.6.2-alpha.
    - Resolve two possible underflows which could lead to creating and
      closing a lot of introduction point circuits in a non-stop loop.
      Fixes bug 21302; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (portability):
    - Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__".
      It is supported by OpenBSD itself, and also by most OpenBSD
      variants (such as Bitrig). Fixes bug 20980; bugfix
      on 0.1.2.1-alpha.
    - When mapping a file of length greater than SIZE_MAX, do not
      silently truncate its contents. This issue could occur on 32 bit
      systems with large file support and files which are larger than 4
      GB. Fixes bug 21134; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (tor-resolve):
    - The tor-resolve command line tool now rejects hostnames over 255
      characters in length. Previously, it would silently truncate them,
      which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
      Patch by "junglefowl".

  o Minor bugfixes (Windows services):
    - Be sure to initialize the monotonic time subsystem before using
      it, even when running as an NT service. Fixes bug 21356; bugfix
      on 0.2.9.1-alpha.


Changes in version 0.3.0.2-alpha - 2017-01-23
  Tor 0.3.0.2-alpha fixes a denial-of-service bug where an attacker could
  cause relays and clients to crash, even if they were not built with
  the --enable-expensive-hardening option. This bug affects all 0.2.9.x
  versions, and also affects 0.3.0.1-alpha: all relays running an affected
  version should upgrade.

  Tor 0.3.0.2-alpha also improves how exit relays and clients handle DNS
  time-to-live values, makes directory authorities enforce the 1-to-1
  mapping of relay RSA identity keys to ED25519 identity keys, fixes a
  client-side onion service reachability bug, does better at selecting
  the set of fallback directories, and more.

  o Major bugfixes (security, also in 0.2.9.9):
    - Downgrade the "-ftrapv" option from "always on" to "only on when
      --enable-expensive-hardening is provided."  This hardening option, like
      others, can turn survivable bugs into crashes--and having it on by
      default made a (relatively harmless) integer overflow bug into a
      denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); bugfix on
      0.2.9.1-alpha.

  o Major features (security):
    - Change the algorithm used to decide DNS TTLs on client and server
      side, to better resist DNS-based correlation attacks like the
      DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
      Feamster. Now relays only return one of two possible DNS TTL
      values, and clients are willing to believe DNS TTL values up to 3
      hours long. Closes ticket 19769.

  o Major features (directory authority, security):
    - The default for AuthDirPinKeys is now 1: directory authorities
      will reject relays where the RSA identity key matches a previously
      seen value, but the Ed25519 key has changed. Closes ticket 18319.

  o Major bugfixes (client, guard, crash):
    - In circuit_get_global_origin_list(), return the actual list of
      origin circuits. The previous version of this code returned the
      list of all the circuits, and could have caused strange bugs,
      including possible crashes. Fixes bug 21118; bugfix
      on 0.3.0.1-alpha.

  o Major bugfixes (client, onion service, also in 0.2.9.9):
    - Fix a client-side onion service reachability bug, where multiple
      socks requests to an onion service (or a single slow request)
      could cause us to mistakenly mark some of the service's
      introduction points as failed, and we cache that failure so
      eventually we run out and can't reach the service. Also resolves a
      mysterious "Remote server sent bogus reason code 65021" log
      warning. The bug was introduced in ticket 17218, where we tried to
      remember the circuit end reason as a uint16_t, which mangled
      negative values. Partially fixes bug 21056 and fixes bug 20307;
      bugfix on 0.2.8.1-alpha.

  o Major bugfixes (DNS):
    - Fix a bug that prevented exit nodes from caching DNS records for
      more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.

  o Minor features (controller):
    - Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose
      shared-random values to the controller. Closes ticket 19925.

  o Minor features (entry guards):
    - Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not
      break regression tests.
    - Require UseEntryGuards when UseBridges is set, in order to make
      sure bridges aren't bypassed. Resolves ticket 20502.

  o Minor features (fallback directories):
    - Select 200 fallback directories for each release. Closes
      ticket 20881.
    - Allow 3 fallback relays per operator, which is safe now that we
      are choosing 200 fallback relays. Closes ticket 20912.
    - Exclude relays affected by bug 20499 from the fallback list.
      Exclude relays from the fallback list if they are running versions
      known to be affected by bug 20499, or if in our tests they deliver
      a stale consensus (i.e. one that expired more than 24 hours ago).
      Closes ticket 20539.
    - Reduce the minimum fallback bandwidth to 1 MByte/s. Part of
      ticket 18828.
    - Require fallback directories to have the same address and port for
      7 days (now that we have enough relays with this stability).
      Relays whose OnionOO stability timer is reset on restart by bug
      18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for
      this issue. Closes ticket 20880; maintains short-term fix
      in 0.2.8.2-alpha.
    - Require fallbacks to have flags for 90% of the time (weighted
      decaying average), rather than 95%. This allows at least 73% of
      clients to bootstrap in the first 5 seconds without contacting an
      authority. Part of ticket 18828.
    - Annotate updateFallbackDirs.py with the bandwidth and consensus
      weight for each candidate fallback. Closes ticket 20878.
    - Make it easier to change the output sort order of fallbacks.
      Closes ticket 20822.
    - Display the relay fingerprint when downloading consensuses from
      fallbacks. Closes ticket 20908.

  o Minor features (geoip, also in 0.2.9.9):
    - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
      Country database.

  o Minor features (next-gen onion service directories):
    - Remove the "EnableOnionServicesV3" consensus parameter that we
      introduced in 0.3.0.1-alpha: relays are now always willing to act
      as v3 onion service directories. Resolves ticket 19899.

  o Minor features (linting):
    - Enhance the changes file linter to warn on Tor versions that are
      prefixed with "tor-". Closes ticket 21096.

  o Minor features (logging):
    - In several places, describe unset ed25519 keys as "<unset>",
      rather than the scary "AAAAAAAA...AAA". Closes ticket 21037.

  o Minor bugfix (control protocol):
    - The reply to a "GETINFO config/names" request via the control
      protocol now spells the type "Dependent" correctly. This is a
      breaking change in the control protocol. (The field seems to be
      ignored by the most common known controllers.) Fixes bug 18146;
      bugfix on 0.1.1.4-alpha.

  o Minor bugfixes (bug resilience):
    - Fix an unreachable size_t overflow in base64_decode(). Fixes bug
      19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by
      Hans Jerry Illikainen.

  o Minor bugfixes (build):
    - Replace obsolete Autoconf macros with their modern equivalent and
      prevent similar issues in the future. Fixes bug 20990; bugfix
      on 0.1.0.1-rc.

  o Minor bugfixes (client, guards):
    - Fix bug where Tor would think that there are circuits waiting for
      better guards even though those circuits have been freed. Fixes
      bug 21142; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (config):
    - Don't assert on startup when trying to get the options list and
      LearnCircuitBuildTimeout is set to 0: we are currently parsing the
      options so of course they aren't ready yet. Fixes bug 21062;
      bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (controller):
    - Make the GETINFO interface for inquiring about entry guards
      support the new guards backend. Fixes bug 20823; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (dead code):
    - Remove a redundant check for PidFile changes at runtime in
      options_transition_allowed(): this check is already performed
      regardless of whether the sandbox is active. Fixes bug 21123;
      bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (documentation):
    - Update the tor manual page to document every option that can not
      be changed while tor is running. Fixes bug 21122.

  o Minor bugfixes (fallback directories):
    - Stop failing when a relay has no uptime data in
      updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha.
    - Avoid checking fallback candidates' DirPorts if they are down in
      OnionOO. When a relay operator has multiple relays, this
      prioritizes relays that are up over relays that are down. Fixes
      bug 20926; bugfix on 0.2.8.3-alpha.
    - Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py.
      Fixes bug 20877; bugfix on 0.2.8.3-alpha.

  o Minor bugfixes (guards, bootstrapping):
    - When connecting to a directory guard during bootstrap, do not mark
      the guard as successful until we receive a good-looking directory
      response from it. Fixes bug 20974; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (onion services):
    - Fix the config reload pruning of old vs new services so it
      actually works when both ephemeral and non-ephemeral services are
      configured. Fixes bug 21054; bugfix on 0.3.0.1-alpha.
    - Allow the number of introduction points to be as low as 0, rather
      than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (IPv6):
    - Make IPv6-using clients try harder to find an IPv6 directory
      server. Fixes bug 20999; bugfix on 0.2.8.2-alpha.
    - When IPv6 addresses have not been downloaded yet (microdesc
      consensus documents don't list relay IPv6 addresses), use hard-
      coded addresses for authorities, fallbacks, and configured
      bridges. Now IPv6-only clients can use microdescriptors. Fixes bug
      20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha.

  o Minor bugfixes (memory leaks):
    - Fix a memory leak when configuring hidden services. Fixes bug
      20987; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (portability, also in 0.2.9.9):
    - Avoid crashing when Tor is built using headers that contain
      CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
      without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
      on 0.2.9.1-alpha.
    - Fix Libevent detection on platforms without Libevent 1 headers
      installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (relay):
    - Honor DataDirectoryGroupReadable when tor is a relay. Previously,
      initializing the keys would reset the DataDirectory to 0700
      instead of 0750 even if DataDirectoryGroupReadable was set to 1.
      Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish".

  o Minor bugfixes (testing):
    - Remove undefined behavior from the backtrace generator by removing
      its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (unit tests):
    - Allow the unit tests to pass even when DNS lookups of bogus
      addresses do not fail as expected. Fixes bug 20862 and 20863;
      bugfix on unit tests introduced in 0.2.8.1-alpha
      through 0.2.9.4-alpha.

  o Code simplification and refactoring:
    - Refactor code to manipulate global_origin_circuit_list into
      separate functions. Closes ticket 20921.

  o Documentation (formatting):
    - Clean up formatting of tor.1 man page and HTML doc, where <pre>
      blocks were incorrectly appearing. Closes ticket 20885.

  o Documentation (man page):
    - Clarify many options in tor.1 and add some min/max values for
      HiddenService options. Closes ticket 21058.


Changes in version 0.2.9.9 - 2017-01-23
  Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could
  cause relays and clients to crash, even if they were not built with
  the --enable-expensive-hardening option. This bug affects all 0.2.9.x
  versions, and also affects 0.3.0.1-alpha: all relays running an affected
  version should upgrade.

  This release also resolves a client-side onion service reachability
  bug, and resolves a pair of small portability issues.

  o Major bugfixes (security):
    - Downgrade the "-ftrapv" option from "always on" to "only on when
      --enable-expensive-hardening is provided." This hardening option,
      like others, can turn survivable bugs into crashes -- and having
      it on by default made a (relatively harmless) integer overflow bug
      into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
      bugfix on 0.2.9.1-alpha.

  o Major bugfixes (client, onion service):
    - Fix a client-side onion service reachability bug, where multiple
      socks requests to an onion service (or a single slow request)
      could cause us to mistakenly mark some of the service's
      introduction points as failed, and we cache that failure so
      eventually we run out and can't reach the service. Also resolves a
      mysterious "Remote server sent bogus reason code 65021" log
      warning. The bug was introduced in ticket 17218, where we tried to
      remember the circuit end reason as a uint16_t, which mangled
      negative values. Partially fixes bug 21056 and fixes bug 20307;
      bugfix on 0.2.8.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (portability):
    - Avoid crashing when Tor is built using headers that contain
      CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
      without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
      on 0.2.9.1-alpha.
    - Fix Libevent detection on platforms without Libevent 1 headers
      installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.


Changes in version 0.3.0.1-alpha - 2016-12-19
  Tor 0.3.0.1-alpha is the first alpha release in the 0.3.0 development
  series. It strengthens Tor's link and circuit handshakes by
  identifying relays by their Ed25519 keys, improves the algorithm that
  clients use to choose and maintain their list of guards, and includes
  additional backend support for the next-generation hidden service
  design. It also contains numerous other small features and
  improvements to security, correctness, and performance.

  Below are the changes since 0.2.9.8.

  o Major features (guard selection algorithm):
    - Tor's guard selection algorithm has been redesigned from the
      ground up, to better support unreliable networks and restrictive
      sets of entry nodes, and to better resist guard-capture attacks by
      hostile local networks. Implements proposal 271; closes
      ticket 19877.

  o Major features (next-generation hidden services):
    - Relays can now handle v3 ESTABLISH_INTRO cells as specified by
      prop224 aka "Next Generation Hidden Services". Service and clients
      don't use this functionality yet. Closes ticket 19043. Based on
      initial code by Alec Heifetz.
    - Relays now support the HSDir version 3 protocol, so that they can
      can store and serve v3 descriptors. This is part of the next-
      generation onion service work detailled in proposal 224. Closes
      ticket 17238.

  o Major features (protocol, ed25519 identity keys):
    - Relays now use Ed25519 to prove their Ed25519 identities and to
      one another, and to clients. This algorithm is faster and more
      secure than the RSA-based handshake we've been doing until now.
      Implements the second big part of proposal 220; Closes
      ticket 15055.
    - Clients now support including Ed25519 identity keys in the EXTEND2
      cells they generate. By default, this is controlled by a consensus
      parameter, currently disabled. You can turn this feature on for
      testing by setting ExtendByEd25519ID in your configuration. This
      might make your traffic appear different than the traffic
      generated by other users, however. Implements part of ticket
      15056; part of proposal 220.
    - Relays now understand requests to extend to other relays by their
      Ed25519 identity keys. When an Ed25519 identity key is included in
      an EXTEND2 cell, the relay will only extend the circuit if the
      other relay can prove ownership of that identity. Implements part
      of ticket 15056; part of proposal 220.

  o Major bugfixes (scheduler):
    - Actually compare circuit policies in ewma_cmp_cmux(). This bug
      caused the channel scheduler to behave more or less randomly,
      rather than preferring channels with higher-priority circuits.
      Fixes bug 20459; bugfix on 0.2.6.2-alpha.

  o Minor features (controller):
    - When HSFETCH arguments cannot be parsed, say "Invalid argument"
      rather than "unrecognized." Closes ticket 20389; patch from
      Ivan Markin.

  o Minor features (diagnostic, directory client):
    - Warn when we find an unexpected inconsistency in directory
      download status objects. Prevents some negative consequences of
      bug 20593.

  o Minor features (directory authority):
    - Add a new authority-only AuthDirTestEd25519LinkKeys option (on by
      default) to control whether authorities should try to probe relays
      by their Ed25519 link keys. This option will go away in a few
      releases--unless we encounter major trouble in our ed25519 link
      protocol rollout, in which case it will serve as a safety option.

  o Minor features (directory cache):
    - Relays and bridges will now refuse to serve the consensus they
      have if they know it is too old for a client to use. Closes
      ticket 20511.

  o Minor features (ed25519 link handshake):
    - Advertise support for the ed25519 link handshake using the
      subprotocol-versions mechanism, so that clients can tell which
      relays can identity themselves by Ed25519 ID. Closes ticket 20552.

  o Minor features (fingerprinting resistence, authentication):
    - Extend the length of RSA keys used for TLS link authentication to
      2048 bits. (These weren't used for forward secrecy; for forward
      secrecy, we used P256.) Closes ticket 13752.

  o Minor features (infrastructure):
    - Implement smartlist_add_strdup() function. Replaces the use of
      smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.

  o Minor bugfixes (client):
    - When clients that use bridges start up with a cached consensus on
      disk, they were ignoring it and downloading a new one. Now they
      use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.

  o Minor bugfixes (configuration):
    - Accept non-space whitespace characters after the severity level in
      the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha.
    - Support "TByte" and "TBytes" units in options given in bytes.
      "TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already
      supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.

  o Minor bugfixes (consensus weight):
    - Add new consensus method that initializes bw weights to 1 instead
      of 0. This prevents a zero weight from making it all the way to
      the end (happens in small testing networks) and causing an error.
      Fixes bug 14881; bugfix on 0.2.2.17-alpha.

  o Minor bugfixes (descriptors):
    - Correctly recognise downloaded full descriptors as valid, even
      when using microdescriptors as circuits. This affects clients with
      FetchUselessDescriptors set, and may affect directory authorities.
      Fixes bug 20839; bugfix on 0.2.3.2-alpha.

  o Minor bugfixes (directory system):
    - Download all consensus flavors, descriptors, and authority
      certificates when FetchUselessDescriptors is set, regardless of
      whether tor is a directory cache or not. Fixes bug 20667; bugfix
      on all recent tor versions.
    - Bridges and relays now use microdescriptors (like clients do)
      rather than old-style router descriptors. Now bridges will blend
      in with clients in terms of the circuits they build. Fixes bug
      6769; bugfix on 0.2.3.2-alpha.

  o Minor bugfixes (ed25519 certificates):
    - Correctly interpret ed25519 certificates that would expire some
      time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (hidden services):
    - Stop ignoring misconfigured hidden services. Instead, refuse to
      start tor until the misconfigurations have been corrected. Fixes
      bug 20559; bugfix on multiple commits in 0.2.7.1-alpha
      and earlier.

  o Minor bugfixes (memory leak at exit):
    - Fix a small harmless memory leak at exit of the previously unused
      RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix
      on 0.2.7.2-alpha.

  o Minor bugfixes (util):
    - When finishing writing a file to disk, if we were about to replace
      the file with the temporary file created before and we fail to
      replace it, remove the temporary file so it doesn't stay on disk.
      Fixes bug 20646; bugfix on tor-0.2.0.7-alpha. Patch by fk.

  o Minor bugfixes (Windows):
    - Check for getpagesize before using it to mmap files. This fixes
      compilation in some MinGW environments. Fixes bug 20530; bugfix on
      0.1.2.1-alpha. Reported by "ice".

  o Code simplification and refactoring:
    - Abolish all global guard context in entrynodes.c; replace with new
      guard_selection_t structure as preparation for proposal 271.
      Closes ticket 19858.
    - Introduce rend_service_is_ephemeral() that tells if given onion
      service is ephemeral. Replace unclear NULL-checkings for service
      directory with this function. Closes ticket 20526.
    - Extract magic numbers in circuituse.c into defined variables.
    - Refactor circuit_is_available_for_use to remove unnecessary check.
    - Refactor circuit_predict_and_launch_new for readability and
      testability. Closes ticket 18873.
    - Refactor large if statement in purpose_needs_anonymity to use
      switch statement instead. Closes part of ticket 20077.
    - Refactor the hashing API to return negative values for errors, as
      is done as throughout the codebase. Closes ticket 20717.
    - Remove data structures that were used to index or_connection
      objects by their RSA identity digests. These structures are fully
      redundant with the similar structures used in the
      channel abstraction.
    - Remove duplicate code in the channel_write_*cell() functions.
      Closes ticket 13827; patch from Pingl.
    - Remove redundant behavior of is_sensitive_dir_purpose, refactor to
      use only purpose_needs_anonymity. Closes part of ticket 20077.
    - The code to generate and parse EXTEND and EXTEND2 cells has been
      replaced with code automatically generated by the
      "trunnel" utility.

  o Documentation:
    - Include the "TBits" unit in Tor's man page. Fixes part of bug
      20622; bugfix on tor-0.2.5.1-alpha.
    - Change '1' to 'weight_scale' in consensus bw weights calculation
      comments, as that is reality. Closes ticket 20273. Patch
      from pastly.
    - Correct the value for AuthDirGuardBWGuarantee in the manpage, from
      250 KBytes to 2 MBytes. Fixes bug 20435; bugfix
      on tor-0.2.5.6-alpha.
    - Stop the man page from incorrectly stating that HiddenServiceDir
      must already exist. Fixes 20486.
    - Clarify that when ClientRejectInternalAddresses is enabled (which
      is the default), multicast DNS hostnames for machines on the local
      network (of the form *.local) are also rejected. Closes
      ticket 17070.

  o Removed features:
    - The AuthDirMaxServersPerAuthAddr option no longer exists: The same
      limit for relays running on a single IP applies to authority IP
      addresses as well as to non-authority IP addresses. Closes
      ticket 20960.
    - The UseDirectoryGuards torrc option no longer exists: all users
      that use entry guards will also use directory guards. Related to
      proposal 271; implements part of ticket 20831.

  o Testing:
    - New unit tests for tor_htonll(). Closes ticket 19563. Patch
      from "overcaffeinated".
    - Perform the coding style checks when running the tests and fail
      when coding style violations are found. Closes ticket 5500.
    - Add tests for networkstatus_compute_bw_weights_v10.
    - Add unit tests circuit_predict_and_launch_new.
    - Extract dummy_origin_circuit_new so it can be used by other
      test functions.


Changes in version 0.2.8.12 - 2016-12-19
  Tor 0.2.8.12 backports a fix for a medium-severity issue (bug 21018
  below) where Tor clients could crash when attempting to visit a
  hostile hidden service. Clients are recommended to upgrade as packages
  become available for their systems.

  It also includes an updated list of fallback directories, backported
  from 0.2.9.

  Now that the Tor 0.2.9 series is stable, only major bugfixes will be
  backported to 0.2.8 in the future.

  o Major bugfixes (parsing, security, backported from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Minor features (fallback directory list, backported from 0.2.9.8):
    - Replace the 81 remaining fallbacks of the 100 originally
      introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
      fallbacks (123 new, 54 existing, 27 removed) generated in December
      2016. Resolves ticket 20170.

  o Minor features (geoip, backported from 0.2.9.7-rc):
    - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
      Country database.


Changes in version 0.2.9.8 - 2016-12-19
  Tor 0.2.9.8 is the first stable release of the Tor 0.2.9 series.

  The Tor 0.2.9 series makes mandatory a number of security features
  that were formerly optional. It includes support for a new shared-
  randomness protocol that will form the basis for next generation
  hidden services, includes a single-hop hidden service mode for
  optimizing .onion services that don't actually want to be hidden,
  tries harder not to overload the directory authorities with excessive
  downloads, and supports a better protocol versioning scheme for
  improved compatibility with other implementations of the Tor protocol.

  And of course, there are numerous other bugfixes and improvements.

  This release also includes a fix for a medium-severity issue (bug
  21018 below) where Tor clients could crash when attempting to visit a
  hostile hidden service. Clients are recommended to upgrade as packages
  become available for their systems.

  Below are the changes since 0.2.9.7-rc. For a list of all changes
  since 0.2.8, see the ReleaseNotes file.

  o Major bugfixes (parsing, security):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Minor features (fallback directory list):
    - Replace the 81 remaining fallbacks of the 100 originally
      introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
      fallbacks (123 new, 54 existing, 27 removed) generated in December
      2016. Resolves ticket 20170.


Changes in version 0.2.9.7-rc - 2016-12-12
  Tor 0.2.9.7-rc fixes a few small bugs remaining in Tor 0.2.9.6-rc,
  including a few that had prevented tests from passing on
  some platforms.

  o Minor features (geoip):
    - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
      Country database.

  o Minor bugfix (build):
    - The current Git revision when building from a local repository is
      now detected correctly when using git worktrees. Fixes bug 20492;
      bugfix on 0.2.3.9-alpha.

  o Minor bugfixes (directory authority):
    - When computing old Tor protocol line version in protover, we were
      looking at 0.2.7.5 twice instead of a specific case for
      0.2.9.1-alpha. Fixes bug 20810; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (download scheduling):
    - Resolve a "bug" warning when considering a download schedule whose
      delay had approached INT_MAX. Fixes 20875; bugfix on 0.2.9.5-alpha.

  o Minor bugfixes (logging):
    - Downgrade a harmless log message about the
      pending_entry_connections list from "warn" to "info". Mitigates
      bug 19926.

  o Minor bugfixes (memory leak):
    - Fix a small memory leak when receiving AF_UNIX connections on a
      SocksPort. Fixes bug 20716; bugfix on 0.2.6.3-alpha.
    - When moving a signed descriptor object from a source to an
      existing destination, free the allocated memory inside that
      destination object. Fixes bug 20715; bugfix on 0.2.8.3-alpha.

  o Minor bugfixes (memory leak, use-after-free, linux seccomp2 sandbox):
    - Fix a memory leak and use-after-free error when removing entries
      from the sandbox's getaddrinfo() cache. Fixes bug 20710; bugfix on
      0.2.5.5-alpha. Patch from "cypherpunks".

  o Minor bugfixes (portability):
    - Use the correct spelling of MAC_OS_X_VERSION_10_12 on configure.ac
      Fixes bug 20935; bugfix on 0.2.9.6-rc.

  o Minor bugfixes (unit tests):
    - Stop expecting NetBSD unit tests to report success for ipfw. Part
      of a fix for bug 19960; bugfix on 0.2.9.5-alpha.
    - Fix tolerances in unit tests for monotonic time comparisons
      between nanoseconds and microseconds. Previously, we accepted a 10
      us difference only, which is not realistic on every platform's
      clock_gettime(). Fixes bug 19974; bugfix on 0.2.9.1-alpha.
    - Remove a double-free in the single onion service unit test. Stop
      ignoring a return value. Make future changes less error-prone.
      Fixes bug 20864; bugfix on 0.2.9.6-rc.


Changes in version 0.2.8.11 - 2016-12-08
  Tor 0.2.8.11 backports fixes for additional portability issues that
  could prevent Tor from building correctly on OSX Sierra, or with
  OpenSSL 1.1. Affected users should upgrade; others can safely stay
  with 0.2.8.10.

  o Minor bugfixes (portability):
    - Avoid compilation errors when building on OSX Sierra. Sierra began
      to support the getentropy() and clock_gettime() APIs, but created
      a few problems in doing so. Tor 0.2.9 has a more thorough set of
      workarounds; in 0.2.8, we are just using the /dev/urandom and mach
      monotonic time interfaces. Fixes bug 20865. Bugfix
      on 0.2.8.1-alpha.

  o Minor bugfixes (portability, backport from 0.2.9.5-alpha):
    - Fix compilation with OpenSSL 1.1 and less commonly-used CPU
      architectures. Closes ticket 20588.


Changes in version 0.2.8.10 - 2016-12-02
  Tor 0.2.8.10 backports a fix for a bug that would sometimes make clients
  unusable after they left standby mode. It also backports fixes for
  a few portability issues and a small but problematic memory leak.

  o Major bugfixes (client reliability, backport from 0.2.9.5-alpha):
    - When Tor leaves standby because of a new application request, open
      circuits as needed to serve that request. Previously, we would
      potentially wait a very long time. Fixes part of bug 19969; bugfix
      on 0.2.8.1-alpha.

  o Major bugfixes (client performance, backport from 0.2.9.5-alpha):
    - Clients now respond to new application stream requests immediately
      when they arrive, rather than waiting up to one second before
      starting to handle them. Fixes part of bug 19969; bugfix
      on 0.2.8.1-alpha.

  o Minor bugfixes (portability, backport from 0.2.9.6-rc):
    - Work around a bug in the OSX 10.12 SDK that would prevent us from
      successfully targeting earlier versions of OSX. Resolves
      ticket 20235.

  o Minor bugfixes (portability, backport from 0.2.9.5-alpha):
    - Fix implicit conversion warnings under OpenSSL 1.1. Fixes bug
      20551; bugfix on 0.2.1.1-alpha.

  o Minor bugfixes (relay, backport from 0.2.9.5-alpha):
    - Work around a memory leak in OpenSSL 1.1 when encoding public
      keys. Fixes bug 20553; bugfix on 0.0.2pre8.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
      Country database.

Changes in version 0.2.9.6-rc - 2016-12-02
  Tor 0.2.9.6-rc fixes a few remaining bugs found in the previous alpha
  version. We hope that it will be ready to become stable soon, and we
  encourage everyone to test this release. If no showstopper bugs are
  found here, the next 0.2.9 release will be stable.

  o Major bugfixes (relay, resolver, logging):
    - For relays that don't know their own address, avoid attempting a
      local hostname resolve for each descriptor we download. This
      will cut down on the number of "Success: chose address 'x.x.x.x'"
      log lines, and also avoid confusing clock jumps if the resolver
      is slow. Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (client, fascistfirewall):
    - Avoid spurious warnings when ReachableAddresses or FascistFirewall
      is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (hidden services):
    - Stop ignoring the anonymity status of saved keys for hidden
      services and single onion services when first starting tor.
      Instead, refuse to start tor if any hidden service key has been
      used in a different hidden service anonymity mode. Fixes bug
      20638; bugfix on 17178 in 0.2.9.3-alpha; reported by ahf.

  o Minor bugfixes (portability):
    - Work around a bug in the OSX 10.12 SDK that would prevent us from
      successfully targeting earlier versions of OSX. Resolves
      ticket 20235.
    - Run correctly when built on Windows build environments that
      require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.

  o Minor bugfixes (single onion services, Tor2web):
    - Stop complaining about long-term one-hop circuits deliberately
      created by single onion services and Tor2web. These log messages
      are intended to diagnose issue 8387, which relates to circuits
      hanging around forever for no reason. Fixes bug 20613; bugfix on
      0.2.9.1-alpha. Reported by "pastly".

  o Minor bugfixes (unit tests):
    - Stop spurious failures in the local interface address discovery
      unit tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by
      Neel Chauhan.

  o Documentation:
    - Correct the minimum bandwidth value in torrc.sample, and queue a
      corresponding change for torrc.minimal. Closes ticket 20085.


Changes in version 0.2.9.5-alpha - 2016-11-08
  Tor 0.2.9.5-alpha fixes numerous bugs discovered in the previous alpha
  version. We believe one or two probably remain, and we encourage
  everyone to test this release.

  o Major bugfixes (client performance):
    - Clients now respond to new application stream requests immediately
      when they arrive, rather than waiting up to one second before
      starting to handle them. Fixes part of bug 19969; bugfix
      on 0.2.8.1-alpha.

  o Major bugfixes (client reliability):
    - When Tor leaves standby because of a new application request, open
      circuits as needed to serve that request. Previously, we would
      potentially wait a very long time. Fixes part of bug 19969; bugfix
      on 0.2.8.1-alpha.

  o Major bugfixes (download scheduling):
    - When using an exponential backoff schedule, do not give up on
      downloading just because we have failed a bunch of times. Since
      each delay is longer than the last, retrying indefinitely won't
      hurt. Fixes bug 20536; bugfix on 0.2.9.1-alpha.
    - If a consensus expires while we are waiting for certificates to
      download, stop waiting for certificates.
    - If we stop waiting for certificates less than a minute after we
      started downloading them, do not consider the certificate download
      failure a separate failure. Fixes bug 20533; bugfix
      on 0.2.0.9-alpha.
    - Remove the maximum delay on exponential-backoff scheduling. Since
      we now allow an infinite number of failures (see ticket 20536), we
      must now allow the time to grow longer on each failure. Fixes part
      of bug 20534; bugfix on 0.2.9.1-alpha.
    - Make our initial download delays closer to those from 0.2.8. Fixes
      another part of bug 20534; bugfix on 0.2.9.1-alpha.
    - When determining when to download a directory object, handle times
      after 2038 if the operating system supports them. (Someday this
      will be important!) Fixes bug 20587; bugfix on 0.2.8.1-alpha.
    - When using exponential backoff in test networks, use a lower
      exponent, so the delays do not vary as much. This helps test
      networks bootstrap consistently. Fixes bug 20597; bugfix on 20499.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 3 2016 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (client directory scheduling):
    - Treat "relay too busy to answer request" as a failed request and a
      reason to back off on our retry frequency. This is safe now that
      exponential backoffs retry indefinitely, and avoids a bug where we
      would reset our download schedule erroneously. Fixes bug 20593;
      bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (client, logging):
    - Remove a BUG warning in circuit_pick_extend_handshake(). Instead,
      assume all nodes support EXTEND2. Use ntor whenever a key is
      available. Fixes bug 20472; bugfix on 0.2.9.3-alpha.
    - On DNSPort, stop logging a BUG warning on a failed hostname
      lookup. Fixes bug 19869; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (hidden services):
    - When configuring hidden services, check every hidden service
      directory's permissions. Previously, we only checked the last
      hidden service. Fixes bug 20529; bugfix the work to fix 13942
      in 0.2.6.2-alpha.

  o Minor bugfixes (portability):
    - Fix compilation with OpenSSL 1.1 and less commonly-used CPU
      architectures. Closes ticket 20588.
    - Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has
      removed the ECDH ciphers which caused the tests to fail on
      platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha.
    - Fix implicit conversion warnings under OpenSSL 1.1. Fixes bug
      20551; bugfix on 0.2.1.1-alpha.

  o Minor bugfixes (relay bootstrap):
    - Ensure relays don't make multiple connections during bootstrap.
      Fixes bug 20591; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (relay):
    - Work around a memory leak in OpenSSL 1.1 when encoding public
      keys. Fixes bug 20553; bugfix on 0.0.2pre8.
    - Avoid a small memory leak when informing worker threads about
      rotated onion keys. Fixes bug 20401; bugfix on 0.2.6.3-alpha.
    - Do not try to parallelize workers more than 16x without the user
      explicitly configuring us to do so, even if we do detect more than
      16 CPU cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.

  o Minor bugfixes (single onion services):
    - Start correctly when creating a single onion service in a
      directory that did not previously exist. Fixes bug 20484; bugfix
      on 0.2.9.3-alpha.

  o Minor bugfixes (testing):
    - Avoid a unit test failure on systems with over 16 detectable CPU
      cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.

  o Documentation:
    - Clarify that setting HiddenServiceNonAnonymousMode requires you to
      also set "SOCKSPort 0". Fixes bug 20487; bugfix on 0.2.9.3-alpha.
    - Module-level documentation for several more modules. Closes
      tickets 19287 and 19290.


Changes in version 0.2.8.9 - 2016-10-17
  Tor 0.2.8.9 backports a fix for a security hole in previous versions
  of Tor that would allow a remote attacker to crash a Tor client,
  hidden service, relay, or authority. All Tor users should upgrade to
  this version, or to 0.2.9.4-alpha. Patches will be released for older
  versions of Tor.

  o Major features (security fixes, also in 0.2.9.4-alpha):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
      Country database.


Changes in version 0.2.9.4-alpha - 2016-10-17
  Tor 0.2.9.4-alpha fixes a security hole in previous versions of Tor
  that would allow a remote attacker to crash a Tor client, hidden
  service, relay, or authority. All Tor users should upgrade to this
  version, or to 0.2.8.9. Patches will be released for older versions
  of Tor.

  Tor 0.2.9.4-alpha also adds numerous small features and fix-ups to
  previous versions of Tor, including the implementation of a feature to
  future- proof the Tor ecosystem against protocol changes, some bug
  fixes necessary for Tor Browser to use unix domain sockets correctly,
  and several portability improvements. We anticipate that this will be
  the last alpha in the Tor 0.2.9 series, and that the next release will
  be a release candidate.

  o Major features (security fixes):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).

  o Major features (subprotocol versions):
    - Tor directory authorities now vote on a set of recommended
      subprotocol versions, and on a set of required subprotocol
      versions. Clients and relays that lack support for a _required_
      subprotocol version will not start; those that lack support for a
      _recommended_ subprotocol version will warn the user to upgrade.
      Closes ticket 19958; implements part of proposal 264.
    - Tor now uses "subprotocol versions" to indicate compatibility.
      Previously, versions of Tor looked at the declared Tor version of
      a relay to tell whether they could use a given feature. Now, they
      should be able to rely on its declared subprotocol versions. This
      change allows compatible implementations of the Tor protocol(s) to
      exist without pretending to be 100% bug-compatible with particular
      releases of Tor itself. Closes ticket 19958; implements part of
      proposal 264.

  o Minor feature (fallback directories):
    - Remove broken fallbacks from the hard-coded fallback directory
      list. Closes ticket 20190; patch by teor.

  o Minor features (client, directory):
    - Since authorities now omit all routers that lack the Running and
      Valid flags, we assume that any relay listed in the consensus must
      have those flags. Closes ticket 20001; implements part of
      proposal 272.

  o Minor features (compilation, portability):
    - Compile correctly on MacOS 10.12 (aka "Sierra"). Closes
      ticket 20241.

  o Minor features (development tools, etags):
    - Teach the "make tags" Makefile target how to correctly find
      "MOCK_IMPL" function definitions. Patch from nherring; closes
      ticket 16869.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
      Country database.

  o Minor features (unix domain sockets):
    - When configuring a unix domain socket for a SocksPort,
      ControlPort, or Hidden service, you can now wrap the address in
      quotes, using C-style escapes inside the quotes. This allows unix
      domain socket paths to contain spaces.

  o Minor features (virtual addresses):
    - Increase the maximum number of bits for the IPv6 virtual network
      prefix from 16 to 104. In this way, the condition for address
      allocation is less restrictive. Closes ticket 20151; feature
      on 0.2.4.7-alpha.

  o Minor bugfixes (address discovery):
    - Stop reordering IP addresses returned by the OS. This makes it
      more likely that Tor will guess the same relay IP address every
      time. Fixes issue 20163; bugfix on 0.2.7.1-alpha, ticket 17027.
      Reported by René Mayrhofer, patch by "cypherpunks".

  o Minor bugfixes (client, unix domain sockets):
    - Disable IsolateClientAddr when using AF_UNIX backed SocksPorts as
      the client address is meaningless. Fixes bug 20261; bugfix
      on 0.2.6.3-alpha.

  o Minor bugfixes (compilation, OpenBSD):
    - Detect Libevent2 functions correctly on systems that provide
      libevent2, but where libevent1 is linked with -levent. Fixes bug
      19904; bugfix on 0.2.2.24-alpha. Patch from Rubiate.

  o Minor bugfixes (configuration):
    - When parsing quoted configuration values from the torrc file,
      handle windows line endings correctly. Fixes bug 19167; bugfix on
      0.2.0.16-alpha. Patch from "Pingl".

  o Minor bugfixes (getpass):
    - Defensively fix a non-triggerable heap corruption at do_getpass()
      to protect ourselves from mistakes in the future. Fixes bug
      19223; bugfix on 0.2.7.3-rc. Bug found by Guido Vranken, patch
      by nherring.

  o Minor bugfixes (hidden service):
    - Allow hidden services to run on IPv6 addresses even when the
      IPv6Exit option is not set. Fixes bug 18357; bugfix
      on 0.2.4.7-alpha.

  o Documentation:
    - Add module-level internal documentation for 36 C files that
      previously didn't have a high-level overview. Closes ticket #20385.

  o Required libraries:
    - When building with OpenSSL, Tor now requires version 1.0.1 or
      later. OpenSSL 1.0.0 and earlier are no longer supported by the
      OpenSSL team, and should not be used. Closes ticket 20303.


Changes in version 0.2.9.3-alpha - 2016-09-23
  Tor 0.2.9.3-alpha adds improved support for entities that want to make
  high-performance services available through the Tor .onion mechanism
  without themselves receiving anonymity as they host those services. It
  also tries harder to ensure that all steps on a circuit are using the
  strongest crypto possible, strengthens some TLS properties, and
  resolves several bugs -- including a pair of crash bugs from the 0.2.8
  series. Anybody running an earlier version of 0.2.9.x should upgrade.

  o Major bugfixes (crash, also in 0.2.8.8):
    - Fix a complicated crash bug that could affect Tor clients
      configured to use bridges when replacing a networkstatus consensus
      in which one of their bridges was mentioned. OpenBSD users saw
      more crashes here, but all platforms were potentially affected.
      Fixes bug 20103; bugfix on 0.2.8.2-alpha.

  o Major bugfixes (relay, OOM handler, also in 0.2.8.8):
    - Fix a timing-dependent assertion failure that could occur when we
      tried to flush from a circuit after having freed its cells because
      of an out-of-memory condition. Fixes bug 20203; bugfix on
      0.2.8.1-alpha. Thanks to "cypherpunks" for help diagnosing
      this one.

  o Major features (circuit building, security):
    - Authorities, relays and clients now require ntor keys in all
      descriptors, for all hops (except for rare hidden service protocol
      cases), for all circuits, and for all other roles. Part of
      ticket 19163.
    - Tor authorities, relays, and clients only use ntor, except for
      rare cases in the hidden service protocol. Part of ticket 19163.

  o Major features (single-hop "hidden" services):
    - Add experimental HiddenServiceSingleHopMode and
      HiddenServiceNonAnonymousMode options. When both are set to 1,
      every hidden service on a Tor instance becomes a non-anonymous
      Single Onion Service. Single Onions make one-hop (direct)
      connections to their introduction and renzedvous points. One-hop
      circuits make Single Onion servers easily locatable, but clients
      remain location-anonymous. This is compatible with the existing
      hidden service implementation, and works on the current tor
      network without any changes to older relays or clients. Implements
      proposal 260, completes ticket 17178. Patch by teor and asn.

  o Major features (resource management):
    - Tor can now notice it is about to run out of sockets, and
      preemptively close connections of lower priority. (This feature is
      off by default for now, since the current prioritizing method is
      yet not mature enough. You can enable it by setting
      "DisableOOSCheck 0", but watch out: it might close some sockets
      you would rather have it keep.) Closes ticket 18640.

  o Major bugfixes (circuit building):
    - Hidden service client-to-intro-point and service-to-rendezvous-
      point circuits use the TAP key supplied by the protocol, to avoid
      epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.

  o Major bugfixes (compilation, OpenBSD):
    - Fix a Libevent-detection bug in our autoconf script that would
      prevent Tor from linking successfully on OpenBSD. Patch from
      rubiate. Fixes bug 19902; bugfix on 0.2.9.1-alpha.

  o Major bugfixes (hidden services):
    - Clients now require hidden services to include the TAP keys for
      their intro points in the hidden service descriptor. This prevents
      an inadvertent upgrade to ntor, which a malicious hidden service
      could use to distinguish clients by consensus version. Fixes bug
      20012; bugfix on 0.2.4.8-alpha. Patch by teor.

  o Minor features (security, TLS):
    - Servers no longer support clients that without AES ciphersuites.
      (3DES is no longer considered an acceptable cipher.) We believe
      that no such Tor clients currently exist, since Tor has required
      OpenSSL 0.9.7 or later since 2009. Closes ticket 19998.

  o Minor feature (fallback directories):
    - Remove 8 fallbacks that are no longer suitable, leaving 81 of the
      100 fallbacks originally introduced in Tor 0.2.8.2-alpha in March
      2016. Closes ticket 20190; patch by teor.

  o Minor features (geoip, also in 0.2.8.8):
    - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
      Country database.

  o Minor feature (port flags):
    - Add new flags to the *Port options to finer control over which
      requests are allowed. The flags are NoDNSRequest, NoOnionTraffic,
      and the synthetic flag OnionTrafficOnly, which is equivalent to
      NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic. Closes enhancement
      18693; patch by "teor".

  o Minor features (directory authority):
    - After voting, if the authorities decide that a relay is not
      "Valid", they no longer include it in the consensus at all. Closes
      ticket 20002; implements part of proposal 272.

  o Minor features (testing):
    - Disable memory protections on OpenBSD when performing our unit
      tests for memwipe(). The test deliberately invokes undefined
      behavior, and the OpenBSD protections interfere with this. Patch
      from "rubiate". Closes ticket 20066.

  o Minor features (testing, ipv6):
    - Add the single-onion and single-onion-ipv6 chutney targets to
      "make test-network-all". This requires a recent chutney version
      with the single onion network flavours (git c72a652 or later).
      Closes ticket 20072; patch by teor.
    - Add the hs-ipv6 chutney target to make test-network-all's IPv6
      tests. Remove bridges+hs, as it's somewhat redundant. This
      requires a recent chutney version that supports IPv6 clients,
      relays, and authorities. Closes ticket 20069; patch by teor.

  o Minor features (Tor2web):
    - Make Tor2web clients respect ReachableAddresses. This feature was
      inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on
      0.2.8.7. Implements feature 20034. Patch by teor.

  o Minor features (unit tests):
    - We've done significant work to make the unit tests run faster.
    - Our link-handshake unit tests now check that when invalid
      handshakes fail, they fail with the error messages we expected.
    - Our unit testing code that captures log messages no longer
      prevents them from being written out if the user asked for them
      (by passing --debug or --info or or --notice --warn to the "test"
      binary). This change prevents us from missing unexpected log
      messages simply because we were looking for others. Related to
      ticket 19999.
    - The unit tests now log all warning messages with the "BUG" flag.
      Previously, they only logged errors by default. This change will
      help us make our testing code more correct, and make sure that we
      only hit this code when we mean to. In the meantime, however,
      there will be more warnings in the unit test logs than before.
      This is preparatory work for ticket 19999.
    - The unit tests now treat any failure of a "tor_assert_nonfatal()"
      assertion as a test failure.

  o Minor bug fixes (circuits):
    - Use the CircuitBuildTimeout option whenever
      LearnCircuitBuildTimeout is disabled. Previously, we would respect
      the option when a user disabled it, but not when it was disabled
      because some other option was set. Fixes bug 20073; bugfix on
      0.2.4.12-alpha. Patch by teor.

  o Minor bugfixes (allocation):
    - Change how we allocate memory for large chunks on buffers, to
      avoid a (currently impossible) integer overflow, and to waste less
      space when allocating unusually large chunks. Fixes bug 20081;
      bugfix on 0.2.0.16-alpha. Issue identified by Guido Vranken.
    - Always include orconfig.h before including any other C headers.
      Sometimes, it includes macros that affect the behavior of the
      standard headers. Fixes bug 19767; bugfix on 0.2.9.1-alpha (the
      first version to use AC_USE_SYSTEM_EXTENSIONS).
    - Fix a syntax error in the IF_BUG_ONCE__() macro in non-GCC-
      compatible compilers. Fixes bug 20141; bugfix on 0.2.9.1-alpha.
      Patch from Gisle Vanem.
    - Stop trying to build with Clang 4.0's -Wthread-safety warnings.
      They apparently require a set of annotations that we aren't
      currently using, and they create false positives in our pthreads
      wrappers. Fixes bug 20110; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (directory authority):
    - Die with a more useful error when the operator forgets to place
      the authority_signing_key file into the keys directory. This
      avoids an uninformative assert & traceback about having an invalid
      key. Fixes bug 20065; bugfix on 0.2.0.1-alpha.
    - When allowing private addresses, mark Exits that only exit to
      private locations as such. Fixes bug 20064; bugfix
      on 0.2.2.9-alpha.

  o Minor bugfixes (documentation):
    - Document the default PathsNeededToBuildCircuits value that's used
      by clients when the directory authorities don't set
      min_paths_for_circs_pct. Fixes bug 20117; bugfix on 02c320916e02
      in 0.2.4.10-alpha. Patch by teor, reported by Jesse V.
    - Fix manual for the User option: it takes a username, not a UID.
      Fixes bug 19122; bugfix on 0.0.2pre16 (the first version to have
      a manpage!).

  o Minor bugfixes (hidden services):
    - Stop logging intro point details to the client log on certain
      error conditions. Fixed as part of bug 20012; bugfix on
      0.2.4.8-alpha. Patch by teor.

  o Minor bugfixes (IPv6, testing):
    - Check for IPv6 correctly on Linux when running test networks.
      Fixes bug 19905; bugfix on 0.2.7.3-rc; patch by teor.

  o Minor bugfixes (Linux seccomp2 sandbox):
    - Add permission to run the sched_yield() and sigaltstack() system
      calls, in order to support versions of Tor compiled with asan or
      ubsan code that use these calls. Now "sandbox 1" and
      "--enable-expensive-hardening" should be compatible on more
      systems. Fixes bug 20063; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (logging):
    - When logging a message from the BUG() macro, be explicit about
      what we were asserting. Previously we were confusing what we were
      asserting with what the bug was. Fixes bug 20093; bugfix
      on 0.2.9.1-alpha.
    - When we are unable to remove the bw_accounting file, do not warn
      if the reason we couldn't remove it was that it didn't exist.
      Fixes bug 19964; bugfix on 0.2.5.4-alpha. Patch from 'pastly'.

  o Minor bugfixes (option parsing):
    - Count unix sockets when counting client listeners (SOCKS, Trans,
      NATD, and DNS). This has no user-visible behaviour changes: these
      options are set once, and never read. Required for correct
      behaviour in ticket 17178. Fixes bug 19677; bugfix on
      0.2.6.3-alpha. Patch by teor.

  o Minor bugfixes (options):
    - Check the consistency of UseEntryGuards and EntryNodes more
      reliably. Fixes bug 20074; bugfix on 0.2.4.12-alpha. Patch
      by teor.
    - Stop changing the configured value of UseEntryGuards on
      authorities and Tor2web clients. Fixes bug 20074; bugfix on
      commits 51fc6799 in 0.1.1.16-rc and acda1735 in 0.2.4.3-alpha.
      Patch by teor.

  o Minor bugfixes (Tor2web):
    - Prevent Tor2web clients running hidden services, these services
      are not anonymous due to the one-hop client paths. Fixes bug
      19678. Patch by teor.

  o Minor bugfixes (unit tests):
    - Fix a shared-random unit test that was failing on big endian
      architectures due to internal representation of a integer copied
      to a buffer. The test is changed to take a full 32 bytes of data
      and use the output of a python script that make the COMMIT and
      REVEAL calculation according to the spec. Fixes bug 19977; bugfix
      on 0.2.9.1-alpha.
    - The tor_tls_server_info_callback unit test no longer crashes when
      debug-level logging is turned on. Fixes bug 20041; bugfix
      on 0.2.8.1-alpha.


Changes in version 0.2.8.8 - 2016-09-23
  Tor 0.2.8.8 fixes two crash bugs present in previous versions of the
  0.2.8.x series. Relays running 0.2.8.x should upgrade, as should users
  who select public relays as their bridges.

  o Major bugfixes (crash):
    - Fix a complicated crash bug that could affect Tor clients
      configured to use bridges when replacing a networkstatus consensus
      in which one of their bridges was mentioned. OpenBSD users saw
      more crashes here, but all platforms were potentially affected.
      Fixes bug 20103; bugfix on 0.2.8.2-alpha.

  o Major bugfixes (relay, OOM handler):
    - Fix a timing-dependent assertion failure that could occur when we
      tried to flush from a circuit after having freed its cells because
      of an out-of-memory condition. Fixes bug 20203; bugfix on
      0.2.8.1-alpha. Thanks to "cypherpunks" for help diagnosing
      this one.

  o Minor feature (fallback directories):
    - Remove 8 fallbacks that are no longer suitable, leaving 81 of the
      100 fallbacks originally introduced in Tor 0.2.8.2-alpha in March
      2016. Closes ticket 20190; patch by teor.

  o Minor features (geoip):
    - Update geoip and geoip6 to the September 6 2016 Maxmind GeoLite2
      Country database.


Changes in version 0.2.9.2-alpha - 2016-08-24
  Tor 0.2.9.2-alpha continues development of the 0.2.9 series with
  several new features and bugfixes. It also includes an important
  authority update and an important bugfix from 0.2.8.7. Everyone who
  sets the ReachableAddresses option, and all bridges, are strongly
  encouraged to upgrade to 0.2.8.7, or to 0.2.9.2-alpha.

  o Directory authority changes (also in 0.2.8.7):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.

  o Major bugfixes (client, security, also in 0.2.8.7):
    - Only use the ReachableAddresses option to restrict the first hop
      in a path. In earlier versions of 0.2.8.x, it would apply to
      every hop in the path, with a possible degradation in anonymity
      for anyone using an uncommon ReachableAddress setting. Fixes bug
      19973; bugfix on 0.2.8.2-alpha.

  o Major features (user interface):
    - Tor now supports the ability to declare options deprecated, so
      that we can recommend that people stop using them. Previously,
      this was done in an ad-hoc way. Closes ticket 19820.

  o Major bugfixes (directory downloads):
    - Avoid resetting download status for consensuses hourly, since we
      already have another, smarter retry mechanism. Fixes bug 8625;
      bugfix on 0.2.0.9-alpha.

  o Minor features (config):
    - Warn users when descriptor and port addresses are inconsistent.
      Mitigates bug 13953; patch by teor.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2
      Country database.

  o Minor features (user interface):
    - There is a new --list-deprecated-options command-line option to
      list all of the deprecated options. Implemented as part of
      ticket 19820.

  o Minor bugfixes (code style):
    - Fix an integer signedness conversion issue in the case conversion
      tables. Fixes bug 19168; bugfix on 0.2.1.11-alpha.

  o Minor bugfixes (compilation):
    - Build correctly on versions of libevent2 without support for
      evutil_secure_rng_add_bytes(). Fixes bug 19904; bugfix
      on 0.2.5.4-alpha.
    - Fix a compilation warning on GCC versions before 4.6. Our
      ENABLE_GCC_WARNING macro used the word "warning" as an argument,
      when it is also required as an argument to the compiler pragma.
      Fixes bug 19901; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (compilation, also in 0.2.8.7):
    - Remove an inappropriate "inline" in tortls.c that was causing
      warnings on older versions of GCC. Fixes bug 19903; bugfix
      on 0.2.8.1-alpha.

  o Minor bugfixes (fallback directories, also in 0.2.8.7):
    - Avoid logging a NULL string pointer when loading fallback
      directory information. Fixes bug 19947; bugfix on 0.2.4.7-alpha
      and 0.2.8.1-alpha. Report and patch by "rubiate".

  o Minor bugfixes (logging):
    - Log a more accurate message when we fail to dump a microdescriptor.
      Fixes bug 17758; bugfix on 0.2.2.8-alpha. Patch from Daniel Pinto.

  o Minor bugfixes (memory leak):
    - Fix a series of slow memory leaks related to parsing torrc files
      and options. Fixes bug 19466; bugfix on 0.2.1.6-alpha.

  o Deprecated features:
    - A number of DNS-cache-related sub-options for client ports are now
      deprecated for security reasons, and may be removed in a future
      version of Tor. (We believe that client-side DNS cacheing is a bad
      idea for anonymity, and you should not turn it on.) The options
      are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache,
      UseIPv4Cache, and UseIPv6Cache.
    - A number of options are deprecated for security reasons, and may
      be removed in a future version of Tor. The options are:
      AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
      AllowSingleHopExits, ClientDNSRejectInternalAddresses,
      CloseHSClientCircuitsImmediatelyOnTimeout,
      CloseHSServiceRendCircuitsImmediatelyOnTimeout,
      ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
      UseNTorHandshake, and WarnUnsafeSocks.
    - The *ListenAddress options are now deprecated as unnecessary: the
      corresponding *Port options should be used instead. These options
      may someday be removed. The affected options are:
      ControlListenAddress, DNSListenAddress, DirListenAddress,
      NATDListenAddress, ORListenAddress, SocksListenAddress,
      and TransListenAddress.

  o Documentation:
    - Correct the IPv6 syntax in our documentation for the
      VirtualAddrNetworkIPv6 torrc option. Closes ticket 19743.

  o Removed code:
    - We no longer include the (dead, deprecated) bufferevent code in
      Tor. Closes ticket 19450. Based on a patch from U+039b.


Changes in version 0.2.8.7 - 2016-08-24
  Tor 0.2.8.7 fixes an important bug related to the ReachableAddresses
  option in 0.2.8.6, and replaces a retiring bridge authority. Everyone
  who sets the ReachableAddresses option, and all bridges, are strongly
  encouraged to upgrade.

  o Directory authority changes:
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.

  o Major bugfixes (client, security):
    - Only use the ReachableAddresses option to restrict the first hop
      in a path. In earlier versions of 0.2.8.x, it would apply to
      every hop in the path, with a possible degradation in anonymity
      for anyone using an uncommon ReachableAddress setting. Fixes bug
      19973; bugfix on 0.2.8.2-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 2 2016 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation):
    - Remove an inappropriate "inline" in tortls.c that was causing
      warnings on older versions of GCC. Fixes bug 19903; bugfix
      on 0.2.8.1-alpha.

  o Minor bugfixes (fallback directories):
    - Avoid logging a NULL string pointer when loading fallback
      directory information. Fixes bug 19947; bugfix on 0.2.4.7-alpha
      and 0.2.8.1-alpha. Report and patch by "rubiate".


Changes in version 0.2.9.1-alpha - 2016-08-08
  Tor 0.2.9.1-alpha is the first alpha release in the 0.2.9 development
  series. It improves our support for hardened builds and compiler
  warnings, deploys some critical infrastructure for improvements to
  hidden services, includes a new timing backend that we hope to use for
  better support for traffic padding, makes it easier for programmers to
  log unexpected events, and contains other small improvements to
  security, correctness, and performance.

  Below are the changes since 0.2.8.6.

  o New system requirements:
    - Tor now requires Libevent version 2.0.10-stable or later. Older
      versions of Libevent have less efficient backends for several
      platforms, and lack the DNS code that we use for our server-side
      DNS support. This implements ticket 19554.
    - Tor now requires zlib version 1.2 or later, for security,
      efficiency, and (eventually) gzip support. (Back when we started,
      zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
      released in 2003. We recommend the latest version.)

  o Major features (build, hardening):
    - Tor now builds with -ftrapv by default on compilers that support
      it. This option detects signed integer overflow (which C forbids),
      and turns it into a hard-failure. We do not apply this option to
      code that needs to run in constant time to avoid side-channels;
      instead, we use -fwrapv in that code. Closes ticket 17983.
    - When --enable-expensive-hardening is selected, stop applying the
      clang/gcc sanitizers to code that needs to run in constant time.
      Although we are aware of no introduced side-channels, we are not
      able to prove that there are none. Related to ticket 17983.

  o Major features (compilation):
    - Our big list of extra GCC warnings is now enabled by default when
      building with GCC (or with anything like Clang that claims to be
      GCC-compatible). To make all warnings into fatal compilation
      errors, pass --enable-fatal-warnings to configure. Closes
      ticket 19044.
    - Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically
      turn on C and POSIX extensions. (Previously, we attempted to do
      this on an ad hoc basis.) Closes ticket 19139.

  o Major features (directory authorities, hidden services):
    - Directory authorities can now perform the shared randomness
      protocol specified by proposal 250. Using this protocol, directory
      authorities generate a global fresh random value every day. In the
      future, this value will be used by hidden services to select
      HSDirs. This release implements the directory authority feature;
      the hidden service side will be implemented in the future as part
      of proposal 224. Resolves ticket 16943; implements proposal 250.

  o Major features (downloading, random exponential backoff):
    - When we fail to download an object from a directory service, wait
      for an (exponentially increasing) randomized amount of time before
      retrying, rather than a fixed interval as we did before. This
      prevents a group of Tor instances from becoming too synchronized,
      or a single Tor instance from becoming too predictable, in its
      download schedule. Closes ticket 15942.

  o Major bugfixes (exit policies):
    - Avoid disclosing exit outbound bind addresses, configured port
      bind addresses, and local interface addresses in relay descriptors
      by default under ExitPolicyRejectPrivate. Instead, only reject
      these (otherwise unlisted) addresses if
      ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on
      0.2.7.2-alpha. Patch by teor.

  o Major bugfixes (hidden service client):
    - Allow Tor clients with appropriate controllers to work with
      FetchHidServDescriptors set to 0. Previously, this option also
      disabled descriptor cache lookup, thus breaking hidden services
      entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".

  o Minor features (build, hardening):
    - Detect and work around a libclang_rt problem that would prevent
      clang from finding __mulodi4() on some 32-bit platforms, and thus
      keep -ftrapv from linking on those systems. Closes ticket 19079.
    - When building on a system without runtime support for the runtime
      hardening options, try to log a useful warning at configuration
      time, rather than an incomprehensible warning at link time. If
      expensive hardening was requested, this warning becomes an error.
      Closes ticket 18895.

  o Minor features (code safety):
    - In our integer-parsing functions, ensure that maxiumum value we
      give is no smaller than the minimum value. Closes ticket 19063;
      patch from U+039b.

  o Minor features (controller):
    - Implement new GETINFO queries for all downloads that use
      download_status_t to schedule retries. This allows controllers to
      examine the schedule for pending downloads. Closes ticket 19323.
    - Allow controllers to configure basic client authorization on
      hidden services when they create them with the ADD_ONION control
      command. Implements ticket 15588. Patch by "special".
    - Fire a STATUS_SERVER controller event whenever the hibernation
      status changes between "awake"/"soft"/"hard". Closes ticket 18685.

  o Minor features (directory authority):
    - Directory authorities now only give the Guard flag to a relay if
      they are also giving it the Stable flag. This change allows us to
      simplify path selection for clients. It should have minimal effect
      in practice, since >99% of Guards already have the Stable flag.
      Implements ticket 18624.
    - Directory authorities now write their v3-status-votes file out to
      disk earlier in the consensus process, so we have a record of the
      votes even if we abort the consensus process. Resolves
      ticket 19036.

  o Minor features (hidden service):
    - Stop being so strict about the payload length of "rendezvous1"
      cells. We used to be locked in to the "TAP" handshake length, and
      now we can handle better handshakes like "ntor". Resolves
      ticket 18998.

  o Minor features (infrastructure, time):
    - Tor now uses the operating system's monotonic timers (where
      available) for internal fine-grained timing. Previously we would
      look at the system clock, and then attempt to compensate for the
      clock running backwards. Closes ticket 18908.
    - Tor now includes an improved timer backend, so that we can
      efficiently support tens or hundreds of thousands of concurrent
      timers, as will be needed for some of our planned anti-traffic-
      analysis work. This code is based on William Ahern's "timeout.c"
      project, which implements a "tickless hierarchical timing wheel".
      Closes ticket 18365.

  o Minor features (logging):
    - Provide a more useful warning message when configured with an
      invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".
    - When dumping unparseable router descriptors, optionally store them
      in separate files, named by digest, up to a configurable size
      limit. You can change the size limit by setting the
      MaxUnparseableDescSizeToLog option, and disable this feature by
      setting that option to 0. Closes ticket 18322.
    - Add a set of macros to check nonfatal assertions, for internal
      use. Migrating more of our checks to these should help us avoid
      needless crash bugs. Closes ticket 18613.

  o Minor features (performance):
    - Changer the "optimistic data" extension from "off by default" to
      "on by default". The default was ordinarily overridden by a
      consensus option, but when clients were bootstrapping for the
      first time, they would not have a consensus to get the option
      from. Changing this default When fetching a consensus for the
      first time, use optimistic data. This saves a round-trip during
      startup. Closes ticket 18815.

  o Minor features (relay, usability):
    - When the directory authorities refuse a bad relay's descriptor,
      encourage the relay operator to contact us. Many relay operators
      won't notice this line in their logs, but it's a win if even a few
      learn why we don't like what their relay was doing. Resolves
      ticket 18760.

  o Minor features (testing):
    - Let backtrace tests work correctly under AddressSanitizer. Fixes
      part of bug 18934; bugfix on 0.2.5.2-alpha.
    - Move the test-network.sh script to chutney, and modify tor's test-
      network.sh to call the (newer) chutney version when available.
      Resolves ticket 19116. Patch by teor.
    - Use the lcov convention for marking lines as unreachable, so that
      we don't count them when we're generating test coverage data.
      Update our coverage tools to understand this convention. Closes
      ticket 16792.

  o Minor bugfixes (bootstrap):
    - Remember the directory we fetched the consensus or previous
      certificates from, and use it to fetch future authority
      certificates. This change improves bootstrapping performance.
      Fixes bug 18963; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (build):
    - The test-stem and test-network makefile targets now depend only on
      the tor binary that they are testing. Previously, they depended on
      "make all". Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a
      patch from "cypherpunks".

  o Minor bugfixes (circuits):
    - Make sure extend_info_from_router() is only called on servers.
      Fixes bug 19639; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation):
    - When building with Clang, use a full set of GCC warnings.
      (Previously, we included only a subset, because of the way we
      detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha.

  o Minor bugfixes (directory authority):
    - Authorities now sort the "package" lines in their votes, for ease
      of debugging. (They are already sorted in consensus documents.)
      Fixes bug 18840; bugfix on 0.2.6.3-alpha.
    - When parsing a detached signature, make sure we use the length of
      the digest algorithm instead of an hardcoded DIGEST256_LEN in
      order to avoid comparing bytes out-of-bounds with a smaller digest
      length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha.

  o Minor bugfixes (documentation):
    - Document the --passphrase-fd option in the tor manpage. Fixes bug
      19504; bugfix on 0.2.7.3-rc.
    - Fix the description of the --passphrase-fd option in the
      tor-gencert manpage. The option is used to pass the number of a
      file descriptor to read the passphrase from, not to read the file
      descriptor from. Fixes bug 19505; bugfix on 0.2.0.20-alpha.

  o Minor bugfixes (ephemeral hidden service):
    - When deleting an ephemeral hidden service, close its intro points
      even if they are not completely open. Fixes bug 18604; bugfix
      on 0.2.7.1-alpha.

  o Minor bugfixes (guard selection):
    - Use a single entry guard even if the NumEntryGuards consensus
      parameter is not provided. Fixes bug 17688; bugfix
      on 0.2.5.6-alpha.
    - Don't mark guards as unreachable if connection_connect() fails.
      That function fails for local reasons, so it shouldn't reveal
      anything about the status of the guard. Fixes bug 14334; bugfix
      on 0.2.3.10-alpha.

  o Minor bugfixes (hidden service client):
    - Increase the minimum number of internal circuits we preemptively
      build from 2 to 3, so a circuit is available when a client
      connects to another onion service. Fixes bug 13239; bugfix
      on 0.1.0.1-rc.

  o Minor bugfixes (logging):
    - When logging a directory ownership mismatch, log the owning
      username correctly. Fixes bug 19578; bugfix on 0.2.2.29-beta.

  o Minor bugfixes (memory leaks):
    - Fix a small, uncommon memory leak that could occur when reading a
      truncated ed25519 key file. Fixes bug 18956; bugfix
      on 0.2.6.1-alpha.

  o Minor bugfixes (testing):
    - Allow clients to retry HSDirs much faster in test networks. Fixes
      bug 19702; bugfix on 0.2.7.1-alpha. Patch by teor.
    - Disable ASAN's detection of segmentation faults while running
      test_bt.sh, so that we can make sure that our own backtrace
      generation code works. Fixes another aspect of bug 18934; bugfix
      on 0.2.5.2-alpha. Patch from "cypherpunks".
    - Fix the test-network-all target on out-of-tree builds by using the
      correct path to the test driver script. Fixes bug 19421; bugfix
      on 0.2.7.3-rc.

  o Minor bugfixes (time):
    - Improve overflow checks in tv_udiff and tv_mdiff. Fixes bug 19483;
      bugfix on all released tor versions.
    - When computing the difference between two times in milliseconds,
      we now round to the nearest millisecond correctly. Previously, we
      could sometimes round in the wrong direction. Fixes bug 19428;
      bugfix on 0.2.2.2-alpha.

  o Minor bugfixes (user interface):
    - Display a more accurate number of suppressed messages in the log
      rate-limiter. Previously, there was a potential integer overflow
      in the counter. Now, if the number of messages hits a maximum, the
      rate-limiter doesn't count any further. Fixes bug 19435; bugfix
      on 0.2.4.11-alpha.
    - Fix a typo in the passphrase prompt for the ed25519 identity key.
      Fixes bug 19503; bugfix on 0.2.7.2-alpha.

  o Code simplification and refactoring:
    - Remove redundant declarations of the MIN macro. Closes
      ticket 18889.
    - Rename tor_dup_addr() to tor_addr_to_str_dup() to avoid confusion.
      Closes ticket 18462; patch from "icanhasaccount".
    - Split the 600-line directory_handle_command_get function into
      separate functions for different URL types. Closes ticket 16698.

  o Documentation:
    - Fix spelling of "--enable-tor2web-mode" in the manpage. Closes
      ticket 19153. Patch from "U+039b".

  o Removed features:
    - Remove support for "GET /tor/bytes.txt" DirPort request, and
      "GETINFO dir-usage" controller request, which were only available
      via a compile-time option in Tor anyway. Feature was added in
      0.2.2.1-alpha. Resolves ticket 19035.
    - There is no longer a compile-time option to disable support for
      TransPort. (If you don't want TransPort; just don't use it.) Patch
      from "U+039b". Closes ticket 19449.

  o Testing:
    - Run more workqueue tests as part of "make check". These had
      previously been implemented, but you needed to know special
      command-line options to enable them.
    - We now have unit tests for our code to reject zlib "compression
      bombs". (Fortunately, the code works fine.)


Changes in version 0.2.8.6 - 2016-08-02

  Tor 0.2.8.6 is the first stable version of the Tor 0.2.8 series.

  The Tor 0.2.8 series improves client bootstrapping performance,
  completes the authority-side implementation of improved identity
  keys for relays, and includes numerous bugfixes and performance
  improvements throughout the program. This release continues to
  improve the coverage of Tor's test suite.  For a full list of
  changes since Tor 0.2.7, see the ReleaseNotes file.

  Changes since 0.2.8.5-rc:

  o Minor features (geoip):
    - Update geoip and geoip6 to the July 6 2016 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation):
    - Fix a compilation warning in the unit tests on systems where char
      is signed. Fixes bug 19682; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (fallback directories):
    - Remove 1 fallback that was on the hardcoded list, then opted-out,
      leaving 89 of the 100 fallbacks originally introduced in Tor
      0.2.8.2-alpha in March 2016. Closes ticket 19782; patch by teor.

  o Minor bugfixes (Linux seccomp2 sandbox):
    - Allow more syscalls when running with "Sandbox 1" enabled:
      sysinfo, getsockopt(SO_SNDBUF), and setsockopt(SO_SNDBUFFORCE). On
      some systems, these are required for Tor to start. Fixes bug
      18397; bugfix on 0.2.5.1-alpha. Patch from Daniel Pinto.
    - Allow IPPROTO_UDP datagram sockets when running with "Sandbox 1",
      so that get_interface_address6_via_udp_socket_hack() can work.
      Fixes bug 19660; bugfix on 0.2.5.1-alpha.


Changes in version 0.2.8.5-rc - 2016-07-07
  Tor 0.2.8.5-rc is the second release candidate in the Tor 0.2.8
  series. If we find no new bugs or regressions here, the first stable
  0.2.8 release will be identical to it. It has a few small bugfixes
  against previous versions.

  o Directory authority changes:
    - Urras is no longer a directory authority. Closes ticket 19271.

  o Major bugfixes (heartbeat):
    - Fix a regression that would crash Tor when the periodic
      "heartbeat" log messages were disabled. Fixes bug 19454; bugfix on
      0.2.8.1-alpha. Reported by "kubaku".

  o Minor features (build):
    - Tor now again builds with the recent OpenSSL 1.1 development
      branch (tested against 1.1.0-pre6-dev). Closes ticket 19499.
    - When building manual pages, set the timezone to "UTC", so that the
      output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha.
      Patch from intrigeri.

  o Minor bugfixes (fallback directory selection):
    - Avoid errors during fallback selection if there are no eligible
      fallbacks. Fixes bug 19480; bugfix on 0.2.8.3-alpha. Patch
      by teor.

  o Minor bugfixes (IPv6, microdescriptors):
    - Don't check node addresses when we only have a routerstatus. This
      allows IPv6-only clients to bootstrap by fetching microdescriptors
      from fallback directory mirrors. (The microdescriptor consensus
      has no IPv6 addresses in it.) Fixes bug 19608; bugfix
      on 0.2.8.2-alpha.

  o Minor bugfixes (logging):
    - Reduce pointlessly verbose log messages when directory servers
      can't be found. Fixes bug 18849; bugfix on 0.2.8.3-alpha and
      0.2.8.1-alpha. Patch by teor.
    - When a fallback directory changes its fingerprint from the hard-
      coded fingerprint, log a less severe, more explanatory log
      message. Fixes bug 18812; bugfix on 0.2.8.1-alpha. Patch by teor.

  o Minor bugfixes (Linux seccomp2 sandboxing):
    - Allow statistics to be written to disk when "Sandbox 1" is
      enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and
      0.2.6.1-alpha respectively.

  o Minor bugfixes (user interface):
    - Remove a warning message "Service [scrubbed] not found after
      descriptor upload". This message appears when one uses HSPOST
      control command to upload a service descriptor. Since there is
      only a descriptor and no service, showing this message is
      pointless and confusing. Fixes bug 19464; bugfix on 0.2.7.2-alpha.

  o Fallback directory list:
    - Add a comment to the generated fallback directory list that
      explains how to comment out unsuitable fallbacks in a way that's
      compatible with the stem fallback parser.
    - Update fallback whitelist and blacklist based on relay operator
      emails. Blacklist unsuitable (non-working, over-volatile)
      fallbacks. Resolves ticket 19071. Patch by teor.
    - Remove 10 unsuitable fallbacks, leaving 90 of the 100 fallbacks
      originally introduced in Tor 0.2.8.2-alpha in March 2016. Closes
      ticket 19071; patch by teor.


Changes in version 0.2.8.4-rc - 2016-06-15
  Tor 0.2.8.4-rc is the first release candidate in the Tor 0.2.8 series.
  If we find no new bugs or regressions here, the first stable 0.2.8
  release will be identical to it. It has a few small bugfixes against
  previous versions.

  o Major bugfixes (user interface):
    - Correctly give a warning in the cases where a relay is specified
      by nickname, and one such relay is found, but it is not officially
      Named. Fixes bug 19203; bugfix on 0.2.3.1-alpha.

  o Minor features (build):
    - Tor now builds once again with the recent OpenSSL 1.1 development
      branch (tested against 1.1.0-pre5 and 1.1.0-pre6-dev).

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 7 2016 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (compilation):
    - Cause the unit tests to compile correctly on mingw64 versions that
      lack sscanf. Fixes bug 19213; bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (downloading):
    - Predict more correctly whether we'll be downloading over HTTP when
      we determine the maximum length of a URL. This should avoid a
      "BUG" warning about the Squid HTTP proxy and its URL limits. Fixes
      bug 19191.


Changes in version 0.2.8.3-alpha - 2016-05-26
  Tor 0.2.8.3-alpha resolves several bugs, most of them introduced over
  the course of the 0.2.8 development cycle. It improves the behavior of
  directory clients, fixes several crash bugs, fixes a gap in compiler
  hardening, and allows the full integration test suite to run on
  more platforms.

  o Major bugfixes (security, client, DNS proxy):
    - Stop a crash that could occur when a client running with DNSPort
      received a query with multiple address types, and the first
      address type was not supported. Found and fixed by Scott Dial.
      Fixes bug 18710; bugfix on 0.2.5.4-alpha.

  o Major bugfixes (security, compilation):
    - Correctly detect compiler flags on systems where _FORTIFY_SOURCE
      is predefined. Previously, our use of -D_FORTIFY_SOURCE would
      cause a compiler warning, thereby making other checks fail, and
      needlessly disabling compiler-hardening support. Fixes one case of
      bug 18841; bugfix on 0.2.3.17-beta. Patch from "trudokal".

  o Major bugfixes (security, directory authorities):
    - Fix a crash and out-of-bounds write during authority voting, when
      the list of relays includes duplicate ed25519 identity keys. Fixes
      bug 19032; bugfix on 0.2.8.2-alpha.

  o Major bugfixes (client, bootstrapping):
    - Check if bootstrap consensus downloads are still needed when the
      linked connection attaches. This prevents tor making unnecessary
      begindir-style connections, which are the only directory
      connections tor clients make since the fix for 18483 was merged.
    - Fix some edge cases where consensus download connections may not
      have been closed, even though they were not needed. Related to fix
      for 18809.
    - Make relays retry consensus downloads the correct number of times,
      rather than the more aggressive client retry count. Fixes part of
      ticket 18809.
    - Stop downloading consensuses when we have a consensus, even if we
      don't have all the certificates for it yet. Fixes bug 18809;
      bugfix on 0.2.8.1-alpha. Patches by arma and teor.

  o Major bugfixes (directory mirrors):
    - Decide whether to advertise begindir support in the the same way
      we decide whether to advertise our DirPort. Allowing these
      decisions to become out-of-sync led to surprising behavior like
      advertising begindir support when hibernation made us not
      advertise a DirPort. Resolves bug 18616; bugfix on 0.2.8.1-alpha.
      Patch by teor.

  o Major bugfixes (IPv6 bridges, client):
    - Actually use IPv6 addresses when selecting directory addresses for
      IPv6 bridges. Fixes bug 18921; bugfix on 0.2.8.1-alpha. Patch
      by "teor".

  o Major bugfixes (key management):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.

  o Major bugfixes (testing):
    - Fix a bug that would block 'make test-network-all' on systems where
      IPv6 packets were lost. Fixes bug 19008; bugfix on 0.2.7.3-rc.
    - Avoid "WSANOTINITIALISED" warnings in the unit tests. Fixes bug 18668;
      bugfix on 0.2.8.1-alpha.

  o Minor features (clients):
    - Make clients, onion services, and bridge relays always use an
      encrypted begindir connection for directory requests. Resolves
      ticket 18483. Patch by "teor".

  o Minor features (fallback directory mirrors):
    - Give each fallback the same weight for client selection; restrict
      fallbacks to one per operator; report fallback directory detail
      changes when rebuilding list; add new fallback directory mirrors
      to the whitelist; and many other minor simplifications and fixes.
      Closes tasks 17905, 18749, bug 18689, and fixes part of bug 18812 on
      0.2.8.1-alpha; patch by "teor".
    - Replace the 21 fallbacks generated in January 2016 and included in
      Tor 0.2.8.1-alpha, with a list of 100 fallbacks generated in March
      2016. Closes task 17158; patch by "teor".

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 4 2016 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (assert, portability):
    - Fix an assertion failure in memarea.c on systems where "long" is
      shorter than the size of a pointer. Fixes bug 18716; bugfix
      on 0.2.1.1-alpha.

  o Minor bugfixes (bootstrap):
    - Consistently use the consensus download schedule for authority
      certificates. Fixes bug 18816; bugfix on 0.2.4.13-alpha.

  o Minor bugfixes (build):
    - Remove a pair of redundant AM_CONDITIONAL declarations from
      configure.ac. Fixes one final case of bug 17744; bugfix
      on 0.2.8.2-alpha.
    - Resolve warnings when building on systems that are concerned with
      signed char. Fixes bug 18728; bugfix on 0.2.7.2-alpha
      and 0.2.6.1-alpha.
    - When libscrypt.h is found, but no libscrypt library can be linked,
      treat libscrypt as absent. Fixes bug 19161; bugfix
      on 0.2.6.1-alpha.

  o Minor bugfixes (client):
    - Turn all TestingClientBootstrap* into non-testing torrc options.
      This changes simply renames them by removing "Testing" in front of
      them and they do not require TestingTorNetwork to be enabled
      anymore. Fixes bug 18481; bugfix on 0.2.8.1-alpha.
    - Make directory node selection more reliable, mainly for IPv6-only
      clients and clients with few reachable addresses. Fixes bug 18929;
      bugfix on 0.2.8.1-alpha. Patch by "teor".

  o Minor bugfixes (controller, microdescriptors):
    - Make GETINFO dir/status-vote/current/consensus conform to the
      control specification by returning "551 Could not open cached
      consensus..." when not caching consensuses. Fixes bug 18920;
      bugfix on 0.2.2.6-alpha.

  o Minor bugfixes (crypto, portability):
    - The SHA3 and SHAKE routines now produce the correct output on Big
      Endian systems. No code calls either algorithm yet, so this is
      primarily a build fix. Fixes bug 18943; bugfix on 0.2.8.1-alpha.
    - Tor now builds again with the recent OpenSSL 1.1 development
      branch (tested against 1.1.0-pre4 and 1.1.0-pre5-dev). Closes
      ticket 18286.

  o Minor bugfixes (directories):
    - When fetching extrainfo documents, compare their SHA256 digests
      and Ed25519 signing key certificates with the routerinfo that led
      us to fetch them, rather than with the most recent routerinfo.
      Otherwise we generate many spurious warnings about mismatches.
      Fixes bug 17150; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (logging):
    - When we can't generate a signing key because OfflineMasterKey is
      set, do not imply that we should have been able to load it. Fixes
      bug 18133; bugfix on 0.2.7.2-alpha.
    - Stop periodic_event_dispatch() from blasting twelve lines per
      second at loglevel debug. Fixes bug 18729; fix on 0.2.8.1-alpha.
    - When rejecting a misformed INTRODUCE2 cell, only log at
      PROTOCOL_WARN severity. Fixes bug 18761; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (pluggable transports):
    - Avoid reporting a spurious error when we decide that we don't need
      to terminate a pluggable transport because it has already exited.
      Fixes bug 18686; bugfix on 0.2.5.5-alpha.

  o Minor bugfixes (pointer arithmetic):
    - Fix a bug in memarea_alloc() that could have resulted in remote
      heap write access, if Tor had ever passed an unchecked size to
      memarea_alloc(). Fortunately, all the sizes we pass to
      memarea_alloc() are pre-checked to be less than 128 kilobytes.
      Fixes bug 19150; bugfix on 0.2.1.1-alpha. Bug found by
      Guido Vranken.

  o Minor bugfixes (relays):
    - Consider more config options when relays decide whether to
      regenerate their descriptor. Fixes more of bug 12538; bugfix
      on 0.2.8.1-alpha.
    - Resolve some edge cases where we might launch an ORPort
      reachability check even when DisableNetwork is set. Noticed while
      fixing bug 18616; bugfix on 0.2.3.9-alpha.

  o Minor bugfixes (statistics):
    - We now include consensus downloads via IPv6 in our directory-
      request statistics. Fixes bug 18460; bugfix on 0.2.3.14-alpha.

  o Minor bugfixes (testing):
    - Allow directories in small networks to bootstrap by skipping
      DirPort checks when the consensus has no exits. Fixes bug 19003;
      bugfix on 0.2.8.1-alpha. Patch by teor.
    - Fix a small memory leak that would occur when the
      TestingEnableCellStatsEvent option was turned on. Fixes bug 18673;
      bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (time handling):
    - When correcting a corrupt 'struct tm' value, fill in the tm_wday
      field. Otherwise, our unit tests crash on Windows. Fixes bug
      18977; bugfix on 0.2.2.25-alpha.

  o Documentation:
    - Document the contents of the 'datadir/keys' subdirectory in the
      manual page. Closes ticket 17621.
    - Stop recommending use of nicknames to identify relays in our
      MapAddress documentation. Closes ticket 18312.


Changes in version 0.2.8.2-alpha - 2016-03-28
  Tor 0.2.8.2-alpha is the second alpha in its series. It fixes numerous
  bugs in earlier versions of Tor, including some that prevented
  authorities using Tor 0.2.7.x from running correctly. IPv6 and
  directory support should also be much improved.

  o New system requirements:
    - Tor no longer supports versions of OpenSSL with a broken
      implementation of counter mode. (This bug was present in OpenSSL
      1.0.0, and was fixed in OpenSSL 1.0.0a.) Tor still detects, but no
      longer runs with, these versions.
    - Tor no longer attempts to support platforms where the "time_t"
      type is unsigned. (To the best of our knowledge, only OpenVMS does
      this, and Tor has never actually built on OpenVMS.) Closes
      ticket 18184.
    - Tor now uses Autoconf version 2.63 or later, and Automake 1.11 or
      later (released in 2008 and 2009 respectively). If you are
      building Tor from the git repository instead of from the source
      distribution, and your tools are older than this, you will need to
      upgrade. Closes ticket 17732.

  o Major bugfixes (security, pointers):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.

  o Major bugfixes (bridges, pluggable transports):
    - Modify the check for OR connections to private addresses. Allow
      bridges on private addresses, including pluggable transports that
      ignore the (potentially private) address in the bridge line. Fixes
      bug 18517; bugfix on 0.2.8.1-alpha. Reported by gk, patch by teor.

  o Major bugfixes (compilation):
    - Repair hardened builds under the clang compiler. Previously, our
      use of _FORTIFY_SOURCE would conflict with clang's address
      sanitizer. Fixes bug 14821; bugfix on 0.2.5.4-alpha.

  o Major bugfixes (crash on shutdown):
    - Correctly handle detaching circuits from muxes when shutting down.
      Fixes bug 18116; bugfix on 0.2.8.1-alpha.
    - Fix an assert-on-exit bug related to counting memory usage in
      rephist.c. Fixes bug 18651; bugfix on 0.2.8.1-alpha.

  o Major bugfixes (crash on startup):
    - Fix a segfault during startup: If a Unix domain socket was
      configured as listener (such as a ControlSocket or a SocksPort
      "unix:" socket), and tor was started as root but not configured to
      switch to another user, tor would segfault while trying to string
      compare a NULL value. Fixes bug 18261; bugfix on 0.2.8.1-alpha.
      Patch by weasel.

  o Major bugfixes (dns proxy mode, crash):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".

  o Major bugfixes (relays, bridge clients):
    - Ensure relays always allow IPv4 OR and Dir connections. Ensure
      bridge clients use the address configured in the bridge line.
      Fixes bug 18348; bugfix on 0.2.8.1-alpha. Reported by sysrqb,
      patch by teor.

  o Major bugfixes (voting):
    - Actually enable support for authorities to match routers by their
      Ed25519 identities. Previously, the code had been written, but
      some debugging code that had accidentally been left in the
      codebase made it stay turned off. Fixes bug 17702; bugfix
      on 0.2.7.2-alpha.
    - When collating votes by Ed25519 identities, authorities now
      include a "NoEdConsensus" flag if the ed25519 value (or lack
      thereof) for a server does not reflect the majority consensus.
      Related to bug 17668; bugfix on 0.2.7.2-alpha.
    - When generating a vote with keypinning disabled, never include two
      entries for the same ed25519 identity. This bug was causing
      authorities to generate votes that they could not parse when a
      router violated key pinning by changing its RSA identity but
      keeping its Ed25519 identity. Fixes bug 17668; fixes part of bug
      18318. Bugfix on 0.2.7.2-alpha.

  o Minor features (security, win32):
    - Set SO_EXCLUSIVEADDRUSE on Win32 to avoid a local port-stealing
      attack. Fixes bug 18123; bugfix on all tor versions. Patch
      by teor.

  o Minor features (bug-resistance):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.

  o Minor features (build):
    - Detect systems with FreeBSD-derived kernels (such as GNU/kFreeBSD)
      as having possible IPFW support. Closes ticket 18448. Patch from
      Steven Chamberlain.

  o Minor features (code hardening):
    - Use tor_snprintf() and tor_vsnprintf() even in external and low-
      level code, to harden against accidental failures to NUL-
      terminate. Part of ticket 17852. Patch from jsturgix. Found
      with Flawfinder.

  o Minor features (crypto):
    - Validate the hard-coded Diffie-Hellman parameters and ensure that
      p is a safe prime, and g is a suitable generator. Closes
      ticket 18221.

  o Minor features (geoip):
    - Update geoip and geoip6 to the March 3 2016 Maxmind GeoLite2
      Country database.

  o Minor features (hidden service directory):
    - Streamline relay-side hsdir handling: when relays consider whether
      to accept an uploaded hidden service descriptor, they no longer
      check whether they are one of the relays in the network that is
      "supposed" to handle that descriptor. Implements ticket 18332.

  o Minor features (IPv6):
    - Add ClientPreferIPv6DirPort, which is set to 0 by default. If set
      to 1, tor prefers IPv6 directory addresses.
    - Add ClientUseIPv4, which is set to 1 by default. If set to 0, tor
      avoids using IPv4 for client OR and directory connections.
    - Try harder to obey the IP version restrictions "ClientUseIPv4 0",
      "ClientUseIPv6 0", "ClientPreferIPv6ORPort", and
      "ClientPreferIPv6DirPort". Closes ticket 17840; patch by teor.

  o Minor features (linux seccomp2 sandbox):
    - Reject attempts to change our Address with "Sandbox 1" enabled.
      Changing Address with Sandbox turned on would never actually work,
      but previously it would fail in strange and confusing ways. Found
      while fixing 18548.

  o Minor features (robustness):
    - Exit immediately with an error message if the code attempts to use
      Libevent without having initialized it. This should resolve some
      frequently-made mistakes in our unit tests. Closes ticket 18241.

  o Minor features (unix domain sockets):
    - Add a new per-socket option, RelaxDirModeCheck, to allow creating
      Unix domain sockets without checking the permissions on the parent
      directory. (Tor checks permissions by default because some
      operating systems only check permissions on the parent directory.
      However, some operating systems do look at permissions on the
      socket, and tor's default check is unneeded.) Closes ticket 18458.
      Patch by weasel.

  o Minor bugfixes (exit policies, security):
    - Refresh an exit relay's exit policy when interface addresses
      change. Previously, tor only refreshed the exit policy when the
      configured external address changed. Fixes bug 18208; bugfix on
      0.2.7.3-rc. Patch by teor.

  o Minor bugfixes (security, hidden services):
    - Prevent hidden services connecting to client-supplied rendezvous
      addresses that are reserved as internal or multicast. Fixes bug
      8976; bugfix on 0.2.3.21-rc. Patch by dgoulet and teor.

  o Minor bugfixes (build):
    - Do not link the unit tests against both the testing and non-
      testing versions of the static libraries. Fixes bug 18490; bugfix
      on 0.2.7.1-alpha.
    - Avoid spurious failures from configure files related to calling
      exit(0) in TOR_SEARCH_LIBRARY. Fixes bug 18626; bugfix on
      0.2.0.1-alpha. Patch from "cypherpunks".
    - Silence spurious clang-scan warnings in the ed25519_donna code by
      explicitly initializing some objects. Fixes bug 18384; bugfix on
      0.2.7.2-alpha. Patch by teor.

  o Minor bugfixes (client, bootstrap):
    - Count receipt of new microdescriptors as progress towards
      bootstrapping. Previously, with EntryNodes set, Tor might not
      successfully repopulate the guard set on bootstrapping. Fixes bug
      16825; bugfix on 0.2.3.1-alpha.

  o Minor bugfixes (code correctness):
    - Update to the latest version of Trunnel, which tries harder to
      avoid generating code that can invoke memcpy(p,NULL,0). Bug found
      by clang address sanitizer. Fixes bug 18373; bugfix
      on 0.2.7.2-alpha.

  o Minor bugfixes (configuration):
    - Fix a tiny memory leak when parsing a port configuration ending in
      ":auto". Fixes bug 18374; bugfix on 0.2.3.3-alpha.

  o Minor bugfixes (containers):
    - If we somehow attempt to construct a heap with more than
      1073741822 elements, avoid an integer overflow when maintaining
      the heap property. Fixes bug 18296; bugfix on 0.1.2.1-alpha.

  o Minor bugfixes (correctness):
    - Fix a bad memory handling bug that would occur if we had queued a
      cell on a channel's incoming queue. Fortunately, we can't actually
      queue a cell like that as our code is constructed today, but it's
      best to avoid this kind of error, even if there isn't any code
      that triggers it today. Fixes bug 18570; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (directory):
    - When generating a URL for a directory server on an IPv6 address,
      wrap the IPv6 address in square brackets. Fixes bug 18051; bugfix
      on 0.2.3.9-alpha. Patch from Malek.

  o Minor bugfixes (fallback directory mirrors):
    - When requesting extrainfo descriptors from a trusted directory
      server, check whether it is an authority or a fallback directory
      which supports extrainfo descriptors. Fixes bug 18489; bugfix on
      0.2.4.7-alpha. Reported by atagar, patch by teor.

  o Minor bugfixes (hidden service, client):
    - Handle the case where the user makes several fast consecutive
      requests to the same .onion address. Previously, the first six
      requests would each trigger a descriptor fetch, each picking a
      directory (there are 6 overall) and the seventh one would fail
      because no directories were left, thereby triggering a close on
      all current directory connections asking for the hidden service.
      The solution here is to not close the connections if we have
      pending directory fetches. Fixes bug 15937; bugfix
      on 0.2.7.1-alpha.

  o Minor bugfixes (hidden service, control port):
    - Add the onion address to the HS_DESC event for the UPLOADED action
      both on success or failure. It was previously hardcoded with
      UNKNOWN. Fixes bug 16023; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (hidden service, directory):
    - Bridges now refuse "rendezvous2" (hidden service descriptor)
      publish attempts. Suggested by ticket 18332.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Allow the setrlimit syscall, and the prlimit and prlimit64
      syscalls, which some libc implementations use under the hood.
      Fixes bug 15221; bugfix on 0.2.5.1-alpha.
    - Avoid a 10-second delay when starting as a client with "Sandbox 1"
      enabled and no DNS resolvers configured. This should help TAILS
      start up faster. Fixes bug 18548; bugfix on 0.2.5.1-alpha.
    - Fix the sandbox's interoperability with unix domain sockets under
      setuid. Fixes bug 18253; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (logging):
    - When logging information about an unparsable networkstatus vote or
      consensus, do not say "vote" when we mean consensus. Fixes bug
      18368; bugfix on 0.2.0.8-alpha.
    - Scrub service name in "unrecognized service ID" log messages.
      Fixes bug 18600; bugfix on 0.2.4.11-alpha.
    - Downgrade logs and backtraces about IP versions to info-level.
      Only log backtraces once each time tor runs. Assists in diagnosing
      bug 18351; bugfix on 0.2.8.1-alpha. Reported by sysrqb and
      Christian, patch by teor.

  o Minor bugfixes (memory safety):
    - Avoid freeing an uninitialized pointer when opening a socket fails
      in get_interface_addresses_ioctl(). Fixes bug 18454; bugfix on
      0.2.3.11-alpha. Reported by toralf and "cypherpunks", patch
      by teor.
    - Correctly duplicate addresses in get_interface_address6_list().
      Fixes bug 18454; bugfix on 0.2.8.1-alpha. Reported by toralf,
      patch by "cypherpunks".
    - Fix a memory leak in tor-gencert. Fixes part of bug 18672; bugfix
      on 0.2.0.1-alpha.
    - Fix a memory leak in "tor --list-fingerprint". Fixes part of bug
      18672; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (private directory):
    - Prevent a race condition when creating private directories. Fixes
      part of bug 17852; bugfix on 0.0.2pre13. Part of ticket 17852.
      Patch from jsturgix. Found with Flawfinder.

  o Minor bugfixes (test networks, IPv6):
    - Allow internal IPv6 addresses in descriptors in test networks.
      Fixes bug 17153; bugfix on 0.2.3.16-alpha. Patch by teor, reported
      by karsten.

  o Minor bugfixes (testing):
    - We no longer disable assertions in the unit tests when coverage is
      enabled. Instead, we require you to say --disable-asserts-in-tests
      to the configure script if you need assertions disabled in the
      unit tests (for example, if you want to perform branch coverage).
      Fixes bug 18242; bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (time parsing):
    - Avoid overflow in tor_timegm when parsing dates in and after 2038
      on platforms with 32-bit time_t. Fixes bug 18479; bugfix on
      0.0.2pre14. Patch by teor.

  o Minor bugfixes (tor-gencert):
    - Correctly handle the case where an authority operator enters a
      passphrase but sends an EOF before sending a newline. Fixes bug
      17443; bugfix on 0.2.0.20-rc. Found by junglefowl.

  o Code simplification and refactoring:
    - Quote all the string interpolations in configure.ac -- even those
      which we are pretty sure can't contain spaces. Closes ticket
      17744. Patch from zerosion.
    - Remove specialized code for non-inplace AES_CTR. 99% of our AES is
      inplace, so there's no need to have a separate implementation for
      the non-inplace code. Closes ticket 18258. Patch from Malek.
    - Simplify return types for some crypto functions that can't
      actually fail. Patch from Hassan Alsibyani. Closes ticket 18259.

  o Documentation:
    - Change build messages to refer to "Fedora" instead of "Fedora
      Core", and "dnf" instead of "yum". Closes tickets 18459 and 18426.
      Patches from "icanhasaccount" and "cypherpunks".

  o Removed features:
    - We no longer maintain an internal freelist in memarea.c.
      Allocators should be good enough to make this code unnecessary,
      and it's doubtful that it ever had any performance benefit.

  o Testing:
    - Fix several warnings from clang's address sanitizer produced in
      the unit tests.
    - Treat backtrace test failures as expected on FreeBSD until we
      solve bug 17808. Closes ticket 18204.


Changes in version 0.2.8.1-alpha - 2016-02-04
  Tor 0.2.8.1-alpha is the first alpha release in its series. It
  includes numerous small features and bugfixes against previous Tor
  versions, and numerous small infrastructure improvements. The most
  notable features are a set of improvements to the directory subsystem.

  o Major features (security, Linux):
    - When Tor starts as root on Linux and is told to switch user ID, it
      can now retain the capability to bind to low ports. By default,
      Tor will do this only when it's switching user ID and some low
      ports have been configured. You can change this behavior with the
      new option KeepBindCapabilities. Closes ticket 8195.

  o Major features (directory system):
    - When bootstrapping multiple consensus downloads at a time, use the
      first one that starts downloading, and close the rest. This
      reduces failures when authorities or fallback directories are slow
      or down. Together with the code for feature 15775, this feature
      should reduces failures due to fallback churn. Implements ticket
      4483. Patch by "teor". Implements IPv4 portions of proposal 210 by
      "mikeperry" and "teor".
    - Include a trial list of 21 default fallback directories, generated
      in January 2016, based on an opt-in survey of suitable relays.
      Doing this should make clients bootstrap more quickly and reliably,
      and reduce the load on the directory authorities. Closes ticket
      15775. Patch by "teor".
      Candidates identified using an OnionOO script by "weasel", "teor",
      "gsathya", and "karsten".
    - Previously only relays that explicitly opened a directory port
      (DirPort) accepted directory requests from clients. Now all
      relays, with and without a DirPort, accept and serve tunneled
      directory requests that they receive through their ORPort. You can
      disable this behavior using the new DirCache option. Closes
      ticket 12538.

  o Major key updates:
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".

  o Minor features (security, clock):
    - Warn when the system clock appears to move back in time (when the
      state file was last written in the future). Tor doesn't know that
      consensuses have expired if the clock is in the past. Patch by
      "teor". Implements ticket 17188.

  o Minor features (security, exit policies):
    - ExitPolicyRejectPrivate now rejects more private addresses by
      default. Specifically, it now rejects the relay's outbound bind
      addresses (if configured), and the relay's configured port
      addresses (such as ORPort and DirPort). Fixes bug 17027; bugfix on
      0.2.0.11-alpha. Patch by "teor".

  o Minor features (security, memory erasure):
    - Set the unused entries in a smartlist to NULL. This helped catch
      a (harmless) bug, and shouldn't affect performance too much.
      Implements ticket 17026.
    - Use SecureMemoryWipe() function to securely clean memory on
      Windows. Previously we'd use OpenSSL's OPENSSL_cleanse() function.
      Implements feature 17986.
    - Use explicit_bzero or memset_s when present. Previously, we'd use
      OpenSSL's OPENSSL_cleanse() function. Closes ticket 7419; patches
      from <logan@hackers.mu> and <selven@hackers.mu>.
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
      patch by "teor".

  o Minor features (security, RNG):
    - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
      positively are not allowed to fail. Previously we depended on
      internal details of OpenSSL's behavior. Closes ticket 17686.
    - Never use the system entropy output directly for anything besides
      seeding the PRNG. When we want to generate important keys, instead
      of using system entropy directly, we now hash it with the PRNG
      stream. This may help resist certain attacks based on broken OS
      entropy implementations. Closes part of ticket 17694.
    - Use modern system calls (like getentropy() or getrandom()) to
      generate strong entropy on platforms that have them. Closes
      ticket 13696.

  o Minor features (accounting):
    - Added two modes to the AccountingRule option: One for limiting
      only the number of bytes sent ("AccountingRule out"), and one for
      limiting only the number of bytes received ("AccountingRule in").
      Closes ticket 15989; patch from "unixninja92".

  o Minor features (build):
    - Since our build process now uses "make distcheck", we no longer
      force "make dist" to depend on "make check". Closes ticket 17893;
      patch from "cypherpunks."
    - Tor now builds successfully with the recent OpenSSL 1.1
      development branch, and with the latest LibreSSL. Closes tickets
      17549, 17921, and 17984.

  o Minor features (controller):
    - Adds the FallbackDir entries to 'GETINFO config/defaults'. Closes
      tickets 16774 and 17817. Patch by George Tankersley.
    - New 'GETINFO hs/service/desc/id/' command to retrieve a hidden
      service descriptor from a service's local hidden service
      descriptor cache. Closes ticket 14846.
    - Add 'GETINFO exit-policy/reject-private/[default,relay]', so
      controllers can examine the the reject rules added by
      ExitPolicyRejectPrivate. This makes it easier for stem to display
      exit policies.

  o Minor features (crypto):
    - Add SHA512 support to crypto.c. Closes ticket 17663; patch from
      George Tankersley.
    - Add SHA3 and SHAKE support to crypto.c. Closes ticket 17783.
    - When allocating a digest state object, allocate no more space than
      we actually need. Previously, we would allocate as much space as
      the state for the largest algorithm would need. This change saves
      up to 672 bytes per circuit. Closes ticket 17796.
    - Improve performance when hashing non-multiple of 8 sized buffers,
      based on Andrew Moon's public domain SipHash-2-4 implementation.
      Fixes bug 17544; bugfix on 0.2.5.3-alpha.

  o Minor features (directory downloads):
    - Wait for busy authorities and fallback directories to become non-
      busy when bootstrapping. (A similar change was made in 6c443e987d
      for directory caches chosen from the consensus.) Closes ticket
      17864; patch by "teor".
    - Add UseDefaultFallbackDirs, which enables any hard-coded fallback
      directory mirrors. The default is 1; set it to 0 to disable
      fallbacks. Implements ticket 17576. Patch by "teor".

  o Minor features (geoip):
    - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
      Country database.

  o Minor features (IPv6):
    - Add an argument 'ipv6=address:orport' to the DirAuthority an