Merge branch 'debian-merge' into debian

* debian-merge:
  New upstream version
  bump to 0.2.1.18
  put in the full 0.2.1 release notes
  add a changelog entry for the upcoming 0.2.1.18
  make phobos's lines start with tabs again
  added LIBS=-lrt to Makefile.am for static libevent in the tor rpms.
  forward-port the 0.2.0.35 release notes
  add blurbs for recent release candidates
  Bump version to 0.2.1.17-rc-dev

ChangeLog

@@ -1,4 +1,20 @@
+Changes in version 0.2.1.18 - 2009-07-24
+  o Build fixes:
+    - Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
+
+
 Changes in version 0.2.1.17-rc - 2009-07-07
+  Tor 0.2.1.17-rc marks the fourth -- and hopefully last -- release
+  candidate for the 0.2.1.x series. It lays the groundwork for further
+  client performance improvements, and also fixes a big bug with directory
+  authorities that were causing them to assign Guard and Stable flags
+  poorly.
+
+  The Windows bundles also finally include the geoip database that we
+  thought we'd been shipping since 0.2.0.x (oops), and the OS X bundles
+  should actually install Torbutton rather than giving you a cryptic
+  failure message (oops).
+
   o Major features:
     - Clients now use the bandwidth values in the consensus, rather than
       the bandwidth values in each relay descriptor. This approach opens
@@ -46,6 +62,9 @@ Changes in version 0.2.1.17-rc - 2009-07-07
 
 
 Changes in version 0.2.1.16-rc - 2009-06-20
+  Tor 0.2.1.16-rc speeds up performance for fast exit relays, and fixes
+  a bunch of minor bugs.
+
   o Security fixes:
     - Fix an edge case where a malicious exit relay could convince a
       controller that the client's DNS question resolves to an internal IP
@@ -92,6 +111,10 @@ Changes in version 0.2.1.16-rc - 2009-06-20
 
 
 Changes in version 0.2.1.15-rc - 2009-05-25
+  Tor 0.2.1.15-rc marks the second release candidate for the 0.2.1.x
+  series. It fixes a major bug on fast exit relays, as well as a variety
+  of more minor bugs.
+
   o Major bugfixes (on 0.2.0.x):
     - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
       that would occur on some exit nodes when DNS failures and timeouts

Makefile.am

@@ -26,15 +26,14 @@ dist-rpm:
 	    mkdir $$RPM_BUILD_DIR/$$subdir;                     \
 	done;                                                   \
 	mkdir $$RPM_BUILD_DIR/SOURCES/tor-$(VERSION);           \
-        cp -R ./ $$RPM_BUILD_DIR/SOURCES/tor-$(VERSION)/;       \
+	cp -R ./ $$RPM_BUILD_DIR/SOURCES/tor-$(VERSION)/;       \
-        pushd $$RPM_BUILD_DIR/SOURCES/;                         \
+	pushd $$RPM_BUILD_DIR/SOURCES/;                         \
-        tar zcf tor-$(VERSION).tar.gz ./;                       \
+	tar zcf tor-$(VERSION).tar.gz ./;                       \
-        popd;                                                   \
+	popd;                                                   \
-        rpmbuild -ba --define "_topdir $$RPM_BUILD_DIR" tor.spec; \
+	LIBS=-lrt rpmbuild -ba --define "_topdir $$RPM_BUILD_DIR" tor.spec; \
-        mv $$RPM_BUILD_DIR/SRPMS/* .;                           \
+	mv $$RPM_BUILD_DIR/SRPMS/* .;                           \
-        mv $$RPM_BUILD_DIR/RPMS/* .;                            \
+	mv $$RPM_BUILD_DIR/RPMS/* .;                            \
-        rm -rf $$RPM_BUILD_DIR
+	rm -rf $$RPM_BUILD_DIR
-
 
 dist-osx:
 	@if [ "x$(prefix)" != 'x/Library/Tor' ]; then \

ReleaseNotes

@@ -3,6 +3,605 @@ This document summarizes new features and bugfixes in each stable release
 of Tor. If you want to see more detailed descriptions of the changes in
 each development snapshot, see the ChangeLog file.
 
+Changes in version 0.2.1.18 - 2009-07-24
+  o Major features (clients):
+    - Start sending "bootstrap phase" status events to the controller,
+      so it can keep the user informed of progress fetching directory
+      information and establishing circuits. Also inform the controller
+      if we think we're stuck at a particular bootstrap phase. Implements
+      proposal 137.
+    - Clients replace entry guards that were chosen more than a few months
+      ago. This change should significantly improve client performance,
+      especially once more people upgrade, since relays that have been
+      a guard for a long time are currently overloaded.
+    - Network status consensus documents and votes now contain bandwidth
+      information for each relay. Clients use the bandwidth values
+      in the consensus, rather than the bandwidth values in each
+      relay descriptor. This approach opens the door to more accurate
+      bandwidth estimates once the directory authorities start doing
+      active measurements. Implements part of proposal 141.
+
+  o Major features (relays):
+    - Disable and refactor some debugging checks that forced a linear scan
+      over the whole server-side DNS cache. These accounted for over 50%
+      of CPU time on a relatively busy exit node's gprof profile. Also,
+      disable some debugging checks that appeared in exit node profile
+      data. Found by Jacob.
+    - New DirPortFrontPage option that takes an html file and publishes
+      it as "/" on the DirPort. Now relay operators can provide a
+      disclaimer without needing to set up a separate webserver. There's
+      a sample disclaimer in contrib/tor-exit-notice.html.
+
+  o Major features (hidden services):
+    - Make it possible to build hidden services that only certain clients
+      are allowed to connect to. This is enforced at several points,
+      so that unauthorized clients are unable to send INTRODUCE cells
+      to the service, or even (depending on the type of authentication)
+      to learn introduction points. This feature raises the bar for
+      certain kinds of active attacks against hidden services. Design
+      and code by Karsten Loesing. Implements proposal 121.
+    - Relays now store and serve v2 hidden service descriptors by default,
+      i.e., the new default value for HidServDirectoryV2 is 1. This is
+      the last step in proposal 114, which aims to make hidden service
+      lookups more reliable.
+
+  o Major features (path selection):
+    - ExitNodes and Exclude*Nodes config options now allow you to restrict
+      by country code ("{US}") or IP address or address pattern
+      ("255.128.0.0/16"). Patch from Robert Hogan. It still needs some
+      refinement to decide what config options should take priority if
+      you ask to both use a particular node and exclude it.
+
+  o Major features (misc):
+    - When building a consensus, do not include routers that are down.
+      This cuts down 30% to 40% on consensus size. Implements proposal
+      138.
+    - New TestingTorNetwork config option to allow adjustment of
+      previously constant values that could slow bootstrapping. Implements
+      proposal 135. Patch from Karsten.
+    - Convert many internal address representations to optionally hold
+      IPv6 addresses. Generate and accept IPv6 addresses in many protocol
+      elements. Make resolver code handle nameservers located at IPv6
+      addresses.
+    - More work on making our TLS handshake blend in: modify the list
+      of ciphers advertised by OpenSSL in client mode to even more
+      closely resemble a common web browser. We cheat a little so that
+      we can advertise ciphers that the locally installed OpenSSL doesn't
+      know about.
+    - Use the TLS1 hostname extension to more closely resemble browser
+      behavior.
+
+  o Security fixes (anonymity/entropy):
+    - Never use a connection with a mismatched address to extend a
+      circuit, unless that connection is canonical. A canonical
+      connection is one whose address is authenticated by the router's
+      identity key, either in a NETINFO cell or in a router descriptor.
+    - Implement most of proposal 110: The first K cells to be sent
+      along a circuit are marked as special "early" cells; only K "early"
+      cells will be allowed. Once this code is universal, we can block
+      certain kinds of denial-of-service attack by requiring that EXTEND
+      commands must be sent using an "early" cell.
+    - Resume using OpenSSL's RAND_poll() for better (and more portable)
+      cross-platform entropy collection again. We used to use it, then
+      stopped using it because of a bug that could crash systems that
+      called RAND_poll when they had a lot of fds open. It looks like the
+      bug got fixed in late 2006. Our new behavior is to call RAND_poll()
+      at startup, and to call RAND_poll() when we reseed later only if
+      we have a non-buggy OpenSSL version.
+    - When the client is choosing entry guards, now it selects at most
+      one guard from a given relay family. Otherwise we could end up with
+      all of our entry points into the network run by the same operator.
+      Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
+    - Do not use or believe expired v3 authority certificates. Patch
+      from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
+    - Drop begin cells to a hidden service if they come from the middle
+      of a circuit. Patch from lark.
+    - When we erroneously receive two EXTEND cells for the same circuit
+      ID on the same connection, drop the second. Patch from lark.
+    - Authorities now vote for the Stable flag for any router whose
+      weighted MTBF is at least 5 days, regardless of the mean MTBF.
+    - Clients now never report any stream end reason except 'MISC'.
+      Implements proposal 148.
+
+  o Major bugfixes (crashes):
+    - Parse dates and IPv4 addresses in a locale- and libc-independent
+      manner, to avoid platform-dependent behavior on malformed input.
+    - Fix a crash that occurs on exit nodes when a nameserver request
+      timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
+      been suppressing the bug since 0.1.2.10-alpha. Partial fix for
+      bug 929.
+    - Do not assume that a stack-allocated character array will be
+      64-bit aligned on platforms that demand that uint64_t access is
+      aligned. Possible fix for bug 604.
+    - Resolve a very rare crash bug that could occur when the user forced
+      a nameserver reconfiguration during the middle of a nameserver
+      probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
+    - Avoid a "0 divided by 0" calculation when calculating router uptime
+      at directory authorities. Bugfix on 0.2.0.8-alpha.
+    - Fix an assertion bug in parsing policy-related options; possible fix
+      for bug 811.
+    - Rate-limit too-many-sockets messages: when they happen, they happen
+      a lot and end up filling up the disk. Resolves bug 748.
+    - Fix a race condition that could cause crashes or memory corruption
+      when running as a server with a controller listening for log
+      messages.
+    - Avoid crashing when we have a policy specified in a DirPolicy or
+      SocksPolicy or ReachableAddresses option with ports set on it,
+      and we re-load the policy. May fix bug 996.
+    - Fix an assertion failure on 64-bit platforms when we allocated
+      memory right up to the end of a memarea, then realigned the memory
+      one step beyond the end. Fixes a possible cause of bug 930.
+    - Protect the count of open sockets with a mutex, so we can't
+      corrupt it when two threads are closing or opening sockets at once.
+      Fix for bug 939. Bugfix on 0.2.0.1-alpha.
+
+  o Major bugfixes (clients):
+    - Discard router descriptors as we load them if they are more than
+      five days old. Otherwise if Tor is off for a long time and then
+      starts with cached descriptors, it will try to use the onion keys
+      in those obsolete descriptors when building circuits. Fixes bug 887.
+    - When we choose to abandon a new entry guard because we think our
+      older ones might be better, close any circuits pending on that
+      new entry guard connection. This fix should make us recover much
+      faster when our network is down and then comes back. Bugfix on
+      0.1.2.8-beta; found by lodger.
+    - When Tor clients restart after 1-5 days, they discard all their
+      cached descriptors as too old, but they still use the cached
+      consensus document. This approach is good for robustness, but
+      bad for performance: since they don't know any bandwidths, they
+      end up choosing at random rather than weighting their choice by
+      speed. Fixed by the above feature of putting bandwidths in the
+      consensus.
+
+  o Major bugfixes (relays):
+    - Relays were falling out of the networkstatus consensus for
+      part of a day if they changed their local config but the
+      authorities discarded their new descriptor as "not sufficiently
+      different". Now directory authorities accept a descriptor as changed
+      if BandwidthRate or BandwidthBurst changed. Partial fix for bug 962;
+      patch by Sebastian.
+    - Ensure that two circuits can never exist on the same connection
+      with the same circuit ID, even if one is marked for close. This
+      is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
+    - Directory authorities were neglecting to mark relays down in their
+      internal histories if the relays fall off the routerlist without
+      ever being found unreachable. So there were relays in the histories
+      that haven't been seen for eight months, and are listed as being
+      up for eight months. This wreaked havoc on the "median wfu" and
+      "median mtbf" calculations, in turn making Guard and Stable flags
+      wrong, hurting network performance. Fixes bugs 696 and 969. Bugfix
+      on 0.2.0.6-alpha.
+
+  o Major bugfixes (hidden services):
+    - When establishing a hidden service, introduction points that
+      originate from cannibalized circuits were completely ignored
+      and not included in rendezvous service descriptors. This might
+      have been another reason for delay in making a hidden service
+      available. Bugfix from long ago (0.0.9.x?)
+
+  o Major bugfixes (memory and resource management):
+    - Fixed some memory leaks -- some quite frequent, some almost
+      impossible to trigger -- based on results from Coverity.
+    - Speed up parsing and cut down on memory fragmentation by using
+      stack-style allocations for parsing directory objects. Previously,
+      this accounted for over 40% of allocations from within Tor's code
+      on a typical directory cache.
+    - Use a Bloom filter rather than a digest-based set to track which
+      descriptors we need to keep around when we're cleaning out old
+      router descriptors. This speeds up the computation significantly,
+      and may reduce fragmentation.
+
+  o New/changed config options:
+    - Now NodeFamily and MyFamily config options allow spaces in
+      identity fingerprints, so it's easier to paste them in.
+      Suggested by Lucky Green.
+    - Allow ports 465 and 587 in the default exit policy again. We had
+      rejected them in 0.1.0.15, because back in 2005 they were commonly
+      misconfigured and ended up as spam targets. We hear they are better
+      locked down these days.
+    - Make TrackHostExit mappings expire a while after their last use, not
+      after their creation. Patch from Robert Hogan.
+    - Add an ExcludeExitNodes option so users can list a set of nodes
+      that should be be excluded from the exit node position, but
+      allowed elsewhere. Implements proposal 151.
+    - New --hush command-line option similar to --quiet. While --quiet
+      disables all logging to the console on startup, --hush limits the
+      output to messages of warning and error severity.
+    - New configure/torrc options (--enable-geoip-stats,
+      DirRecordUsageByCountry) to record how many IPs we've served
+      directory info to in each country code, how many status documents
+      total we've sent to each country code, and what share of the total
+      directory requests we should expect to see.
+    - Make outbound DNS packets respect the OutboundBindAddress setting.
+      Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
+    - Allow separate log levels to be configured for different logging
+      domains. For example, this allows one to log all notices, warnings,
+      or errors, plus all memory management messages of level debug or
+      higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
+    - Update to the "June 3 2009" ip-to-country file.
+
+  o Minor features (relays):
+    - Raise the minimum rate limiting to be a relay from 20000 bytes
+      to 20480 bytes (aka 20KB/s), to match our documentation. Also
+      update directory authorities so they always assign the Fast flag
+      to relays with 20KB/s of capacity. Now people running relays won't
+      suddenly find themselves not seeing any use, if the network gets
+      faster on average.
+    - If we're a relay and we change our IP address, be more verbose
+      about the reason that made us change. Should help track down
+      further bugs for relays on dynamic IP addresses.
+    - Exit servers can now answer resolve requests for ip6.arpa addresses.
+    - Implement most of Proposal 152: allow specialized servers to permit
+      single-hop circuits, and clients to use those servers to build
+      single-hop circuits when using a specialized controller. Patch
+      from Josh Albrecht. Resolves feature request 768.
+    - When relays do their initial bandwidth measurement, don't limit
+      to just our entry guards for the test circuits. Otherwise we tend
+      to have multiple test circuits going through a single entry guard,
+      which makes our bandwidth test less accurate. Fixes part of bug 654;
+      patch contributed by Josh Albrecht.
+
+  o Minor features (directory authorities):
+    - Try not to open more than one descriptor-downloading connection
+      to an authority at once. This should reduce load on directory
+      authorities. Fixes bug 366.
+    - Add cross-certification to newly generated certificates, so that
+      a signing key is enough information to look up a certificate. Start
+      serving certificates by <identity digest, signing key digest>
+      pairs. Implements proposal 157.
+    - When a directory authority downloads a descriptor that it then
+      immediately rejects, do not retry downloading it right away. Should
+      save some bandwidth on authorities. Fix for bug 888. Patch by
+      Sebastian Hahn.
+    - Directory authorities now serve a /tor/dbg-stability.txt URL to
+      help debug WFU and MTBF calculations.
+    - In directory authorities' approved-routers files, allow
+      fingerprints with or without space.
+
+  o Minor features (directory mirrors):
+    - When a download gets us zero good descriptors, do not notify
+      Tor that new directory information has arrived.
+    - Servers support a new URL scheme for consensus downloads that
+      allows the client to specify which authorities are trusted.
+      The server then only sends the consensus if the client will trust
+      it. Otherwise a 404 error is sent back. Clients use this
+      new scheme when the server supports it (meaning it's running
+      0.2.1.1-alpha or later). Implements proposal 134.
+
+  o Minor features (bridges):
+    - If the bridge config line doesn't specify a port, assume 443.
+      This makes bridge lines a bit smaller and easier for users to
+      understand.
+    - If we're using bridges and our network goes away, be more willing
+      to forgive our bridges and try again when we get an application
+      request.
+
+  o Minor features (hidden services):
+    - When the client launches an introduction circuit, retry with a
+      new circuit after 30 seconds rather than 60 seconds.
+    - Launch a second client-side introduction circuit in parallel
+      after a delay of 15 seconds (based on work by Christian Wilms).
+    - Hidden services start out building five intro circuits rather
+      than three, and when the first three finish they publish a service
+      descriptor using those. Now we publish our service descriptor much
+      faster after restart.
+    - Drop the requirement to have an open dir port for storing and
+      serving v2 hidden service descriptors.
+
+  o Minor features (build and packaging):
+    - On Linux, use the prctl call to re-enable core dumps when the User
+      option is set.
+    - Try to make sure that the version of Libevent we're running with
+      is binary-compatible with the one we built with. May address bug
+      897 and others.
+    - Add a new --enable-local-appdata configuration switch to change
+      the default location of the datadir on win32 from APPDATA to
+      LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
+      entirely. Patch from coderman.
+    - Build correctly against versions of OpenSSL 0.9.8 or later that
+      are built without support for deprecated functions.
+    - On platforms with a maximum syslog string length, truncate syslog
+      messages to that length ourselves, rather than relying on the
+      system to do it for us.
+    - Automatically detect MacOSX versions earlier than 10.4.0, and
+      disable kqueue from inside Tor when running with these versions.
+      We previously did this from the startup script, but that was no
+      help to people who didn't use the startup script. Resolves bug 863.
+    - Build correctly when configured to build outside the main source
+      path. Patch from Michael Gold.
+    - Disable GCC's strict alias optimization by default, to avoid the
+      likelihood of its introducing subtle bugs whenever our code violates
+      the letter of C99's alias rules.
+    - Change the contrib/tor.logrotate script so it makes the new
+      logs as "_tor:_tor" rather than the default, which is generally
+      "root:wheel". Fixes bug 676, reported by Serge Koksharov.
+    - Change our header file guard macros to be less likely to conflict
+      with system headers. Adam Langley noticed that we were conflicting
+      with log.h on Android.
+    - Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
+      and stop using a warning that had become unfixably verbose under
+      GCC 4.3.
+    - Use a lockfile to make sure that two Tor processes are not
+      simultaneously running with the same datadir.
+    - Allow OpenSSL to use dynamic locks if it wants.
+    - Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
+
+  o Minor features (controllers):
+    - When generating circuit events with verbose nicknames for
+      controllers, try harder to look up nicknames for routers on a
+      circuit. (Previously, we would look in the router descriptors we had
+      for nicknames, but not in the consensus.) Partial fix for bug 941.
+    - New controller event NEWCONSENSUS that lists the networkstatus
+      lines for every recommended relay. Now controllers like Torflow
+      can keep up-to-date on which relays they should be using.
+    - New controller event "clients_seen" to report a geoip-based summary
+      of which countries we've seen clients from recently. Now controllers
+      like Vidalia can show bridge operators that they're actually making
+      a difference.
+    - Add a 'getinfo status/clients-seen' controller command, in case
+      controllers want to hear clients_seen events but connect late.
+    - New CONSENSUS_ARRIVED event to note when a new consensus has
+      been fetched and validated.
+    - Add an internal-use-only __ReloadTorrcOnSIGHUP option for
+      controllers to prevent SIGHUP from reloading the configuration.
+      Fixes bug 856.
+    - Return circuit purposes in response to GETINFO circuit-status.
+      Fixes bug 858.
+    - Serve the latest v3 networkstatus consensus via the control
+      port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
+    - Add a "GETINFO /status/bootstrap-phase" controller option, so the
+      controller can query our current bootstrap state in case it attaches
+      partway through and wants to catch up.
+    - Provide circuit purposes along with circuit events to the controller.
+
+  o Minor features (tools):
+    - Do not have tor-resolve automatically refuse all .onion addresses;
+      if AutomapHostsOnResolve is set in your torrc, this will work fine.
+    - Add a -p option to tor-resolve for specifying the SOCKS port: some
+      people find host:port too confusing.
+    - Print the SOCKS5 error message string as well as the error code
+      when a tor-resolve request fails. Patch from Jacob.
+
+  o Minor bugfixes (memory and resource management):
+    - Clients no longer cache certificates for authorities they do not
+      recognize. Bugfix on 0.2.0.9-alpha.
+    - Do not use C's stdio library for writing to log files. This will
+      improve logging performance by a minute amount, and will stop
+      leaking fds when our disk is full. Fixes bug 861.
+    - Stop erroneous use of O_APPEND in cases where we did not in fact
+      want to re-seek to the end of a file before every last write().
+    - Fix a small alignment and memory-wasting bug on buffer chunks.
+      Spotted by rovv.
+    - Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
+      to avoid unused RAM in buffer chunks and memory pools.
+    - Reduce the default smartlist size from 32 to 16; it turns out that
+      most smartlists hold around 8-12 elements tops.
+    - Make dumpstats() log the fullness and size of openssl-internal
+      buffers.
+    - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
+      patch to their OpenSSL, turn it on to save memory on servers. This
+      patch will (with any luck) get included in a mainline distribution
+      before too long.
+    - Fix a memory leak when v3 directory authorities load their keys
+      and cert from disk. Bugfix on 0.2.0.1-alpha.
+    - Stop using malloc_usable_size() to use more area than we had
+      actually allocated: it was safe, but made valgrind really unhappy.
+    - Make the assert_circuit_ok() function work correctly on circuits that
+      have already been marked for close.
+    - Fix uninitialized size field for memory area allocation: may improve
+      memory performance during directory parsing.
+
+  o Minor bugfixes (clients):
+    - Stop reloading the router list from disk for no reason when we
+      run out of reachable directory mirrors. Once upon a time reloading
+      it would set the 'is_running' flag back to 1 for them. It hasn't
+      done that for a long time.
+    - When we had picked an exit node for a connection, but marked it as
+      "optional", and it turned out we had no onion key for the exit,
+      stop wanting that exit and try again. This situation may not
+      be possible now, but will probably become feasible with proposal
+      158. Spotted by rovv. Fixes another case of bug 752.
+    - Fix a bug in address parsing that was preventing bridges or hidden
+      service targets from being at IPv6 addresses.
+    - Do not remove routers as too old if we do not have any consensus
+      document. Bugfix on 0.2.0.7-alpha.
+    - When an exit relay resolves a stream address to a local IP address,
+      do not just keep retrying that same exit relay over and
+      over. Instead, just close the stream. Addresses bug 872. Bugfix
+      on 0.2.0.32. Patch from rovv.
+    - Made Tor a little less aggressive about deleting expired
+      certificates. Partial fix for bug 854.
+    - Treat duplicate certificate fetches as failures, so that we do
+      not try to re-fetch an expired certificate over and over and over.
+    - Do not say we're fetching a certificate when we'll in fact skip it
+      because of a pending download.
+    - If we have correct permissions on $datadir, we complain to stdout
+      and fail to start. But dangerous permissions on
+      $datadir/cached-status/ would cause us to open a log and complain
+      there. Now complain to stdout and fail to start in both cases. Fixes
+      bug 820, reported by seeess.
+
+  o Minor bugfixes (bridges):
+    - When we made bridge authorities stop serving bridge descriptors over
+      unencrypted links, we also broke DirPort reachability testing for
+      bridges. So bridges with a non-zero DirPort were printing spurious
+      warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
+    - Don't allow a bridge to publish its router descriptor to a
+      non-bridge directory authority. Fixes part of bug 932.
+    - When we change to or from being a bridge, reset our counts of
+      client usage by country. Fixes bug 932.
+
+  o Minor bugfixes (relays):
+    - Log correct error messages for DNS-related network errors on
+      Windows.
+    - Actually return -1 in the error case for read_bandwidth_usage().
+      Harmless bug, since we currently don't care about the return value
+      anywhere. Bugfix on 0.2.0.9-alpha.
+    - Provide a more useful log message if bug 977 (related to buffer
+      freelists) ever reappears, and do not crash right away.
+    - We were already rejecting relay begin cells with destination port
+      of 0. Now also reject extend cells with destination port or address
+      of 0. Suggested by lark.
+    - When we can't transmit a DNS request due to a network error, retry
+      it after a while, and eventually transmit a failing response to
+      the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
+    - Solve a bug that kept hardware crypto acceleration from getting
+      enabled when accounting was turned on. Fixes bug 907. Bugfix on
+      0.0.9pre6.
+    - When a canonical connection appears later in our internal list
+      than a noncanonical one for a given OR ID, always use the
+      canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
+      Spotted by rovv.
+    - Avoid some nasty corner cases in the logic for marking connections
+      as too old or obsolete or noncanonical for circuits. Partial
+      bugfix on bug 891.
+    - Fix another interesting corner-case of bug 891 spotted by rovv:
+      Previously, if two hosts had different amounts of clock drift, and
+      one of them created a new connection with just the wrong timing,
+      the other might decide to deprecate the new connection erroneously.
+      Bugfix on 0.1.1.13-alpha.
+    - If one win32 nameserver fails to get added, continue adding the
+      rest, and don't automatically fail.
+    - Fix a bug where an unreachable relay would establish enough
+      reachability testing circuits to do a bandwidth test -- if
+      we already have a connection to the middle hop of the testing
+      circuit, then it could establish the last hop by using the existing
+      connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
+      circuits no longer use entry guards in 0.2.1.3-alpha.
+
+  o Minor bugfixes (directory authorities):
+    - Limit uploaded directory documents to be 16M rather than 500K.
+      The directory authorities were refusing v3 consensus votes from
+      other authorities, since the votes are now 504K. Fixes bug 959;
+      bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
+    - Directory authorities should never send a 503 "busy" response to
+      requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
+      bug 959.
+    - Fix code so authorities _actually_ send back X-Descriptor-Not-New
+      headers. Bugfix on 0.2.0.10-alpha.
+
+  o Minor bugfixes (hidden services):
+    - When we can't find an intro key for a v2 hidden service descriptor,
+      fall back to the v0 hidden service descriptor and log a bug message.
+      Workaround for bug 1024.
+    - In very rare situations new hidden service descriptors were
+      published earlier than 30 seconds after the last change to the
+      service. (We currently think that a hidden service descriptor
+      that's been stable for 30 seconds is worth publishing.)
+    - If a hidden service sends us an END cell, do not consider
+      retrying the connection; just close it. Patch from rovv.
+    - If we are not using BEGIN_DIR cells, don't attempt to contact hidden
+      service directories if they have no advertised dir port. Bugfix
+      on 0.2.0.10-alpha.
+
+  o Minor bugfixes (tools):
+    - In the torify(1) manpage, mention that tsocks will leak your
+      DNS requests.
+
+  o Minor bugfixes (controllers):
+    - If the controller claimed responsibility for a stream, but that
+      stream never finished making its connection, it would live
+      forever in circuit_wait state. Now we close it after SocksTimeout
+      seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
+    - Make DNS resolved controller events into "CLOSED", not
+      "FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
+      bug 807.
+    - The control port would close the connection before flushing long
+      replies, such as the network consensus, if a QUIT command was issued
+      before the reply had completed. Now, the control port flushes all
+      pending replies before closing the connection. Also fix a spurious
+      warning when a QUIT command is issued after a malformed or rejected
+      AUTHENTICATE command, but before the connection was closed. Patch
+      by Marcus Griep. Fixes bugs 1015 and 1016.
+    - Fix a bug that made stream bandwidth get misreported to the
+      controller.
+
+  o Deprecated and removed features:
+    - The old "tor --version --version" command, which would print out
+      the subversion "Id" of most of the source files, is now removed. It
+      turned out to be less useful than we'd expected, and harder to
+      maintain.
+    - RedirectExits has been removed. It was deprecated since
+      0.2.0.3-alpha.
+    - Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
+      has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
+    - Cell pools are now always enabled; --disable-cell-pools is ignored.
+    - Directory mirrors no longer fetch the v1 directory or
+      running-routers files. They are obsolete, and nobody asks for them
+      anymore. This is the first step to making v1 authorities obsolete.
+    - Take out the TestVia config option, since it was a workaround for
+      a bug that was fixed in Tor 0.1.1.21.
+    - Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
+      HiddenServiceExcludeNodes as obsolete: they never worked properly,
+      and nobody seems to be using them. Fixes bug 754. Bugfix on
+      0.1.0.1-rc. Patch from Christian Wilms.
+    - Remove all backward-compatibility code for relays running
+      versions of Tor so old that they no longer work at all on the
+      Tor network.
+
+  o Code simplifications and refactoring:
+    - Tool-assisted documentation cleanup. Nearly every function or
+      static variable in Tor should have its own documentation now.
+    - Rename the confusing or_is_obsolete field to the more appropriate
+      is_bad_for_new_circs, and move it to or_connection_t where it
+      belongs.
+    - Move edge-only flags from connection_t to edge_connection_t: not
+      only is this better coding, but on machines of plausible alignment,
+      it should save 4-8 bytes per connection_t. "Every little bit helps."
+    - Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
+      for consistency; keep old option working for backward compatibility.
+    - Simplify the code for finding connections to use for a circuit.
+    - Revise the connection_new functions so that a more typesafe variant
+      exists. This will work better with Coverity, and let us find any
+      actual mistakes we're making here.
+    - Refactor unit testing logic so that dmalloc can be used sensibly
+      with unit tests to check for memory leaks.
+    - Move all hidden-service related fields from connection and circuit
+      structure to substructures: this way they won't eat so much memory.
+    - Squeeze 2-5% out of client performance (according to oprofile) by
+      improving the implementation of some policy-manipulation functions.
+    - Change the implementation of ExcludeNodes and ExcludeExitNodes to
+      be more efficient. Formerly it was quadratic in the number of
+      servers; now it should be linear. Fixes bug 509.
+    - Save 16-22 bytes per open circuit by moving the n_addr, n_port,
+      and n_conn_id_digest fields into a separate structure that's
+      only needed when the circuit has not yet attached to an n_conn.
+    - Optimize out calls to time(NULL) that occur for every IO operation,
+      or for every cell. On systems like Windows where time() is a
+      slow syscall, this fix will be slightly helpful.
+
+
+Changes in version 0.2.0.35 - 2009-06-24
+  o Security fix:
+    - Avoid crashing in the presence of certain malformed descriptors.
+      Found by lark, and by automated fuzzing.
+    - Fix an edge case where a malicious exit relay could convince a
+      controller that the client's DNS question resolves to an internal IP
+      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
+
+  o Major bugfixes:
+    - Finally fix the bug where dynamic-IP relays disappear when their
+      IP address changes: directory mirrors were mistakenly telling
+      them their old address if they asked via begin_dir, so they
+      never got an accurate answer about their new address, so they
+      just vanished after a day. For belt-and-suspenders, relays that
+      don't set Address in their config now avoid using begin_dir for
+      all direct connections. Should fix bugs 827, 883, and 900.
+    - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
+      that would occur on some exit nodes when DNS failures and timeouts
+      occurred in certain patterns. Fix for bug 957.
+
+  o Minor bugfixes:
+    - When starting with a cache over a few days old, do not leak
+      memory for the obsolete router descriptors in it. Bugfix on
+      0.2.0.33; fixes bug 672.
+    - Hidden service clients didn't use a cached service descriptor that
+      was older than 15 minutes, but wouldn't fetch a new one either,
+      because there was already one in the cache. Now, fetch a v2
+      descriptor unless the same descriptor was added to the cache within
+      the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
+
+
 Changes in version 0.2.0.34 - 2009-02-08
   Tor 0.2.0.34 features several more security-related fixes. You should
   upgrade, especially if you run an exit relay (remote crash) or a

configure.in

@@ -5,7 +5,7 @@ dnl Copyright (c) 2007-2008, The Tor Project, Inc.
 dnl See LICENSE for licensing information
 
 AC_INIT
-AM_INIT_AUTOMAKE(tor, 0.2.1.17-rc)
+AM_INIT_AUTOMAKE(tor, 0.2.1.18)
 AM_CONFIG_HEADER(orconfig.h)
 
 AC_CANONICAL_HOST

contrib/tor-mingw.nsi.in

@@ -9,7 +9,7 @@
 !include "FileFunc.nsh"
 !insertmacro GetParameters
   
-!define VERSION "0.2.1.17-rc"
+!define VERSION "0.2.1.18"
 !define INSTALLER "tor-${VERSION}-win32.exe"
 !define WEBSITE "https://www.torproject.org/"
 !define LICENSE "LICENSE"

debian/changelog

@@ -1,3 +1,9 @@
+tor (0.2.1.18-1) unstable; urgency=low
+
+  * New upstream version.
+
+ -- Peter Palfrader <weasel@debian.org>  Sat, 25 Jul 2009 11:15:11 +0200
+
 tor (0.2.1.17-rc-1) experimental; urgency=low
 
   * New upstream version.

src/win32/orconfig.h

@@ -226,6 +226,6 @@
 #define USING_TWOS_COMPLEMENT
 
 /* Version number of package */
-#define VERSION "0.2.1.17-rc"
+#define VERSION "0.2.1.18"