				@@ -3,6 +3,598 @@ of Tor. If you want to see more detailed descriptions of the changes in 
				 each development snapshot, see the ChangeLog file. 
				  
				  
				+Changes in version 0.3.0.6 - 2017-04-26 
				+  Tor 0.3.0.6 is the first stable release of the Tor 0.3.0 series. 
				+ 
				+  With the 0.3.0 series, clients and relays now use Ed25519 keys to 
				+  authenticate their link connections to relays, rather than the old 
				+  RSA1024 keys that they used before. (Circuit crypto has been 
				+  Curve25519-authenticated since 0.2.4.8-alpha.) We have also replaced 
				+  the guard selection and replacement algorithm to behave more robustly 
				+  in the presence of unreliable networks, and to resist guard- 
				+  capture attacks. 
				+ 
				+  This series also includes numerous other small features and bugfixes, 
				+  along with more groundwork for the upcoming hidden-services revamp. 
				+ 
				+  Per our stable release policy, we plan to support the Tor 0.3.0 
				+  release series for at least the next nine months, or for three months 
				+  after the first stable release of the 0.3.1 series: whichever is 
				+  longer. If you need a release with long-term support, we recommend 
				+  that you stay with the 0.2.9 series. 
				+ 
				+  Below are the changes since 0.2.9.10. For a list of only the changes 
				+  since 0.3.0.5-rc, see the ChangeLog file. 
				+ 
				+  o Major features (directory authority, security): 
				+    - The default for AuthDirPinKeys is now 1: directory authorities 
				+      will reject relays where the RSA identity key matches a previously 
				+      seen value, but the Ed25519 key has changed. Closes ticket 18319. 
				+ 
				+  o Major features (guard selection algorithm): 
				+    - Tor's guard selection algorithm has been redesigned from the 
				+      ground up, to better support unreliable networks and restrictive 
				+      sets of entry nodes, and to better resist guard-capture attacks by 
				+      hostile local networks. Implements proposal 271; closes 
				+      ticket 19877. 
				+ 
				+  o Major features (next-generation hidden services): 
				+    - Relays can now handle v3 ESTABLISH_INTRO cells as specified by 
				+      prop224 aka "Next Generation Hidden Services". Service and clients 
				+      don't use this functionality yet. Closes ticket 19043. Based on 
				+      initial code by Alec Heifetz. 
				+    - Relays now support the HSDir version 3 protocol, so that they can 
				+      can store and serve v3 descriptors. This is part of the next- 
				+      generation onion service work detailled in proposal 224. Closes 
				+      ticket 17238. 
				+ 
				+  o Major features (protocol, ed25519 identity keys): 
				+    - Clients now support including Ed25519 identity keys in the EXTEND2 
				+      cells they generate. By default, this is controlled by a consensus 
				+      parameter, currently disabled. You can turn this feature on for 
				+      testing by setting ExtendByEd25519ID in your configuration. This 
				+      might make your traffic appear different than the traffic 
				+      generated by other users, however. Implements part of ticket 
				+      15056; part of proposal 220. 
				+    - Relays now understand requests to extend to other relays by their 
				+      Ed25519 identity keys. When an Ed25519 identity key is included in 
				+      an EXTEND2 cell, the relay will only extend the circuit if the 
				+      other relay can prove ownership of that identity. Implements part 
				+      of ticket 15056; part of proposal 220. 
				+    - Relays now use Ed25519 to prove their Ed25519 identities and to 
				+      one another, and to clients. This algorithm is faster and more 
				+      secure than the RSA-based handshake we've been doing until now. 
				+      Implements the second big part of proposal 220; Closes 
				+      ticket 15055. 
				+ 
				+  o Major features (security): 
				+    - Change the algorithm used to decide DNS TTLs on client and server 
				+      side, to better resist DNS-based correlation attacks like the 
				+      DefecTor attack of Greschbach, Pulls, Roberts, Winter, and 
				+      Feamster. Now relays only return one of two possible DNS TTL 
				+      values, and clients are willing to believe DNS TTL values up to 3 
				+      hours long. Closes ticket 19769. 
				+ 
				+  o Major bugfixes (client, onion service, also in 0.2.9.9): 
				+    - Fix a client-side onion service reachability bug, where multiple 
				+      socks requests to an onion service (or a single slow request) 
				+      could cause us to mistakenly mark some of the service's 
				+      introduction points as failed, and we cache that failure so 
				+      eventually we run out and can't reach the service. Also resolves a 
				+      mysterious "Remote server sent bogus reason code 65021" log 
				+      warning. The bug was introduced in ticket 17218, where we tried to 
				+      remember the circuit end reason as a uint16_t, which mangled 
				+      negative values. Partially fixes bug 21056 and fixes bug 20307; 
				+      bugfix on 0.2.8.1-alpha. 
				+ 
				+  o Major bugfixes (crash, directory connections): 
				+    - Fix a rare crash when sending a begin cell on a circuit whose 
				+      linked directory connection had already been closed. Fixes bug 
				+      21576; bugfix on 0.2.9.3-alpha. Reported by Alec Muffett. 
				+ 
				+  o Major bugfixes (directory authority): 
				+    - During voting, when marking a relay as a probable sybil, do not 
				+      clear its BadExit flag: sybils can still be bad in other ways 
				+      too. (We still clear the other flags.) Fixes bug 21108; bugfix 
				+      on 0.2.0.13-alpha. 
				+ 
				+  o Major bugfixes (DNS): 
				+    - Fix a bug that prevented exit nodes from caching DNS records for 
				+      more than 60 seconds. Fixes bug 19025; bugfix on 0.2.4.7-alpha. 
				+ 
				+  o Major bugfixes (IPv6 Exits): 
				+    - Stop rejecting all IPv6 traffic on Exits whose exit policy rejects 
				+      any IPv6 addresses. Instead, only reject a port over IPv6 if the 
				+      exit policy rejects that port on more than an IPv6 /16 of 
				+      addresses. This bug was made worse by 17027 in 0.2.8.1-alpha, 
				+      which rejected a relay's own IPv6 address by default. Fixes bug 
				+      21357; bugfix on commit 004f3f4e53 in 0.2.4.7-alpha. 
				+ 
				+  o Major bugfixes (parsing): 
				+    - Fix an integer underflow bug when comparing malformed Tor 
				+      versions. This bug could crash Tor when built with 
				+      --enable-expensive-hardening, or on Tor 0.2.9.1-alpha through Tor 
				+      0.2.9.8, which were built with -ftrapv by default. In other cases 
				+      it was harmless. Part of TROVE-2017-001. Fixes bug 21278; bugfix 
				+      on 0.0.8pre1. Found by OSS-Fuzz. 
				+    - When parsing a malformed content-length field from an HTTP 
				+      message, do not read off the end of the buffer. This bug was a 
				+      potential remote denial-of-service attack against Tor clients and 
				+      relays. A workaround was released in October 2016, to prevent this 
				+      bug from crashing Tor. This is a fix for the underlying issue, 
				+      which should no longer matter (if you applied the earlier patch). 
				+      Fixes bug 20894; bugfix on 0.2.0.16-alpha. Bug found by fuzzing 
				+      using AFL (http://lcamtuf.coredump.cx/afl/). 
				+ 
				+  o Major bugfixes (scheduler): 
				+    - Actually compare circuit policies in ewma_cmp_cmux(). This bug 
				+      caused the channel scheduler to behave more or less randomly, 
				+      rather than preferring channels with higher-priority circuits. 
				+      Fixes bug 20459; bugfix on 0.2.6.2-alpha. 
				+ 
				+  o Major bugfixes (security, also in 0.2.9.9): 
				+    - Downgrade the "-ftrapv" option from "always on" to "only on when 
				+      --enable-expensive-hardening is provided." This hardening option, 
				+      like others, can turn survivable bugs into crashes--and having it 
				+      on by default made a (relatively harmless) integer overflow bug 
				+      into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001); 
				+      bugfix on 0.2.9.1-alpha. 
				+ 
				+  o Minor feature (client): 
				+    - Enable IPv6 traffic on the SocksPort by default. To disable this, 
				+      a user will have to specify "NoIPv6Traffic". Closes ticket 21269. 
				+ 
				+  o Minor feature (fallback scripts): 
				+    - Add a check_existing mode to updateFallbackDirs.py, which checks 
				+      if fallbacks in the hard-coded list are working. Closes ticket 
				+      20174. Patch by haxxpop. 
				+ 
				+  o Minor feature (protocol versioning): 
				+    - Add new protocol version for proposal 224. HSIntro now advertises 
				+      version "3-4" and HSDir version "1-2". Fixes ticket 20656. 
				+ 
				+  o Minor features (ciphersuite selection): 
				+    - Allow relays to accept a wider range of ciphersuites, including 
				+      chacha20-poly1305 and AES-CCM. Closes the other part of 15426. 
				+    - Clients now advertise a list of ciphersuites closer to the ones 
				+      preferred by Firefox. Closes part of ticket 15426. 
				+ 
				+  o Minor features (controller): 
				+    - Add "GETINFO sr/current" and "GETINFO sr/previous" keys, to expose 
				+      shared-random values to the controller. Closes ticket 19925. 
				+    - When HSFETCH arguments cannot be parsed, say "Invalid argument" 
				+      rather than "unrecognized." Closes ticket 20389; patch from 
				+      Ivan Markin. 
				+ 
				+  o Minor features (controller, configuration): 
				+    - Each of the *Port options, such as SocksPort, ORPort, ControlPort, 
				+      and so on, now comes with a __*Port variant that will not be saved 
				+      to the torrc file by the controller's SAVECONF command. This 
				+      change allows TorBrowser to set up a single-use domain socket for 
				+      each time it launches Tor. Closes ticket 20956. 
				+    - The GETCONF command can now query options that may only be 
				+      meaningful in context-sensitive lists. This allows the controller 
				+      to query the mixed SocksPort/__SocksPort style options introduced 
				+      in feature 20956. Implements ticket 21300. 
				+ 
				+  o Minor features (diagnostic, directory client): 
				+    - Warn when we find an unexpected inconsistency in directory 
				+      download status objects. Prevents some negative consequences of 
				+      bug 20593. 
				+ 
				+  o Minor features (directory authorities): 
				+    - Directory authorities now reject descriptors that claim to be 
				+      malformed versions of Tor. Helps prevent exploitation of 
				+      bug 21278. 
				+    - Reject version numbers with components that exceed INT32_MAX. 
				+      Otherwise 32-bit and 64-bit platforms would behave inconsistently. 
				+      Fixes bug 21450; bugfix on 0.0.8pre1. 
				+ 
				+  o Minor features (directory authority): 
				+    - Add a new authority-only AuthDirTestEd25519LinkKeys option (on by 
				+      default) to control whether authorities should try to probe relays 
				+      by their Ed25519 link keys. This option will go away in a few 
				+      releases--unless we encounter major trouble in our ed25519 link 
				+      protocol rollout, in which case it will serve as a safety option. 
				+ 
				+  o Minor features (directory cache): 
				+    - Relays and bridges will now refuse to serve the consensus they 
				+      have if they know it is too old for a client to use. Closes 
				+      ticket 20511. 
				+ 
				+  o Minor features (ed25519 link handshake): 
				+    - Advertise support for the ed25519 link handshake using the 
				+      subprotocol-versions mechanism, so that clients can tell which 
				+      relays can identity themselves by Ed25519 ID. Closes ticket 20552. 
				+ 
				+  o Minor features (entry guards): 
				+    - Add UseEntryGuards to TEST_OPTIONS_DEFAULT_VALUES in order to not 
				+      break regression tests. 
				+    - Require UseEntryGuards when UseBridges is set, in order to make 
				+      sure bridges aren't bypassed. Resolves ticket 20502. 
				+ 
				+  o Minor features (fallback directories): 
				+    - Allow 3 fallback relays per operator, which is safe now that we 
				+      are choosing 200 fallback relays. Closes ticket 20912. 
				+    - Annotate updateFallbackDirs.py with the bandwidth and consensus 
				+      weight for each candidate fallback. Closes ticket 20878. 
				+    - Display the relay fingerprint when downloading consensuses from 
				+      fallbacks. Closes ticket 20908. 
				+    - Exclude relays affected by bug 20499 from the fallback list. 
				+      Exclude relays from the fallback list if they are running versions 
				+      known to be affected by bug 20499, or if in our tests they deliver 
				+      a stale consensus (i.e. one that expired more than 24 hours ago). 
				+      Closes ticket 20539. 
				+    - Make it easier to change the output sort order of fallbacks. 
				+      Closes ticket 20822. 
				+    - Reduce the minimum fallback bandwidth to 1 MByte/s. Part of 
				+      ticket 18828. 
				+    - Require fallback directories to have the same address and port for 
				+      7 days (now that we have enough relays with this stability). 
				+      Relays whose OnionOO stability timer is reset on restart by bug 
				+      18050 should upgrade to Tor 0.2.8.7 or later, which has a fix for 
				+      this issue. Closes ticket 20880; maintains short-term fix 
				+      in 0.2.8.2-alpha. 
				+    - Require fallbacks to have flags for 90% of the time (weighted 
				+      decaying average), rather than 95%. This allows at least 73% of 
				+      clients to bootstrap in the first 5 seconds without contacting an 
				+      authority. Part of ticket 18828. 
				+    - Select 200 fallback directories for each release. Closes 
				+      ticket 20881. 
				+ 
				+  o Minor features (fingerprinting resistence, authentication): 
				+    - Extend the length of RSA keys used for TLS link authentication to 
				+      2048 bits. (These weren't used for forward secrecy; for forward 
				+      secrecy, we used P256.) Closes ticket 13752. 
				+ 
				+  o Minor features (geoip): 
				+    - Update geoip and geoip6 to the April 4 2017 Maxmind GeoLite2 
				+      Country database. 
				+ 
				+  o Minor features (geoip, also in 0.2.9.9): 
				+    - Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2 
				+      Country database. 
				+ 
				+  o Minor features (infrastructure): 
				+    - Implement smartlist_add_strdup() function. Replaces the use of 
				+      smartlist_add(sl, tor_strdup(str)). Closes ticket 20048. 
				+ 
				+  o Minor features (linting): 
				+    - Enhance the changes file linter to warn on Tor versions that are 
				+      prefixed with "tor-". Closes ticket 21096. 
				+ 
				+  o Minor features (logging): 
				+    - In several places, describe unset ed25519 keys as "<unset>", 
				+      rather than the scary "AAAAAAAA...AAA". Closes ticket 21037. 
				+ 
				+  o Minor features (portability, compilation): 
				+    - Autoconf now checks to determine if OpenSSL structures are opaque, 
				+      instead of explicitly checking for OpenSSL version numbers. Part 
				+      of ticket 21359. 
				+    - Support building with recent LibreSSL code that uses opaque 
				+      structures. Closes ticket 21359. 
				+ 
				+  o Minor features (relay): 
				+    - We now allow separation of exit and relay traffic to different 
				+      source IP addresses, using the OutboundBindAddressExit and 
				+      OutboundBindAddressOR options respectively. Closes ticket 17975. 
				+      Written by Michael Sonntag. 
				+ 
				+  o Minor features (reliability, crash): 
				+    - Try better to detect problems in buffers where they might grow (or 
				+      think they have grown) over 2 GB in size. Diagnostic for 
				+      bug 21369. 
				+ 
				+  o Minor features (testing): 
				+    - During 'make test-network-all', if tor logs any warnings, ask 
				+      chutney to output them. Requires a recent version of chutney with 
				+      the 21572 patch. Implements 21570. 
				+ 
				+  o Minor bugfix (control protocol): 
				+    - The reply to a "GETINFO config/names" request via the control 
				+      protocol now spells the type "Dependent" correctly. This is a 
				+      breaking change in the control protocol. (The field seems to be 
				+      ignored by the most common known controllers.) Fixes bug 18146; 
				+      bugfix on 0.1.1.4-alpha. 
				+    - The GETINFO extra-info/digest/<digest> command was broken because 
				+      of a wrong base16 decode return value check, introduced when 
				+      refactoring that API. Fixes bug 22034; bugfix on 0.2.9.1-alpha. 
				+ 
				+  o Minor bugfix (logging): 
				+    - Don't recommend the use of Tor2web in non-anonymous mode. 
				+      Recommending Tor2web is a bad idea because the client loses all 
				+      anonymity. Tor2web should only be used in specific cases by users 
				+      who *know* and understand the issues. Fixes bug 21294; bugfix 
				+      on 0.2.9.3-alpha. 
				+ 
				+  o Minor bugfixes (bug resilience): 
				+    - Fix an unreachable size_t overflow in base64_decode(). Fixes bug 
				+      19222; bugfix on 0.2.0.9-alpha. Found by Guido Vranken; fixed by 
				+      Hans Jerry Illikainen. 
				+ 
				+  o Minor bugfixes (build): 
				+    - Replace obsolete Autoconf macros with their modern equivalent and 
				+      prevent similar issues in the future. Fixes bug 20990; bugfix 
				+      on 0.1.0.1-rc. 
				+ 
				+  o Minor bugfixes (certificate expiration time): 
				+    - Avoid using link certificates that don't become valid till some 
				+      time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha 
				+ 
				+  o Minor bugfixes (client): 
				+    - Always recover from failures in extend_info_from_node(), in an 
				+      attempt to prevent any recurrence of bug 21242. Fixes bug 21372; 
				+      bugfix on 0.2.3.1-alpha. 
				+    - When clients that use bridges start up with a cached consensus on 
				+      disk, they were ignoring it and downloading a new one. Now they 
				+      use the cached one. Fixes bug 20269; bugfix on 0.2.3.12-alpha. 
				+ 
				+  o Minor bugfixes (code correctness): 
				+    - Repair a couple of (unreachable or harmless) cases of the risky 
				+      comparison-by-subtraction pattern that caused bug 21278. 
				+ 
				+  o Minor bugfixes (config): 
				+    - Don't assert on startup when trying to get the options list and 
				+      LearnCircuitBuildTimeout is set to 0: we are currently parsing the 
				+      options so of course they aren't ready yet. Fixes bug 21062; 
				+      bugfix on 0.2.9.3-alpha. 
				+ 
				+  o Minor bugfixes (configuration): 
				+    - Accept non-space whitespace characters after the severity level in 
				+      the `Log` option. Fixes bug 19965; bugfix on 0.2.1.1-alpha. 
				+    - Support "TByte" and "TBytes" units in options given in bytes. 
				+      "TB", "terabyte(s)", "TBit(s)" and "terabit(s)" were already 
				+      supported. Fixes bug 20622; bugfix on 0.2.0.14-alpha. 
				+ 
				+  o Minor bugfixes (configure, autoconf): 
				+    - Rename the configure option --enable-expensive-hardening to 
				+      --enable-fragile-hardening. Expensive hardening makes the tor 
				+      daemon abort when some kinds of issues are detected. Thus, it 
				+      makes tor more at risk of remote crashes but safer against RCE or 
				+      heartbleed bug category. We now try to explain this issue in a 
				+      message from the configure script. Fixes bug 21290; bugfix 
				+      on 0.2.5.4-alpha. 
				+ 
				+  o Minor bugfixes (consensus weight): 
				+    - Add new consensus method that initializes bw weights to 1 instead 
				+      of 0. This prevents a zero weight from making it all the way to 
				+      the end (happens in small testing networks) and causing an error. 
				+      Fixes bug 14881; bugfix on 0.2.2.17-alpha. 
				+ 
				+  o Minor bugfixes (crash prevention): 
				+    - Fix an (currently untriggerable, but potentially dangerous) crash 
				+      bug when base32-encoding inputs whose sizes are not a multiple of 
				+      5. Fixes bug 21894; bugfix on 0.2.9.1-alpha. 
				+ 
				+  o Minor bugfixes (dead code): 
				+    - Remove a redundant check for PidFile changes at runtime in 
				+      options_transition_allowed(): this check is already performed 
				+      regardless of whether the sandbox is active. Fixes bug 21123; 
				+      bugfix on 0.2.5.4-alpha. 
				+ 
				+  o Minor bugfixes (descriptors): 
				+    - Correctly recognise downloaded full descriptors as valid, even 
				+      when using microdescriptors as circuits. This affects clients with 
				+      FetchUselessDescriptors set, and may affect directory authorities. 
				+      Fixes bug 20839; bugfix on 0.2.3.2-alpha. 
				+ 
				+  o Minor bugfixes (directory mirrors): 
				+    - Allow relays to use directory mirrors without a DirPort: these 
				+      relays need to be contacted over their ORPorts using a begindir 
				+      connection. Fixes one case of bug 20711; bugfix on 0.2.8.2-alpha. 
				+    - Clarify the message logged when a remote relay is unexpectedly 
				+      missing an ORPort or DirPort: users were confusing this with a 
				+      local port. Fixes another case of bug 20711; bugfix 
				+      on 0.2.8.2-alpha. 
				+ 
				+  o Minor bugfixes (directory system): 
				+    - Bridges and relays now use microdescriptors (like clients do) 
				+      rather than old-style router descriptors. Now bridges will blend 
				+      in with clients in terms of the circuits they build. Fixes bug 
				+      6769; bugfix on 0.2.3.2-alpha. 
				+    - Download all consensus flavors, descriptors, and authority 
				+      certificates when FetchUselessDescriptors is set, regardless of 
				+      whether tor is a directory cache or not. Fixes bug 20667; bugfix 
				+      on all recent tor versions. 
				+ 
				+  o Minor bugfixes (documentation): 
				+    - Update the tor manual page to document every option that can not 
				+      be changed while tor is running. Fixes bug 21122. 
				+ 
				+  o Minor bugfixes (ed25519 certificates): 
				+    - Correctly interpret ed25519 certificates that would expire some 
				+      time after 19 Jan 2038. Fixes bug 20027; bugfix on 0.2.7.2-alpha. 
				+ 
				+  o Minor bugfixes (fallback directories): 
				+    - Avoid checking fallback candidates' DirPorts if they are down in 
				+      OnionOO. When a relay operator has multiple relays, this 
				+      prioritizes relays that are up over relays that are down. Fixes 
				+      bug 20926; bugfix on 0.2.8.3-alpha. 
				+    - Stop failing when OUTPUT_COMMENTS is True in updateFallbackDirs.py. 
				+      Fixes bug 20877; bugfix on 0.2.8.3-alpha. 
				+    - Stop failing when a relay has no uptime data in 
				+      updateFallbackDirs.py. Fixes bug 20945; bugfix on 0.2.8.1-alpha. 
				+ 
				+  o Minor bugfixes (hidden service): 
				+    - Clean up the code for expiring intro points with no associated 
				+      circuits. It was causing, rarely, a service with some expiring 
				+      introduction points to not open enough additional introduction 
				+      points. Fixes part of bug 21302; bugfix on 0.2.7.2-alpha. 
				+    - Resolve two possible underflows which could lead to creating and 
				+      closing a lot of introduction point circuits in a non-stop loop. 
				+      Fixes bug 21302; bugfix on 0.2.7.2-alpha. 
				+    - Stop setting the torrc option HiddenServiceStatistics to "0" just 
				+      because we're not a bridge or relay. Instead, we preserve whatever 
				+      value the user set (or didn't set). Fixes bug 21150; bugfix 
				+      on 0.2.6.2-alpha. 
				+ 
				+  o Minor bugfixes (hidden services): 
				+    - Make hidden services check for failed intro point connections, 
				+      even when they have exceeded their intro point creation limit. 
				+      Fixes bug 21596; bugfix on 0.2.7.2-alpha. Reported by Alec Muffett. 
				+    - Make hidden services with 8 to 10 introduction points check for 
				+      failed circuits immediately after startup. Previously, they would 
				+      wait for 5 minutes before performing their first checks. Fixes bug 
				+      21594; bugfix on 0.2.3.9-alpha. Reported by Alec Muffett. 
				+    - Stop ignoring misconfigured hidden services. Instead, refuse to 
				+      start tor until the misconfigurations have been corrected. Fixes 
				+      bug 20559; bugfix on multiple commits in 0.2.7.1-alpha 
				+      and earlier. 
				+ 
				+  o Minor bugfixes (IPv6): 
				+    - Make IPv6-using clients try harder to find an IPv6 directory 
				+      server. Fixes bug 20999; bugfix on 0.2.8.2-alpha. 
				+    - When IPv6 addresses have not been downloaded yet (microdesc 
				+      consensus documents don't list relay IPv6 addresses), use hard- 
				+      coded addresses for authorities, fallbacks, and configured 
				+      bridges. Now IPv6-only clients can use microdescriptors. Fixes bug 
				+      20996; bugfix on b167e82 from 19608 in 0.2.8.5-alpha. 
				+ 
				+  o Minor bugfixes (memory leak at exit): 
				+    - Fix a small harmless memory leak at exit of the previously unused 
				+      RSA->Ed identity cross-certificate. Fixes bug 17779; bugfix 
				+      on 0.2.7.2-alpha. 
				+ 
				+  o Minor bugfixes (onion services): 
				+    - Allow the number of introduction points to be as low as 0, rather 
				+      than as low as 3. Fixes bug 21033; bugfix on 0.2.7.2-alpha. 
				+ 
				+  o Minor bugfixes (portability): 
				+    - Use "OpenBSD" compiler macro instead of "OPENBSD" or "__OpenBSD__". 
				+      It is supported by OpenBSD itself, and also by most OpenBSD 
				+      variants (such as Bitrig). Fixes bug 20980; bugfix 
				+      on 0.1.2.1-alpha. 
				+ 
				+  o Minor bugfixes (portability, also in 0.2.9.9): 
				+    - Avoid crashing when Tor is built using headers that contain 
				+      CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel 
				+      without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix 
				+      on 0.2.9.1-alpha. 
				+    - Fix Libevent detection on platforms without Libevent 1 headers 
				+      installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha. 
				+ 
				+  o Minor bugfixes (relay): 
				+    - Avoid a double-marked-circuit warning that could happen when we 
				+      receive DESTROY cells under heavy load. Fixes bug 20059; bugfix 
				+      on 0.1.0.1-rc. 
				+    - Honor DataDirectoryGroupReadable when tor is a relay. Previously, 
				+      initializing the keys would reset the DataDirectory to 0700 
				+      instead of 0750 even if DataDirectoryGroupReadable was set to 1. 
				+      Fixes bug 19953; bugfix on 0.0.2pre16. Patch by "redfish". 
				+ 
				+  o Minor bugfixes (testing): 
				+    - Fix Raspbian build issues related to missing socket errno in 
				+      test_util.c. Fixes bug 21116; bugfix on 0.2.8.2. Patch by "hein". 
				+    - Remove undefined behavior from the backtrace generator by removing 
				+      its signal handler. Fixes bug 21026; bugfix on 0.2.5.2-alpha. 
				+    - Use bash in src/test/test-network.sh. This ensures we reliably 
				+      call chutney's newer tools/test-network.sh when available. Fixes 
				+      bug 21562; bugfix on 0.2.9.1-alpha. 
				+ 
				+  o Minor bugfixes (tor-resolve): 
				+    - The tor-resolve command line tool now rejects hostnames over 255 
				+      characters in length. Previously, it would silently truncate them, 
				+      which could lead to bugs. Fixes bug 21280; bugfix on 0.0.9pre5. 
				+      Patch by "junglefowl". 
				+ 
				+  o Minor bugfixes (unit tests): 
				+    - Allow the unit tests to pass even when DNS lookups of bogus 
				+      addresses do not fail as expected. Fixes bug 20862 and 20863; 
				+      bugfix on unit tests introduced in 0.2.8.1-alpha 
				+      through 0.2.9.4-alpha. 
				+ 
				+  o Minor bugfixes (util): 
				+    - When finishing writing a file to disk, if we were about to replace 
				+      the file with the temporary file created before and we fail to 
				+      replace it, remove the temporary file so it doesn't stay on disk. 
				+      Fixes bug 20646; bugfix on 0.2.0.7-alpha. Patch by fk. 
				+ 
				+  o Minor bugfixes (Windows services): 
				+    - Be sure to initialize the monotonic time subsystem before using 
				+      it, even when running as an NT service. Fixes bug 21356; bugfix 
				+      on 0.2.9.1-alpha. 
				+ 
				+  o Minor bugfixes (Windows): 
				+    - Check for getpagesize before using it to mmap files. This fixes 
				+      compilation in some MinGW environments. Fixes bug 20530; bugfix on 
				+      0.1.2.1-alpha. Reported by "ice". 
				+ 
				+  o Code simplification and refactoring: 
				+    - Abolish all global guard context in entrynodes.c; replace with new 
				+      guard_selection_t structure as preparation for proposal 271. 
				+      Closes ticket 19858. 
				+    - Extract magic numbers in circuituse.c into defined variables. 
				+    - Introduce rend_service_is_ephemeral() that tells if given onion 
				+      service is ephemeral. Replace unclear NULL-checkings for service 
				+      directory with this function. Closes ticket 20526. 
				+    - Refactor circuit_is_available_for_use to remove unnecessary check. 
				+    - Refactor circuit_predict_and_launch_new for readability and 
				+      testability. Closes ticket 18873. 
				+    - Refactor code to manipulate global_origin_circuit_list into 
				+      separate functions. Closes ticket 20921. 
				+    - Refactor large if statement in purpose_needs_anonymity to use 
				+      switch statement instead. Closes part of ticket 20077. 
				+    - Refactor the hashing API to return negative values for errors, as 
				+      is done as throughout the codebase. Closes ticket 20717. 
				+    - Remove data structures that were used to index or_connection 
				+      objects by their RSA identity digests. These structures are fully 
				+      redundant with the similar structures used in the 
				+      channel abstraction. 
				+    - Remove duplicate code in the channel_write_*cell() functions. 
				+      Closes ticket 13827; patch from Pingl. 
				+    - Remove redundant behavior of is_sensitive_dir_purpose, refactor to 
				+      use only purpose_needs_anonymity. Closes part of ticket 20077. 
				+    - The code to generate and parse EXTEND and EXTEND2 cells has been 
				+      replaced with code automatically generated by the 
				+      "trunnel" utility. 
				+ 
				+  o Documentation (formatting): 
				+    - Clean up formatting of tor.1 man page and HTML doc, where <pre> 
				+      blocks were incorrectly appearing. Closes ticket 20885. 
				+ 
				+  o Documentation (man page): 
				+    - Clarify many options in tor.1 and add some min/max values for 
				+      HiddenService options. Closes ticket 21058. 
				+ 
				+  o Documentation: 
				+    - Change '1' to 'weight_scale' in consensus bw weights calculation 
				+      comments, as that is reality. Closes ticket 20273. Patch 
				+      from pastly. 
				+    - Clarify that when ClientRejectInternalAddresses is enabled (which 
				+      is the default), multicast DNS hostnames for machines on the local 
				+      network (of the form *.local) are also rejected. Closes 
				+      ticket 17070. 
				+    - Correct the value for AuthDirGuardBWGuarantee in the manpage, from 
				+      250 KBytes to 2 MBytes. Fixes bug 20435; bugfix on 0.2.5.6-alpha. 
				+    - Include the "TBits" unit in Tor's man page. Fixes part of bug 
				+      20622; bugfix on 0.2.5.1-alpha. 
				+    - Small fixes to the fuzzing documentation. Closes ticket 21472. 
				+    - Stop the man page from incorrectly stating that HiddenServiceDir 
				+      must already exist. Fixes 20486. 
				+    - Update the description of the directory server options in the 
				+      manual page, to clarify that a relay no longer needs to set 
				+      DirPort in order to be a directory cache. Closes ticket 21720. 
				+ 
				+  o Removed features: 
				+    - The AuthDirMaxServersPerAuthAddr option no longer exists: The same 
				+      limit for relays running on a single IP applies to authority IP 
				+      addresses as well as to non-authority IP addresses. Closes 
				+      ticket 20960. 
				+    - The UseDirectoryGuards torrc option no longer exists: all users 
				+      that use entry guards will also use directory guards. Related to 
				+      proposal 271; implements part of ticket 20831. 
				+ 
				+  o Testing: 
				+    - Add tests for networkstatus_compute_bw_weights_v10. 
				+    - Add unit tests circuit_predict_and_launch_new. 
				+    - Extract dummy_origin_circuit_new so it can be used by other 
				+      test functions. 
				+    - New unit tests for tor_htonll(). Closes ticket 19563. Patch 
				+      from "overcaffeinated". 
				+    - Perform the coding style checks when running the tests and fail 
				+      when coding style violations are found. Closes ticket 5500. 
				+ 
				+ 
				 Changes in version 0.2.8.13 - 2017-03-03 
				   Tor 0.2.8.13 backports a security fix from later Tor 
				   releases.  Anybody running Tor 0.2.8.12 or earlier should upgrade to this 
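Review bot: The added 0.3.0.6 notes spread related fixes over near-duplicate section headings, "Minor bugfixes (config)" next to "Minor bugfixes (configuration)", and "Minor bugfixes (hidden service)", "Minor bugfixes (hidden services)" and "Minor bugfixes (onion services)"; merge each group under one heading so an operator scanning for configuration or onion-service changes finds them in one place. In the (configure, autoconf) entry, the explanation still opens with "Expensive hardening makes the tor daemon abort" right after announcing the rename to --enable-fragile-hardening, and "safer against RCE or heartbleed bug category" is hard to parse; say which option name the sentence refers to and reword the trade-off (more exposed to remote crashes, less exposed to memory-disclosure and code-execution bugs). Copy fixes in the same block: the certificate expiration time entry ends "bugfix on 0.2.4.11-alpha" without a period, "Fix an (currently untriggerable" should read "Fix a", "as is done as throughout the codebase" has a stray "as", and "Fixes 20486." omits "bug", unlike every other entry.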