ReleaseNotes 1005 KB

78778877987808781878287838784878587868787878887898790879187928793879487958796879787988799880088018802880388048805880688078808880988108811881288138814881588168817881888198820882188228823882488258826882788288829883088318832883388348835883688378838883988408841884288438844884588468847884888498850885188528853885488558856885788588859886088618862886388648865886688678868886988708871887288738874887588768877887888798880888188828883888488858886888788888889889088918892889388948895889688978898889989008901890289038904890589068907890889098910891189128913891489158916891789188919892089218922892389248925892689278928892989308931893289338934893589368937893889398940894189428943894489458946894789488949895089518952895389548955895689578958895989608961896289638964896589668967896889698970897189728973897489758976897789788979898089818982898389848985898689878988898989908991899289938994899589968997899889999000900190029003900490059006900790089009901090119012901390149015901690179018901990209021902290239024902590269027902890299030903190329033903490359036903790389039904090419042904390449045904690479048904990509051905290539054905590569057905890599060906190629063906490659066906790689069907090719072907390749075907690779078907990809081908290839084908590869087908890899090909190929093909490959096909790989099910091019102910391049105910691079108910991109111911291139114911591169117911891199120912191229123912491259126912791289129913091319132913391349135913691379138913991409141914291439144914591469147914891499150915191529153915491559156915791589159916091619162916391649165916691679168916991709171917291739174917591769177917891799180918191829183918491859186918791889189919091919192919391949195919691979198919992009201920292039204920592069207920892099210921192129213921492159216921792189219922092219222922392249225922692279228922992309231923292339234923592369237923892399240924192429243924492459246924792489249925092519252925392549255925692579258925992609261926292639264926592669267926892699270927192729273927492759276927
79278927992809281928292839284928592869287928892899290929192929293929492959296929792989299930093019302930393049305930693079308930993109311931293139314931593169317931893199320932193229323932493259326932793289329933093319332933393349335933693379338933993409341934293439344934593469347934893499350935193529353935493559356935793589359936093619362936393649365936693679368936993709371937293739374937593769377937893799380938193829383938493859386938793889389939093919392939393949395939693979398939994009401940294039404940594069407940894099410941194129413941494159416941794189419942094219422942394249425942694279428942994309431943294339434943594369437943894399440944194429443944494459446944794489449945094519452945394549455945694579458945994609461946294639464946594669467946894699470947194729473947494759476947794789479948094819482948394849485948694879488948994909491949294939494949594969497949894999500950195029503950495059506950795089509951095119512951395149515951695179518951995209521952295239524952595269527952895299530953195329533953495359536953795389539954095419542954395449545954695479548954995509551955295539554955595569557955895599560956195629563956495659566956795689569957095719572957395749575957695779578957995809581958295839584958595869587958895899590959195929593959495959596959795989599960096019602960396049605960696079608960996109611961296139614961596169617961896199620962196229623962496259626962796289629963096319632963396349635963696379638963996409641964296439644964596469647964896499650965196529653965496559656965796589659966096619662966396649665966696679668966996709671967296739674967596769677967896799680968196829683968496859686968796889689969096919692969396949695969696979698969997009701970297039704970597069707970897099710971197129713971497159716971797189719972097219722972397249725972697279728972997309731973297339734973597369737973897399740974197429743974497459746974797489749975097519752975397549755975697579758975997609761976297639764976597669767976897699770977197729773977497759776977
79778977997809781978297839784978597869787978897899790979197929793979497959796979797989799980098019802980398049805980698079808980998109811981298139814981598169817981898199820982198229823982498259826982798289829983098319832983398349835983698379838983998409841984298439844984598469847984898499850985198529853985498559856985798589859986098619862986398649865986698679868986998709871987298739874987598769877987898799880988198829883988498859886988798889889989098919892989398949895989698979898989999009901990299039904990599069907990899099910991199129913991499159916991799189919992099219922992399249925992699279928992999309931993299339934993599369937993899399940994199429943994499459946994799489949995099519952995399549955995699579958995999609961996299639964996599669967996899699970997199729973997499759976997799789979998099819982998399849985998699879988998999909991999299939994999599969997999899991000010001100021000310004100051000610007100081000910010100111001210013100141001510016100171001810019100201002110022100231002410025100261002710028100291003010031100321003310034100351003610037100381003910040100411004210043100441004510046100471004810049100501005110052100531005410055100561005710058100591006010061100621006310064100651006610067100681006910070100711007210073100741007510076100771007810079100801008110082100831008410085100861008710088100891009010091100921009310094100951009610097100981009910100101011010210103101041010510106101071010810109101101011110112101131011410115101161011710118101191012010121101221012310124101251012610127101281012910130101311013210133101341013510136101371013810139101401014110142101431014410145101461014710148101491015010151101521015310154101551015610157101581015910160101611016210163101641016510166101671016810169101701017110172101731017410175101761017710178101791018010181101821018310184101851018610187101881018910190101911019210193101941019510196101971019810199102001020110202102031020410205102061020710208102091021010211102121021310214102151021610217102181021910220102211
02221022310224102251022610227102281022910230102311023210233102341023510236102371023810239102401024110242102431024410245102461024710248102491025010251102521025310254102551025610257102581025910260102611026210263102641026510266102671026810269102701027110272102731027410275102761027710278102791028010281102821028310284102851028610287102881028910290102911029210293102941029510296102971029810299103001030110302103031030410305103061030710308103091031010311103121031310314103151031610317103181031910320103211032210323103241032510326103271032810329103301033110332103331033410335103361033710338103391034010341103421034310344103451034610347103481034910350103511035210353103541035510356103571035810359103601036110362103631036410365103661036710368103691037010371103721037310374103751037610377103781037910380103811038210383103841038510386103871038810389103901039110392103931039410395103961039710398103991040010401104021040310404104051040610407104081040910410104111041210413104141041510416104171041810419104201042110422104231042410425104261042710428104291043010431104321043310434104351043610437104381043910440104411044210443104441044510446104471044810449104501045110452104531045410455104561045710458104591046010461104621046310464104651046610467104681046910470104711047210473104741047510476104771047810479104801048110482104831048410485104861048710488104891049010491104921049310494104951049610497104981049910500105011050210503105041050510506105071050810509105101051110512105131051410515105161051710518105191052010521105221052310524105251052610527105281052910530105311053210533105341053510536105371053810539105401054110542105431054410545105461054710548105491055010551105521055310554105551055610557105581055910560105611056210563105641056510566105671056810569105701057110572105731057410575105761057710578105791058010581105821058310584105851058610587105881058910590105911059210593105941059510596105971059810599106001060110602106031060410605106061060710608106091061010611106121061310614106151061610617106181061910620106211
06221062310624106251062610627106281062910630106311063210633106341063510636106371063810639106401064110642106431064410645106461064710648106491065010651106521065310654106551065610657106581065910660106611066210663106641066510666106671066810669106701067110672106731067410675106761067710678106791068010681106821068310684106851068610687106881068910690106911069210693106941069510696106971069810699107001070110702107031070410705107061070710708107091071010711107121071310714107151071610717107181071910720107211072210723107241072510726107271072810729107301073110732107331073410735107361073710738107391074010741107421074310744107451074610747107481074910750107511075210753107541075510756107571075810759107601076110762107631076410765107661076710768107691077010771107721077310774107751077610777107781077910780107811078210783107841078510786107871078810789107901079110792107931079410795107961079710798107991080010801108021080310804108051080610807108081080910810108111081210813108141081510816108171081810819108201082110822108231082410825108261082710828108291083010831108321083310834108351083610837108381083910840108411084210843108441084510846108471084810849108501085110852108531085410855108561085710858108591086010861108621086310864108651086610867108681086910870108711087210873108741087510876108771087810879108801088110882108831088410885108861088710888108891089010891108921089310894108951089610897108981089910900109011090210903109041090510906109071090810909109101091110912109131091410915109161091710918109191092010921109221092310924109251092610927109281092910930109311093210933109341093510936109371093810939109401094110942109431094410945109461094710948109491095010951109521095310954109551095610957109581095910960109611096210963109641096510966109671096810969109701097110972109731097410975109761097710978109791098010981109821098310984109851098610987109881098910990109911099210993109941099510996109971099810999110001100111002110031100411005110061100711008110091101011011110121101311014110151101611017110181101911020110211
10221102311024110251102611027110281102911030110311103211033110341103511036110371103811039110401104111042110431104411045110461104711048110491105011051110521105311054110551105611057110581105911060110611106211063110641106511066110671106811069110701107111072110731107411075110761107711078110791108011081110821108311084110851108611087110881108911090110911109211093110941109511096110971109811099111001110111102111031110411105111061110711108111091111011111111121111311114111151111611117111181111911120111211112211123111241112511126111271112811129111301113111132111331113411135111361113711138111391114011141111421114311144111451114611147111481114911150111511115211153111541115511156111571115811159111601116111162111631116411165111661116711168111691117011171111721117311174111751117611177111781117911180111811118211183111841118511186111871118811189111901119111192111931119411195111961119711198111991120011201112021120311204112051120611207112081120911210112111121211213112141121511216112171121811219112201122111222112231122411225112261122711228112291123011231112321123311234112351123611237112381123911240112411124211243112441124511246112471124811249112501125111252112531125411255112561125711258112591126011261112621126311264112651126611267112681126911270112711127211273112741127511276112771127811279112801128111282112831128411285112861128711288112891129011291112921129311294112951129611297112981129911300113011130211303113041130511306113071130811309113101131111312113131131411315113161131711318113191132011321113221132311324113251132611327113281132911330113311133211333113341133511336113371133811339113401134111342113431134411345113461134711348113491135011351113521135311354113551135611357113581135911360113611136211363113641136511366113671136811369113701137111372113731137411375113761137711378113791138011381113821138311384113851138611387113881138911390113911139211393113941139511396113971139811399114001140111402114031140411405114061140711408114091141011411114121141311414114151141611417114181141911420114211
14221142311424114251142611427114281142911430114311143211433114341143511436114371143811439114401144111442114431144411445114461144711448114491145011451114521145311454114551145611457114581145911460114611146211463114641146511466114671146811469114701147111472114731147411475114761147711478114791148011481114821148311484114851148611487114881148911490114911149211493114941149511496114971149811499115001150111502115031150411505115061150711508115091151011511115121151311514115151151611517115181151911520115211152211523115241152511526115271152811529115301153111532115331153411535115361153711538115391154011541115421154311544115451154611547115481154911550115511155211553115541155511556115571155811559115601156111562115631156411565115661156711568115691157011571115721157311574115751157611577115781157911580115811158211583115841158511586115871158811589115901159111592115931159411595115961159711598115991160011601116021160311604116051160611607116081160911610116111161211613116141161511616116171161811619116201162111622116231162411625116261162711628116291163011631116321163311634116351163611637116381163911640116411164211643116441164511646116471164811649116501165111652116531165411655116561165711658116591166011661116621166311664116651166611667116681166911670116711167211673116741167511676116771167811679116801168111682116831168411685116861168711688116891169011691116921169311694116951169611697116981169911700117011170211703117041170511706117071170811709117101171111712117131171411715117161171711718117191172011721117221172311724117251172611727117281172911730117311173211733117341173511736117371173811739117401174111742117431174411745117461174711748117491175011751117521175311754117551175611757117581175911760117611176211763117641176511766117671176811769117701177111772117731177411775117761177711778117791178011781117821178311784117851178611787117881178911790117911179211793117941179511796117971179811799118001180111802118031180411805118061180711808118091181011811118121181311814118151181611817118181181911820118211
18221182311824118251182611827118281182911830118311183211833118341183511836118371183811839118401184111842118431184411845118461184711848118491185011851118521185311854118551185611857118581185911860118611186211863118641186511866118671186811869118701187111872118731187411875118761187711878118791188011881118821188311884118851188611887118881188911890118911189211893118941189511896118971189811899119001190111902119031190411905119061190711908119091191011911119121191311914119151191611917119181191911920119211192211923119241192511926119271192811929119301193111932119331193411935119361193711938119391194011941119421194311944119451194611947119481194911950119511195211953119541195511956119571195811959119601196111962119631196411965119661196711968119691197011971119721197311974119751197611977119781197911980119811198211983119841198511986119871198811989119901199111992119931199411995119961199711998119991200012001120021200312004120051200612007120081200912010120111201212013120141201512016120171201812019120201202112022120231202412025120261202712028120291203012031120321203312034120351203612037120381203912040120411204212043120441204512046120471204812049120501205112052120531205412055120561205712058120591206012061120621206312064120651206612067120681206912070120711207212073120741207512076120771207812079120801208112082120831208412085120861208712088120891209012091120921209312094120951209612097120981209912100121011210212103121041210512106121071210812109121101211112112121131211412115121161211712118121191212012121121221212312124121251212612127121281212912130121311213212133121341213512136121371213812139121401214112142121431214412145121461214712148121491215012151121521215312154121551215612157121581215912160121611216212163121641216512166121671216812169121701217112172121731217412175121761217712178121791218012181121821218312184121851218612187121881218912190121911219212193121941219512196121971219812199122001220112202122031220412205122061220712208122091221012211122121221312214122151221612217122181221912220122211
22221222312224122251222612227122281222912230122311223212233122341223512236122371223812239122401224112242122431224412245122461224712248122491225012251122521225312254122551225612257122581225912260122611226212263122641226512266122671226812269122701227112272122731227412275122761227712278122791228012281122821228312284122851228612287122881228912290122911229212293122941229512296122971229812299123001230112302123031230412305123061230712308123091231012311123121231312314123151231612317123181231912320123211232212323123241232512326123271232812329123301233112332123331233412335123361233712338123391234012341123421234312344123451234612347123481234912350123511235212353123541235512356123571235812359123601236112362123631236412365123661236712368123691237012371123721237312374123751237612377123781237912380123811238212383123841238512386123871238812389123901239112392123931239412395123961239712398123991240012401124021240312404124051240612407124081240912410124111241212413124141241512416124171241812419124201242112422124231242412425124261242712428124291243012431124321243312434124351243612437124381243912440124411244212443124441244512446124471244812449124501245112452124531245412455124561245712458124591246012461124621246312464124651246612467124681246912470124711247212473124741247512476124771247812479124801248112482124831248412485124861248712488124891249012491124921249312494124951249612497124981249912500125011250212503125041250512506125071250812509125101251112512125131251412515125161251712518125191252012521125221252312524125251252612527125281252912530125311253212533125341253512536125371253812539125401254112542125431254412545125461254712548125491255012551125521255312554125551255612557125581255912560125611256212563125641256512566125671256812569125701257112572125731257412575125761257712578125791258012581125821258312584125851258612587125881258912590125911259212593125941259512596125971259812599126001260112602126031260412605126061260712608126091261012611126121261312614126151261612617126181261912620126211
26221262312624126251262612627126281262912630126311263212633126341263512636126371263812639126401264112642126431264412645126461264712648126491265012651126521265312654126551265612657126581265912660126611266212663126641266512666126671266812669126701267112672126731267412675126761267712678126791268012681126821268312684126851268612687126881268912690126911269212693126941269512696126971269812699127001270112702127031270412705127061270712708127091271012711127121271312714127151271612717127181271912720127211272212723127241272512726127271272812729127301273112732127331273412735127361273712738127391274012741127421274312744127451274612747127481274912750127511275212753127541275512756127571275812759127601276112762127631276412765127661276712768127691277012771127721277312774127751277612777127781277912780127811278212783127841278512786127871278812789127901279112792127931279412795127961279712798127991280012801128021280312804128051280612807128081280912810128111281212813128141281512816128171281812819128201282112822128231282412825128261282712828128291283012831128321283312834128351283612837128381283912840128411284212843128441284512846128471284812849128501285112852128531285412855128561285712858128591286012861128621286312864128651286612867128681286912870128711287212873128741287512876128771287812879128801288112882128831288412885128861288712888128891289012891128921289312894128951289612897128981289912900129011290212903129041290512906129071290812909129101291112912129131291412915129161291712918129191292012921129221292312924129251292612927129281292912930129311293212933129341293512936129371293812939129401294112942129431294412945129461294712948129491295012951129521295312954129551295612957129581295912960129611296212963129641296512966129671296812969129701297112972129731297412975129761297712978129791298012981129821298312984129851298612987129881298912990129911299212993129941299512996129971299812999130001300113002130031300413005130061300713008130091301013011130121301313014130151301613017130181301913020130211
30221302313024130251302613027130281302913030130311303213033130341303513036130371303813039130401304113042130431304413045130461304713048130491305013051130521305313054130551305613057130581305913060130611306213063130641306513066130671306813069130701307113072130731307413075130761307713078130791308013081130821308313084130851308613087130881308913090130911309213093130941309513096130971309813099131001310113102131031310413105131061310713108131091311013111131121311313114131151311613117131181311913120131211312213123131241312513126131271312813129131301313113132131331313413135131361313713138131391314013141131421314313144131451314613147131481314913150131511315213153131541315513156131571315813159131601316113162131631316413165131661316713168131691317013171131721317313174131751317613177131781317913180131811318213183131841318513186131871318813189131901319113192131931319413195131961319713198131991320013201132021320313204132051320613207132081320913210132111321213213132141321513216132171321813219132201322113222132231322413225132261322713228132291323013231132321323313234132351323613237132381323913240132411324213243132441324513246132471324813249132501325113252132531325413255132561325713258132591326013261132621326313264132651326613267132681326913270132711327213273132741327513276132771327813279132801328113282132831328413285132861328713288132891329013291132921329313294132951329613297132981329913300133011330213303133041330513306133071330813309133101331113312133131331413315133161331713318133191332013321133221332313324133251332613327133281332913330133311333213333133341333513336133371333813339133401334113342133431334413345133461334713348133491335013351133521335313354133551335613357133581335913360133611336213363133641336513366133671336813369133701337113372133731337413375133761337713378133791338013381133821338313384133851338613387133881338913390133911339213393133941339513396133971339813399134001340113402134031340413405134061340713408134091341013411134121341313414134151341613417134181341913420134211
34221342313424134251342613427134281342913430134311343213433134341343513436134371343813439134401344113442134431344413445134461344713448134491345013451134521345313454134551345613457134581345913460134611346213463134641346513466134671346813469134701347113472134731347413475134761347713478134791348013481134821348313484134851348613487134881348913490134911349213493134941349513496134971349813499135001350113502135031350413505135061350713508135091351013511135121351313514135151351613517135181351913520135211352213523135241352513526135271352813529135301353113532135331353413535135361353713538135391354013541135421354313544135451354613547135481354913550135511355213553135541355513556135571355813559135601356113562135631356413565135661356713568135691357013571135721357313574135751357613577135781357913580135811358213583135841358513586135871358813589135901359113592135931359413595135961359713598135991360013601136021360313604136051360613607136081360913610136111361213613136141361513616136171361813619136201362113622136231362413625136261362713628136291363013631136321363313634136351363613637136381363913640136411364213643136441364513646136471364813649136501365113652136531365413655136561365713658136591366013661136621366313664136651366613667136681366913670136711367213673136741367513676136771367813679136801368113682136831368413685136861368713688136891369013691136921369313694136951369613697136981369913700137011370213703137041370513706137071370813709137101371113712137131371413715137161371713718137191372013721137221372313724137251372613727137281372913730137311373213733137341373513736137371373813739137401374113742137431374413745137461374713748137491375013751137521375313754137551375613757137581375913760137611376213763137641376513766137671376813769137701377113772137731377413775137761377713778137791378013781137821378313784137851378613787137881378913790137911379213793137941379513796137971379813799138001380113802138031380413805138061380713808138091381013811138121381313814138151381613817138181381913820138211
38221382313824138251382613827138281382913830138311383213833138341383513836138371383813839138401384113842138431384413845138461384713848138491385013851138521385313854138551385613857138581385913860138611386213863138641386513866138671386813869138701387113872138731387413875138761387713878138791388013881138821388313884138851388613887138881388913890138911389213893138941389513896138971389813899139001390113902139031390413905139061390713908139091391013911139121391313914139151391613917139181391913920139211392213923139241392513926139271392813929139301393113932139331393413935139361393713938139391394013941139421394313944139451394613947139481394913950139511395213953139541395513956139571395813959139601396113962139631396413965139661396713968139691397013971139721397313974139751397613977139781397913980139811398213983139841398513986139871398813989139901399113992139931399413995139961399713998139991400014001140021400314004140051400614007140081400914010140111401214013140141401514016140171401814019140201402114022140231402414025140261402714028140291403014031140321403314034140351403614037140381403914040140411404214043140441404514046140471404814049140501405114052140531405414055140561405714058140591406014061140621406314064140651406614067140681406914070140711407214073140741407514076140771407814079140801408114082140831408414085140861408714088140891409014091140921409314094140951409614097140981409914100141011410214103141041410514106141071410814109141101411114112141131411414115141161411714118141191412014121141221412314124141251412614127141281412914130141311413214133141341413514136141371413814139141401414114142141431414414145141461414714148141491415014151141521415314154141551415614157141581415914160141611416214163141641416514166141671416814169141701417114172141731417414175141761417714178141791418014181141821418314184141851418614187141881418914190141911419214193141941419514196141971419814199142001420114202142031420414205142061420714208142091421014211142121421314214142151421614217142181421914220142211
42221422314224142251422614227142281422914230142311423214233142341423514236142371423814239142401424114242142431424414245142461424714248142491425014251142521425314254142551425614257142581425914260142611426214263142641426514266142671426814269142701427114272142731427414275142761427714278142791428014281142821428314284142851428614287142881428914290142911429214293142941429514296142971429814299143001430114302143031430414305143061430714308143091431014311143121431314314143151431614317143181431914320143211432214323143241432514326143271432814329143301433114332143331433414335143361433714338143391434014341143421434314344143451434614347143481434914350143511435214353143541435514356143571435814359143601436114362143631436414365143661436714368143691437014371143721437314374143751437614377143781437914380143811438214383143841438514386143871438814389143901439114392143931439414395143961439714398143991440014401144021440314404144051440614407144081440914410144111441214413144141441514416144171441814419144201442114422144231442414425144261442714428144291443014431144321443314434144351443614437144381443914440144411444214443144441444514446144471444814449144501445114452144531445414455144561445714458144591446014461144621446314464144651446614467144681446914470144711447214473144741447514476144771447814479144801448114482144831448414485144861448714488144891449014491144921449314494144951449614497144981449914500145011450214503145041450514506145071450814509145101451114512145131451414515145161451714518145191452014521145221452314524145251452614527145281452914530145311453214533145341453514536145371453814539145401454114542145431454414545145461454714548145491455014551145521455314554145551455614557145581455914560145611456214563145641456514566145671456814569145701457114572145731457414575145761457714578145791458014581145821458314584145851458614587145881458914590145911459214593145941459514596145971459814599146001460114602146031460414605146061460714608146091461014611146121461314614146151461614617146181461914620146211
This document summarizes new features and bugfixes in each stable
release of Tor. If you want to see more detailed descriptions of the
changes in each development snapshot, see the ChangeLog file.

Changes in version 0.3.3.8 - 2018-07-09
  Tor 0.3.3.8 backports several changes from the 0.3.4.x series, including
  fixes for a memory leak affecting directory authorities.

  o Major bugfixes (directory authority, backport from 0.3.4.3-alpha):
    - Stop leaking memory on directory authorities when planning to
      vote. This bug was crashing authorities by exhausting their
      memory. Fixes bug 26435; bugfix on 0.3.3.6.

  o Major bugfixes (rust, testing, backport from 0.3.4.3-alpha):
    - Make sure that failing tests in Rust will actually cause the build
      to fail: previously, they were ignored. Fixes bug 26258; bugfix
      on 0.3.3.4-alpha.

  o Minor features (compilation, backport from 0.3.4.4-rc):
    - When building Tor, prefer to use Python 3 over Python 2, and more
      recent (contemplated) versions over older ones. Closes
      ticket 26372.

  o Minor features (geoip):
    - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
      Country database. Closes ticket 26674.

  o Minor features (relay, diagnostic, backport from 0.3.4.3-alpha):
    - Add several checks to detect whether Tor relays are uploading
      their descriptors without specifying why they regenerated them.
      Diagnostic for ticket 25686.

  o Minor bugfixes (circuit path selection, backport from 0.3.4.1-alpha):
    - Don't count path selection failures as circuit build failures.
      This change should eliminate cases where Tor blames its guard or
      the network for situations like insufficient microdescriptors
      and/or overly restrictive torrc settings. Fixes bug 25705; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.4.4-rc):
    - Fix a compilation warning on some versions of GCC when building
      code that calls routerinfo_get_my_routerinfo() twice, assuming
      that the second call will succeed if the first one did. Fixes bug
      26269; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (control port, backport from 0.3.4.4-rc):
    - Handle the HSADDRESS= argument to the HSPOST command properly.
      (Previously, this argument was misparsed and thus ignored.) Fixes
      bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran".

  o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc):
    - Fix a number of small memory leaks identified by coverity. Fixes
      bug 26467; bugfix on numerous Tor versions.

  o Minor bugfixes (relay, backport from 0.3.4.3-alpha):
    - Relays now correctly block attempts to re-extend to the previous
      relay by Ed25519 identity. Previously they would warn in this
      case, but not actually reject the attempt. Fixes bug 26158; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (restart-in-process, backport from 0.3.4.1-alpha):
    - When shutting down, Tor now clears all the flags in the control.c
      module. This should prevent a bug where authentication cookies are
      not generated on restart. Fixes bug 25512; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc):
    - When running the hs_ntor_ref.py test, make sure only to pass
      strings (rather than "bytes" objects) to the Python subprocess
      module. Python 3 on Windows seems to require this. Fixes bug
      26535; bugfix on 0.3.1.1-alpha.
    - When running the ntor_ref.py test, make sure only to pass strings
      (rather than "bytes" objects) to the Python subprocess module.
      Python 3 on Windows seems to require this. Fixes bug 26535; bugfix
      on 0.2.5.5-alpha.

Changes in version 0.3.3.7 - 2018-06-12
  Tor 0.3.3.7 backports several changes from the 0.3.4.x series, including
  fixes for bugs affecting compatibility and stability.

  o Directory authority changes:
    - Add an IPv6 address for the "dannenberg" directory authority.
      Closes ticket 26343.

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 26351.

  o Minor bugfixes (compatibility, openssl, backport from 0.3.4.2-alpha):
    - Work around a change in OpenSSL 1.1.1 where return values that
      would previously indicate "no password" now indicate an empty
      password. Without this workaround, Tor instances running with
      OpenSSL 1.1.1 would accept descriptors that other Tor instances
      would reject. Fixes bug 26116; bugfix on 0.2.5.16.

  o Minor bugfixes (compilation, backport from 0.3.4.2-alpha):
    - Silence unused-const-variable warnings in zstd.h with some GCC
      versions. Fixes bug 26272; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (controller, backport from 0.3.4.2-alpha):
    - Improve accuracy of the BUILDTIMEOUT_SET control port event's
      TIMEOUT_RATE and CLOSE_RATE fields. (We were previously
      miscounting the total number of circuits for these field values.)
      Fixes bug 26121; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (hardening, backport from 0.3.4.2-alpha):
    - Prevent a possible out-of-bounds smartlist read in
      protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (path selection, backport from 0.3.4.1-alpha):
    - Only select relays when they have the descriptors we prefer to use
      for them. This change fixes a bug where we could select a relay
      because it had _some_ descriptor, but reject it later with a
      nonfatal assertion error because it didn't have the exact one we
      wanted. Fixes bugs 25691 and 25692; bugfix on 0.3.3.4-alpha.

Changes in version 0.3.3.6 - 2018-05-22
  Tor 0.3.3.6 is the first stable release in the 0.3.3 series. It
  backports several important fixes from the 0.3.4.1-alpha.

  The Tor 0.3.3 series includes controller support and other
  improvements for v3 onion services, official support for embedding Tor
  within other applications, and our first non-trivial module written in
  the Rust programming language. (Rust is still not enabled by default
  when building Tor.) And as usual, there are numerous other smaller
  bugfixes, features, and improvements.

  Below are the changes since 0.3.2.10. For a list of only the changes
  since 0.3.3.5-rc, see the ChangeLog file.

  o New system requirements:
    - When built with Rust, Tor now depends on version 0.2.39 of the
      libc crate. Closes tickets 25310 and 25664.

  o Major features (embedding):
    - There is now a documented stable API for programs that need to
      embed Tor. See tor_api.h for full documentation and known bugs.
      Closes ticket 23684.
    - Tor now has support for restarting in the same process.
      Controllers that run Tor using the "tor_api.h" interface can now
      restart Tor after Tor has exited. This support is incomplete,
      however: we fixed crash bugs that prevented it from working at
      all, but many bugs probably remain, including a possibility of
      security issues. Implements ticket 24581.

  o Major features (IPv6, directory documents):
    - Add consensus method 27, which adds IPv6 ORPorts to the microdesc
      consensus. This information makes it easier for IPv6 clients to
      bootstrap and choose reachable entry guards. Implements
      ticket 23826.
    - Add consensus method 28, which removes IPv6 ORPorts from
      microdescriptors. Now that the consensus contains IPv6 ORPorts,
      they are redundant in microdescs. This change will be used by Tor
      clients on 0.2.8.x and later. (That is to say, with all Tor
      clients that have IPv6 bootstrap and guard support.) Implements
      ticket 23828.
    - Expand the documentation for AuthDirHasIPv6Connectivity when it is
      set by different numbers of authorities. Fixes 23870
      on 0.2.4.1-alpha.

  o Major features (onion service v3, control port):
    - The control port now supports commands and events for v3 onion
      services. It is now possible to create ephemeral v3 services using
      ADD_ONION. Additionally, several events (HS_DESC, HS_DESC_CONTENT,
      CIRC and CIRC_MINOR) and commands (GETINFO, HSPOST, ADD_ONION and
      DEL_ONION) have been extended to support v3 onion services. Closes
      ticket 20699; implements proposal 284.

  o Major features (onion services):
    - Provide torrc options to pin the second and third hops of onion
      service circuits to a list of nodes. The option HSLayer2Guards
      pins the second hop, and the option HSLayer3Guards pins the third
      hop. These options are for use in conjunction with experiments
      with "vanguards" for preventing guard enumeration attacks. Closes
      ticket 13837.
    - When v3 onion service clients send introduce cells, they now
      include the IPv6 address of the rendezvous point, if it has one.
      Current v3 onion services running 0.3.2 ignore IPv6 addresses, but
      in future Tor versions, IPv6-only v3 single onion services will be
      able to use IPv6 addresses to connect directly to the rendezvous
      point. Closes ticket 23577. Patch by Neel Chauhan.

  o Major features (relay):
    - Implement an option, ReducedExitPolicy, to allow a Tor exit relay
      operator to use a more reasonable ("reduced") exit policy, rather
      than the default one. If you want to run an exit node without
      thinking too hard about which ports to allow, this one is for you.
      Closes ticket 13605. Patch from Neel Chauhan.

  o Major features (rust, portability, experimental):
    - Tor now ships with an optional implementation of one of its
      smaller modules (protover.c) in the Rust programming language. To
      try it out, install a Rust build environment, and configure Tor
      with "--enable-rust --enable-cargo-online-mode". This should not
      cause any user-visible changes, but should help us gain more
      experience with Rust, and plan future Rust integration work.
      Implementation by Chelsea Komlo. Closes ticket 22840.

  o Major bugfixes (directory authorities, security, backport from 0.3.4.1-alpha):
    - When directory authorities read a zero-byte bandwidth file, they
      would previously log a warning with the contents of an
      uninitialised buffer. They now log a warning about the empty file
      instead. Fixes bug 26007; bugfix on 0.2.2.1-alpha.

  o Major bugfixes (security, directory authority, denial-of-service):
    - Fix a bug that could have allowed an attacker to force a directory
      authority to use up all its RAM by passing it a maliciously
      crafted protocol versions string. Fixes bug 25517; bugfix on
      0.2.9.4-alpha. This issue is also tracked as TROVE-2018-005.

  o Major bugfixes (crash, backport from 0.3.4.1-alpha):
    - Avoid a rare assertion failure in the circuit build timeout code
      if we fail to allow any circuits to actually complete. Fixes bug
      25733; bugfix on 0.2.2.2-alpha.

  o Major bugfixes (netflow padding):
    - Stop adding unneeded channel padding right after we finish
      flushing to a connection that has been trying to flush for many
      seconds. Instead, treat all partial or complete flushes as
      activity on the channel, which will defer the time until we need
      to add padding. This fix should resolve confusing and scary log
      messages like "Channel padding timeout scheduled 221453ms in the
      past." Fixes bug 22212; bugfix on 0.3.1.1-alpha.

  o Major bugfixes (networking):
    - Tor will no longer reject IPv6 address strings from Tor Browser
      when they are passed as hostnames in SOCKS5 requests. Fixes bug
      25036, bugfix on Tor 0.3.1.2.

  o Major bugfixes (onion service, backport from 0.3.4.1-alpha):
    - Correctly detect when onion services get disabled after HUP. Fixes
      bug 25761; bugfix on 0.3.2.1.

  o Major bugfixes (performance, load balancing):
    - Directory authorities no longer vote in favor of the Guard flag
      for relays without directory support. Starting in Tor
      0.3.0.1-alpha, clients have been avoiding using such relays in the
      Guard position, leading to increasingly broken load balancing for
      the 5%-or-so of Guards that don't advertise directory support.
      Fixes bug 22310; bugfix on 0.3.0.6.

  o Major bugfixes (relay):
    - If we have failed to connect to a relay and received a connection
      refused, timeout, or similar error (at the TCP level), do not try
      that same address/port again for 60 seconds after the failure has
      occurred. Fixes bug 24767; bugfix on 0.0.6.

  o Major bugfixes (relay, denial of service, backport from 0.3.4.1-alpha):
    - Impose a limit on circuit cell queue size. The limit can be
      controlled by a consensus parameter. Fixes bug 25226; bugfix
      on 0.2.4.14-alpha.
  211. o Minor features (cleanup):
  212. - Tor now deletes the CookieAuthFile and ExtORPortCookieAuthFile
  213. when it stops. Closes ticket 23271.
  214. o Minor features (compatibility, backport from 0.3.4.1-alpha):
  215. - Avoid some compilation warnings with recent versions of LibreSSL.
  216. Closes ticket 26006.
  217. o Minor features (config options):
  218. - Change the way the default value for MaxMemInQueues is calculated.
  219. We now use 40% of the hardware RAM if the system has 8 GB RAM or
  220. more. Otherwise we use the former value of 75%. Closes
  221. ticket 24782.
  222. o Minor features (continuous integration):
  223. - Update the Travis CI configuration to use the stable Rust channel,
  224. now that we have decided to require that. Closes ticket 25714.
  225. o Minor features (continuous integration, backport from 0.3.4.1-alpha):
  226. - Our .travis.yml configuration now includes support for testing the
  227. results of "make distcheck". (It's not uncommon for "make check"
  228. to pass but "make distcheck" to fail.) Closes ticket 25814.
  229. - Our Travis CI configuration now integrates with the Coveralls
  230. coverage analysis tool. Closes ticket 25818.
  231. o Minor features (defensive programming):
  232. - Most of the functions in Tor that free objects have been replaced
  233. with macros that free the objects and set the corresponding
  234. pointers to NULL. This change should help prevent a large class of
  235. dangling pointer bugs. Closes ticket 24337.
  236. - Where possible, the tor_free() macro now only evaluates its input
  237. once. Part of ticket 24337.
  238. - Check that microdesc ed25519 ids are non-zero in
  239. node_get_ed25519_id() before returning them. Implements ticket
  240. 24001, patch by "aruna1234".
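
The free-and-NULL pattern described in the two tor_free() items above, as an added example (not Tor's source code). The names session_t, NAIVE_FREE and FREE_ONCE are hypothetical. It contrasts a macro that evaluates its argument twice with one that evaluates it once.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical object type used only for this illustration. */
typedef struct session_t {
  unsigned char *key;
  size_t key_len;
} session_t;

static session_t *
session_new(size_t key_len)
{
  session_t *s = calloc(1, sizeof(*s));
  if (!s)
    return NULL;
  s->key = calloc(1, key_len);
  if (!s->key) {
    free(s);
    return NULL;
  }
  s->key_len = key_len;
  return s;
}

/* The function that does the real work. It accepts NULL, like free(). */
static void
session_free_(session_t *s)
{
  if (!s)
    return;
  free(s->key);
  free(s);
}

/* Naive form: the argument expression appears twice, so any side effect
 * in it (such as i++) runs twice and the wrong slot gets cleared. */
#define NAIVE_FREE(freefn, p) \
  do { freefn(p); (p) = NULL; } while (0)

/* Single-evaluation form: take the address of the argument once, then
 * free and clear through that address. */
#define FREE_ONCE(type, freefn, p)   \
  do {                               \
    type **slot_tmp_ = &(p);         \
    freefn(*slot_tmp_);              \
    *slot_tmp_ = NULL;               \
  } while (0)

/* Callers use this wrapper instead of calling session_free_() directly. */
#define session_free(s) FREE_ONCE(session_t, session_free_, s)

/* A second free of the same variable is a harmless no-op, because the
 * first call left the pointer NULL. Returns 1 on the expected outcome. */
int
demo_second_free_is_harmless(void)
{
  session_t *s = session_new(32);
  if (!s)
    return -1;
  session_free(s);
  session_free(s);
  return s == NULL;
}

/* With FREE_ONCE, slots[i++] is evaluated once: slot 0 is freed and
 * cleared, slot 1 is untouched, and i advances by one. */
int
demo_free_once_side_effects(void)
{
  session_t *slots[2] = { session_new(32), session_new(32) };
  size_t i = 0;
  int ok;
  session_free(slots[i++]);
  ok = (i == 1 && slots[0] == NULL && slots[1] != NULL);
  session_free(slots[1]);
  return ok;
}

/* With NAIVE_FREE, slots[i++] is evaluated twice: slot 0 is freed but
 * left dangling, slot 1 is cleared without being freed, and i ends at 2. */
int
demo_naive_side_effects(void)
{
  session_t *slots[2] = { session_new(32), session_new(32) };
  session_t *second = slots[1]; /* keep a copy so the demo can clean up */
  size_t i = 0;
  int wrong;
  NAIVE_FREE(session_free_, slots[i++]);
  wrong = (i == 2 && slots[1] == NULL);
  session_free_(second);
  return wrong;
}
```
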
  241. o Minor features (directory authority):
  242. - When directory authorities are unable to add signatures to a
  243. pending consensus, log the reason why. Closes ticket 24849.
  244. o Minor features (embedding):
  245. - Tor can now start with a preauthenticated control connection
  246. created by the process that launched it. This feature is meant for
  247. use by programs that want to launch and manage a Tor process
  248. without allowing other programs to manage it as well. For more
  249. information, see the __OwningControllerFD option documented in
  250. control-spec.txt. Closes ticket 23900.
  251. - On most errors that would cause Tor to exit, it now tries to
  252. return from the tor_main() function, rather than calling the
  253. system exit() function. Most users won't notice a difference here,
  254. but it should be significant for programs that run Tor inside a
  255. separate thread: they should now be able to survive Tor's exit
  256. conditions rather than having Tor shut down the entire process.
  257. Closes ticket 23848.
  258. - Applications that want to embed Tor can now tell Tor not to
  259. register any of its own POSIX signal handlers, using the
  260. __DisableSignalHandlers option. Closes ticket 24588.
  261. o Minor features (fallback directory list):
  262. - Avoid selecting fallbacks that change their IP addresses too
  263. often. Select more fallbacks by ignoring the Guard flag, and
  264. allowing lower cutoffs for the Running and V2Dir flags. Also allow
  265. a lower bandwidth, and a higher number of fallbacks per operator
  266. (5% of the list). Implements ticket 24785.
  267. - Update the fallback whitelist and blacklist based on opt-ins and
  268. relay changes. Closes tickets 22321, 24678, 22527, 24135,
  269. and 24695.
  270. o Minor features (fallback directory mirror configuration):
  271. - Add a nickname to each fallback in a C comment. This makes it
  272. easier for operators to find their relays, and allows stem to use
  273. nicknames to identify fallbacks. Implements ticket 24600.
  274. - Add a type and version header to the fallback directory mirror
  275. file. Also add a delimiter to the end of each fallback entry. This
  276. helps external parsers like stem and Relay Search. Implements
  277. ticket 24725.
  278. - Add an extrainfo cache flag for each fallback in a C comment. This
  279. allows stem to use fallbacks to fetch extra-info documents, rather
  280. than using authorities. Implements ticket 22759.
  281. - Add the generateFallbackDirLine.py script for automatically
  282. generating fallback directory mirror lines from relay fingerprints.
  283. No more typos! Add the lookupFallbackDirContact.py script for
  284. automatically looking up operator contact info from relay
  285. fingerprints. Implements ticket 24706, patch by teor and atagar.
  286. - Reject any fallback directory mirror that serves an expired
  287. consensus. Implements ticket 20942, patch by "minik".
  288. - Remove commas and equals signs from external string inputs to the
  289. fallback list. This avoids format confusion attacks. Implements
  290. ticket 24726.
  291. - Remove the "weight=10" line from fallback directory mirror
  292. entries. Ticket 24681 will maintain the current fallback weights
  293. by changing Tor's default fallback weight to 10. Implements
  294. ticket 24679.
  295. - Stop logging excessive information about fallback netblocks.
  296. Implements ticket 24791.
  297. o Minor features (forward-compatibility):
  298. - If a relay supports some link authentication protocol that we do
  299. not recognize, then include that relay's ed25519 key when telling
  300. other relays to extend to it. Previously, we treated future
  301. versions as if they were too old to support ed25519 link
  302. authentication. Closes ticket 20895.
  303. o Minor features (geoip):
  304. - Update geoip and geoip6 to the May 1 2018 Maxmind GeoLite2 Country
  305. database. Closes ticket 26104.
  306. o Minor features (heartbeat):
  307. - Add onion service information to our heartbeat logs, displaying
  308. stats about the activity of configured onion services. Closes
  309. ticket 24896.
  310. o Minor features (instrumentation, development):
  311. - Add the MainloopStats option to allow developers to get
  312. instrumentation information from the main event loop via the
  313. heartbeat messages. We hope to use this to improve Tor's behavior
  314. when it's trying to sleep. Closes ticket 24605.
  315. o Minor features (IPv6):
  316. - Make IPv6-only clients wait for microdescs for relays, even if we
  317. were previously using descriptors (or were using them as a bridge)
  318. and have a cached descriptor for them. Implements ticket 23827.
  319. - When a consensus has IPv6 ORPorts, make IPv6-only clients use
  320. them, rather than waiting to download microdescriptors. Implements
  321. ticket 23827.
  322. o Minor features (log messages):
  323. - Improve log message in the out-of-memory handler to include
  324. information about memory usage from the different compression
  325. backends. Closes ticket 25372.
  326. - Improve a warning message that happens when we fail to re-parse an
  327. old router because of an expired certificate. Closes ticket 20020.
  328. - Make the log more quantitative when we hit the MaxMemInQueues
  329. threshold, exposing some values. Closes ticket 24501.
  330. o Minor features (logging):
  331. - Clarify the log messages produced when getrandom() or a related
  332. entropy-generation mechanism gives an error. Closes ticket 25120.
  333. - Added support for the Android logging subsystem. Closes
  334. ticket 24362.
  335. o Minor features (performance):
  336. - Support predictive circuit building for onion service circuits
  337. with multiple layers of guards. Closes ticket 23101.
  338. - Use stdatomic.h where available, rather than mutexes, to implement
  339. atomic_counter_t. Closes ticket 23953.
  340. o Minor features (performance, 32-bit):
  341. - Improve performance on 32-bit systems by avoiding 64-bit division
  342. when calculating the timestamp in milliseconds for channel padding
  343. computations. Implements ticket 24613.
  344. - Improve performance on 32-bit systems by avoiding 64-bit division
  345. when timestamping cells and buffer chunks for OOM calculations.
  346. Implements ticket 24374.
  347. o Minor features (performance, OSX, iOS):
  348. - Use the mach_approximate_time() function (when available) to
  349. implement coarse monotonic time. Having a coarse time function
  350. should avoid a large number of system calls, and improve
  351. performance slightly, especially under load. Closes ticket 24427.
  352. o Minor features (performance, windows):
  353. - Improve performance on Windows Vista and Windows 7 by adjusting
  354. TCP send window size according to the recommendation from
  355. SIO_IDEAL_SEND_BACKLOG_QUERY. Closes ticket 22798. Patch
  356. from Vort.
  357. o Minor features (sandbox):
  358. - Explicitly permit the poll() system call when the Linux
  359. seccomp2-based sandbox is enabled: apparently, some versions of
  360. libc use poll() when calling getpwnam(). Closes ticket 25313.
  361. o Minor features (storage, configuration):
  362. - Users can store cached directory documents somewhere other than
  363. the DataDirectory by using the CacheDirectory option. Similarly,
  364. the storage location for relay's keys can be overridden with the
  365. KeyDirectory option. Closes ticket 22703.
  366. o Minor features (testing):
  367. - Add a "make test-rust" target to run the rust tests only. Closes
  368. ticket 25071.
  369. o Minor features (testing, debugging, embedding):
  370. - For development purposes, Tor now has a mode in which it runs for
  371. a few seconds, then stops, and starts again without exiting the
  372. process. This mode is meant to help us debug various issues with
  373. ticket 23847. To use this feature, compile with
  374. --enable-restart-debugging, and set the TOR_DEBUG_RESTART
  375. environment variable. This is expected to crash a lot, and is
  376. really meant for developers only. It will likely be removed in a
  377. future release. Implements ticket 24583.
  378. o Minor bugfixes (build, rust):
  379. - Fix output of autoconf checks to display success messages for Rust
  380. dependencies and a suitable rustc compiler version. Fixes bug
  381. 24612; bugfix on 0.3.1.3-alpha.
  382. - Don't pass the --quiet option to cargo: it seems to suppress some
  383. errors, which is not what we want to do when building. Fixes bug
  384. 24518; bugfix on 0.3.1.7.
  385. - Build correctly when building from outside Tor's source tree with
  386. the TOR_RUST_DEPENDENCIES option set. Fixes bug 22768; bugfix
  387. on 0.3.1.7.
  388. o Minor bugfixes (C correctness):
  389. - Fix a very unlikely (impossible, we believe) null pointer
  390. dereference. Fixes bug 25629; bugfix on 0.2.9.15. Found by
  391. Coverity; this is CID 1430932.
  392. o Minor bugfixes (channel, client):
  393. - Better identify client connection when reporting to the geoip
  394. client cache. Fixes bug 24904; bugfix on 0.3.1.7.
  395. o Minor bugfixes (circuit, cannibalization):
  396. - Don't cannibalize preemptively-built circuits if we no longer
  397. recognize their first hop. This situation can happen if our Guard
  398. relay went off the consensus after the circuit was created. Fixes
  399. bug 24469; bugfix on 0.0.6.
  400. o Minor bugfixes (client, backport from 0.3.4.1-alpha):
  401. - Don't consider Tor running as a client if the ControlPort is open,
  402. but no actual client ports are open. Fixes bug 26062; bugfix
  403. on 0.2.9.4-alpha.
  404. o Minor bugfixes (compilation):
  405. - Fix a C99 compliance issue in our configuration script that caused
  406. compilation issues when compiling Tor with certain versions of
  407. xtools. Fixes bug 25474; bugfix on 0.3.2.5-alpha.
  408. o Minor bugfixes (controller):
  409. - Restore the correct operation of the RESOLVE command, which had
  410. been broken since we added the ability to enable/disable DNS on
  411. specific listener ports. Fixes bug 25617; bugfix on 0.2.9.3-alpha.
  412. - Avoid a (nonfatal) assertion failure when extending a one-hop
  413. circuit from the controller to become a multihop circuit. Fixes
  414. bug 24903; bugfix on 0.2.5.2-alpha.
  415. o Minor bugfixes (correctness):
  416. - Remove a nonworking, unnecessary check to see whether a circuit
  417. hop's identity digest was set when the circuit failed. Fixes bug
  418. 24927; bugfix on 0.2.4.4-alpha.
  419. o Minor bugfixes (correctness, client, backport from 0.3.4.1-alpha):
  420. - Upon receiving a malformed connected cell, stop processing the
  421. cell immediately. Previously we would mark the connection for
  422. close, but continue processing the cell as if the connection were
  423. open. Fixes bug 26072; bugfix on 0.2.4.7-alpha.
  424. o Minor bugfixes (directory authorities, IPv6):
  425. - When creating a routerstatus (vote) from a routerinfo (descriptor),
  426. set the IPv6 address to the unspecified IPv6 address, and
  427. explicitly initialize the port to zero. Fixes bug 24488; bugfix
  428. on 0.2.4.1-alpha.
  429. o Minor bugfixes (documentation):
  430. - Document that the PerConnBW{Rate,Burst} options will fall back to
  431. their corresponding consensus parameters only if those parameters
  432. are set. Previously we had claimed that these values would always
  433. be set in the consensus. Fixes bug 25296; bugfix on 0.2.2.7-alpha.
  434. o Minor bugfixes (documentation, backport from 0.3.4.1-alpha):
  435. - Stop saying in the manual that clients cache ipv4 dns answers from
  436. exit relays. We haven't used them since 0.2.6.3-alpha, and in
  437. ticket 24050 we stopped even caching them as of 0.3.2.6-alpha, but
  438. we forgot to say so in the man page. Fixes bug 26052; bugfix
  439. on 0.3.2.6-alpha.
  440. o Minor bugfixes (exit relay DNS retries):
  441. - Re-attempt timed-out DNS queries 3 times before failure, since our
  442. timeout is 5 seconds for them, but clients wait 10-15. Also allow
  443. slightly more timeouts per resolver when an exit has multiple
  444. resolvers configured. Fixes bug 21394; bugfix on 0.3.1.9.
  445. o Minor bugfixes (fallback directory mirrors):
  446. - Make updateFallbackDirs.py search harder for python. (Some OSs
  447. don't put it in /usr/bin.) Fixes bug 24708; bugfix
  448. on 0.2.8.1-alpha.
  449. o Minor bugfixes (hibernation, bandwidth accounting, shutdown):
  450. - When hibernating, close connections normally and allow them to
  451. flush. Fixes bug 23571; bugfix on 0.2.4.7-alpha. Also fixes
  452. bug 7267.
  453. - Do not attempt to launch self-reachability tests when entering
  454. hibernation. Fixes a case of bug 12062; bugfix on 0.0.9pre5.
  455. - Resolve several bugs related to descriptor fetching on bridge
  456. clients with bandwidth accounting enabled. (This combination is
  457. not recommended!) Fixes a case of bug 12062; bugfix
  458. on 0.2.0.3-alpha.
  459. - When hibernating, do not attempt to launch DNS checks. Fixes a
  460. case of bug 12062; bugfix on 0.1.2.2-alpha.
  461. - When hibernating, do not try to upload or download descriptors.
  462. Fixes a case of bug 12062; bugfix on 0.0.9pre5.
  463. o Minor bugfixes (IPv6, bridges):
  464. - Tor now always sets IPv6 preferences for bridges. Fixes bug 24573;
  465. bugfix on 0.2.8.2-alpha.
  466. - Tor now sets IPv6 address in the routerstatus as well as in the
  467. router descriptors when updating addresses for a bridge. Closes
  468. ticket 24572; bugfix on 0.2.4.5-alpha. Patch by "ffmancera".
  469. o Minor bugfixes (Linux seccomp2 sandbox):
  470. - When running with the sandbox enabled, reload configuration files
  471. correctly even when %include was used. Previously we would crash.
  472. Fixes bug 22605; bugfix on 0.3.1. Patch from Daniel Pinto.
  473. o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.4.1-alpha):
  474. - Allow the nanosleep() system call, which glibc uses to implement
  475. sleep() and usleep(). Fixes bug 24969; bugfix on 0.2.5.1-alpha.
  476. o Minor bugfixes (logging):
  477. - Fix a (mostly harmless) race condition when invoking
  478. LOG_PROTOCOL_WARN message from a subthread while the torrc options
  479. are changing. Fixes bug 23954; bugfix on 0.1.1.9-alpha.
  480. o Minor bugfixes (man page, SocksPort):
  481. - Remove dead code from the old "SocksSocket" option, and rename
  482. SocksSocketsGroupWritable to UnixSocksGroupWritable. The old
  483. option still works, but is deprecated. Fixes bug 24343; bugfix
  484. on 0.2.6.3.
  485. o Minor bugfixes (memory leaks):
  486. - Avoid possible at-exit memory leaks related to use of Libevent's
  487. event_base_once() function. (This function tends to leak memory if
  488. the event_base is closed before the event fires.) Fixes bug 24584;
  489. bugfix on 0.2.8.1-alpha.
  490. - Fix a harmless memory leak in tor-resolve. Fixes bug 24582; bugfix
  491. on 0.2.1.1-alpha.
  492. o Minor bugfixes (network IPv6 test):
  493. - Tor's test scripts now check if "ping -6 ::1" works when the user
  494. runs "make test-network-all". Fixes bug 24677; bugfix on
  495. 0.2.9.3-alpha. Patch by "ffmancera".
  496. o Minor bugfixes (networking):
  497. - string_is_valid_hostname() will not consider IP strings to be
  498. valid hostnames. Fixes bug 25055; bugfix on Tor 0.2.5.5.
  499. o Minor bugfixes (onion service v3):
  500. - Avoid an assertion failure when the next onion service descriptor
  501. rotation type is out of sync with the consensus's valid-after
  502. time. Instead, log a warning message with extra information, so we
  503. can better hunt down the cause of this assertion. Fixes bug 25306;
  504. bugfix on 0.3.2.1-alpha.
  505. o Minor bugfixes (onion service, backport from 0.3.4.1-alpha):
  506. - Fix a memory leak when a v3 onion service is configured and gets a
  507. SIGHUP signal. Fixes bug 25901; bugfix on 0.3.2.1-alpha.
  508. - When parsing the descriptor signature, look for the token plus an
  509. extra white-space at the end. This is more correct but also will
  510. allow us to support new fields that might start with "signature".
  511. Fixes bug 26069; bugfix on 0.3.0.1-alpha.
  512. o Minor bugfixes (onion services):
  513. - If we are configured to offer a single onion service, don't log
  514. long-term established one hop rendezvous points in the heartbeat.
  515. Fixes bug 25116; bugfix on 0.2.9.6-rc.
  516. o Minor bugfixes (performance):
  517. - Reduce the number of circuits that will be opened at once during
  518. the circuit build timeout phase. This is done by increasing the
  519. idle timeout to 3 minutes, and lowering the maximum number of
  520. concurrent learning circuits to 10. Fixes bug 24769; bugfix
  521. on 0.3.1.1-alpha.
  522. - Avoid calling protocol_list_supports_protocol() from inside tight
  523. loops when running with cached routerinfo_t objects. Instead,
  524. summarize the relevant protocols as flags in the routerinfo_t, as
  525. we do for routerstatus_t objects. This change simplifies our code
  526. a little, and saves a large amount of short-term memory allocation
  527. operations. Fixes bug 25008; bugfix on 0.2.9.4-alpha.
  528. o Minor bugfixes (performance, timeouts):
  529. - Consider circuits for timeout as soon as they complete a hop. This
  530. is more accurate than applying the timeout in
  531. circuit_expire_building() because that function is only called
  532. once per second, which is now too slow for typical timeouts on the
  533. current network. Fixes bug 23114; bugfix on 0.2.2.2-alpha.
  534. - Use onion service circuits (and other circuits longer than 3 hops)
  535. to calculate a circuit build timeout. Previously, Tor only
  536. calculated its build timeout based on circuits that planned to be
  537. exactly 3 hops long. With this change, we include measurements
  538. from all circuits at the point where they complete their third
  539. hop. Fixes bug 23100; bugfix on 0.2.2.2-alpha.
  540. o Minor bugfixes (relay, crash, backport from 0.3.4.1-alpha):
  541. - Avoid a crash when running with DirPort set but ORPort turned off.
  542. Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha.
  543. o Minor bugfixes (Rust FFI):
  544. - Fix a minor memory leak which would happen whenever the C code
  545. would call the Rust implementation of
  546. protover_get_supported_protocols(). This was due to the C version
  547. returning a static string, whereas the Rust version newly allocated
  548. a CString to pass across the FFI boundary. Consequently, the C
  549. code was not expecting to need to free() what it was given. Fixes
  550. bug 25127; bugfix on 0.3.2.1-alpha.
  551. o Minor bugfixes (spelling):
  552. - Use the "misspell" tool to detect and fix typos throughout the
  553. source code. Fixes bug 23650; bugfix on various versions of Tor.
  554. Patch from Deepesh Pathak.
  555. o Minor bugfixes (testing):
  556. - Avoid intermittent test failures due to a test that had relied on
  557. onion service introduction point creation finishing within 5
  558. seconds of real clock time. Fixes bug 25450; bugfix
  559. on 0.3.1.3-alpha.
  560. - Give out Exit flags in bootstrapping networks. Fixes bug 24137;
  561. bugfix on 0.2.3.1-alpha.
  562. o Minor bugfixes (unit test, monotonic time):
  563. - Increase a constant (1msec to 10msec) in the monotonic time test
  564. that makes sure the nsec/usec/msec times read are synchronized.
  565. This change was needed to accommodate slow systems like armel or
  566. when the clock_gettime() is not a VDSO on the running kernel.
  567. Fixes bug 25113; bugfix on 0.2.9.1.
  568. o Code simplification and refactoring:
  569. - Move the list of default directory authorities to its own file.
  570. Closes ticket 24854. Patch by "beastr0".
  571. - Remove the old (deterministic) directory retry logic entirely:
  572. We've used exponential backoff exclusively for some time. Closes
  573. ticket 23814.
  574. - Remove the unused nodelist_recompute_all_hsdir_indices(). Closes
  575. ticket 25108.
  576. - Remove a series of counters used to track circuit extend attempts
  577. and connection status but that in reality we aren't using for
  578. anything other than stats logged by a SIGUSR1 signal. Closes
  579. ticket 25163.
  580. - Remove /usr/athena from search path in configure.ac. Closes
  581. ticket 24363.
  582. - Remove duplicate code in node_has_curve25519_onion_key() and
  583. node_get_curve25519_onion_key(), and add a check for a zero
  584. microdesc curve25519 onion key. Closes ticket 23966, patch by
  585. "aruna1234" and teor.
  586. - Rewrite channel_rsa_id_group_set_badness to reduce temporary
  587. memory allocations with large numbers of OR connections (e.g.
  588. relays). Closes ticket 24119.
  589. - Separate the function that deletes ephemeral files when Tor
  590. stops gracefully.
  591. - Small changes to Tor's buf_t API to make it suitable for use as a
  592. general-purpose safe string constructor. Closes ticket 22342.
  593. - Switch -Wnormalized=id to -Wnormalized=nfkc in configure.ac to
  594. avoid source code identifier confusion. Closes ticket 24467.
  595. - The tor_git_revision[] constant no longer needs to be redeclared
  596. by everything that links against the rest of Tor. Done as part of
  597. ticket 23845, to simplify our external API.
  598. - We make extend_info_from_node() use node_get_curve25519_onion_key()
  599. introduced in ticket 23577 to access the curve25519 public keys
  600. rather than accessing it directly. Closes ticket 23760. Patch by
  601. Neel Chauhan.
  602. - Add a function to log channels' scheduler state changes to aid
  603. debugging efforts. Closes ticket 24531.
  604. o Documentation:
  605. - Improved the documentation of AccountingStart parameter. Closes
  606. ticket 23635.
  607. - Update the documentation for "Log" to include the current list of
  608. logging domains. Closes ticket 25378.
  609. - Add documentation on how to build tor with Rust dependencies
  610. without having to be online. Closes ticket 22907; bugfix
  611. on 0.3.0.3-alpha.
  612. - Clarify the behavior of RelayBandwidth{Rate,Burst} with client
  613. traffic. Closes ticket 24318.
  614. - Document that OutboundBindAddress doesn't apply to DNS requests.
  615. Closes ticket 22145. Patch from Aruna Maurya.
  616. o Code simplification and refactoring (channels):
  617. - Remove the incoming and outgoing channel queues. These were never
  618. used, but still took up a step in our fast path.
  619. - The majority of the channel unit tests have been rewritten and the
  620. code coverage has now been raised to 83.6% for channel.c. Closes
  621. ticket 23709.
  622. - Remove other dead code from the channel subsystem: Altogether,
  623. this cleanup has removed more than 1500 lines of code overall while
  624. adding very little except for unit tests.
  625. o Code simplification and refactoring (circuit rendezvous):
  626. - Split the client-side rendezvous circuit lookup into two
  627. functions: one that returns only established circuits and another
  628. that returns all kinds of circuits. Closes ticket 23459.
  629. o Code simplification and refactoring (controller):
  630. - Make most of the variables in networkstatus_getinfo_by_purpose()
  631. const. Implements ticket 24489.
  632. o Documentation (backport from 0.3.4.1-alpha):
  633. - Correct an IPv6 error in the documentation for ExitPolicy. Closes
  634. ticket 25857. Patch from "CTassisF".
  635. o Documentation (man page):
  636. - The HiddenServiceVersion torrc option accepts only one number:
  637. either version 2 or 3. Closes ticket 25026; bugfix
  638. on 0.3.2.2-alpha.
  639. o Documentation (manpage, denial of service):
  640. - Provide more detail about the denial-of-service options, by
  641. listing each mitigation and explaining how they relate. Closes
  642. ticket 25248.
  643. Changes in version 0.3.1.10 - 2018-03-03
  644. Tor 0.3.1.10 backports a number of bugfixes, including important fixes for
  645. security issues.
  646. It includes an important security fix for a remote crash attack
  647. against directory authorities, tracked as TROVE-2018-001.
  648. This release also backports our new system for improved resistance to
  649. denial-of-service attacks against relays.
  650. This release also fixes several minor bugs and annoyances from
  651. earlier releases.
  652. All directory authorities should upgrade to one of the versions
  653. released today. Relays running 0.3.1.x may wish to update to one of
  654. the versions released today, for the DoS mitigations.
  655. Please note: according to our release calendar, Tor 0.3.1 will no
  656. longer be supported after 1 July 2018. If you will be running Tor
  657. after that date, you should make sure to plan to upgrade to the latest
  658. stable version, or downgrade to 0.2.9 (which will receive long-term
  659. support).
  660. o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
  661. - Fix a protocol-list handling bug that could be used to remotely crash
  662. directory authorities with a null-pointer exception. Fixes bug 25074;
  663. bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
  664. CVE-2018-0490.
  665. o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
  666. - Give relays some defenses against the recent network overload. We
  667. start with three defenses (default parameters in parentheses).
  668. First: if a single client address makes too many concurrent
  669. connections (>100), hang up on further connections. Second: if a
  670. single client address makes circuits too quickly (more than 3 per
  671. second, with an allowed burst of 90) while also having too many
  672. connections open (3), refuse new create cells for the next while
  673. (1-2 hours). Third: if a client asks to establish a rendezvous
  674. point to you directly, ignore the request. These defenses can be
  675. manually controlled by new torrc options, but relays will also
  676. take guidance from consensus parameters, so there's no need to
  677. configure anything manually. Implements ticket 24902.
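
A simplified model of the three defenses listed above, as an added example (not Tor's implementation). The constant and function names are hypothetical, the limits are the defaults quoted in the note, and the refusal period is fixed at the lower bound of the stated 1-2 hours. Whether a client sitting exactly at a threshold counts as over it is an assumption of this model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Defaults quoted in the release note; the names are hypothetical. */
#define MAX_CONCURRENT_CONNS 100u  /* defense 1: connections per address */
#define CIRC_RATE_PER_SEC    3u    /* defense 2: sustained create rate */
#define CIRC_BURST           90u   /* defense 2: allowed burst */
#define CIRC_MIN_CONNS       3u    /* defense 2: connections before flagging */
#define REFUSE_SECS          3600u /* note says 1-2 hours; lower bound used */

/* Per-client-address state. Time is passed in as whole seconds so the
 * model is deterministic. */
typedef struct client_state_t {
  uint32_t open_conns;
  uint32_t tokens;        /* circuit-creation token bucket */
  uint64_t last_refill;
  uint64_t refuse_until;  /* create cells are refused before this time */
} client_state_t;

static void
client_init(client_state_t *c, uint64_t now)
{
  c->open_conns = 0;
  c->tokens = CIRC_BURST;
  c->last_refill = now;
  c->refuse_until = 0;
}

/* Defense 1: refuse the connection that would exceed the limit. */
static bool
client_accept_conn(client_state_t *c)
{
  if (c->open_conns >= MAX_CONCURRENT_CONNS)
    return false;
  c->open_conns++;
  return true;
}

/* Add CIRC_RATE_PER_SEC tokens per elapsed second, capped at the burst. */
static void
bucket_refill(client_state_t *c, uint64_t now)
{
  uint64_t elapsed, add, total;
  if (now <= c->last_refill)
    return; /* same second, or the clock went backwards */
  elapsed = now - c->last_refill;
  add = elapsed >= CIRC_BURST ? CIRC_BURST : elapsed * CIRC_RATE_PER_SEC;
  total = (uint64_t)c->tokens + add;
  c->tokens = (uint32_t)(total > CIRC_BURST ? CIRC_BURST : total);
  c->last_refill = now;
}

/* Defense 2: a client that drains its bucket while holding enough
 * connections is refused for REFUSE_SECS. */
static bool
client_allow_create(client_state_t *c, uint64_t now)
{
  if (now < c->refuse_until)
    return false;
  bucket_refill(c, now);
  if (c->tokens > 0) {
    c->tokens--;
    return true;
  }
  if (c->open_conns >= CIRC_MIN_CONNS) {
    c->refuse_until = now + REFUSE_SECS;
    return false;
  }
  return true; /* too few connections to be flagged */
}

/* Defense 3: ignore rendezvous-establish requests made directly by clients. */
static bool
allow_establish_rendezvous(bool peer_is_client)
{
  return !peer_is_client;
}

/* Constructed scenario: one address attempts `attempts` connections. */
unsigned
sim_conn_flood(unsigned attempts)
{
  client_state_t c;
  unsigned i, accepted = 0;
  client_init(&c, 1000);
  for (i = 0; i < attempts; i++)
    accepted += client_accept_conn(&c) ? 1 : 0;
  return accepted;
}

/* Constructed scenario: `conns` connections, then `cells` create cells
 * arriving within the same second. Returns how many were accepted. */
unsigned
sim_create_flood(uint32_t conns, unsigned cells)
{
  client_state_t c;
  unsigned i, accepted = 0;
  client_init(&c, 1000);
  for (i = 0; i < conns; i++)
    client_accept_conn(&c);
  for (i = 0; i < cells; i++)
    accepted += client_allow_create(&c, 1000) ? 1 : 0;
  return accepted;
}

/* After a flood at t=1000 from 3 connections, is a create cell arriving
 * at time `later` accepted? */
bool
sim_refusal_window(uint64_t later)
{
  client_state_t c;
  unsigned i;
  client_init(&c, 1000);
  for (i = 0; i < CIRC_MIN_CONNS; i++)
    client_accept_conn(&c);
  for (i = 0; i < 200; i++)
    client_allow_create(&c, 1000);
  return client_allow_create(&c, later);
}
```
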
  678. o Minor features (linux seccomp2 sandbox, backport from 0.3.2.5-alpha):
  679. - Update the sandbox rules so that they should now work correctly
  680. with Glibc 2.26. Closes ticket 24315.
  681. o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
  682. - Fix an "off by 2" error in counting rendezvous failures on the
  683. onion service side. While we thought we would stop the rendezvous
  684. attempt after one failed circuit, we were actually making three
  685. circuit attempts before giving up. Now switch to a default of 2,
  686. and allow the consensus parameter "hs_service_max_rdv_failures" to
  687. override. Fixes bug 24895; bugfix on 0.0.6.
  688. o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
  689. - Add Link protocol version 5 to the supported protocols list. Fixes
  690. bug 25070; bugfix on 0.3.1.1-alpha.
  691. o Major bugfixes (relay, backport from 0.3.3.1-alpha):
  692. - Fix a set of false positives where relays would consider
  693. connections to other relays as being client-only connections (and
  694. thus e.g. deserving different link padding schemes) if those
  695. relays fell out of the consensus briefly. Now we look only at the
  696. initial handshake and whether the connection authenticated as a
  697. relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
  698. o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
  699. - Make our OOM handler aware of the geoip client history cache so it
  700. doesn't fill up the memory. This check is important for IPv6 and
  701. our DoS mitigation subsystem. Closes ticket 25122.
  702. o Minor feature (relay statistics, backport from 0.3.2.6-alpha):
  703. - Change relay bandwidth reporting stats interval from 4 hours to 24
  704. hours in order to reduce the efficiency of guard discovery
  705. attacks. Fixes ticket 23856.
  706. o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
  707. - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
  708. Previous versions of Tor would not have worked with OpenSSL 1.1.1,
  709. since they neither disabled TLS 1.3 nor enabled any of the
  710. ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
  711. Closes ticket 24978.
  712. o Minor features (fallback directory mirrors, backport from 0.3.2.9):
  713. - The fallback directory list has been re-generated based on the
  714. current status of the network. Tor uses fallback directories to
  715. bootstrap when it doesn't yet have up-to-date directory
  716. information. Closes ticket 24801.
  717. - Make the default DirAuthorityFallbackRate 0.1, so that clients
  718. prefer to bootstrap from fallback directory mirrors. This is a
  719. follow-up to 24679, which removed weights from the default
  720. fallbacks. Implements ticket 24681.
  721. o Minor features (geoip):
  722. - Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
  723. Country database.
  724. o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
  725. - Use the actual observed address of an incoming relay connection,
  726. not the canonical address of the relay from its descriptor, when
  727. making decisions about how to handle the incoming connection.
  728. Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
  729. o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
  730. - Directory authorities, when refusing a descriptor from a rejected
  731. relay, now explicitly tell the relay (in its logs) to set a valid
  732. ContactInfo address and contact the bad-relays@ mailing list.
  733. Fixes bug 25170; bugfix on 0.2.9.1.
  734. o Minor bugfixes (address selection, backport from 0.3.2.9):
  735. - When the fascist_firewall_choose_address_ functions don't find a
  736. reachable address, set the returned address to the null address
  737. and port. This is a precautionary measure, because some callers do
  738. not check the return value. Fixes bug 24736; bugfix
  739. on 0.2.8.2-alpha.
  740. o Major bugfixes (bootstrapping, backport from 0.3.2.5-alpha):
  741. - Fetch descriptors aggressively whenever we lack enough to build
  742. circuits, regardless of how many descriptors we are missing.
  743. Previously, we would delay launching the fetch when we had fewer
  744. than 15 missing descriptors, even if some of those descriptors
  745. were blocking circuits from building. Fixes bug 23985; bugfix on
  746. 0.1.1.11-alpha. The effects of this bug became worse in
  747. 0.3.0.3-alpha, when we began treating missing descriptors from our
  748. primary guards as a reason to delay circuits.
  749. - Don't try fetching microdescriptors from relays that have failed
  750. to deliver them in the past. Fixes bug 23817; bugfix
  751. on 0.3.0.1-alpha.
  752. o Minor bugfixes (compilation, backport from 0.3.2.7-rc):
  753. - Fix a signed/unsigned comparison warning introduced by our fix to
  754. TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
  755. o Minor bugfixes (control port, linux seccomp2 sandbox, backport from 0.3.2.5-alpha):
  756. - Avoid a crash when attempting to use the seccomp2 sandbox together
  757. with the OwningControllerProcess feature. Fixes bug 24198; bugfix
  758. on 0.2.5.1-alpha.
  759. o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
  760. - Fix a possible crash on malformed consensus. If a consensus had
  761. contained an unparseable protocol line, it could have made clients
  762. and relays crash with a null-pointer exception. To exploit this
  763. issue, however, an attacker would need to be able to subvert the
  764. directory authority system. Fixes bug 25251; bugfix on
  765. 0.2.9.4-alpha. Also tracked as TROVE-2018-004.
  766. o Minor bugfixes (directory cache, backport from 0.3.2.5-alpha):
  767. - Recover better from empty or corrupt files in the consensus cache
  768. directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
  769. - When a consensus diff calculation is only partially successful,
  770. only record the successful parts as having succeeded. Partial
  771. success can happen if (for example) one compression method fails
  772. but the others succeed. Previously we misrecorded all the
  773. calculations as having succeeded, which would later cause a
  774. nonfatal assertion failure. Fixes bug 24086; bugfix
  775. on 0.3.1.1-alpha.
  776. o Minor bugfixes (entry guards, backport from 0.3.2.3-alpha):
  777. - Tor now updates its guard state when it reads a consensus
  778. regardless of whether it's missing descriptors. That makes tor use
  779. its primary guards to fetch descriptors in some edge cases where
  780. it would previously have used fallback directories. Fixes bug
  781. 23862; bugfix on 0.3.0.1-alpha.
  782. o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
  783. - Don't treat inability to store a cached consensus object as a bug:
  784. it can happen normally when we are out of disk space. Fixes bug
  785. 24859; bugfix on 0.3.1.1-alpha.
  786. o Minor bugfixes (memory usage, backport from 0.3.2.8-rc):
  787. - When queuing DESTROY cells on a channel, only queue the circuit-id
  788. and reason fields: not the entire 514-byte cell. This fix should
  789. help mitigate any bugs or attacks that fill up these queues, and
  790. free more RAM for other uses. Fixes bug 24666; bugfix
  791. on 0.2.5.1-alpha.
  792. o Minor bugfixes (network layer, backport from 0.3.2.5-alpha):
  793. - When closing a connection via close_connection_immediately(), we
  794. mark it as "not blocked on bandwidth", to prevent later calls from
  795. trying to unblock it, and give it permission to read. This fixes a
  796. backtrace warning that can happen on relays under various
  797. circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
  798. o Minor bugfixes (path selection, backport from 0.3.2.4-alpha):
  799. - When selecting relays by bandwidth, avoid a rounding error that
  800. could sometimes cause load to be imbalanced incorrectly.
  801. Previously, we would always round upwards; now, we round towards
  802. the nearest integer. This had the biggest effect when a relay's
  803. weight adjustments should have given it weight 0, but it got
  804. weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
  805. - When calculating the fraction of nodes that have descriptors, and
  806. all nodes in the network have zero bandwidths, count the number of
  807. nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
  808. - Actually log the total bandwidth in compute_weighted_bandwidths().
  809. Fixes bug 24170; bugfix on 0.2.4.3-alpha.
  810. o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
  811. - Improve the performance of our consensus-diff application code
  812. when Tor is built with the --enable-fragile-hardening option set.
  813. Fixes bug 24826; bugfix on 0.3.1.1-alpha.
  814. o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
  815. - Don't exit the Tor process if setrlimit() fails to change the file
  816. limit (which can happen sometimes on some versions of OSX). Fixes
  817. bug 21074; bugfix on 0.0.9pre5.
  818. o Minor bugfixes (portability, msvc, backport from 0.3.2.9):
  819. - Fix a bug in the bit-counting parts of our timing-wheel code on
  820. MSVC. (Note that MSVC is still not a supported build platform, due
  821. to cryptographic timing channel risks.) Fixes bug 24633; bugfix
  822. on 0.2.9.1-alpha.
  823. o Minor bugfixes (relay, partial backport):
  824. - Make the internal channel_is_client() function look at what sort
  825. of connection handshake the other side used, rather than whether
  826. the other side ever sent a create_fast cell to us. Backports part
  827. of the fixes from bugs 22805 and 24898.
  828. o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
  829. - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
  830. 0.2.9.4-alpha.
  831. - Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
  832. bugfix on 0.2.9.4-alpha.
  833. o Code simplification and refactoring (backport from 0.3.3.3-alpha):
  834. - Update the "rust dependencies" submodule to be a project-level
  835. repository, rather than a user repository. Closes ticket 25323.
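The spec-conformance and malformed-consensus entries above both come down to strict parsing of protocol version lists and to callers checking the parser's result. The following is an added example, not Tor's own code: it assumes the `Name=versions` list format (for instance `Link=1-5 HSRend=1-2`), and all function names are hypothetical. It sets a lenient parser built directly on `strtoul()` beside a strict one that rejects "-0" and UINT32_MAX.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lenient parser, shown for contrast only. strtoul() skips leading
 * whitespace and accepts a sign, so "-0" parses as 0, and UINT32_MAX
 * itself is accepted as a version. */
int naive_parse_version(const char *s, uint32_t *out) {
  char *end;
  errno = 0;
  unsigned long v = strtoul(s, &end, 10);
  if (end == s || *end != '\0' || errno != 0 || v > UINT32_MAX) return -1;
  *out = (uint32_t)v;
  return 0;
}

/* Strict parser: digits only, no sign or whitespace, and the value must
 * be below UINT32_MAX. Advances *sp past the number on success. */
static int strict_parse_version(const char **sp, uint32_t *out) {
  const char *s = *sp;
  uint64_t v = 0;
  if (!isdigit((unsigned char)*s)) return -1;   /* rejects "-0", "+1", " 1", "" */
  while (isdigit((unsigned char)*s)) {
    v = v * 10 + (uint64_t)(*s - '0');
    if (v >= UINT32_MAX) return -1;             /* overflow, or UINT32_MAX itself */
    s++;
  }
  *out = (uint32_t)v;
  *sp = s;
  return 0;
}

/* Parse "1,3-5" up to a space or NUL. Returns 1 if `want` is listed,
 * 0 if it is not, -1 if the list is malformed. */
static int versions_contain(const char *s, const char **endp, uint32_t want) {
  int found = 0;
  for (;;) {
    uint32_t lo, hi;
    if (strict_parse_version(&s, &lo) < 0) return -1;
    hi = lo;
    if (*s == '-') {
      s++;
      if (strict_parse_version(&s, &hi) < 0 || hi < lo) return -1;
    }
    if (lo <= want && want <= hi) found = 1;
    if (*s != ',') break;
    s++;
  }
  if (*s != ' ' && *s != '\0') return -1;
  *endp = s;
  return found;
}

/* Returns 1 if `line` lists version `want` of protocol `name`, 0 if it
 * does not, and -1 if any part of the line is unparseable. The error is
 * a return value the caller must check; no pointer is handed back that
 * could be NULL and dereferenced later. */
int protocol_supported(const char *line, const char *name, uint32_t want) {
  if (line == NULL || name == NULL) return -1;
  size_t name_len = strlen(name);
  int result = 0;
  const char *s = line;
  while (*s != '\0') {
    const char *eq = strchr(s, '=');
    const char *sp = strchr(s, ' ');
    const char *end;
    if (eq == NULL || eq == s || (sp != NULL && sp < eq)) return -1;
    int r = versions_contain(eq + 1, &end, want);
    if (r < 0) return -1;                        /* reject the whole line */
    if (r == 1 && (size_t)(eq - s) == name_len && memcmp(s, name, name_len) == 0)
      result = 1;
    s = (*end == ' ') ? end + 1 : end;
  }
  return result;
}

int main(void) {
  /* Constructed sample lines, not taken from a real consensus. */
  const char *samples[] = { "Link=1-5 HSRend=1-2", "Link=1-4", "Link=-0",
                            "Link=1-4294967295", "Link" };
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-22s Link v5 -> %d\n", samples[i],
           protocol_supported(samples[i], "Link", 5));
  return 0;
}
```
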
  836. Changes in version 0.2.9.15 - 2018-03-03
  837. Tor 0.2.9.15 backports important security and stability bugfixes from
  838. later Tor releases.
  839. It includes an important security fix for a remote crash attack
  840. against directory authorities, tracked as TROVE-2018-001.
  841. This release also backports our new system for improved resistance to
  842. denial-of-service attacks against relays.
  843. This release also fixes several minor bugs and annoyances from
  844. earlier releases.
  845. All directory authorities should upgrade to one of the versions
  846. released today. Relays running 0.2.9.x may wish to update to one of
  847. the versions released today, for the DoS mitigations.
  848. o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
  849. - Fix a protocol-list handling bug that could be used to remotely crash
  850. directory authorities with a null-pointer exception. Fixes bug 25074;
  851. bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
  852. CVE-2018-0490.
  853. o Major features (denial-of-service mitigation):
  854. - Give relays some defenses against the recent network overload. We
  855. start with three defenses (default parameters in parentheses).
  856. First: if a single client address makes too many concurrent
  857. connections (>100), hang up on further connections. Second: if a
  858. single client address makes circuits too quickly (more than 3 per
  859. second, with an allowed burst of 90) while also having too many
  860. connections open (3), refuse new create cells for the next while
  861. (1-2 hours). Third: if a client asks to establish a rendezvous
  862. point to you directly, ignore the request. These defenses can be
  863. manually controlled by new torrc options, but relays will also
  864. take guidance from consensus parameters, so there's no need to
  865. configure anything manually. Implements ticket 24902.
  866. o Major bugfixes (bootstrapping):
  867. - Fetch descriptors aggressively whenever we lack enough to build
  868. circuits, regardless of how many descriptors we are missing.
  869. Previously, we would delay launching the fetch when we had fewer
  870. than 15 missing descriptors, even if some of those descriptors
  871. were blocking circuits from building. Fixes bug 23985; bugfix on
  872. 0.1.1.11-alpha. The effects of this bug became worse in
  873. 0.3.0.3-alpha, when we began treating missing descriptors from our
  874. primary guards as a reason to delay circuits.
  875. o Major bugfixes (onion services, retry behavior):
  876. - Fix an "off by 2" error in counting rendezvous failures on the
  877. onion service side. While we thought we would stop the rendezvous
  878. attempt after one failed circuit, we were actually making three
  879. circuit attempts before giving up. Now switch to a default of 2,
  880. and allow the consensus parameter "hs_service_max_rdv_failures" to
  881. override. Fixes bug 24895; bugfix on 0.0.6.
  882. o Minor feature (relay statistics):
  883. - Change relay bandwidth reporting stats interval from 4 hours to 24
  884. hours in order to reduce the efficiency of guard discovery
  885. attacks. Fixes ticket 23856.
  886. o Minor features (compatibility, OpenSSL):
  887. - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
  888. Previous versions of Tor would not have worked with OpenSSL 1.1.1,
  889. since they neither disabled TLS 1.3 nor enabled any of the
  890. ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
  891. Closes ticket 24978.
  892. o Minor features (denial-of-service avoidance):
  893. - Make our OOM handler aware of the geoip client history cache so it
  894. doesn't fill up the memory. This check is important for IPv6 and
  895. our DoS mitigation subsystem. Closes ticket 25122.
  896. o Minor features (fallback directory mirrors):
  897. - The fallback directory list has been re-generated based on the
  898. current status of the network. Tor uses fallback directories to
  899. bootstrap when it doesn't yet have up-to-date directory
  900. information. Closes ticket 24801.
  901. - Make the default DirAuthorityFallbackRate 0.1, so that clients
  902. prefer to bootstrap from fallback directory mirrors. This is a
  903. follow-up to 24679, which removed weights from the default
  904. fallbacks. Implements ticket 24681.
  905. o Minor features (geoip):
  906. - Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
  907. Country database.
  908. o Minor features (linux seccomp2 sandbox):
  909. - Update the sandbox rules so that they should now work correctly
  910. with Glibc 2.26. Closes ticket 24315.
  911. o Minor bugfix (channel connection):
  912. - Use the actual observed address of an incoming relay connection,
  913. not the canonical address of the relay from its descriptor, when
  914. making decisions about how to handle the incoming connection.
  915. Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
  916. o Minor bugfix (directory authority):
  917. - Directory authorities, when refusing a descriptor from a rejected
  918. relay, now explicitly tell the relay (in its logs) to set a valid
  919. ContactInfo address and contact the bad-relays@ mailing list.
  920. Fixes bug 25170; bugfix on 0.2.9.1.
  921. o Minor bugfixes (address selection):
  922. - When the fascist_firewall_choose_address_ functions don't find a
  923. reachable address, set the returned address to the null address
  924. and port. This is a precautionary measure, because some callers do
  925. not check the return value. Fixes bug 24736; bugfix
  926. on 0.2.8.2-alpha.
  927. o Minor bugfixes (compilation):
  928. - Fix a signed/unsigned comparison warning introduced by our fix to
  929. TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
  930. o Minor bugfixes (control port, linux seccomp2 sandbox):
  931. - Avoid a crash when attempting to use the seccomp2 sandbox together
  932. with the OwningControllerProcess feature. Fixes bug 24198; bugfix
  933. on 0.2.5.1-alpha.
  934. o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
  935. - Fix a possible crash on malformed consensus. If a consensus had
  936. contained an unparseable protocol line, it could have made clients
  937. and relays crash with a null-pointer exception. To exploit this
  938. issue, however, an attacker would need to be able to subvert the
  939. directory authority system. Fixes bug 25251; bugfix on
  940. 0.2.9.4-alpha. Also tracked as TROVE-2018-004.
  941. o Minor bugfixes (memory usage):
  942. - When queuing DESTROY cells on a channel, only queue the circuit-id
  943. and reason fields: not the entire 514-byte cell. This fix should
  944. help mitigate any bugs or attacks that fill up these queues, and
  945. free more RAM for other uses. Fixes bug 24666; bugfix
  946. on 0.2.5.1-alpha.
  947. o Minor bugfixes (network layer):
  948. - When closing a connection via close_connection_immediately(), we
  949. mark it as "not blocked on bandwidth", to prevent later calls from
  950. trying to unblock it, and give it permission to read. This fixes a
  951. backtrace warning that can happen on relays under various
  952. circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
  953. o Minor bugfixes (OSX):
  954. - Don't exit the Tor process if setrlimit() fails to change the file
  955. limit (which can happen sometimes on some versions of OSX). Fixes
  956. bug 21074; bugfix on 0.0.9pre5.
  957. o Minor bugfixes (path selection):
  958. - When selecting relays by bandwidth, avoid a rounding error that
  959. could sometimes cause load to be imbalanced incorrectly.
  960. Previously, we would always round upwards; now, we round towards
  961. the nearest integer. This had the biggest effect when a relay's
  962. weight adjustments should have given it weight 0, but it got
  963. weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
  964. - When calculating the fraction of nodes that have descriptors, and
  965. all nodes in the network have zero bandwidths, count the number of
  966. nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
  967. - Actually log the total bandwidth in compute_weighted_bandwidths().
  968. Fixes bug 24170; bugfix on 0.2.4.3-alpha.
  969. o Minor bugfixes (portability, msvc):
  970. - Fix a bug in the bit-counting parts of our timing-wheel code on
  971. MSVC. (Note that MSVC is still not a supported build platform, due
  972. to cryptographic timing channel risks.) Fixes bug 24633; bugfix
  973. on 0.2.9.1-alpha.
  974. o Minor bugfixes (relay):
  975. - Make the internal channel_is_client() function look at what sort
  976. of connection handshake the other side used, rather than whether
  977. the other side ever sent a create_fast cell to us. Backports part
  978. of the fixes from bugs 22805 and 24898.
  979. o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
  980. - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
  981. 0.2.9.4-alpha.
  982. - Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
  983. bugfix on 0.2.9.4-alpha.
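The first two defenses in the denial-of-service mitigation entry of these 0.2.9.15 notes amount to a per-address connection cap plus a token bucket on circuit creation. The following is an added, simplified model using the default numbers quoted there; it is not Tor's implementation, all names are hypothetical, time is in whole seconds, and the random 1-2 hour refusal period is passed in as `jitter` so the run is repeatable.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Default parameters quoted in the release note; names are this example's own. */
#define CONN_MAX_CONCURRENT 100u   /* more connections than this: hang up */
#define CIRC_RATE_PER_SEC   3u     /* sustained circuit creations per second */
#define CIRC_BURST          90u    /* token bucket capacity */
#define CIRC_MIN_CONNS      3u     /* connections open before the limit applies */
#define REFUSE_MIN_SECS     3600u  /* refuse create cells for 1 to 2 hours */
#define REFUSE_MAX_SECS     7200u

/* State kept per client address. */
typedef struct {
  uint32_t conns;         /* currently open connections */
  uint32_t bucket;        /* circuit-creation tokens left */
  uint64_t last_refill;   /* time of the last refill, in seconds */
  uint64_t refuse_until;  /* create cells are refused before this time */
} client_t;

void client_init(client_t *c, uint64_t now) {
  c->conns = 0;
  c->bucket = CIRC_BURST;
  c->last_refill = now;
  c->refuse_until = 0;
}

/* First defense: returns false when the connection should be closed. */
bool on_new_connection(client_t *c) {
  if (c->conns >= CONN_MAX_CONCURRENT) return false;
  c->conns++;
  return true;
}

void on_connection_closed(client_t *c) {
  if (c->conns > 0) c->conns--;
}

/* Add CIRC_RATE_PER_SEC tokens per elapsed second, capped at CIRC_BURST.
 * A clock that jumps backwards counts as zero elapsed time. */
static void refill(client_t *c, uint64_t now) {
  uint64_t elapsed = now > c->last_refill ? now - c->last_refill : 0;
  if (elapsed >= CIRC_BURST) {
    c->bucket = CIRC_BURST;          /* also avoids overflow for huge gaps */
  } else {
    uint64_t tokens = c->bucket + elapsed * CIRC_RATE_PER_SEC;
    c->bucket = tokens > CIRC_BURST ? CIRC_BURST : (uint32_t)tokens;
  }
  c->last_refill = now;
}

/* Second defense: returns false when the create cell should be refused. */
bool on_create_cell(client_t *c, uint64_t now, uint32_t jitter) {
  if (now < c->refuse_until) return false;       /* still penalized */
  refill(c, now);
  if (c->bucket > 0) {
    c->bucket--;
    return true;
  }
  if (c->conns >= CIRC_MIN_CONNS) {              /* too fast and too many conns */
    c->refuse_until = now + REFUSE_MIN_SECS +
                      jitter % (REFUSE_MAX_SECS - REFUSE_MIN_SECS + 1);
    return false;
  }
  return true;  /* below the connection threshold: the rate limit does not apply */
}

/* Helper: send n create cells at time `now`; returns how many were accepted. */
unsigned send_creates(client_t *c, uint64_t now, unsigned n) {
  unsigned accepted = 0;
  for (unsigned i = 0; i < n; i++)
    if (on_create_cell(c, now, 0)) accepted++;
  return accepted;
}

int main(void) {
  client_t c;
  client_init(&c, 0);
  for (int i = 0; i < 3; i++) on_new_connection(&c);
  printf("t=0  burst of 120: %u accepted\n", send_creates(&c, 0, 120));
  printf("t=60 burst of 10:  %u accepted\n", send_creates(&c, 60, 10));
  printf("refusing until t=%llu\n", (unsigned long long)c.refuse_until);
  return 0;
}
```
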
  984. Changes in version 0.3.2.10 - 2018-03-03
  985. Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It
  986. backports a number of bugfixes, including important fixes for security
  987. issues.
  988. It includes an important security fix for a remote crash attack
  989. against directory authorities, tracked as TROVE-2018-001.
  990. Additionally, it backports a fix for a bug whose severity we have
  991. upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely
  992. triggered in order to crash relays with a use-after-free pattern. As
  993. such, we are now tracking that bug as TROVE-2018-002 and
  994. CVE-2018-0491, and backporting it to earlier releases. This bug
  995. affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version
  996. 0.3.3.1-alpha.
  997. This release also backports our new system for improved resistance to
  998. denial-of-service attacks against relays.
  999. This release also fixes several minor bugs and annoyances from
  1000. earlier releases.
  1001. Relays running 0.3.2.x SHOULD upgrade to one of the versions released
  1002. today, for the fix to TROVE-2018-002. Directory authorities should
  1003. also upgrade. (Relays on earlier versions might want to update too for
  1004. the DoS mitigations.)
  1005. o Major bugfixes (denial-of-service, directory authority, backport from 0.3.3.3-alpha):
  1006. - Fix a protocol-list handling bug that could be used to remotely crash
  1007. directory authorities with a null-pointer exception. Fixes bug 25074;
  1008. bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2018-001 and
  1009. CVE-2018-0490.
  1010. o Major bugfixes (scheduler, KIST, denial-of-service, backport from 0.3.3.2-alpha):
  1011. - Avoid adding the same channel twice in the KIST scheduler pending
  1012. list, which could lead to remote denial-of-service use-after-free
  1013. attacks against relays. Fixes bug 24700; bugfix on 0.3.2.1-alpha.
  1014. o Major features (denial-of-service mitigation, backport from 0.3.3.2-alpha):
  1015. - Give relays some defenses against the recent network overload. We
  1016. start with three defenses (default parameters in parentheses).
  1017. First: if a single client address makes too many concurrent
  1018. connections (>100), hang up on further connections. Second: if a
  1019. single client address makes circuits too quickly (more than 3 per
  1020. second, with an allowed burst of 90) while also having too many
  1021. connections open (3), refuse new create cells for the next while
  1022. (1-2 hours). Third: if a client asks to establish a rendezvous
  1023. point to you directly, ignore the request. These defenses can be
  1024. manually controlled by new torrc options, but relays will also
  1025. take guidance from consensus parameters, so there's no need to
  1026. configure anything manually. Implements ticket 24902.
  1027. o Major bugfixes (onion services, retry behavior, backport from 0.3.3.1-alpha):
  1028. - Fix an "off by 2" error in counting rendezvous failures on the
  1029. onion service side. While we thought we would stop the rendezvous
  1030. attempt after one failed circuit, we were actually making three
  1031. circuit attempts before giving up. Now switch to a default of 2,
  1032. and allow the consensus parameter "hs_service_max_rdv_failures" to
  1033. override. Fixes bug 24895; bugfix on 0.0.6.
  1034. - New-style (v3) onion services now obey the "max rendezvous circuit
  1035. attempts" logic. Previously they would make as many rendezvous
  1036. circuit attempts as they could fit in the MAX_REND_TIMEOUT second
  1037. window before giving up. Fixes bug 24894; bugfix on 0.3.2.1-alpha.
  1038. o Major bugfixes (protocol versions, backport from 0.3.3.2-alpha):
  1039. - Add Link protocol version 5 to the supported protocols list. Fixes
  1040. bug 25070; bugfix on 0.3.1.1-alpha.
  1041. o Major bugfixes (relay, backport from 0.3.3.1-alpha):
  1042. - Fix a set of false positives where relays would consider
  1043. connections to other relays as being client-only connections (and
  1044. thus e.g. deserving different link padding schemes) if those
  1045. relays fell out of the consensus briefly. Now we look only at the
  1046. initial handshake and whether the connection authenticated as a
  1047. relay. Fixes bug 24898; bugfix on 0.3.1.1-alpha.
  1048. o Major bugfixes (scheduler, consensus, backport from 0.3.3.2-alpha):
  1049. - The scheduler subsystem was failing to promptly notice changes in
  1050. consensus parameters, making it harder to switch schedulers
  1051. network-wide. Fixes bug 24975; bugfix on 0.3.2.1-alpha.
  1052. o Minor features (denial-of-service avoidance, backport from 0.3.3.2-alpha):
  1053. - Make our OOM handler aware of the geoip client history cache so it
  1054. doesn't fill up the memory. This check is important for IPv6 and
  1055. our DoS mitigation subsystem. Closes ticket 25122.
  1056. o Minor features (compatibility, OpenSSL, backport from 0.3.3.3-alpha):
  1057. - Tor will now support TLS1.3 once OpenSSL 1.1.1 is released.
  1058. Previous versions of Tor would not have worked with OpenSSL 1.1.1,
  1059. since they neither disabled TLS 1.3 nor enabled any of the
  1060. ciphersuites it requires. Now we enable the TLS 1.3 ciphersuites.
  1061. Closes ticket 24978.
  1062. o Minor features (geoip):
  1063. - Update geoip and geoip6 to the February 7 2018 Maxmind GeoLite2
  1064. Country database.
  1065. o Minor features (logging, diagnostic, backport from 0.3.3.2-alpha):
  1066. - When logging a failure to create an onion service's descriptor,
  1067. also log what the problem with the descriptor was. Diagnostic
  1068. for ticket 24972.
  1069. o Minor bugfix (channel connection, backport from 0.3.3.2-alpha):
  1070. - Use the actual observed address of an incoming relay connection,
  1071. not the canonical address of the relay from its descriptor, when
  1072. making decisions about how to handle the incoming connection.
  1073. Fixes bug 24952; bugfix on 0.2.4.11-alpha. Patch by "ffmancera".
  1074. o Minor bugfixes (denial-of-service, backport from 0.3.3.3-alpha):
  1075. - Fix a possible crash on malformed consensus. If a consensus had
  1076. contained an unparseable protocol line, it could have made clients
  1077. and relays crash with a null-pointer exception. To exploit this
  1078. issue, however, an attacker would need to be able to subvert the
  1079. directory authority system. Fixes bug 25251; bugfix on
  1080. 0.2.9.4-alpha. Also tracked as TROVE-2018-004.
  1081. o Minor bugfix (directory authority, backport from 0.3.3.2-alpha):
  1082. - Directory authorities, when refusing a descriptor from a rejected
  1083. relay, now explicitly tell the relay (in its logs) to set a valid
  1084. ContactInfo address and contact the bad-relays@ mailing list.
  1085. Fixes bug 25170; bugfix on 0.2.9.1.
  1086. o Minor bugfixes (build, rust, backport from 0.3.3.1-alpha):
  1087. - When building with Rust on OSX, link against libresolv, to work
  1088. around the issue at https://github.com/rust-lang/rust/issues/46797.
  1089. Fixes bug 24652; bugfix on 0.3.1.1-alpha.
  1090. o Minor bugfixes (onion services, backport from 0.3.3.2-alpha):
  1091. - Remove a BUG() statement when a client fetches an onion descriptor
  1092. that has a lower revision counter than the one in its cache. This
  1093. can happen in normal circumstances due to HSDir desync. Fixes bug
  1094. 24976; bugfix on 0.3.2.1-alpha.
  1095. o Minor bugfixes (logging, backport from 0.3.3.2-alpha):
  1096. - Don't treat inability to store a cached consensus object as a bug:
  1097. it can happen normally when we are out of disk space. Fixes bug
  1098. 24859; bugfix on 0.3.1.1-alpha.
  1099. o Minor bugfixes (performance, fragile-hardening, backport from 0.3.3.1-alpha):
  1100. - Improve the performance of our consensus-diff application code
  1101. when Tor is built with the --enable-fragile-hardening option set.
  1102. Fixes bug 24826; bugfix on 0.3.1.1-alpha.
  1103. o Minor bugfixes (OSX, backport from 0.3.3.1-alpha):
  1104. - Don't exit the Tor process if setrlimit() fails to change the file
  1105. limit (which can happen sometimes on some versions of OSX). Fixes
  1106. bug 21074; bugfix on 0.0.9pre5.
  1107. o Minor bugfixes (spec conformance, backport from 0.3.3.3-alpha):
  1108. - Forbid "-0" as a protocol version. Fixes part of bug 25249; bugfix on
  1109. 0.2.9.4-alpha.
  1110. - Forbid UINT32_MAX as a protocol version. Fixes part of bug 25249;
  1111. bugfix on 0.2.9.4-alpha.
  1112. o Minor bugfixes (testing, backport from 0.3.3.1-alpha):
  1113. - Fix a memory leak in the scheduler/loop_kist unit test. Fixes bug
  1114. 25005; bugfix on 0.3.2.7-rc.
  1115. o Minor bugfixes (v3 onion services, backport from 0.3.3.2-alpha):
  1116. - Look at the "HSRend" protocol version, not the "HSDir" protocol
  1117. version, when deciding whether a consensus entry can support the
  1118. v3 onion service protocol as a rendezvous point. Fixes bug 25105;
  1119. bugfix on 0.3.2.1-alpha.
  1120. o Code simplification and refactoring (backport from 0.3.3.3-alpha):
  1121. - Update the "rust dependencies" submodule to be a project-level
  1122. repository, rather than a user repository. Closes ticket 25323.
  1123. o Documentation (backport from 0.3.3.1-alpha):
  1124. - Document that operators who run more than one relay or bridge are
  1125. expected to set MyFamily and ContactInfo correctly. Closes
  1126. ticket 24526.
  1127. Changes in version 0.3.2.9 - 2018-01-09
  1128. Tor 0.3.2.9 is the first stable release in the 0.3.2 series.
  1129. The 0.3.2 series includes our long-anticipated new onion service
  1130. design, with numerous security features. (For more information, see
  1131. our blog post at https://blog.torproject.org/fall-harvest.) We also
  1132. have a new circuit scheduler algorithm for improved performance on
  1133. relays everywhere (see https://blog.torproject.org/kist-and-tell),
  1134. along with many smaller features and bugfixes.
  1135. Per our stable release policy, we plan to support each stable release
  1136. series for at least the next nine months, or for three months after
  1137. the first stable release of the next series: whichever is longer. If
  1138. you need a release with long-term support, we recommend that you stay
  1139. with the 0.2.9 series.
  1140. Below is a list of the changes since 0.3.1.7. For a list of all
  1141. changes since 0.3.2.8-rc, see the ChangeLog file.
  1142. o Directory authority changes:
  1143. - Add "Bastet" as a ninth directory authority to the default list.
  1144. Closes ticket 23910.
  1145. - The directory authority "Longclaw" has changed its IP address.
  1146. Closes ticket 23592.
  1147. - Remove longclaw's IPv6 address, as it will soon change. Authority
  1148. IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
  1149. 3/8 directory authorities with IPv6 addresses, but there are also
  1150. 52 fallback directory mirrors with IPv6 addresses. Resolves 19760.
  1151. - Add an IPv6 address for the "bastet" directory authority. Closes
  1152. ticket 24394.
  1153. o Major features (next-generation onion services):
  1154. - Tor now supports the next-generation onion services protocol for
  1155. clients and services! As part of this release, the core of
  1156. proposal 224 has been implemented and is available for
  1157. experimentation and testing by our users. This newer version of
  1158. onion services ("v3") features many improvements over the legacy
  1159. system, including:
  1160. a) Better crypto (replaced SHA1/DH/RSA1024
  1161. with SHA3/ed25519/curve25519)
  1162. b) Improved directory protocol, leaking much less information to
  1163. directory servers.
  1164. c) Improved directory protocol, with smaller surface for
  1165. targeted attacks.
  1166. d) Better onion address security against impersonation.
  1167. e) More extensible introduction/rendezvous protocol.
  1168. f) A cleaner and more modular codebase.
  1169. You can identify a next-generation onion address by its length:
  1170. they are 56 characters long, as in
  1171. "4acth47i6kxnvkewtm6q7ib2s3ufpo5sqbsnzjpbi7utijcltosqemad.onion".
  1172. In the future, we will release more options and features for v3
  1173. onion services, but we first need a testing period, so that the
  1174. current codebase matures and becomes more robust. Planned features
  1175. include: offline keys, advanced client authorization, improved
  1176. guard algorithms, and statistics. For full details, see
  1177. proposal 224.
  1178. Legacy ("v2") onion services will still work for the foreseeable
  1179. future, and will remain the default until this new codebase gets
  1180. tested and hardened. Service operators who want to experiment with
  1181. the new system can use the 'HiddenServiceVersion 3' torrc
  1182. directive along with the regular onion service configuration
  1183. options. For more information, see our blog post at
  1184. "https://blog.torproject.org/fall-harvest". Enjoy!
  1185. o Major feature (scheduler, channel):
  1186. - Tor now uses new schedulers to decide which circuits should
  1187. deliver cells first, in order to improve congestion at relays. The
  1188. first type is called "KIST" ("Kernel Informed Socket Transport"),
  1189. and is only available on Linux-like systems: it uses feedback from
  1190. the kernel to prevent the kernel's TCP buffers from growing too
  1191. full. The second new scheduler type is called "KISTLite": it
  1192. behaves the same as KIST, but runs on systems without kernel
  1193. support for inspecting TCP implementation details. The old
  1194. scheduler is still available, under the name "Vanilla". To change
  1195. the default scheduler preference order, use the new "Schedulers"
  1196. option. (The default preference order is "KIST,KISTLite,Vanilla".)
  1197. Matt Traudt implemented KIST, based on research by Rob Jansen,
  1198. John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson. For
  1199. more information, see the design paper at
  1200. http://www.robgjansen.com/publications/kist-sec2014.pdf and the
  1201. followup implementation paper at https://arxiv.org/abs/1709.01044.
  1202. Closes ticket 12541. For more information, see our blog post at
  1203. "https://blog.torproject.org/kist-and-tell".
  1204. o Major bugfixes (security, general):
  1205. - Fix a denial of service bug where an attacker could use a
  1206. malformed directory object to cause a Tor instance to pause while
  1207. OpenSSL would try to read a passphrase from the terminal. (Tor
  1208. instances run without a terminal, which is the case for most Tor
  1209. packages, are not impacted.) Fixes bug 24246; bugfix on every
  1210. version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
  1211. Found by OSS-Fuzz as testcase 6360145429790720.
  1212. o Major bugfixes (security, directory authority):
  1213. - Fix a denial of service issue where an attacker could crash a
  1214. directory authority using a malformed router descriptor. Fixes bug
  1215. 24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
  1216. and CVE-2017-8820.
  1217. o Major bugfixes (security, onion service v2):
  1218. - Fix a use-after-free error that could crash v2 Tor onion services
  1219. when they failed to open circuits while expiring introduction
  1220. points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
  1221. also tracked as TROVE-2017-013 and CVE-2017-8823.
  1222. - When checking for replays in the INTRODUCE1 cell data for a
  1223. (legacy) onion service, correctly detect replays in the RSA-
  1224. encrypted part of the cell. We were previously checking for
  1225. replays on the entire cell, but those can be circumvented due to
  1226. the malleability of Tor's legacy hybrid encryption. This fix helps
  1227. prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
  1228. 0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
  1229. and CVE-2017-8819.
  1230. o Major bugfixes (security, relay):
  1231. - When running as a relay, make sure that we never build a path
  1232. through ourselves, even in the case where we have somehow lost the
  1233. version of our descriptor appearing in the consensus. Fixes part
  1234. of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
  1235. as TROVE-2017-012 and CVE-2017-8822.
  1236. - When running as a relay, make sure that we never choose ourselves
  1237. as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
  1238. issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
  1239. o Major bugfixes (bootstrapping):
  1240. - Fetch descriptors aggressively whenever we lack enough to build
  1241. circuits, regardless of how many descriptors we are missing.
  1242. Previously, we would delay launching the fetch when we had fewer
  1243. than 15 missing descriptors, even if some of those descriptors
  1244. were blocking circuits from building. Fixes bug 23985; bugfix on
  1245. 0.1.1.11-alpha. The effects of this bug became worse in
  1246. 0.3.0.3-alpha, when we began treating missing descriptors from our
  1247. primary guards as a reason to delay circuits.
  1248. - Don't try fetching microdescriptors from relays that have failed
  1249. to deliver them in the past. Fixes bug 23817; bugfix
  1250. on 0.3.0.1-alpha.
  1251. o Major bugfixes (circuit prediction):
  1252. - Fix circuit prediction logic so that a client doesn't treat a port
  1253. as being "handled" by a circuit if that circuit already has
  1254. isolation settings on it. This change should make Tor clients more
  1255. responsive by improving their chances of having a pre-created
  1256. circuit ready for use when a request arrives. Fixes bug 18859;
  1257. bugfix on 0.2.3.3-alpha.
  1258. o Major bugfixes (exit relays, DNS):
  1259. - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
  1260. making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
  1261. 0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
  1262. identifying and finding a workaround to this bug and to Moritz,
  1263. Arthur Edelstein, and Roger for helping to track it down and
  1264. analyze it.
  1265. o Major bugfixes (relay, crash, assertion failure):
  1266. - Fix a timing-based assertion failure that could occur when the
  1267. circuit out-of-memory handler freed a connection's output buffer.
  1268. Fixes bug 23690; bugfix on 0.2.6.1-alpha.
  1269. o Major bugfixes (usability, control port):
  1270. - Report trusted clock skew indications as bootstrap errors, so
  1271. controllers can more easily alert users when their clocks are
  1272. wrong. Fixes bug 23506; bugfix on 0.1.2.6-alpha.
  1273. o Minor features (bridge):
  1274. - Bridge relays can now set the BridgeDistribution config option to
  1275. add a "bridge-distribution-request" line to their bridge
  1276. descriptor, which tells BridgeDB how they'd like their bridge
  1277. address to be given out. (Note that as of Oct 2017, BridgeDB does
  1278. not yet implement this feature.) As a side benefit, this feature
  1279. provides a way to distinguish bridge descriptors from non-bridge
  1280. descriptors. Implements ticket 18329.
  1281. - When handling the USERADDR command on an ExtOrPort, warn when the
  1282. transport provides a USERADDR with no port. In a future version,
  1283. USERADDR commands of this format may be rejected. Detects problems
  1284. related to ticket 23080.
  1285. o Minor features (bug detection):
  1286. - Log a warning message with a stack trace for any attempt to call
  1287. get_options() during option validation. This pattern has caused
  1288. subtle bugs in the past. Closes ticket 22281.
  1289. o Minor features (build, compilation):
  1290. - The "check-changes" feature is now part of the "make check" tests;
  1291. we'll use it to try to prevent malformed changes files from
  1292. accumulating. Closes ticket 23564.
  1293. - Tor builds should now fail if there are any mismatches between the
  1294. C type representing a configuration variable and the C type the
  1295. data-driven parser uses to store a value there. Previously, we
  1296. needed to check these by hand, which sometimes led to mistakes.
  1297. Closes ticket 23643.
  1298. o Minor features (client):
  1299. - You can now use Tor as a tunneled HTTP proxy: use the new
  1300. HTTPTunnelPort option to open a port that accepts HTTP CONNECT
  1301. requests. Closes ticket 22407.
  1302. - Add an extra check to make sure that we always use the newer guard
  1303. selection code for picking our guards. Closes ticket 22779.
  1304. - When downloading (micro)descriptors, don't split the list into
  1305. multiple requests unless we want at least 32 descriptors.
  1306. Previously, we split at 4, not 32, which led to significant
  1307. overhead in HTTP request size and degradation in compression
  1308. performance. Closes ticket 23220.
  1309. - Improve log messages when missing descriptors for primary guards.
  1310. Resolves ticket 23670.
  1311. o Minor features (command line):
  1312. - Add a new commandline option, --key-expiration, which prints when
  1313. the current signing key is going to expire. Implements ticket
  1314. 17639; patch by Isis Lovecruft.
  1315. o Minor features (control port):
  1316. - If an application tries to use the control port as an HTTP proxy,
  1317. respond with a meaningful "This is the Tor control port" message,
  1318. and log the event. Closes ticket 1667. Patch from Ravi
  1319. Chandra Padmala.
  1320. - Provide better error message for GETINFO desc/(id|name) when not
  1321. fetching router descriptors. Closes ticket 5847. Patch by
  1322. Kevin Butler.
  1323. - Add GETINFO "{desc,md}/download-enabled", to inform the controller
  1324. whether Tor will try to download router descriptors and
  1325. microdescriptors respectively. Closes ticket 22684.
  1326. - Added new GETINFO targets "ip-to-country/{ipv4,ipv6}-available",
  1327. so controllers can tell whether the geoip databases are loaded.
  1328. Closes ticket 23237.
  1329. - Adds a timestamp field to the CIRC_BW and STREAM_BW bandwidth
  1330. events. Closes ticket 19254. Patch by "DonnchaC".
  1331. o Minor features (development support):
  1332. - Developers can now generate a call-graph for Tor using the
  1333. "calltool" python program, which post-processes object dumps. It
  1334. should work okay on many Linux and OSX platforms, and might work
  1335. elsewhere too. To run it, install calltool from
  1336. https://gitweb.torproject.org/user/nickm/calltool.git and run
  1337. "make callgraph". Closes ticket 19307.
  1338. o Minor features (directory authority):
  1339. - Make the "Exit" flag assignment only depend on whether the exit
  1340. policy allows connections to ports 80 and 443. Previously relays
  1341. would get the Exit flag if they allowed connections to one of
  1342. these ports and also port 6667. Resolves ticket 23637.
  1343. o Minor features (ed25519):
  1344. - Add a validation function to check for torsion components in
  1345. ed25519 public keys, used by prop224 client-side code. Closes
  1346. ticket 22006. Math help by Ian Goldberg.
  1347. o Minor features (exit relay, DNS):
  1348. - Improve the clarity and safety of the log message from evdns when
  1349. receiving an apparently spoofed DNS reply. Closes ticket 3056.
  1350. o Minor features (fallback directory mirrors):
  1351. - The fallback directory list has been re-generated based on the
  1352. current status of the network. Tor uses fallback directories to
  1353. bootstrap when it doesn't yet have up-to-date directory
  1354. information. Closes ticket 24801.
  1355. - Make the default DirAuthorityFallbackRate 0.1, so that clients
  1356. prefer to bootstrap from fallback directory mirrors. This is a
  1357. follow-up to 24679, which removed weights from the default
  1358. fallbacks. Implements ticket 24681.
  1359. o Minor features (geoip):
  1360. - Update geoip and geoip6 to the January 5 2018 Maxmind GeoLite2
  1361. Country database.
  1362. o Minor features (integration, hardening):
  1363. - Add a new NoExec option to prevent Tor from running other
  1364. programs. When this option is set to 1, Tor will never try to run
  1365. another program, regardless of the settings of
  1366. PortForwardingHelper, ClientTransportPlugin, or
  1367. ServerTransportPlugin. Once NoExec is set, it cannot be disabled
  1368. without restarting Tor. Closes ticket 22976.
  1369. o Minor features (linux seccomp2 sandbox):
  1370. - Update the sandbox rules so that they should now work correctly
  1371. with Glibc 2.26. Closes ticket 24315.
  1372. o Minor features (logging):
  1373. - Provide better warnings when the getrandom() syscall fails. Closes
  1374. ticket 24500.
  1375. - Downgrade a pair of log messages that could occur when an exit's
  1376. resolver gave us an unusual (but not forbidden) response. Closes
  1377. ticket 24097.
  1378. - Improve the message we log when re-enabling circuit build timeouts
  1379. after having received a consensus. Closes ticket 20963.
  1380. - Log more circuit information whenever we are about to try to
  1381. package a relay cell on a circuit with a nonexistent n_chan.
  1382. Attempt to diagnose ticket 8185.
  1383. - Improve info-level log identification of particular circuits, to
  1384. help with debugging. Closes ticket 23645.
  1385. - Improve the warning message for specifying a relay by nickname.
  1386. The previous message implied that nickname registration was still
  1387. part of the Tor network design, which it isn't. Closes
  1388. ticket 20488.
  1389. - If the sandbox filter fails to load, suggest to the user that
  1390. their kernel might not support seccomp2. Closes ticket 23090.
  1391. o Minor features (onion service, circuit, logging):
  1392. - Improve logging of many callsites in the circuit subsystem to print
  1393. the circuit identifier(s).
  1394. - Log when we clean up an intro point from a service so we know when
  1395. and for what reason it happened. Closes ticket 23604.
  1396. o Minor features (portability):
  1397. - Tor now compiles correctly on arm64 with libseccomp-dev installed.
  1398. (It doesn't yet work with the sandbox enabled.) Closes
  1399. ticket 24424.
  1400. - Check at configure time whether uint8_t is the same type as
  1401. unsigned char. Lots of existing code already makes this
  1402. assumption, and there could be strict aliasing issues if the
  1403. assumption is violated. Closes ticket 22410.
  1404. o Minor features (relay):
  1405. - When choosing which circuits can be expired as unused, consider
  1406. circuits from clients even if those clients used regular CREATE
  1407. cells to make them; and do not consider circuits from relays even
  1408. if they were made with CREATE_FAST. Part of ticket 22805.
  1409. - Reject attempts to use relative file paths when RunAsDaemon is
  1410. set. Previously, Tor would accept these, but the directory-
  1411. changing step of RunAsDaemon would give strange and/or confusing
  1412. results. Closes ticket 22731.
  1413. o Minor features (relay statistics):
  1414. - Change relay bandwidth reporting stats interval from 4 hours to 24
  1415. hours in order to reduce the efficiency of guard discovery
  1416. attacks. Fixes ticket 23856.
  1417. o Minor features (reverted deprecations):
  1418. - The ClientDNSRejectInternalAddresses flag can once again be set in
  1419. non-testing Tor networks, so long as they do not use the default
  1420. directory authorities. This change also removes the deprecation of
  1421. this flag from 0.2.9.2-alpha. Closes ticket 21031.
  1422. o Minor features (robustness):
  1423. - Change several fatal assertions when flushing buffers into non-
  1424. fatal assertions, to prevent any recurrence of 23690.
  1425. o Minor features (startup, safety):
  1426. - When configured to write a PID file, Tor now exits if it is unable
  1427. to do so. Previously, it would warn and continue. Closes
  1428. ticket 20119.
  1429. o Minor features (static analysis):
  1430. - The BUG() macro has been changed slightly so that Coverity no
  1431. longer complains about dead code if the bug is impossible. Closes
  1432. ticket 23054.
  1433. o Minor features (testing):
  1434. - Our fuzzing tests now test the encrypted portions of v3 onion
  1435. service descriptors. Implements more of 21509.
  1436. - Add a unit test to make sure that our own generated platform
  1437. string will be accepted by directory authorities. Closes
  1438. ticket 22109.
  1439. - The default chutney network tests now include tests for the v3
  1440. onion service design. Make sure you have the latest version of
  1441. chutney if you want to run these. Closes ticket 22437.
  1442. - Add a unit test to verify that we can parse a hardcoded v2 onion
  1443. service descriptor. Closes ticket 15554.
  1444. o Minor bugfixes (address selection):
  1445. - When the fascist_firewall_choose_address_ functions don't find a
  1446. reachable address, set the returned address to the null address
  1447. and port. This is a precautionary measure, because some callers do
  1448. not check the return value. Fixes bug 24736; bugfix
  1449. on 0.2.8.2-alpha.
  1450. o Minor bugfixes (bootstrapping):
  1451. - When warning about state file clock skew, report the correct
  1452. direction for the detected skew. Fixes bug 23606; bugfix
  1453. on 0.2.8.1-alpha.
  1454. o Minor bugfixes (bridge clients, bootstrap):
  1455. - Retry directory downloads when we get our first bridge descriptor
  1456. during bootstrap or while reconnecting to the network. Keep
  1457. retrying every time we get a bridge descriptor, until we have a
  1458. reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
  1459. - Stop delaying bridge descriptor fetches when we have cached bridge
  1460. descriptors. Instead, only delay bridge descriptor fetches when we
  1461. have at least one reachable bridge. Fixes part of bug 24367;
  1462. bugfix on 0.2.0.3-alpha.
  1463. - Stop delaying directory fetches when we have cached bridge
  1464. descriptors. Instead, only delay bridge descriptor fetches when
  1465. all our bridges are definitely unreachable. Fixes part of bug
  1466. 24367; bugfix on 0.2.0.3-alpha.
  1467. o Minor bugfixes (bridge):
  1468. - Overwrite the bridge address earlier in the process of retrieving
  1469. its descriptor, to make sure we reach it on the configured
  1470. address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.
  1471. o Minor bugfixes (build, compilation):
  1472. - Fix a compilation warning when building with zstd support on
  1473. 32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha. Found
  1474. and fixed by Andreas Stieger.
  1475. - When searching for OpenSSL, don't accept any OpenSSL library that
  1476. lacks TLSv1_1_method(): Tor doesn't build with those versions.
  1477. Additionally, look in /usr/local/opt/openssl, if it's present.
  1478. These changes together repair the default build on OSX systems
  1479. with Homebrew installed. Fixes bug 23602; bugfix on 0.2.7.2-alpha.
  1480. - Fix a signed/unsigned comparison warning introduced by our fix to
  1481. TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.
  1482. - Fix a memory leak warning in one of the libevent-related
  1483. configuration tests that could occur when manually specifying
  1484. -fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha.
  1485. Found and patched by Alex Xu.
  1486. - Fix unused-variable warnings in donna's Curve25519 SSE2 code.
  1487. Fixes bug 22895; bugfix on 0.2.7.2-alpha.
  1488. o Minor bugfixes (certificate handling):
  1489. - Fix a time handling bug in Tor certificates set to expire after
  1490. the year 2106. Fixes bug 23055; bugfix on 0.3.0.1-alpha. Found by
  1491. Coverity as CID 1415728.
  1492. o Minor bugfixes (client):
  1493. - By default, do not enable storage of client-side DNS values. These
  1494. values were unused by default previously, but they should not have
  1495. been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.
  1496. o Minor bugfixes (client, usability):
  1497. - Refrain from needlessly rejecting SOCKS5-with-hostnames and
  1498. SOCKS4a requests that contain IP address strings, even when
  1499. SafeSocks is enabled, as this prevents users from connecting to
  1500. known IP addresses without relying on DNS for resolving. SafeSocks
  1501. still rejects SOCKS connections that connect to IP addresses when
  1502. those addresses are _not_ encoded as hostnames. Fixes bug 22461;
  1503. bugfix on Tor 0.2.6.2-alpha.
  1504. o Minor bugfixes (code correctness):
  1505. - Call htons() in extend_cell_format() for encoding a 16-bit value.
  1506. Previously we used ntohs(), which happens to behave the same on
  1507. all the platforms we support, but which isn't really correct.
  1508. Fixes bug 23106; bugfix on 0.2.4.8-alpha.
  1509. - For defense-in-depth, make the controller's write_escaped_data()
  1510. function robust to extremely long inputs. Fixes bug 19281; bugfix
  1511. on 0.1.1.1-alpha. Reported by Guido Vranken.
  1512. - Fix several places in our codebase where a C compiler would be
  1513. likely to eliminate a check, based on assuming that undefined
  1514. behavior had not happened elsewhere in the code. These cases are
  1515. usually a sign of redundant checking or dubious arithmetic. Found
  1516. by Georg Koppen using the "STACK" tool from Wang, Zeldovich,
  1517. Kaashoek, and Solar-Lezama. Fixes bug 24423; bugfix on various
  1518. Tor versions.
  1519. o Minor bugfixes (compression):
  1520. - Handle a pathological case when decompressing Zstandard data when
  1521. the output buffer size is zero. Fixes bug 23551; bugfix
  1522. on 0.3.1.1-alpha.
  1523. o Minor bugfixes (consensus expiry):
  1524. - Check for adequate directory information correctly. Previously, Tor
  1525. would reconsider whether it had sufficient directory information
  1526. every 2 minutes. Fixes bug 23091; bugfix on 0.2.0.19-alpha.
  1527. o Minor bugfixes (control port, linux seccomp2 sandbox):
  1528. - Avoid a crash when attempting to use the seccomp2 sandbox together
  1529. with the OwningControllerProcess feature. Fixes bug 24198; bugfix
  1530. on 0.2.5.1-alpha.
  1531. o Minor bugfixes (control port, onion services):
  1532. - Report "FAILED" instead of "UPLOAD_FAILED" "FAILED" for the
  1533. HS_DESC event when a service is not able to upload a descriptor.
  1534. Fixes bug 24230; bugfix on 0.2.7.1-alpha.
  1535. o Minor bugfixes (directory cache):
  1536. - Recover better from empty or corrupt files in the consensus cache
  1537. directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
  1538. - When a consensus diff calculation is only partially successful,
  1539. only record the successful parts as having succeeded. Partial
  1540. success can happen if (for example) one compression method fails
  1541. but the others succeed. Previously we misrecorded all the
  1542. calculations as having succeeded, which would later cause a
  1543. nonfatal assertion failure. Fixes bug 24086; bugfix
  1544. on 0.3.1.1-alpha.
  1545. o Minor bugfixes (directory client):
  1546. - On failure to download directory information, delay retry attempts
  1547. by a random amount based on the "decorrelated jitter" algorithm.
  1548. Our previous delay algorithm tended to produce extra-long delays
  1549. too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
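The "decorrelated jitter" retry schedule named in the entry above, as an added example in its commonly published form (next = min(cap, uniform(base, 3 * previous))); this is not Tor's own code, and the function names, the xorshift generator and the 1-second base / 3600-second cap are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Small deterministic generator (xorshift32) so the schedule is
 * reproducible here; the state must be nonzero. Illustration only. */
typedef struct { uint32_t state; } rng_t;

static uint32_t rng_next(rng_t *r)
{
    uint32_t x = r->state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    r->state = x;
    return x;
}

/* Uniform-ish value in [lo, hi] inclusive; the span is computed in 64 bits
 * so that hi - lo + 1 cannot wrap to zero. */
static uint32_t rng_range(rng_t *r, uint32_t lo, uint32_t hi)
{
    uint64_t span = (uint64_t)hi - lo + 1;
    return lo + (uint32_t)(rng_next(r) % span);
}

/* Decorrelated jitter: the next delay is drawn between the base delay and
 * three times the previous delay, and never exceeds the cap. Each delay
 * depends on the previous random draw, not on the failure count, so one
 * unlucky draw cannot push every later delay upward without bound. */
uint32_t next_delay(rng_t *r, uint32_t prev, uint32_t base, uint32_t cap)
{
    if (base >= cap)
        return cap;
    uint64_t hi = (uint64_t)prev * 3;   /* 64-bit: prev * 3 may overflow */
    if (hi < base)
        hi = base;
    if (hi > cap)
        hi = cap;
    return rng_range(r, base, (uint32_t)hi);
}

/* Simulate n consecutive download failures and verify the two invariants:
 * base <= delay <= min(cap, 3 * previous). Returns the largest delay seen,
 * or 0 if an invariant was violated (call with base >= 1). */
uint32_t run_schedule(uint32_t seed, int n, uint32_t base, uint32_t cap)
{
    rng_t r = { seed ? seed : 1u };
    uint32_t prev = base, worst = 0;
    for (int i = 0; i < n; ++i) {
        uint32_t d = next_delay(&r, prev, base, cap);
        uint64_t limit = (uint64_t)prev * 3;
        if (limit > cap)
            limit = cap;
        if (d < base || d > limit)
            return 0;
        if (d > worst)
            worst = d;
        prev = d;
    }
    return worst;
}

int main(void)
{
    /* Constructed parameters: 1 s base delay, 3600 s cap, 1000 failures. */
    printf("largest delay over 1000 retries: %u s\n",
           run_schedule(2463534242u, 1000, 1, 3600));
    return 0;
}
```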
  1550. o Minor bugfixes (directory protocol):
  1551. - Directory servers now include a "Date:" HTTP header for response
  1552. codes other than 200. Clients starting with a skewed clock and a
  1553. recent consensus were getting "304 Not modified" responses from
  1554. directory authorities, so without the Date header, the client
  1555. would never hear about a wrong clock. Fixes bug 23499; bugfix
  1556. on 0.0.8rc1.
  1557. - Make clients wait for 6 seconds before trying to download a
  1558. consensus from an authority. Fixes bug 17750; bugfix
  1559. on 0.2.8.1-alpha.
  1560. o Minor bugfixes (documentation):
  1561. - Document better how to read gcov, and what our gcov postprocessing
  1562. scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.
  1563. - Fix manpage to not refer to the obsolete (and misspelled)
  1564. UseEntryGuardsAsDirectoryGuards parameter in the description of
  1565. NumDirectoryGuards. Fixes bug 23611; bugfix on 0.2.4.8-alpha.
  1566. o Minor bugfixes (DoS-resistance):
  1567. - If future code asks if there are any running bridges, without
  1568. checking if bridges are enabled, log a BUG warning rather than
  1569. crashing. Fixes bug 23524; bugfix on 0.3.0.1-alpha.
  1570. o Minor bugfixes (entry guards):
  1571. - Tor now updates its guard state when it reads a consensus
  1572. regardless of whether it's missing descriptors. That makes tor use
  1573. its primary guards to fetch descriptors in some edge cases where
  1574. it would previously have used fallback directories. Fixes bug
  1575. 23862; bugfix on 0.3.0.1-alpha.
  1576. o Minor bugfixes (format strictness):
  1577. - Restrict several data formats to decimal. Previously, the
  1578. BuildTimeHistogram entries in the state file, the "bw=" entries in
  1579. the bandwidth authority file, and the process IDs passed to the
  1580. __OwningControllerProcess option could all be specified in hex or
  1581. octal as well as in decimal. This was not an intentional feature.
  1582. Fixes bug 22802; bugfixes on 0.2.2.1-alpha, 0.2.2.2-alpha,
  1583. and 0.2.2.28-beta.
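Why the entry above matters for any parser of security-relevant numbers, as an added example (not Tor's own code): a radix-guessing conversion accepts hex and octal spellings of a value, while a strict decimal parser rejects them. The function names and the sample strings are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient form: base 0 makes strtol() auto-detect the radix, so a "0x"
 * prefix selects hex and a leading "0" selects octal.
 * Returns 0 and stores the value on success, -1 on error. */
int parse_lenient(const char *s, long *out)
{
    char *end = NULL;
    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    long v = strtol(s, &end, 0);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;
    *out = v;
    return 0;
}

/* Strict form: ASCII digits only, base 10, explicit range.
 * The digit scan matters: strtol() with base 10 still skips leading
 * whitespace and accepts a sign, so passing base 10 alone is not enough. */
int parse_decimal_strict(const char *s, long min, long max, long *out)
{
    char *end = NULL;
    if (s == NULL || *s == '\0')
        return -1;
    for (const char *p = s; *p != '\0'; ++p) {
        if (*p < '0' || *p > '9')
            return -1;
    }
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    if (v < min || v > max)
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from a real state file. */
    const char *samples[] = { "1234", "0x10", "010", " 42", "+7", "12abc" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); ++i) {
        long a = 0, b = 0;
        int ra = parse_lenient(samples[i], &a);
        int rb = parse_decimal_strict(samples[i], 0, INT_MAX, &b);
        printf("%-7s lenient: rc=%d value=%ld   strict: rc=%d value=%ld\n",
               samples[i], ra, a, rb, b);
    }
    return 0;
}
```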
  1584. o Minor bugfixes (heartbeat):
  1585. - If we fail to write a heartbeat message, schedule a retry for the
  1586. minimum heartbeat interval number of seconds in the future. Fixes
  1587. bug 19476; bugfix on 0.2.3.1-alpha.
  1588. o Minor bugfixes (logging):
  1589. - Suppress a log notice when relay descriptors arrive. We already
  1590. have a bootstrap progress for this, so there is no need to log a notice
  1591. every time Tor receives relay descriptors. Microdescriptors behave
  1592. the same. Fixes bug 23861; bugfix on 0.2.8.2-alpha.
  1593. - Remove duplicate log messages regarding opening non-local
  1594. SocksPorts upon parsing config and opening listeners at startup.
  1595. Fixes bug 4019; bugfix on 0.2.3.3-alpha.
  1596. - Use a more comprehensible log message when telling the user
  1597. they've excluded every running exit node. Fixes bug 7890; bugfix
  1598. on 0.2.2.25-alpha.
  1599. - When logging the number of descriptors we intend to download per
  1600. directory request, do not log a number higher than the number
  1601. of descriptors we're fetching in total. Fixes bug 19648; bugfix
  1602. on 0.1.1.8-alpha.
  1603. - When warning about a directory owned by the wrong user, log the
  1604. actual name of the user owning the directory. Previously, we'd log
  1605. the name of the process owner twice. Fixes bug 23487; bugfix
  1606. on 0.2.9.1-alpha.
  1607. - Fix some messages on unexpected errors from the seccomp2 library.
  1608. Fixes bug 22750; bugfix on 0.2.5.1-alpha. Patch from "cypherpunks".
  1609. - The tor specification says hop counts are 1-based, so fix two log
  1610. messages that mistakenly logged 0-based hop counts. Fixes bug
  1611. 18982; bugfix on 0.2.6.2-alpha and 0.2.4.5-alpha. Patch by teor.
  1612. Credit to Xiaofan Li for reporting this issue.
  1613. o Minor bugfixes (logging, relay shutdown, annoyance):
  1614. - When a circuit is marked for close, do not attempt to package any
  1615. cells for channels on that circuit. Previously, we would detect
  1616. this condition lower in the call stack, when we noticed that the
  1617. circuit had no attached channel, and log an annoying message.
  1618. Fixes bug 8185; bugfix on 0.2.5.4-alpha.
  1619. o Minor bugfixes (memory safety, defensive programming):
  1620. - Clear the target address when node_get_prim_orport() returns
  1621. early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.
  1622. o Minor bugfixes (memory usage):
  1623. - When queuing DESTROY cells on a channel, only queue the circuit-id
  1624. and reason fields: not the entire 514-byte cell. This fix should
  1625. help mitigate any bugs or attacks that fill up these queues, and
  1626. free more RAM for other uses. Fixes bug 24666; bugfix
  1627. on 0.2.5.1-alpha.
  1628. o Minor bugfixes (network layer):
  1629. - When closing a connection via close_connection_immediately(), we
  1630. mark it as "not blocked on bandwidth", to prevent later calls from
  1631. trying to unblock it, and give it permission to read. This fixes a
  1632. backtrace warning that can happen on relays under various
  1633. circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.
  1634. o Minor bugfixes (onion services):
  1635. - The introduction circuit was being timed out too quickly while
  1636. waiting for the rendezvous circuit to complete. Keep the intro
  1637. circuit around longer instead of timing out and reopening new ones
  1638. constantly. Fixes bug 23681; bugfix on 0.2.4.8-alpha.
  1639. - Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
  1640. so it matches dir-spec.txt. Fixes bug 24262; bugfix
  1641. on 0.3.1.1-alpha.
  1642. - When handling multiple SOCKS requests for the same .onion address,
  1643. only fetch the service descriptor once.
  1644. - Avoid a possible double close of a circuit by the intro point on
  1645. error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610;
  1646. bugfix on 0.3.0.1-alpha.
  1647. - When reloading configured onion services, copy all information
  1648. from the old service object. Previously, some data was omitted,
  1649. causing delays in descriptor upload, and other bugs. Fixes bug
  1650. 23790; bugfix on 0.2.1.9-alpha.
  1651. o Minor bugfixes (path selection):
  1652. - When selecting relays by bandwidth, avoid a rounding error that
  1653. could sometimes cause load to be imbalanced incorrectly.
  1654. Previously, we would always round upwards; now, we round towards
  1655. the nearest integer. This had the biggest effect when a relay's
  1656. weight adjustments should have given it weight 0, but it got
  1657. weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
  1658. - When calculating the fraction of nodes that have descriptors, and
  1659. all nodes in the network have zero bandwidths, count the number of
  1660. nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
  1661. - Actually log the total bandwidth in compute_weighted_bandwidths().
  1662. Fixes bug 24170; bugfix on 0.2.4.3-alpha.
  1663. o Minor bugfixes (portability):
  1664. - Stop using the PATH_MAX variable, which is not defined on GNU
  1665. Hurd. Fixes bug 23098; bugfix on 0.3.1.1-alpha.
  1666. - Fix a bug in the bit-counting parts of our timing-wheel code on
  1667. MSVC. (Note that MSVC is still not a supported build platform, due
  1668. to cryptographic timing channel risks.) Fixes bug 24633; bugfix
  1669. on 0.2.9.1-alpha.
  1670. o Minor bugfixes (relay):
  1671. - When uploading our descriptor for the first time after startup,
  1672. report the reason for uploading as "Tor just started" rather than
  1673. leaving it blank. Fixes bug 22885; bugfix on 0.2.3.4-alpha.
  1674. - Avoid unnecessary calls to directory_fetches_from_authorities() on
  1675. relays, to prevent spurious address resolutions and descriptor
  1676. rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
  1677. bugfix on 0.2.8.1-alpha.
  1678. - Avoid a crash when transitioning from client mode to bridge mode.
  1679. Previously, we would launch the worker threads whenever our
  1680. "public server" mode changed, but not when our "server" mode
  1681. changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
  1682. o Minor bugfixes (testing):
  1683. - Fix a spurious fuzzing-only use of an uninitialized value. Found
  1684. by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
  1685. - Test that IPv6-only clients can use microdescriptors when running
  1686. "make test-network-all". Requires chutney master 61c28b9 or later.
  1687. Closes ticket 24109.
  1688. - Prevent scripts/test/coverage from attempting to move gcov output
  1689. to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
  1690. - Capture and detect several "Result does not fit" warnings in unit
  1691. tests on platforms with 32-bit time_t. Fixes bug 21800; bugfix
  1692. on 0.2.9.3-alpha.
  1693. - Fix additional channelpadding unit test failures by using mocked
  1694. time instead of actual time for all tests. Fixes bug 23608; bugfix
  1695. on 0.3.1.1-alpha.
  1696. - Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(),
  1697. to correctly handle cases where a caller gives it an RSA key of
  1698. under 160 bits. (This is not actually a bug in Tor itself, but
  1699. rather in our fuzzing code.) Fixes bug 24247; bugfix on
  1700. 0.3.0.3-alpha. Found by OSS-Fuzz as issue 4177.
  1701. - Fix a broken unit test for the OutboundAddress option: the parsing
  1702. function was never returning an error on failure. Fixes bug 23366;
  1703. bugfix on 0.3.0.3-alpha.
  1704. - Fix a signed-integer overflow in the unit tests for
  1705. dir/download_status_random_backoff, which was untriggered until we
  1706. fixed bug 17750. Fixes bug 22924; bugfix on 0.2.9.1-alpha.
  1707. o Minor bugfixes (usability, control port):
  1708. - Stop making an unnecessary routerlist check in NETINFO clock skew
  1709. detection; this was preventing clients from reporting NETINFO clock
  1710. skew to controllers. Fixes bug 23532; bugfix on 0.2.4.4-alpha.

  o Code simplification and refactoring:
    - Remove various ways of testing circuits and connections for
      "clientness"; instead, favor channel_is_client(). Part of
      ticket 22805.
    - Extract the code for handling newly-open channels into a separate
      function from the general code to handle channel state
      transitions. This change simplifies our callgraph, reducing the
      size of the largest strongly connected component by roughly a
      factor of two. Closes ticket 22608.
    - Remove dead code for largely unused statistics on the number of
      times we've attempted various public key operations. Fixes bug
      19871; bugfix on 0.1.2.4-alpha. Fix by Isis Lovecruft.
    - Remove several now-obsolete functions for asking about old
      variants of directory authority status. Closes ticket 22311; patch
      from "huyvq".
    - Remove some of the code that once supported "Named" and "Unnamed"
      routers. Authorities no longer vote for these flags. Closes
      ticket 22215.
    - Rename the obsolete malleable hybrid_encrypt functions used in TAP
      and old hidden services, to indicate that they aren't suitable for
      new protocols or formats. Closes ticket 23026.
    - Replace our STRUCT_OFFSET() macro with offsetof(). Closes ticket
      22521. Patch from Neel Chauhan.
    - Split the enormous circuit_send_next_onion_skin() function into
      multiple subfunctions. Closes ticket 22804.
    - Split the portions of the buffer.c module that handle particular
      protocols into separate modules. Part of ticket 23149.
    - Use our test macros more consistently, to produce more useful
      error messages when our unit tests fail. Add coccinelle patches to
      allow us to re-check for test macro uses. Closes ticket 22497.

  o Deprecated features:
    - The ReachableDirAddresses and ClientPreferIPv6DirPort options are
      now deprecated; they do not apply to relays, and they have had no
      effect on clients since 0.2.8.x. Closes ticket 19704.
    - Deprecate HTTPProxy/HTTPProxyAuthenticator config options. They
      only apply to direct unencrypted HTTP connections to your
      directory server, which your Tor probably isn't using. Closes
      ticket 20575.

  o Documentation:
    - Add notes in man page regarding OS support for the various
      scheduler types. Attempt to use less jargon in the scheduler
      section. Closes ticket 24254.
    - Clarify that the Address option is entirely about setting an
      advertised IPv4 address. Closes ticket 18891.
    - Clarify the manpage's use of the term "address" to clarify what
      kind of address is intended. Closes ticket 21405.
    - Document that onion service subdomains are allowed, and ignored.
      Closes ticket 18736.
    - Clarify in the manual that "Sandbox 1" is only supported on Linux
      kernels. Closes ticket 22677.
    - Document all values of PublishServerDescriptor in the manpage.
      Closes ticket 15645.
    - Improve the documentation for the directory port part of the
      DirAuthority line. Closes ticket 20152.
    - Restore documentation for the authorities' "approved-routers"
      file. Closes ticket 21148.

  o Removed features:
    - The AllowDotExit option has been removed as unsafe. It has been
      deprecated since 0.2.9.2-alpha. Closes ticket 23426.
    - The ClientDNSRejectInternalAddresses flag can no longer be set on
      non-testing networks. It has been deprecated since 0.2.9.2-alpha.
      Closes ticket 21031.
    - The controller API no longer includes an AUTHDIR_NEWDESCS event:
      nobody was using it any longer. Closes ticket 22377.

Changes in version 0.3.1.9 - 2017-12-01:
  Tor 0.3.1.9 backports important security and stability fixes from the
  0.3.2 development series. All Tor users should upgrade to this
  release, or to another of the releases coming out today.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.
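
The difference between the two replay checks in the INTRODUCE1 item above, as an added C example that is not Tor's code. Assumptions: the cell body is a 128-byte RSA-encrypted segment followed by a tail with no integrity protection; FNV-1a stands in for a real digest; all function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 1024-bit service key, so the RSA-encrypted segment that
 * opens the cell body is 128 bytes long. */
#define RSA_PART_LEN 128
#define CACHE_SLOTS 64

typedef struct {
  uint64_t seen[CACHE_SLOTS];
  size_t used;
} replay_cache_t;

/* FNV-1a, a stand-in for a cryptographic digest so the example has no
 * dependencies. A real replay cache needs a collision-resistant hash. */
static uint64_t digest64(const uint8_t *p, size_t n)
{
  uint64_t h = 0xcbf29ce484222325ULL;
  for (size_t i = 0; i < n; i++) {
    h ^= p[i];
    h *= 0x100000001b3ULL;
  }
  return h;
}

/* 1 = key seen before (replay), 0 = new and now recorded,
 * -1 = cache full; the caller should drop the cell (fail closed). */
static int cache_check_and_add(replay_cache_t *c, uint64_t key)
{
  for (size_t i = 0; i < c->used; i++)
    if (c->seen[i] == key)
      return 1;
  if (c->used == CACHE_SLOTS)
    return -1;
  c->seen[c->used++] = key;
  return 0;
}

/* Check as it was before the fix: the key covers the entire cell body,
 * so any change to the unauthenticated tail yields a different key. */
int check_whole_cell(replay_cache_t *c, const uint8_t *body, size_t len)
{
  if (len < RSA_PART_LEN)
    return -1; /* too short to hold the RSA segment: reject */
  return cache_check_and_add(c, digest64(body, len));
}

/* Check as described by the fix: the key covers only the RSA-encrypted
 * segment, which stays identical across altered copies of one cell. */
int check_rsa_part(replay_cache_t *c, const uint8_t *body, size_t len)
{
  if (len < RSA_PART_LEN)
    return -1;
  return cache_check_and_add(c, digest64(body, RSA_PART_LEN));
}

/* Fill a buffer with constructed sample bytes (not a real cell). */
void make_sample_body(uint8_t *out, size_t len)
{
  for (size_t i = 0; i < len; i++)
    out[i] = (uint8_t)(i * 7 + 3);
}

/* Record one body, then present a copy whose tail differs by one bit.
 * Returns the verdict for the copy under the chosen check. */
int altered_copy_verdict(int use_rsa_part_check)
{
  uint8_t body[RSA_PART_LEN + 58], copy[sizeof(body)];
  replay_cache_t cache;
  memset(&cache, 0, sizeof(cache));
  make_sample_body(body, sizeof(body));
  memcpy(copy, body, sizeof(body));
  copy[sizeof(copy) - 1] ^= 0x01; /* change outside the RSA segment */
  if (use_rsa_part_check) {
    check_rsa_part(&cache, body, sizeof(body));
    return check_rsa_part(&cache, copy, sizeof(copy));
  }
  check_whole_cell(&cache, body, sizeof(body));
  return check_whole_cell(&cache, copy, sizeof(copy));
}

int main(void)
{
  printf("whole-cell key, altered copy flagged: %d\n", altered_copy_verdict(0));
  printf("RSA-part key,   altered copy flagged: %d\n", altered_copy_verdict(1));
  return 0;
}
```

The whole-cell key treats the altered copy as a new cell, while the RSA-part key reports it as a replay.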

  o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.
    - When running as a relay, make sure that we never choose ourselves
      as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
      issue is also tracked as TROVE-2017-012 and CVE-2017-8822.

  o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
    - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
      making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
      0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
      identifying and finding a workaround to this bug and to Moritz,
      Arthur Edelstein, and Roger for helping to track it down and
      analyze it.

  o Minor features (bridge):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (directory authority, backport from 0.3.2.6-alpha):
    - Add an IPv6 address for the "bastet" directory authority. Closes
      ticket 24394.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
    - Avoid unnecessary calls to directory_fetches_from_authorities() on
      relays, to prevent spurious address resolutions and descriptor
      rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
    - Fix unused variable warnings in donna's Curve25519 SSE2 code.
      Fixes bug 22895; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
    - When a circuit is marked for close, do not attempt to package any
      cells for channels on that circuit. Previously, we would detect
      this condition lower in the call stack, when we noticed that the
      circuit had no attached channel, and log an annoying message.
      Fixes bug 8185; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (onion service, backport from 0.3.2.5-alpha):
    - Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
      so it matches dir-spec.txt. Fixes bug 24262; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
    - Avoid a crash when transitioning from client mode to bridge mode.
      Previously, we would launch the worker threads whenever our
      "public server" mode changed, but not when our "server" mode
      changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.

Changes in version 0.3.0.13 - 2017-12-01
  Tor 0.3.0.13 backports important security and stability bugfixes from
  later Tor releases. All Tor users should upgrade to this release, or
  to another of the releases coming out today.

  Note: the Tor 0.3.0 series will no longer be supported after 26 Jan
  2018. If you need a release with long-term support, please stick with
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.

  o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.
    - When running as a relay, make sure that we never choose ourselves
      as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
      issue is also tracked as TROVE-2017-012 and CVE-2017-8822.

  o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
    - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
      making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
      0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
      identifying and finding a workaround to this bug and to Moritz,
      Arthur Edelstein, and Roger for helping to track it down and
      analyze it.

  o Minor features (security, windows, backport from 0.3.1.1-alpha):
    - Enable a couple of pieces of Windows hardening: one
      (HeapEnableTerminationOnCorruption) that has been on-by-default
      since Windows 8, and unavailable before Windows 7; and one
      (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
      affect us, but shouldn't do any harm. Closes ticket 21953.

  o Minor features (bridge, backport from 0.3.1.9):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (directory authority, backport from 0.3.2.6-alpha):
    - Add an IPv6 address for the "bastet" directory authority. Closes
      ticket 24394.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
    - Avoid unnecessary calls to directory_fetches_from_authorities() on
      relays, to prevent spurious address resolutions and descriptor
      rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
    - Fix unused variable warnings in donna's Curve25519 SSE2 code.
      Fixes bug 22895; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
    - When a circuit is marked for close, do not attempt to package any
      cells for channels on that circuit. Previously, we would detect
      this condition lower in the call stack, when we noticed that the
      circuit had no attached channel, and log an annoying message.
      Fixes bug 8185; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
    - Avoid a crash when transitioning from client mode to bridge mode.
      Previously, we would launch the worker threads whenever our
      "public server" mode changed, but not when our "server" mode
      changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (testing, backport from 0.3.1.6-rc):
    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
      bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.

Changes in version 0.2.9.14 - 2017-12-01
  Tor 0.3.0.13 backports important security and stability bugfixes from
  later Tor releases. All Tor users should upgrade to this release, or
  to another of the releases coming out today.

  o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
    - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
      making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
      0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
      identifying and finding a workaround to this bug and to Moritz,
      Arthur Edelstein, and Roger for helping to track it down and
      analyze it.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.

  o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.

  o Minor features (bridge, backport from 0.3.1.9):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (directory authority, backport from 0.3.2.6-alpha):
    - Add an IPv6 address for the "bastet" directory authority. Closes
      ticket 24394.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

  o Minor features (security, windows, backport from 0.3.1.1-alpha):
    - Enable a couple of pieces of Windows hardening: one
      (HeapEnableTerminationOnCorruption) that has been on-by-default
      since Windows 8, and unavailable before Windows 7; and one
      (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
      affect us, but shouldn't do any harm. Closes ticket 21953.

  o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
    - Avoid unnecessary calls to directory_fetches_from_authorities() on
      relays, to prevent spurious address resolutions and descriptor
      rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
    - Fix unused variable warnings in donna's Curve25519 SSE2 code.
      Fixes bug 22895; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
    - When a circuit is marked for close, do not attempt to package any
      cells for channels on that circuit. Previously, we would detect
      this condition lower in the call stack, when we noticed that the
      circuit had no attached channel, and log an annoying message.
      Fixes bug 8185; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
    - Avoid a crash when transitioning from client mode to bridge mode.
      Previously, we would launch the worker threads whenever our
      "public server" mode changed, but not when our "server" mode
      changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (testing, backport from 0.3.1.6-rc):
    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
      bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.

Changes in version 0.2.8.17 - 2017-12-01
  Tor 0.2.8.17 backports important security and stability bugfixes from
  later Tor releases. All Tor users should upgrade to this release, or
  to another of the releases coming out today.

  Note: the Tor 0.2.8 series will no longer be supported after 1 Jan
  2018. If you need a release with long-term support, please upgrade to
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.

  o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path through
      ourselves, even in the case where we have somehow lost the version of
      our descriptor appearing in the consensus. Fixes part of bug 21534;
      bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
      and CVE-2017-8822.

  o Minor features (bridge, backport from 0.3.1.9):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (directory authority, backport from 0.3.2.6-alpha):
    - Add an IPv6 address for the "bastet" directory authority. Closes
      ticket 24394.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (testing, backport from 0.3.1.6-rc):
    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
      bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.

Changes in version 0.2.5.16 - 2017-12-01
  Tor 0.2.5.13 backports important security and stability bugfixes from
  later Tor releases. All Tor users should upgrade to this release, or
  to another of the releases coming out today.

  Note: the Tor 0.2.5 series will no longer be supported after 1 May
  2018. If you need a release with long-term support, please upgrade to
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.

  o Minor features (bridge, backport from 0.3.1.9):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

Changes in version 0.2.5.15 - 2017-10-25
  Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
  series. It also adds a new directory authority, Bastet.

  Note: the Tor 0.2.5 series will no longer be supported after 1 May
  2018. If you need a release with long-term support, please upgrade to
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list.
      Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address.
      Closes ticket 23592.

  o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    - Avoid an assertion failure bug affecting our implementation of
      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
      handling of "0xx" differs from what we had expected. Fixes bug
      22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha):
    - Fix a memset() off the end of an array when packing cells. This
      bug should be harmless in practice, since the corrupted bytes are
      still in the same structure, and are always padding bytes,
      ignored, or immediately overwritten, depending on compiler
      behavior. Nevertheless, because the memset()'s purpose is to make
      sure that any other cell-handling bugs can't expose bytes to the
      network, we need to fix it. Fixes bug 22737; bugfix on
      0.2.4.11-alpha. Fixes CID 1401591.

  o Build features (backport from 0.3.1.5-alpha):
    - Tor's repository now includes a Travis Continuous Integration (CI)
      configuration file (.travis.yml). This is meant to help new
      developers and contributors who fork Tor to a GitHub repository be
      better able to test their changes, and understand what we expect
      to pass. To use this new build feature, you must fork Tor to your
      GitHub account, then go into the "Integrations" menu in the
      repository settings for your fork and enable Travis, then push
      your changes. Closes ticket 22636.

Changes in version 0.2.8.16 - 2017-10-25
  Tor 0.2.8.16 backports a collection of bugfixes from later Tor release
  series, including a bugfix for a crash issue that had affected relays
  under memory pressure. It also adds a new directory authority, Bastet.

  Note: the Tor 0.2.8 series will no longer be supported after 1 Jan
  2018. If you need a release with long-term support, please stick with
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list.
      Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address.
      Closes ticket 23592.

  o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
    - Fix a timing-based assertion failure that could occur when the
      circuit out-of-memory handler freed a connection's output buffer.
      Fixes bug 23690; bugfix on 0.2.6.1-alpha.

  o Minor features (directory authorities, backport from 0.3.2.2-alpha):
    - Remove longclaw's IPv6 address, as it will soon change. Authority
      IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
      3/8 directory authorities with IPv6 addresses, but there are also
      52 fallback directory mirrors with IPv6 addresses. Resolves 19760.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
      Country database.

Changes in version 0.2.9.13 - 2017-10-25
  Tor 0.2.9.13 backports a collection of bugfixes from later Tor release
  series, including a bugfix for a crash issue that had affected relays
  under memory pressure. It also adds a new directory authority, Bastet.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list.
      Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address.
      Closes ticket 23592.

  o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
    - Fix a timing-based assertion failure that could occur when the
      circuit out-of-memory handler freed a connection's output buffer.
      Fixes bug 23690; bugfix on 0.2.6.1-alpha.

  o Minor features (directory authorities, backport from 0.3.2.2-alpha):
    - Remove longclaw's IPv6 address, as it will soon change. Authority
      IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
      3/8 directory authorities with IPv6 addresses, but there are also
      52 fallback directory mirrors with IPv6 addresses. Resolves 19760.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (directory authority, backport from 0.3.1.5-alpha):
    - When a directory authority rejects a descriptor or extrainfo with
      a given digest, mark that digest as undownloadable, so that we do
      not attempt to download it again over and over. We previously
      tried to avoid downloading such descriptors by other means, but we
      didn't notice if we accidentally downloaded one anyway. This
      behavior became problematic in 0.2.7.2-alpha, when authorities
      began pinning Ed25519 keys. Fixes bug 22349; bugfix
      on 0.2.1.19-alpha.

  o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
    - Clear the address when node_get_prim_orport() returns early.
      Fixes bug 23874; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (Windows service, backport from 0.3.1.6-rc):
    - When running as a Windows service, set the ID of the main thread
      correctly. Failure to do so made us fail to send log messages to
      the controller in 0.2.1.16-rc, slowed down controller event
      delivery in 0.2.7.3-rc and later, and crash with an assertion
      failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha.
      Patch and diagnosis from "Vort".


Changes in version 0.3.0.12 - 2017-10-25
  Tor 0.3.0.12 backports a collection of bugfixes from later Tor release
  series, including a bugfix for a crash issue that had affected relays
  under memory pressure. It also adds a new directory authority, Bastet.

  Note: the Tor 0.3.0 series will no longer be supported after 26 Jan
  2018. If you need a release with long-term support, please stick with
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list.
      Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address.
      Closes ticket 23592.

  o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
    - Fix a timing-based assertion failure that could occur when the
      circuit out-of-memory handler freed a connection's output buffer.
      Fixes bug 23690; bugfix on 0.2.6.1-alpha.

  o Minor features (directory authorities, backport from 0.3.2.2-alpha):
    - Remove longclaw's IPv6 address, as it will soon change. Authority
      IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
      3/8 directory authorities with IPv6 addresses, but there are also
      52 fallback directory mirrors with IPv6 addresses. Resolves 19760.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 MaxMind GeoLite2
      Country database.

  o Minor bugfixes (directory authority, backport from 0.3.1.5-alpha):
    - When a directory authority rejects a descriptor or extrainfo with
      a given digest, mark that digest as undownloadable, so that we do
      not attempt to download it again over and over. We previously
      tried to avoid downloading such descriptors by other means, but we
      didn't notice if we accidentally downloaded one anyway. This
      behavior became problematic in 0.2.7.2-alpha, when authorities
      began pinning Ed25519 keys. Fixes bug 22349; bugfix
      on 0.2.1.19-alpha.

  o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha):
    - Avoid a possible double close of a circuit by the intro point on
      error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610;
      bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
    - Clear the address when node_get_prim_orport() returns early.
      Fixes bug 23874; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (Windows service, backport from 0.3.1.6-rc):
    - When running as a Windows service, set the ID of the main thread
      correctly. Failure to do so made us fail to send log messages to
      the controller in 0.2.1.16-rc, slowed down controller event
      delivery in 0.2.7.3-rc and later, and crash with an assertion
      failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha.
      Patch and diagnosis from "Vort".


Changes in version 0.3.1.8 - 2017-10-25
  Tor 0.3.1.8 is the second stable release in the 0.3.1 series.
  It includes several bugfixes, including a bugfix for a crash issue
  that had affected relays under memory pressure. It also adds
  a new directory authority, Bastet.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list.
      Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address.
      Closes ticket 23592.

  o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
    - Fix a timing-based assertion failure that could occur when the
      circuit out-of-memory handler freed a connection's output buffer.
      Fixes bug 23690; bugfix on 0.2.6.1-alpha.

  o Minor features (directory authorities, backport from 0.3.2.2-alpha):
    - Remove longclaw's IPv6 address, as it will soon change. Authority
      IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
      3/8 directory authorities with IPv6 addresses, but there are also
      52 fallback directory mirrors with IPv6 addresses. Resolves 19760.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 MaxMind GeoLite2
      Country database.

  o Minor bugfixes (compilation, backport from 0.3.2.2-alpha):
    - Fix a compilation warning when building with zstd support on
      32-bit platforms. Fixes bug 23568; bugfix on 0.3.1.1-alpha. Found
      and fixed by Andreas Stieger.

  o Minor bugfixes (compression, backport from 0.3.2.2-alpha):
    - Handle a pathological case when decompressing Zstandard data when
      the output buffer size is zero. Fixes bug 23551; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (directory authority, backport from 0.3.2.1-alpha):
    - Remove the length limit on HTTP status lines that authorities can
      send in their replies. Fixes bug 23499; bugfix on 0.3.1.6-rc.

  o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha):
    - Avoid a possible double close of a circuit by the intro point on
      error of sending the INTRO_ESTABLISHED cell. Fixes bug 23610;
      bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
    - Clear the address when node_get_prim_orport() returns early.
      Fixes bug 23874; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (unit tests, backport from 0.3.2.2-alpha):
    - Fix additional channelpadding unit test failures by using mocked
      time instead of actual time for all tests. Fixes bug 23608; bugfix
      on 0.3.1.1-alpha.


Changes in version 0.2.8.15 - 2017-09-18
  Tor 0.2.8.15 backports a collection of bugfixes from later
  Tor series.

  Most significantly, it includes a fix for TROVE-2017-008, a
  security bug that affects hidden services running with the
  SafeLogging option disabled. For more information, see
  https://trac.torproject.org/projects/tor/ticket/23490

  Note that Tor 0.2.8.x will no longer be supported after 1 Jan
  2018. We suggest that you upgrade to the latest stable release if
  possible. If you can't, we recommend that you upgrade at least to
  0.2.9, which will be supported until 2020.

  o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    - Avoid an assertion failure bug affecting our implementation of
      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
      handling of "0xx" differs from what we had expected. Fixes bug
      22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Minor features:
    - Update geoip and geoip6 to the September 6 2017 MaxMind GeoLite2
      Country database.

  o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
    - Backport a fix for an "unused variable" warning that appeared
      in some versions of mingw. Fixes bug 22838; bugfix on
      0.2.8.1-alpha.

  o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha):
    - Fix a memset() off the end of an array when packing cells. This
      bug should be harmless in practice, since the corrupted bytes are
      still in the same structure, and are always padding bytes,
      ignored, or immediately overwritten, depending on compiler
      behavior. Nevertheless, because the memset()'s purpose is to make
      sure that any other cell-handling bugs can't expose bytes to the
      network, we need to fix it. Fixes bug 22737; bugfix on
      0.2.4.11-alpha. Fixes CID 1401591.

  o Build features (backport from 0.3.1.5-alpha):
    - Tor's repository now includes a Travis Continuous Integration (CI)
      configuration file (.travis.yml). This is meant to help new
      developers and contributors who fork Tor to a GitHub repository be
      better able to test their changes, and understand what we expect
      to pass. To use this new build feature, you must fork Tor to your
      GitHub account, then go into the "Integrations" menu in the
      repository settings for your fork and enable Travis, then push
      your changes. Closes ticket 22636.


Changes in version 0.2.9.12 - 2017-09-18
  Tor 0.2.9.12 backports a collection of bugfixes from later
  Tor series.

  Most significantly, it includes a fix for TROVE-2017-008, a
  security bug that affects hidden services running with the
  SafeLogging option disabled. For more information, see
  https://trac.torproject.org/projects/tor/ticket/23490

  o Major features (security, backport from 0.3.0.2-alpha):
    - Change the algorithm used to decide DNS TTLs on client and server
      side, to better resist DNS-based correlation attacks like the
      DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
      Feamster. Now relays only return one of two possible DNS TTL
      values, and clients are willing to believe DNS TTL values up to 3
      hours long. Closes ticket 19769.

  o Major bugfixes (crash, directory connections, backport from 0.3.0.5-rc):
    - Fix a rare crash when sending a begin cell on a circuit whose
      linked directory connection had already been closed. Fixes bug
      21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.

  o Major bugfixes (DNS, backport from 0.3.0.2-alpha):
    - Fix a bug that prevented exit nodes from caching DNS records for
      more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.

  o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
    - Fix a typo that had prevented TPROXY-based transparent proxying
      from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
      Patch from "d4fq0fQAgoJ".

  o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    - Avoid an assertion failure bug affecting our implementation of
      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
      handling of "0xx" differs from what we had expected. Fixes bug
      22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Minor features (code style, backport from 0.3.1.3-alpha):
    - Add "Falls through" comments to our codebase, in order to silence
      GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
      Stieger. Closes ticket 22446.

  o Minor features (geoip):
    - Update geoip and geoip6 to the September 6 2017 MaxMind GeoLite2
      Country database.

  o Minor bugfixes (bandwidth accounting, backport from 0.3.1.1-alpha):
    - Roll over monthly accounting at the configured hour and minute,
      rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
      Found by Andrey Karpov with PVS-Studio.

  o Minor bugfixes (compilation, backport from 0.3.1.5-alpha):
    - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
      bugfix on 0.2.8.1-alpha.
    - Fix warnings when building with libscrypt and openssl scrypt support
      on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
    - When building with certain versions of the mingw C header files, avoid
      float-conversion warnings when calling the C functions isfinite(),
      isnan(), and signbit(). Fixes bug 22801; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.1.7):
    - Avoid compiler warnings in the unit tests for running tor_sscanf()
      with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.

  o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
    - Backport a fix for an "unused variable" warning that appeared
      in some versions of mingw. Fixes bug 22838; bugfix on
      0.2.8.1-alpha.

  o Minor bugfixes (controller, backport from 0.3.1.7):
    - Do not crash when receiving a HSPOST command with an empty body.
      Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
    - Do not crash when receiving a POSTDESCRIPTOR command with an
      empty body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.

  o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
    - Avoid Coverity build warnings related to our BUG() macro. By
      default, Coverity treats BUG() as the Linux kernel does: an
      instant abort(). We need to override that so our BUG() macro
      doesn't prevent Coverity from analyzing functions that use it.
      Fixes bug 23030; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha):
    - Fix a memset() off the end of an array when packing cells. This
      bug should be harmless in practice, since the corrupted bytes are
      still in the same structure, and are always padding bytes,
      ignored, or immediately overwritten, depending on compiler
      behavior. Nevertheless, because the memset()'s purpose is to make
      sure that any other cell-handling bugs can't expose bytes to the
      network, we need to fix it. Fixes bug 22737; bugfix on
      0.2.4.11-alpha. Fixes CID 1401591.

  o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
    - When setting the maximum number of connections allowed by the OS,
      always allow some extra file descriptors for other files. Fixes
      bug 22797; bugfix on 0.2.0.10-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
    - Avoid a sandbox failure when trying to re-bind to a socket and
      mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
    - Permit the fchmod system call, to avoid crashing on startup when
      starting with the seccomp2 sandbox and an unexpected set of
      permissions on the data directory or its contents. Fixes bug
      22516; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (relay, backport from 0.3.0.5-rc):
    - Avoid a double-marked-circuit warning that could happen when we
      receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
      on 0.1.0.1-rc.

  o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
    - Reject version numbers with non-numeric prefixes (such as +, -, or
      whitespace). Disallowing whitespace prevents differential version
      parsing between POSIX-based and Windows platforms. Fixes bug 21507
      and part of 21508; bugfix on 0.0.8pre1.
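
The strictness described in the voting-consistency entry above, as an added C example (not Tor's own code): strtol() skips leading whitespace and accepts a sign, so a parser that hands each component straight to it accepts several spellings of one version, while a strict parser requires every component to start with an ASCII digit. parse_version() and same_version() are hypothetical names, the sample strings are constructed, and only the dotted numeric part of a version is handled.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_PARTS 4

/* Parse "A.B.C[.D]" into parts[]. Returns the number of components, or -1
 * if the string is rejected. With strict == 0 each component goes straight
 * to strtol(), which skips leading whitespace and accepts '+' or '-'. With
 * strict != 0 every component must begin with an ASCII digit.
 * Status tags such as "-alpha" are outside this example and are rejected.
 * (Hypothetical helper, not a Tor function.) */
int parse_version(const char *s, int strict, long parts[MAX_PARTS])
{
    const char *cp = s;
    int n = 0;

    while (n < MAX_PARTS) {
        char *end;
        long v;

        if (strict && !(*cp >= '0' && *cp <= '9'))
            return -1;
        errno = 0;
        v = strtol(cp, &end, 10);
        if (end == cp || errno == ERANGE || v < 0 || v > INT_MAX)
            return -1;
        parts[n++] = v;
        if (*end == '\0')
            return n;
        if (*end != '.')
            return -1;
        cp = end + 1;
    }
    return -1; /* more than MAX_PARTS components */
}

/* 1: both strings parse to the same version; 0: both parse but differ;
 * -1: at least one string is rejected. (Hypothetical helper.) */
int same_version(const char *a, const char *b, int strict)
{
    long pa[MAX_PARTS], pb[MAX_PARTS];
    int na = parse_version(a, strict, pa);
    int nb = parse_version(b, strict, pb);
    int i;

    if (na < 0 || nb < 0)
        return -1;
    if (na != nb)
        return 0;
    for (i = 0; i < na; i++)
        if (pa[i] != pb[i])
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed spellings that a lenient parser treats as 0.3.1.7. */
    const char *samples[] = { "0.3.1.7", " 0.3.1.7", "0.+3.1.7", "0.3.\t1.7" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %u: lenient=%d strict=%d\n", (unsigned)i,
               same_version("0.3.1.7", samples[i], 0),
               same_version("0.3.1.7", samples[i], 1));
    return 0;
}
```

With the lenient parser every sample compares equal to "0.3.1.7"; with the strict parser only the first sample is accepted.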

  o Build features (backport from 0.3.1.5-alpha):
    - Tor's repository now includes a Travis Continuous Integration (CI)
      configuration file (.travis.yml). This is meant to help new
      developers and contributors who fork Tor to a GitHub repository be
      better able to test their changes, and understand what we expect
      to pass. To use this new build feature, you must fork Tor to your
      GitHub account, then go into the "Integrations" menu in the
      repository settings for your fork and enable Travis, then push
      your changes. Closes ticket 22636.


Changes in version 0.3.0.11 - 2017-09-18
  Tor 0.3.0.11 backports a collection of bugfixes from the Tor 0.3.1
  series.

  Most significantly, it includes a fix for TROVE-2017-008, a
  security bug that affects hidden services running with the
  SafeLogging option disabled. For more information, see
  https://trac.torproject.org/projects/tor/ticket/23490

  o Minor features (code style, backport from 0.3.1.7):
    - Add "Falls through" comments to our codebase, in order to silence
      GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
      Stieger. Closes ticket 22446.

  o Minor features:
    - Update geoip and geoip6 to the September 6 2017 MaxMind GeoLite2
      Country database.

  o Minor bugfixes (compilation, backport from 0.3.1.7):
    - Avoid compiler warnings in the unit tests for calling tor_sscanf()
      with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.

  o Minor bugfixes (controller, backport from 0.3.1.7):
    - Do not crash when receiving a HSPOST command with an empty body.
      Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
    - Do not crash when receiving a POSTDESCRIPTOR command with an empty
      body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.

  o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
    - When setting the maximum number of connections allowed by the OS,
      always allow some extra file descriptors for other files. Fixes
      bug 22797; bugfix on 0.2.0.10-alpha.

  o Minor bugfixes (logging, relay, backport from 0.3.1.6-rc):
    - Remove a forgotten debugging message when an introduction point
      successfully establishes a hidden service prop224 circuit with
      a client.
    - Change three other log_warn() for an introduction point to
      protocol warnings, because they can be failures from the network
      and are not relevant to the operator. Fixes bug 23078; bugfix on
      0.3.0.1-alpha and 0.3.0.2-alpha.


Changes in version 0.3.1.7 - 2017-09-18
  Tor 0.3.1.7 is the first stable release in the 0.3.1 series.

  With the 0.3.1 series, Tor now serves and downloads directory
  information in more compact formats, to save on bandwidth overhead. It
  also contains a new padding system to resist netflow-based traffic
  analysis, and experimental support for building parts of Tor in Rust
  (though no parts of Tor are in Rust yet). There are also numerous
  small features, bugfixes on earlier release series, and groundwork for
  the hidden services revamp of 0.3.2.

  This release also includes a fix for TROVE-2017-008, a security bug
  that affects hidden services running with the SafeLogging option
  disabled. For more information, see
  https://trac.torproject.org/projects/tor/ticket/23490

  Per our stable release policy, we plan to support each stable release
  series for at least the next nine months, or for three months after
  the first stable release of the next series: whichever is longer. If
  you need a release with long-term support, we recommend that you stay
  with the 0.2.9 series.

  Below is a list of the changes since 0.3.0. For a list of all
  changes since 0.3.1.6-rc, see the ChangeLog file.

  o New dependencies:
    - To build with zstd and lzma support, Tor now requires the
      pkg-config tool at build time.

  o Major bugfixes (security, hidden services, logging):
    - Fix a bug where we could log uninitialized stack when a certain
      hidden service error occurred while SafeLogging was disabled.
      Fixes bug #23490; bugfix on 0.2.7.2-alpha.
      This is also tracked as TROVE-2017-008 and CVE-2017-0380.

  o Major features (build system, continuous integration):
    - Tor's repository now includes a Travis Continuous Integration (CI)
      configuration file (.travis.yml). This is meant to help new
      developers and contributors who fork Tor to a GitHub repository be
      better able to test their changes, and understand what we expect
      to pass. To use this new build feature, you must fork Tor to your
      GitHub account, then go into the "Integrations" menu in the
      repository settings for your fork and enable Travis, then push
      your changes. Closes ticket 22636.

  o Major features (directory protocol):
    - Tor relays and authorities can now serve clients an abbreviated
      version of the consensus document, containing only the changes
      since an older consensus document that the client holds. Clients
      now request these documents when available. When both client and
      server use this new protocol, they will use far less bandwidth (up
      to 94% less) to keep the client's consensus up-to-date. Implements
      proposal 140; closes ticket 13339. Based on work by Daniel Martí.
    - Tor can now compress directory traffic with lzma or with zstd
      compression algorithms, which can deliver better bandwidth
      performance. Because lzma is computationally expensive, it's only
      used for documents that can be compressed once and served many
      times. Support for these algorithms requires that tor is built
      with the libzstd and/or liblzma libraries available. Implements
      proposal 278; closes ticket 21662.
    - Relays now perform the more expensive compression operations, and
      consensus diff generation, in worker threads. This separation
      avoids delaying the main thread when a new consensus arrives.

  o Major features (experimental):
    - Tor can now build modules written in Rust. To turn this on, pass
      the "--enable-rust" flag to the configure script. It's not time to
      get excited yet: currently, there is no actual Rust functionality
      beyond some simple glue code, and a notice at startup to tell you
      that Rust is running. Still, we hope that programmers and
      packagers will try building Tor with Rust support, so that we can
      find issues and solve portability problems. Closes ticket 22106.

  o Major features (traffic analysis resistance):
    - Connections between clients and relays now send a padding cell in
      each direction every 1.5 to 9.5 seconds (tunable via consensus
      parameters). This padding will not resist specialized
      eavesdroppers, but it should be enough to make many ISPs' routine
      network flow logging less useful in traffic analysis against
      Tor users.

      Padding is negotiated using Tor's link protocol, so both relays
      and clients must upgrade for this to take effect. Clients may
      still send padding despite the relay's version by setting
      ConnectionPadding 1 in torrc, and may disable padding by setting
      ConnectionPadding 0 in torrc. Padding may be minimized for mobile
      users with the torrc option ReducedConnectionPadding. Implements
      Proposal 251 and Section 2 of Proposal 254; closes ticket 16861.
    - Relays will publish 24 hour totals of padding and non-padding cell
      counts to their extra-info descriptors, unless PaddingStatistics 0
      is set in torrc. These 24 hour totals are also rounded to
      multiples of 10000.

  o Major bugfixes (hidden service, relay, security):
    - Fix a remotely triggerable assertion failure when a hidden service
      handles a malformed BEGIN cell. Fixes bug 22493, tracked as
      TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Major bugfixes (path selection, security):
    - When choosing which guard to use for a circuit, avoid the exit's
      family along with the exit itself. Previously, the new guard
      selection logic avoided the exit, but did not consider its family.
      Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as
      TROVE-2017-006 and CVE-2017-0377.

  o Major bugfixes (connection usage):
    - We use NETINFO cells to try to determine if both relays involved
      in a connection will agree on the canonical status of that
      connection. We prefer the connections where this is the case for
      extend cells, and try to close connections where relays disagree
      on their canonical status early. Also, we now prefer the oldest
      valid connection for extend cells. These two changes should reduce
      the number of long-term connections that are kept open between
      relays. Fixes bug 17604; bugfix on 0.2.5.5-alpha.
    - Relays now log hourly statistics (look for
      "channel_check_for_duplicates" lines) on the total number of
      connections to other relays. If the number of connections per
      relay is unexpectedly large, this log message is at notice level.
      Otherwise it is at info.

  o Major bugfixes (entry guards):
    - When starting with an old consensus, do not add new entry guards
      unless the consensus is "reasonably live" (under 1 day old). Fixes
      one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
    - Don't block bootstrapping when a primary bridge is offline and we
      can't get its descriptor. Fixes bug 22325; fixes one case of bug
      21969; bugfix on 0.3.0.3-alpha.

  o Major bugfixes (linux TPROXY support):
    - Fix a typo that had prevented TPROXY-based transparent proxying
      from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
      Patch from "d4fq0fQAgoJ".

  o Major bugfixes (openbsd, denial-of-service):
    - Avoid an assertion failure bug affecting our implementation of
      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
      handling of "0xx" differs from what we had expected. Fixes bug
      22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Major bugfixes (relay, link handshake):
    - When performing the v3 link handshake on a TLS connection, report
      that we have the x509 certificate that we actually used on that
      connection, even if we have changed certificates since that
      connection was first opened. Previously, we would claim to have
      used our most recent x509 link certificate, which would sometimes
      make the link handshake fail. Fixes one case of bug 22460; bugfix
      on 0.2.3.6-alpha.

  o Major bugfixes (relays, key management):
    - Regenerate link and authentication certificates whenever the key
      that signs them changes; also, regenerate link certificates
      whenever the signed key changes. Previously, these processes were
      only weakly coupled, and relays could (for minutes to hours)
      wind up with an inconsistent set of keys and certificates, which
      other relays would not accept. Fixes two cases of bug 22460;
      bugfix on 0.3.0.1-alpha.
    - When sending an Ed25519 signing->link certificate in a CERTS cell,
      send the certificate that matches the x509 certificate that we
      used on the TLS connection. Previously, there was a race condition
      if the TLS context rotated after we began the TLS handshake but
      before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
      on 0.3.0.1-alpha.

  o Minor features (security, windows):
    - Enable a couple of pieces of Windows hardening: one
      (HeapEnableTerminationOnCorruption) that has been on-by-default
      since Windows 8, and unavailable before Windows 7; and one
      (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
      affect us, but shouldn't do any harm. Closes ticket 21953.

  o Minor features (bridge authority):
    - Add "fingerprint" lines to the networkstatus-bridges file produced
      by bridge authorities. Closes ticket 22207.

  o Minor features (code style):
    - Add "Falls through" comments to our codebase, in order to silence
      GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
      Stieger. Closes ticket 22446.

  o Minor features (config options):
    - Allow "%include" directives in torrc configuration files. These
      directives import the settings from other files, or from all the
      files in a directory. Closes ticket 1922. Code by Daniel Pinto.
    - Make SAVECONF return an error when overwriting a torrc that has
      includes. Using SAVECONF with the FORCE option will allow it to
      overwrite torrc even if includes are used. Related to ticket 1922.
    - Add "GETINFO config-can-saveconf" to tell controllers if SAVECONF
      will work without the FORCE option. Related to ticket 1922.

  o Minor features (controller):
    - Warn the first time that a controller requests data in the
      long-deprecated 'GETINFO network-status' format. Closes ticket 21703.

  o Minor features (defaults):
    - The default value for UseCreateFast is now 0: clients which
      haven't yet received a consensus document will now use a proper
      ntor handshake to talk to their directory servers whenever they
      can. Closes ticket 21407.
    - Onion key rotation and expiry intervals are now defined as a
      network consensus parameter, per proposal 274. The default
      lifetime of an onion key is increased from 7 to 28 days. Old onion
      keys will expire after 7 days by default. This change will make
      consensus diffs much smaller, and save significant bandwidth.
      Closes ticket 21641.

  o Minor features (defensive programming):
    - Create a pair of consensus parameters, nf_pad_tor2web and
      nf_pad_single_onion, to disable netflow padding in the consensus
      for non-anonymous connections in case the overhead is high. Closes
      ticket 17857.

  o Minor features (diagnostic):
    - Add a stack trace to the bug warnings that can be logged when
      trying to send an outgoing relay cell with n_chan == 0. Diagnostic
      attempt for bug 23105.
    - Add logging messages to try to diagnose a rare bug that seems to
      generate RSA->Ed25519 cross-certificates dated in the 1970s. We
      think this is happening because of incorrect system clocks, but
      we'd like to know for certain. Diagnostic for bug 22466.
    - Avoid an assertion failure, and log a better error message, when
      unable to remove a file from the consensus cache on Windows.
      Attempts to mitigate and diagnose bug 22752.

  o Minor features (directory authority):
    - Improve the message that authorities report to relays that present
      RSA/Ed25519 keypairs that conflict with previously pinned keys.
      Closes ticket 22348.

  o Minor features (directory cache, consensus diff):
    - Add a new MaxConsensusAgeForDiffs option to allow directory cache
      operators with low-resource environments to adjust the number of
      consensuses they'll store and generate diffs from. Most cache
      operators should leave it unchanged. Helps to work around
      bug 22883.

  o Minor features (fallback directory list):
    - Update the fallback directory mirror whitelist and blacklist based
      on operator emails. Closes task 21121.
    - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
      December 2016 (of which ~126 were still functional) with a list of
      151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
      2017. Resolves ticket 21564.

  o Minor features (geoip):
    - Update geoip and geoip6 to the September 6 2017 MaxMind GeoLite2
      Country database.

  o Minor features (hidden services, logging):
    - Log a message when a hidden service descriptor has fewer
      introduction points than specified in
      HiddenServiceNumIntroductionPoints. Closes ticket 21598.
    - Log a message when a hidden service reaches its introduction point
      circuit limit, and when that limit is reset. Follow up to ticket
      21594; closes ticket 21622.
    - Warn user if multiple entries in EntryNodes and at least one
      HiddenService are used together. Pinning EntryNodes along with a
      hidden service can possibly be harmful; for instance see ticket
      14917 or 21155. Closes ticket 21155.

  o Minor features (linux seccomp2 sandbox):
    - We now have a document storage backend compatible with the Linux
      seccomp2 sandbox. This backend is used for consensus documents and
      diffs between them; in the long term, we'd like to use it for
      unparseable directory material too. Closes ticket 21645.
    - Increase the maximum allowed size passed to mprotect(PROT_WRITE)
      from 1MB to 16MB. This was necessary with the glibc allocator in
      order to allow worker threads to allocate more memory -- which in
      turn is necessary because of our new use of worker threads for
      compression. Closes ticket 22096.

  o Minor features (logging):
    - Log files are no longer created world-readable by default.
      (Previously, most distributors would store the logs in a
      non-world-readable location to prevent inappropriate access. This
      change is an extra precaution.) Closes ticket 21729; patch
      from toralf.

  o Minor features (performance):
    - Our Keccak (SHA-3) implementation now accesses memory more
      efficiently, especially on little-endian systems. Closes
      ticket 21737.
    - Add an O(1) implementation of channel_find_by_global_id(), to
      speed some controller functions.

  o Minor features (relay, configuration):
    - The MyFamily option may now be repeated as many times as desired,
      for relays that want to configure large families. Closes ticket
      4998; patch by Daniel Pinto.

  o Minor features (relay, performance):
    - Always start relays with at least two worker threads, to prevent
      priority inversion on slow tasks. Part of the fix for bug 22883.
    - Allow background work to be queued with different priorities, so
      that a big pile of slow low-priority jobs will not starve out
      higher priority jobs. This lays the groundwork for a fix for
      bug 22883.

  o Minor features (safety):
  2749. - Add an explicit check to extrainfo_parse_entry_from_string() for
  2750. NULL inputs. We don't believe this can actually happen, but it may
  2751. help silence a warning from the Clang analyzer. Closes
  2752. ticket 21496.
  2753. o Minor features (testing):
  2754. - Add more tests for compression backend initialization. Closes
  2755. ticket 22286.
  2756. - Add a "--disable-memory-sentinels" feature to help with fuzzing.
  2757. When Tor is compiled with this option, we disable a number of
  2758. redundant memory-safety failsafes that are intended to stop bugs
  2759. from becoming security issues. This makes it easier to hunt for
  2760. bugs that would be security issues without the failsafes turned
  2761. on. Closes ticket 21439.
  2762. - Add a general event-tracing instrumentation support to Tor. This
  2763. subsystem will enable developers and researchers to add fine-
  2764. grained instrumentation to their Tor instances, for use when
  2765. examining Tor network performance issues. There are no trace
  2766. events yet, and event-tracing is off by default unless enabled at
  2767. compile time. Implements ticket 13802.
  2768. - Improve our version parsing tests: add tests for typical version
  2769. components, add tests for invalid versions, including numeric
  2770. range and non-numeric prefixes. Unit tests 21278, 21450, and
  2771. 21507. Partially implements 21470.
  o Minor bugfixes (bandwidth accounting):
    - Roll over monthly accounting at the configured hour and minute,
      rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
      Found by Andrey Karpov with PVS-Studio.

  o Minor bugfixes (code correctness):
    - Accurately identify client connections by their lack of peer
      authentication. This means that we bail out earlier if asked to
      extend to a client. Follow-up to 21407. Fixes bug 21406; bugfix
      on 0.2.4.23.

  o Minor bugfixes (compilation warnings):
    - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug
      22915; bugfix on 0.2.8.1-alpha.
    - Fix warnings when building with libscrypt and openssl scrypt
      support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
    - When building with certain versions of the mingw C header files,
      avoid float-conversion warnings when calling the C functions
      isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix
      on 0.2.8.1-alpha.

  o Minor bugfixes (compilation):
    - Avoid compiler warnings in the unit tests for calling tor_sscanf()
      with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.

  o Minor bugfixes (compression):
    - When spooling compressed data to an output buffer, don't try to
      spool more data when there is no more data to spool and we are not
      trying to flush the input. Previously, we would sometimes launch
      compression requests with nothing to do, which interferes with our
      22672 checks. Fixes bug 22719; bugfix on 0.2.0.16-alpha.

  o Minor bugfixes (configuration):
    - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes
      bug 22252; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (connection lifespan):
    - Allow more control over how long TLS connections are kept open:
      unify CircuitIdleTimeout and PredictedPortsRelevanceTime into a
      single option called CircuitsAvailableTimeout. Also, allow the
      consensus to control the default values for both this preference
      and the lifespan of relay-to-relay connections. Fixes bug 17592;
      bugfix on 0.2.5.5-alpha.
    - Increase the initial circuit build timeout testing frequency, to
      help ensure that ReducedConnectionPadding clients finish learning
      a timeout before their orconn would expire. The initial testing
      rate was set back in the days of TAP and before the Tor Browser
      updater, when we had to be much more careful about new clients
      making lots of circuits. With this change, a circuit build timeout
      is learned in about 15-20 minutes, instead of 100-120 minutes.

  o Minor bugfixes (controller):
    - Do not crash when receiving a HSPOST command with an empty body.
      Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
    - Do not crash when receiving a POSTDESCRIPTOR command with an empty
      body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
    - GETINFO onions/current and onions/detached no longer respond with
      551 on empty lists. Fixes bug 21329; bugfix on 0.2.7.1-alpha.
    - Trigger HS descriptor events on the control port when the client
      fails to pick a hidden service directory for a hidden service.
      This can happen if all the hidden service directories are in
      ExcludeNodes, or they have all been queried within the last 15
      minutes. Fixes bug 22042; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (correctness):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

  o Minor bugfixes (coverity build support):
    - Avoid Coverity build warnings related to our BUG() macro. By
      default, Coverity treats BUG() as the Linux kernel does: an
      instant abort(). We need to override that so our BUG() macro
      doesn't prevent Coverity from analyzing functions that use it.
      Fixes bug 23030; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (defensive programming):
    - Detect and break out of infinite loops in our compression code. We
      don't think that any such loops exist now, but it's best to be
      safe. Closes ticket 22672.
    - Fix a memset() off the end of an array when packing cells. This
      bug should be harmless in practice, since the corrupted bytes are
      still in the same structure, and are always padding bytes,
      ignored, or immediately overwritten, depending on compiler
      behavior. Nevertheless, because the memset()'s purpose is to make
      sure that any other cell-handling bugs can't expose bytes to the
      network, we need to fix it. Fixes bug 22737; bugfix on
      0.2.4.11-alpha. Fixes CID 1401591.

  o Minor bugfixes (directory authority):
    - When a directory authority rejects a descriptor or extrainfo with
      a given digest, mark that digest as undownloadable, so that we do
      not attempt to download it again over and over. We previously
      tried to avoid downloading such descriptors by other means, but we
      didn't notice if we accidentally downloaded one anyway. This
      behavior became problematic in 0.2.7.2-alpha, when authorities
      began pinning Ed25519 keys. Fixes bug 22349; bugfix
      on 0.2.1.19-alpha.
    - When rejecting a router descriptor for running an obsolete version
      of Tor without ntor support, warn about the obsolete tor version,
      not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.
    - Prevent the shared randomness subsystem from asserting when
      initialized by a bridge authority with an incomplete configuration
      file. Fixes bug 21586; bugfix on 0.2.9.8.

  o Minor bugfixes (error reporting, windows):
    - When formatting Windows error messages, use the English format to
      avoid codepage issues. Fixes bug 22520; bugfix on 0.1.2.8-alpha.
      Patch from "Vort".

  o Minor bugfixes (exit-side DNS):
    - Fix an untriggerable assertion that checked the output of a
      libevent DNS error, so that the assertion actually behaves as
      expected. Fixes bug 22244; bugfix on 0.2.0.20-rc. Found by Andrey
      Karpov using PVS-Studio.

  o Minor bugfixes (fallback directories):
    - Make the usage example in updateFallbackDirs.py actually work, and
      explain what it does. Fixes bug 22270; bugfix on 0.3.0.3-alpha.
    - Decrease the guard flag average required to be a fallback. This
      allows us to keep relays that have their guard flag removed when
      they restart. Fixes bug 20913; bugfix on 0.2.8.1-alpha.
    - Decrease the minimum number of fallbacks to 100. Fixes bug 20913;
      bugfix on 0.2.8.1-alpha.
    - Make sure fallback directory mirrors have the same address, port,
      and relay identity key for at least 30 days before they are
      selected. Fixes bug 20913; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (file limits, osx):
    - When setting the maximum number of connections allowed by the OS,
      always allow some extra file descriptors for other files. Fixes
      bug 22797; bugfix on 0.2.0.10-alpha.

  o Minor bugfixes (hidden services):
    - Increase the number of circuits that a service is allowed to
      open over a specific period of time. The value was lower than it
      should be (8 vs 12) in the normal case of 3 introduction points.
      Fixes bug 22159; bugfix on 0.3.0.5-rc.
    - Fix a BUG warning during HSv3 descriptor decoding that could be
      caused by a specially crafted descriptor. Fixes bug 23233; bugfix
      on 0.3.0.1-alpha. Bug found by "haxxpop".
    - Stop printing a cryptic warning when a hidden service gets a
      request to connect to a virtual port that it hasn't configured.
      Fixes bug 16706; bugfix on 0.2.6.3-alpha.
    - Simplify hidden service descriptor creation by using an existing
      flag to check if an introduction point is established. Fixes bug
      21599; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (link handshake):
    - Lower the lifetime of the RSA->Ed25519 cross-certificate to six
      months, and regenerate it when it is within one month of expiring.
      Previously, we had generated this certificate at startup with a
      ten-year lifetime, but that could lead to weird behavior when Tor
      was started with a grossly inaccurate clock. Mitigates bug 22466;
      mitigation on 0.3.0.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Avoid a sandbox failure when trying to re-bind to a socket and
      mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
    - Permit the fchmod system call, to avoid crashing on startup when
      starting with the seccomp2 sandbox and an unexpected set of
      permissions on the data directory or its contents. Fixes bug
      22516; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (logging):
    - When decompressing, do not warn if we fail to decompress using a
      compression method that we merely guessed. Fixes part of bug
      22670; bugfix on 0.1.1.14-alpha.
    - When decompressing, treat mismatch between content-encoding and
      actual compression type as a protocol warning. Fixes part of bug
      22670; bugfix on 0.1.1.9-alpha.
    - Downgrade "assigned_to_cpuworker failed" message to info-level
      severity. In every case that can reach it, either a better warning
      has already been logged, or no warning is warranted. Fixes bug
      22356; bugfix on 0.2.6.3-alpha.
    - Log a better message when a directory authority replies to an
      upload with an unexpected status code. Fixes bug 11121; bugfix
      on 0.1.0.1-rc.
    - Downgrade a log statement about unexpected relay cells from "bug"
      to "protocol warning", because there is at least one use case
      where it can be triggered by a buggy tor implementation. Fixes bug
      21293; bugfix on 0.1.1.14-alpha.

  o Minor bugfixes (logging, relay):
    - Remove a forgotten debugging message when an introduction point
      successfully establishes a hidden service prop224 circuit with
      a client.
    - Change three other log_warn() for an introduction point to
      protocol warnings, because they can be failures from the network
      and are not relevant to the operator. Fixes bug 23078; bugfix on
      0.3.0.1-alpha and 0.3.0.2-alpha.

  o Minor bugfixes (relay):
    - Inform the geoip and rephist modules about all requests, even on
      relays that are only fetching microdescriptors. Fixes a bug
      related to 21585; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (memory leaks):
    - Fix a small memory leak at exit from the backtrace handler code.
      Fixes bug 21788; bugfix on 0.2.5.2-alpha. Patch from Daniel Pinto.
    - When directory authorities reject a router descriptor due to
      keypinning, free the router descriptor rather than leaking the
      memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
    - Fix a small memory leak when validating a configuration that uses
      two or more AF_UNIX sockets for the same port type. Fixes bug
      23053; bugfix on 0.2.6.3-alpha. This is CID 1415725.

  o Minor bugfixes (process behavior):
    - When exiting because of an error, always exit with a nonzero exit
      status. Previously, we would fail to report an error in our exit
      status in cases related to __OwningControllerProcess failure,
      lockfile contention, and Ed25519 key initialization. Fixes bug
      22720; bugfix on versions 0.2.1.6-alpha, 0.2.2.28-beta, and
      0.2.7.2-alpha respectively. Reported by "f55jwk4f"; patch
      from "huyvq".

  o Minor bugfixes (robustness, error handling):
    - Improve our handling of the cases where OpenSSL encounters a
      memory error while encoding keys and certificates. We haven't
      observed these errors in the wild, but if they do happen, we now
      detect and respond better. Fixes bug 19418; bugfix on all versions
      of Tor. Reported by Guido Vranken.

  o Minor bugfixes (testing):
    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
      bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.
    - Use unbuffered I/O for utility functions around the
      process_handle_t type. This fixes unit test failures reported on
      OpenBSD and FreeBSD. Fixes bug 21654; bugfix on 0.2.3.1-alpha.
    - Make display of captured unit test log messages consistent. Fixes
      bug 21510; bugfix on 0.2.9.3-alpha.
    - Make test-network.sh always call chutney's test-network.sh.
      Previously, this only worked on systems which had bash installed,
      due to some bash-specific code in the script. Fixes bug 19699;
      bugfix on 0.3.0.4-rc. Follow-up to ticket 21581.
    - Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
      Fixes bug 22803; bugfix on 0.3.0.1-alpha.
    - The unit tests now pass on systems where localhost is misconfigured
      to some IPv4 address other than 127.0.0.1. Fixes bug 6298; bugfix
      on 0.0.9pre2.

  o Minor bugfixes (voting consistency):
    - Reject version numbers with non-numeric prefixes (such as +, -, or
      whitespace). Disallowing whitespace prevents differential version
      parsing between POSIX-based and Windows platforms. Fixes bug 21507
      and part of 21508; bugfix on 0.0.8pre1.

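Added example (not part of the Tor release notes and not Tor's source code): the voting-consistency entry above concerns numeric parsing that tolerates prefixes. C's strtol() skips leading whitespace and accepts an optional sign, so a version parser built directly on it treats several different strings as the same version; requiring each component to start with a digit closes that gap. The names parse_component and parse_version, the simplified "A.B.C.D[-status]" grammar, and the sample strings are assumptions made for this sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse one numeric component at *sp with strtol() and advance *sp.
 * If strict is nonzero, the component must begin with a decimal digit,
 * so the whitespace and sign that strtol() would otherwise consume are
 * rejected. Returns 0 on success, -1 on failure. (Hypothetical helper.) */
static int parse_component(const char **sp, int strict, int *out)
{
    const char *s = *sp;
    char *end;
    long v;

    if (strict && !isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || errno == ERANGE || v < 0 || v > INT_MAX)
        return -1;
    *out = (int)v;
    *sp = end;
    return 0;
}

/* Parse "A.B.C.D" with an optional non-empty "-status" suffix
 * (simplified grammar assumed for this example).
 * Returns 0 on success, -1 on failure. */
int parse_version(const char *s, int strict, int out[4])
{
    int i;

    for (i = 0; i < 4; i++) {
        if (parse_component(&s, strict, &out[i]) < 0)
            return -1;
        if (i < 3) {
            if (*s != '.')
                return -1;
            s++;
        }
    }
    if (*s == '\0')
        return 0;
    return (*s == '-' && s[1] != '\0') ? 0 : -1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real consensus. */
    static const char *const samples[] = {
        "0.3.1.7", "0.3.1.5-alpha", " 0.3.1.7", "+0.3.1.7",
        "0. 3.1.7", "0.3.-0.7", "0..1.7", "0.3.1",
    };
    size_t i;
    int v[4];

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int lenient = parse_version(samples[i], 0, v);
        int strict = parse_version(samples[i], 1, v);
        printf("%-16s lenient=%-6s strict=%s\n", samples[i],
               lenient == 0 ? "accept" : "reject",
               strict == 0 ? "accept" : "reject");
    }
    return 0;
}
```

Every string the strict mode rejects but the lenient mode accepts is one that two implementations could disagree about.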
  o Minor bugfixes (Windows service):
    - When running as a Windows service, set the ID of the main thread
      correctly. Failure to do so made us fail to send log messages to
      the controller in 0.2.1.16-rc, slowed down controller event
      delivery in 0.2.7.3-rc and later, and crash with an assertion
      failure in 0.3.1.1-alpha. Fixes bug 23081; bugfix on 0.2.1.6-alpha.
      Patch and diagnosis from "Vort".

  o Minor bugfixes (windows, relay):
    - Resolve "Failure from drain_fd: No error" warnings on Windows
      relays. Fixes bug 21540; bugfix on 0.2.6.3-alpha.

  o Code simplification and refactoring:
    - Break up the 630-line function connection_dir_client_reached_eof()
      into a dozen smaller functions. This change should help
      maintainability and readability of the client directory code.
    - Isolate our use of the openssl headers so that they are only
      included from our crypto wrapper modules, and from tests that
      examine those modules' internals. Closes ticket 21841.
    - Simplify our API to launch directory requests, making it more
      extensible and less error-prone. Now it's easier to add extra
      headers to directory requests. Closes ticket 21646.
    - Our base64 decoding functions no longer overestimate the output
      space that they need when parsing unpadded inputs. Closes
      ticket 17868.
    - Remove unused "ROUTER_ADDED_NOTIFY_GENERATOR" internal value.
      Resolves ticket 22213.
    - The logic that directory caches use to spool requests to clients,
      serving them one part at a time so as not to allocate too much
      memory, has been refactored for consistency. Previously there was
      a separate spooling implementation per type of spoolable data. Now
      there is one common spooling implementation, with extensible data
      types. Closes ticket 21651.
    - Tor's compression module now supports multiple backends. Part of
      the implementation for proposal 278; closes ticket 21663.

  o Documentation:
    - Add a manpage description for the key-pinning-journal file. Closes
      ticket 22347.
    - Correctly note that bandwidth accounting values are stored in the
      state file, and the bw_accounting file is now obsolete. Closes
      ticket 16082.
    - Document more of the files in the Tor data directory, including
      cached-extrainfo, secret_onion_key{,_ntor}.old, hidserv-stats,
      approved-routers, sr-random, and diff-cache. Found while fixing
      ticket 22347.
    - Clarify the manpage for the (deprecated) torify script. Closes
      ticket 6892.
    - Clarify the behavior of the KeepAliveIsolateSOCKSAuth sub-option.
      Closes ticket 21873.
    - Correct documentation about the default DataDirectory value.
      Closes ticket 21151.
    - Document the default behavior of NumEntryGuards and
      NumDirectoryGuards correctly. Fixes bug 21715; bugfix
      on 0.3.0.1-alpha.
    - Document key=value pluggable transport arguments for Bridge lines
      in torrc. Fixes bug 20341; bugfix on 0.2.5.1-alpha.
    - Note that bandwidth-limiting options don't affect TCP headers or
      DNS. Closes ticket 17170.

  o Removed features (configuration options, all in ticket 22060):
    - These configuration options are now marked Obsolete, and no longer
      have any effect: AllowInvalidNodes, AllowSingleHopCircuits,
      AllowSingleHopExits, ExcludeSingleHopRelays, FastFirstHopPK,
      TLSECGroup, WarnUnsafeSocks. They were first marked as deprecated
      in 0.2.9.2-alpha and have now been removed. The previous default
      behavior is now always chosen; the previous (less secure) non-
      default behavior is now unavailable.
    - CloseHSClientCircuitsImmediatelyOnTimeout and
      CloseHSServiceRendCircuitsImmediatelyOnTimeout were deprecated in
      0.2.9.2-alpha and now have been removed. HS circuits never close
      on circuit build timeout; they have a longer timeout period.
    - {Control,DNS,Dir,Socks,Trans,NATD,OR}ListenAddress were deprecated
      in 0.2.9.2-alpha and now have been removed. Use the ORPort option
      (and others) to configure listen-only and advertise-only addresses.

  o Removed features (tools):
    - We've removed the tor-checkkey tool from src/tools. Long ago, we
      used it to help people detect RSA keys that were generated by
      versions of Debian affected by CVE-2008-0166. But those keys have
      been out of circulation for ages, and this tool is no longer
      required. Closes ticket 21842.

Changes in version 0.3.0.10 - 2017-08-02
  Tor 0.3.0.10 backports a collection of small-to-medium bugfixes
  from the current Tor alpha series. OpenBSD users and TPROXY users
  should upgrade; others are probably okay sticking with 0.3.0.9.

  o Major features (build system, continuous integration, backport from 0.3.1.5-alpha):
    - Tor's repository now includes a Travis Continuous Integration (CI)
      configuration file (.travis.yml). This is meant to help new
      developers and contributors who fork Tor to a Github repository be
      better able to test their changes, and understand what we expect
      to pass. To use this new build feature, you must fork Tor to your
      Github account, then go into the "Integrations" menu in the
      repository settings for your fork and enable Travis, then push
      your changes. Closes ticket 22636.

  o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
    - Fix a typo that had prevented TPROXY-based transparent proxying
      from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
      Patch from "d4fq0fQAgoJ".

  o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    - Avoid an assertion failure bug affecting our implementation of
      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
      handling of "0xbar" differs from what we had expected. Fixes bug
      22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Minor features (backport from 0.3.1.5-alpha):
    - Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (bandwidth accounting, backport from 0.3.1.2-alpha):
    - Roll over monthly accounting at the configured hour and minute,
      rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
      Found by Andrey Karpov with PVS-Studio.

  o Minor bugfixes (compilation warnings, backport from 0.3.1.5-alpha):
    - Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
      bugfix on 0.2.8.1-alpha.
    - Fix warnings when building with libscrypt and openssl scrypt
      support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
    - When building with certain versions of the mingw C header files,
      avoid float-conversion warnings when calling the C functions
      isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix
      on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
    - Backport a fix for an "unused variable" warning that appeared
      in some versions of mingw. Fixes bug 22838; bugfix on
      0.2.8.1-alpha.

  o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
    - Avoid Coverity build warnings related to our BUG() macro. By
      default, Coverity treats BUG() as the Linux kernel does: an
      instant abort(). We need to override that so our BUG() macro
      doesn't prevent Coverity from analyzing functions that use it.
      Fixes bug 23030; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (directory authority, backport from 0.3.1.1-alpha):
    - When rejecting a router descriptor for running an obsolete version
      of Tor without ntor support, warn about the obsolete tor version,
      not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
    - Avoid a sandbox failure when trying to re-bind to a socket and
      mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (unit tests, backport from 0.3.1.5-alpha):
    - Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
      Fixes bug 22803; bugfix on 0.3.0.1-alpha.

Changes in version 0.3.0.9 - 2017-06-29
  Tor 0.3.0.9 fixes a path selection bug that would allow a client
  to use a guard that was in the same network family as a chosen exit
  relay. This is a security regression; all clients running earlier
  versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
  0.3.1.4-alpha.

  This release also backports several other bugfixes from the 0.3.1.x
  series.

  o Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):
    - When choosing which guard to use for a circuit, avoid the exit's
      family along with the exit itself. Previously, the new guard
      selection logic avoided the exit, but did not consider its family.
      Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as
      TROVE-2017-006 and CVE-2017-0377.

  o Major bugfixes (entry guards, backport from 0.3.1.1-alpha):
    - Don't block bootstrapping when a primary bridge is offline and we
      can't get its descriptor. Fixes bug 22325; fixes one case of bug
      21969; bugfix on 0.3.0.3-alpha.

  o Major bugfixes (entry guards, backport from 0.3.1.4-alpha):
    - When starting with an old consensus, do not add new entry guards
      unless the consensus is "reasonably live" (under 1 day old). Fixes
      one root cause of bug 22400; bugfix on 0.3.0.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
    - Reject version numbers with non-numeric prefixes (such as +, -, or
      whitespace). Disallowing whitespace prevents differential version
      parsing between POSIX-based and Windows platforms. Fixes bug 21507
      and part of 21508; bugfix on 0.0.8pre1.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
    - Permit the fchmod system call, to avoid crashing on startup when
      starting with the seccomp2 sandbox and an unexpected set of
      permissions on the data directory or its contents. Fixes bug
      22516; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha):
    - Fix a memset() off the end of an array when packing cells. This
      bug should be harmless in practice, since the corrupted bytes are
      still in the same structure, and are always padding bytes,
      ignored, or immediately overwritten, depending on compiler
      behavior. Nevertheless, because the memset()'s purpose is to make
      sure that any other cell-handling bugs can't expose bytes to the
      network, we need to fix it. Fixes bug 22737; bugfix on
      0.2.4.11-alpha. Fixes CID 1401591.

Changes in version 0.3.0.8 - 2017-06-08
  Tor 0.3.0.8 fixes a pair of bugs that would allow an attacker to
  remotely crash a hidden service with an assertion failure. Anyone
  running a hidden service should upgrade to this version, or to some
  other version with fixes for TROVE-2017-004 and TROVE-2017-005.

  Tor 0.3.0.8 also includes fixes for several key management bugs
  that sometimes made relays unreliable, as well as several other
  bugfixes described below.

  o Major bugfixes (hidden service, relay, security, backport
    from 0.3.1.3-alpha):
    - Fix a remotely triggerable assertion failure when a hidden service
      handles a malformed BEGIN cell. Fixes bug 22493, tracked as
      TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
    - Fix a remotely triggerable assertion failure caused by receiving a
      BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
      22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
      on 0.2.2.1-alpha.

  o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
    - When performing the v3 link handshake on a TLS connection, report
      that we have the x509 certificate that we actually used on that
      connection, even if we have changed certificates since that
      connection was first opened. Previously, we would claim to have
      used our most recent x509 link certificate, which would sometimes
      make the link handshake fail. Fixes one case of bug 22460; bugfix
      on 0.2.3.6-alpha.

  o Major bugfixes (relays, key management, backport from 0.3.1.3-alpha):
    - Regenerate link and authentication certificates whenever the key
      that signs them changes; also, regenerate link certificates
      whenever the signed key changes. Previously, these processes were
      only weakly coupled, and relays could (for minutes to hours)
      wind up with an inconsistent set of keys and certificates, which
      other relays would not accept. Fixes two cases of bug 22460;
      bugfix on 0.3.0.1-alpha.
    - When sending an Ed25519 signing->link certificate in a CERTS cell,
      send the certificate that matches the x509 certificate that we
      used on the TLS connection. Previously, there was a race condition
      if the TLS context rotated after we began the TLS handshake but
      before we sent the CERTS cell. Fixes a case of bug 22460; bugfix
      on 0.3.0.1-alpha.

  o Major bugfixes (hidden service v3, backport from 0.3.1.1-alpha):
    - Stop rejecting v3 hidden service descriptors because their size
      did not match an old padding rule. Fixes bug 22447; bugfix on
      tor-0.3.0.1-alpha.

  o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
    - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
      December 2016 (of which ~126 were still functional) with a list of
      151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
      2017. Resolves ticket 21564.

  o Minor bugfixes (configuration, backport from 0.3.1.1-alpha):
    - Do not crash when starting with LearnCircuitBuildTimeout 0. Fixes
      bug 22252; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
    - Avoid undefined behavior when parsing IPv6 entries from the geoip6
      file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.

  o Minor bugfixes (link handshake, backport from 0.3.1.3-alpha):
    - Lower the lifetime of the RSA->Ed25519 cross-certificate to six
      months, and regenerate it when it is within one month of expiring.
      Previously, we had generated this certificate at startup with a
      ten-year lifetime, but that could lead to weird behavior when Tor
      was started with a grossly inaccurate clock. Mitigates bug 22466;
      mitigation on 0.3.0.1-alpha.

  o Minor bugfixes (memory leak, directory authority, backport from
    0.3.1.2-alpha):
    - When directory authorities reject a router descriptor due to
      keypinning, free the router descriptor rather than leaking the
      memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.

  3236. Changes in version 0.2.9.11 - 2017-06-08
  3237. Tor 0.2.9.11 backports a fix for a bug that would allow an attacker to
  3238. remotely crash a hidden service with an assertion failure. Anyone
  3239. running a hidden service should upgrade to this version, or to some
  3240. other version with fixes for TROVE-2017-005. (Versions before 0.3.0
  3241. are not affected by TROVE-2017-004.)
  3242. Tor 0.2.9.11 also backports fixes for several key management bugs
  3243. that sometimes made relays unreliable, as well as several other
  3244. bugfixes described below.
  3245. o Major bugfixes (hidden service, relay, security, backport
  3246. from 0.3.1.3-alpha):
  3247. - Fix a remotely triggerable assertion failure caused by receiving a
  3248. BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
  3249. 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
  3250. on 0.2.2.1-alpha.
  3251. o Major bugfixes (relay, link handshake, backport from 0.3.1.3-alpha):
  3252. - When performing the v3 link handshake on a TLS connection, report
  3253. that we have the x509 certificate that we actually used on that
  3254. connection, even if we have changed certificates since that
  3255. connection was first opened. Previously, we would claim to have
  3256. used our most recent x509 link certificate, which would sometimes
  3257. make the link handshake fail. Fixes one case of bug 22460; bugfix
  3258. on 0.2.3.6-alpha.
  3259. o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
  3260. - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
  3261. December 2016 (of which ~126 were still functional) with a list of
  3262. 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
  3263. 2017. Resolves ticket 21564.
  3264. o Minor features (future-proofing, backport from 0.3.0.7):
  3265. - Tor no longer refuses to download microdescriptors or descriptors if
  3266. they are listed as "published in the future". This change will
  3267. eventually allow us to stop listing meaningful "published" dates
  3268. in microdescriptor consensuses, and thereby allow us to reduce the
  3269. resources required to download consensus diffs by over 50%.
  3270. Implements part of ticket 21642; implements part of proposal 275.
  3271. o Minor features (directory authorities, backport from 0.3.0.4-rc):
  3272. - Directory authorities now reject relays running versions
  3273. 0.2.9.1-alpha through 0.2.9.4-alpha, because those relays
  3274. suffer from bug 20499 and don't keep their consensus cache
  3275. up-to-date. Resolves ticket 20509.
  3276. o Minor features (geoip):
  3277. - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
  3278. Country database.
  3279. o Minor bugfixes (control port, backport from 0.3.0.6):
  3280. - The GETINFO extra-info/digest/<digest> command was broken because
  3281. of a wrong base16 decode return value check, introduced when
  3282. refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.
  3283. o Minor bugfixes (correctness, backport from 0.3.1.3-alpha):
  3284. - Avoid undefined behavior when parsing IPv6 entries from the geoip6
  3285. file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
  3286. o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.0.7):
  3287. - The getpid() system call is now permitted under the Linux seccomp2
  3288. sandbox, to avoid crashing with versions of OpenSSL (and other
  3289. libraries) that attempt to learn the process's PID by using the
  3290. syscall rather than the VDSO code. Fixes bug 21943; bugfix
  3291. on 0.2.5.1-alpha.
  3292. o Minor bugfixes (memory leak, directory authority, backport
  3293. from 0.3.1.2-alpha):
  3294. - When directory authorities reject a router descriptor due to
  3295. keypinning, free the router descriptor rather than leaking the
  3296. memory. Fixes bug 22370; bugfix on 0.2.7.2-alpha.
  3297. Changes in version 0.2.8.14 - 2017-06-08
  3298. Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to
  3299. remotely crash a hidden service with an assertion failure. Anyone
  3300. running a hidden service should upgrade to this version, or to some
  3301. other version with fixes for TROVE-2017-005. (Versions before 0.3.0
  3302. are not affected by TROVE-2017-004.)
  3303. o Major bugfixes (hidden service, relay, security):
  3304. - Fix a remotely triggerable assertion failure caused by receiving a
  3305. BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
  3306. 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
  3307. on 0.2.2.1-alpha.
  3308. o Minor features (geoip):
  3309. - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
  3310. Country database.
  3311. o Minor features (fallback directory list, backport from 0.3.1.3-alpha):
  3312. - Replace the 177 fallbacks originally introduced in Tor 0.2.9.8 in
  3313. December 2016 (of which ~126 were still functional) with a list of
  3314. 151 fallbacks (32 new, 119 unchanged, 58 removed) generated in May
  3315. 2017. Resolves ticket 21564.
  3316. o Minor bugfixes (correctness):
  3317. - Avoid undefined behavior when parsing IPv6 entries from the geoip6
  3318. file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
  3319. Changes in version 0.2.7.8 - 2017-06-08
  3320. Tor 0.2.7.8 backports a fix for a bug that would allow an attacker to
  3321. remotely crash a hidden service with an assertion failure. Anyone
  3322. running a hidden service should upgrade to this version, or to some
  3323. other version with fixes for TROVE-2017-005. (Versions before 0.3.0
  3324. are not affected by TROVE-2017-004.)
  3325. o Major bugfixes (hidden service, relay, security):
  3326. - Fix a remotely triggerable assertion failure caused by receiving a
  3327. BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
  3328. 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
  3329. on 0.2.2.1-alpha.
  3330. o Minor features (geoip):
  3331. - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
  3332. Country database.
  3333. o Minor bugfixes (correctness):
  3334. - Avoid undefined behavior when parsing IPv6 entries from the geoip6
  3335. file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
  3336. Changes in version 0.2.6.12 - 2017-06-08
  3337. Tor 0.2.6.12 backports a fix for a bug that would allow an attacker to
  3338. remotely crash a hidden service with an assertion failure. Anyone
  3339. running a hidden service should upgrade to this version, or to some
  3340. other version with fixes for TROVE-2017-005. (Versions before 0.3.0
  3341. are not affected by TROVE-2017-004.)
  3342. o Major bugfixes (hidden service, relay, security):
  3343. - Fix a remotely triggerable assertion failure caused by receiving a
  3344. BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
  3345. 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
  3346. on 0.2.2.1-alpha.
  3347. o Minor features (geoip):
  3348. - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
  3349. Country database.
  3350. o Minor bugfixes (correctness):
  3351. - Avoid undefined behavior when parsing IPv6 entries from the geoip6
  3352. file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
  3353. Changes in version 0.2.5.14 - 2017-06-08
  3354. Tor 0.2.5.14 backports a fix for a bug that would allow an attacker to
  3355. remotely crash a hidden service with an assertion failure. Anyone
  3356. running a hidden service should upgrade to this version, or to some
  3357. other version with fixes for TROVE-2017-005. (Versions before 0.3.0
  3358. are not affected by TROVE-2017-004.)
  3359. o Major bugfixes (hidden service, relay, security):
  3360. - Fix a remotely triggerable assertion failure caused by receiving a
  3361. BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
  3362. 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
  3363. on 0.2.2.1-alpha.
  3364. o Minor features (geoip):
  3365. - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
  3366. Country database.
  3367. o Minor bugfixes (correctness):
  3368. - Avoid undefined behavior when parsing IPv6 entries from the geoip6
  3369. file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
  3370. Changes in version 0.2.4.29 - 2017-06-08
  3371. Tor 0.2.4.29 backports a fix for a bug that would allow an attacker to
  3372. remotely crash a hidden service with an assertion failure. Anyone
  3373. running a hidden service should upgrade to this version, or to some
  3374. other version with fixes for TROVE-2017-005. (Versions before 0.3.0
  3375. are not affected by TROVE-2017-004.)
  3376. o Major bugfixes (hidden service, relay, security):
  3377. - Fix a remotely triggerable assertion failure caused by receiving a
  3378. BEGIN_DIR cell on a hidden service rendezvous circuit. Fixes bug
  3379. 22494, tracked as TROVE-2017-005 and CVE-2017-0376; bugfix
  3380. on 0.2.2.1-alpha.
  3381. o Minor features (geoip):
  3382. - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
  3383. Country database.
  3384. o Minor bugfixes (correctness):
  3385. - Avoid undefined behavior when parsing IPv6 entries from the geoip6
  3386. file. Fixes bug 22490; bugfix on 0.2.4.6-alpha.
  3387. Changes in version 0.3.0.7 - 2017-05-15
  3388. Tor 0.3.0.7 fixes a medium-severity security bug in earlier versions
  3389. of Tor 0.3.0.x, where an attacker could cause a Tor relay process
  3390. to exit. Relays running earlier versions of Tor 0.3.0.x should upgrade;
  3391. clients are not affected.
  3392. o Major bugfixes (hidden service directory, security):
  3393. - Fix an assertion failure in the hidden service directory code, which
  3394. could be used by an attacker to remotely cause a Tor relay process to
  3395. exit. Relays running earlier versions of Tor 0.3.0.x should upgrade.
  3396. This security issue is tracked as TROVE-2017-002.
  3397. Fixes bug 22246; bugfix on 0.3.0.1-alpha.
  3398. o Minor features:
  3399. - Update geoip and geoip6 to the May 2 2017 Maxmind GeoLite2
  3400. Country database.
  3401. o Minor features (future-proofing):
  3402. - Tor no longer refuses to download microdescriptors or descriptors
  3403. if they are listed as "published in the future". This change will
  3404. eventually allow us to stop listing meaningful "published" dates
  3405. in microdescriptor consensuses, and thereby allow us to reduce the
  3406. resources required to download consensus diffs by over 50%.
  3407. Implements part of ticket 21642; implements part of proposal 275.
  3408. o Minor bugfixes (Linux seccomp2 sandbox):
  3409. - The getpid() system call is now permitted under the Linux seccomp2
  3410. sandbox, to avoid crashing with versions of OpenSSL (and other
  3411. libraries) that attempt to learn the process's PID by using the
  3412. syscall rather than the VDSO code. Fixes bug 21943; bugfix
  3413. on 0.2.5.1-alpha.
  3414. Changes in version 0.3.0.6 - 2017-04-26
  3415. Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series.
  3416. With the 0.3.0 series, clients and relays now use Ed25519 keys to
  3417. authenticate their link connections to relays, rather than the old
  3418. RSA1024 keys that they used before. (Circuit crypto has been
  3419. Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced
  3420. the guard selection and replacement algorithm to behave more robustly
  3421. in the presence of unreliable networks, and to resist guard-
  3422. capture attacks.
  3423. This series also includes numerous other small features and bugfixes,
  3424. along with more groundwork for the upcoming hidden-services revamp.
  3425. Per our stable release policy, we plan to support the Tor 0.3.0
  3426. release series for at least the next nine months, or for three months
  3427. after the first stable release of the 0.3.1 series: whichever is
  3428. longer. If you need a release with long-term support, we recommend
  3429. that you stay with the 0.2.9 series.
  3430. Below are the changes since 0.2.9.10. For a list of only the changes
  3431. since 0.3.0.5-rc, see the ChangeLog file.
  3432. o Major features (directory authority, security):
  3433. - The default for AuthDirPinKeys is now 1: directory authorities
  3434. will reject relays where the RSA identity key matches a previously
  3435. seen value, but the Ed25519 key has changed. Closes ticket 18319.
  3436. o Major features (guard selection algorithm):
  3437. - Tor's guard selection algorithm has been redesigned from the
  3438. ground up, to better support unreliable networks and restrictive
  3439. sets of entry nodes, and to better resist guard-capture attacks by
  3440. hostile local networks. Implements proposal 271; closes
  3441. ticket 19877.
  3442. o Major features (next-generation hidden services):
  3443. - Relays can now handle v3 ESTABLISH_INTRO cells as specified by
  3444. prop224 aka "Next Generation Hidden Services". Service and clients
  3445. don't use this functionality yet. Closes ticket 19043. Based on
  3446. initial code by Alec Heifetz.
  3447. - Relays now support the HSDir version 3 protocol, so that they can
  3448. store and serve v3 descriptors. This is part of the next-
  3449. generation onion service work detailed in proposal 224. Closes
  3450. ticket 17238.
  3451. o Major features (protocol, ed25519 identity keys):
  3452. - Clients now support including Ed25519 identity keys in the EXTEND2
  3453. cells they generate. By default, this is controlled by a consensus
  3454. parameter, currently disabled. You can turn this feature on for
  3455. testing by setting ExtendByEd25519ID in your configuration. This
  3456. might make your traffic appear different than the traffic
  3457. generated by other users, however. Implements part of ticket
  3458. 15056; part of proposal 220.
  3459. - Relays now understand requests to extend to other relays by their
  3460. Ed25519 identity keys. When an Ed25519 identity key is included in
  3461. an EXTEND2 cell, the relay will only extend the circuit if the
  3462. other relay can prove ownership of that identity. Implements part
  3463. of ticket 15056; part of proposal 220.
  3464. - Relays now use Ed25519 to prove their Ed25519 identities to
  3465. one another, and to clients. This algorithm is faster and more
  3466. secure than the RSA-based handshake we've been doing until now.
  3467. Implements the second big part of proposal 220; Closes
  3468. ticket 15055.
  3469. o Major features (security):
  3470. - Change the algorithm used to decide DNS TTLs on client and server
  3471. side, to better resist DNS-based correlation attacks like the
  3472. DefecTor attack of Greschbach, Pulls, Roberts, Winter, and
  3473. Feamster. Now relays only return one of two possible DNS TTL
  3474. values, and clients are willing to believe DNS TTL values up to 3
  3475. hours long. Closes ticket 19769.
  3476. o Major bugfixes (client, onion service, also in 0.2.9.9):
  3477. - Fix a client-side onion service reachability bug, where multiple
  3478. socks requests to an onion service (or a single slow request)
  3479. could cause us to mistakenly mark some of the service's
  3480. introduction points as failed, and we cache that failure so
  3481. eventually we run out and can't reach the service. Also resolves a
  3482. mysterious "Remote server sent bogus reason code 65021" log
  3483. warning. The bug was introduced in ticket 17218, where we tried to
  3484. remember the circuit end reason as a uint16_t, which mangled
  3485. negative values. Partially fixes bug 21056 and fixes bug 20307;
  3486. bugfix on 0.2.8.1-alpha.
  3487. o Major bugfixes (crash, directory connections):
  3488. - Fix a rare crash when sending a begin cell on a circuit whose
  3489. linked directory connection had already been closed. Fixes bug
  3490. 21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett.
  3491. o Major bugfixes (directory authority):
  3492. - During voting, when marking a relay as a probable sybil, do not
  3493. clear its BadExit flag: sybils can still be bad in other ways
  3494. too. (We still clear the other flags.) Fixes bug 21108; bugfix
  3495. on 0.2.0.13-alpha.
  3496. o Major bugfixes (DNS):
  3497. - Fix a bug that prevented exit nodes from caching DNS records for
  3498. more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha.
  3499. o Major bugfixes (IPv6 Exits):
  3500. - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
  3501. any IPv6 addresses. Instead, only reject a port over IPv6 if the
  3502. exit policy rejects that port on more than an IPv6 /16 of
  3503. addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
  3504. which rejected a relay's own IPv6 address by default. Fixes bug
  3505. 21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.
  3506. o Major bugfixes (parsing):
  3507. - Fix an integer underflow bug when comparing malformed Tor
  3508. versions. This bug could crash Tor when built with
  3509. --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
  3510. 0.2.9.8, which were built with -ftrapv by default. In other cases
  3511. it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
  3512. on 0.0.8pre1. Found by OSS-Fuzz.
  3513. - When parsing a malformed content-length field from an HTTP
  3514. message, do not read off the end of the buffer. This bug was a
  3515. potential remote denial-of-service attack against Tor clients and
  3516. relays. A workaround was released in October 2016, to prevent this
  3517. bug from crashing Tor. This is a fix for the underlying issue,
  3518. which should no longer matter (if you applied the earlier patch).
  3519. Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing
  3520. using AFL (http://lcamtuf.coredump.cx/afl/).
  3521. o Major bugfixes (scheduler):
  3522. - Actually compare circuit policies in ewma_cmp_cmux(). This bug
  3523. caused the channel scheduler to behave more or less randomly,
  3524. rather than preferring channels with higher-priority circuits.
  3525. Fixes bug 20459; bugfix on 0.2.6.2-alpha.
  3526. o Major bugfixes (security, also in 0.2.9.9):
  3527. - Downgrade the "-ftrapv" option from "always on" to "only on when
  3528. --enable-expensive-hardening is provided." This hardening option,
  3529. like others, can turn survivable bugs into crashes--and having it
  3530. on by default made a (relatively harmless) integer overflow bug
  3531. into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
  3532. bugfix on 0.2.9.1-alpha.
  3533. o Minor feature (client):
  3534. - Enable IPv6 traffic on the SocksPort by default. To disable this,
  3535. a user will have to specify "NoIPv6Traffic". Closes ticket 21269.
  3536. o Minor feature (fallback scripts):
  3537. - Add a check_existing mode to updateFallbackDirs.py, which checks
  3538. if fallbacks in the hard-coded list are working. Closes ticket
  3539. 20174. Patch by haxxpop.
  3540. o Minor feature (protocol versioning):
  3541. - Add new protocol version for proposal 224. HSIntro now advertises
  3542. version "3-4" and HSDir version "1-2". Fixes ticket 20656.
  3543. o Minor features (ciphersuite selection):
  3544. - Allow relays to accept a wider range of ciphersuites, including
  3545. chacha20-poly1305 and AES-CCM. Closes the other part of 15426.
  3546. - Clients now advertise a list of ciphersuites closer to the ones
  3547. preferred by Firefox. Closes part of ticket 15426.
  3548. o Minor features (controller):
  3549. - Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose
  3550. shared-random values to the controller. Closes ticket 19925.
  3551. - When HSFETCH arguments cannot be parsed, say "Invalid argument"
  3552. rather than "unrecognized." Closes ticket 20389; patch from
  3553. Ivan Markin.
  3554. o Minor features (controller, configuration):
  3555. - Each of the *Port options, such as SocksPort, ORPort, ControlPort,
  3556. and so on, now comes with a __*Port variant that will not be saved
  3557. to the torrc file by the controller's SAVECONF command. This
  3558. change allows TorBrowser to set up a single-use domain socket for
  3559. each time it launches Tor. Closes ticket 20956.
  3560. - The GETCONF command can now query options that may only be
  3561. meaningful in context-sensitive lists. This allows the controller
  3562. to query the mixed SocksPort/__SocksPort style options introduced
  3563. in feature 20956. Implements ticket 21300.
  3564. o Minor features (diagnostic, directory client):
  3565. - Warn when we find an unexpected inconsistency in directory
  3566. download status objects. Prevents some negative consequences of
  3567. bug 20593.
  3568. o Minor features (directory authorities):
  3569. - Directory authorities now reject descriptors that claim to be
  3570. malformed versions of Tor. Helps prevent exploitation of
  3571. bug 21278.
  3572. - Reject version numbers with components that exceed INT32_MAX.
  3573. Otherwise 32-bit and 64-bit platforms would behave inconsistently.
  3574. Fixes bug 21450; bugfix on 0.0.8pre1.
  3575. o Minor features (directory authority):
  3576. - Add a new authority-only AuthDirTestEd25519LinkKeys option (on by
  3577. default) to control whether authorities should try to probe relays
  3578. by their Ed25519 link keys. This option will go away in a few
  3579. releases--unless we encounter major trouble in our ed25519 link
  3580. protocol rollout, in which case it will serve as a safety option.
  3581. o Minor features (directory cache):
  3582. - Relays and bridges will now refuse to serve the consensus they
  3583. have if they know it is too old for a client to use. Closes
  3584. ticket 20511.
  3585. o Minor features (ed25519 link handshake):
  3586. - Advertise support for the ed25519 link handshake using the
  3587. subprotocol-versions mechanism, so that clients can tell which
  3588. relays can identify themselves by Ed25519 ID. Closes ticket 20552.
  3589. o Minor features (entry guards):
  3590. - Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not
  3591. break regression tests.
  3592. - Require UseEntryGuards when UseBridges is set, in order to make
  3593. sure bridges aren't bypassed. Resolves ticket 20502.
  3594. o Minor features (fallback directories):
  3595. - Allow 3 fallback relays per operator, which is safe now that we
  3596. are choosing 200 fallback relays. Closes ticket 20912.
  3597. - Annotate updateFallbackDirs.py with the bandwidth and consensus
  3598. weight for each candidate fallback. Closes ticket 20878.
  3599. - Display the relay fingerprint when downloading consensuses from
  3600. fallbacks. Closes ticket 20908.
  3601. - Exclude relays affected by bug 20499 from the fallback list.
  3602. Exclude relays from the fallback list if they are running versions
  3603. known to be affected by bug 20499, or if in our tests they deliver
  3604. a stale consensus (i.e. one that expired more than 24 hours ago).
  3605. Closes ticket 20539.
  3606. - Make it easier to change the output sort order of fallbacks.
  3607. Closes ticket 20822.
  3608. - Reduce the minimum fallback bandwidth to 1 MByte/s. Part of
  3609. ticket 18828.
  3610. - Require fallback directories to have the same address and port for
  3611. 7 days (now that we have enough relays with this stability).
  3612. Relays whose OnionOO stability timer is reset on restart by bug
  3613. 18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for
  3614. this issue. Closes ticket 20880; maintains short-term fix
  3615. in 0.2.8.2-alpha.
  3616. - Require fallbacks to have flags for 90% of the time (weighted
  3617. decaying average), rather than 95%. This allows at least 73% of
  3618. clients to bootstrap in the first 5 seconds without contacting an
  3619. authority. Part of ticket 18828.
  3620. - Select 200 fallback directories for each release. Closes
  3621. ticket 20881.
  3622. o Minor features (fingerprinting resistance, authentication):
  3623. - Extend the length of RSA keys used for TLS link authentication to
  3624. 2048 bits. (These weren't used for forward secrecy; for forward
  3625. secrecy, we used P256.) Closes ticket 13752.
  3626. o Minor features (geoip):
  3627. - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2
  3628. Country database.
  3629. o Minor features (geoip, also in 0.2.9.9):
  3630. - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
  3631. Country database.
  3632. o Minor features (infrastructure):
  3633. - Implement smartlist_add_strdup() function. Replaces the use of
  3634. smartlist_add(sl, tor_strdup(str)). Closes ticket 20048.
  3635. o Minor features (linting):
  3636. - Enhance the changes file linter to warn on Tor versions that are
  3637. prefixed with "tor-". Closes ticket 21096.
  3638. o Minor features (logging):
  3639. - In several places, describe unset ed25519 keys as "<unset>",
  3640. rather than the scary "AAAAAAAA...AAA". Closes ticket 21037.
  3641. o Minor features (portability, compilation):
  3642. - Autoconf now checks to determine if OpenSSL structures are opaque,
  3643. instead of explicitly checking for OpenSSL version numbers. Part
  3644. of ticket 21359.
  3645. - Support building with recent LibreSSL code that uses opaque
  3646. structures. Closes ticket 21359.
  3647. o Minor features (relay):
  3648. - We now allow separation of exit and relay traffic to different
  3649. source IP addresses, using the OutboundBindAddressExit and
  3650. OutboundBindAddressOR options respectively. Closes ticket 17975.
  3651. Written by Michael Sonntag.
  3652. o Minor features (reliability, crash):
  3653. - Try better to detect problems in buffers where they might grow (or
  3654. think they have grown) over 2 GB in size. Diagnostic for
  3655. bug 21369.
  3656. o Minor features (testing):
  3657. - During 'make test-network-all', if tor logs any warnings, ask
  3658. chutney to output them. Requires a recent version of chutney with
  3659. the 21572 patch. Implements 21570.
  3660. o Minor bugfix (control protocol):
  3661. - The reply to a "GETINFO config/names" request via the control
  3662. protocol now spells the type "Dependent" correctly. This is a
  3663. breaking change in the control protocol. (The field seems to be
  3664. ignored by the most common known controllers.) Fixes bug 18146;
  3665. bugfix on 0.1.1.4-alpha.
  3666. - The GETINFO extra-info/digest/<digest> command was broken because
  3667. of a wrong base16 decode return value check, introduced when
  3668. refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha.
  3669. o Minor bugfix (logging):
  3670. - Don't recommend the use of Tor2web in non-anonymous mode.
  3671. Recommending Tor2web is a bad idea because the client loses all
  3672. anonymity. Tor2web should only be used in specific cases by users
  3673. who *know* and understand the issues. Fixes bug 21294; bugfix
  3674. on 0.2.9.3-alpha.
  3675. o Minor bugfixes (bug resilience):
  3676. - Fix an unreachable size_t overflow in base64_decode(). Fixes bug
  3677. 19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by
  3678. Hans Jerry Illikainen.
  3679. o Minor bugfixes (build):
  3680. - Replace obsolete Autoconf macros with their modern equivalent and
  3681. prevent similar issues in the future. Fixes bug 20990; bugfix
  3682. on 0.1.0.1-rc.
  3683. o Minor bugfixes (certificate expiration time):
  3684. - Avoid using link certificates that don't become valid till some
  3685. time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha.
  3686. o Minor bugfixes (client):
  3687. - Always recover from failures in extend_info_from_node(), in an
  3688. attempt to prevent any recurrence of bug 21242. Fixes bug 21372;
  3689. bugfix on 0.2.3.1-alpha.
  3690. - When clients that use bridges start up with a cached consensus on
  3691. disk, they were ignoring it and downloading a new one. Now they
  3692. use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha.
  3693. o Minor bugfixes (code correctness):
  3694. - Repair a couple of (unreachable or harmless) cases of the risky
  3695. comparison-by-subtraction pattern that caused bug 21278.
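An added illustration (not Tor's code) of the comparison-by-subtraction pattern named in the entry above, together with the INT32_MAX bound on version components described earlier in these notes. The names ver_t, ver_parse, ver_cmp, cmp_int, subtraction_would_overflow and cmp_by_subtraction_wrapped are hypothetical, and a 32-bit int is assumed.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define VER_PARTS 4  /* e.g. "0.2.9.8"; an assumption for this example */

/* Hypothetical version record; not Tor's own structure. */
typedef struct { int part[VER_PARTS]; } ver_t;

/* Parse one decimal component. Rejects empty input, a leading sign or
 * whitespace, and any value above INT32_MAX, so every accepted component
 * is in [0, INT32_MAX] on both 32-bit and 64-bit platforms. */
static int parse_component(const char **s, int *out) {
  if (!isdigit((unsigned char)**s)) return -1;
  errno = 0;
  char *end;
  unsigned long long v = strtoull(*s, &end, 10);
  if (errno == ERANGE || v > INT32_MAX) return -1;
  *out = (int)v;
  *s = end;
  return 0;
}

/* Parse exactly VER_PARTS dot-separated components; 0 on success. */
int ver_parse(const char *s, ver_t *out) {
  for (int i = 0; i < VER_PARTS; i++) {
    if (parse_component(&s, &out->part[i]) < 0) return -1;
    char want = (i == VER_PARTS - 1) ? '\0' : '.';
    if (*s != want) return -1;
    if (want) s++;
  }
  return 0;
}

/* The risky pattern is `return a - b;`. It is evaluated in 64 bits here so
 * the example has no undefined behaviour. Returns 1 when the int
 * subtraction would overflow: the case that traps under -ftrapv. */
int subtraction_would_overflow(int a, int b) {
  int64_t d = (int64_t)a - (int64_t)b;
  return d > INT_MAX || d < INT_MIN;
}

/* What a build that wraps instead of trapping would return: the sign of
 * the result can be wrong. (Unsigned arithmetic wraps by definition; the
 * conversion back to int wraps on GCC and Clang.) */
int cmp_by_subtraction_wrapped(int a, int b) {
  return (int)((uint32_t)a - (uint32_t)b);
}

/* Overflow-free three-way comparison: returns -1, 0 or 1. */
int cmp_int(int a, int b) { return (a > b) - (a < b); }

/* Compare two parsed versions component by component. */
int ver_cmp(const ver_t *a, const ver_t *b) {
  for (int i = 0; i < VER_PARTS; i++) {
    int r = cmp_int(a->part[i], b->part[i]);
    if (r) return r;
  }
  return 0;
}

int main(void) {
  ver_t a, b;
  /* Constructed sample inputs. */
  if (ver_parse("0.2.9.8", &a) == 0 && ver_parse("0.3.0.6", &b) == 0)
    printf("0.2.9.8 vs 0.3.0.6 -> %d\n", ver_cmp(&a, &b));
  printf("reject over-large component: %d\n",
         ver_parse("0.2.9.2147483648", &a));
  printf("reject negative component: %d\n", ver_parse("0.2.9.-1", &a));
  /* A component pair that only a lenient parser would let through. */
  int x = -2147483647, y = 2;
  printf("would overflow: %d, wrapped result: %d, safe result: %d\n",
         subtraction_would_overflow(x, y),
         cmp_by_subtraction_wrapped(x, y), cmp_int(x, y));
  return 0;
}
```

Because ver_parse only admits components in [0, INT32_MAX], subtracting two accepted components could not overflow either; bounding the input and using cmp_int are independent layers.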
  3696. o Minor bugfixes (config):
  3697. - Don't assert on startup when trying to get the options list and
  3698. LearnCircuitBuildTimeout is set to 0: we are currently parsing the
  3699. options so of course they aren't ready yet. Fixes bug 21062;
  3700. bugfix on 0.2.9.3-alpha.
  3701. o Minor bugfixes (configuration):
  3702. - Accept non-space whitespace characters after the severity level in
  3703. the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha.
  3704. - Support "TByte" and "TBytes" units in options given in bytes.
  3705. "TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already
  3706. supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha.
  3707. o Minor bugfixes (configure, autoconf):
  3708. - Rename the configure option --enable-expensive-hardening to
  3709. --enable-fragile-hardening. Expensive hardening makes the tor
  3710. daemon abort when some kinds of issues are detected. Thus, it
  3711. makes tor more at risk of remote crashes but safer against RCE or
  3712. Heartbleed-class bugs. We now try to explain this issue in a
  3713. message from the configure script. Fixes bug 21290; bugfix
  3714. on 0.2.5.4-alpha.
  3715. o Minor bugfixes (consensus weight):
  3716. - Add new consensus method that initializes bw weights to 1 instead
  3717. of 0. This prevents a zero weight from making it all the way to
  3718. the end (happens in small testing networks) and causing an error.
  3719. Fixes bug 14881; bugfix on 0.2.2.17-alpha.
  3720. o Minor bugfixes (crash prevention):
  3721. - Fix a (currently untriggerable, but potentially dangerous) crash
  3722. bug when base32-encoding inputs whose sizes are not a multiple of
  3723. 5. Fixes bug 21894; bugfix on 0.2.9.1-alpha.
  o Minor bugfixes (dead code):
    - Remove a redundant check for PidFile changes at runtime in
      options_transition_allowed(): this check is already performed
      regardless of whether the sandbox is active. Fixes bug 21123;
      bugfix on 0.2.5.4-alpha.
  o Minor bugfixes (descriptors):
    - Correctly recognise downloaded full descriptors as valid, even
      when using microdescriptors as circuits. This affects clients with
      FetchUselessDescriptors set, and may affect directory authorities.
      Fixes bug 20839; bugfix on 0.2.3.2-alpha.
  o Minor bugfixes (directory mirrors):
    - Allow relays to use directory mirrors without a DirPort: these
      relays need to be contacted over their ORPorts using a begindir
      connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha.
    - Clarify the message logged when a remote relay is unexpectedly
      missing an ORPort or DirPort: users were confusing this with a
      local port. Fixes another case of bug 20711; bugfix
      on 0.2.8.2-alpha.
  o Minor bugfixes (directory system):
    - Bridges and relays now use microdescriptors (like clients do)
      rather than old-style router descriptors. Now bridges will blend
      in with clients in terms of the circuits they build. Fixes bug
      6769; bugfix on 0.2.3.2-alpha.
    - Download all consensus flavors, descriptors, and authority
      certificates when FetchUselessDescriptors is set, regardless of
      whether tor is a directory cache or not. Fixes bug 20667; bugfix
      on all recent tor versions.
  o Minor bugfixes (documentation):
    - Update the tor manual page to document every option that can not
      be changed while tor is running. Fixes bug 21122.
  o Minor bugfixes (ed25519 certificates):
    - Correctly interpret ed25519 certificates that would expire some
      time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha.
  o Minor bugfixes (fallback directories):
    - Avoid checking fallback candidates' DirPorts if they are down in
      OnionOO. When a relay operator has multiple relays, this
      prioritizes relays that are up over relays that are down. Fixes
      bug 20926; bugfix on 0.2.8.3-alpha.
    - Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py.
      Fixes bug 20877; bugfix on 0.2.8.3-alpha.
    - Stop failing when a relay has no uptime data in
      updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha.
  o Minor bugfixes (hidden service):
    - Clean up the code for expiring intro points with no associated
      circuits. It was causing, rarely, a service with some expiring
      introduction points to not open enough additional introduction
      points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha.
    - Resolve two possible underflows which could lead to creating and
      closing a lot of introduction point circuits in a non-stop loop.
      Fixes bug 21302; bugfix on 0.2.7.2-alpha.
    - Stop setting the torrc option HiddenServiceStatistics to "0" just
      because we're not a bridge or relay. Instead, we preserve whatever
      value the user set (or didn't set). Fixes bug 21150; bugfix
      on 0.2.6.2-alpha.
  o Minor bugfixes (hidden services):
    - Make hidden services check for failed intro point connections,
      even when they have exceeded their intro point creation limit.
      Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett.
    - Make hidden services with 8 to 10 introduction points check for
      failed circuits immediately after startup. Previously, they would
      wait for 5 minutes before performing their first checks. Fixes bug
      21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett.
    - Stop ignoring misconfigured hidden services. Instead, refuse to
      start tor until the misconfigurations have been corrected. Fixes
      bug 20559; bugfix on multiple commits in 0.2.7.1-alpha
      and earlier.
  o Minor bugfixes (IPv6):
    - Make IPv6-using clients try harder to find an IPv6 directory
      server. Fixes bug 20999; bugfix on 0.2.8.2-alpha.
    - When IPv6 addresses have not been downloaded yet (microdesc
      consensus documents don't list relay IPv6 addresses), use hard-
      coded addresses for authorities, fallbacks, and configured
      bridges. Now IPv6-only clients can use microdescriptors. Fixes bug
      20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha.
  o Minor bugfixes (memory leak at exit):
    - Fix a small harmless memory leak at exit of the previously unused
      RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix
      on 0.2.7.2-alpha.
  o Minor bugfixes (onion services):
    - Allow the number of introduction points to be as low as 0, rather
      than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha.
  o Minor bugfixes (portability):
    - Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__".
      It is supported by OpenBSD itself, and also by most OpenBSD
      variants (such as Bitrig). Fixes bug 20980; bugfix
      on 0.1.2.1-alpha.
  o Minor bugfixes (portability, also in 0.2.9.9):
    - Avoid crashing when Tor is built using headers that contain
      CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
      without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
      on 0.2.9.1-alpha.
    - Fix Libevent detection on platforms without Libevent 1 headers
      installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
  o Minor bugfixes (relay):
    - Avoid a double-marked-circuit warning that could happen when we
      receive DESTROY cells under heavy load. Fixes bug 20059; bugfix
      on 0.1.0.1-rc.
    - Honor DataDirectoryGroupReadable when tor is a relay. Previously,
      initializing the keys would reset the DataDirectory to 0700
      instead of 0750 even if DataDirectoryGroupReadable was set to 1.
      Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish".
  o Minor bugfixes (testing):
    - Fix Raspbian build issues related to missing socket errno in
      test_util.c. Fixes bug 21116; bugfix on 0.2.8.2. Patch by "hein".
    - Remove undefined behavior from the backtrace generator by removing
      its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha.
    - Use bash in src/test/test-network.sh. This ensures we reliably
      call chutney's newer tools/test-network.sh when available. Fixes
      bug 21562; bugfix on 0.2.9.1-alpha.
  o Minor bugfixes (tor-resolve):
    - The tor-resolve command line tool now rejects hostnames over 255
      characters in length. Previously, it would silently truncate them,
      which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
      Patch by "junglefowl".
  o Minor bugfixes (unit tests):
    - Allow the unit tests to pass even when DNS lookups of bogus
      addresses do not fail as expected. Fixes bug 20862 and 20863;
      bugfix on unit tests introduced in 0.2.8.1-alpha
      through 0.2.9.4-alpha.
  o Minor bugfixes (util):
    - When finishing writing a file to disk, if we were about to replace
      the file with the temporary file created before and we fail to
      replace it, remove the temporary file so it doesn't stay on disk.
      Fixes bug 20646; bugfix on 0.2.0.7-alpha. Patch by fk.
  o Minor bugfixes (Windows services):
    - Be sure to initialize the monotonic time subsystem before using
      it, even when running as an NT service. Fixes bug 21356; bugfix
      on 0.2.9.1-alpha.
  o Minor bugfixes (Windows):
    - Check for getpagesize before using it to mmap files. This fixes
      compilation in some MinGW environments. Fixes bug 20530; bugfix on
      0.1.2.1-alpha. Reported by "ice".
  o Code simplification and refactoring:
    - Abolish all global guard context in entrynodes.c; replace with new
      guard_selection_t structure as preparation for proposal 271.
      Closes ticket 19858.
    - Extract magic numbers in circuituse.c into defined variables.
    - Introduce rend_service_is_ephemeral() that tells if given onion
      service is ephemeral. Replace unclear NULL-checkings for service
      directory with this function. Closes ticket 20526.
    - Refactor circuit_is_available_for_use to remove unnecessary check.
    - Refactor circuit_predict_and_launch_new for readability and
      testability. Closes ticket 18873.
    - Refactor code to manipulate global_origin_circuit_list into
      separate functions. Closes ticket 20921.
    - Refactor large if statement in purpose_needs_anonymity to use
      switch statement instead. Closes part of ticket 20077.
    - Refactor the hashing API to return negative values for errors, as
      is done throughout the codebase. Closes ticket 20717.
    - Remove data structures that were used to index or_connection
      objects by their RSA identity digests. These structures are fully
      redundant with the similar structures used in the
      channel abstraction.
    - Remove duplicate code in the channel_write_*cell() functions.
      Closes ticket 13827; patch from Pingl.
    - Remove redundant behavior of is_sensitive_dir_purpose, refactor to
      use only purpose_needs_anonymity. Closes part of ticket 20077.
    - The code to generate and parse EXTEND and EXTEND2 cells has been
      replaced with code automatically generated by the
      "trunnel" utility.
  o Documentation (formatting):
    - Clean up formatting of tor.1 man page and HTML doc, where <pre>
      blocks were incorrectly appearing. Closes ticket 20885.
  o Documentation (man page):
    - Clarify many options in tor.1 and add some min/max values for
      HiddenService options. Closes ticket 21058.
  o Documentation:
    - Change '1' to 'weight_scale' in consensus bw weights calculation
      comments, as that is reality. Closes ticket 20273. Patch
      from pastly.
    - Clarify that when ClientRejectInternalAddresses is enabled (which
      is the default), multicast DNS hostnames for machines on the local
      network (of the form *.local) are also rejected. Closes
      ticket 17070.
    - Correct the value for AuthDirGuardBWGuarantee in the manpage, from
      250 KBytes to 2 MBytes. Fixes bug 20435; bugfix on 0.2.5.6-alpha.
    - Include the "TBits" unit in Tor's man page. Fixes part of bug
      20622; bugfix on 0.2.5.1-alpha.
    - Small fixes to the fuzzing documentation. Closes ticket 21472.
    - Stop the man page from incorrectly stating that HiddenServiceDir
      must already exist. Fixes 20486.
    - Update the description of the directory server options in the
      manual page, to clarify that a relay no longer needs to set
      DirPort in order to be a directory cache. Closes ticket 21720.
  o Removed features:
    - The AuthDirMaxServersPerAuthAddr option no longer exists: The same
      limit for relays running on a single IP applies to authority IP
      addresses as well as to non-authority IP addresses. Closes
      ticket 20960.
    - The UseDirectoryGuards torrc option no longer exists: all users
      that use entry guards will also use directory guards. Related to
      proposal 271; implements part of ticket 20831.
  o Testing:
    - Add tests for networkstatus_compute_bw_weights_v10.
    - Add unit tests for circuit_predict_and_launch_new.
    - Extract dummy_origin_circuit_new so it can be used by other
      test functions.
    - New unit tests for tor_htonll(). Closes ticket 19563. Patch
      from "overcaffeinated".
    - Perform the coding style checks when running the tests and fail
      when coding style violations are found. Closes ticket 5500.
Changes in version 0.2.8.13 - 2017-03-03
  Tor 0.2.8.13 backports a security fix from later Tor
  releases. Anybody running Tor 0.2.8.12 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series, and if they build Tor with the --enable-expensive-hardening
  option.

  Note that support for Tor 0.2.8.x is ending next year: we will not issue
  any fixes for the Tor 0.2.8.x series after 1 Jan 2018. If you need
  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.

  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.
  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.
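The parsing entry above says the version-comparison bug only crashed builds compiled with -ftrapv, which aborts on signed integer overflow. The C sketch below is an added illustration of that bug class and of a strict-parse, compare-without-subtracting alternative; it is not Tor's code (the affected Tor code path is not shown in these notes), and ver_t, ver_parse(), ver_cmp(), ver_cmp_subtract() and sub_would_overflow() are hypothetical names.

```c
/* Added illustration of the bug class; not taken from the Tor source tree.
 * All type and function names here are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define VER_PARTS 4   /* four dotted components, e.g. 0.2.9.8 */

typedef struct { int part[VER_PARTS]; } ver_t;

/* Risky pattern: ordering by subtraction. If a lenient parser lets a
 * component such as INT_MIN through, a - b overflows a signed int. That is
 * undefined behaviour in C, and a build with -ftrapv aborts on it. */
int ver_cmp_subtract(const ver_t *a, const ver_t *b)
{
  for (int i = 0; i < VER_PARTS; i++)
    if (a->part[i] != b->part[i])
      return a->part[i] - b->part[i];
  return 0;
}

/* Returns 1 if a - b is not representable as an int (GCC/Clang builtin). */
int sub_would_overflow(int a, int b)
{
  int r;
  return __builtin_sub_overflow(a, b, &r) ? 1 : 0;
}

/* Strict parser: every component must be plain digits in 0..INT_MAX.
 * Returns 0 on success, -1 on malformed input. Status tags such as
 * "-alpha" are out of scope for this sketch and are rejected. */
int ver_parse(const char *s, ver_t *out)
{
  for (int i = 0; i < VER_PARTS; i++) {
    char *end;
    long v;
    if (*s < '0' || *s > '9')
      return -1;                 /* rejects '-', '+', blanks, empty part */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || v > INT_MAX)
      return -1;                 /* component does not fit in an int */
    out->part[i] = (int)v;
    s = end;
    if (i < VER_PARTS - 1) {
      if (*s != '.')
        return -1;               /* missing separator or too few parts */
      s++;
    }
  }
  return *s == '\0' ? 0 : -1;    /* no trailing bytes accepted */
}

/* Overflow-free ordering: compare, never subtract. Returns -1, 0 or 1. */
int ver_cmp(const ver_t *a, const ver_t *b)
{
  for (int i = 0; i < VER_PARTS; i++) {
    if (a->part[i] < b->part[i]) return -1;
    if (a->part[i] > b->part[i]) return 1;
  }
  return 0;
}

int main(void)
{
  ver_t a, b;
  /* Constructed inputs, chosen to exercise the malformed case. */
  printf("parse malformed: %d\n", ver_parse("0.2.-2147483648.1", &a));
  if (ver_parse("0.2.9.8", &a) == 0 && ver_parse("0.2.8.13", &b) == 0)
    printf("0.2.9.8 vs 0.2.8.13: %d\n", ver_cmp(&a, &b));
  printf("INT_MIN - 1 overflows: %d\n", sub_would_overflow(INT_MIN, 1));
  return 0;
}
```

Compiling the subtraction comparator with -ftrapv and feeding it unvalidated components turns a silent wraparound into an abort, which is the trade-off between remote crashes and memory-safety impact that the hardening options in these notes describe.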
Changes in version 0.2.7.7 - 2017-03-03
  Tor 0.2.7.7 backports a number of security fixes from later Tor
  releases. Anybody running Tor 0.2.7.6 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series.

  Note that support for Tor 0.2.7.x is ending this year: we will not issue
  any fixes for the Tor 0.2.7.x series after 1 August 2017. If you need
  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.

  o Directory authority changes (backport from 0.2.8.5-rc):
    - Urras is no longer a directory authority. Closes ticket 19271.
  o Directory authority changes (backport from 0.2.9.2-alpha):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.
  o Directory authority key updates (backport from 0.2.8.1-alpha):
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".
  o Major bugfixes (parsing, security, backport from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.
  o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
    - Stop a crash that could occur when a client running with DNSPort
      received a query with multiple address types, and the first
      address type was not supported. Found and fixed by Scott Dial.
      Fixes bug 18710; bugfix on 0.2.5.4-alpha.
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).
  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.
  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.
  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.
  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
      patch by "teor".
  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.
  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.
Changes in version 0.2.6.11 - 2017-03-03
  Tor 0.2.6.11 backports a number of security fixes from later Tor
  releases. Anybody running Tor 0.2.6.10 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series.

  Note that support for Tor 0.2.6.x is ending this year: we will not issue
  any fixes for the Tor 0.2.6.x series after 1 August 2017. If you need
  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.

  o Directory authority changes (backport from 0.2.8.5-rc):
    - Urras is no longer a directory authority. Closes ticket 19271.
  o Directory authority changes (backport from 0.2.9.2-alpha):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.
  o Directory authority key updates (backport from 0.2.8.1-alpha):
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".
  o Major features (security fixes, backport from 0.2.9.4-alpha):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).
  o Major bugfixes (parsing, security, backport from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.
  o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
    - Stop a crash that could occur when a client running with DNSPort
      received a query with multiple address types, and the first
      address type was not supported. Found and fixed by Scott Dial.
      Fixes bug 18710; bugfix on 0.2.5.4-alpha.
  o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
    - Fix an error that could cause us to read 4 bytes before the
      beginning of an openssl string. This bug could be used to cause
      Tor to crash on systems with unusual malloc implementations, or
      systems with unusual hardening installed. Fixes bug 17404; bugfix
      on 0.2.3.6-alpha.
  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.
  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
  o Major bugfixes (guard selection, backport from 0.2.7.6):
    - Actually look at the Guard flag when selecting a new directory
      guard. When we implemented the directory guard design, we
      accidentally started treating all relays as if they have the Guard
      flag during guard selection, leading to weaker anonymity and worse
      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
      by Mohsen Imani.
  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.
  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.
  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
      patch by "teor".
  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.
  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.
  o Minor bugfixes (compilation, backport from 0.2.7.6):
    - Fix a compilation warning with Clang 3.6: Do not check the
      presence of an address which can never be NULL. Fixes bug 17781.
Changes in version 0.2.5.13 - 2017-03-03
  Tor 0.2.5.13 backports a number of security fixes from later Tor
  releases. Anybody running Tor 0.2.5.13 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series.

  Note that support for Tor 0.2.5.x is ending next year: we will not issue
  any fixes for the Tor 0.2.5.x series after 1 May 2018. If you need
  a Tor release series with longer-term support, we recommend Tor 0.2.9.x.

  o Directory authority changes (backport from 0.2.8.5-rc):
    - Urras is no longer a directory authority. Closes ticket 19271.
  o Directory authority changes (backport from 0.2.9.2-alpha):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.
  o Directory authority key updates (backport from 0.2.8.1-alpha):
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".
  o Major features (security fixes, backport from 0.2.9.4-alpha):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).
  o Major bugfixes (parsing, security, backport from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.
  o Major bugfixes (security, client, DNS proxy, backport from 0.2.8.3-alpha):
    - Stop a crash that could occur when a client running with DNSPort
      received a query with multiple address types, and the first
      address type was not supported. Found and fixed by Scott Dial.
      Fixes bug 18710; bugfix on 0.2.5.4-alpha.
  o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
    - Fix an error that could cause us to read 4 bytes before the
      beginning of an openssl string. This bug could be used to cause
      Tor to crash on systems with unusual malloc implementations, or
      systems with unusual hardening installed. Fixes bug 17404; bugfix
      on 0.2.3.6-alpha.
  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.
  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
  o Major bugfixes (guard selection, backport from 0.2.7.6):
    - Actually look at the Guard flag when selecting a new directory
      guard. When we implemented the directory guard design, we
      accidentally started treating all relays as if they have the Guard
      flag during guard selection, leading to weaker anonymity and worse
      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
      by Mohsen Imani.
  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
      if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
      0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
      Baishakhi Ray.
  o Major bugfixes (parsing, backported from 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.
  o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
    - Make memwipe() do nothing when passed a NULL pointer or buffer of
      zero size. Check size argument to memwipe() for underflow. Fixes
      bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
      patch by "teor".
  o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
    - Make Tor survive errors involving connections without a
      corresponding event object. Previously we'd fail with an
      assertion; now we produce a log message. Related to bug 16248.
  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.
  o Minor bugfixes (compilation, backport from 0.2.7.6):
    - Fix a compilation warning with Clang 3.6: Do not check the
      presence of an address which can never be NULL. Fixes bug 17781.
  o Minor bugfixes (crypto error-handling, backport from 0.2.7.2-alpha):
    - Check for failures from crypto_early_init, and refuse to continue.
      A previous typo meant that we could keep going with an
      uninitialized crypto library, and would have OpenSSL initialize
      its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
      when implementing ticket 4900. Patch by "teor".
  o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
    - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
      a client authorized hidden service. Fixes bug 15823; bugfix
      on 0.2.1.6-alpha.
Changes in version 0.2.4.28 - 2017-03-03
  Tor 0.2.4.28 backports a number of security fixes from later Tor
  releases. Anybody running Tor 0.2.4.27 or earlier should upgrade to
  this release, if for some reason they cannot upgrade to a later
  release series.

  Note that support for Tor 0.2.4.x is ending soon: we will not issue
  any fixes for the Tor 0.2.4.x series after 1 August 2017. If you need
  a Tor release series with long-term support, we recommend Tor 0.2.9.x.

  o Directory authority changes (backport from 0.2.8.5-rc):
    - Urras is no longer a directory authority. Closes ticket 19271.
  o Directory authority changes (backport from 0.2.9.2-alpha):
    - The "Tonga" bridge authority has been retired; the new bridge
      authority is "Bifroest". Closes tickets 19728 and 19690.
  o Directory authority key updates (backport from 0.2.8.1-alpha):
    - Update the V3 identity key for the dannenberg directory authority:
      it was changed on 18 November 2015. Closes task 17906. Patch
      by "teor".
  o Major features (security fixes, backport from 0.2.9.4-alpha):
    - Prevent a class of security bugs caused by treating the contents
      of a buffer chunk as if they were a NUL-terminated string. At
      least one such bug seems to be present in all currently used
      versions of Tor, and would allow an attacker to remotely crash
      most Tor instances, especially those compiled with extra compiler
      hardening. With this defense in place, such bugs can't crash Tor,
      though we should still fix them as they occur. Closes ticket
      20384 (TROVE-2016-10-001).
  o Major bugfixes (parsing, security, backport from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.
  o Major bugfixes (security, correctness, backport from 0.2.7.4-rc):
    - Fix an error that could cause us to read 4 bytes before the
      beginning of an openssl string. This bug could be used to cause
      Tor to crash on systems with unusual malloc implementations, or
      systems with unusual hardening installed. Fixes bug 17404; bugfix
      on 0.2.3.6-alpha.
  o Major bugfixes (security, pointers, backport from 0.2.8.2-alpha):
    - Avoid a difficult-to-trigger heap corruption attack when extending
      a smartlist to contain over 16GB of pointers. Fixes bug 18162;
      bugfix on 0.1.1.11-alpha, which fixed a related bug incompletely.
      Reported by Guido Vranken.
  o Major bugfixes (dns proxy mode, crash, backport from 0.2.8.2-alpha):
    - Avoid crashing when running as a DNS proxy. Fixes bug 16248;
      bugfix on 0.2.0.1-alpha. Patch from "cypherpunks".
  o Major bugfixes (guard selection, backport from 0.2.7.6):
    - Actually look at the Guard flag when selecting a new directory
      guard. When we implemented the directory guard design, we
      accidentally started treating all relays as if they have the Guard
      flag during guard selection, leading to weaker anonymity and worse
      performance. Fixes bug 17772; bugfix on 0.2.4.8-alpha. Discovered
      by Mohsen Imani.
  o Major bugfixes (key management, backport from 0.2.8.3-alpha):
    - If OpenSSL fails to generate an RSA key, do not retain a dangling
      pointer to the previous (uninitialized) key value. The impact here
      should be limited to a difficult-to-trigger crash, if OpenSSL is
      running an engine that makes key generation failures possible, or
  4271. if OpenSSL runs out of memory. Fixes bug 19152; bugfix on
  4272. 0.2.1.10-alpha. Found by Yuan Jochen Kang, Suman Jana, and
  4273. Baishakhi Ray.
  4274. o Major bugfixes (parsing, backported from 0.3.0.4-rc):
  4275. - Fix an integer underflow bug when comparing malformed Tor
  4276. versions. This bug could crash Tor when built with
  4277. --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
  4278. 0.2.9.8, which were built with -ftrapv by default. In other cases
  4279. it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
  4280. on 0.0.8pre1. Found by OSS-Fuzz.
  4281. o Minor features (security, memory erasure, backport from 0.2.8.1-alpha):
  4282. - Make memwipe() do nothing when passed a NULL pointer or buffer of
  4283. zero size. Check size argument to memwipe() for underflow. Fixes
  4284. bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha. Reported by "gk",
  4285. patch by "teor".
  4286. o Minor features (bug-resistance, backport from 0.2.8.2-alpha):
  4287. - Make Tor survive errors involving connections without a
  4288. corresponding event object. Previously we'd fail with an
  4289. assertion; now we produce a log message. Related to bug 16248.
  4290. o Minor features (DoS-resistance, backport from 0.2.7.1-alpha):
  4291. - Make it harder for attackers to overload hidden services with
  4292. introductions, by blocking multiple introduction requests on the
  4293. same circuit. Resolves ticket 15515.
  4294. o Minor features (geoip):
  4295. - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
  4296. Country database.
  4297. o Minor bugfixes (compilation, backport from 0.2.7.6):
  4298. - Fix a compilation warning with Clang 3.6: Do not check the
  4299. presence of an address which can never be NULL. Fixes bug 17781.
  4300. o Minor bugfixes (hidden service, backport from 0.2.7.1-alpha):
  4301. - Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
  4302. a client authorized hidden service. Fixes bug 15823; bugfix
  4303. on 0.2.1.6-alpha.

Changes in version 0.2.9.10 - 2017-03-01
  Tor 0.2.9.10 backports a security fix from a later Tor release. It also
  includes fixes for some major issues affecting directory authorities,
  LibreSSL compatibility, and IPv6 correctness.

  The Tor 0.2.9.x release series is now marked as a long-term-support
  series. We intend to backport security fixes to 0.2.9.x until at
  least January of 2020.

  o Major bugfixes (directory authority, 0.3.0.3-alpha):
    - During voting, when marking a relay as a probable sybil, do not
      clear its BadExit flag: sybils can still be bad in other ways
      too. (We still clear the other flags.) Fixes bug 21108; bugfix
      on 0.2.0.13-alpha.

  o Major bugfixes (IPv6 Exits, backport from 0.3.0.3-alpha):
    - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects
      any IPv6 addresses. Instead, only reject a port over IPv6 if the
      exit policy rejects that port on more than an IPv6 /16 of
      addresses. This bug was made worse by 17027 in 0.2.8.1-alpha,
      which rejected a relay's own IPv6 address by default. Fixes bug
      21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha.

  o Major bugfixes (parsing, also in 0.3.0.4-rc):
    - Fix an integer underflow bug when comparing malformed Tor
      versions. This bug could crash Tor when built with
      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor
      0.2.9.8, which were built with -ftrapv by default. In other cases
      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix
      on 0.0.8pre1. Found by OSS-Fuzz.

  o Minor features (directory authorities, also in 0.3.0.4-rc):
    - Directory authorities now reject descriptors that claim to be
      malformed versions of Tor. Helps prevent exploitation of
      bug 21278.
    - Reject version numbers with components that exceed INT32_MAX.
      Otherwise 32-bit and 64-bit platforms would behave inconsistently.
      Fixes bug 21450; bugfix on 0.0.8pre1.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 8 2017 Maxmind GeoLite2
      Country database.

  o Minor features (portability, compilation, backport from 0.3.0.3-alpha):
    - Autoconf now checks to determine if OpenSSL structures are opaque,
      instead of explicitly checking for OpenSSL version numbers. Part
      of ticket 21359.
    - Support building with recent LibreSSL code that uses opaque
      structures. Closes ticket 21359.

  o Minor bugfixes (code correctness, also in 0.3.0.4-rc):
    - Repair a couple of (unreachable or harmless) cases of the risky
      comparison-by-subtraction pattern that caused bug 21278.

  o Minor bugfixes (tor-resolve, backport from 0.3.0.3-alpha):
    - The tor-resolve command line tool now rejects hostnames over 255
      characters in length. Previously, it would silently truncate them,
      which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5.
      Patch by "junglefowl".
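
The comparison-by-subtraction pattern named in the bug 21278 entries above, shown beside an overflow-free comparator and a parser that rejects components above INT32_MAX. This is an added example, not Tor's code: the ver_t layout, the simplified four-part "A.B.C.D" format and every function name are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define VER_PARTS 4 /* assumed simplified format: "A.B.C.D", no status tag */

/* Hypothetical version record for this example; not Tor's own structure. */
typedef struct { int part[VER_PARTS]; } ver_t;

/* The risky pattern: the sign of a - b is only meaningful when the
 * subtraction does not overflow. Signed overflow is undefined behavior in C
 * and aborts the process when the code is built with -ftrapv. */
int cmp_by_subtraction(int a, int b) { return a - b; }

/* Report, without performing it, whether a - b would overflow int. */
int sub_would_overflow(int a, int b) {
  return (b > 0 && a < INT_MIN + b) || (b < 0 && a > INT_MAX + b);
}

/* Overflow-free three-way comparison: returns -1, 0 or 1. */
int cmp_int(int a, int b) { return (a > b) - (a < b); }

/* Would a subtraction-based version comparator overflow on this pair?
 * Such a comparator subtracts component by component and returns at the
 * first nonzero difference, so later components are never reached. */
int ver_compare_would_trap(const ver_t *a, const ver_t *b) {
  for (int i = 0; i < VER_PARTS; i++) {
    if (sub_would_overflow(a->part[i], b->part[i])) return 1;
    if (a->part[i] != b->part[i]) return 0;
  }
  return 0;
}

/* Hardened comparator: same ordering, no arithmetic on the components. */
int ver_compare(const ver_t *a, const ver_t *b) {
  for (int i = 0; i < VER_PARTS; i++) {
    int c = cmp_int(a->part[i], b->part[i]);
    if (c) return c;
  }
  return 0;
}

/* Strict parser: exactly VER_PARTS dot-separated decimal components, each in
 * [0, INT32_MAX], no sign, no whitespace, no trailing bytes.
 * Returns 0 on success and -1 on a malformed string. */
int ver_parse_strict(const char *s, ver_t *out) {
  for (int i = 0; i < VER_PARTS; i++) {
    char *end;
    if (*s < '0' || *s > '9') return -1; /* strtoull alone would accept "-1" */
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || v > (unsigned long long)INT32_MAX) return -1;
    out->part[i] = (int)v;
    s = end;
    if (i < VER_PARTS - 1) {
      if (*s != '.') return -1;
      s++;
    }
  }
  return *s == '\0' ? 0 : -1;
}

int main(void) {
  /* Constructed inputs: a component a lenient parser could let through. */
  ver_t malformed = {{INT_MIN, 0, 0, 0}}, sane = {{0, 2, 9, 10}}, probe;
  sane.part[0] = 2; /* INT_MIN - 2 is below INT_MIN */
  printf("subtraction would overflow: %d\n",
         ver_compare_would_trap(&malformed, &sane));
  printf("hardened compare:           %d\n", ver_compare(&malformed, &sane));
  printf("strict parse of -1.2.9.10:  %d\n",
         ver_parse_strict("-1.2.9.10", &probe));
  return 0;
}
```
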

Changes in version 0.2.9.9 - 2017-01-23
  Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could
  cause relays and clients to crash, even if they were not built with
  the --enable-expensive-hardening option. This bug affects all 0.2.9.x
  versions, and also affects 0.3.0.1-alpha: all relays running an affected
  version should upgrade.

  This release also resolves a client-side onion service reachability
  bug, and resolves a pair of small portability issues.

  o Major bugfixes (security):
    - Downgrade the "-ftrapv" option from "always on" to "only on when
      --enable-expensive-hardening is provided." This hardening option,
      like others, can turn survivable bugs into crashes -- and having
      it on by default made a (relatively harmless) integer overflow bug
      into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
      bugfix on 0.2.9.1-alpha.

  o Major bugfixes (client, onion service):
    - Fix a client-side onion service reachability bug, where multiple
      socks requests to an onion service (or a single slow request)
      could cause us to mistakenly mark some of the service's
      introduction points as failed, and we cache that failure so
      eventually we run out and can't reach the service. Also resolves a
      mysterious "Remote server sent bogus reason code 65021" log
      warning. The bug was introduced in ticket 17218, where we tried to
      remember the circuit end reason as a uint16_t, which mangled
      negative values. Partially fixes bug 21056 and fixes bug 20307;
      bugfix on 0.2.8.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (portability):
    - Avoid crashing when Tor is built using headers that contain
      CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
      without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
      on 0.2.9.1-alpha.
    - Fix Libevent detection on platforms without Libevent 1 headers
      installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.

Changes in version 0.2.8.12 - 2016-12-19
  Tor 0.2.8.12 backports a fix for a medium-severity issue (bug 21018
  below) where Tor clients could crash when attempting to visit a
  hostile hidden service. Clients are recommended to upgrade as packages
  become available for their systems.

  It also includes an updated list of fallback directories, backported
  from 0.2.9.

  Now that the Tor 0.2.9 series is stable, only major bugfixes will be
  backported to 0.2.8 in the future.

  o Major bugfixes (parsing, security, backported from 0.2.9.8):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Minor features (fallback directory list, backported from 0.2.9.8):
    - Replace the 81 remaining fallbacks of the 100 originally
      introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
      fallbacks (123 new, 54 existing, 27 removed) generated in December
      2016. Resolves ticket 20170.

  o Minor features (geoip, backported from 0.2.9.7-rc):
    - Update geoip and geoip6 to the December 7 2016 Maxmind GeoLite2
      Country database.

Changes in version 0.2.9.8 - 2016-12-19
  Tor 0.2.9.8 is the first stable release of the Tor 0.2.9 series.

  The Tor 0.2.9 series makes mandatory a number of security features
  that were formerly optional. It includes support for a new shared-
  randomness protocol that will form the basis for next generation
  hidden services, includes a single-hop hidden service mode for
  optimizing .onion services that don't actually want to be hidden,
  tries harder not to overload the directory authorities with excessive
  downloads, and supports a better protocol versioning scheme for
  improved compatibility with other implementations of the Tor protocol.
  And of course, there are numerous other bugfixes and improvements.

  This release also includes a fix for a medium-severity issue (bug
  21018 below) where Tor clients could crash when attempting to visit a
  hostile hidden service. Clients are recommended to upgrade as packages
  become available for their systems.

  Below are listed the changes since Tor 0.2.8.11. For a list of
  changes since 0.2.9.7-rc, see the ChangeLog file.

  o New system requirements:
    - When building with OpenSSL, Tor now requires version 1.0.1 or
      later. OpenSSL 1.0.0 and earlier are no longer supported by the
      OpenSSL team, and should not be used. Closes ticket 20303.
    - Tor now requires Libevent version 2.0.10-stable or later. Older
      versions of Libevent have less efficient backends for several
      platforms, and lack the DNS code that we use for our server-side
      DNS support. This implements ticket 19554.
    - Tor now requires zlib version 1.2 or later, for security,
      efficiency, and (eventually) gzip support. (Back when we started,
      zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
      released in 2003. We recommend the latest version.)

  o Deprecated features:
    - A number of DNS-cache-related sub-options for client ports are now
      deprecated for security reasons, and may be removed in a future
      version of Tor. (We believe that client-side DNS caching is a bad
      idea for anonymity, and you should not turn it on.) The options
      are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache,
      UseIPv4Cache, and UseIPv6Cache.
    - A number of options are deprecated for security reasons, and may
      be removed in a future version of Tor. The options are:
      AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
      AllowSingleHopExits, ClientDNSRejectInternalAddresses,
      CloseHSClientCircuitsImmediatelyOnTimeout,
      CloseHSServiceRendCircuitsImmediatelyOnTimeout,
      ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
      UseNTorHandshake, and WarnUnsafeSocks.
    - The *ListenAddress options are now deprecated as unnecessary: the
      corresponding *Port options should be used instead. These options
      may someday be removed. The affected options are:
      ControlListenAddress, DNSListenAddress, DirListenAddress,
      NATDListenAddress, ORListenAddress, SocksListenAddress,
      and TransListenAddress.

  o Major bugfixes (parsing, security, new since 0.2.9.7-rc):
    - Fix a bug in parsing that could cause clients to read a single
      byte past the end of an allocated region. This bug could be used
      to cause hardened clients (built with --enable-expensive-hardening)
      to crash if they tried to visit a hostile hidden service. Non-
      hardened clients are only affected depending on the details of
      their platform's memory allocator. Fixes bug 21018; bugfix on
      0.2.0.8-alpha. Found by using libFuzzer. Also tracked as TROVE-
      2016-12-002 and as CVE-2016-1254.

  o Major features (build, hardening):
    - Tor now builds with -ftrapv by default on compilers that support
      it. This option detects signed integer overflow (which C forbids),
      and turns it into a hard-failure. We do not apply this option to
      code that needs to run in constant time to avoid side-channels;
      instead, we use -fwrapv in that code. Closes ticket 17983.
    - When --enable-expensive-hardening is selected, stop applying the
      clang/gcc sanitizers to code that needs to run in constant time.
      Although we are aware of no introduced side-channels, we are not
      able to prove that there are none. Related to ticket 17983.

  o Major features (circuit building, security):
    - Authorities, relays, and clients now require ntor keys in all
      descriptors, for all hops (except for rare hidden service protocol
      cases), for all circuits, and for all other roles. Part of
      ticket 19163.
    - Authorities, relays, and clients only use ntor, except for
      rare cases in the hidden service protocol. Part of ticket 19163.

  o Major features (compilation):
    - Our big list of extra GCC warnings is now enabled by default when
      building with GCC (or with anything like Clang that claims to be
      GCC-compatible). To make all warnings into fatal compilation
      errors, pass --enable-fatal-warnings to configure. Closes
      ticket 19044.
    - Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically
      turn on C and POSIX extensions. (Previously, we attempted to do
      this on an ad hoc basis.) Closes ticket 19139.

  o Major features (directory authorities, hidden services):
    - Directory authorities can now perform the shared randomness
      protocol specified by proposal 250. Using this protocol, directory
      authorities generate a global fresh random value every day. In the
      future, this value will be used by hidden services to select
      HSDirs. This release implements the directory authority feature;
      the hidden service side will be implemented in the future as part
      of proposal 224. Resolves ticket 16943; implements proposal 250.

  o Major features (downloading, random exponential backoff):
    - When we fail to download an object from a directory service, wait
      for an (exponentially increasing) randomized amount of time before
      retrying, rather than a fixed interval as we did before. This
      prevents a group of Tor instances from becoming too synchronized,
      or a single Tor instance from becoming too predictable, in its
      download schedule. Closes ticket 15942.

  o Major features (resource management):
    - Tor can now notice it is about to run out of sockets, and
      preemptively close connections of lower priority. (This feature is
      off by default for now, since the current prioritizing method is
      not yet mature enough. You can enable it by setting
      "DisableOOSCheck 0", but watch out: it might close some sockets
      you would rather have it keep.) Closes ticket 18640.

  o Major features (single-hop "hidden" services):
    - Add experimental HiddenServiceSingleHopMode and
      HiddenServiceNonAnonymousMode options. When both are set to 1,
      every hidden service on that Tor instance becomes a non-anonymous
      Single Onion Service. Single Onions make one-hop (direct)
      connections to their introduction and rendezvous points. One-hop
      circuits make Single Onion servers easily locatable, but clients
      remain location-anonymous. This is compatible with the existing
      hidden service implementation, and works on the current Tor
      network without any changes to older relays or clients. Implements
      proposal 260, completes ticket 17178. Patch by teor and asn.

  o Major features (subprotocol versions):
    - Tor directory authorities now vote on a set of recommended
      "subprotocol versions", and on a set of required subprotocol
      versions. Clients and relays that lack support for a _required_
      subprotocol version will not start; those that lack support for a
      _recommended_ subprotocol version will warn the user to upgrade.
      This change allows compatible implementations of the Tor protocol(s)
      to exist without pretending to be 100% bug-compatible with
      particular releases of Tor itself. Closes ticket 19958; implements
      part of proposal 264.

  o Major bugfixes (circuit building):
    - Hidden service client-to-intro-point and service-to-rendezvous-
      point circuits use the TAP key supplied by the protocol, to avoid
      epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.

  o Major bugfixes (download scheduling):
    - Avoid resetting download status for consensuses hourly, since we
      already have another, smarter retry mechanism. Fixes bug 8625;
      bugfix on 0.2.0.9-alpha.
    - If a consensus expires while we are waiting for certificates to
      download, stop waiting for certificates.
    - If we stop waiting for certificates less than a minute after we
      started downloading them, do not consider the certificate download
      failure a separate failure. Fixes bug 20533; bugfix
      on 0.2.0.9-alpha.
    - When using exponential backoff in test networks, use a lower
      exponent, so the delays do not vary as much. This helps test
      networks bootstrap consistently. Fixes bug 20597; bugfix on 20499.

  o Major bugfixes (exit policies):
    - Avoid disclosing exit outbound bind addresses, configured port
      bind addresses, and local interface addresses in relay descriptors
      by default under ExitPolicyRejectPrivate. Instead, only reject
      these (otherwise unlisted) addresses if
      ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on
      0.2.7.2-alpha. Patch by teor.

  o Major bugfixes (hidden services):
    - Allow Tor clients with appropriate controllers to work with
      FetchHidServDescriptors set to 0. Previously, this option also
      disabled descriptor cache lookup, thus breaking hidden services
      entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".
    - Clients now require hidden services to include the TAP keys for
      their intro points in the hidden service descriptor. This prevents
      an inadvertent upgrade to ntor, which a malicious hidden service
      could use to distinguish clients by consensus version. Fixes bug
      20012; bugfix on 0.2.4.8-alpha. Patch by teor.

  o Major bugfixes (relay, resolver, logging):
    - For relays that don't know their own address, avoid attempting a
      local hostname resolve for each descriptor we download. This
      will cut down on the number of "Success: chose address 'x.x.x.x'"
      log lines, and also avoid confusing clock jumps if the resolver
      is slow. Fixes bugs 20423 and 20610; bugfix on 0.2.8.1-alpha.

  o Minor features (port flags):
    - Add new flags to the *Port options to give finer control over which
      requests are allowed. The flags are NoDNSRequest, NoOnionTraffic,
      and the synthetic flag OnionTrafficOnly, which is equivalent to
      NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic. Closes enhancement
      18693; patch by "teor".

  o Minor features (build, hardening):
    - Detect and work around a libclang_rt problem that would prevent
      clang from finding __mulodi4() on some 32-bit platforms, and thus
      keep -ftrapv from linking on those systems. Closes ticket 19079.
    - When building on a system without runtime support for the runtime
      hardening options, try to log a useful warning at configuration
      time, rather than an incomprehensible warning at link time. If
      expensive hardening was requested, this warning becomes an error.
      Closes ticket 18895.

  o Minor features (client, directory):
    - Since authorities now omit all routers that lack the Running and
      Valid flags, we assume that any relay listed in the consensus must
      have those flags. Closes ticket 20001; implements part of
      proposal 272.

  o Minor features (code safety):
    - In our integer-parsing functions, ensure that the maximum value we
      allow is no smaller than the minimum value. Closes ticket 19063;
      patch from "U+039b".

  o Minor features (compilation, portability):
    - Compile correctly on MacOS 10.12 (aka "Sierra"). Closes
      ticket 20241.

  o Minor features (config):
    - Warn users when descriptor and port addresses are inconsistent.
      Mitigates bug 13953; patch by teor.

  o Minor features (controller):
    - Allow controllers to configure basic client authorization on
      hidden services when they create them with the ADD_ONION controller
      command. Implements ticket 15588. Patch by "special".
    - Fire a STATUS_SERVER controller event whenever the hibernation
      status changes between "awake"/"soft"/"hard". Closes ticket 18685.
    - Implement new GETINFO queries for all downloads that use
      download_status_t to schedule retries. This allows controllers to
      examine the schedule for pending downloads. Closes ticket 19323.

  o Minor features (development tools, etags):
    - Teach the "make tags" Makefile target how to correctly find
      "MOCK_IMPL" function definitions. Patch from nherring; closes
      ticket 16869.

  o Minor features (directory authority):
    - After voting, if the authorities decide that a relay is not
      "Valid", they no longer include it in the consensus at all. Closes
      ticket 20002; implements part of proposal 272.
    - Directory authorities now only give the Guard flag to a relay if
      they are also giving it the Stable flag. This change allows us to
      simplify path selection for clients. It should have minimal effect
      in practice, since >99% of Guards already have the Stable flag.
      Implements ticket 18624.
    - Directory authorities now write their v3-status-votes file out to
      disk earlier in the consensus process, so we have a record of the
      votes even if we abort the consensus process. Resolves
      ticket 19036.

  o Minor features (fallback directory list, new since 0.2.9.7-rc):
    - Replace the 81 remaining fallbacks of the 100 originally
      introduced in Tor 0.2.8.3-alpha in March 2016, with a list of 177
      fallbacks (123 new, 54 existing, 27 removed) generated in December
      2016. Resolves ticket 20170.

  o Minor features (hidden service):
    - Stop being so strict about the payload length of "rendezvous1"
      cells. We used to be locked in to the "TAP" handshake length, and
      now we can handle better handshakes like "ntor". Resolves
      ticket 18998.

  o Minor features (infrastructure, time):
    - Tor now includes an improved timer backend, so that we can
      efficiently support tens or hundreds of thousands of concurrent
      timers, as will be needed for some of our planned anti-traffic-
      analysis work. This code is based on William Ahern's "timeout.c"
      project, which implements a "tickless hierarchical timing wheel".
      Closes ticket 18365.
    - Tor now uses the operating system's monotonic timers (where
      available) for internal fine-grained timing. Previously we would
      look at the system clock, and then attempt to compensate for the
      clock running backwards. Closes ticket 18908.

  o Minor features (logging):
    - Add a set of macros to check nonfatal assertions, for internal
      use. Migrating more of our checks to these should help us avoid
      needless crash bugs. Closes ticket 18613.
    - Provide a more useful warning message when configured with an
      invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".
    - When dumping unparseable router descriptors, optionally store them
      in separate files, named by digest, up to a configurable size
      limit. You can change the size limit by setting the
      MaxUnparseableDescSizeToLog option, and disable this feature by
      setting that option to 0. Closes ticket 18322.

  o Minor features (performance):
    - Change the "optimistic data" extension from "off by default" to
      "on by default". The default was ordinarily overridden by a
      consensus option, but when clients were bootstrapping for the
      first time, they would not have a consensus to get the option
      from. Changing this default saves a round-trip during startup.
      Closes ticket 18815.

  o Minor features (relay, usability):
    - When the directory authorities refuse a bad relay's descriptor,
      encourage the relay operator to contact us. Many relay operators
      won't notice this line in their logs, but it's a win if even a few
      learn why we don't like what their relay was doing. Resolves
      ticket 18760.

  o Minor features (security, TLS):
    - Servers no longer support clients that lack AES ciphersuites.
      (3DES is no longer considered an acceptable cipher.) We believe
      that no such Tor clients currently exist, since Tor has required
      OpenSSL 0.9.7 or later since 2009. Closes ticket 19998.

  o Minor features (testing):
    - Disable memory protections on OpenBSD when performing our unit
      tests for memwipe(). The test deliberately invokes undefined
      behavior, and the OpenBSD protections interfere with this. Patch
      from "rubiate". Closes ticket 20066.
    - Move the test-network.sh script to chutney, and modify tor's test-
      network.sh to call the (newer) chutney version when available.
      Resolves ticket 19116. Patch by teor.
    - Use the lcov convention for marking lines as unreachable, so that
      we don't count them when we're generating test coverage data.
      Update our coverage tools to understand this convention. Closes
      ticket 16792.
    - Our link-handshake unit tests now check that when invalid
      handshakes fail, they fail with the error messages we expected.
    - Our unit testing code that captures log messages no longer
      prevents them from being written out if the user asked for them
      (by passing --debug or --info or --notice or --warn to the "test"
      binary). This change prevents us from missing unexpected log
      messages simply because we were looking for others. Related to
      ticket 19999.
    - The unit tests now log all warning messages with the "BUG" flag.
      Previously, they only logged errors by default. This change will
      help us make our testing code more correct, and make sure that we
      only hit this code when we mean to. In the meantime, however,
      there will be more warnings in the unit test logs than before.
      This is preparatory work for ticket 19999.
    - The unit tests now treat any failure of a "tor_assert_nonfatal()"
      assertion as a test failure.
    - We've done significant work to make the unit tests run faster.

  o Minor features (testing, ipv6):
    - Add the hs-ipv6 chutney target to make test-network-all's IPv6
      tests. Remove bridges+hs, as it's somewhat redundant. This
      requires a recent chutney version that supports IPv6 clients,
      relays, and authorities. Closes ticket 20069; patch by teor.
    - Add the single-onion and single-onion-ipv6 chutney targets to
      "make test-network-all". This requires a recent chutney version
      with the single onion network flavors (git c72a652 or later).
      Closes ticket 20072; patch by teor.

  o Minor features (Tor2web):
    - Make Tor2web clients respect ReachableAddresses. This feature was
      inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on
      0.2.8.7. Implements feature 20034. Patch by teor.

  o Minor features (unix domain sockets):
    - When configuring a unix domain socket for a SocksPort,
      ControlPort, or Hidden service, you can now wrap the address in
      quotes, using C-style escapes inside the quotes. This allows unix
      domain socket paths to contain spaces. Resolves ticket 18753.

  o Minor features (user interface):
    - Tor now supports the ability to declare options deprecated, so
      that we can recommend that people stop using them. Previously, this
      was done in an ad-hoc way. There is a new --list-deprecated-options
      command-line option to list all of the deprecated options. Closes
      ticket 19820.

  o Minor features (virtual addresses):
    - Increase the maximum number of bits for the IPv6 virtual network
      prefix from 16 to 104. In this way, the condition for address
      allocation is less restrictive. Closes ticket 20151; feature
      on 0.2.4.7-alpha.

  o Minor bug fixes (circuits):
    - Use the CircuitBuildTimeout option whenever
      LearnCircuitBuildTimeout is disabled. Previously, we would respect
      the option when a user disabled it, but not when it was disabled
      because some other option was set. Fixes bug 20073; bugfix on
      0.2.4.12-alpha. Patch by teor.

  o Minor bugfixes (build):
    - The current Git revision when building from a local repository is
      now detected correctly when using git worktrees. Fixes bug 20492;
      bugfix on 0.2.3.9-alpha.

  o Minor bugfixes (relay address discovery):
    - Stop reordering IP addresses returned by the OS. This makes it
      more likely that Tor will guess the same relay IP address every
      time. Fixes issue 20163; bugfix on 0.2.7.1-alpha, ticket 17027.
      Reported by René Mayrhofer, patch by "cypherpunks".

  o Minor bugfixes (memory allocation):
    - Change how we allocate memory for large chunks on buffers, to
      avoid a (currently impossible) integer overflow, and to waste less
      space when allocating unusually large chunks. Fixes bug 20081;
      bugfix on 0.2.0.16-alpha. Issue identified by Guido Vranken.

  o Minor bugfixes (bootstrap):
    - Remember the directory server we fetched the consensus or previous
      certificates from, and use it to fetch future authority
      certificates. This change improves bootstrapping performance.
      Fixes bug 18963; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (circuits):
    - Make sure extend_info_from_router() is only called on servers.
      Fixes bug 19639; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (client, fascistfirewall):
    - Avoid spurious warnings when ReachableAddresses or FascistFirewall
      is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (client, unix domain sockets):
    - Disable IsolateClientAddr when using AF_UNIX backed SocksPorts as
      the client address is meaningless. Fixes bug 20261; bugfix
      on 0.2.6.3-alpha.

  o Minor bugfixes (code style):
    - Fix an integer signedness conversion issue in the case conversion
      tables. Fixes bug 19168; bugfix on 0.2.1.11-alpha.

  o Minor bugfixes (compilation):
    - Build correctly on versions of libevent2 without support for
      evutil_secure_rng_add_bytes(). Fixes bug 19904; bugfix
      on 0.2.5.4-alpha.
    - When building with Clang, use a full set of GCC warnings.
      (Previously, we included only a subset, because of the way we
      detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha.
    - Detect Libevent2 functions correctly on systems that provide
      libevent2, but where libevent1 is linked with -levent. Fixes bug
      19904; bugfix on 0.2.2.24-alpha. Patch from Rubiate.
    - Run correctly when built on Windows build environments that
      require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.

  o Minor bugfixes (configuration):
    - When parsing quoted configuration values from the torrc file,
      handle Windows line endings correctly. Fixes bug 19167; bugfix on
      0.2.0.16-alpha. Patch from "Pingl".

  o Minor bugfixes (directory authority):
    - Authorities now sort the "package" lines in their votes, for ease
      of debugging. (They are already sorted in consensus documents.)
      Fixes bug 18840; bugfix on 0.2.6.3-alpha.
    - Die with a more useful error when the operator forgets to place
      the authority_signing_key file into the keys directory. This
      avoids an uninformative assert & traceback about having an invalid
      key. Fixes bug 20065; bugfix on 0.2.0.1-alpha.
    - When allowing private addresses, mark Exits that only exit to
      private locations as such. Fixes bug 20064; bugfix
      on 0.2.2.9-alpha.
    - When parsing a detached signature, make sure we use the length of
      the digest algorithm instead of a hardcoded DIGEST256_LEN in
      order to avoid comparing bytes out-of-bounds with a smaller digest
      length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha.

  o Minor bugfixes (getpass):
    - Defensively fix a non-triggerable heap corruption at do_getpass()