Changes in version 0.4.5.8 - 2021-05-10
Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
from the 0.4.6.x series.
o Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc):
- Add a workaround to enable the Linux sandbox to work correctly
with Glibc 2.33. This version of Glibc has started using the
fstatat() system call, which previously our sandbox did not allow.
Closes ticket 40382; see the ticket for a discussion of trade-offs.
o Minor features (compilation, backport from 0.4.6.3-rc):
- Make the autoconf script build correctly with autoconf versions
2.70 and later. Closes part of ticket 40335.
o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
- Regenerate the list of fallback directories to contain a new set
of 200 relays. Closes ticket 40265.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/05/07.
o Minor features (onion services):
- Add warning message when connecting to now deprecated v2 onion
services. As announced, Tor 0.4.5.x is the last series that will
support v2 onions. Closes ticket 40373.
o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
- Fix a regression that made it impossible start Tor using a bridge
line with a transport name and no fingerprint. Fixes bug 40360;
bugfix on 0.4.5.4-rc.
o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
- Allow a custom "ar" for cross-compilation. Our previous build
script had used the $AR environment variable in most places, but
it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
- Fix a non-fatal BUG() message due to a too-early free of a string,
when listing a client connection from the DoS defenses subsystem.
Fixes bug 40345; bugfix on 0.4.3.4-rc.
o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
- Fix an indentation problem that led to a warning from GCC 11.1.1.
Fixes bug 40380; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (controller, backport from 0.4.6.1-alpha):
- Fix a "BUG" warning that would appear when a controller chooses
the first hop for a circuit, and that circuit completes. Fixes bug
40285; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc):
- Fix a bug where an expired cached descriptor could get overwritten
with a new one without freeing it, leading to a memory leak. Fixes
bug 40356; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
- Fix pattern-matching errors when patterns expand to invalid paths
on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
Daniel Pinto.
Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
versions of Tor.
One of these vulnerabilities (TROVE-2021-001) would allow an attacker
who can send directory data to a Tor instance to force that Tor
instance to consume huge amounts of CPU. This is easiest to exploit
against authorities, since anybody can upload to them, but directory
caches could also exploit this vulnerability against relays or clients
when they download. The other vulnerability (TROVE-2021-002) only
affects directory authorities, and would allow an attacker to remotely
crash the authority with an assertion failure. Patches have already
been provided to the authority operators, to help ensure
network stability.
We recommend that everybody upgrade to one of the releases that fixes
these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
to you.
This release also updates our GeoIP data source, and fixes a few
smaller bugs in earlier releases.
o Major bugfixes (security, denial of service):
- Disable the dump_desc() function that we used to dump unparseable
information to disk. It was called incorrectly in several places,
in a way that could lead to excessive CPU usage. Fixes bug 40286;
bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
001 and CVE-2021-28089.
- Fix a bug in appending detached signatures to a pending consensus
document that could be used to crash a directory authority. Fixes
bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
and CVE-2021-28090.
o Minor features (geoip data):
- We have switched geoip data sources. Previously we shipped IP-to-
country mappings from Maxmind's GeoLite2, but in 2019 they changed
their licensing terms, so we were unable to update them after that
point. We now ship geoip files based on the IPFire Location
Database instead. (See https://location.ipfire.org/ for more
information). This release updates our geoip files to match the
IPFire Location Database as retrieved on 2021/03/12. Closes
ticket 40224.
o Minor bugfixes (directory authority):
- Now that exit relays don't allow exit connections to directory
authority DirPorts (to prevent network reentry), disable
authorities' reachability self test on the DirPort. Fixes bug
40287; bugfix on 0.4.5.5-rc.
o Minor bugfixes (documentation):
- Fix a formatting error in the documentation for
VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha.
o Minor bugfixes (Linux, relay):
- Fix a bug in determining total available system memory that would
have been triggered if the format of Linux's /proc/meminfo file
had ever changed to include "MemTotal:" in the middle of a line.
Fixes bug 40315; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (metrics port):
- Fix a BUG() warning on the MetricsPort for an internal missing
handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (onion service):
- Remove a harmless BUG() warning when reloading tor configured with
onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (portability):
- Fix a non-portable usage of "==" with "test" in the configure
script. Fixes bug 40298; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (relay):
- Remove a spammy log notice falsely claiming that the IPv4/v6
address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha.
- Do not query the address cache early in the boot process when
deciding if a relay needs to fetch early directory information
from an authority. This bug resulted in a relay falsely believing
it didn't have an address and thus triggering an authority fetch
at each boot. Related to our fix for 40300.
o Removed features (mallinfo deprecated):
- Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
Closes ticket 40309.
Changes in version 0.4.5.6 - 2021-02-15
The Tor 0.4.5.x release series is dedicated to the memory of Karsten
Loesing (1979-2020), Tor developer, cypherpunk, husband, and father.
Karsten is best known for creating the Tor metrics portal and leading
the metrics team, but he was involved in Tor from the early days. For
example, while he was still a student he invented and implemented the
v2 onion service directory design, and he also served as an ambassador
to the many German researchers working in the anonymity field. We
loved him and respected him for his patience, his consistency, and his
welcoming approach to growing our community.
This release series introduces significant improvements in relay IPv6
address discovery, a new "MetricsPort" mechanism for relay operators
to measure performance, LTTng support, build system improvements to
help when using Tor as a static library, and significant bugfixes
related to Windows relay performance. It also includes numerous
smaller features and bugfixes.
Changes in version 0.4.4.7 - 2021-02-03
Tor 0.4.4.7 backports numerous bugfixes from later releases,
including one that made v3 onion services more susceptible to
denial-of-service attacks, and a feature that makes some kinds of
DoS attacks harder to perform.
o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
- Stop requiring a live consensus for v3 clients and services, and
allow a "reasonably live" consensus instead. This allows v3 onion
services to work even if the authorities fail to generate a
consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
on 0.3.5.1-alpha.
o Major feature (exit, backport from 0.4.5.5-rc):
- Re-entry into the network is now denied at the Exit level to all
relays' ORPorts and authorities' ORPorts and DirPorts. This change
should help mitgate a set of denial-of-service attacks. Closes
ticket 2667.
o Minor feature (build system, backport from 0.4.5.4-rc):
- New "make lsp" command to generate the compile_commands.json file
used by the ccls language server. The "bear" program is needed for
this. Closes ticket 40227.
o Minor features (compilation, backport from 0.4.5.2-rc):
- Disable deprecation warnings when building with OpenSSL 3.0.0 or
later. There are a number of APIs newly deprecated in OpenSSL
3.0.0 that Tor still requires. (A later version of Tor will try to
stop depending on these APIs.) Closes ticket 40165.
o Minor features (crypto, backport from 0.4.5.3-rc):
- Fix undefined behavior on our Keccak library. The bug only
appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
and would result in wrong digests. Fixes bug 40210; bugfix on
0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
weasel for diagnosing this.
o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
- Strip '\r' characters when reading text files on Unix platforms.
This should resolve an issue where a relay operator migrates a
relay from Windows to Unix, but does not change the line ending of
Tor's various state files to match the platform, and the CRLF line
endings from Windows end up leaking into other files such as the
extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.
o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
- Fix a compilation warning about unreachable fallthrough
annotations when building with "--enable-all-bugs-are-fatal" on
some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
- Handle partial SOCKS5 messages correctly. Previously, our code
would send an incorrect error message if it got a SOCKS5 request
that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
- Fix the `config/parse_tcp_proxy_line` test so that it works
correctly on systems where the DNS provider hijacks invalid
queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
- Fix our Python reference-implementation for the v3 onion service
handshake so that it works correctly with the version of hashlib
provided by Python 3.9. Fixes part of bug 40179; bugfix
on 0.3.1.6-rc.
- Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.
Disable rust option since it currently doesn't work.
Changes in version 0.4.4.6 - 2020-11-12
Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It
backports fixes from later releases, including a fix for TROVE-2020-
005, a security issue that could be used, under certain cases, by an
adversary to observe traffic patterns on a limited number of circuits
intended for a different relay.
o Major bugfixes (security, backport from 0.4.5.1-alpha):
- When completing a channel, relays now check more thoroughly to
make sure that it matches any pending circuits before attaching
those circuits. Previously, address correctness and Ed25519
identities were not checked in this case, but only when extending
circuits on an existing channel. Fixes bug 40080; bugfix on
0.2.7.2-alpha. Resolves TROVE-2020-005.
o Minor features (directory authorities, backport from 0.4.5.1-alpha):
- Authorities now list a different set of protocols as required and
recommended. These lists have been chosen so that only truly
recommended and/or required protocols are included, and so that
clients using 0.2.9 or later will continue to work (even though
they are not supported), whereas only relays running 0.3.5 or
later will meet the requirements. Closes ticket 40162.
- Make it possible to specify multiple ConsensusParams torrc lines.
Now directory authority operators can for example put the main
ConsensusParams config in one torrc file and then add to it from a
different torrc file. Closes ticket 40164.
o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
- Tor no longer allows subprotocol versions larger than 63.
Previously version numbers up to UINT32_MAX were allowed, which
significantly complicated our code. Implements proposal 318;
closes ticket 40133.
o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
- Fix a rendezvous cache unit test that was triggering an underflow
on the global rend cache allocation. Fixes bug 40125; bugfix
on 0.2.8.1-alpha.
- Fix another rendezvous cache unit test that was triggering an
underflow on the global rend cache allocation. Fixes bug 40126;
bugfix on 0.2.8.1-alpha.
o Minor bugfixes (compilation, backport from 0.4.5.1-alpha):
- Fix compiler warnings that would occur when building with
"--enable-all-bugs-are-fatal" and "--disable-module-relay" at the
same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
- Resolve a compilation warning that could occur in
test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
- Remove a debug logging statement that uselessly spammed the logs.
Fixes bug 40135; bugfix on 0.3.5.0-alpha.
o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
- Avoid a fatal assert() when failing to create a listener
connection for an address that was in use. Fixes bug 40073; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha):
- For HSFETCH commands on v2 onion services addresses, check the
length of bytes decoded, not the base32 length. Fixes bug 34400;
bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.
backtrace(3) does not work on netbsd-9 ending up in a SIGSEGV and tor
process hanging forever (a simple way to reproduce without configuring
tor is just invoking tor via `tor --version').
Workaround for PR port-evbarm/55669.
PKGREVISION++
Changes in version 0.4.4.5 - 2020-09-15
Tor 0.4.4.5 is the first stable release in the 0.4.4.x series. This
series improves our guard selection algorithms, adds v3 onion balance
support, improves the amount of code that can be disabled when running
without relay support, and includes numerous small bugfixes and
enhancements. It also lays the ground for some IPv6 features that
we'll be developing more in the next (0.4.5) series.
Per our support policy, we support each stable release series for nine
months after its first stable release, or three months after the first
stable release of the next series: whichever is longer. This means
that 0.4.4.x will be supported until around June 2021--or later, if
0.4.5.x is later than anticipated.
Note also that support for 0.4.2.x has just ended; support for 0.4.3
will continue until Feb 15, 2021. We still plan to continue supporting
0.3.5.x, our long-term stable series, until Feb 2022.
o Major features (Proposal 310, performance + security):
- Implements Proposal 310, "Bandaid on guard selection". Proposal
310 solves load-balancing issues with older versions of the guard
selection algorithm, and improves its security. Under this new
algorithm, a newly selected guard never becomes Primary unless all
previously sampled guards are unreachable. Implements
recommendation from 32088. (Proposal 310 is linked to the CLAPS
project researching optimal client location-aware path selections.
This project is a collaboration between the UCLouvain Crypto Group,
the U.S. Naval Research Laboratory, and Princeton University.)
o Major features (fallback directory list):
- Replace the 148 fallback directories originally included in Tor
0.4.1.4-rc (of which around 105 are still functional) with a list
of 144 fallbacks generated in July 2020. Closes ticket 40061.
o Major features (IPv6, relay):
- Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol
warning if the IPv4 or IPv6 address is an internal address, and
internal addresses are not allowed. But continue to use the other
address, if it is valid. Closes ticket 33817.
- If a relay can extend over IPv4 and IPv6, and both addresses are
provided, it chooses between them uniformly at random. Closes
ticket 33817.
- Re-use existing IPv6 connections for circuit extends. Closes
ticket 33817.
- Relays may extend circuits over IPv6, if the relay has an IPv6
ORPort, and the client supplies the other relay's IPv6 ORPort in
the EXTEND2 cell. IPv6 extends will be used by the relay IPv6
ORPort self-tests in 33222. Closes ticket 33817.
o Major features (v3 onion services):
- Allow v3 onion services to act as OnionBalance backend instances,
by using the HiddenServiceOnionBalanceInstance torrc option.
Closes ticket 32709.
o Major bugfixes (NSS):
- When running with NSS enabled, make sure that NSS knows to expect
nonblocking sockets. Previously, we set our TCP sockets as
nonblocking, but did not tell NSS, which in turn could lead to
unexpected blocking behavior. Fixes bug 40035; bugfix
on 0.3.5.1-alpha.
o Major bugfixes (onion services, DoS):
- Correct handling of parameters for the onion service DoS defense.
Previously, the consensus parameters for the onion service DoS
defenses were overwriting the parameters set by the service
operator using HiddenServiceEnableIntroDoSDefense. Fixes bug
40109; bugfix on 0.4.2.1-alpha.
o Major bugfixes (stats, onion services):
- Fix a bug where we were undercounting the Tor network's total
onion service traffic, by ignoring any traffic originating from
clients. Now we count traffic from both clients and services.
Fixes bug 40117; bugfix on 0.2.6.2-alpha.
o Minor features (security):
- Channels using obsolete versions of the Tor link protocol are no
longer allowed to circumvent address-canonicity checks. (This is
only a minor issue, since such channels have no way to set ed25519
keys, and therefore should always be rejected for circuits that
specify ed25519 identities.) Closes ticket 40081.
o Minor features (bootstrap reporting):
- Report more detailed reasons for bootstrap failure when the
failure happens due to a TLS error. Previously we would just call
these errors "MISC" when they happened during read, and "DONE"
when they happened during any other TLS operation. Closes
ticket 32622.
o Minor features (client-only compilation):
- Disable more code related to the ext_orport protocol when
compiling without support for relay mode. Closes ticket 33368.
- Disable more of our self-testing code when support for relay mode
is disabled. Closes ticket 33370.
- Most server-side DNS code is now disabled when building without
support for relay mode. Closes ticket 33366.
o Minor features (code safety):
- Check for failures of tor_inet_ntop() and tor_inet_ntoa()
functions in DNS and IP address processing code, and adjust
codepaths to make them less likely to crash entire Tor instances.
Resolves issue 33788.
o Minor features (continuous integration):
- Run unit-test and integration test (Stem, Chutney) jobs with
ALL_BUGS_ARE_FATAL macro being enabled on Travis and Appveyor.
Resolves ticket 32143.
o Minor features (control port):
- If a ClientName was specified in ONION_CLIENT_AUTH_ADD for an
onion service, display it when we use ONION_CLIENT_AUTH_VIEW.
Closes ticket 40089. Patch by Neel Chauhan.
- Return a descriptive error message from the 'GETINFO status/fresh-
relay-descs' command on the control port. Previously, we returned
a generic error of "Error generating descriptor". Closes ticket
32873. Patch by Neel Chauhan.
o Minor features (defense in depth):
- Wipe more data from connection address fields before returning
them to the memory heap. Closes ticket 6198.
o Minor features (denial-of-service memory limiter):
- Allow the user to configure even lower values for the
MaxMemInQueues parameter. Relays now enforce a minimum of 64 MB,
when previously the minimum was 256 MB. On clients, there is no
minimum. Relays and clients will both warn if the value is set so
low that Tor is likely to stop working. Closes ticket 24308.
o Minor features (developer tooling):
- Add a script to help check the alphabetical ordering of option
names in the manual page. Closes ticket 33339.
- Refrain from listing all .a files that are generated by the Tor
build in .gitignore. Add a single wildcard *.a entry that covers
all of them for present and future. Closes ticket 33642.
- Add a script ("git-install-tools.sh") to install git hooks and
helper scripts. Closes ticket 33451.
o Minor features (directory authority):
- Authorities now recommend the protocol versions that are supported
by Tor 0.3.5 and later. (Earlier versions of Tor have been
deprecated since January of this year.) This recommendation will
cause older clients and relays to give a warning on startup, or
when they download a consensus directory. Closes ticket 32696.
o Minor features (directory authority, shared random):
- Refactor more authority-only parts of the shared-random scheduling
code to reside in the dirauth module, and to be disabled when
compiling with --disable-module-dirauth. Closes ticket 33436.
o Minor features (directory):
- Remember the number of bytes we have downloaded for each directory
purpose while bootstrapping, and while fully bootstrapped. Log
this information as part of the heartbeat message. Closes
ticket 32720.
o Minor features (entry guards):
- Reinstate support for GUARD NEW/UP/DOWN control port events.
Closes ticket 40001.
o Minor features (IPv6 support):
- Adds IPv6 support to tor_addr_is_valid(). Adds tests for the above
changes and tor_addr_is_null(). Closes ticket 33679. Patch
by MrSquanchee.
- Allow clients and relays to send dual-stack and IPv6-only EXTEND2
cells. Parse dual-stack and IPv6-only EXTEND2 cells on relays.
Closes ticket 33901.
o Minor features (linux seccomp2 sandbox, portability):
- Allow Tor to build on platforms where it doesn't know how to
report which syscall caused the linux seccomp2 sandbox to fail.
This change should make the sandbox code more portable to less
common Linux architectures. Closes ticket 34382.
- Permit the unlinkat() syscall, which some Libc implementations use
to implement unlink(). Closes ticket 33346.
o Minor features (logging):
- When trying to find our own address, add debug-level logging to
report the sources of candidate addresses. Closes ticket 32888.
o Minor features (onion service client, SOCKS5):
- Add 3 new SocksPort ExtendedErrors (F2, F3, F7) that reports back
new type of onion service connection failures. The semantics of
these error codes are documented in proposal 309. Closes
ticket 32542.
o Minor features (onion service v3):
- If a service cannot upload its descriptor(s), log why at INFO
level. Closes ticket 33400; bugfix on 0.3.2.1-alpha.
o Minor features (python scripts):
- Stop assuming that /usr/bin/python exists. Instead of using a
hardcoded path in scripts that still use Python 2, use
/usr/bin/env, similarly to the scripts that use Python 3. Fixes
bug 33192; bugfix on 0.4.2.
o Minor features (testing, architecture):
- Our test scripts now double-check that subsystem initialization
order is consistent with the inter-module dependencies established
by our .may_include files. Implements ticket 31634.
- Initialize all subsystems at the beginning of our unit test
harness, to avoid crashes due to uninitialized subsystems. Follow-
up from ticket 33316.
- Our "make check" target now runs the unit tests in 8 parallel
chunks. Doing this speeds up hardened CI builds by more than a
factor of two. Closes ticket 40098.
o Minor features (v3 onion services):
- Add v3 onion service status to the dumpstats() call which is
triggered by a SIGUSR1 signal. Previously, we only did v2 onion
services. Closes ticket 24844. Patch by Neel Chauhan.
o Minor features (windows):
- Add support for console control signals like Ctrl+C in Windows.
Closes ticket 34211. Patch from Damon Harris (TheDcoder).
o Minor bugfixes (control port, onion service):
- Consistently use 'address' in "Invalid v3 address" response to
ONION_CLIENT_AUTH commands. Previously, we would sometimes say
'addr'. Fixes bug 40005; bugfix on 0.4.3.1-alpha.
o Minor bugfixes (correctness, buffers):
- Fix a correctness bug that could cause an assertion failure if we
ever tried using the buf_move_all() function with an empty input
buffer. As far as we know, no released versions of Tor do this.
Fixes bug 40076; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (directory authorities):
- Directory authorities now reject votes that arrive too late. In
particular, once an authority has started fetching missing votes,
it no longer accepts new votes posted by other authorities. This
change helps prevent a consensus split, where only some authorities
have the late vote. Fixes bug 4631; bugfix on 0.2.0.5-alpha.
o Minor bugfixes (git scripts):
- Stop executing the checked-out pre-commit hook from the pre-push
hook. Instead, execute the copy in the user's git directory. Fixes
bug 33284; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (initialization):
- Initialize the subsystems in our code in an order more closely
corresponding to their dependencies, so that every system is
initialized before the ones that (theoretically) depend on it.
Fixes bug 33316; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (IPv4, relay):
- Check for invalid zero IPv4 addresses and ports when sending and
receiving extend cells. Fixes bug 33900; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (IPv6, relay):
- Consider IPv6 addresses when checking if a connection is
canonical. In 17604, relays assumed that a remote relay could
consider an IPv6 connection canonical, but did not set the
canonical flag on their side of the connection. Fixes bug 33899;
bugfix on 0.3.1.1-alpha.
- Log IPv6 addresses on connections where this relay is the
responder. Previously, responding relays would replace the remote
IPv6 address with the IPv4 address from the consensus. Fixes bug
33899; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Fix a regression on sandboxing rules for the openat() syscall. The
fix for bug 25440 fixed the problem on systems with glibc >= 2.27
but broke with versions of glibc. We now choose a rule based on
the glibc version. Patch from Daniel Pinto. Fixes bug 27315;
bugfix on 0.3.5.11.
- Makes the seccomp sandbox allow the correct syscall for opendir
according to the running glibc version. This fixes crashes when
reloading torrc with sandbox enabled when running on glibc 2.15 to
2.21 and 2.26. Patch from Daniel Pinto. Fixes bug 40020; bugfix
on 0.3.5.11.
o Minor bugfixes (logging, testing):
- Make all of tor's assertion macros support the ALL_BUGS_ARE_FATAL
and DISABLE_ASSERTS_IN_UNIT_TESTS debugging modes. (IF_BUG_ONCE()
used to log a non-fatal warning, regardless of the debugging
mode.) Fixes bug 33917; bugfix on 0.2.9.1-alpha.
- Remove surprising empty line in the INFO-level log about circuit
build timeout. Fixes bug 33531; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (mainloop):
- Better guard against growing a buffer past its maximum 2GB in
size. Fixes bug 33131; bugfix on 0.3.0.4-rc.
o Minor bugfixes (onion service v3 client):
- Remove a BUG() warning that could occur naturally. Fixes bug
34087; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion service, logging):
- Fix a typo in a log message PublishHidServDescriptors is set to 0.
Fixes bug 33779; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion services v3):
- Avoid a non-fatal assertion failure in certain edge-cases when
opening an intro circuit as a client. Fixes bug 34084; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (protocol versions):
- Sort tor's supported protocol version lists, as recommended by the
tor directory specification. Fixes bug 33285; bugfix
on 0.4.0.1-alpha.
o Minor bugfixes (rate limiting, bridges, pluggable transports):
- On a bridge, treat all connections from an ExtORPort as remote by
default for the purposes of rate-limiting. Previously, bridges
would treat the connection as local unless they explicitly
received a "USERADDR" command. ExtORPort connections still count
as local if there is a USERADDR command with an explicit local
address. Fixes bug 33747; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (refactoring):
- Lift circuit_build_times_disabled() out of the
circuit_expire_building() loop, to save CPU time when there are
many circuits open. Fixes bug 33977; bugfix on 0.3.5.9.
o Minor bugfixes (relay, self-testing):
- When starting up as a relay, if we haven't been able to verify
that we're reachable, only launch reachability tests at most once
a minute. Previously, we had been launching tests up to once a
second, which was needlessly noisy. Fixes bug 40083; bugfix
on 0.2.8.1-alpha.
o Minor bugfixes (relay, usability):
- Adjust the rules for when to warn about having too many
connections to other relays. Previously we'd tolerate up to 1.5
connections per relay on average. Now we tolerate more connections
for directory authorities, and raise the number of total
connections we need to see before we warn. Fixes bug 33880; bugfix
on 0.3.1.1-alpha.
o Minor bugfixes (SOCKS, onion service client):
- Detect v3 onion service addresses of the wrong length when
returning the F6 ExtendedErrors code. Fixes bug 33873; bugfix
on 0.4.3.1-alpha.
o Minor bugfixes (tests):
- Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
on its own. Previously, it would exit with an error. Fixes bug
40099; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (v3 onion services):
- Remove a BUG() warning that could trigger in certain unlikely
edge-cases. Fixes bug 34086; bugfix on 0.3.2.1-alpha.
- Remove a BUG() that was causing a stacktrace when a descriptor
changed at an unexpected time. Fixes bug 28992; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (windows):
- Fix a bug that prevented Tor from starting if its log file grew
above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha.
o Code simplification and refactoring:
- Define and use a new constant TOR_ADDRPORT_BUF_LEN which is like
TOR_ADDR_BUF_LEN but includes enough space for an IP address,
brackets, separating colon, and port number. Closes ticket 33956.
Patch by Neel Chauhan.
- Merge the orconn and ocirc events into the "core" subsystem, which
manages or connections and origin circuits. Previously they were
isolated in subsystems of their own.
- Move LOG_PROTOCOL_WARN to app/config. Resolves a dependency
inversion. Closes ticket 33633.
- Move the circuit extend code to the relay module. Split the
circuit extend function into smaller functions. Closes
ticket 33633.
- Rewrite port_parse_config() to use the default port flags from
port_cfg_new(). Closes ticket 32994. Patch by MrSquanchee.
- Updated comments in 'scheduler.c' to reflect old code changes, and
simplified the scheduler channel state change code. Closes
ticket 33349.
- Refactor configuration parsing to use the new config subsystem
code. Closes ticket 33014.
- Move a series of functions related to address resolving into their
own files. Closes ticket 33789.
o Documentation:
- Replace most http:// URLs in our code and documentation with
https:// URLs. (We have left unchanged the code in src/ext/, and
the text in LICENSE.) Closes ticket 31812. Patch from Jeremy Rand.
- Document the limitations of using %include on config files with
seccomp sandbox enabled. Fixes documentation bug 34133; bugfix on
0.3.1.1-alpha. Patch by Daniel Pinto.
o Removed features:
- Our "check-local" test target no longer tries to use the
Coccinelle semantic patching tool parse all the C files. While it
is a good idea to try to make sure Coccinelle works on our C
before we run a Coccinelle patch, doing so on every test run has
proven to be disruptive. You can still run this tool manually with
"make check-cocci". Closes ticket 40030.
- Remove the ClientAutoIPv6ORPort option. This option attempted to
randomly choose between IPv4 and IPv6 for client connections, and
wasn't a true implementation of Happy Eyeballs. Often, this option
failed on IPv4-only or IPv6-only connections. Closes ticket 32905.
Patch by Neel Chauhan.
- Stop shipping contrib/dist/rc.subr file, as it is not being used
on FreeBSD anymore. Closes issue 31576.
o Testing:
- Add a basic IPv6 test to "make test-network". This test only runs
when the local machine has an IPv6 stack. Closes ticket 33300.
- Add test-network-ipv4 and test-network-ipv6 jobs to the Makefile.
These jobs run the IPv4-only and dual-stack chutney flavours from
test-network-all. Closes ticket 33280.
- Remove a redundant distcheck job. Closes ticket 33194.
- Run the test-network-ipv6 Makefile target in the Travis CI IPv6
chutney job. This job runs on macOS, so it's a bit slow. Closes
ticket 33303.
- Sort the Travis jobs in order of speed. Putting the slowest jobs
first takes full advantage of Travis job concurrency. Closes
ticket 33194.
- Stop allowing the Chutney IPv6 Travis job to fail. This job was
previously configured to fast_finish (which requires
allow_failure), to speed up the build. Closes ticket 33195.
- Test v3 onion services to tor's mixed IPv4 chutney network. And
add a mixed IPv6 chutney network. These networks are used in the
test-network-all, test-network-ipv4, and test-network-ipv6 make
targets. Closes ticket 33334.
- Use the "bridges+hs-v23" chutney network flavour in "make test-
network". This test requires a recent version of chutney (mid-
February 2020). Closes ticket 28208.
- When a Travis chutney job fails, use chutney's new "diagnostics.sh"
tool to produce detailed diagnostic output. Closes ticket 32792.
o Deprecated features (onion service v2):
- Add a deprecation warning for version 2 onion services. Closes
ticket 40003.
o Documentation (manual page):
- Add cross reference links and a table of contents to the HTML tor
manual page. Closes ticket 33369. Work by Swati Thacker as part of
Google Season of Docs.
- Alphabetize the Denial of Service Mitigation Options, Directory
Authority Server Options, Hidden Service Options, and Testing
Network Options sections of the tor(1) manual page. Closes ticket
33275. Work by Swati Thacker as part of Google Season of Docs.
- Refrain from mentioning nicknames in manpage section for MyFamily
torrc option. Resolves issue 33417.
- Updated the options set by TestingTorNetwork in the manual page.
Closes ticket 33778.
pkgsrc changes:
- Remove patch-configure: applied upstream
Changes:
Changes in version 0.4.3.6 - 2020-07-09
Tor 0.4.3.6 backports several bugfixes from later releases, including
some affecting usability.
This release also fixes TROVE-2020-001, a medium-severity denial of
service vulnerability affecting all versions of Tor when compiled with
the NSS encryption library. (This is not the default configuration.)
Using this vulnerability, an attacker could cause an affected Tor
instance to crash remotely. This issue is also tracked as CVE-2020-
15572. Anybody running a version of Tor built with the NSS library
should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
or later.
o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
- Fix a crash due to an out-of-bound memory access when Tor is
compiled with NSS support. Fixes bug 33119; bugfix on
0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
and CVE-2020-15572.
o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
- Use the correct 64-bit printf format when compiling with MINGW on
Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.
o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
- Resume use of preemptively-built circuits when UseEntryGuards is set
to 0. We accidentally disabled this feature with that config
setting, leading to slower load times. Fixes bug 34303; bugfix
on 0.3.3.2-alpha.
o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
- Fix a compiler warning on platforms with 32-bit time_t values.
Fixes bug 40028; bugfix on 0.3.2.8-rc.
o Minor bugfixes (linux seccomp sandbox, nss, backport from 0.4.4.1-alpha):
- Fix a startup crash when tor is compiled with --enable-nss and
sandbox support is enabled. Fixes bug 34130; bugfix on
0.3.5.1-alpha. Patch by Daniel Pinto.
o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
- Downgrade a noisy log message that could occur naturally when
receiving an extrainfo document that we no longer want. Fixes bug
16016; bugfix on 0.2.6.3-alpha.
o Minor bugfixes (manual page, backport from 0.4.4.1-alpha):
- Update the man page to reflect that MinUptimeHidServDirectoryV2
defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha.
o Minor bugfixes (onion service v3, backport from 0.4.4.1-alpha):
- Prevent an assert() that would occur when cleaning the client
descriptor cache, and attempting to close circuits for a non-
decrypted descriptor (lacking client authorization). Fixes bug
33458; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (portability, backport from 0.4.4.1-alpha):
- Fix a portability error in the configure script, where we were
using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5.
o Minor bugfixes (relays, backport from 0.4.4.1-alpha):
- Stop advertising incorrect IPv6 ORPorts in relay and bridge
descriptors, when the IPv6 port was configured as "auto". Fixes
bug 32588; bugfix on 0.2.3.9-alpha.
o Documentation (backport from 0.4.4.1-alpha):
- Fix several doxygen warnings related to imbalanced groups. Closes
ticket 34255.
This allows rust-bin and rust to coexist in bulk builds (for testing, etc),
but the packages still may not be installed at the same time.
rust.mk as a solution for picking the correct rust variant was suggested
by gdt@. It is intended to be included directly by packages that do not
use cargo.mk, and indirectly by packages that do use cargo.mk.
rust.mk provides one user-settable variable:
RUST_TYPE
as before, whether to bootstrap rust from source or use
official binaries. may be "src" or "bin"
And two package-settable variables:
RUST_REQ
the minimum version of Rust required by the package.
defaults to "1.20.0"
RUST_RUNTIME
whether Rust is a runtime dependency, may be "yes" or "no"
Changes in version 0.4.3.5 - 2020-05-15
Tor 0.4.3.5 is the first stable release in the 0.4.3.x series. This
series adds support for building without relay code enabled, and
implements functionality needed for OnionBalance with v3 onion
services. It includes significant refactoring of our configuration and
controller functionality, and fixes numerous smaller bugs and
performance issues.
Per our support policy, we support each stable release series for nine
months after its first stable release, or three months after the first
stable release of the next series: whichever is longer. This means
that 0.4.3.x will be supported until around February 2021--later, if
0.4.4.x is later than anticipated.
Note also that support for 0.4.1.x is about to end on May 20 of this
year; 0.4.2.x will be supported until September 15. We still plan to
continue supporting 0.3.5.x, our long-term stable series, until
Feb 2022.
Below are the changes since 0.4.2.6. For a list of only the changes
since 0.4.3.4-rc, see the ChangeLog file.
o New system requirements:
- When building Tor, you now need to have Python 3 in order to run
the integration tests. (Python 2 is officially unsupported
upstream, as of 1 Jan 2020.) Closes ticket 32608.
o Major features (build system):
- The relay code can now be disabled using the --disable-module-relay
configure option. When this option is set, we also disable the
dirauth module. Closes ticket 32123.
- When Tor is compiled --disable-module-relay, we also omit the code
used to act as a directory cache. Closes ticket 32487.
o Major features (directory authority, ed25519):
- Add support for banning a relay's ed25519 keys in the approved-
routers file. This will help us migrate away from RSA keys in the
future. Previously, only RSA keys could be banned in approved-
routers. Resolves ticket 22029. Patch by Neel Chauhan.
o Major features (onion services):
- New control port commands to manage client-side onion service
authorization credentials. The ONION_CLIENT_AUTH_ADD command adds
a credential, ONION_CLIENT_AUTH_REMOVE deletes a credential, and
ONION_CLIENT_AUTH_VIEW lists the credentials. Closes ticket 30381.
- Introduce a new SocksPort flag, ExtendedErrors, to support more
detailed error codes in information for applications that support
them. Closes ticket 30382; implements proposal 304.
o Major features (proxy):
- In addition to its current supported proxy types (HTTP CONNECT,
SOCKS4, and SOCKS5), Tor can now make its OR connections through a
HAProxy server. A new torrc option was added to specify the
address/port of the server: TCPProxy <protocol> <host>:<port>.
Currently the only supported protocol for the option is haproxy.
Closes ticket 31518. Patch done by Suphanat Chunhapanya (haxxpop).
o Major bugfixes (security, denial-of-service):
- Fix a denial-of-service bug that could be used by anyone to
consume a bunch of CPU on any Tor relay or authority, or by
directories to consume a bunch of CPU on clients or hidden
services. Because of the potential for CPU consumption to
introduce observable timing patterns, we are treating this as a
high-severity security issue. Fixes bug 33119; bugfix on
0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
as TROVE-2020-002 and CVE-2020-10592.
o Major bugfixes (circuit padding, memory leak):
- Avoid a remotely triggered memory leak in the case that a circuit
padding machine is somehow negotiated twice on the same circuit.
Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
This is also tracked as TROVE-2020-004 and CVE-2020-10593.
o Major bugfixes (directory authority):
- Directory authorities will now send a 503 (not enough bandwidth)
code to clients when under bandwidth pressure. Known relays and
other authorities will always be answered regardless of the
bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.
o Major bugfixes (DoS defenses, bridges, pluggable transport):
- Fix a bug that was preventing DoS defenses from running on bridges
with a pluggable transport. Previously, the DoS subsystem was not
given the transport name of the client connection, thus failed to
find the GeoIP cache entry for that client address. Fixes bug
33491; bugfix on 0.3.3.2-alpha.
o Major bugfixes (networking):
- Correctly handle IPv6 addresses in SOCKS5 RESOLVE_PTR requests,
and accept strings as well as binary addresses. Fixes bug 32315;
bugfix on 0.3.5.1-alpha.
o Major bugfixes (onion service):
- Report HS circuit failure back into the HS subsystem so we take
appropriate action with regards to the client introduction point
failure cache. This improves reachability of onion services, since
now clients notice failing introduction circuits properly. Fixes
bug 32020; bugfix on 0.3.2.1-alpha.
o Minor feature (heartbeat, onion service):
- Add the DoS INTRODUCE2 defenses counter to the heartbeat DoS
message. Closes ticket 31371.
o Minor feature (sendme, flow control):
- Default to sending SENDME version 1 cells. (Clients are already
sending these, because of a consensus parameter telling them to do
so: this change only affects what clients would do if the
consensus didn't contain a recommendation.) Closes ticket 33623.
o Minor features (best practices tracker):
- Practracker now supports a --regen-overbroad option to regenerate
the exceptions file, but only to revise exceptions to be _less_
tolerant of best-practices violations. Closes ticket 32372.
o Minor features (configuration validation):
- Configuration validation can now be done by per-module callbacks,
rather than a global validation function. This will let us reduce
the size of config.c and some of its more cumbersome functions.
Closes ticket 31241.
o Minor features (configuration):
- If a configured hardware crypto accelerator in AccelName is
prefixed with "!", Tor now exits when it cannot be found. Closes
ticket 32406.
- We now use flag-driven logic to warn about obsolete configuration
fields, so that we can include their names. In 0.4.2, we used a
special type, which prevented us from generating good warnings.
Implements ticket 32404.
o Minor features (configure, build system):
- Output a list of enabled/disabled features at the end of the
configure process in a pleasing way. Closes ticket 31373.
o Minor features (continuous integration):
- Run Doxygen Makefile target on Travis, so we can learn about
regressions in our internal documentation. Closes ticket 32455.
- Stop allowing failures on the Travis CI stem tests job. It looks
like all the stem hangs we were seeing before are now fixed.
Closes ticket 33075.
o Minor features (controller):
- Add stream isolation data to STREAM event. Closes ticket 19859.
- Implement a new GETINFO command to fetch microdescriptor
consensus. Closes ticket 31684.
o Minor features (debugging, directory system):
- Don't crash when we find a non-guard with a guard-fraction value
set. Instead, log a bug warning, in an attempt to figure out how
this happened. Diagnostic for ticket 32868.
o Minor features (defense in depth):
- Add additional checks around tor_vasprintf() usage, in case the
function returns an error. Patch by Tobias Stoeckmann. Fixes
ticket 31147.
o Minor features (developer tools):
- Remove the 0.2.9.x series branches from git scripts (git-merge-
forward.sh, git-pull-all.sh, git-push-all.sh, git-setup-dirs.sh).
Closes ticket 32772.
- Add a check_cocci_parse.sh script that checks that new code is
parseable by Coccinelle. Add an exceptions file for unparseable
files, and run the script from travis CI. Closes ticket 31919.
- Call the check_cocci_parse.sh script from a 'check-cocci' Makefile
target. Closes ticket 31919.
- Add a rename_c_identifiers.py tool to rename a bunch of C
identifiers at once, and generate a well-formed commit message
describing the change. This should help with refactoring. Closes
ticket 32237.
- Add some scripts in "scripts/coccinelle" to invoke the Coccinelle
semantic patching tool with the correct flags. These flags are
fairly easy to forget, and these scripts should help us use
Coccinelle more effectively in the future. Closes ticket 31705.
o Minor features (diagnostic):
- Improve assertions and add some memory-poisoning code to try to
track down possible causes of a rare crash (32564) in the EWMA
code. Closes ticket 33290.
o Minor features (directory authorities):
- Directory authorities now reject descriptors from relays running
Tor versions from the 0.2.9 and 0.4.0 series. The 0.3.5 series is
still allowed. Resolves ticket 32672. Patch by Neel Chauhan.
o Minor features (Doxygen):
- Update Doxygen configuration file to a more recent template (from
1.8.15). Closes ticket 32110.
- "make doxygen" now works with out-of-tree builds. Closes
ticket 32113.
- Make sure that doxygen outputs documentation for all of our C
files. Previously, some were missing @file declarations, causing
them to be ignored. Closes ticket 32307.
- Our "make doxygen" target now respects --enable-fatal-warnings by
default, and does not warn about items that are missing
documentation. To warn about missing documentation, run configure
with the "--enable-missing-doc-warnings" flag: doing so suspends
fatal warnings for doxygen. Closes ticket 32385.
o Minor features (git scripts):
- Add TOR_EXTRA_CLONE_ARGS to git-setup-dirs.sh for git clone
customisation. Closes ticket 32347.
- Add git-setup-dirs.sh, which sets up an upstream git repository
and worktrees for tor maintainers. Closes ticket 29603.
- Add TOR_EXTRA_REMOTE_* to git-setup-dirs.sh for a custom extra
remote. Closes ticket 32347.
- Call the check_cocci_parse.sh script from the git commit and push
hooks. Closes ticket 31919.
- Make git-push-all.sh skip unchanged branches when pushing to
upstream. The script already skipped unchanged test branches.
Closes ticket 32216.
- Make git-setup-dirs.sh create a master symlink in the worktree
directory. Closes ticket 32347.
- Skip unmodified source files when doing some existing git hook
checks. Related to ticket 31919.
o Minor features (IPv6, client):
- Make Tor clients tell dual-stack exits that they prefer IPv6
connections. This change is equivalent to setting the PreferIPv6
flag on SOCKSPorts (and most other listener ports). Tor Browser
has been setting this flag for some time, and we want to remove a
client distinguisher at exits. Closes ticket 32637.
o Minor features (portability, android):
- When building for Android, disable some tests that depend on $HOME
and/or pwdb, which Android doesn't have. Closes ticket 32825.
Patch from Hans-Christoph Steiner.
o Minor features (relay modularity):
- Split the relay and server pluggable transport config code into
separate files in the relay module. Disable this code when the
relay module is disabled. Closes part of ticket 32213.
- When the relay module is disabled, reject attempts to set the
ORPort, DirPort, DirCache, BridgeRelay, ExtORPort, or
ServerTransport* options, rather than ignoring the values of these
options. Closes part of ticket 32213.
- When the relay module is disabled, change the default config so
that DirCache is 0, and ClientOnly is 1. Closes ticket 32410.
o Minor features (release tools):
- Port our ChangeLog formatting and sorting tools to Python 3.
Closes ticket 32704.
o Minor features (testing):
- The unit tests now support a "TOR_SKIP_TESTCASES" environment
variable to specify a list of space-separated test cases that
should not be executed. We will use this to disable certain tests
that are failing on Appveyor because of mismatched OpenSSL
libraries. Part of ticket 33643.
- Detect some common failure cases for test_parseconf.sh in
src/test/conf_failures. Closes ticket 32451.
- Allow test_parseconf.sh to test expected log outputs for successful
configs, as well as failed configs. Closes ticket 32451.
- The test_parseconf.sh script now supports result variants for any
combination of the optional libraries lzma, nss, and zstd. Closes
ticket 32397.
- When running the unit tests on Android, create temporary files in
a subdirectory of /data/local/tmp. Closes ticket 32172. Based on a
patch from Hans-Christoph Steiner.
o Minor features (usability):
- Include more information when failing to parse a configuration
value. This should make it easier to tell what's going wrong when
a configuration file doesn't parse. Closes ticket 33460.
o Minor bugfix (relay, configuration):
- Warn if the ContactInfo field is not set, and tell the relay
operator that not having a ContactInfo field set might cause their
relay to get rejected in the future. Fixes bug 33361; bugfix
on 0.1.1.10-alpha.
o Minor bugfixes (bridges):
- Lowercase the configured value of BridgeDistribution before adding
it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.
o Minor bugfixes (build system):
- Fix "make autostyle" for out-of-tree builds. Fixes bug 32370;
bugfix on 0.4.1.2-alpha.
o Minor bugfixes (compiler compatibility):
- Avoid compiler warnings from Clang 10 related to the use of GCC-
style "/* falls through */" comments. Both Clang and GCC allow
__attribute__((fallthrough)) instead, so that's what we're using
now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
- Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
on 0.4.0.3-alpha.
o Minor bugfixes (configuration handling):
- Make control_event_conf_changed() take in a config_line_t instead
of a smartlist of alternating key/value entries. Fixes bug 31531;
bugfix on 0.2.3.3-alpha. Patch by Neel Chauhan.
- Check for multiplication overflow when parsing memory units inside
configuration. Fixes bug 30920; bugfix on 0.0.9rc1.
- When dumping the configuration, stop adding a trailing space after
the option name when there is no option value. This issue only
affects options that accept an empty value or list. (Most options
reject empty values, or delete the entire line from the dumped
options.) Fixes bug 32352; bugfix on 0.0.9pre6.
- Avoid changing the user's value of HardwareAccel as stored by
SAVECONF, when AccelName is set but HardwareAccel is not. Fixes
bug 32382; bugfix on 0.2.2.1-alpha.
- When creating a KeyDirectory with the same location as the
DataDirectory (not recommended), respect the DataDirectory's
group-readable setting if one has not been set for the
KeyDirectory. Fixes bug 27992; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (continuous integration):
- Remove the buggy and unused mirroring job. Fixes bug 33213; bugfix
on 0.3.2.2-alpha.
o Minor bugfixes (controller protocol):
- When receiving "ACTIVE" or "DORMANT" signals on the control port,
report them as SIGNAL events. Previously we would log a bug
warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (controller):
- In routerstatus_has_changed(), check all the fields that are
output over the control port. Fixes bug 20218; bugfix
on 0.1.1.11-alpha.
o Minor bugfixes (developer tools):
- Allow paths starting with ./ in scripts/add_c_file.py. Fixes bug
31336; bugfix on 0.4.1.2-alpha.
o Minor bugfixes (dirauth module):
- Split the dirauth config code into a separate file in the dirauth
module. Disable this code when the dirauth module is disabled.
Closes ticket 32213.
- When the dirauth module is disabled, reject attempts to set the
AuthoritativeDir option, rather than ignoring the value of the
option. Fixes bug 32213; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (embedded Tor):
- When starting Tor any time after the first time in a process,
register the thread in which it is running as the main thread.
Previously, we only did this on Windows, which could lead to bugs
like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (git scripts):
- Avoid sleeping before the last push in git-push-all.sh. Closes
ticket 32216.
- Forward all unrecognised arguments in git-push-all.sh to git push.
Closes ticket 32216.
o Minor bugfixes (key portability):
- When reading PEM-encoded key data, tolerate CRLF line-endings even
if we are not running on Windows. Previously, non-Windows hosts
would reject these line-endings in certain positions, making
certain key files hard to move from one host to another. Fixes bug
33032; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (logging):
- Stop truncating IPv6 addresses and ports in channel and connection
logs. Fixes bug 33918; bugfix on 0.2.4.4-alpha.
- Flush stderr, stdout, and file logs during shutdown, if supported
by the OS. This change helps make sure that any final logs are
recorded. Fixes bug 33087; bugfix on 0.4.1.6.
- Stop closing stderr and stdout during shutdown. Closing these file
descriptors can hide sanitiser logs. Fixes bug 33087; bugfix
on 0.4.1.6.
- If we encounter a bug when flushing a buffer to a TLS connection,
only log the bug once per invocation of the Tor process.
Previously we would log with every occurrence, which could cause
us to run out of disk space. Fixes bug 33093; bugfix
on 0.3.2.2-alpha.
- When logging a bug, do not say "Future instances of this warning
will be silenced" unless we are actually going to silence them.
Previously we would say this whenever a BUG() check failed in the
code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (onion services v2):
- Move a series of v2 onion service warnings to protocol-warning
level because they can all be triggered remotely by a malformed
request. Fixes bug 32706; bugfix on 0.1.1.14-alpha.
- When sending the INTRO cell for a v2 Onion Service, look at the
failure cache alongside timeout values to check if the intro point
is marked as failed. Previously, we only looked at the relay
timeout values. Fixes bug 25568; bugfix on 0.2.7.3-rc. Patch by
Neel Chauhan.
o Minor bugfixes (onion services v3):
- Remove a BUG() warning that would cause a stack trace if an onion
service descriptor was freed while we were waiting for a
rendezvous circuit to complete. Fixes bug 28992; bugfix
on 0.3.2.1-alpha.
- Relax severity of a log message that can appear naturally when
decoding onion service descriptors as a relay. Also add some
diagnostics to debug any future bugs in that area. Fixes bug
31669; bugfix on 0.3.0.1-alpha.
- Fix an assertion failure that could result from a corrupted
ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
bugfix on 0.3.3.1-alpha. This issue is also tracked
as TROVE-2020-003.
- Properly handle the client rendezvous circuit timeout. Previously
Tor would sometimes timeout a rendezvous circuit awaiting the
introduction ACK, and find itself unable to re-establish all
circuits because the rendezvous circuit timed out too early. Fixes
bug 32021; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion services):
- Do not rely on a "circuit established" flag for intro circuits but
instead always query the HS circuit map. This is to avoid sync
issue with that flag and the map. Fixes bug 32094; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (onion services, all):
- In cancel_descriptor_fetches(), use
connection_list_by_type_purpose() instead of
connection_list_by_type_state(). Fixes bug 32639; bugfix on
0.3.2.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (pluggable transports):
- When receiving a message on standard error from a pluggable
transport, log it at info level, rather than as a warning. Fixes
bug 33005; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (rust, build):
- Fix a syntax warning given by newer versions of Rust that was
creating problems for our continuous integration. Fixes bug 33212;
bugfix on 0.3.5.1-alpha.
o Minor bugfixes (scripts):
- Fix update_versions.py for out-of-tree builds. Fixes bug 32371;
bugfix on 0.4.0.1-alpha.
o Minor bugfixes (testing):
- Use the same code to find the tor binary in all of our test
scripts. This change makes sure we are always using the coverage
binary when coverage is enabled. Fixes bug 32368; bugfix
on 0.2.7.3-rc.
- Stop ignoring "tor --dump-config" errors in test_parseconf.sh.
Fixes bug 32468; bugfix on 0.4.2.1-alpha.
- Our option-validation tests no longer depend on specially
configured non-default, non-passing sets of options. Previously,
the tests had been written to assume that options would _not_ be
set to their defaults, which led to needless complexity and
verbosity. Fixes bug 32175; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (TLS bug handling):
- When encountering a bug in buf_read_from_tls(), return a "MISC"
error code rather than "WANTWRITE". This change might help avoid
some CPU-wasting loops if the bug is ever triggered. Bug reported
by opara. Fixes bug 32673; bugfix on 0.3.0.4-alpha.
o Deprecated features:
- Deprecate the ClientAutoIPv6ORPort option. This option was not
true "Happy Eyeballs", and often failed on connections that
weren't reliably dual-stack. Closes ticket 32942. Patch by
Neel Chauhan.
o Documentation:
- Provide a quickstart guide for a Circuit Padding Framework, and
documentation for researchers to implement and study circuit
padding machines. Closes ticket 28804.
- Add documentation in 'HelpfulTools.md' to describe how to build a
tag file. Closes ticket 32779.
- Create a high-level description of the long-term software
architecture goals. Closes ticket 32206.
- Describe the --dump-config command in the manual page. Closes
ticket 32467.
- Unite coding advice from this_not_that.md in torguts repo into our
coding standards document. Resolves ticket 31853.
o Removed features:
- Our Doxygen configuration no longer generates LaTeX output. The
reference manual produced by doing this was over 4000 pages long,
and generally unusable. Closes ticket 32099.
- The option "TestingEstimatedDescriptorPropagationTime" is now
marked as obsolete. It has had no effect since 0.3.0.7, when
clients stopped rejecting consensuses "from the future". Closes
ticket 32807.
- We no longer support consensus methods before method 28; these
methods were only used by authorities running versions of Tor that
are now at end-of-life. In effect, this means that clients,
relays, and authorities now assume that authorities will be
running version 0.3.5.x or later. Closes ticket 32695.
o Testing:
- Avoid conflicts between the fake sockets in tor's unit tests, and
real file descriptors. Resolves issues running unit tests with
GitHub Actions, where the process that embeds or launches the
tests has already opened a large number of file descriptors. Fixes
bug 33782; bugfix on 0.2.8.1-alpha. Found and fixed by
Putta Khunchalee.
- Add more test cases for tor's UTF-8 validation function. Also,
check the arguments passed to the function for consistency. Closes
ticket 32845.
- Improve test coverage for relay and dirauth config code, focusing
on option validation and normalization. Closes ticket 32213.
- Improve the consistency of test_parseconf.sh output, and run all
the tests, even if one fails. Closes ticket 32213.
- Run the practracker unit tests in the pre-commit git hook. Closes
ticket 32609.
o Code simplification and refactoring (channel):
- Channel layer had a variable length cell handler that was not used
and thus removed. Closes ticket 32892.
o Code simplification and refactoring (configuration):
- Immutability is now implemented as a flag on individual
configuration options rather than as part of the option-transition
checking code. Closes ticket 32344.
- Instead of keeping a list of configuration options to check for
relative paths, check all the options whose type is "FILENAME".
Solves part of ticket 32339.
- Our default log (which ordinarily sends NOTICE-level messages to
standard output) is now handled in a more logical manner.
Previously, we replaced the configured log options if they were
empty. Now, we interpret an empty set of log options as meaning
"use the default log". Closes ticket 31999.
- Remove some unused arguments from the options_validate() function,
to simplify our code and tests. Closes ticket 32187.
- Simplify the options_validate() code so that it looks at the
default options directly, rather than taking default options as an
argument. This change lets us simplify its interface. Closes
ticket 32185.
- Use our new configuration architecture to move most authority-
related options to the directory authority module. Closes
ticket 32806.
- When parsing the command line, handle options that determine our
"quiet level" and our mode of operation (e.g., --dump-config and
so on) all in one table. Closes ticket 32003.
o Code simplification and refactoring (controller):
- Create a new abstraction for formatting control protocol reply
lines based on key-value pairs. Refactor some existing control
protocol code to take advantage of this. Closes ticket 30984.
- Create a helper function that can fetch network status or
microdesc consensuses. Closes ticket 31684.
o Code simplification and refactoring (dirauth modularization):
- Remove the last remaining HAVE_MODULE_DIRAUTH inside a function.
Closes ticket 32163.
- Replace some confusing identifiers in process_descs.c. Closes
ticket 29826.
- Simplify some relay and dirauth config code. Closes ticket 32213.
o Code simplification and refactoring (mainloop):
- Simplify the ip_address_changed() function by removing redundant
checks. Closes ticket 33091.
o Code simplification and refactoring (misc):
- Make all the structs we declare follow the same naming convention
of ending with "_t". Closes ticket 32415.
- Move and rename some configuration-related code for clarity.
Closes ticket 32304.
- Our include.am files are now broken up by subdirectory.
Previously, src/core/include.am covered all of the subdirectories
in "core", "feature", and "app". Closes ticket 32137.
- Remove underused NS*() macros from test code: they make our tests
more confusing, especially for code-formatting tools. Closes
ticket 32887.
o Code simplification and refactoring (relay modularization):
- Disable relay_periodic when the relay module is disabled. Closes
ticket 32244.
- Disable relay_sys when the relay module is disabled. Closes
ticket 32245.
o Code simplification and refactoring (tool support):
- Add numerous missing dependencies to our include files, so that
they can be included in different reasonable orders and still
compile. Addresses part of ticket 32764.
- Fix some parts of our code that were difficult for Coccinelle to
parse. Related to ticket 31705.
- Fix some small issues in our code that prevented automatic
formatting tools from working. Addresses part of ticket 32764.
o Documentation (manpage):
- Alphabetize the Server and Directory server sections of the tor
manpage. Also split Statistics options into their own section of
the manpage. Closes ticket 33188. Work by Swati Thacker as part of
Google Season of Docs.
- Document the __OwningControllerProcess torrc option and specify
its polling interval. Resolves issue 32971.
- Split "Circuit Timeout" options and "Node Selection" options into
their own sections of the tor manpage. Closes tickets 32928 and
32929. Work by Swati Thacker as part of Google Season of Docs.
- Alphabetize the Client Options section of the tor manpage. Closes
ticket 32846.
- Alphabetize the General Options section of the tor manpage. Closes
ticket 32708.
- In the tor(1) manpage, reword and improve formatting of the
COMMAND-LINE OPTIONS and DESCRIPTION sections. Closes ticket
32277. Based on work by Swati Thacker as part of Google Season
of Docs.
- In the tor(1) manpage, reword and improve formatting of the FILES,
SEE ALSO, and BUGS sections. Closes ticket 32176. Based on work by
Swati Thacker as part of Google Season of Docs.
o Testing (Appveyor CI):
- In our Appveyor Windows CI, copy required DLLs to test and app
directories, before running tor's tests. This ensures that tor.exe
and test*.exe use the correct version of each DLL. This fix is not
required, but we hope it will avoid DLL search issues in future.
Fixes bug 33673; bugfix on 0.3.4.2-alpha.
- On Appveyor, skip the crypto/openssl_version test, which is
failing because of a mismatched library installation. Fix
for 33643.
o Testing (circuit, EWMA):
- Add unit tests for circuitmux and EWMA subsystems. Closes
ticket 32196.
o Testing (Travis CI):
- Remove a redundant distcheck job. Closes ticket 33194.
- Sort the Travis jobs in order of speed: putting the slowest jobs
first takes full advantage of Travis job concurrency. Closes
ticket 33194.
- Stop allowing the Chutney IPv6 Travis job to fail. This job was
previously configured to fast_finish (which requires
allow_failure), to speed up the build. Closes ticket 33195.
- When a Travis chutney job fails, use chutney's new "diagnostics.sh"
tool to produce detailed diagnostic output. Closes ticket 32792.
Changes in version 0.4.2.7 - 2020-03-18
This is the third stable release in the 0.4.2.x series. It backports
numerous fixes from later releases, including a fix for TROVE-2020-
002, a major denial-of-service vulnerability that affected all
released Tor instances since 0.2.1.5-alpha. Using this vulnerability,
an attacker could cause Tor instances to consume a huge amount of CPU,
disrupting their operations for several seconds or minutes. This
attack could be launched by anybody against a relay, or by a directory
cache against any client that had connected to it. The attacker could
launch this attack as much as they wanted, thereby disrupting service
or creating patterns that could aid in traffic analysis. This issue
was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.
We do not have reason to believe that this attack is currently being
exploited in the wild, but nonetheless we advise everyone to upgrade
as soon as packages are available.
o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
- Fix a denial-of-service bug that could be used by anyone to
consume a bunch of CPU on any Tor relay or authority, or by
directories to consume a bunch of CPU on clients or hidden
services. Because of the potential for CPU consumption to
introduce observable timing patterns, we are treating this as a
high-severity security issue. Fixes bug 33119; bugfix on
0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
as TROVE-2020-002 and CVE-2020-10592.
o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
- Avoid a remotely triggered memory leak in the case that a circuit
padding machine is somehow negotiated twice on the same circuit.
Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
This is also tracked as TROVE-2020-004 and CVE-2020-10593.
o Major bugfixes (directory authority, backport from 0.4.3.3-alpha):
- Directory authorities will now send a 503 (not enough bandwidth)
code to clients when under bandwidth pressure. Known relays and
other authorities will always be answered regardless of the
bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.
o Minor features (continuous integration, backport from 0.4.3.2-alpha):
- Stop allowing failures on the Travis CI stem tests job. It looks
like all the stem hangs we were seeing before are now fixed.
Closes ticket 33075.
o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
- Lowercase the configured value of BridgeDistribution before adding
it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.
o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
- If we encounter a bug when flushing a buffer to a TLS connection,
only log the bug once per invocation of the Tor process.
Previously we would log with every occurrence, which could cause
us to run out of disk space. Fixes bug 33093; bugfix
on 0.3.2.2-alpha.
o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
- Fix an assertion failure that could result from a corrupted
ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
bugfix on 0.3.3.1-alpha. This issue is also tracked
as TROVE-2020-003.
o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
- Fix a syntax warning given by newer versions of Rust that was
creating problems for our continuous integration. Fixes bug 33212;
bugfix on 0.3.5.1-alpha.
o Testing (Travis CI, backport from 0.4.3.3-alpha):
- Remove a redundant distcheck job. Closes ticket 33194.
- Sort the Travis jobs in order of speed: putting the slowest jobs
first takes full advantage of Travis job concurrency. Closes
ticket 33194.
- Stop allowing the Chutney IPv6 Travis job to fail. This job was
previously configured to fast_finish (which requires
allow_failure), to speed up the build. Closes ticket 33195.
- When a Travis chutney job fails, use chutney's new "diagnostics.sh"
tool to produce detailed diagnostic output. Closes ticket 32792.
Changes:
0.4.2.6
-------
This is the second stable release in the 0.4.2.x series. It backports
several bugfixes from 0.4.3.1-alpha, including some that had affected
the Linux seccomp2 sandbox or Windows services. If you're running with
one of those configurations, you'll probably want to upgrade;
otherwise, you should be fine with 0.4.2.5.
o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha):
- Correct how we use libseccomp. Particularly, stop assuming that
rules are applied in a particular order or that more rules are
processed after the first match. Neither is the case! In
libseccomp <2.4.0 this lead to some rules having no effect.
libseccomp 2.4.0 changed how rules are generated, leading to a
different ordering, which in turn led to a fatal crash during
startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
Peter Gerber.
- Fix crash when reloading logging configuration while the
experimental sandbox is enabled. Fixes bug 32841; bugfix on
0.4.1.7. Patch by Peter Gerber.
o Minor bugfixes (correctness checks, backport from 0.4.3.1-alpha):
- Use GCC/Clang's printf-checking feature to make sure that
tor_assertf() arguments are correctly typed. Fixes bug 32765;
bugfix on 0.4.1.1-alpha.
o Minor bugfixes (logging, crash, backport from 0.4.3.1-alpha):
- Avoid a possible crash when trying to log a (fatal) assertion
failure about mismatched magic numbers in configuration objects.
Fixes bug 32771; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (testing, backport from 0.4.3.1-alpha):
- When TOR_DISABLE_PRACTRACKER is set, do not apply it to the
test_practracker.sh script. Doing so caused a test failure. Fixes
bug 32705; bugfix on 0.4.2.1-alpha.
- When TOR_DISABLE_PRACTRACKER is set, log a notice to stderr when
skipping practracker checks. Fixes bug 32705; bugfix
on 0.4.2.1-alpha.
o Minor bugfixes (windows service, backport from 0.4.3.1-alpha):
- Initialize the publish/subscribe system when running as a windows
service. Fixes bug 32778; bugfix on 0.4.1.1-alpha.
o Testing (backport from 0.4.3.1-alpha):
- Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
fix the sandbox errors in 32722. Closes ticket 32240.
- Re-enable the Travis CI macOS Chutney build, but don't let it
prevent the Travis job from finishing. (The Travis macOS jobs are
slow, so we don't want to have it delay the whole CI process.)
Closes ticket 32629.
o Testing (continuous integration, backport from 0.4.3.1-alpha):
- Use zstd in our Travis Linux builds. Closes ticket 32242.
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
Changelog:
Changes in version 0.4.2.5 - 2019-12-09
This is the first stable release in the 0.4.2.x series. This series
improves reliability and stability, and includes several stability and
correctness improvements for onion services. It also fixes many smaller
bugs present in previous series.
Per our support policy, we will support the 0.4.2.x series for nine
months, or until three months after the release of a stable 0.4.3.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Per our support policy, we will support the 0.4.2.x series for nine
months, or until three months after the release of a stable 0.4.3.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Below are the changes since 0.4.1.4-rc. For a complete list of changes
since 0.4.1.5, see the ReleaseNotes file.
o Minor features (geoip):
- Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
Country database. Closes ticket 32685.
o Testing:
- Require C99 standards-conforming code in Travis CI, but allow GNU
gcc extensions. Also activates clang's -Wtypedef-redefinition
warnings. Build some jobs with -std=gnu99, and some jobs without.
Closes ticket 32500.
Changes in version 0.4.2.4-rc - 2019-11-15
Tor 0.4.2.4-rc is the first release candidate in its series. It fixes
several bugs from earlier versions, including a few that would result in
stack traces or incorrect behavior.
o Minor features (build system):
- Make pkg-config use --prefix when cross-compiling, if
PKG_CONFIG_PATH is not set. Closes ticket 32191.
o Minor features (geoip):
- Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2
Country database. Closes ticket 32440.
o Minor bugfixes (client, onion service v3):
- Fix a BUG() assertion that occurs within a very small race window
between when a client intro circuit opens and when its descriptor
gets cleaned up from the cache. The circuit is now closed early,
which will trigger a re-fetch of the descriptor and continue the
connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (code quality):
- Fix "make check-includes" so it runs correctly on out-of-tree
builds. Fixes bug 31335; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (configuration):
- Log the option name when skipping an obsolete option. Fixes bug
32295; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (crash):
- When running Tor with an option like --verify-config or
--dump-config that does not start the event loop, avoid crashing
if we try to exit early because of an error. Fixes bug 32407;
bugfix on 0.3.3.1-alpha.
o Minor bugfixes (directory):
- When checking if a directory connection is anonymous, test if the
circuit was marked for close before looking at its channel. This
avoids a BUG() stacktrace if the circuit was previously closed.
Fixes bug 31958; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (shellcheck):
- Fix minor shellcheck errors in the git-*.sh scripts. Fixes bug
32402; bugfix on 0.4.2.1-alpha.
- Start checking most scripts for shellcheck errors again. Fixes bug
32402; bugfix on 0.4.2.1-alpha.
o Testing (continuous integration):
- Use Ubuntu Bionic images for our Travis CI builds, so we can get a
recent version of coccinelle. But leave chutney on Ubuntu Trusty,
until we can fix some Bionic permissions issues (see ticket
32240). Related to ticket 31919.
- Install the mingw OpenSSL package in Appveyor. This makes sure
that the OpenSSL headers and libraries match in Tor's Appveyor
builds. (This bug was triggered by an Appveyor image update.)
Fixes bug 32449; bugfix on 0.3.5.6-rc.
- In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
Changes in version 0.4.2.3-alpha - 2019-10-24
This release fixes several bugs from the previous alpha release, and
from earlier versions of Tor.
o Major bugfixes (relay):
- Relays now respect their AccountingMax bandwidth again. When
relays entered "soft" hibernation (which typically starts when
we've hit 90% of our AccountingMax), we had stopped checking
whether we should enter hard hibernation. Soft hibernation refuses
new connections and new circuits, but the existing circuits can
continue, meaning that relays could have exceeded their configured
AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.
o Major bugfixes (v3 onion services):
- Onion services now always use the exact number of intro points
configured with the HiddenServiceNumIntroductionPoints option (or
fewer if nodes are excluded). Before, a service could sometimes
pick more intro points than configured. Fixes bug 31548; bugfix
on 0.3.2.1-alpha.
o Minor feature (onion services, control port):
- The ADD_ONION command's keyword "BEST" now defaults to ED25519-V3
(v3) onion services. Previously it defaulted to RSA1024 (v2).
Closes ticket 29669.
o Minor features (testing):
- When running tests that attempt to look up hostnames, replace the
libc name lookup functions with ones that do not actually touch
the network. This way, the tests complete more quickly in the
presence of a slow or missing DNS resolver. Closes ticket 31841.
o Minor features (testing, continuous integration):
- Disable all but one Travis CI macOS build, to mitigate slow
scheduling of Travis macOS jobs. Closes ticket 32177.
- Run the chutney IPv6 networks as part of Travis CI. Closes
ticket 30860.
- Simplify the Travis CI build matrix, and optimise for build time.
Closes ticket 31859.
- Use Windows Server 2019 instead of Windows Server 2016 in our
Appveyor builds. Closes ticket 32086.
o Minor bugfixes (build system):
- Interpret "--disable-module-dirauth=no" correctly. Fixes bug
32124; bugfix on 0.3.4.1-alpha.
- Interpret "--with-tcmalloc=no" correctly. Fixes bug 32124; bugfix
on 0.2.0.20-rc.
- Stop failing when jemalloc is requested, but tcmalloc is not
found. Fixes bug 32124; bugfix on 0.3.5.1-alpha.
- When pkg-config is not installed, or a library that depends on
pkg-config is not found, tell the user what to do to fix the
problem. Fixes bug 31922; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (connections):
- Avoid trying to read data from closed connections, which can cause
needless loops in Libevent and infinite loops in Shadow. Fixes bug
30344; bugfix on 0.1.1.1-alpha.
o Minor bugfixes (error handling):
- Always lock the backtrace buffer before it is used. Fixes bug
31734; bugfix on 0.2.5.3-alpha.
o Minor bugfixes (mainloop, periodic events, in-process API):
- Reset the periodic events' "enabled" flag when Tor is shut down
cleanly. Previously, this flag was left on, which caused periodic
events not to be re-enabled when Tor was relaunched in-process
with tor_api.h after a shutdown. Fixes bug 32058; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (process management):
- Remove overly strict assertions that triggered when a pluggable
transport failed to launch. Fixes bug 31091; bugfix
on 0.4.0.1-alpha.
- Remove an assertion in the Unix process backend. This assertion
would trigger when we failed to find the executable for a child
process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (testing):
- Avoid intermittent test failures due to a test that had relied on
inconsistent timing sources. Fixes bug 31995; bugfix
on 0.3.1.3-alpha.
- When testing port rebinding, don't busy-wait for tor to log.
Instead, actually sleep for a short time before polling again.
Also improve the formatting of control commands and log messages.
Fixes bug 31837; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (tls, logging):
- Log bugs about the TLS read buffer's length only once, rather than
filling the logs with similar warnings. Fixes bug 31939; bugfix
on 0.3.0.4-rc.
o Minor bugfixes (v3 onion services):
- Fix an implicit conversion from ssize_t to size_t discovered by
Coverity. Fixes bug 31682; bugfix on 0.4.2.1-alpha.
- Fix a memory leak in an unlikely error code path when encoding HS
DoS establish intro extension cell. Fixes bug 32063; bugfix
on 0.4.2.1-alpha.
- When cleaning up intro circuits for a v3 onion service, don't
remove circuits that have an established or pending circuit, even
if they ran out of retries. This way, we don't remove a circuit on
its last retry. Fixes bug 31652; bugfix on 0.3.2.1-alpha.
o Documentation:
- Correct the description of "GuardLifetime". Fixes bug 31189;
bugfix on 0.3.0.1-alpha.
- Make clear in the man page, in both the bandwidth section and the
AccountingMax section, that Tor counts in powers of two, not
powers of ten: 1 GByte is 1024*1024*1024 bytes, not one billion
bytes. Resolves ticket 32106.
Changes in version 0.4.2.2-alpha - 2019-10-07
This release fixes several bugs from the previous alpha release, and
from earlier versions. It also includes a change in authorities, so
that they begin to reject the currently unsupported release series.
o Major features (directory authorities):
- Directory authorities now reject relays running all currently
deprecated release series. The currently supported release series
are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.
o Major bugfixes (embedded Tor):
- Avoid a possible crash when restarting Tor in embedded mode and
enabling a different set of publish/subscribe messages. Fixes bug
31898; bugfix on 0.4.1.1-alpha.
o Major bugfixes (torrc parsing):
- Stop ignoring torrc options after an %include directive, when the
included directory ends with a file that does not contain any
config options (but does contain comments or whitespace). Fixes
bug 31408; bugfix on 0.3.1.1-alpha.
o Minor features (auto-formatting scripts):
- When annotating C macros, never generate a line that our check-
spaces script would reject. Closes ticket 31759.
- When annotating C macros, try to remove cases of double-negation.
Closes ticket 31779.
o Minor features (continuous integration):
- When building on Appveyor and Travis, pass the "-k" flag to make,
so that we are informed of all compilation failures, not just the
first one or two. Closes ticket 31372.
o Minor features (geoip):
- Update geoip and geoip6 to the October 1 2019 Maxmind GeoLite2
Country database. Closes ticket 31931.
o Minor features (maintenance scripts):
- Add a Coccinelle script to detect bugs caused by incrementing or
decrementing a variable inside a call to log_debug(). Since
log_debug() is a macro whose arguments are conditionally
evaluated, it is usually an error to do this. One such bug was
30628, in which SENDME cells were miscounted by a decrement
operator inside a log_debug() call. Closes ticket 30743.
o Minor features (onion services v3):
- Assist users who try to setup v2 client authorization in v3 onion
services by pointing them to the right documentation. Closes
ticket 28966.
o Minor bugfixes (Appveyor continuous integration):
- Avoid spurious errors when Appveyor CI fails before the install
step. Fixes bug 31884; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (best practices tracker):
- When listing overbroad exceptions, do not also list problems, and
do not list insufficiently broad exceptions. Fixes bug 31338;
bugfix on 0.4.2.1-alpha.
o Minor bugfixes (controller protocol):
- Fix the MAPADDRESS controller command to accept one or more
arguments. Previously, it required two or more arguments, and
ignored the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (logging):
- Add a missing check for HAVE_PTHREAD_H, because the backtrace code
uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
- Disable backtrace signal handlers when shutting down tor. Fixes
bug 31614; bugfix on 0.2.5.2-alpha.
- Rate-limit our the logging message about the obsolete .exit
notation. Previously, there was no limit on this warning, which
could potentially be triggered many times by a hostile website.
Fixes bug 31466; bugfix on 0.2.2.1-alpha.
- When initialising log domain masks, only set known log domains.
Fixes bug 31854; bugfix on 0.2.1.1-alpha.
o Minor bugfixes (logging, protocol violations):
- Do not log a nonfatal assertion failure when receiving a VERSIONS
cell on a connection using the obsolete v1 link protocol. Log a
protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (modules):
- Explain what the optional Directory Authority module is, and what
happens when it is disabled. Fixes bug 31825; bugfix
on 0.3.4.1-alpha.
o Minor bugfixes (multithreading):
- Avoid some undefined behaviour when freeing mutexes. Fixes bug
31736; bugfix on 0.0.7.
o Minor bugfixes (relay):
- Avoid crashing when starting with a corrupt keys directory where
the old ntor key and the new ntor key are identical. Fixes bug
30916; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (tests, SunOS):
- Avoid a map_anon_nofork test failure due to a signed/unsigned
integer comparison. Fixes bug 31897; bugfix on 0.4.1.1-alpha.
o Code simplification and refactoring:
- Refactor connection_control_process_inbuf() to reduce the size of
a practracker exception. Closes ticket 31840.
- Refactor the microdescs_parse_from_string() function into smaller
pieces, for better comprehensibility. Closes ticket 31675.
- Use SEVERITY_MASK_IDX() to find the LOG_* mask indexes in the unit
tests and fuzzers, rather than using hard-coded values. Closes
ticket 31334.
- Interface for function `decrypt_desc_layer` cleaned up. Closes
ticket 31589.
o Documentation:
- Document the signal-safe logging behaviour in the tor man page.
Also add some comments to the relevant functions. Closes
ticket 31839.
- Explain why we can't destroy the backtrace buffer mutex. Explain
why we don't need to destroy the log mutex. Closes ticket 31736.
- The Tor source code repository now includes a (somewhat dated)
description of Tor's modular architecture, in doc/HACKING/design.
This is based on the old "tor-guts.git" repository, which we are
adopting and superseding. Closes ticket 31849.
Notable changes in version 0.4.1.6 - 2019-09-19
This release backports several bugfixes to improve stability and
correctness. Anyone experiencing build problems or crashes with 0.4.1.5,
or experiencing reliability issues with single onion services, should
upgrade.
o Major bugfixes (crash, Linux, Android, backport from 0.4.2.1-alpha):
- Tolerate systems (including some Android installations) where
madvise and MADV_DONTDUMP are available at build-time, but not at
run time. Previously, these systems would notice a failed syscall
and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
- Tolerate systems (including some Linux installations) where
madvise and/or MADV_DONTFORK are available at build-time, but not
at run time. Previously, these systems would notice a failed
syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (controller protocol):
- Fix the MAPADDRESS controller command to accept one or more
arguments. Previously, it required two or more arguments, and ignored
the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (guards, backport from 0.4.2.1-alpha):
- When tor is missing descriptors for some primary entry guards,
make the log message less alarming. It's normal for descriptors to
expire, as long as tor fetches new ones soon after. Fixes bug
31657; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (logging, backport from 0.4.2.1-alpha):
- Change log level of message "Hash of session info was not as
expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
on 0.1.1.10-alpha.
o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha):
- Always retry v2 single onion service intro and rend circuits with
a 3-hop path. Previously, v2 single onion services used a 3-hop
path when rendezvous circuits were retried after a remote or
delayed failure, but a 1-hop path for immediate retries. Fixes bug
23818; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (v3 single onion services, backport from 0.4.2.1-alpha):
- Always retry v3 single onion service intro and rend circuits with
a 3-hop path. Previously, v3 single onion services used a 3-hop
path when rend circuits were retried after a remote or delayed
failure, but a 1-hop path for immediate retries. Fixes bug 23818;
bugfix on 0.3.2.1-alpha.
- Make v3 single onion services fall back to a 3-hop intro, when all
intro points are unreachable via a 1-hop path. Previously, v3
single onion services failed when all intro nodes were unreachable
via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
Multiple people report build failures surrounding micro-revision.i,
and the leading (but not particularly strong) theory is that it's a
BSD make bug. Use gmake to avoid this, at least for now.
Changes in version 0.4.1.5 - 2019-08-20
This is the first stable release in the 0.4.1.x series. This series
adds experimental circuit-level padding, authenticated SENDME cells to
defend against certain attacks, and several performance improvements
to save on CPU consumption. It fixes bugs in bootstrapping and v3
onion services. It also includes numerous smaller features and
bugfixes on earlier versions.
Changes in version 0.4.0.5 - 2019-05-02
This is the first stable release in the 0.4.0.x series. It contains
improvements for power management and bootstrap reporting, as well as
preliminary backend support for circuit padding to prevent some kinds
of traffic analysis. It also continues our work in refactoring Tor for
long-term maintainability.
Per our support policy, we will support the 0.4.0.x series for nine
months, or until three months after the release of a stable 0.4.1.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Below are the changes since 0.3.5.7. For a complete list of changes
since 0.4.0.4-rc, see the ChangeLog file.
o Major features (battery management, client, dormant mode):
- When Tor is running as a client, and it is unused for a long time,
it can now enter a "dormant" state. When Tor is dormant, it avoids
network and CPU activity until it is reawoken either by a user
request or by a controller command. For more information, see the
configuration options starting with "Dormant". Implements tickets
2149 and 28335.
- The client's memory of whether it is "dormant", and how long it
has spent idle, persists across invocations. Implements
ticket 28624.
- There is a DormantOnFirstStartup option that integrators can use
if they expect that in many cases, Tor will be installed but
not used.
o Major features (bootstrap reporting):
- When reporting bootstrap progress, report the first connection
uniformly, regardless of whether it's a connection for building
application circuits. This allows finer-grained reporting of early
progress than previously possible, with the improvements of ticket
27169. Closes tickets 27167 and 27103. Addresses ticket 27308.
- When reporting bootstrap progress, treat connecting to a proxy or
pluggable transport as separate from having successfully used that
proxy or pluggable transport to connect to a relay. Closes tickets
27100 and 28884.
o Major features (circuit padding):
- Implement preliminary support for the circuit padding portion of
Proposal 254. The implementation supports Adaptive Padding (aka
WTF-PAD) state machines for use between experimental clients and
relays. Support is also provided for APE-style state machines that
use probability distributions instead of histograms to specify
inter-packet delay. At the moment, Tor does not provide any
padding state machines that are used in normal operation: for now,
this feature exists solely for experimentation. Closes
ticket 28142.
o Major features (refactoring):
- Tor now uses an explicit list of its own subsystems when
initializing and shutting down. Previously, these systems were
managed implicitly in various places throughout the codebase.
(There may still be some subsystems using the old system.) Closes
ticket 28330.
o Major bugfixes (cell scheduler, KIST, security):
- Make KIST consider the outbuf length when computing what it can
put in the outbuf. Previously, KIST acted as though the outbuf
were empty, which could lead to the outbuf becoming too full. It
is possible that an attacker could exploit this bug to cause a Tor
client or relay to run out of memory and crash. Fixes bug 29168;
bugfix on 0.3.2.1-alpha. This issue is also being tracked as
TROVE-2019-001 and CVE-2019-8955.
o Major bugfixes (networking):
- Gracefully handle empty username/password fields in SOCKS5
username/password auth messsage and allow SOCKS5 handshake to
continue. Previously, we had rejected these handshakes, breaking
certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.
o Major bugfixes (NSS, relay):
- When running with NSS, disable TLS 1.2 ciphersuites that use
SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for
these ciphersuites don't work -- which caused relays to fail to
handshake with one another when these ciphersuites were enabled.
Fixes bug 29241; bugfix on 0.3.5.1-alpha.
o Major bugfixes (windows, startup):
- When reading a consensus file from disk, detect whether it was
written in text mode, and re-read it in text mode if so. Always
write consensus files in binary mode so that we can map them into
memory later. Previously, we had written in text mode, which
confused us when we tried to map the file on windows. Fixes bug
28614; bugfix on 0.4.0.1-alpha.
o Minor features (address selection):
- Treat the subnet 100.64.0.0/10 as public for some purposes;
private for others. This subnet is the RFC 6598 (Carrier Grade
NAT) IP range, and is deployed by many ISPs as an alternative to
RFC 1918 that does not break existing internal networks. Tor now
blocks SOCKS and control ports on these addresses and warns users
if client ports or ExtORPorts are listening on a RFC 6598 address.
Closes ticket 28525. Patch by Neel Chauhan.
o Minor features (bandwidth authority):
- Make bandwidth authorities ignore relays that are reported in the
bandwidth file with the flag "vote=0". This change allows us to
report unmeasured relays for diagnostic reasons without including
their bandwidth in the bandwidth authorities' vote. Closes
ticket 29806.
- When a directory authority is using a bandwidth file to obtain the
bandwidth values that will be included in the next vote, serve
this bandwidth file at /tor/status-vote/next/bandwidth. Closes
ticket 21377.
o Minor features (bootstrap reporting):
- When reporting bootstrap progress, stop distinguishing between
situations where only internal paths are available and situations
where external paths are available. Previously, Tor would often
erroneously report that it had only internal paths. Closes
ticket 27402.
o Minor features (compilation):
- Compile correctly when OpenSSL is built with engine support
disabled, or with deprecated APIs disabled. Closes ticket 29026.
Patches from "Mangix".
o Minor features (continuous integration):
- On Travis Rust builds, cleanup Rust registry and refrain from
caching the "target/" directory to speed up builds. Resolves
issue 29962.
- Log Python version during each Travis CI job. Resolves
issue 28551.
- In Travis, tell timelimit to use stem's backtrace signals, and
launch python directly from timelimit, so python receives the
signals from timelimit, rather than make. Closes ticket 30117.
o Minor features (controller):
- Add a DROPOWNERSHIP command to undo the effects of TAKEOWNERSHIP.
Implements ticket 28843.
o Minor features (developer tooling):
- Check that bugfix versions in changes files look like Tor versions
from the versions spec. Warn when bugfixes claim to be on a future
release. Closes ticket 27761.
- Provide a git pre-commit hook that disallows commiting if we have
any failures in our code and changelog formatting checks. It is
now available in scripts/maint/pre-commit.git-hook. Implements
feature 28976.
- Provide a git hook script to prevent "fixup!" and "squash!"
commits from ending up in the master branch, as scripts/main/pre-
push.git-hook. Closes ticket 27993.
o Minor features (diagnostic):
- Add more diagnostic log messages in an attempt to solve the issue
of NUL bytes appearing in a microdescriptor cache. Related to
ticket 28223.
o Minor features (directory authority):
- When a directory authority is using a bandwidth file to obtain
bandwidth values, include the digest of that file in the vote.
Closes ticket 26698.
- Directory authorities support a new consensus algorithm, under
which the family lines in microdescriptors are encoded in a
canonical form. This change makes family lines more compressible
in transit, and on the client. Closes ticket 28266; implements
proposal 298.
o Minor features (directory authority, relay):
- Authorities now vote on a "StaleDesc" flag to indicate that a
relay's descriptor is so old that the relay should upload again
soon. Relays treat this flag as a signal to upload a new
descriptor. This flag will eventually let us remove the
'published' date from routerstatus entries, and make our consensus
diffs much smaller. Closes ticket 26770; implements proposal 293.
o Minor features (dormant mode):
- Add a DormantCanceledByStartup option to tell Tor that it should
treat a startup event as cancelling any previous dormant state.
Integrators should use this option with caution: it should only be
used if Tor is being started because of something that the user
did, and not if Tor is being automatically started in the
background. Closes ticket 29357.
o Minor features (fallback directory mirrors):
- Update the fallback whitelist based on operator opt-ins and opt-
outs. Closes ticket 24805, patch by Phoul.
o Minor features (FreeBSD):
- On FreeBSD-based systems, warn relay operators if the
"net.inet.ip.random_id" sysctl (IP ID randomization) is disabled.
Closes ticket 28518.
o Minor features (geoip):
- Update geoip and geoip6 to the April 2 2019 Maxmind GeoLite2
Country database. Closes ticket 29992.
o Minor features (HTTP standards compliance):
- Stop sending the header "Content-type: application/octet-stream"
along with transparently compressed documents: this confused
browsers. Closes ticket 28100.
o Minor features (IPv6):
- We add an option ClientAutoIPv6ORPort, to make clients randomly
prefer a node's IPv4 or IPv6 ORPort. The random preference is set
every time a node is loaded from a new consensus or bridge config.
We expect that this option will enable clients to bootstrap more
quickly without having to determine whether they support IPv4,
IPv6, or both. Closes ticket 27490. Patch by Neel Chauhan.
- When using addrs_in_same_network_family(), avoid choosing circuit
paths that pass through the same IPv6 subnet more than once.
Previously, we only checked IPv4 subnets. Closes ticket 24393.
Patch by Neel Chauhan.
o Minor features (log messages):
- Improve log message in v3 onion services that could print out
negative revision counters. Closes ticket 27707. Patch
by "ffmancera".
o Minor features (memory usage):
- Save memory by storing microdescriptor family lists with a more
compact representation. Closes ticket 27359.
- Tor clients now use mmap() to read consensus files from disk, so
that they no longer need keep the full text of a consensus in
memory when parsing it or applying a diff. Closes ticket 27244.
o Minor features (NSS, diagnostic):
- Try to log an error from NSS (if there is any) and a more useful
description of our situation if we are using NSS and a call to
SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.
o Minor features (parsing):
- Directory authorities now validate that router descriptors and
ExtraInfo documents are in a valid subset of UTF-8, and reject
them if they are not. Closes ticket 27367.
o Minor features (performance):
- Cache the results of summarize_protocol_flags(), so that we don't
have to parse the same protocol-versions string over and over.
This should save us a huge number of malloc calls on startup, and
may reduce memory fragmentation with some allocators. Closes
ticket 27225.
- Remove a needless memset() call from get_token_arguments, thereby
speeding up the tokenization of directory objects by about 20%.
Closes ticket 28852.
- Replace parse_short_policy() with a faster implementation, to
improve microdescriptor parsing time. Closes ticket 28853.
- Speed up directory parsing a little by avoiding use of the non-
inlined strcmp_len() function. Closes ticket 28856.
- Speed up microdescriptor parsing by about 30%, to help improve
startup time. Closes ticket 28839.
o Minor features (pluggable transports):
- Add support for emitting STATUS updates to Tor's control port from
a pluggable transport process. Closes ticket 28846.
- Add support for logging to Tor's logging subsystem from a
pluggable transport process. Closes ticket 28180.
o Minor features (process management):
- Add a new process API for handling child processes. This new API
allows Tor to have bi-directional communication with child
processes on both Unix and Windows. Closes ticket 28179.
- Use the subsystem manager to initialize and shut down the process
module. Closes ticket 28847.
o Minor features (relay):
- When listing relay families, list them in canonical form including
the relay's own identity, and try to give a more useful set of
warnings. Part of ticket 28266 and proposal 298.
o Minor features (required protocols):
- Before exiting because of a missing required protocol, Tor will
now check the publication time of the consensus, and not exit
unless the consensus is newer than the Tor program's own release
date. Previously, Tor would not check the consensus publication
time, and so might exit because of a missing protocol that might
no longer be required in a current consensus. Implements proposal
297; closes ticket 27735.
o Minor features (testing):
- Treat all unexpected ERR and BUG messages as test failures. Closes
ticket 28668.
- Allow a HeartbeatPeriod of less than 30 minutes in testing Tor
networks. Closes ticket 28840. Patch by Rob Jansen.
- Use the approx_time() function when setting the "Expires" header
in directory replies, to make them more testable. Needed for
ticket 30001.
o Minor bugfixes (security):
- Fix a potential double free bug when reading huge bandwidth files.
The issue is not exploitable in the current Tor network because
the vulnerable code is only reached when directory authorities
read bandwidth files, but bandwidth files come from a trusted
source (usually the authorities themselves). Furthermore, the
issue is only exploitable in rare (non-POSIX) 32-bit architectures,
which are not used by any of the current authorities. Fixes bug
30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by
Tobias Stoeckmann.
- Verify in more places that we are not about to create a buffer
with more than INT_MAX bytes, to avoid possible OOB access in the
event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and
fixed by Tobias Stoeckmann.
o Minor bugfix (continuous integration):
- Reset coverage state on disk after Travis CI has finished. This
should prevent future coverage merge errors from causing the test
suite for the "process" subsystem to fail. The process subsystem
was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix
on 0.2.9.15.
- Terminate test-stem if it takes more than 9.5 minutes to run.
(Travis terminates the job after 10 minutes of no output.)
Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (build, compatibility, rust):
- Update Cargo.lock file to match the version made by the latest
version of Rust, so that "make distcheck" will pass again. Fixes
bug 29244; bugfix on 0.3.3.4-alpha.
o Minor bugfixes (C correctness):
- Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug
29824; bugfix on 0.3.1.1-alpha. This is Coverity warning
CID 1444119.
o Minor bugfixes (client, clock skew):
- Bootstrap successfully even when Tor's clock is behind the clocks
on the authorities. Fixes bug 28591; bugfix on 0.2.0.9-alpha.
- Select guards even if the consensus has expired, as long as the
consensus is still reasonably live. Fixes bug 24661; bugfix
on 0.3.0.1-alpha.
o Minor bugfixes (compilation):
- Fix compilation warnings in test_circuitpadding.c. Fixes bug
29169; bugfix on 0.4.0.1-alpha.
- Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug
29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn.
- Compile correctly on OpenBSD; previously, we were missing some
headers required in order to detect it properly. Fixes bug 28938;
bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
o Minor bugfixes (directory clients):
- Mark outdated dirservers when Tor only has a reasonably live
consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.
o Minor bugfixes (directory mirrors):
- Even when a directory mirror's clock is behind the clocks on the
authorities, we now allow the mirror to serve "future"
consensuses. Fixes bug 28654; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (DNS):
- Gracefully handle an empty or absent resolve.conf file by falling
back to using "localhost" as a DNS server (and hoping it works).
Previously, we would just stop running as an exit. Fixes bug
21900; bugfix on 0.2.1.10-alpha.
o Minor bugfixes (documentation):
- Describe the contents of the v3 onion service client authorization
files correctly: They hold public keys, not private keys. Fixes
bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".
o Minor bugfixes (guards):
- In count_acceptable_nodes(), the minimum number is now one bridge
or guard node, and two non-guard nodes for a circuit. Previously,
we had added up the sum of all nodes with a descriptor, but that
could cause us to build failing circuits when we had either too
many bridges or not enough guard nodes. Fixes bug 25885; bugfix on
0.3.6.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (IPv6):
- Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the
IPv6 socket was bound using an address family of AF_INET instead
of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from
Kris Katterjohn.
o Minor bugfixes (linux seccomp sandbox):
- Fix startup crash when experimental sandbox support is enabled.
Fixes bug 29150; bugfix on 0.4.0.1-alpha. Patch by Peter Gerber.
o Minor bugfixes (logging):
- Correct a misleading error message when IPv4Only or IPv6Only is
used but the resolved address can not be interpreted as an address
of the specified IP version. Fixes bug 13221; bugfix on
0.2.3.9-alpha. Patch from Kris Katterjohn.
- Log the correct port number for listening sockets when "auto" is
used to let Tor pick the port number. Previously, port 0 was
logged instead of the actual port number. Fixes bug 29144; bugfix
on 0.3.5.1-alpha. Patch from Kris Katterjohn.
- Stop logging a BUG() warning when Tor is waiting for exit
descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha.
- Avoid logging that we are relaxing a circuit timeout when that
timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha.
- Log more information at "warning" level when unable to read a
private key; log more information at "info" level when unable to
read a public key. We had warnings here before, but they were lost
during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.
- Rework rep_hist_log_link_protocol_counts() to iterate through all
link protocol versions when logging incoming/outgoing connection
counts. Tor no longer skips version 5, and we won't have to
remember to update this function when new link protocol version is
developed. Fixes bug 28920; bugfix on 0.2.6.10.
o Minor bugfixes (memory management):
- Refactor the shared random state's memory management so that it
actually takes ownership of the shared random value pointers.
Fixes bug 29706; bugfix on 0.2.9.1-alpha.
- Stop leaking parts of the shared random state in the shared-random
unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (misc):
- The amount of total available physical memory is now determined
using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
when it is defined and a 64-bit variant is not available. Fixes
bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.
o Minor bugfixes (networking):
- Introduce additional checks into tor_addr_parse() to reject
certain incorrect inputs that previously were not detected. Fixes
bug 23082; bugfix on 0.2.0.10-alpha.
o Minor bugfixes (onion service v3, client):
- Stop logging a "BUG()" warning and stacktrace when we find a SOCKS
connection waiting for a descriptor that we actually have in the
cache. It turns out that this can actually happen, though it is
rare. Now, tor will recover and retry the descriptor. Fixes bug
28669; bugfix on 0.3.2.4-alpha.
o Minor bugfixes (onion services):
- Avoid crashing if ClientOnionAuthDir (incorrectly) contains more
than one private key for a hidden service. Fixes bug 29040; bugfix
on 0.3.5.1-alpha.
- In hs_cache_store_as_client() log an HSDesc we failed to parse at
"debug" level. Tor used to log it as a warning, which caused very
long log lines to appear for some users. Fixes bug 29135; bugfix
on 0.3.2.1-alpha.
- Stop logging "Tried to establish rendezvous on non-OR circuit..."
as a warning. Instead, log it as a protocol warning, because there
is nothing that relay operators can do to fix it. Fixes bug 29029;
bugfix on 0.2.5.7-rc.
o Minor bugfixes (periodic events):
- Refrain from calling routerlist_remove_old_routers() from
check_descriptor_callback(). Instead, create a new hourly periodic
event. Fixes bug 27929; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (pluggable transports):
- Make sure that data is continously read from standard output and
standard error pipes of a pluggable transport child-process, to
avoid deadlocking when a pipe's buffer is full. Fixes bug 26360;
bugfix on 0.2.3.6-alpha.
o Minor bugfixes (rust):
- Abort on panic in all build profiles, instead of potentially
unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (scheduler):
- When re-adding channels to the pending list, check the correct
channel's sched_heap_idx. This issue has had no effect in mainline
Tor, but could have led to bugs down the road in improved versions
of our circuit scheduling code. Fixes bug 29508; bugfix
on 0.3.2.10.
o Minor bugfixes (shellcheck):
- Look for scripts in their correct locations during "make
shellcheck". Previously we had looked in the wrong place during
out-of-tree builds. Fixes bug 30263; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (single onion services):
- Allow connections to single onion services to remain idle without
being disconnected. Previously, relays acting as rendezvous points
for single onion services were mistakenly closing idle rendezvous
circuits after 60 seconds, thinking that they were unused
directory-fetching circuits that had served their purpose. Fixes
bug 29665; bugfix on 0.2.1.26.
o Minor bugfixes (stats):
- When ExtraInfoStatistics is 0, stop including PaddingStatistics in
relay and bridge extra-info documents. Fixes bug 29017; bugfix
on 0.3.1.1-alpha.
o Minor bugfixes (testing):
- Backport the 0.3.4 src/test/test-network.sh to 0.2.9. We need a
recent test-network.sh to use new chutney features in CI. Fixes
bug 29703; bugfix on 0.2.9.1-alpha.
- Fix a test failure on Windows caused by an unexpected "BUG"
warning in our tests for tor_gmtime_r(-1). Fixes bug 29922; bugfix
on 0.2.9.3-alpha.
- Downgrade some LOG_ERR messages in the address/* tests to
warnings. The LOG_ERR messages were occurring when we had no
configured network. We were failing the unit tests, because we
backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug
29530; bugfix on 0.3.5.8.
- Fix our gcov wrapper script to look for object files at the
correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha.
- Decrease the false positive rate of stochastic probability
distribution tests. Fixes bug 29693; bugfix on 0.4.0.1-alpha.
- Fix intermittent failures on an adaptive padding test. Fixes one
case of bug 29122; bugfix on 0.4.0.1-alpha.
- Disable an unstable circuit-padding test that was failing
intermittently because of an ill-defined small histogram. Such
histograms will be allowed again after 29298 is implemented. Fixes
a second case of bug 29122; bugfix on 0.4.0.1-alpha.
- Detect and suppress "bug" warnings from the util/time test on
Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
- Do not log an error-level message if we fail to find an IPv6
network interface from the unit tests. Fixes bug 29160; bugfix
on 0.2.7.3-rc.
- Instead of relying on hs_free_all() to clean up all onion service
objects in test_build_descriptors(), we now deallocate them one by
one. This lets Coverity know that we are not leaking memory there
and fixes CID 1442277. Fixes bug 28989; bugfix on 0.3.5.1-alpha.
- Check the time in the "Expires" header using approx_time(). Fixes
bug 30001; bugfix on 0.4.0.4-rc.
o Minor bugfixes (TLS protocol):
- When classifying a client's selection of TLS ciphers, if the
client ciphers are not yet available, do not cache the result.
Previously, we had cached the unavailability of the cipher list
and never looked again, which in turn led us to assume that the
client only supported the ancient V1 link protocol. This, in turn,
was causing Stem integration tests to stall in some cases. Fixes
bug 30021; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (UI):
- Lower log level of unlink() errors during bootstrap. Fixes bug
29930; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (usability):
- Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate().
Some users took this phrasing to mean that the mentioned guard was
under their control or responsibility, which it is not. Fixes bug
28895; bugfix on Tor 0.3.0.1-alpha.
o Minor bugfixes (Windows, CI):
- Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit
Windows Server 2012 R2 job. The remaining 2 jobs still provide
coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set
fast_finish, so failed jobs terminate the build immediately. Fixes
bug 29601; bugfix on 0.3.5.4-alpha.
o Code simplification and refactoring:
- Introduce a connection_dir_buf_add() helper function that detects
whether compression is in use, and adds a string accordingly.
Resolves issue 28816.
- Refactor handle_get_next_bandwidth() to use
connection_dir_buf_add(). Implements ticket 29897.
- Reimplement NETINFO cell parsing and generation to rely on
trunnel-generated wire format handling code. Closes ticket 27325.
- Remove unnecessary unsafe code from the Rust macro "cstr!". Closes
ticket 28077.
- Rework SOCKS wire format handling to rely on trunnel-generated
parsing/generation code. Resolves ticket 27620.
- Split out bootstrap progress reporting from control.c into a
separate file. Part of ticket 27402.
- The .may_include files that we use to describe our directory-by-
directory dependency structure now describe a noncircular
dependency graph over the directories that they cover. Our
checkIncludes.py tool now enforces this noncircularity. Closes
ticket 28362.
o Documentation:
- Clarify that Tor performs stream isolation among *Port listeners
by default. Resolves issue 29121.
- In the manpage entry describing MapAddress torrc setting, use
example IP addresses from ranges specified for use in documentation
by RFC 5737. Resolves issue 28623.
- Mention that you cannot add a new onion service if Tor is already
running with Sandbox enabled. Closes ticket 28560.
- Improve ControlPort documentation. Mention that it accepts
address:port pairs, and can be used multiple times. Closes
ticket 28805.
- Document the exact output of "tor --version". Closes ticket 28889.
o Removed features:
- Remove the old check-tor script. Resolves issue 29072.
- Stop responding to the 'GETINFO status/version/num-concurring' and
'GETINFO status/version/num-versioning' control port commands, as
those were deprecated back in 0.2.0.30. Also stop listing them in
output of 'GETINFO info/names'. Resolves ticket 28757.
- The scripts used to generate and maintain the list of fallback
directories have been extracted into a new "fallback-scripts"
repository. Closes ticket 27914.
o Testing:
- Run shellcheck for scripts in the in scripts/ directory. Closes
ticket 28058.
- Add unit tests for tokenize_string() and get_next_token()
functions. Resolves ticket 27625.
o Code simplification and refactoring (onion service v3):
- Consolidate the authorized client descriptor cookie computation
code from client and service into one function. Closes
ticket 27549.
o Code simplification and refactoring (shell scripts):
- Cleanup scan-build.sh to silence shellcheck warnings. Closes
ticket 28007.
- Fix issues that shellcheck found in chutney-git-bisect.sh.
Resolves ticket 28006.
- Fix issues that shellcheck found in updateRustDependencies.sh.
Resolves ticket 28012.
- Fix shellcheck warnings in cov-diff script. Resolves issue 28009.
- Fix shellcheck warnings in run_calltool.sh. Resolves ticket 28011.
- Fix shellcheck warnings in run_trunnel.sh. Resolves issue 28010.
- Fix shellcheck warnings in scripts/test/coverage. Resolves
issue 28008.
The upstream Makefile.in fails to express a dependency. However,
instead of the usual situation where a -j1 build works and a parallel
build sometimes fails, the -j1 build reliably fails and a -j4 or -j10
occasionally works.
Changes in version 0.3.5.8:
Tor 0.3.5.8 backports serveral fixes from later releases, including fixes
for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x
releases.
It also includes a fix for a medium-severity security bug affecting Tor
0.3.2.1-alpha and later. All Tor instances running an affected release
should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.
o Major bugfixes (cell scheduler, KIST, security):
- Make KIST consider the outbuf length when computing what it can
put in the outbuf. Previously, KIST acted as though the outbuf
were empty, which could lead to the outbuf becoming too full. It
is possible that an attacker could exploit this bug to cause a Tor
client or relay to run out of memory and crash. Fixes bug 29168;
bugfix on 0.3.2.1-alpha. This issue is also being tracked as
TROVE-2019-001 and CVE-2019-8955.
o Major bugfixes (networking, backport from 0.4.0.2-alpha):
- Gracefully handle empty username/password fields in SOCKS5
username/password auth messsage and allow SOCKS5 handshake to
continue. Previously, we had rejected these handshakes, breaking
certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.
o Minor features (compilation, backport from 0.4.0.2-alpha):
- Compile correctly when OpenSSL is built with engine support
disabled, or with deprecated APIs disabled. Closes ticket 29026.
Patches from "Mangix".
o Minor features (geoip):
- Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
Country database. Closes ticket 29478.
o Minor features (testing, backport from 0.4.0.2-alpha):
- Treat all unexpected ERR and BUG messages as test failures. Closes
ticket 28668.
o Minor bugfixes (onion service v3, client, backport from 0.4.0.1-alpha):
- Stop logging a "BUG()" warning and stacktrace when we find a SOCKS
connection waiting for a descriptor that we actually have in the
cache. It turns out that this can actually happen, though it is
rare. Now, tor will recover and retry the descriptor. Fixes bug
28669; bugfix on 0.3.2.4-alpha.
o Minor bugfixes (IPv6, backport from 0.4.0.1-alpha):
- Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the
IPv6 socket was bound using an address family of AF_INET instead
of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from
Kris Katterjohn.
o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
- Update Cargo.lock file to match the version made by the latest
version of Rust, so that "make distcheck" will pass again. Fixes
bug 29244; bugfix on 0.3.3.4-alpha.
o Minor bugfixes (client, clock skew, backport from 0.4.0.1-alpha):
- Select guards even if the consensus has expired, as long as the
consensus is still reasonably live. Fixes bug 24661; bugfix
on 0.3.0.1-alpha.
o Minor bugfixes (compilation, backport from 0.4.0.1-alpha):
- Compile correctly on OpenBSD; previously, we were missing some
headers required in order to detect it properly. Fixes bug 28938;
bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
o Minor bugfixes (documentation, backport from 0.4.0.2-alpha):
- Describe the contents of the v3 onion service client authorization
files correctly: They hold public keys, not private keys. Fixes
bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".
o Minor bugfixes (logging, backport from 0.4.0.1-alpha):
- Rework rep_hist_log_link_protocol_counts() to iterate through all
link protocol versions when logging incoming/outgoing connection
counts. Tor no longer skips version 5, and we won't have to
remember to update this function when new link protocol version is
developed. Fixes bug 28920; bugfix on 0.2.6.10.
o Minor bugfixes (logging, backport from 0.4.0.2-alpha):
- Log more information at "warning" level when unable to read a
private key; log more information at "info" level when unable to
read a public key. We had warnings here before, but they were lost
during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (misc, backport from 0.4.0.2-alpha):
- The amount of total available physical memory is now determined
using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
when it is defined and a 64-bit variant is not available. Fixes
bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.
o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
- Avoid crashing if ClientOnionAuthDir (incorrectly) contains more
than one private key for a hidden service. Fixes bug 29040; bugfix
on 0.3.5.1-alpha.
- In hs_cache_store_as_client() log an HSDesc we failed to parse at
"debug" level. Tor used to log it as a warning, which caused very
long log lines to appear for some users. Fixes bug 29135; bugfix
on 0.3.2.1-alpha.
- Stop logging "Tried to establish rendezvous on non-OR circuit..."
as a warning. Instead, log it as a protocol warning, because there
is nothing that relay operators can do to fix it. Fixes bug 29029;
bugfix on 0.2.5.7-rc.
o Minor bugfixes (tests, directory clients, backport from 0.4.0.1-alpha):
- Mark outdated dirservers when Tor only has a reasonably live
consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.
o Minor bugfixes (tests, backport from 0.4.0.2-alpha):
- Detect and suppress "bug" warnings from the util/time test on
Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
- Do not log an error-level message if we fail to find an IPv6
network interface from the unit tests. Fixes bug 29160; bugfix
on 0.2.7.3-rc.
o Minor bugfixes (usability, backport from 0.4.0.1-alpha):
- Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate().
Some users took this phrasing to mean that the mentioned guard was
under their control or responsibility, which it is not. Fixes bug
28895; bugfix on Tor 0.3.0.1-alpha.
Changes in version 0.3.5.7:
Tor 0.3.5.7 is the first stable release in its series; it includes
compilation and portability fixes, and a fix for a severe problem
affecting directory caches.
The Tor 0.3.5 series includes several new features and performance
improvements, including client authorization for v3 onion services,
cleanups to bootstrap reporting, support for improved bandwidth-
measurement tools, experimental support for NSS in place of OpenSSL,
and much more. It also begins a full reorganization of Tor's code
layout, for improved modularity and maintainability in the future.
Finally, there is the usual set of performance improvements and
bugfixes that we try to do in every release series.
There are a couple of changes in the 0.3.5 that may affect
compatibility. First, the default version for newly created onion
services is now v3. Use the HiddenServiceVersion option if you want to
override this. Second, some log messages related to bootstrapping have
changed; if you use stem, you may need to update to the latest version
so it will recognize them.
We have designated 0.3.5 as a "long-term support" (LTS) series: we
will continue to patch major bugs in typical configurations of 0.3.5
until at least 1 Feb 2022. (We do not plan to provide long-term
support for embedding, Rust support, NSS support, running a directory
authority, or unsupported platforms. For these, you will need to stick
with the latest stable release.)
Tor 0.3.4.9 is the second stable release in its series; it backports
numerous fixes, including a fix for a bandwidth management bug that
was causing memory exhaustion on relays. Anyone running an earlier
version of Tor 0.3.4.9 should upgrade.
o Major bugfixes (compilation, backport from 0.3.5.3-alpha):
- Fix compilation on ARM (and other less-used CPUs) when compiling
with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.
o Major bugfixes (mainloop, bootstrap, backport from 0.3.5.3-alpha):
- Make sure Tor bootstraps and works properly if only the
ControlPort is set. Prior to this fix, Tor would only bootstrap
when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel
port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.
o Major bugfixes (relay, backport from 0.3.5.3-alpha):
- When our write bandwidth limit is exhausted, stop writing on the
connection. Previously, we had a typo in the code that would make
us stop reading instead, leading to relay connections being stuck
indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix
on 0.3.4.1-alpha.
o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
- Fix a use-after-free error that could be caused by passing Tor an
impossible set of options that would fail during options_act().
Fixes bug 27708; bugfix on 0.3.3.1-alpha.
o Minor features (continuous integration, backport from 0.3.5.1-alpha):
- Don't do a distcheck with --disable-module-dirauth in Travis.
Implements ticket 27252.
- Only run one online rust build in Travis, to reduce network
errors. Skip offline rust builds on Travis for Linux gcc, because
they're redundant. Implements ticket 27252.
- Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
Linux with default settings, because all the non-default builds
use gcc on Linux. Implements ticket 27252.
o Minor features (continuous integration, backport from 0.3.5.3-alpha):
- Use the Travis Homebrew addon to install packages on macOS during
Travis CI. The package list is the same, but the Homebrew addon
does not do a `brew update` by default. Implements ticket 27738.
o Minor features (geoip):
- Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2
Country database. Closes ticket 27991.
o Minor bugfixes (32-bit OSX and iOS, timing, backport from 0.3.5.2-alpha):
- Fix an integer overflow bug in our optimized 32-bit millisecond-
difference algorithm for 32-bit Apple platforms. Previously, it
would overflow when calculating the difference between two times
more than 47 days apart. Fixes part of bug 27139; bugfix
on 0.3.4.1-alpha.
- Improve the precision of our 32-bit millisecond difference
algorithm for 32-bit Apple platforms. Fixes part of bug 27139;
bugfix on 0.3.4.1-alpha.
- Relax the tolerance on the mainloop/update_time_jumps test when
running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix
on 0.3.4.1-alpha.
o Minor bugfixes (C correctness, to appear in 0.3.5.4-alpha):
- Avoid undefined behavior in an end-of-string check when parsing
the BEGIN line in a directory object. Fixes bug 28202; bugfix
on 0.2.0.3-alpha.
o Minor bugfixes (CI, appveyor, to appear in 0.3.5.4-alpha):
- Only install the necessary mingw packages during our appveyor
builds. This change makes the build a little faster, and prevents
a conflict with a preinstalled mingw openssl that appveyor now
ships. Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
- Rewrite our assertion macros so that they no longer suppress the
compiler's -Wparentheses warnings. Fixes bug 27709; bugfix
o Minor bugfixes (continuous integration, backport from 0.3.5.1-alpha):
- Stop reinstalling identical packages in our Windows CI. Fixes bug
27464; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (directory authority, to appear in 0.3.5.4-alpha):
- Log additional info when we get a relay that shares an ed25519 ID
with a different relay, instead making a BUG() warning. Fixes bug
27800; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (directory connection shutdown, backport from 0.3.5.1-alpha):
- Avoid a double-close when shutting down a stalled directory
connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (HTTP tunnel, backport from 0.3.5.1-alpha):
- Fix a bug warning when closing an HTTP tunnel connection due to an
HTTP request we couldn't handle. Fixes bug 26470; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
- Ensure circuitmux queues are empty before scheduling or sending
padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
- When the onion service directory can't be created or has the wrong
permissions, do not log a stack trace. Fixes bug 27335; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
- Close all SOCKS request (for the same .onion) if the newly fetched
descriptor is unusable. Before that, we would close only the first
one leaving the other hanging and let to time out by themselves.
Fixes bug 27410; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
- When selecting a v3 rendezvous point, don't only look at the
protover, but also check whether the curve25519 onion key is
present. This way we avoid picking a relay that supports the v3
rendezvous but for which we don't have the microdescriptor. Fixes
bug 27797; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (protover, backport from 0.3.5.3-alpha):
- Reject protocol names containing bytes other than alphanumeric
characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
on 0.2.9.4-alpha.
o Minor bugfixes (rust, backport from 0.3.5.1-alpha):
- Compute protover votes correctly in the rust version of the
protover code. Previously, the protover rewrite in 24031 allowed
repeated votes from the same voter for the same protocol version
to be counted multiple times in protover_compute_vote(). Fixes bug
27649; bugfix on 0.3.3.5-rc.
- Reject protover names that contain invalid characters. Fixes bug
27687; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (rust, backport from 0.3.5.2-alpha):
- protover_all_supported() would attempt to allocate up to 16GB on
some inputs, leading to a potential memory DoS. Fixes bug 27206;
bugfix on 0.3.3.5-rc.
o Minor bugfixes (rust, directory authority, to appear in 0.3.5.4-alpha):
- Fix an API mismatch in the rust implementation of
protover_compute_vote(). This bug could have caused crashes on any
directory authorities running Tor with Rust (which we do not yet
recommend). Fixes bug 27741; bugfix on 0.3.3.6.
o Minor bugfixes (rust, to appear in 0.3.5.4-alpha):
- Fix a potential null dereference in protover_all_supported(). Add
a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
- Return a string that can be safely freed by C code, not one
created by the rust allocator, in protover_all_supported(). Fixes
bug 27740; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (testing, backport from 0.3.5.1-alpha):
- If a unit test running in a subprocess exits abnormally or with a
nonzero status code, treat the test as having failed, even if the
test reported success. Without this fix, memory leaks don't cause
the tests to fail, even with LeakSanitizer. Fixes bug 27658;
bugfix on 0.2.2.4-alpha.
o Minor bugfixes (testing, backport from 0.3.5.3-alpha):
- Make the hs_service tests use the same time source when creating
the introduction point and when testing it. Now tests work better
on very slow systems like ARM or Travis. Fixes bug 27810; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (testing, to appear in 0.3.5.4-alpha):
- Treat backtrace test failures as expected on BSD-derived systems
(NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
(FreeBSD failures have been treated as expected since 18204 in
0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.
Tor 0.3.4.8 is the first stable release in its series; it includes
compilation and portability fixes.
The Tor 0.3.4 series includes improvements for running Tor in
low-power and embedded environments, which should help performance in
general. We've begun work on better modularity, and included preliminary
changes on the directory authority side to accommodate a new bandwidth
measurement system. We've also integrated more continuous-integration
systems into our development process, and made corresponding changes to
Tor's testing infrastructure. Finally, we've continued to refine
our anti-denial-of-service code.
Below are the changes since 0.3.4.7-rc. For a complete list of changes
since 0.3.3.9, see the ReleaseNotes file.
o Minor features (compatibility):
- Tell OpenSSL to maintain backward compatibility with previous
RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these
ciphers are disabled by default. Closes ticket 27344.
o Minor features (continuous integration):
- Log the compiler path and version during Appveyor builds.
Implements ticket 27449.
- Show config.log and test-suite.log after failed Appveyor builds.
Also upload the zipped full logs as a build artifact. Implements
ticket 27430.
o Minor bugfixes (compilation):
- Silence a spurious compiler warning on the GetAdaptersAddresses
function pointer cast. This issue is already fixed by 26481 in
0.3.5 and later, by removing the lookup and cast. Fixes bug 27465;
bugfix on 0.2.3.11-alpha.
- Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not
supported, and always fails. Some compilers warn about the
function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix
on 0.2.2.23-alpha.
o Minor bugfixes (continuous integration):
- Disable gcc hardening in Appveyor Windows 64-bit builds. As of
August 29 2018, Appveyor images come with gcc 8.2.0 by default.
Executables compiled for 64-bit Windows with this version of gcc
crash when Tor's --enable-gcc-hardening flag is set. Fixes bug
27460; bugfix on 0.3.4.1-alpha.
- When a Travis build fails, and showing a log fails, keep trying to
show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc.
- When we use echo in Travis, don't pass a --flag as the first
argument. Fixes bug 27418; bugfix on 0.3.4.7-rc.
o Minor bugfixes (onion services):
- Silence a spurious compiler warning in
rend_client_send_introduction(). Fixes bug 27463; bugfix
on 0.1.1.2-alpha.
o Minor bugfixes (testing, chutney):
- When running make test-network-all, use the mixed+hs-v2 network.
(A previous fix to chutney removed v3 onion services from the
mixed+hs-v23 network, so seeing "mixed+hs-v23" in tests is
confusing.) Fixes bug 27345; bugfix on 0.3.2.1-alpha.
- Before running make test-network-all, delete old logs and test
result files, to avoid spurious failures. Fixes bug 27295; bugfix
on 0.2.7.3-rc.
Changes in version 0.3.3.9 - 2018-07-13
Tor 0.3.3.9 moves to a new bridge authority, meaning people running
bridge relays should upgrade.
o Directory authority changes:
- The "Bifroest" bridge authority has been retired; the new bridge
authority is "Serge", and it is operated by George from the
TorBSD project. Closes ticket 26771.
Changes in version 0.3.3.8:
Tor 0.3.3.8 backports several changes from the 0.3.4.x series, including
fixes for a memory leak affecting directory authorities.
o Major bugfixes (directory authority, backport from 0.3.4.3-alpha):
- Stop leaking memory on directory authorities when planning to
vote. This bug was crashing authorities by exhausting their
memory. Fixes bug 26435; bugfix on 0.3.3.6.
o Major bugfixes (rust, testing, backport from 0.3.4.3-alpha):
- Make sure that failing tests in Rust will actually cause the build
to fail: previously, they were ignored. Fixes bug 26258; bugfix
on 0.3.3.4-alpha.
o Minor features (compilation, backport from 0.3.4.4-rc):
- When building Tor, prefer to use Python 3 over Python 2, and more
recent (contemplated) versions over older ones. Closes
ticket 26372.
o Minor features (geoip):
- Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
Country database. Closes ticket 26674.
o Minor features (relay, diagnostic, backport from 0.3.4.3-alpha):
- Add several checks to detect whether Tor relays are uploading
their descriptors without specifying why they regenerated them.
Diagnostic for ticket 25686.
o Minor bugfixes (circuit path selection, backport from 0.3.4.1-alpha):
- Don't count path selection failures as circuit build failures.
This change should eliminate cases where Tor blames its guard or
the network for situations like insufficient microdescriptors
and/or overly restrictive torrc settings. Fixes bug 25705; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (compilation, backport from 0.3.4.4-rc):
- Fix a compilation warning on some versions of GCC when building
code that calls routerinfo_get_my_routerinfo() twice, assuming
that the second call will succeed if the first one did. Fixes bug
26269; bugfix on 0.2.8.2-alpha.
o Minor bugfixes (control port, backport from 0.3.4.4-rc):
- Handle the HSADDRESS= argument to the HSPOST command properly.
(Previously, this argument was misparsed and thus ignored.) Fixes
bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran".
o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc):
- Fix a number of small memory leaks identified by coverity. Fixes
bug 26467; bugfix on numerous Tor versions.
o Minor bugfixes (relay, backport from 0.3.4.3-alpha):
- Relays now correctly block attempts to re-extend to the previous
relay by Ed25519 identity. Previously they would warn in this
case, but not actually reject the attempt. Fixes bug 26158; bugfix
on 0.3.0.1-alpha.
o Minor bugfixes (restart-in-process, backport from 0.3.4.1-alpha):
- When shutting down, Tor now clears all the flags in the control.c
module. This should prevent a bug where authentication cookies are
not generated on restart. Fixes bug 25512; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc):
- When running the hs_ntor_ref.py test, make sure only to pass
strings (rather than "bytes" objects) to the Python subprocess
module. Python 3 on Windows seems to require this. Fixes bug
26535; bugfix on 0.3.1.1-alpha.
- When running the ntor_ref.py test, make sure only to pass strings
(rather than "bytes" objects) to the Python subprocess module.
Python 3 on Windows seems to require this. Fixes bug 26535; bugfix
on 0.2.5.5-alpha.
Changes in version 0.3.3.7 - 2018-06-12
Tor 0.3.3.7 backports several changes from the 0.3.4.x series, including
fixes for bugs affecting compatibility and stability.
o Directory authority changes:
- Add an IPv6 address for the "dannenberg" directory authority.
Closes ticket 26343.
o Minor features (geoip):
- Update geoip and geoip6 to the June 7 2018 Maxmind GeoLite2
Country database. Closes ticket 26351.
o Minor bugfixes (compatibility, openssl, backport from 0.3.4.2-alpha):
- Work around a change in OpenSSL 1.1.1 where return values that
would previously indicate "no password" now indicate an empty
password. Without this workaround, Tor instances running with
OpenSSL 1.1.1 would accept descriptors that other Tor instances
would reject. Fixes bug 26116; bugfix on 0.2.5.16.
o Minor bugfixes (compilation, backport from 0.3.4.2-alpha):
- Silence unused-const-variable warnings in zstd.h with some GCC
versions. Fixes bug 26272; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (controller, backport from 0.3.4.2-alpha):
- Improve accuracy of the BUILDTIMEOUT_SET control port event's
TIMEOUT_RATE and CLOSE_RATE fields. (We were previously
miscounting the total number of circuits for these field values.)
Fixes bug 26121; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (hardening, backport from 0.3.4.2-alpha):
- Prevent a possible out-of-bounds smartlist read in
protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha.
o Minor bugfixes (path selection, backport from 0.3.4.1-alpha):
- Only select relays when they have the descriptors we prefer to use
for them. This change fixes a bug where we could select a relay
because it had _some_ descriptor, but reject it later with a
nonfatal assertion error because it didn't have the exact one we
wanted. Fixes bugs 25691 and 25692; bugfix on 0.3.3.4-alpha.
Changes in version 0.3.3.6 - 2018-05-22
Tor 0.3.3.6 is the first stable release in the 0.3.3 series. It
backports several important fixes from the 0.3.4.1-alpha.
The Tor 0.3.3 series includes controller support and other
improvements for v3 onion services, official support for embedding Tor
within other applications, and our first non-trivial module written in
the Rust programming language. (Rust is still not enabled by default
when building Tor.) And as usual, there are numerous other smaller
bugfixes, features, and improvements.
Below are the changes since 0.3.2.10. For a list of only the changes
since 0.3.3.5-rc, see the ChangeLog file.
o New system requirements:
- When built with Rust, Tor now depends on version 0.2.39 of the
libc crate. Closes tickets 25310 and 25664.
o Major features (embedding):
- There is now a documented stable API for programs that need to
embed Tor. See tor_api.h for full documentation and known bugs.
Closes ticket 23684.
- Tor now has support for restarting in the same process.
Controllers that run Tor using the "tor_api.h" interface can now
restart Tor after Tor has exited. This support is incomplete,
however: we fixed crash bugs that prevented it from working at
all, but many bugs probably remain, including a possibility of
security issues. Implements ticket 24581.
o Major features (IPv6, directory documents):
- Add consensus method 27, which adds IPv6 ORPorts to the microdesc
consensus. This information makes it easier for IPv6 clients to
bootstrap and choose reachable entry guards. Implements
ticket 23826.
- Add consensus method 28, which removes IPv6 ORPorts from
microdescriptors. Now that the consensus contains IPv6 ORPorts,
they are redundant in microdescs. This change will be used by Tor
clients on 0.2.8.x and later. (That is to say, with all Tor
clients that have IPv6 bootstrap and guard support.) Implements
ticket 23828.
- Expand the documentation for AuthDirHasIPv6Connectivity when it is
set by different numbers of authorities. Fixes 23870
on 0.2.4.1-alpha.
o Major features (onion service v3, control port):
- The control port now supports commands and events for v3 onion
services. It is now possible to create ephemeral v3 services using
ADD_ONION. Additionally, several events (HS_DESC, HS_DESC_CONTENT,
CIRC and CIRC_MINOR) and commands (GETINFO, HSPOST, ADD_ONION and
DEL_ONION) have been extended to support v3 onion services. Closes
ticket 20699; implements proposal 284.
o Major features (onion services):
- Provide torrc options to pin the second and third hops of onion
service circuits to a list of nodes. The option HSLayer2Guards
pins the second hop, and the option HSLayer3Guards pins the third
hop. These options are for use in conjunction with experiments
with "vanguards" for preventing guard enumeration attacks. Closes
ticket 13837.
- When v3 onion service clients send introduce cells, they now
include the IPv6 address of the rendezvous point, if it has one.
Current v3 onion services running 0.3.2 ignore IPv6 addresses, but
in future Tor versions, IPv6-only v3 single onion services will be
able to use IPv6 addresses to connect directly to the rendezvous
point. Closes ticket 23577. Patch by Neel Chauhan.
o Major features (relay):
- Implement an option, ReducedExitPolicy, to allow an Tor exit relay
operator to use a more reasonable ("reduced") exit policy, rather
than the default one. If you want to run an exit node without
thinking too hard about which ports to allow, this one is for you.
Closes ticket 13605. Patch from Neel Chauhan.
o Major features (rust, portability, experimental):
- Tor now ships with an optional implementation of one of its
smaller modules (protover.c) in the Rust programming language. To
try it out, install a Rust build environment, and configure Tor
with "--enable-rust --enable-cargo-online-mode". This should not
cause any user-visible changes, but should help us gain more
experience with Rust, and plan future Rust integration work.
Implementation by Chelsea Komlo. Closes ticket 22840.
o Major bugfixes (directory authorities, security, backport from 0.3.4.1-alpha):
- When directory authorities read a zero-byte bandwidth file, they
would previously log a warning with the contents of an
uninitialised buffer. They now log a warning about the empty file
instead. Fixes bug 26007; bugfix on 0.2.2.1-alpha.
o Major bugfixes (security, directory authority, denial-of-service):
- Fix a bug that could have allowed an attacker to force a directory
authority to use up all its RAM by passing it a maliciously
crafted protocol versions string. Fixes bug 25517; bugfix on
0.2.9.4-alpha. This issue is also tracked as TROVE-2018-005.
o Major bugfixes (crash, backport from 0.3.4.1-alpha):
- Avoid a rare assertion failure in the circuit build timeout code
if we fail to allow any circuits to actually complete. Fixes bug
25733; bugfix on 0.2.2.2-alpha.
o Major bugfixes (netflow padding):
- Stop adding unneeded channel padding right after we finish
flushing to a connection that has been trying to flush for many
seconds. Instead, treat all partial or complete flushes as
activity on the channel, which will defer the time until we need
to add padding. This fix should resolve confusing and scary log
messages like "Channel padding timeout scheduled 221453ms in the
past." Fixes bug 22212; bugfix on 0.3.1.1-alpha.
o Major bugfixes (networking):
- Tor will no longer reject IPv6 address strings from Tor Browser
when they are passed as hostnames in SOCKS5 requests. Fixes bug
25036, bugfix on Tor 0.3.1.2.
o Major bugfixes (onion service, backport from 0.3.4.1-alpha):
- Correctly detect when onion services get disabled after HUP. Fixes
bug 25761; bugfix on 0.3.2.1.
o Major bugfixes (performance, load balancing):
- Directory authorities no longer vote in favor of the Guard flag
for relays without directory support. Starting in Tor
0.3.0.1-alpha, clients have been avoiding using such relays in the
Guard position, leading to increasingly broken load balancing for
the 5%-or-so of Guards that don't advertise directory support.
Fixes bug 22310; bugfix on 0.3.0.6.
o Major bugfixes (relay):
- If we have failed to connect to a relay and received a connection
refused, timeout, or similar error (at the TCP level), do not try
that same address/port again for 60 seconds after the failure has
occurred. Fixes bug 24767; bugfix on 0.0.6.
o Major bugfixes (relay, denial of service, backport from 0.3.4.1-alpha):
- Impose a limit on circuit cell queue size. The limit can be
controlled by a consensus parameter. Fixes bug 25226; bugfix
on 0.2.4.14-alpha.
o Minor features (cleanup):
- Tor now deletes the CookieAuthFile and ExtORPortCookieAuthFile
when it stops. Closes ticket 23271.
o Minor features (compatibility, backport from 0.3.4.1-alpha):
- Avoid some compilation warnings with recent versions of LibreSSL.
Closes ticket 26006.
o Minor features (config options):
- Change the way the default value for MaxMemInQueues is calculated.
We now use 40% of the hardware RAM if the system has 8 GB RAM or
more. Otherwise we use the former value of 75%. Closes
ticket 24782.
o Minor features (continuous integration):
- Update the Travis CI configuration to use the stable Rust channel,
now that we have decided to require that. Closes ticket 25714.
o Minor features (continuous integration, backport from 0.3.4.1-alpha):
- Our .travis.yml configuration now includes support for testing the
results of "make distcheck". (It's not uncommon for "make check"
to pass but "make distcheck" to fail.) Closes ticket 25814.
- Our Travis CI configuration now integrates with the Coveralls
coverage analysis tool. Closes ticket 25818.
o Minor features (defensive programming):
- Most of the functions in Tor that free objects have been replaced
with macros that free the objects and set the corresponding
pointers to NULL. This change should help prevent a large class of
dangling pointer bugs. Closes ticket 24337.
- Where possible, the tor_free() macro now only evaluates its input
once. Part of ticket 24337.
- Check that microdesc ed25519 ids are non-zero in
node_get_ed25519_id() before returning them. Implements ticket
24001, patch by "aruna1234".
o Minor features (directory authority):
- When directory authorities are unable to add signatures to a
pending consensus, log the reason why. Closes ticket 24849.
o Minor features (embedding):
- Tor can now start with a preauthenticated control connection
created by the process that launched it. This feature is meant for
use by programs that want to launch and manage a Tor process
without allowing other programs to manage it as well. For more
information, see the __OwningControllerFD option documented in
control-spec.txt. Closes ticket 23900.
- On most errors that would cause Tor to exit, it now tries to
return from the tor_main() function, rather than calling the
system exit() function. Most users won't notice a difference here,
but it should be significant for programs that run Tor inside a
separate thread: they should now be able to survive Tor's exit
conditions rather than having Tor shut down the entire process.
Closes ticket 23848.
- Applications that want to embed Tor can now tell Tor not to
register any of its own POSIX signal handlers, using the
__DisableSignalHandlers option. Closes ticket 24588.
o Minor features (fallback directory list):
- Avoid selecting fallbacks that change their IP addresses too
often. Select more fallbacks by ignoring the Guard flag, and
allowing lower cutoffs for the Running and V2Dir flags. Also allow
a lower bandwidth, and a higher number of fallbacks per operator
(5% of the list). Implements ticket 24785.
- Update the fallback whitelist and blacklist based on opt-ins and
relay changes. Closes tickets 22321, 24678, 22527, 24135,
and 24695.
o Minor features (fallback directory mirror configuration):
- Add a nickname to each fallback in a C comment. This makes it
easier for operators to find their relays, and allows stem to use
nicknames to identify fallbacks. Implements ticket 24600.
- Add a type and version header to the fallback directory mirror
file. Also add a delimiter to the end of each fallback entry. This
helps external parsers like stem and Relay Search. Implements
ticket 24725.
- Add an extrainfo cache flag for each fallback in a C comment. This
allows stem to use fallbacks to fetch extra-info documents, rather
than using authorities. Implements ticket 22759.
- Add the generateFallbackDirLine.py script for automatically
generating fallback directory mirror lines from relay fingerprints.
No more typos! Add the lookupFallbackDirContact.py script for
automatically looking up operator contact info from relay
fingerprints. Implements ticket 24706, patch by teor and atagar.
- Reject any fallback directory mirror that serves an expired
consensus. Implements ticket 20942, patch by "minik".
- Remove commas and equals signs from external string inputs to the
fallback list. This avoids format confusion attacks. Implements
ticket 24726.
- Remove the "weight=10" line from fallback directory mirror
entries. Ticket 24681 will maintain the current fallback weights
by changing Tor's default fallback weight to 10. Implements
ticket 24679.
- Stop logging excessive information about fallback netblocks.
Implements ticket 24791.
o Minor features (forward-compatibility):
- If a relay supports some link authentication protocol that we do
not recognize, then include that relay's ed25519 key when telling
other relays to extend to it. Previously, we treated future
versions as if they were too old to support ed25519 link
authentication. Closes ticket 20895.
o Minor features (geoip):
- Update geoip and geoip6 to the May 1 2018 Maxmind GeoLite2 Country
database. Closes ticket 26104.
o Minor features (heartbeat):
- Add onion service information to our heartbeat logs, displaying
stats about the activity of configured onion services. Closes
ticket 24896.
o Minor features (instrumentation, development):
- Add the MainloopStats option to allow developers to get
instrumentation information from the main event loop via the
heartbeat messages. We hope to use this to improve Tor's behavior
when it's trying to sleep. Closes ticket 24605.
o Minor features (IPv6):
- Make IPv6-only clients wait for microdescs for relays, even if we
were previously using descriptors (or were using them as a bridge)
and have a cached descriptor for them. Implements ticket 23827.
- When a consensus has IPv6 ORPorts, make IPv6-only clients use
them, rather than waiting to download microdescriptors. Implements
ticket 23827.
o Minor features (log messages):
- Improve log message in the out-of-memory handler to include
information about memory usage from the different compression
backends. Closes ticket 25372.
- Improve a warning message that happens when we fail to re-parse an
old router because of an expired certificate. Closes ticket 20020.
- Make the log more quantitative when we hit MaxMemInQueues
threshold exposing some values. Closes ticket 24501.
o Minor features (logging):
- Clarify the log messages produced when getrandom() or a related
entropy-generation mechanism gives an error. Closes ticket 25120.
- Added support for the Android logging subsystem. Closes
ticket 24362.
o Minor features (performance):
- Support predictive circuit building for onion service circuits
with multiple layers of guards. Closes ticket 23101.
- Use stdatomic.h where available, rather than mutexes, to implement
atomic_counter_t. Closes ticket 23953.
o Minor features (performance, 32-bit):
- Improve performance on 32-bit systems by avoiding 64-bit division
when calculating the timestamp in milliseconds for channel padding
computations. Implements ticket 24613.
- Improve performance on 32-bit systems by avoiding 64-bit division
when timestamping cells and buffer chunks for OOM calculations.
Implements ticket 24374.
o Minor features (performance, OSX, iOS):
- Use the mach_approximate_time() function (when available) to
implement coarse monotonic time. Having a coarse time function
should avoid a large number of system calls, and improve
performance slightly, especially under load. Closes ticket 24427.
o Minor features (performance, windows):
- Improve performance on Windows Vista and Windows 7 by adjusting
TCP send window size according to the recommendation from
SIO_IDEAL_SEND_BACKLOG_QUERY. Closes ticket 22798. Patch
from Vort.
o Minor features (sandbox):
- Explicitly permit the poll() system call when the Linux
seccomp2-based sandbox is enabled: apparently, some versions of
libc use poll() when calling getpwnam(). Closes ticket 25313.
o Minor features (storage, configuration):
- Users can store cached directory documents somewhere other than
the DataDirectory by using the CacheDirectory option. Similarly,
the storage location for relay's keys can be overridden with the
KeyDirectory option. Closes ticket 22703.
o Minor features (testing):
- Add a "make test-rust" target to run the rust tests only. Closes
ticket 25071.
o Minor features (testing, debugging, embedding):
- For development purposes, Tor now has a mode in which it runs for
a few seconds, then stops, and starts again without exiting the
process. This mode is meant to help us debug various issues with
ticket 23847. To use this feature, compile with
--enable-restart-debugging, and set the TOR_DEBUG_RESTART
environment variable. This is expected to crash a lot, and is
really meant for developers only. It will likely be removed in a
future release. Implements ticket 24583.
o Minor bugfixes (build, rust):
- Fix output of autoconf checks to display success messages for Rust
dependencies and a suitable rustc compiler version. Fixes bug
24612; bugfix on 0.3.1.3-alpha.
- Don't pass the --quiet option to cargo: it seems to suppress some
errors, which is not what we want to do when building. Fixes bug
24518; bugfix on 0.3.1.7.
- Build correctly when building from outside Tor's source tree with
the TOR_RUST_DEPENDENCIES option set. Fixes bug 22768; bugfix
on 0.3.1.7.
o Minor bugfixes (C correctness):
- Fix a very unlikely (impossible, we believe) null pointer
dereference. Fixes bug 25629; bugfix on 0.2.9.15. Found by
Coverity; this is CID 1430932.
o Minor bugfixes (channel, client):
- Better identify client connection when reporting to the geoip
client cache. Fixes bug 24904; bugfix on 0.3.1.7.
o Minor bugfixes (circuit, cannibalization):
- Don't cannibalize preemptively-built circuits if we no longer
recognize their first hop. This situation can happen if our Guard
relay went off the consensus after the circuit was created. Fixes
bug 24469; bugfix on 0.0.6.
o Minor bugfixes (client, backport from 0.3.4.1-alpha):
- Don't consider Tor running as a client if the ControlPort is open,
but no actual client ports are open. Fixes bug 26062; bugfix
on 0.2.9.4-alpha.
o Minor bugfixes (compilation):
- Fix a C99 compliance issue in our configuration script that caused
compilation issues when compiling Tor with certain versions of
xtools. Fixes bug 25474; bugfix on 0.3.2.5-alpha.
o Minor bugfixes (controller):
- Restore the correct operation of the RESOLVE command, which had
been broken since we added the ability to enable/disable DNS on
specific listener ports. Fixes bug 25617; bugfix on 0.2.9.3-alpha.
- Avoid a (nonfatal) assertion failure when extending a one-hop
circuit from the controller to become a multihop circuit. Fixes
bug 24903; bugfix on 0.2.5.2-alpha.
o Minor bugfixes (correctness):
- Remove a nonworking, unnecessary check to see whether a circuit
hop's identity digest was set when the circuit failed. Fixes bug
24927; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (correctness, client, backport from 0.3.4.1-alpha):
- Upon receiving a malformed connected cell, stop processing the
cell immediately. Previously we would mark the connection for
close, but continue processing the cell as if the connection were
open. Fixes bug 26072; bugfix on 0.2.4.7-alpha.
o Minor bugfixes (directory authorities, IPv6):
- When creating a routerstatus (vote) from a routerinfo (descriptor),
set the IPv6 address to the unspecified IPv6 address, and
explicitly initialize the port to zero. Fixes bug 24488; bugfix
on 0.2.4.1-alpha.
o Minor bugfixes (documentation):
- Document that the PerConnBW{Rate,Burst} options will fall back to
their corresponding consensus parameters only if those parameters
are set. Previously we had claimed that these values would always
be set in the consensus. Fixes bug 25296; bugfix on 0.2.2.7-alpha.
o Minor bugfixes (documentation, backport from 0.3.4.1-alpha):
- Stop saying in the manual that clients cache ipv4 dns answers from
exit relays. We haven't used them since 0.2.6.3-alpha, and in
ticket 24050 we stopped even caching them as of 0.3.2.6-alpha, but
we forgot to say so in the man page. Fixes bug 26052; bugfix
on 0.3.2.6-alpha.
o Minor bugfixes (exit relay DNS retries):
- Re-attempt timed-out DNS queries 3 times before failure, since our
timeout is 5 seconds for them, but clients wait 10-15. Also allow
slightly more timeouts per resolver when an exit has multiple
resolvers configured. Fixes bug 21394; bugfix on 0.3.1.9.
o Minor bugfixes (fallback directory mirrors):
- Make updateFallbackDirs.py search harder for python. (Some OSs
don't put it in /usr/bin.) Fixes bug 24708; bugfix
on 0.2.8.1-alpha.
o Minor bugfixes (hibernation, bandwidth accounting, shutdown):
- When hibernating, close connections normally and allow them to
flush. Fixes bug 23571; bugfix on 0.2.4.7-alpha. Also fixes
bug 7267.
- Do not attempt to launch self-reachability tests when entering
hibernation. Fixes a case of bug 12062; bugfix on 0.0.9pre5.
- Resolve several bugs related to descriptor fetching on bridge
clients with bandwidth accounting enabled. (This combination is
not recommended!) Fixes a case of bug 12062; bugfix
on 0.2.0.3-alpha.
- When hibernating, do not attempt to launch DNS checks. Fixes a
case of bug 12062; bugfix on 0.1.2.2-alpha.
- When hibernating, do not try to upload or download descriptors.
Fixes a case of bug 12062; bugfix on 0.0.9pre5.
o Minor bugfixes (IPv6, bridges):
- Tor now always sets IPv6 preferences for bridges. Fixes bug 24573;
bugfix on 0.2.8.2-alpha.
- Tor now sets IPv6 address in the routerstatus as well as in the
router descriptors when updating addresses for a bridge. Closes
ticket 24572; bugfix on 0.2.4.5-alpha. Patch by "ffmancera".
o Minor bugfixes (Linux seccomp2 sandbox):
- When running with the sandbox enabled, reload configuration files
correctly even when %include was used. Previously we would crash.
Fixes bug 22605; bugfix on 0.3.1. Patch from Daniel Pinto.
o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.4.1-alpha):
- Allow the nanosleep() system call, which glibc uses to implement
sleep() and usleep(). Fixes bug 24969; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (logging):
- Fix a (mostly harmless) race condition when invoking
LOG_PROTOCOL_WARN message from a subthread while the torrc options
are changing. Fixes bug 23954; bugfix on 0.1.1.9-alpha.
o Minor bugfixes (man page, SocksPort):
- Remove dead code from the old "SocksSocket" option, and rename
SocksSocketsGroupWritable to UnixSocksGroupWritable. The old
option still works, but is deprecated. Fixes bug 24343; bugfix
on 0.2.6.3.
o Minor bugfixes (memory leaks):
- Avoid possible at-exit memory leaks related to use of Libevent's
event_base_once() function. (This function tends to leak memory if
the event_base is closed before the event fires.) Fixes bug 24584;
bugfix on 0.2.8.1-alpha.
- Fix a harmless memory leak in tor-resolve. Fixes bug 24582; bugfix
on 0.2.1.1-alpha.
o Minor bugfixes (network IPv6 test):
- Tor's test scripts now check if "ping -6 ::1" works when the user
runs "make test-network-all". Fixes bug 24677; bugfix on
0.2.9.3-alpha. Patch by "ffmancera".
o Minor bugfixes (networking):
- string_is_valid_hostname() will not consider IP strings to be
valid hostnames. Fixes bug 25055; bugfix on Tor 0.2.5.5.
o Minor bugfixes (onion service v3):
- Avoid an assertion failure when the next onion service descriptor
rotation type is out of sync with the consensus's valid-after
time. Instead, log a warning message with extra information, so we
can better hunt down the cause of this assertion. Fixes bug 25306;
bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion service, backport from 0.3.4.1-alpha):
- Fix a memory leak when a v3 onion service is configured and gets a
SIGHUP signal. Fixes bug 25901; bugfix on 0.3.2.1-alpha.
- When parsing the descriptor signature, look for the token plus an
extra white-space at the end. This is more correct but also will
allow us to support new fields that might start with "signature".
Fixes bug 26069; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (onion services):
- If we are configured to offer a single onion service, don't log
long-term established one hop rendezvous points in the heartbeat.
Fixes bug 25116; bugfix on 0.2.9.6-rc.
o Minor bugfixes (performance):
- Reduce the number of circuits that will be opened at once during
the circuit build timeout phase. This is done by increasing the
idle timeout to 3 minutes, and lowering the maximum number of
concurrent learning circuits to 10. Fixes bug 24769; bugfix
on 0.3.1.1-alpha.
- Avoid calling protocol_list_supports_protocol() from inside tight
loops when running with cached routerinfo_t objects. Instead,
summarize the relevant protocols as flags in the routerinfo_t, as
we do for routerstatus_t objects. This change simplifies our code
a little, and saves a large amount of short-term memory allocation
operations. Fixes bug 25008; bugfix on 0.2.9.4-alpha.
o Minor bugfixes (performance, timeouts):
- Consider circuits for timeout as soon as they complete a hop. This
is more accurate than applying the timeout in
circuit_expire_building() because that function is only called
once per second, which is now too slow for typical timeouts on the
current network. Fixes bug 23114; bugfix on 0.2.2.2-alpha.
- Use onion service circuits (and other circuits longer than 3 hops)
to calculate a circuit build timeout. Previously, Tor only
calculated its build timeout based on circuits that planned to be
exactly 3 hops long. With this change, we include measurements
from all circuits at the point where they complete their third
hop. Fixes bug 23100; bugfix on 0.2.2.2-alpha.
o Minor bugfixes (relay, crash, backport from 0.3.4.1-alpha):
- Avoid a crash when running with DirPort set but ORPort tuned off.
Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (Rust FFI):
- Fix a minor memory leak which would happen whenever the C code
would call the Rust implementation of
protover_get_supported_protocols(). This was due to the C version
returning a static string, whereas the Rust version newly allocated
a CString to pass accross the FFI boundary. Consequently, the C
code was not expecting to need to free() what it was given. Fixes
bug 25127; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (spelling):
- Use the "misspell" tool to detect and fix typos throughout the
source code. Fixes bug 23650; bugfix on various versions of Tor.
Patch from Deepesh Pathak.
o Minor bugfixes (testing):
- Avoid intermittent test failures due to a test that had relied on
onion service introduction point creation finishing within 5
seconds of real clock time. Fixes bug 25450; bugfix
on 0.3.1.3-alpha.
- Give out Exit flags in bootstrapping networks. Fixes bug 24137;
bugfix on 0.2.3.1-alpha.
o Minor bugfixes (unit test, monotonic time):
- Increase a constant (1msec to 10msec) in the monotonic time test
that makes sure the nsec/usec/msec times read are synchronized.
This change was needed to accommodate slow systems like armel or
when the clock_gettime() is not a VDSO on the running kernel.
Fixes bug 25113; bugfix on 0.2.9.1.
o Code simplification and refactoring:
- Move the list of default directory authorities to its own file.
Closes ticket 24854. Patch by "beastr0".
- Remove the old (deterministic) directory retry logic entirely:
We've used exponential backoff exclusively for some time. Closes
ticket 23814.
- Remove the unused nodelist_recompute_all_hsdir_indices(). Closes
ticket 25108.
- Remove a series of counters used to track circuit extend attempts
and connection status but that in reality we aren't using for
anything other than stats logged by a SIGUSR1 signal. Closes
ticket 25163.
- Remove /usr/athena from search path in configure.ac. Closes
ticket 24363.
- Remove duplicate code in node_has_curve25519_onion_key() and
node_get_curve25519_onion_key(), and add a check for a zero
microdesc curve25519 onion key. Closes ticket 23966, patch by
"aruna1234" and teor.
- Rewrite channel_rsa_id_group_set_badness to reduce temporary
memory allocations with large numbers of OR connections (e.g.
relays). Closes ticket 24119.
- Separate the function that deletes ephemeral files when Tor
stops gracefully.
- Small changes to Tor's buf_t API to make it suitable for use as a
general-purpose safe string constructor. Closes ticket 22342.
- Switch -Wnormalized=id to -Wnormalized=nfkc in configure.ac to
avoid source code identifier confusion. Closes ticket 24467.
- The tor_git_revision[] constant no longer needs to be redeclared
by everything that links against the rest of Tor. Done as part of
ticket 23845, to simplify our external API.
- We make extend_info_from_node() use node_get_curve25519_onion_key()
introduced in ticket 23577 to access the curve25519 public keys
rather than accessing it directly. Closes ticket 23760. Patch by
Neel Chauhan.
- Add a function to log channels' scheduler state changes to aid
debugging efforts. Closes ticket 24531.
o Documentation:
- Improved the documentation of AccountingStart parameter. Closes
ticket 23635.
- Update the documentation for "Log" to include the current list of
logging domains. Closes ticket 25378.
- Add documentation on how to build tor with Rust dependencies
without having to be online. Closes ticket 22907; bugfix
on 0.3.0.3-alpha.
- Clarify the behavior of RelayBandwidth{Rate,Burst} with client
traffic. Closes ticket 24318.
- Document that OutboundBindAddress doesn't apply to DNS requests.
Closes ticket 22145. Patch from Aruna Maurya.
o Code simplification and refactoring (channels):
- Remove the incoming and outgoing channel queues. These were never
used, but still took up a step in our fast path.
- The majority of the channel unit tests have been rewritten and the
code coverage has now been raised to 83.6% for channel.c. Closes
ticket 23709.
- Remove other dead code from the channel subsystem: All together,
this cleanup has removed more than 1500 lines of code overall and
adding very little except for unit test.
o Code simplification and refactoring (circuit rendezvous):
- Split the client-side rendezvous circuit lookup into two
functions: one that returns only established circuits and another
that returns all kinds of circuits. Closes ticket 23459.
o Code simplification and refactoring (controller):
- Make most of the variables in networkstatus_getinfo_by_purpose()
const. Implements ticket 24489.
o Documentation (backport from 0.3.4.1-alpha):
- Correct an IPv6 error in the documentation for ExitPolicy. Closes
ticket 25857. Patch from "CTassisF".
o Documentation (man page):
- The HiddenServiceVersion torrc option accepts only one number:
either version 2 or 3. Closes ticket 25026; bugfix
on 0.3.2.2-alpha.
o Documentation (manpage, denial of service):
- Provide more detail about the denial-of-service options, by
listing each mitigation and explaining how they relate. Closes
ticket 25248.
Changes in version 0.3.2.10 - 2018-03-03
Tor 0.3.2.10 is the second stable release in the 0.3.2 series. It
backports a number of bugfixes, including important fixes for security
issues.
It includes an important security fix for a remote crash attack
against directory authorities, tracked as TROVE-2018-001.
Additionally, it backports a fix for a bug whose severity we have
upgraded: Bug 24700, which was fixed in 0.3.3.2-alpha, can be remotely
triggered in order to crash relays with a use-after-free pattern. As
such, we are now tracking that bug as TROVE-2018-002 and
CVE-2018-0491, and backporting it to earlier releases. This bug
affected versions 0.3.2.1-alpha through 0.3.2.9, as well as version
0.3.3.1-alpha.
This release also backports our new system for improved resistance to
denial-of-service attacks against relays.
This release also fixes several minor bugs and annoyances from
earlier releases.
Relays running 0.3.2.x SHOULD upgrade to one of the versions released
today, for the fix to TROVE-2018-002. Directory authorities should
also upgrade. (Relays on earlier versions might want to update too for
the DoS mitigations.)
Tor 0.3.2.9 is the first stable release in the 0.3.2 series.
The 0.3.2 series includes our long-anticipated new onion service
design, with numerous security features. (For more information, see
our blog post at https://blog.torproject.org/fall-harvest.) We also
have a new circuit scheduler algorithm for improved performance on
relays everywhere (see https://blog.torproject.org/kist-and-tell),
along with many smaller features and bugfixes.
Changes in version 0.3.1.9 - 2017-12-01:
Tor 0.3.1.9 backports important security and stability fixes from the
0.3.2 development series. All Tor users should upgrade to this
release, or to another of the releases coming out today.
o Major bugfixes (security, backport from 0.3.2.6-alpha):
- Fix a denial of service bug where an attacker could use a
malformed directory object to cause a Tor instance to pause while
OpenSSL would try to read a passphrase from the terminal. (Tor
instances run without a terminal, which is the case for most Tor
packages, are not impacted.) Fixes bug 24246; bugfix on every
version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
Found by OSS-Fuzz as testcase 6360145429790720.
- Fix a denial of service issue where an attacker could crash a
directory authority using a malformed router descriptor. Fixes bug
24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
and CVE-2017-8820.
- When checking for replays in the INTRODUCE1 cell data for a
(legacy) onion service, correctly detect replays in the RSA-
encrypted part of the cell. We were previously checking for
replays on the entire cell, but those can be circumvented due to
the malleability of Tor's legacy hybrid encryption. This fix helps
prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
and CVE-2017-8819.
o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
- Fix a use-after-free error that could crash v2 Tor onion services
when they failed to open circuits while expiring introduction
points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
also tracked as TROVE-2017-013 and CVE-2017-8823.
o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
- When running as a relay, make sure that we never build a path
through ourselves, even in the case where we have somehow lost the
version of our descriptor appearing in the consensus. Fixes part
of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
as TROVE-2017-012 and CVE-2017-8822.
- When running as a relay, make sure that we never choose ourselves
as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
issue is also tracked as TROVE-2017-012 and CVE-2017-8822.
o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
- Fix an issue causing DNS to fail on high-bandwidth exit nodes,
making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
identifying and finding a workaround to this bug and to Moritz,
Arthur Edelstein, and Roger for helping to track it down and
analyze it.
o Minor features (bridge):
- Bridges now include notice in their descriptors that they are
bridges, and notice of their distribution status, based on their
publication settings. Implements ticket 18329. For more fine-
grained control of how a bridge is distributed, upgrade to 0.3.2.x
or later.
o Minor features (directory authority, backport from 0.3.2.6-alpha):
- Add an IPv6 address for the "bastet" directory authority. Closes
ticket 24394.
o Minor features (geoip):
- Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
Country database.
o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
- Avoid unnecessary calls to directory_fetches_from_authorities() on
relays, to prevent spurious address resolutions and descriptor
rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
bugfix on in 0.2.8.1-alpha.
o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
- Fix unused variable warnings in donna's Curve25519 SSE2 code.
Fixes bug 22895; bugfix on 0.2.7.2-alpha.
o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
- When a circuit is marked for close, do not attempt to package any
cells for channels on that circuit. Previously, we would detect
this condition lower in the call stack, when we noticed that the
circuit had no attached channel, and log an annoying message.
Fixes bug 8185; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (onion service, backport from 0.3.2.5-alpha):
- Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
so it matches dir-spec.txt. Fixes bug 24262; bugfix
on 0.3.1.1-alpha.
o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
- Avoid a crash when transitioning from client mode to bridge mode.
Previously, we would launch the worker threads whenever our
"public server" mode changed, but not when our "server" mode
changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.
Changes in version 0.3.1.8:
Tor 0.3.1.7 is the second stable release in the 0.3.1 series.
It includes several bugfixes, including a bugfix for a crash issue
that had affected relays under memory pressure. It also adds
a new directory authority, Bastet.
o Directory authority changes:
- Add "Bastet" as a ninth directory authority to the default list.
- The directory authority "Longclaw" has changed its IP address.
o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
- Fix a timing-based assertion failure that could occur when the
circuit out-of-memory handler freed a connection's output buffer.
o Minor features (directory authorities, backport from 0.3.2.2-alpha):
- Remove longclaw's IPv6 address, as it will soon change. Authority
IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
3/8 directory authorities with IPv6 addresses, but there are also
52 fallback directory mirrors with IPv6 addresses.
o Minor features (geoip):
- Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation, backport from 0.3.2.2-alpha):
- Fix a compilation warning when building with zstd support on
32-bit platforms.
o Minor bugfixes (compression, backport from 0.3.2.2-alpha):
- Handle a pathological case when decompressing Zstandard data when
the output buffer size is zero.
o Minor bugfixes (directory authority, backport from 0.3.2.1-alpha):
- Remove the length limit on HTTP status lines that authorities can
send in their replies.
o Minor bugfixes (hidden service, relay, backport from 0.3.2.2-alpha):
- Avoid a possible double close of a circuit by the intro point on
error of sending the INTRO_ESTABLISHED cell.
o Minor bugfixes (memory safety, backport from 0.3.2.3-alpha):
- Clear the address when node_get_prim_orport() returns early.
o Minor bugfixes (unit tests, backport from 0.3.2.2-alpha):
- Fix additional channelpadding unit test failures by using mocked
time instead of actual time for all tests.
Changes in version 0.3.0.11 - 2017-09-18
Tor 0.3.0.11 backports a collection of bugfixes from Tor the 0.3.1
series.
Most significantly, it includes a fix for TROVE-2017-008, a
security bug that affects hidden services running with the
SafeLogging option disabled. For more information, see
https://trac.torproject.org/projects/tor/ticket/23490
o Minor features (code style, backport from 0.3.1.7):
- Add "Falls through" comments to our codebase, in order to silence
GCC 7's -Wimplicit-fallthrough warnings. Patch from Andreas
Stieger. Closes ticket 22446.
o Minor features:
- Update geoip and geoip6 to the September 6 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (compilation, backport from 0.3.1.7):
- Avoid compiler warnings in the unit tests for calling tor_sscanf()
with wide string outputs. Fixes bug 15582; bugfix on 0.2.6.2-alpha.
o Minor bugfixes (controller, backport from 0.3.1.7):
- Do not crash when receiving a HSPOST command with an empty body.
Fixes part of bug 22644; bugfix on 0.2.7.1-alpha.
- Do not crash when receiving a POSTDESCRIPTOR command with an empty
body. Fixes part of bug 22644; bugfix on 0.2.0.1-alpha.
o Minor bugfixes (file limits, osx, backport from 0.3.1.5-alpha):
- When setting the maximum number of connections allowed by the OS,
always allow some extra file descriptors for other files. Fixes
bug 22797; bugfix on 0.2.0.10-alpha.
o Minor bugfixes (logging, relay, backport from 0.3.1.6-rc):
- Remove a forgotten debugging message when an introduction point
successfully establishes a hidden service prop224 circuit with
a client.
- Change three other log_warn() for an introduction point to
protocol warnings, because they can be failure from the network
and are not relevant to the operator. Fixes bug 23078; bugfix on
0.3.0.1-alpha and 0.3.0.2-alpha.
Changes in version 0.3.0.10 - 2017-08-02
Tor 0.3.0.10 backports a collection of small-to-medium bugfixes
from the current Tor alpha series. OpenBSD users and TPROXY users
should upgrade; others are probably okay sticking with 0.3.0.9.
o Major features (build system, continuous integration, backport from 0.3.1.5-alpha):
- Tor's repository now includes a Travis Continuous Integration (CI)
configuration file (.travis.yml). This is meant to help new
developers and contributors who fork Tor to a Github repository be
better able to test their changes, and understand what we expect
to pass. To use this new build feature, you must fork Tor to your
Github account, then go into the "Integrations" menu in the
repository settings for your fork and enable Travis, then push
your changes. Closes ticket 22636.
o Major bugfixes (linux TPROXY support, backport from 0.3.1.1-alpha):
- Fix a typo that had prevented TPROXY-based transparent proxying
from working under Linux. Fixes bug 18100; bugfix on 0.2.6.3-alpha.
Patch from "d4fq0fQAgoJ".
o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
- Avoid an assertion failure bug affecting our implementation of
inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
handling of "0xfoo" differs from what we had expected. Fixes bug
22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.
o Minor features (backport from 0.3.1.5-alpha):
- Update geoip and geoip6 to the July 4 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (bandwidth accounting, backport from 0.3.1.2-alpha):
- Roll over monthly accounting at the configured hour and minute,
rather than always at 00:00. Fixes bug 22245; bugfix on 0.0.9rc1.
Found by Andrey Karpov with PVS-Studio.
o Minor bugfixes (compilation warnings, backport from 0.3.1.5-alpha):
- Suppress -Wdouble-promotion warnings with clang 4.0. Fixes bug 22915;
bugfix on 0.2.8.1-alpha.
- Fix warnings when building with libscrypt and openssl scrypt
support on Clang. Fixes bug 22916; bugfix on 0.2.7.2-alpha.
- When building with certain versions of the mingw C header files,
avoid float-conversion warnings when calling the C functions
isfinite(), isnan(), and signbit(). Fixes bug 22801; bugfix
on 0.2.8.1-alpha.
o Minor bugfixes (compilation, mingw, backport from 0.3.1.1-alpha):
- Backport a fix for an "unused variable" warning that appeared
in some versions of mingw. Fixes bug 22838; bugfix on
0.2.8.1-alpha.
o Minor bugfixes (coverity build support, backport from 0.3.1.5-alpha):
- Avoid Coverity build warnings related to our BUG() macro. By
default, Coverity treats BUG() as the Linux kernel does: an
instant abort(). We need to override that so our BUG() macro
doesn't prevent Coverity from analyzing functions that use it.
Fixes bug 23030; bugfix on 0.2.9.1-alpha.
o Minor bugfixes (directory authority, backport from 0.3.1.1-alpha):
- When rejecting a router descriptor for running an obsolete version
of Tor without ntor support, warn about the obsolete tor version,
not the missing ntor key. Fixes bug 20270; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.5-alpha):
- Avoid a sandbox failure when trying to re-bind to a socket and
mark it as IPv6-only. Fixes bug 20247; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (unit tests, backport from 0.3.1.5-alpha)
- Fix a memory leak in the link-handshake/certs_ok_ed25519 test.
Fixes bug 22803; bugfix on 0.3.0.1-alpha.
Changes in version 0.3.0.9 - 2017-06-29
Tor 0.3.0.9 fixes a path selection bug that would allow a client
to use a guard that was in the same network family as a chosen exit
relay. This is a security regression; all clients running earlier
versions of 0.3.0.x or 0.3.1.x should upgrade to 0.3.0.9 or
0.3.1.4-alpha.
This release also backports several other bugfixes from the 0.3.1.x
series.
o Major bugfixes (path selection, security, backport from 0.3.1.4-alpha):
- When choosing which guard to use for a circuit, avoid the exit's
family along with the exit itself. Previously, the new guard
selection logic avoided the exit, but did not consider its family.
Fixes bug 22753; bugfix on 0.3.0.1-alpha. Tracked as TROVE-2016-
006 and CVE-2017-0377.
o Major bugfixes (entry guards, backport from 0.3.1.1-alpha):
- Don't block bootstrapping when a primary bridge is offline and we
can't get its descriptor. Fixes bug 22325; fixes one case of bug
21969; bugfix on 0.3.0.3-alpha.
o Major bugfixes (entry guards, backport from 0.3.1.4-alpha):
- When starting with an old consensus, do not add new entry guards
unless the consensus is "reasonably live" (under 1 day old). Fixes
one root cause of bug 22400; bugfix on 0.3.0.1-alpha.
o Minor features (geoip):
- Update geoip and geoip6 to the June 8 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (voting consistency, backport from 0.3.1.1-alpha):
- Reject version numbers with non-numeric prefixes (such as +, -, or
whitespace). Disallowing whitespace prevents differential version
parsing between POSIX-based and Windows platforms. Fixes bug 21507
and part of 21508; bugfix on 0.0.8pre1.
o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.1.4-alpha):
- Permit the fchmod system call, to avoid crashing on startup when
starting with the seccomp2 sandbox and an unexpected set of
permissions on the data directory or its contents. Fixes bug
22516; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (defensive programming, backport from 0.3.1.4-alpha):
- Fix a memset() off the end of an array when packing cells. This
bug should be harmless in practice, since the corrupted bytes are
still in the same structure, and are always padding bytes,
ignored, or immediately overwritten, depending on compiler
behavior. Nevertheless, because the memset()'s purpose is to make
sure that any other cell-handling bugs can't expose bytes to the
network, we need to fix it. Fixes bug 22737; bugfix on
0.2.4.11-alpha. Fixes CID 1401591.
wiz
ryoon
leot
nia
rillig
jperkin
ng0
alnsn
gdt
adam