Changes in version 0.4.8.9 - 2023-11-09
This is another security release fixing a high severity bug affecting onion
services which is tracked by TROVE-2023-006. We are also releasing a guard
major bugfix as well. If you are an onion service operator, we strongly
recommend to update as soon as possible.
o Major bugfixes (guard usage):
- When Tor excluded a guard due to temporary circuit restrictions,
it considered *additional* primary guards for potential usage by
that circuit. This could result in more than the specified number
of guards (currently 2) being used, long-term, by the tor client.
This could happen when a Guard was also selected as an Exit node,
but it was exacerbated by the Conflux guard restrictions. Both
instances have been fixed. Fixes bug 40876; bugfix
on 0.3.0.1-alpha.
o Major bugfixes (onion service, TROVE-2023-006):
- Fix a possible hard assert on a NULL pointer when recording a
failed rendezvous circuit on the service side for the MetricsPort.
Fixes bug 40883; bugfix on 0.4.8.1-alpha
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 09, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/11/09.
Changes in version 0.4.8.8 - 2023-11-03
We are releasing today a fix for a high security issue, TROVE-2023-004, that
is affecting relays. Also a few minor bugfixes detailed below. Please upgrade
as soon as posssible.
o Major bugfixes (TROVE-2023-004, relay):
- Mitigate an issue when Tor compiled with OpenSSL can crash during
handshake with a remote relay. Fixes bug 40874; bugfix
on 0.2.7.2-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 03, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/11/03.
o Minor bugfixes (directory authority):
- Look at the network parameter "maxunmeasuredbw" with the correct
spelling. Fixes bug 40869; bugfix on 0.4.6.1-alpha.
o Minor bugfixes (vanguards addon support):
- Count the conflux linked cell as valid when it is successfully
processed. This will quiet a spurious warn in the vanguards addon.
Fixes bug 40878; bugfix on 0.4.8.1-alpha.
Changes in version 0.4.8.7 - 2023-09-25
This version fixes a single major bug in the Conflux subsystem on the client
side. See below for more information. The upcoming Tor Browser 13 stable will
pick this up.
o Major bugfixes (conflux):
- Fix an issue that prevented us from pre-building more conflux sets
after existing sets had been used. Fixes bug 40862; bugfix
on 0.4.8.1-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 25, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/09/25.
Changes in version 0.4.8.6 - 2023-09-18
This version contains an important fix for onion service regarding congestion
control and its reliability. Apart from that, uneeded BUG warnings have been
suppressed especially about a compression bomb seen on relays. We strongly
recommend, in particular onion service operators, to upgrade as soon as
possible to this latest stable.
o Major bugfixes (onion service):
- Fix a reliability issue where services were expiring their
introduction points every consensus update. This caused
connectivity issues for clients caching the old descriptor and
intro points. Bug reported and fixed by gitlab user
@hyunsoo.kim676. Fixes bug 40858; bugfix on 0.4.7.5-alpha.
o Minor features (debugging, compression):
- Log the input and output buffer sizes when we detect a potential
compression bomb. Diagnostic for ticket 40739.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 18, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/09/18.
o Minor bugfix (defensive programming):
- Disable multiple BUG warnings of a missing relay identity key when
starting an instance of Tor compiled without relay support. Fixes
bug 40848; bugfix on 0.4.3.1-alpha.
o Minor bugfixes (bridge authority):
- When reporting a pseudo-networkstatus as a bridge authority, or
answering "ns/purpose/*" controller requests, include accurate
published-on dates from our list of router descriptors. Fixes bug
40855; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (compression, zstd):
- Use less frightening language and lower the log-level of our run-
time ABI compatibility check message in our Zstd compression
subsystem. Fixes bug 40815; bugfix on 0.4.3.1-alpha.
Changes in version 0.4.8.5 - 2023-08-30
Quick second release after the first stable few days ago fixing minor
annoying bugfixes creating log BUG stacktrace. We also fix BSD compilation
failures and PoW unit test.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 30, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/30.
o Minor bugfix (NetBSD, compilation):
- Fix compilation issue on NetBSD by avoiding an unnecessary
dependency on "huge" page mappings in Equi-X. Fixes bug 40843;
bugfix on 0.4.8.1-alpha.
o Minor bugfix (NetBSD, testing):
- Fix test failures in "crypto/hashx" and "slow/crypto/equix" on
x86_64 and aarch64 NetBSD hosts, by adding support for
PROT_MPROTECT() flags. Fixes bug 40844; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (conflux):
- Demote a relay-side warn about too many legs to ProtocolWarn, as
there are conditions that it can briefly happen during set
construction. Also add additional set logging details for all
error cases. Fixes bug 40841; bugfix on 0.4.8.1-alpha.
- Prevent non-fatal assert stacktrace caused by using conflux sets
during their teardown process. Fixes bug 40842; bugfix
on 0.4.8.1-alpha.
Changes in version 0.4.8.4 - 2023-08-23
Finally, this is the very first stable release of the 0.4.8.x series making
Proof-of-Work (prop#327) and Conflux (prop#329) available to the entire
network. Some major bugfixes since the release candidate detailed below.
o Major feature (denial of service):
- Extend DoS protection to partially opened channels and known
relays. Because re-entry is not allowed anymore, we can apply DoS
protections onto known IP namely relays. Fixes bug 40821; bugfix
on 0.3.5.1-alpha.
o Major bugfixes (conflux):
- Fix a relay-side crash caused by side effects of the fix for bug
40827. Reverts part of that fix that caused the crash and adds
additional log messages to help find the root cause. Fixes bug
40834; bugfix on 0.4.8.3-rc.
o Major bugfixes (proof of work, onion service, hashx):
- Fix a very rare buffer overflow in hashx, specific to the dynamic
compiler on aarch64 platforms. Fixes bug 40833; bugfix
on 0.4.8.2-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 23, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/23.
o Minor features (testing):
- All Rust code is now linted (cargo clippy) as part of GitLab CI, and
existing warnings have been fixed. - Any unit tests written in Rust now
run as part of GitLab CI.
o Minor bugfix (FreeBSD, compilation):
- Fix compilation issue on FreeBSD by properly importing
sys/param.h. Fixes bug 40825; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (compression):
- Right after compression/decompression work is done, check for
errors. Before this, we would consider compression bomb before
that and then looking for errors leading to false positive on that
log warning. Fixes bug 40739; bugfix on 0.3.5.1-alpha. Patch
by "cypherpunks".
Changes in version 0.4.8.3-rc - 2023-08-04
This is the first release candidate (and likely the only) of the 0.4.8.x
series. We fixed a major conflux bugfix which was a fatal asserts on the
relay Exit side. See below for more details. Couple minor bugfixes. Until
stable, name of the game here is stabilization.
o Major bugfixes (conflux):
- Fix a relay-side assert crash caused by attempts to use a conflux
circuit between circuit close and free, such that no legs were on
the conflux set. Fixed by nulling out the stream's circuit back-
pointer when the last leg is removed. Additional checks and log
messages have been added to detect other cases. Fixes bug 40827;
bugfix on 0.4.8.1-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 04, 2023.
- Regenerate fallback directories generated on July 26, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/07/26.
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/04.
o Minor bugfixes (compilation):
- Fix all -Werror=enum-int-mismatch warnings. No behavior change.
Fixes bug 40824; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (protocol warn):
- Wrap a handful of cases where ProtocolWarning logs could emit IP
addresses. Fixes bug 40828; bugfix on 0.3.5.1-alpha.
Changes in version 0.4.8.2-alpha - 2023-07-12
This is our second alpha containing some minor bugfixes and one major bugfix
about L2 vanguard rotation. We believe this will be the last alpha before the
rc in a couple of weeks.
o Major bugfixes (vanguards):
- Rotate to a new L2 vanguard whenever an existing one loses the
Stable or Fast flag. Previously, we would leave these relays in
the L2 vanguard list but never use them, and if all of our
vanguards end up like this we wouldn't have any middle nodes left
to choose from so we would fail to make onion-related circuits.
Fixes bug 40805; bugfix on 0.4.7.1-alpha.
o Minor feature (hs):
- Fix compiler warnings in equix and hashx when building with clang.
Closes ticket 40800.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on July 12, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/07/12.
o Minor bugfix (congestion control):
- Reduce the accepted range of a circuit's negotiated 'cc_sendme_inc'
to be +/- 1 from the consensus parameter value. Fixes bug 40569;
bugfix on 0.4.7.4-alpha.
- Remove unused congestion control algorithms and BDP calculation
code, now that we have settled on and fully tuned Vegas. Fixes bug
40566; bugfix on 0.4.7.4-alpha.
- Update default congestion control parameters to match consensus.
Fixes bug 40709; bugfix on 0.4.7.4-alpha.
o Minor bugfixes (compilation):
- Fix "initializer is not a constant" compilation error that
manifests itself on gcc versions < 8.1 and MSVC. Fixes bug 40773;
bugfix on 0.4.8.1-alpha
o Minor bugfixes (conflux):
- Count leg launch attempts prior to attempting to launch them. This
avoids inifinite launch attempts due to internal circuit building
failures. Additionally, double-check that we have enough exits in
our consensus overall, before attempting to launch conflux sets.
Fixes bug 40811; bugfix on 0.4.8.1-alpha.
- Fix a case where we were resuming reading on edge connections that
were already marked for close. Fixes bug 40801; bugfix
on 0.4.8.1-alpha.
- Fix stream attachment order when creating conflux circuits, so
that stream attachment happens after finishing the full link
handshake, rather than upon set finalization. Fixes bug 40801;
bugfix on 0.4.8.1-alpha.
- Handle legs being closed or destroyed before computing an RTT
(resulting in warns about too many legs). Fixes bug 40810; bugfix
on 0.4.8.1-alpha.
- Remove a "BUG" warning from conflux_pick_first_leg that can be
triggered by broken or malicious clients. Fixes bug 40801; bugfix
on 0.4.8.1-alpha.
o Minor bugfixes (KIST):
- Prevent KISTSchedRunInterval from having values of 0 or 1, neither
of which work properly. Additionally, make a separate
KISTSchedRunIntervalClient parameter, so that the client and relay
KIST values can be set separately. Set the default of both to 2ms.
Fixes bug 40808; bugfix on 0.3.2.1-alpha.
Changes in version 0.4.8.1-alpha - 2023-06-01
This is the first alpha of the 0.4.8.x series. Two major features in this
version which are Conflux and onion service Proof-of-Work (PoW). There are
also many small features in particular, worth noting, the MetricsPort is now
exporting more relay and onion service metrics. Finally, there are
also numerous minor bugfixes included in this version.
o Major features (onion service, proof-of-work):
- Implement proposal 327 (Proof-Of-Work). This is aimed at thwarting
introduction flooding DoS attacks by introducing a dynamic Proof-Of-Work
protocol that occurs over introduction circuits. This introduces several
torrc options prefixed with "HiddenServicePoW" in order to control this
feature. By default, this is disabled. Closes ticket 40634.
o Major features (conflux):
- Implement Proposal 329 (conflux traffic splitting). Conflux splits
traffic across two circuits to Exits that support the protocol.
These circuits are pre-built only, which means that if the pre-
built conflux pool runs out, regular circuits will then be used.
When using conflux circuit pairs, clients choose the lower-latency
circuit to send data to the Exit. When the Exit sends data to the
client, it maximizes throughput, by fully utilizing both circuits
in a multiplexed fashion. Alternatively, clients can request that
the Exit optimize for latency when transmitting to them, by
setting the torrc option 'ConfluxClientUX latency'. Onion services
are not currently supported, but will be in arti. Many other
future optimizations will also be possible using this protocol.
Closes ticket 40593.
o Major features (dirauth):
- Directory authorities and relays now interact properly with
directory authorities if they change addresses. In the past, they
would continue to upload votes, signatures, descriptors, etc to
the hard-coded address in the configuration. Now, if the directory
authority is listed in the consensus at a different address, they
will direct queries to this new address. Implements ticket 40705.
o Minor feature (CI):
- Update CI to use Debian Bullseye for runners.
o Minor feature (client, IPv6):
- Make client able to pick IPv6 relays by default now meaning
ClientUseIPv6 option now defaults to 1. Closes ticket 40785.
o Minor feature (compilation):
- Fix returning something other than "Unknown N/A" as libc version
if we build tor on an O.S. like DragonFlyBSD, FreeBSD, OpenBSD
or NetBSD.
o Minor feature (cpuworker):
- Always use the number of threads for our CPU worker pool to the
number of core available but cap it to a minimum of 2 in case of a
single core. Fixes bug 40713; bugfix on 0.3.5.1-alpha.
o Minor feature (lzma):
- Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
o Minor feature (MetricsPort, relay):
- Expose time until online keys expires on the MetricsPort. Closes
ticket 40546.
o Minor feature (MetricsPort, relay, onion service):
- Add metrics for the relay side onion service interactions counting
seen cells. Closes ticket 40797. Patch by "friendly73".
o Minor features (directory authorities):
- Directory authorities now include their AuthDirMaxServersPerAddr
config option in the consensus parameter section of their vote.
Now external tools can better predict how they will behave.
Implements ticket 40753.
o Minor features (directory authority):
- Add a new consensus method in which the "published" times on
router entries in a microdesc consensus are all set to a
meaningless fixed date. Doing this will make the download size for
compressed microdesc consensus diffs much smaller. Part of ticket
40130; implements proposal 275.
o Minor features (network documents):
- Clients and relays no longer track the "published on" time
declared for relays in any consensus documents. When reporting
this time on the control port, they instead report a fixed date in
the future. Part of ticket 40130.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 01, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/06/01.
o Minor features (hs, metrics):
- Add tor_hs_rend_circ_build_time and tor_hs_intro_circ_build_time
histograms to measure hidden service rend/intro circuit build time
durations. Part of ticket 40757.
o Minor features (metrics):
- Add a `reason` label to the HS error metrics. Closes ticket 40758.
- Add service side metrics for REND and introduction request
failures. Closes ticket 40755.
- Add support for histograms. Part of ticket 40757.
o Minor features (pluggable transports):
- Automatically restart managed Pluggable Transport processes when
their process terminate. Resolves ticket 33669.
o Minor features (portability, compilation):
- Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5
compatibility. Fixes issue 40630; patch by Alex Xu (Hello71).
o Minor features (relay):
- Do not warn about configuration options that may expose a non-
anonymous onion service. Closes ticket 40691.
o Minor features (relays):
- Trigger OOS when bind fails with EADDRINUSE. This improves
fairness when a large number of exit connections are requested,
and properly signals exhaustion to the network. Fixes issue 40597;
patch by Alex Xu (Hello71).
o Minor features (tests):
- Avoid needless key reinitialization with OpenSSL during unit
tests, saving significant time. Patch from Alex Xu.
o Minor bugfix (relay, logging):
- The wrong max queue cell size was used in a protocol warning
logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
o Minor bugfixes (logging):
- Avoid ""double-quoting"" strings in several log messages. Fixes
bug 22723; bugfix on 0.1.2.2-alpha.
- Correct a log message when cleaning microdescriptors. Fixes bug
40619; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (metrics):
- Decrement hs_intro_established_count on introduction circuit
close. Fixes bug 40751; bugfix on 0.4.7.12.
o Minor bugfixes (pluggable transports, windows):
- Remove a warning `BUG()` that could occur when attempting to
execute a non-existing pluggable transport on Windows. Fixes bug
40596; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (relay):
- Remove a "BUG" warning for an acceptable race between a circuit
close and considering that circuit active. Fixes bug 40647; bugfix
on 0.3.5.1-alpha.
- Remove a harmless "Bug" log message that can happen in
relay_addr_learn_from_dirauth() on relays during startup. Finishes
fixing bug 40231. Fixes bug 40523; bugfix on 0.4.5.4-rc.
o Minor bugfixes (sandbox):
- Allow membarrier for the sandbox. And allow rt_sigprocmask when
compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
- Fix sandbox support on AArch64 systems. More "*at" variants of
syscalls are now supported. Signed 32 bit syscall parameters are
checked more precisely, which should lead to lower likelihood of
breakages with future compiler and libc releases. Fixes bug 40599;
bugfix on 0.4.4.3-alpha.
o Minor bugfixes (state file):
- Avoid a segfault if the state file doesn't contains TotalBuildTimes
along CircuitBuildAbandonedCount being above 0. Fixes bug 40437;
bugfix on 0.3.5.1-alpha.
o Removed features:
- Remove the RendPostPeriod option. This was primarily used in
Version 2 Onion Services and after its deprecation isn't needed
anymore. Closes ticket 40431. Patch by Neel Chauhan.
Almost all uses, if not all of them, are wrong, according to the
semantics of BUILD_DEPENDS (packages built for target available for
use _by_ tools at build-time) and TOOL_DEPEPNDS (packages built for
host available for use _as_ tools at build-time).
No change to BUILD_DEPENDS as used correctly inside buildlink3.
As proposed on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2023/06/03/msg027632.html
Changes in version 0.4.7.8 - 2022-06-17
This version fixes several bugfixes including a High severity security issue
categorized as a Denial of Service. Everyone running an earlier version
should upgrade to this version.
o Major bugfixes (congestion control, TROVE-2022-001):
- Fix a scenario where RTT estimation can become wedged, seriously
degrading congestion control performance on all circuits. This
impacts clients, onion services, and relays, and can be triggered
remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes
bug 40626; bugfix on 0.4.7.5-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 17, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/06/17.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (logging):
- Demote a harmless warn log message about finding a second hop to
from warn level to info level, if we do not have enough
descriptors yet. Leave it at notice level for other cases. Fixes
bug 40603; bugfix on 0.4.7.1-alpha.
- Demote a notice log message about "Unexpected path length" to info
level. These cases seem to happen arbitrarily, and we likely will
never find all of them before the switch to arti. Fixes bug 40612;
bugfix on 0.4.7.5-alpha.
o Minor bugfixes (relay, logging):
- Demote a harmless XOFF log message to from notice level to info
level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.
Changes in version 0.4.7.7 - 2022-04-27
This is the first stable version of the 0.4.7.x series. This series includes
several major bugfixes from previous series and one massive new feature:
congestion control.
Congestion control should improve traffic speed and stability on the network
once a majority of Exit upgrade. You can find more details about it in
proposal 324 in the torspec.git repository.
For a complete list of changes since 0.4.6.10, see the ReleaseNotes file.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on April 27, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/04/27.
o Minor bugfixes (congestion control, client side logs):
- Demote a warn about 1-hop circuits using congestion control down to
info; Demote the 4-hop case to notice. Fixes bug 40598; bugfix on
0.4.5-alpha.
Changes in version 0.4.7.6-rc - 2022-04-07
This is the first release candidate of the 0.4.7.x series. Only one minor
bugfix went in since the last alpha couple weeks ago. We strongly recommend
anyone running an alpha version to upgrade to this version. Unless major
problems are found, the next release will finally be the stable!
o Minor features (fallbackdir):
- Regenerate fallback directories generated on April 07, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/04/07.
o Minor features (linux seccomp2 sandbox):
- Permit the clone3 syscall, which is apparently used in glibc-2.34
and later. Closes ticket 40590.
Changes in version 0.4.7.5-alpha - 2022-03-25
This version contains, of what we hope, the final work for congestion
control paving the way to the stable version. We expect this to be the last
alpha version of the 0.4.7.x series. Mostly minor bugfixes except one major
bugfix that changes how Tor behaves with DNS timeouts for Exit relays. As
always with an alpha, we recommend all relay operators to upgrade from
previous alpha to this one.
o Major bugfixes (onion service, congestion control):
- Fix the onion service upload case where the congestion control
parameters were not added to the right object. Fixes bug 40586;
bugfix on 0.4.7.4-alpha.
o Major bugfixes (relay, DNS):
- Lower the DNS timeout from 3 attempts at 5 seconds each to 2
attempts at 1 seconds each. Two new consensus parameters were
added to control these values. This change should improve observed
performance under DNS load; see ticket for more details. Fixes bug
40312; bugfix on 0.3.5.1-alpha.
o Minor features (control port):
- Provide congestion control fields on CIRC_BW and STREAM control
port events, for use by sbws. Closes ticket 40568.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on March 25, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/03/25.
o Minor bugfixes (DNSPort, dormant mode):
- A request on the DNSPort now wakes up a dormant tor. Fixes bug
40577; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (metrics port, onion service):
- Fix the metrics with a port label to be unique. Before this, all
ports of an onion service would be on the same line which violates
the Prometheus rules of unique labels. Fixes bug 40581; bugfix
on 0.4.5.1-alpha.
o Minor bugfixes (onion service congestion control):
- Avoid a non-fatal assertion failure in the case where we fail to
set up congestion control on a rendezvous circuit. This could
happen naturally if a cache entry expired at an unexpected time.
Fixes bug 40576; bugfix on 0.4.7.4-alpha.
o Minor bugfixes (onion service, client):
- Fix a rare but fatal assertion failure due to a guard subsystem
recursion triggered by the onion service client. Fixes bug 40579;
bugfix on 0.3.5.1-alpha.
o Minor bugfixes (relay, overload):
- Decide whether to signal overload based on a fraction and
assessment period of ntor handshake drops. Previously, a single
drop could trigger an overload state, which caused many false
positives. Fixes bug 40560; bugfix on 0.4.7.1-alpha.
Changes in version 0.4.7.4-alpha - 2022-02-25
This version contains the negotiation congestion control work which is the
final part needed before going stable. There are also various bugfixes
including two major ones detailed below. Last, the Exit notice page layout
has been modernized but the text is unchanged. We recommend that all relay
operators running any previous alpha upgrade to this one.
o Major features (relay, client, onion services):
- Implement RTT-based congestion control for exits and onion
services, from Proposal 324. Disabled by default. Enabled by the
'cc_alg' consensus parameter. Closes ticket 40444.
o Major bugfixes (client):
- Stop caching TCP connect failures to relays/bridges when we
initiated the connection as a client. Now we only cache connect
failures as a relay or bridge when we initiated them because of an
EXTEND request. Declining to re-attempt the client-based
connections could cause problems when we lose connectivity and try
to reconnect. Fixes bug 40499; bugfix on 0.3.3.4-alpha.
o Major bugfixes (relay, overload):
- Do not trigger a general overload on DNS timeout. Even after
fixing 40527, some code remained that triggered the overload.
Fixes bug 40564; bugfix on 0.4.7.1-alpha.
o Minor feature (authority, relay):
- Reject End-Of-Life relays running version 0.3.5.x. Closes
ticket 40559.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on February 25, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/02/25.
o Minor bugfix (logging):
- Update a log notice dead URL to a working one. Fixes bug 40544;
bugfix on 0.3.5.1-alpha.
o Minor bugfix (relay):
- Remove the HSDir and HSIntro onion service v2 protocol versions so
relay stop advertising that they support them. Fixes bug 40509;
bugfix on 0.3.5.17.
o Minor bugfixes (cell scheduling):
- Avoid writing empty payload with NSS write.
- Don't attempt to write 0 bytes after a cell scheduling loop. No
empty payload was put on the wire. Fixes bug 40548; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (compilation):
- Resume being able to build on old / esoteric gcc versions. Fixes
bug 40550; bugfix on 0.4.7.1-alpha.
o Minor bugfixes (compiler warnings):
- Fix couple compiler warnings on latest Ubuntu Jammy. Fixes bug
40516; bugfix on 0.3.5.1-alpha.
o Documentation:
- Provide an improved version of the tor-exit-notice.html file for
exit relays to use as a landing page. The text is unchanged, but
the page design and layout are significantly modernized, and
several links are fixed. Patch from "n_user"; closes ticket 40529.
Changes in version 0.4.6.10 - 2022-02-04
This version contains minor bugfixes but one in particular is that relays
don't advertise onion service v2 support at the protocol version level.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on February 04, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/02/04.
o Minor bugfix (logging):
- Update a log notice dead URL to a working one. Fixes bug 40544;
bugfix on 0.3.5.1-alpha.
o Minor bugfix (relay):
- Remove the HSDir and HSIntro onion service v2 protocol versions so
relay stop advertising that they support them. Fixes bug 40509;
bugfix on 0.3.5.17.
o Minor bugfixes (MetricsPort, Prometheus):
- Add double quotes to the label values of the onion service
metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha.
Changes in version 0.4.6.9 - 2021-12-15
This version fixes several bugs from earlier versions of Tor. One important
piece is the removal of DNS timeout metric from the overload general signal.
See below for more details.
o Major bugfixes (relay, overload):
- Don't make Tor DNS timeout trigger an overload general state.
These timeouts are different from DNS server timeout. They have to
be seen as timeout related to UX and not because of a network
problem. Fixes bug 40527; bugfix on 0.4.6.1-alpha.
o Minor feature (reproducible build):
- The repository can now build reproducible tarballs which adds the
build command "make dist-reprod" for that purpose. Closes
ticket 26299.
o Minor features (compilation):
- Give an error message if trying to build with a version of
LibreSSL known not to work with Tor. (There's an incompatibility
with LibreSSL versions 3.2.1 through 3.4.0 inclusive because of
their incompatibility with OpenSSL 1.1.1's TLSv1.3 APIs.) Closes
ticket 40511.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 15, 2021.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/12/15.
o Minor bugfixes (compilation):
- Fix our configuration logic to detect whether we had OpenSSL 3:
previously, our logic was reversed. This has no other effect than
to change whether we suppress deprecated API warnings. Fixes bug
40429; bugfix on 0.3.5.13.
o Minor bugfixes (relay):
- Reject IPv6-only DirPorts. Our reachability self-test forces
DirPorts to be IPv4, but our configuration parser allowed them to
be IPv6-only, which led to an assertion failure. Fixes bug 40494;
bugfix on 0.4.5.1-alpha.
o Documentation (man, relay):
- Missing "OverloadStatistics" in tor.1 manpage. Fixes bug 40504;
bugfix on 0.4.6.1-alpha.
Changes in version 0.4.6.8 - 2021-10-26
This version fixes several bugs from earlier versions of Tor. One
highlight is a fix on how we track DNS timeouts to report general
relay overload.
o Major bugfixes (relay, overload state):
- Relays report the general overload state for DNS timeout errors
only if X% of all DNS queries over Y seconds are errors. Before
that, it only took 1 timeout to report the overload state which
was just too low of a threshold. The X and Y values are 1% and 10
minutes respectively but they are also controlled by consensus
parameters. Fixes bug 40491; bugfix on 0.4.6.1-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories for October 2021. Closes
ticket 40493.
o Minor features (testing):
- On a testing network, relays can now use the
TestingMinTimeToReportBandwidth option to change the smallest
amount of time over which they're willing to report their observed
maximum bandwidth. Previously, this was fixed at 1 day. For
safety, values under 2 hours are only supported on testing
networks. Part of a fix for ticket 40337.
- Relays on testing networks no longer rate-limit how frequently
they are willing to report new bandwidth measurements. Part of a
fix for ticket 40337.
- Relays on testing networks now report their observed bandwidths
immediately from startup. Previously, they waited until they had
been running for a full day. Closes ticket 40337.
o Minor bugfix (onion service):
- Do not flag an HSDir as non-running in case the descriptor upload
or fetch fails. An onion service closes pending directory
connections before uploading a new descriptor which can thus lead
to wrongly flagging many relays and thus affecting circuit building
path selection. Fixes bug 40434; bugfix on 0.2.0.13-alpha.
- Improve logging when a bad HS version is given. Fixes bug 40476;
bugfix on 0.4.6.1-alpha.
o Minor bugfix (CI, onion service):
- Exclude onion service version 2 Stem tests in our CI. Fixes bug 40500;
bugfix on 0.3.2.1-alpha.
o Minor bugfixes (compatibility):
- Fix compatibility with the most recent Libevent versions, which no
longer have an evdns_set_random_bytes() function. Because this
function has been a no-op since Libevent 2.0.4-alpha, it is safe
for us to just stop calling it. Fixes bug 40371; bugfix
on 0.2.1.7-alpha.
o Minor bugfixes (onion service, TROVE-2021-008):
- Only log v2 access attempts once total, in order to not pollute
the logs with warnings and to avoid recording the times on disk
when v2 access was attempted. Note that the onion address was
_never_ logged. This counts as a Low-severity security issue.
Fixes bug 40474; bugfix on 0.4.5.8.
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Not committed (merge conflicts...):
net/radsecproxy/distinfo
The following distfiles could not be fetched (fetched conditionally?):
./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
./net/djbdns/distinfo djbdns-1.05-multiip.diff
./net/djbdns/distinfo djbdns-cachestats.patch
There is something wrong in tor's makefiles which causes:
src/lib/version/git_revision.c:21:10: fatal error: micro-revision.i: No such file or directory
#include "micro-revision.i"
^~~~~~~~~~~~~~~~~~
compilation terminated.
obviously by not having built micro-revision.i when that compilation
is done. This happens reliably for some people and not for others.
This commit adds a comment with the issue in tor's bug tracker, and a
workaround that builds micro-revision.i and then does the normal
build.
No PKGREVISION as this is just a build fix, and should have zero
effect if this built anyway.
ok @wiz
Changes in version 0.4.6.7 - 2021-08-16
This version fixes several bugs from earlier versions of Tor,
including one that could lead to a denial-of-service attack. Everyone
running an earlier version, whether as a client, a relay, or an onion
service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
o Major bugfixes (cryptography, security):
- Resolve an assertion failure caused by a behavior mismatch between
our batch-signature verification code and our single-signature
verification code. This assertion failure could be triggered
remotely, leading to a denial of service attack. We fix this issue
by disabling batch verification. Fixes bug 40078; bugfix on
0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
CVE-2021-38385. Found by Henry de Valence.
o Minor feature (fallbackdir):
- Regenerate fallback directories list. Close ticket 40447.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/08/12.
o Minor bugfix (crypto):
- Disable the unused batch verification feature of ed25519-donna.
Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry
de Valence.
o Minor bugfixes (onion service):
- Send back the extended SOCKS error 0xF6 (Onion Service Invalid
Address) for a v2 onion address. Fixes bug 40421; bugfix
on 0.4.6.2-alpha.
o Minor bugfixes (relay):
- Reduce the compression level for data streaming from HIGH to LOW
in order to reduce CPU load on the directory relays. Fixes bug
40301; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (timekeeping):
- Calculate the time of day correctly on systems where the time_t
type includes leap seconds. (This is not the case on most
operating systems, but on those where it occurs, our tor_timegm
function did not correctly invert the system's gmtime function,
which could result in assertion failures when calculating voting
schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.
Changes in version 0.4.6.6 - 2021-06-30
Tor 0.4.6.6 makes several small fixes on 0.4.6.5, including one that
allows Tor to build correctly on older versions of GCC. You should
upgrade to this version if you were having trouble building Tor
0.4.6.5; otherwise, there is probably no need.
o Minor bugfixes (compilation):
- Fix a compilation error when trying to build Tor with a compiler
that does not support const variables in static initializers.
Fixes bug 40410; bugfix on 0.4.6.5.
- Suppress a strict-prototype warning when building with some
versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing):
- Enable the deterministic RNG for unit tests that covers the
address set bloomfilter-based API's. Fixes bug 40419; bugfix
on 0.3.3.2-alpha.
Changes in version 0.4.6.5 - 2021-06-14
Tor 0.4.6.5 is the first stable release in its series. The 0.4.6.x
series includes numerous features and bugfixes, including a significant
improvement to our circuit timeout algorithm that should improve
observed client performance, and a way for relays to report when they are
overloaded.
This release also includes security fixes for several security issues,
including a denial-of-service attack against onion service clients,
and another denial-of-service attack against relays. Everybody should
upgrade to one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
o Major bugfixes (security):
- Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
half-closed streams. Previously, clients failed to validate which
hop sent these cells: this would allow a relay on a circuit to end
a stream that wasn't actually built with it. Fixes bug 40389;
bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
003 and CVE-2021-34548.
o Major bugfixes (security, defense-in-depth):
- Detect more failure conditions from the OpenSSL RNG code.
Previously, we would detect errors from a missing RNG
implementation, but not failures from the RNG code itself.
Fortunately, it appears those failures do not happen in practice
when Tor is using OpenSSL's default RNG implementation. Fixes bug
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
o Major bugfixes (security, denial of service):
- Resist a hashtable-based CPU denial-of-service attack against
relays. Previously we used a naive unkeyed hash function to look
up circuits in a circuitmux object. An attacker could exploit this
to construct circuits with chosen circuit IDs, to create
collisions and make the hash table inefficient. Now we use a
SipHash construction here instead. Fixes bug 40391; bugfix on
0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
- Fix an out-of-bounds memory access in v3 onion service descriptor
parsing. An attacker could exploit this bug by crafting an onion
service descriptor that would crash any client that tried to visit
it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
Glazunov from Google's Project Zero.
o Major features (control port, onion services):
- Add controller support for creating version 3 onion services with
client authorization. Previously, only v2 onion services could be
created with client authorization. Closes ticket 40084. Patch by
Neel Chauhan.
o Major features (directory authority):
- When voting on a relay with a Sybil-like appearance, add the Sybil
flag when clearing out the other flags. This lets a relay operator
know why their relay hasn't been included in the consensus. Closes
ticket 40255. Patch by Neel Chauhan.
o Major features (metrics):
- Relays now report how overloaded they are in their extrainfo
documents. This information is controlled with the
OverloadStatistics torrc option, and it will be used to improve
decisions about the network's load balancing. Implements proposal
328; closes ticket 40222.
o Major features (relay, denial of service):
- Add a new DoS subsystem feature to control the rate of client
connections for relays. Closes ticket 40253.
o Major features (statistics):
- Relays now publish statistics about the number of v3 onion
services and volume of v3 onion service traffic, in the same
manner they already do for v2 onions. Closes ticket 23126.
o Major bugfixes (circuit build timeout):
- Improve the accuracy of our circuit build timeout calculation for
60%, 70%, and 80% build rates for various guard choices. We now
use a maximum likelihood estimator for Pareto parameters of the
circuit build time distribution, instead of a "right-censored
estimator". This causes clients to ignore circuits that never
finish building in their timeout calculations. Previously, clients
were counting such unfinished circuits as having the highest
possible build time value, when in reality these circuits most
likely just contain relays that are offline. We also now wait a
bit longer to let circuits complete for measurement purposes,
lower the minimum possible effective timeout from 1.5 seconds to
10ms, and increase the resolution of the circuit build time
histogram from 50ms bin widths to 10ms bin widths. Additionally,
we alter our estimate Xm by taking the maximum of the top 10 most
common build time values of the 10ms histogram, and compute Xm as
the average of these. Fixes bug 40168; bugfix on 0.2.2.14-alpha.
- Remove max_time calculation and associated warning from circuit
build timeout 'alpha' parameter estimation, as this is no longer
needed by our new estimator from 40168. Fixes bug 34088; bugfix
on 0.2.2.9-alpha.
o Major bugfixes (signing key):
- In the tor-gencert utility, give an informative error message if
the passphrase given in `--create-identity-key` is too short.
Fixes bug 40189; bugfix on 0.2.0.1-alpha. Patch by Neel Chauhan.
o Minor features (bridge):
- We now announce the URL to Tor's new bridge status at
https://bridges.torproject.org/ when Tor is configured to run as a
bridge relay. Closes ticket 30477.
o Minor features (build system):
- New "make lsp" command to auto generate the compile_commands.json
file used by the ccls server. The "bear" program is needed for
this. Closes ticket 40227.
o Minor features (client):
- Clients now check whether their streams are attempting to re-enter
the Tor network (i.e. to send Tor traffic over Tor), and close
them preemptively if they think exit relays will refuse them for
this reason. See ticket 2667 for details. Closes ticket 40271.
o Minor features (command line):
- Add long format name "--torrc-file" equivalent to the existing
command-line option "-f". Closes ticket 40324. Patch by
Daniel Pinto.
o Minor features (command-line interface):
- Add build informations to `tor --version` in order to ease
reproducible builds. Closes ticket 32102.
- When parsing command-line flags that take an optional argument,
treat the argument as absent if it would start with a '-'
character. Arguments in that form are not intelligible for any of
our optional-argument flags. Closes ticket 40223.
- Allow a relay operator to list the ed25519 keys on the command
line by adding the `rsa` and `ed25519` arguments to the
--list-fingerprint flag to show the respective RSA and ed25519
relay fingerprint. Closes ticket 33632. Patch by Neel Chauhan.
o Minor features (compatibility):
- Remove an assertion function related to TLS renegotiation. It was
used nowhere outside the unit tests, and it was breaking
compilation with recent alpha releases of OpenSSL 3.0.0. Closes
ticket 40399.
o Minor features (control port, stream handling):
- Add the stream ID to the event line in the ADDRMAP control event.
Closes ticket 40249. Patch by Neel Chauhan.
o Minor features (dormant mode):
- Add a new 'DormantTimeoutEnabled' option to allow coarse-grained
control over whether the client ever becomes dormant from
inactivity. Most people won't need this. Closes ticket 40228.
- Add a new 'DormantTimeoutEnabled' option for coarse-grained
control over whether the client can become dormant from
inactivity. Most people won't need this. Closes ticket 40228.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/06/10.
o Minor features (logging):
- Edit heartbeat log messages so that more of them begin with the
string "Heartbeat: ". Closes ticket 40322; patch
from 'cypherpunks'.
- Change the DoS subsystem heartbeat line format to be more clear on
what has been detected/rejected, and which option is disabled (if
any). Closes ticket 40308.
- In src/core/mainloop/mainloop.c and src/core/mainloop/connection.c,
put brackets around IPv6 addresses in log messages. Closes ticket
40232. Patch by Neel Chauhan.
o Minor features (logging, diagnostic):
- Log decompression failures at a higher severity level, since they
can help provide missing context for other warning messages. We
rate-limit these messages, to avoid flooding the logs if they
begin to occur frequently. Closes ticket 40175.
o Minor features (onion services):
- Add a warning message when trying to connect to (no longer
supported) v2 onion services. Closes ticket 40373.
o Minor features (performance, windows):
- Use SRWLocks to implement locking on Windows. Replaces the
"critical section" locking implementation with the faster
SRWLocks, available since Windows Vista. Closes ticket 17927.
Patch by Daniel Pinto.
o Minor features (protocol, proxy support, defense in depth):
- Close HAProxy connections if they somehow manage to send us data
before we start reading. Closes another case of ticket 40017.
o Minor features (tests, portability):
- Port the hs_build_address.py test script to work with recent
versions of python. Closes ticket 40213. Patch from
Samanta Navarro.
o Minor features (vote document):
- Add a "stats" line to directory authority votes, to report various
statistics that authorities compute about the relays. This will
help us diagnose the network better. Closes ticket 40314.
o Minor bugfixes (build):
- The configure script now shows whether or not lzma and zstd have
been used, not just if the enable flag was passed in. Fixes bug
40236; bugfix on 0.4.3.1-alpha.
o Minor bugfixes (compatibility):
- Fix a failure in the test cases when running on the "hppa"
architecture, along with a related test that might fail on other
architectures in the future. Fixes bug 40274; bugfix
on 0.2.5.1-alpha.
o Minor bugfixes (compilation):
- Fix a compilation warning about unused functions when building
with a libc that lacks the GLOB_ALTDIRFUNC constant. Fixes bug
40354; bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto.
o Minor bugfixes (consensus handling):
- Avoid a set of bugs that could be caused by inconsistently
preferring an out-of-date consensus stored in a stale directory
cache over a more recent one stored on disk as the latest
consensus. Fixes bug 40375; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (control, sandbox):
- Allow the control command SAVECONF to succeed when the seccomp
sandbox is enabled, and make SAVECONF keep only one backup file to
simplify implementation. Previously SAVECONF allowed a large
number of backup files, which made it incompatible with the
sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by
Daniel Pinto.
o Minor bugfixes (directory authorities, voting):
- Add a new consensus method (31) to support any future changes that
authorities decide to make to the value of bwweightscale or
maxunmeasuredbw. Previously, there was a bug that prevented the
authorities from parsing these consensus parameters correctly under
most circumstances. Fixes bug 19011; bugfix on 0.2.2.10-alpha.
o Minor bugfixes (ipv6):
- Allow non-SOCKSPorts to disable IPv4, IPv6, and PreferIPv4. Some
rare configurations might break, but in this case you can disable
NoIPv4Traffic and NoIPv6Traffic as needed. Fixes bug 33607; bugfix
on 0.4.1.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (key generation):
- Do not require a valid torrc when using the `--keygen` argument to
generate a signing key. This allows us to generate keys on systems
or users which may not run Tor. Fixes bug 40235; bugfix on
0.2.7.2-alpha. Patch by Neel Chauhan.
o Minor bugfixes (logging, relay):
- Emit a warning if an Address is found to be internal and tor can't
use it. Fixes bug 40290; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (metrics port):
- Fix a bug that made tor try to re-bind() on an already open
MetricsPort every 60 seconds. Fixes bug 40370; bugfix
on 0.4.5.1-alpha.
o Minor bugfixes (onion services, logging):
- Downgrade the severity of a few rendezvous circuit-related
warnings from warning to info. Fixes bug 40207; bugfix on
0.3.2.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (relay):
- Reduce the compression level for data streaming from HIGH to LOW.
This should reduce the CPU and memory burden for directory caches.
Fixes bug 40301; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing, BSD):
- Fix pattern-matching errors when patterns expand to invalid paths
on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
Daniel Pinto.
o Code simplification and refactoring:
- Remove the orconn_ext_or_id_map structure and related functions.
(Nothing outside of unit tests used them.) Closes ticket 33383.
Patch by Neel Chauhan.
o Removed features:
- Remove unneeded code for parsing private keys in directory
documents. This code was only used for client authentication in v2
onion services, which are now unsupported. Closes ticket 40374.
- As of this release, Tor no longer supports the old v2 onion
services. They were deprecated last July for security, and support
will be removed entirely later this year. We strongly encourage
everybody to migrate to v3 onion services. For more information,
see https://blog.torproject.org/v2-deprecation-timeline . Closes
ticket 40266. (NOTE: We accidentally released an earlier version
of the 0.4.6.1-alpha changelog without this entry. Sorry for
the confusion!)
o Code simplification and refactoring (metrics, DoS):
- Move the DoS subsystem into the subsys manager, including its
configuration options. Closes ticket 40261.
o Documentation (manual):
- Move the ServerTransport* options to the "SERVER OPTIONS" section.
Closes issue 40331.
- Indicate that the HiddenServiceStatistics option also applies to
bridges. Closes ticket 40346.
- Move the description of BridgeRecordUsageByCountry to the section
"STATISTICS OPTIONS". Closes ticket 40323.
o Removed features (relay):
- Because DirPorts are only used on authorities, relays no longer
advertise them. Similarly, self-testing for DirPorts has been
disabled, since an unreachable DirPort is no reason for a relay
not to advertise itself. (Configuring a DirPort will still work,
for now.) Closes ticket 40282.
Changes in version 0.4.5.9 - 2021-06-14
Tor 0.4.5.9 fixes several security issues, including a
denial-of-service attack against onion service clients, and another
denial-of-service attack against relays. Everybody should upgrade to
one of 0.3.5.15, 0.4.4.9, 0.4.5.9, or 0.4.6.5.
o Major bugfixes (security, backport from 0.4.6.5):
- Don't allow relays to spoof RELAY_END or RELAY_RESOLVED cell on
half-closed streams. Previously, clients failed to validate which
hop sent these cells: this would allow a relay on a circuit to end
a stream that wasn't actually built with it. Fixes bug 40389;
bugfix on 0.3.5.1-alpha. This issue is also tracked as TROVE-2021-
003 and CVE-2021-34548.
o Major bugfixes (security, defense-in-depth, backport from 0.4.6.5):
- Detect more failure conditions from the OpenSSL RNG code.
Previously, we would detect errors from a missing RNG
implementation, but not failures from the RNG code itself.
Fortunately, it appears those failures do not happen in practice
when Tor is using OpenSSL's default RNG implementation. Fixes bug
40390; bugfix on 0.2.8.1-alpha. This issue is also tracked as
TROVE-2021-004. Reported by Jann Horn at Google's Project Zero.
o Major bugfixes (security, denial of service, backport from 0.4.6.5):
- Resist a hashtable-based CPU denial-of-service attack against
relays. Previously we used a naive unkeyed hash function to look
up circuits in a circuitmux object. An attacker could exploit this
to construct circuits with chosen circuit IDs, to create
collisions and make the hash table inefficient. Now we use a
SipHash construction here instead. Fixes bug 40391; bugfix on
0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005 and
CVE-2021-34549. Reported by Jann Horn from Google's Project Zero.
- Fix an out-of-bounds memory access in v3 onion service descriptor
parsing. An attacker could exploit this bug by crafting an onion
service descriptor that would crash any client that tried to visit
it. Fixes bug 40392; bugfix on 0.3.0.1-alpha. This issue is also
tracked as TROVE-2021-006 and CVE-2021-34550. Reported by Sergei
Glazunov from Google's Project Zero.
o Minor features (compatibility, backport from 0.4.6.4-rc):
- Remove an assertion function related to TLS renegotiation. It was
used nowhere outside the unit tests, and it was breaking
compilation with recent alpha releases of OpenSSL 3.0.0. Closes
ticket 40399.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/06/10.
o Minor bugfixes (control, sandbox, backport from 0.4.6.4-rc):
- Allow the control command SAVECONF to succeed when the seccomp
sandbox is enabled, and make SAVECONF keep only one backup file to
simplify implementation. Previously SAVECONF allowed a large
number of backup files, which made it incompatible with the
sandbox. Fixes bug 40317; bugfix on 0.2.5.4-alpha. Patch by
Daniel Pinto.
o Minor bugfixes (metrics port, backport from 0.4.6.4-rc):
- Fix a bug that made tor try to re-bind() on an already open
MetricsPort every 60 seconds. Fixes bug 40370; bugfix
on 0.4.5.1-alpha.
Changes in version 0.4.5.8 - 2021-05-10
Tor 0.4.5.8 fixes several bugs in earlier version, backporting fixes
from the 0.4.6.x series.
o Minor features (compatibility, Linux seccomp sandbox, backport from 0.4.6.3-rc):
- Add a workaround to enable the Linux sandbox to work correctly
with Glibc 2.33. This version of Glibc has started using the
fstatat() system call, which previously our sandbox did not allow.
Closes ticket 40382; see the ticket for a discussion of trade-offs.
o Minor features (compilation, backport from 0.4.6.3-rc):
- Make the autoconf script build correctly with autoconf versions
2.70 and later. Closes part of ticket 40335.
o Minor features (fallback directory list, backport from 0.4.6.2-alpha):
- Regenerate the list of fallback directories to contain a new set
of 200 relays. Closes ticket 40265.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/05/07.
o Minor features (onion services):
- Add warning message when connecting to now deprecated v2 onion
services. As announced, Tor 0.4.5.x is the last series that will
support v2 onions. Closes ticket 40373.
o Minor bugfixes (bridge, pluggable transport, backport from 0.4.6.2-alpha):
- Fix a regression that made it impossible start Tor using a bridge
line with a transport name and no fingerprint. Fixes bug 40360;
bugfix on 0.4.5.4-rc.
o Minor bugfixes (build, cross-compilation, backport from 0.4.6.3-rc):
- Allow a custom "ar" for cross-compilation. Our previous build
script had used the $AR environment variable in most places, but
it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (channel, DoS, backport from 0.4.6.2-alpha):
- Fix a non-fatal BUG() message due to a too-early free of a string,
when listing a client connection from the DoS defenses subsystem.
Fixes bug 40345; bugfix on 0.4.3.4-rc.
o Minor bugfixes (compiler warnings, backport from 0.4.6.3-rc):
- Fix an indentation problem that led to a warning from GCC 11.1.1.
Fixes bug 40380; bugfix on 0.3.0.1-alpha.
o Minor bugfixes (controller, backport from 0.4.6.1-alpha):
- Fix a "BUG" warning that would appear when a controller chooses
the first hop for a circuit, and that circuit completes. Fixes bug
40285; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion service, client, memory leak, backport from 0.4.6.3-rc):
- Fix a bug where an expired cached descriptor could get overwritten
with a new one without freeing it, leading to a memory leak. Fixes
bug 40356; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing, BSD, backport from 0.4.6.2-alpha):
- Fix pattern-matching errors when patterns expand to invalid paths
on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
Daniel Pinto.
Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
versions of Tor.
One of these vulnerabilities (TROVE-2021-001) would allow an attacker
who can send directory data to a Tor instance to force that Tor
instance to consume huge amounts of CPU. This is easiest to exploit
against authorities, since anybody can upload to them, but directory
caches could also exploit this vulnerability against relays or clients
when they download. The other vulnerability (TROVE-2021-002) only
affects directory authorities, and would allow an attacker to remotely
crash the authority with an assertion failure. Patches have already
been provided to the authority operators, to help ensure
network stability.
We recommend that everybody upgrade to one of the releases that fixes
these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
to you.
This release also updates our GeoIP data source, and fixes a few
smaller bugs in earlier releases.
o Major bugfixes (security, denial of service):
- Disable the dump_desc() function that we used to dump unparseable
information to disk. It was called incorrectly in several places,
in a way that could lead to excessive CPU usage. Fixes bug 40286;
bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
001 and CVE-2021-28089.
- Fix a bug in appending detached signatures to a pending consensus
document that could be used to crash a directory authority. Fixes
bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
and CVE-2021-28090.
o Minor features (geoip data):
- We have switched geoip data sources. Previously we shipped IP-to-
country mappings from Maxmind's GeoLite2, but in 2019 they changed
their licensing terms, so we were unable to update them after that
point. We now ship geoip files based on the IPFire Location
Database instead. (See https://location.ipfire.org/ for more
information). This release updates our geoip files to match the
IPFire Location Database as retrieved on 2021/03/12. Closes
ticket 40224.
o Minor bugfixes (directory authority):
- Now that exit relays don't allow exit connections to directory
authority DirPorts (to prevent network reentry), disable
authorities' reachability self test on the DirPort. Fixes bug
40287; bugfix on 0.4.5.5-rc.
o Minor bugfixes (documentation):
- Fix a formatting error in the documentation for
VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha.
o Minor bugfixes (Linux, relay):
- Fix a bug in determining total available system memory that would
have been triggered if the format of Linux's /proc/meminfo file
had ever changed to include "MemTotal:" in the middle of a line.
Fixes bug 40315; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (metrics port):
- Fix a BUG() warning on the MetricsPort for an internal missing
handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (onion service):
- Remove a harmless BUG() warning when reloading tor configured with
onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (portability):
- Fix a non-portable usage of "==" with "test" in the configure
script. Fixes bug 40298; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (relay):
- Remove a spammy log notice falsely claiming that the IPv4/v6
address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha.
- Do not query the address cache early in the boot process when
deciding if a relay needs to fetch early directory information
from an authority. This bug resulted in a relay falsely believing
it didn't have an address and thus triggering an authority fetch
at each boot. Related to our fix for 40300.
o Removed features (mallinfo deprecated):
- Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
Closes ticket 40309.
Changes in version 0.4.5.6 - 2021-02-15
The Tor 0.4.5.x release series is dedicated to the memory of Karsten
Loesing (1979-2020), Tor developer, cypherpunk, husband, and father.
Karsten is best known for creating the Tor metrics portal and leading
the metrics team, but he was involved in Tor from the early days. For
example, while he was still a student he invented and implemented the
v2 onion service directory design, and he also served as an ambassador
to the many German researchers working in the anonymity field. We
loved him and respected him for his patience, his consistency, and his
welcoming approach to growing our community.
This release series introduces significant improvements in relay IPv6
address discovery, a new "MetricsPort" mechanism for relay operators
to measure performance, LTTng support, build system improvements to
help when using Tor as a static library, and significant bugfixes
related to Windows relay performance. It also includes numerous
smaller features and bugfixes.
Changes in version 0.4.4.7 - 2021-02-03
Tor 0.4.4.7 backports numerous bugfixes from later releases,
including one that made v3 onion services more susceptible to
denial-of-service attacks, and a feature that makes some kinds of
DoS attacks harder to perform.
o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
- Stop requiring a live consensus for v3 clients and services, and
allow a "reasonably live" consensus instead. This allows v3 onion
services to work even if the authorities fail to generate a
consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
on 0.3.5.1-alpha.
o Major feature (exit, backport from 0.4.5.5-rc):
- Re-entry into the network is now denied at the Exit level to all
relays' ORPorts and authorities' ORPorts and DirPorts. This change
should help mitgate a set of denial-of-service attacks. Closes
ticket 2667.
o Minor feature (build system, backport from 0.4.5.4-rc):
- New "make lsp" command to generate the compile_commands.json file
used by the ccls language server. The "bear" program is needed for
this. Closes ticket 40227.
o Minor features (compilation, backport from 0.4.5.2-rc):
- Disable deprecation warnings when building with OpenSSL 3.0.0 or
later. There are a number of APIs newly deprecated in OpenSSL
3.0.0 that Tor still requires. (A later version of Tor will try to
stop depending on these APIs.) Closes ticket 40165.
o Minor features (crypto, backport from 0.4.5.3-rc):
- Fix undefined behavior on our Keccak library. The bug only
appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
and would result in wrong digests. Fixes bug 40210; bugfix on
0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
weasel for diagnosing this.
o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
- Strip '\r' characters when reading text files on Unix platforms.
This should resolve an issue where a relay operator migrates a
relay from Windows to Unix, but does not change the line ending of
Tor's various state files to match the platform, and the CRLF line
endings from Windows end up leaking into other files such as the
extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.
o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
- Fix a compilation warning about unreachable fallthrough
annotations when building with "--enable-all-bugs-are-fatal" on
some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.
o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
- Handle partial SOCKS5 messages correctly. Previously, our code
would send an incorrect error message if it got a SOCKS5 request
that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
- Fix the `config/parse_tcp_proxy_line` test so that it works
correctly on systems where the DNS provider hijacks invalid
queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
- Fix our Python reference-implementation for the v3 onion service
handshake so that it works correctly with the version of hashlib
provided by Python 3.9. Fixes part of bug 40179; bugfix
on 0.3.1.6-rc.
- Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.
Disable rust option since it currently doesn't work.
Changes in version 0.4.4.6 - 2020-11-12
Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It
backports fixes from later releases, including a fix for TROVE-2020-
005, a security issue that could be used, under certain cases, by an
adversary to observe traffic patterns on a limited number of circuits
intended for a different relay.
o Major bugfixes (security, backport from 0.4.5.1-alpha):
- When completing a channel, relays now check more thoroughly to
make sure that it matches any pending circuits before attaching
those circuits. Previously, address correctness and Ed25519
identities were not checked in this case, but only when extending
circuits on an existing channel. Fixes bug 40080; bugfix on
0.2.7.2-alpha. Resolves TROVE-2020-005.
o Minor features (directory authorities, backport from 0.4.5.1-alpha):
- Authorities now list a different set of protocols as required and
recommended. These lists have been chosen so that only truly
recommended and/or required protocols are included, and so that
clients using 0.2.9 or later will continue to work (even though
they are not supported), whereas only relays running 0.3.5 or
later will meet the requirements. Closes ticket 40162.
- Make it possible to specify multiple ConsensusParams torrc lines.
Now directory authority operators can for example put the main
ConsensusParams config in one torrc file and then add to it from a
different torrc file. Closes ticket 40164.
o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
- Tor no longer allows subprotocol versions larger than 63.
Previously version numbers up to UINT32_MAX were allowed, which
significantly complicated our code. Implements proposal 318;
closes ticket 40133.
o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
- Fix a rendezvous cache unit test that was triggering an underflow
on the global rend cache allocation. Fixes bug 40125; bugfix
on 0.2.8.1-alpha.
- Fix another rendezvous cache unit test that was triggering an
underflow on the global rend cache allocation. Fixes bug 40126;
bugfix on 0.2.8.1-alpha.
o Minor bugfixes (compilation, backport from 0.4.5.1-alpha):
- Fix compiler warnings that would occur when building with
"--enable-all-bugs-are-fatal" and "--disable-module-relay" at the
same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
- Resolve a compilation warning that could occur in
test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
- Remove a debug logging statement that uselessly spammed the logs.
Fixes bug 40135; bugfix on 0.3.5.0-alpha.
o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
- Avoid a fatal assert() when failing to create a listener
connection for an address that was in use. Fixes bug 40073; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha):
- For HSFETCH commands on v2 onion services addresses, check the
length of bytes decoded, not the base32 length. Fixes bug 34400;
bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.
backtrace(3) does not work on netbsd-9 ending up in a SIGSEGV and tor
process hanging forever (a simple way to reproduce without configuring
tor is just invoking tor via `tor --version').
Workaround for PR port-evbarm/55669.
PKGREVISION++
Changes in version 0.4.4.5 - 2020-09-15
Tor 0.4.4.5 is the first stable release in the 0.4.4.x series. This
series improves our guard selection algorithms, adds v3 onion balance
support, improves the amount of code that can be disabled when running
without relay support, and includes numerous small bugfixes and
enhancements. It also lays the ground for some IPv6 features that
we'll be developing more in the next (0.4.5) series.
Per our support policy, we support each stable release series for nine
months after its first stable release, or three months after the first
stable release of the next series: whichever is longer. This means
that 0.4.4.x will be supported until around June 2021--or later, if
0.4.5.x is later than anticipated.
Note also that support for 0.4.2.x has just ended; support for 0.4.3
will continue until Feb 15, 2021. We still plan to continue supporting
0.3.5.x, our long-term stable series, until Feb 2022.
o Major features (Proposal 310, performance + security):
- Implements Proposal 310, "Bandaid on guard selection". Proposal
310 solves load-balancing issues with older versions of the guard
selection algorithm, and improves its security. Under this new
algorithm, a newly selected guard never becomes Primary unless all
previously sampled guards are unreachable. Implements
recommendation from 32088. (Proposal 310 is linked to the CLAPS
project researching optimal client location-aware path selections.
This project is a collaboration between the UCLouvain Crypto Group,
the U.S. Naval Research Laboratory, and Princeton University.)
o Major features (fallback directory list):
- Replace the 148 fallback directories originally included in Tor
0.4.1.4-rc (of which around 105 are still functional) with a list
of 144 fallbacks generated in July 2020. Closes ticket 40061.
o Major features (IPv6, relay):
- Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol
warning if the IPv4 or IPv6 address is an internal address, and
internal addresses are not allowed. But continue to use the other
address, if it is valid. Closes ticket 33817.
- If a relay can extend over IPv4 and IPv6, and both addresses are
provided, it chooses between them uniformly at random. Closes
ticket 33817.
- Re-use existing IPv6 connections for circuit extends. Closes
ticket 33817.
- Relays may extend circuits over IPv6, if the relay has an IPv6
ORPort, and the client supplies the other relay's IPv6 ORPort in
the EXTEND2 cell. IPv6 extends will be used by the relay IPv6
ORPort self-tests in 33222. Closes ticket 33817.
o Major features (v3 onion services):
- Allow v3 onion services to act as OnionBalance backend instances,
by using the HiddenServiceOnionBalanceInstance torrc option.
Closes ticket 32709.
o Major bugfixes (NSS):
- When running with NSS enabled, make sure that NSS knows to expect
nonblocking sockets. Previously, we set our TCP sockets as
nonblocking, but did not tell NSS, which in turn could lead to
unexpected blocking behavior. Fixes bug 40035; bugfix
on 0.3.5.1-alpha.
o Major bugfixes (onion services, DoS):
- Correct handling of parameters for the onion service DoS defense.
Previously, the consensus parameters for the onion service DoS
defenses were overwriting the parameters set by the service
operator using HiddenServiceEnableIntroDoSDefense. Fixes bug
40109; bugfix on 0.4.2.1-alpha.
o Major bugfixes (stats, onion services):
- Fix a bug where we were undercounting the Tor network's total
onion service traffic, by ignoring any traffic originating from
clients. Now we count traffic from both clients and services.
Fixes bug 40117; bugfix on 0.2.6.2-alpha.
o Minor features (security):
- Channels using obsolete versions of the Tor link protocol are no
longer allowed to circumvent address-canonicity checks. (This is
only a minor issue, since such channels have no way to set ed25519
keys, and therefore should always be rejected for circuits that
specify ed25519 identities.) Closes ticket 40081.
o Minor features (bootstrap reporting):
- Report more detailed reasons for bootstrap failure when the
failure happens due to a TLS error. Previously we would just call
these errors "MISC" when they happened during read, and "DONE"
when they happened during any other TLS operation. Closes
ticket 32622.
o Minor features (client-only compilation):
- Disable more code related to the ext_orport protocol when
compiling without support for relay mode. Closes ticket 33368.
- Disable more of our self-testing code when support for relay mode
is disabled. Closes ticket 33370.
- Most server-side DNS code is now disabled when building without
support for relay mode. Closes ticket 33366.
o Minor features (code safety):
- Check for failures of tor_inet_ntop() and tor_inet_ntoa()
functions in DNS and IP address processing code, and adjust
codepaths to make them less likely to crash entire Tor instances.
Resolves issue 33788.
o Minor features (continuous integration):
- Run unit-test and integration test (Stem, Chutney) jobs with
ALL_BUGS_ARE_FATAL macro being enabled on Travis and Appveyor.
Resolves ticket 32143.
o Minor features (control port):
- If a ClientName was specified in ONION_CLIENT_AUTH_ADD for an
onion service, display it when we use ONION_CLIENT_AUTH_VIEW.
Closes ticket 40089. Patch by Neel Chauhan.
- Return a descriptive error message from the 'GETINFO status/fresh-
relay-descs' command on the control port. Previously, we returned
a generic error of "Error generating descriptor". Closes ticket
32873. Patch by Neel Chauhan.
o Minor features (defense in depth):
- Wipe more data from connection address fields before returning
them to the memory heap. Closes ticket 6198.
o Minor features (denial-of-service memory limiter):
- Allow the user to configure even lower values for the
MaxMemInQueues parameter. Relays now enforce a minimum of 64 MB,
when previously the minimum was 256 MB. On clients, there is no
minimum. Relays and clients will both warn if the value is set so
low that Tor is likely to stop working. Closes ticket 24308.
o Minor features (developer tooling):
- Add a script to help check the alphabetical ordering of option
names in the manual page. Closes ticket 33339.
- Refrain from listing all .a files that are generated by the Tor
build in .gitignore. Add a single wildcard *.a entry that covers
all of them for present and future. Closes ticket 33642.
- Add a script ("git-install-tools.sh") to install git hooks and
helper scripts. Closes ticket 33451.
o Minor features (directory authority):
- Authorities now recommend the protocol versions that are supported
by Tor 0.3.5 and later. (Earlier versions of Tor have been
deprecated since January of this year.) This recommendation will
cause older clients and relays to give a warning on startup, or
when they download a consensus directory. Closes ticket 32696.
o Minor features (directory authority, shared random):
- Refactor more authority-only parts of the shared-random scheduling
code to reside in the dirauth module, and to be disabled when
compiling with --disable-module-dirauth. Closes ticket 33436.
o Minor features (directory):
- Remember the number of bytes we have downloaded for each directory
purpose while bootstrapping, and while fully bootstrapped. Log
this information as part of the heartbeat message. Closes
ticket 32720.
o Minor features (entry guards):
- Reinstate support for GUARD NEW/UP/DOWN control port events.
Closes ticket 40001.
o Minor features (IPv6 support):
- Adds IPv6 support to tor_addr_is_valid(). Adds tests for the above
changes and tor_addr_is_null(). Closes ticket 33679. Patch
by MrSquanchee.
- Allow clients and relays to send dual-stack and IPv6-only EXTEND2
cells. Parse dual-stack and IPv6-only EXTEND2 cells on relays.
Closes ticket 33901.
o Minor features (linux seccomp2 sandbox, portability):
- Allow Tor to build on platforms where it doesn't know how to
report which syscall caused the linux seccomp2 sandbox to fail.
This change should make the sandbox code more portable to less
common Linux architectures. Closes ticket 34382.
- Permit the unlinkat() syscall, which some Libc implementations use
to implement unlink(). Closes ticket 33346.
o Minor features (logging):
- When trying to find our own address, add debug-level logging to
report the sources of candidate addresses. Closes ticket 32888.
o Minor features (onion service client, SOCKS5):
- Add 3 new SocksPort ExtendedErrors (F2, F3, F7) that reports back
new type of onion service connection failures. The semantics of
these error codes are documented in proposal 309. Closes
ticket 32542.
o Minor features (onion service v3):
- If a service cannot upload its descriptor(s), log why at INFO
level. Closes ticket 33400; bugfix on 0.3.2.1-alpha.
o Minor features (python scripts):
- Stop assuming that /usr/bin/python exists. Instead of using a
hardcoded path in scripts that still use Python 2, use
/usr/bin/env, similarly to the scripts that use Python 3. Fixes
bug 33192; bugfix on 0.4.2.
o Minor features (testing, architecture):
- Our test scripts now double-check that subsystem initialization
order is consistent with the inter-module dependencies established
by our .may_include files. Implements ticket 31634.
- Initialize all subsystems at the beginning of our unit test
harness, to avoid crashes due to uninitialized subsystems. Follow-
up from ticket 33316.
- Our "make check" target now runs the unit tests in 8 parallel
chunks. Doing this speeds up hardened CI builds by more than a
factor of two. Closes ticket 40098.
o Minor features (v3 onion services):
- Add v3 onion service status to the dumpstats() call which is
triggered by a SIGUSR1 signal. Previously, we only did v2 onion
services. Closes ticket 24844. Patch by Neel Chauhan.
o Minor features (windows):
- Add support for console control signals like Ctrl+C in Windows.
Closes ticket 34211. Patch from Damon Harris (TheDcoder).
o Minor bugfixes (control port, onion service):
- Consistently use 'address' in "Invalid v3 address" response to
ONION_CLIENT_AUTH commands. Previously, we would sometimes say
'addr'. Fixes bug 40005; bugfix on 0.4.3.1-alpha.
o Minor bugfixes (correctness, buffers):
- Fix a correctness bug that could cause an assertion failure if we
ever tried using the buf_move_all() function with an empty input
buffer. As far as we know, no released versions of Tor do this.
Fixes bug 40076; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (directory authorities):
- Directory authorities now reject votes that arrive too late. In
particular, once an authority has started fetching missing votes,
it no longer accepts new votes posted by other authorities. This
change helps prevent a consensus split, where only some authorities
have the late vote. Fixes bug 4631; bugfix on 0.2.0.5-alpha.
o Minor bugfixes (git scripts):
- Stop executing the checked-out pre-commit hook from the pre-push
hook. Instead, execute the copy in the user's git directory. Fixes
bug 33284; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (initialization):
- Initialize the subsystems in our code in an order more closely
corresponding to their dependencies, so that every system is
initialized before the ones that (theoretically) depend on it.
Fixes bug 33316; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (IPv4, relay):
- Check for invalid zero IPv4 addresses and ports when sending and
receiving extend cells. Fixes bug 33900; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (IPv6, relay):
- Consider IPv6 addresses when checking if a connection is
canonical. In 17604, relays assumed that a remote relay could
consider an IPv6 connection canonical, but did not set the
canonical flag on their side of the connection. Fixes bug 33899;
bugfix on 0.3.1.1-alpha.
- Log IPv6 addresses on connections where this relay is the
responder. Previously, responding relays would replace the remote
IPv6 address with the IPv4 address from the consensus. Fixes bug
33899; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (linux seccomp2 sandbox):
- Fix a regression on sandboxing rules for the openat() syscall. The
fix for bug 25440 fixed the problem on systems with glibc >= 2.27
but broke with versions of glibc. We now choose a rule based on
the glibc version. Patch from Daniel Pinto. Fixes bug 27315;
bugfix on 0.3.5.11.
- Makes the seccomp sandbox allow the correct syscall for opendir
according to the running glibc version. This fixes crashes when
reloading torrc with sandbox enabled when running on glibc 2.15 to
2.21 and 2.26. Patch from Daniel Pinto. Fixes bug 40020; bugfix
on 0.3.5.11.
o Minor bugfixes (logging, testing):
- Make all of tor's assertion macros support the ALL_BUGS_ARE_FATAL
and DISABLE_ASSERTS_IN_UNIT_TESTS debugging modes. (IF_BUG_ONCE()
used to log a non-fatal warning, regardless of the debugging
mode.) Fixes bug 33917; bugfix on 0.2.9.1-alpha.
- Remove surprising empty line in the INFO-level log about circuit
build timeout. Fixes bug 33531; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (mainloop):
- Better guard against growing a buffer past its maximum 2GB in
size. Fixes bug 33131; bugfix on 0.3.0.4-rc.
o Minor bugfixes (onion service v3 client):
- Remove a BUG() warning that could occur naturally. Fixes bug
34087; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion service, logging):
- Fix a typo in a log message PublishHidServDescriptors is set to 0.
Fixes bug 33779; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion services v3):
- Avoid a non-fatal assertion failure in certain edge-cases when
opening an intro circuit as a client. Fixes bug 34084; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (protocol versions):
- Sort tor's supported protocol version lists, as recommended by the
tor directory specification. Fixes bug 33285; bugfix
on 0.4.0.1-alpha.
o Minor bugfixes (rate limiting, bridges, pluggable transports):
- On a bridge, treat all connections from an ExtORPort as remote by
default for the purposes of rate-limiting. Previously, bridges
would treat the connection as local unless they explicitly
received a "USERADDR" command. ExtORPort connections still count
as local if there is a USERADDR command with an explicit local
address. Fixes bug 33747; bugfix on 0.2.5.1-alpha.
o Minor bugfixes (refactoring):
- Lift circuit_build_times_disabled() out of the
circuit_expire_building() loop, to save CPU time when there are
many circuits open. Fixes bug 33977; bugfix on 0.3.5.9.
o Minor bugfixes (relay, self-testing):
- When starting up as a relay, if we haven't been able to verify
that we're reachable, only launch reachability tests at most once
a minute. Previously, we had been launching tests up to once a
second, which was needlessly noisy. Fixes bug 40083; bugfix
on 0.2.8.1-alpha.
o Minor bugfixes (relay, usability):
- Adjust the rules for when to warn about having too many
connections to other relays. Previously we'd tolerate up to 1.5
connections per relay on average. Now we tolerate more connections
for directory authorities, and raise the number of total
connections we need to see before we warn. Fixes bug 33880; bugfix
on 0.3.1.1-alpha.
o Minor bugfixes (SOCKS, onion service client):
- Detect v3 onion service addresses of the wrong length when
returning the F6 ExtendedErrors code. Fixes bug 33873; bugfix
on 0.4.3.1-alpha.
o Minor bugfixes (tests):
- Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
on its own. Previously, it would exit with an error. Fixes bug
40099; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (v3 onion services):
- Remove a BUG() warning that could trigger in certain unlikely
edge-cases. Fixes bug 34086; bugfix on 0.3.2.1-alpha.
- Remove a BUG() that was causing a stacktrace when a descriptor
changed at an unexpected time. Fixes bug 28992; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (windows):
- Fix a bug that prevented Tor from starting if its log file grew
above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha.
o Code simplification and refactoring:
- Define and use a new constant TOR_ADDRPORT_BUF_LEN which is like
TOR_ADDR_BUF_LEN but includes enough space for an IP address,
brackets, separating colon, and port number. Closes ticket 33956.
Patch by Neel Chauhan.
- Merge the orconn and ocirc events into the "core" subsystem, which
manages or connections and origin circuits. Previously they were
isolated in subsystems of their own.
- Move LOG_PROTOCOL_WARN to app/config. Resolves a dependency
inversion. Closes ticket 33633.
- Move the circuit extend code to the relay module. Split the
circuit extend function into smaller functions. Closes
ticket 33633.
- Rewrite port_parse_config() to use the default port flags from
port_cfg_new(). Closes ticket 32994. Patch by MrSquanchee.
- Updated comments in 'scheduler.c' to reflect old code changes, and
simplified the scheduler channel state change code. Closes
ticket 33349.
- Refactor configuration parsing to use the new config subsystem
code. Closes ticket 33014.
- Move a series of functions related to address resolving into their
own files. Closes ticket 33789.
o Documentation:
- Replace most http:// URLs in our code and documentation with
https:// URLs. (We have left unchanged the code in src/ext/, and
the text in LICENSE.) Closes ticket 31812. Patch from Jeremy Rand.
- Document the limitations of using %include on config files with
seccomp sandbox enabled. Fixes documentation bug 34133; bugfix on
0.3.1.1-alpha. Patch by Daniel Pinto.
o Removed features:
- Our "check-local" test target no longer tries to use the
Coccinelle semantic patching tool parse all the C files. While it
is a good idea to try to make sure Coccinelle works on our C
before we run a Coccinelle patch, doing so on every test run has
proven to be disruptive. You can still run this tool manually with
"make check-cocci". Closes ticket 40030.
- Remove the ClientAutoIPv6ORPort option. This option attempted to
randomly choose between IPv4 and IPv6 for client connections, and
wasn't a true implementation of Happy Eyeballs. Often, this option
failed on IPv4-only or IPv6-only connections. Closes ticket 32905.
Patch by Neel Chauhan.
- Stop shipping contrib/dist/rc.subr file, as it is not being used
on FreeBSD anymore. Closes issue 31576.
o Testing:
- Add a basic IPv6 test to "make test-network". This test only runs
when the local machine has an IPv6 stack. Closes ticket 33300.
- Add test-network-ipv4 and test-network-ipv6 jobs to the Makefile.
These jobs run the IPv4-only and dual-stack chutney flavours from
test-network-all. Closes ticket 33280.
- Remove a redundant distcheck job. Closes ticket 33194.
- Run the test-network-ipv6 Makefile target in the Travis CI IPv6
chutney job. This job runs on macOS, so it's a bit slow. Closes
ticket 33303.
- Sort the Travis jobs in order of speed. Putting the slowest jobs
first takes full advantage of Travis job concurrency. Closes
ticket 33194.
- Stop allowing the Chutney IPv6 Travis job to fail. This job was
previously configured to fast_finish (which requires
allow_failure), to speed up the build. Closes ticket 33195.
- Test v3 onion services to tor's mixed IPv4 chutney network. And
add a mixed IPv6 chutney network. These networks are used in the
test-network-all, test-network-ipv4, and test-network-ipv6 make
targets. Closes ticket 33334.
- Use the "bridges+hs-v23" chutney network flavour in "make test-
network". This test requires a recent version of chutney (mid-
February 2020). Closes ticket 28208.
- When a Travis chutney job fails, use chutney's new "diagnostics.sh"
tool to produce detailed diagnostic output. Closes ticket 32792.
o Deprecated features (onion service v2):
- Add a deprecation warning for version 2 onion services. Closes
ticket 40003.
o Documentation (manual page):
- Add cross reference links and a table of contents to the HTML tor
manual page. Closes ticket 33369. Work by Swati Thacker as part of
Google Season of Docs.
- Alphabetize the Denial of Service Mitigation Options, Directory
Authority Server Options, Hidden Service Options, and Testing
Network Options sections of the tor(1) manual page. Closes ticket
33275. Work by Swati Thacker as part of Google Season of Docs.
- Refrain from mentioning nicknames in manpage section for MyFamily
torrc option. Resolves issue 33417.
- Updated the options set by TestingTorNetwork in the manual page.
Closes ticket 33778.
pkgsrc changes:
- Remove patch-configure: applied upstream
Changes:
Changes in version 0.4.3.6 - 2020-07-09
Tor 0.4.3.6 backports several bugfixes from later releases, including
some affecting usability.
This release also fixes TROVE-2020-001, a medium-severity denial of
service vulnerability affecting all versions of Tor when compiled with
the NSS encryption library. (This is not the default configuration.)
Using this vulnerability, an attacker could cause an affected Tor
instance to crash remotely. This issue is also tracked as CVE-2020-
15572. Anybody running a version of Tor built with the NSS library
should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
or later.
o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
- Fix a crash due to an out-of-bound memory access when Tor is
compiled with NSS support. Fixes bug 33119; bugfix on
0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
and CVE-2020-15572.
o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
- Use the correct 64-bit printf format when compiling with MINGW on
Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.
o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
- Resume use of preemptively-built circuits when UseEntryGuards is set
to 0. We accidentally disabled this feature with that config
setting, leading to slower load times. Fixes bug 34303; bugfix
on 0.3.3.2-alpha.
o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
- Fix a compiler warning on platforms with 32-bit time_t values.
Fixes bug 40028; bugfix on 0.3.2.8-rc.
o Minor bugfixes (linux seccomp sandbox, nss, backport from 0.4.4.1-alpha):
- Fix a startup crash when tor is compiled with --enable-nss and
sandbox support is enabled. Fixes bug 34130; bugfix on
0.3.5.1-alpha. Patch by Daniel Pinto.
o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
- Downgrade a noisy log message that could occur naturally when
receiving an extrainfo document that we no longer want. Fixes bug
16016; bugfix on 0.2.6.3-alpha.
o Minor bugfixes (manual page, backport from 0.4.4.1-alpha):
- Update the man page to reflect that MinUptimeHidServDirectoryV2
defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha.
o Minor bugfixes (onion service v3, backport from 0.4.4.1-alpha):
- Prevent an assert() that would occur when cleaning the client
descriptor cache, and attempting to close circuits for a non-
decrypted descriptor (lacking client authorization). Fixes bug
33458; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (portability, backport from 0.4.4.1-alpha):
- Fix a portability error in the configure script, where we were
using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5.
o Minor bugfixes (relays, backport from 0.4.4.1-alpha):
- Stop advertising incorrect IPv6 ORPorts in relay and bridge
descriptors, when the IPv6 port was configured as "auto". Fixes
bug 32588; bugfix on 0.2.3.9-alpha.
o Documentation (backport from 0.4.4.1-alpha):
- Fix several doxygen warnings related to imbalanced groups. Closes
ticket 34255.
This allows rust-bin and rust to coexist in bulk builds (for testing, etc),
but the packages still may not be installed at the same time.
rust.mk as a solution for picking the correct rust variant was suggested
by gdt@. It is intended to be included directly by packages that do not
use cargo.mk, and indirectly by packages that do use cargo.mk.
rust.mk provides one user-settable variable:
RUST_TYPE
as before, whether to bootstrap rust from source or use
official binaries. may be "src" or "bin"
And two package-settable variables:
RUST_REQ
the minimum version of Rust required by the package.
defaults to "1.20.0"
RUST_RUNTIME
whether Rust is a runtime dependency, may be "yes" or "no"
Changes in version 0.4.3.5 - 2020-05-15
Tor 0.4.3.5 is the first stable release in the 0.4.3.x series. This
series adds support for building without relay code enabled, and
implements functionality needed for OnionBalance with v3 onion
services. It includes significant refactoring of our configuration and
controller functionality, and fixes numerous smaller bugs and
performance issues.
Per our support policy, we support each stable release series for nine
months after its first stable release, or three months after the first
stable release of the next series: whichever is longer. This means
that 0.4.3.x will be supported until around February 2021--later, if
0.4.4.x is later than anticipated.
Note also that support for 0.4.1.x is about to end on May 20 of this
year; 0.4.2.x will be supported until September 15. We still plan to
continue supporting 0.3.5.x, our long-term stable series, until
Feb 2022.
Below are the changes since 0.4.2.6. For a list of only the changes
since 0.4.3.4-rc, see the ChangeLog file.
o New system requirements:
- When building Tor, you now need to have Python 3 in order to run
the integration tests. (Python 2 is officially unsupported
upstream, as of 1 Jan 2020.) Closes ticket 32608.
o Major features (build system):
- The relay code can now be disabled using the --disable-module-relay
configure option. When this option is set, we also disable the
dirauth module. Closes ticket 32123.
- When Tor is compiled --disable-module-relay, we also omit the code
used to act as a directory cache. Closes ticket 32487.
o Major features (directory authority, ed25519):
- Add support for banning a relay's ed25519 keys in the approved-
routers file. This will help us migrate away from RSA keys in the
future. Previously, only RSA keys could be banned in approved-
routers. Resolves ticket 22029. Patch by Neel Chauhan.
o Major features (onion services):
- New control port commands to manage client-side onion service
authorization credentials. The ONION_CLIENT_AUTH_ADD command adds
a credential, ONION_CLIENT_AUTH_REMOVE deletes a credential, and
ONION_CLIENT_AUTH_VIEW lists the credentials. Closes ticket 30381.
- Introduce a new SocksPort flag, ExtendedErrors, to support more
detailed error codes in information for applications that support
them. Closes ticket 30382; implements proposal 304.
o Major features (proxy):
- In addition to its current supported proxy types (HTTP CONNECT,
SOCKS4, and SOCKS5), Tor can now make its OR connections through a
HAProxy server. A new torrc option was added to specify the
address/port of the server: TCPProxy <protocol> <host>:<port>.
Currently the only supported protocol for the option is haproxy.
Closes ticket 31518. Patch done by Suphanat Chunhapanya (haxxpop).
o Major bugfixes (security, denial-of-service):
- Fix a denial-of-service bug that could be used by anyone to
consume a bunch of CPU on any Tor relay or authority, or by
directories to consume a bunch of CPU on clients or hidden
services. Because of the potential for CPU consumption to
introduce observable timing patterns, we are treating this as a
high-severity security issue. Fixes bug 33119; bugfix on
0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
as TROVE-2020-002 and CVE-2020-10592.
o Major bugfixes (circuit padding, memory leak):
- Avoid a remotely triggered memory leak in the case that a circuit
padding machine is somehow negotiated twice on the same circuit.
Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
This is also tracked as TROVE-2020-004 and CVE-2020-10593.
o Major bugfixes (directory authority):
- Directory authorities will now send a 503 (not enough bandwidth)
code to clients when under bandwidth pressure. Known relays and
other authorities will always be answered regardless of the
bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.
o Major bugfixes (DoS defenses, bridges, pluggable transport):
- Fix a bug that was preventing DoS defenses from running on bridges
with a pluggable transport. Previously, the DoS subsystem was not
given the transport name of the client connection, thus failed to
find the GeoIP cache entry for that client address. Fixes bug
33491; bugfix on 0.3.3.2-alpha.
o Major bugfixes (networking):
- Correctly handle IPv6 addresses in SOCKS5 RESOLVE_PTR requests,
and accept strings as well as binary addresses. Fixes bug 32315;
bugfix on 0.3.5.1-alpha.
o Major bugfixes (onion service):
- Report HS circuit failure back into the HS subsystem so we take
appropriate action with regards to the client introduction point
failure cache. This improves reachability of onion services, since
now clients notice failing introduction circuits properly. Fixes
bug 32020; bugfix on 0.3.2.1-alpha.
o Minor feature (heartbeat, onion service):
- Add the DoS INTRODUCE2 defenses counter to the heartbeat DoS
message. Closes ticket 31371.
o Minor feature (sendme, flow control):
- Default to sending SENDME version 1 cells. (Clients are already
sending these, because of a consensus parameter telling them to do
so: this change only affects what clients would do if the
consensus didn't contain a recommendation.) Closes ticket 33623.
o Minor features (best practices tracker):
- Practracker now supports a --regen-overbroad option to regenerate
the exceptions file, but only to revise exceptions to be _less_
tolerant of best-practices violations. Closes ticket 32372.
o Minor features (configuration validation):
- Configuration validation can now be done by per-module callbacks,
rather than a global validation function. This will let us reduce
the size of config.c and some of its more cumbersome functions.
Closes ticket 31241.
o Minor features (configuration):
- If a configured hardware crypto accelerator in AccelName is
prefixed with "!", Tor now exits when it cannot be found. Closes
ticket 32406.
- We now use flag-driven logic to warn about obsolete configuration
fields, so that we can include their names. In 0.4.2, we used a
special type, which prevented us from generating good warnings.
Implements ticket 32404.
o Minor features (configure, build system):
- Output a list of enabled/disabled features at the end of the
configure process in a pleasing way. Closes ticket 31373.
o Minor features (continuous integration):
- Run Doxygen Makefile target on Travis, so we can learn about
regressions in our internal documentation. Closes ticket 32455.
- Stop allowing failures on the Travis CI stem tests job. It looks
like all the stem hangs we were seeing before are now fixed.
Closes ticket 33075.
o Minor features (controller):
- Add stream isolation data to STREAM event. Closes ticket 19859.
- Implement a new GETINFO command to fetch microdescriptor
consensus. Closes ticket 31684.
o Minor features (debugging, directory system):
- Don't crash when we find a non-guard with a guard-fraction value
set. Instead, log a bug warning, in an attempt to figure out how
this happened. Diagnostic for ticket 32868.
o Minor features (defense in depth):
- Add additional checks around tor_vasprintf() usage, in case the
function returns an error. Patch by Tobias Stoeckmann. Fixes
ticket 31147.
o Minor features (developer tools):
- Remove the 0.2.9.x series branches from git scripts (git-merge-
forward.sh, git-pull-all.sh, git-push-all.sh, git-setup-dirs.sh).
Closes ticket 32772.
- Add a check_cocci_parse.sh script that checks that new code is
parseable by Coccinelle. Add an exceptions file for unparseable
files, and run the script from travis CI. Closes ticket 31919.
- Call the check_cocci_parse.sh script from a 'check-cocci' Makefile
target. Closes ticket 31919.
- Add a rename_c_identifiers.py tool to rename a bunch of C
identifiers at once, and generate a well-formed commit message
describing the change. This should help with refactoring. Closes
ticket 32237.
- Add some scripts in "scripts/coccinelle" to invoke the Coccinelle
semantic patching tool with the correct flags. These flags are
fairly easy to forget, and these scripts should help us use
Coccinelle more effectively in the future. Closes ticket 31705.
o Minor features (diagnostic):
- Improve assertions and add some memory-poisoning code to try to
track down possible causes of a rare crash (32564) in the EWMA
code. Closes ticket 33290.
o Minor features (directory authorities):
- Directory authorities now reject descriptors from relays running
Tor versions from the 0.2.9 and 0.4.0 series. The 0.3.5 series is
still allowed. Resolves ticket 32672. Patch by Neel Chauhan.
o Minor features (Doxygen):
- Update Doxygen configuration file to a more recent template (from
1.8.15). Closes ticket 32110.
- "make doxygen" now works with out-of-tree builds. Closes
ticket 32113.
- Make sure that doxygen outputs documentation for all of our C
files. Previously, some were missing @file declarations, causing
them to be ignored. Closes ticket 32307.
- Our "make doxygen" target now respects --enable-fatal-warnings by
default, and does not warn about items that are missing
documentation. To warn about missing documentation, run configure
with the "--enable-missing-doc-warnings" flag: doing so suspends
fatal warnings for doxygen. Closes ticket 32385.
o Minor features (git scripts):
- Add TOR_EXTRA_CLONE_ARGS to git-setup-dirs.sh for git clone
customisation. Closes ticket 32347.
- Add git-setup-dirs.sh, which sets up an upstream git repository
and worktrees for tor maintainers. Closes ticket 29603.
- Add TOR_EXTRA_REMOTE_* to git-setup-dirs.sh for a custom extra
remote. Closes ticket 32347.
- Call the check_cocci_parse.sh script from the git commit and push
hooks. Closes ticket 31919.
- Make git-push-all.sh skip unchanged branches when pushing to
upstream. The script already skipped unchanged test branches.
Closes ticket 32216.
- Make git-setup-dirs.sh create a master symlink in the worktree
directory. Closes ticket 32347.
- Skip unmodified source files when doing some existing git hook
checks. Related to ticket 31919.
o Minor features (IPv6, client):
- Make Tor clients tell dual-stack exits that they prefer IPv6
connections. This change is equivalent to setting the PreferIPv6
flag on SOCKSPorts (and most other listener ports). Tor Browser
has been setting this flag for some time, and we want to remove a
client distinguisher at exits. Closes ticket 32637.
o Minor features (portability, android):
- When building for Android, disable some tests that depend on $HOME
and/or pwdb, which Android doesn't have. Closes ticket 32825.
Patch from Hans-Christoph Steiner.
o Minor features (relay modularity):
- Split the relay and server pluggable transport config code into
separate files in the relay module. Disable this code when the
relay module is disabled. Closes part of ticket 32213.
- When the relay module is disabled, reject attempts to set the
ORPort, DirPort, DirCache, BridgeRelay, ExtORPort, or
ServerTransport* options, rather than ignoring the values of these
options. Closes part of ticket 32213.
- When the relay module is disabled, change the default config so
that DirCache is 0, and ClientOnly is 1. Closes ticket 32410.
o Minor features (release tools):
- Port our ChangeLog formatting and sorting tools to Python 3.
Closes ticket 32704.
o Minor features (testing):
- The unit tests now support a "TOR_SKIP_TESTCASES" environment
variable to specify a list of space-separated test cases that
should not be executed. We will use this to disable certain tests
that are failing on Appveyor because of mismatched OpenSSL
libraries. Part of ticket 33643.
- Detect some common failure cases for test_parseconf.sh in
src/test/conf_failures. Closes ticket 32451.
- Allow test_parseconf.sh to test expected log outputs for successful
configs, as well as failed configs. Closes ticket 32451.
- The test_parseconf.sh script now supports result variants for any
combination of the optional libraries lzma, nss, and zstd. Closes
ticket 32397.
- When running the unit tests on Android, create temporary files in
a subdirectory of /data/local/tmp. Closes ticket 32172. Based on a
patch from Hans-Christoph Steiner.
o Minor features (usability):
- Include more information when failing to parse a configuration
value. This should make it easier to tell what's going wrong when
a configuration file doesn't parse. Closes ticket 33460.
o Minor bugfix (relay, configuration):
- Warn if the ContactInfo field is not set, and tell the relay
operator that not having a ContactInfo field set might cause their
relay to get rejected in the future. Fixes bug 33361; bugfix
on 0.1.1.10-alpha.
o Minor bugfixes (bridges):
- Lowercase the configured value of BridgeDistribution before adding
it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.
o Minor bugfixes (build system):
- Fix "make autostyle" for out-of-tree builds. Fixes bug 32370;
bugfix on 0.4.1.2-alpha.
o Minor bugfixes (compiler compatibility):
- Avoid compiler warnings from Clang 10 related to the use of GCC-
style "/* falls through */" comments. Both Clang and GCC allow
__attribute__((fallthrough)) instead, so that's what we're using
now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
- Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
on 0.4.0.3-alpha.
o Minor bugfixes (configuration handling):
- Make control_event_conf_changed() take in a config_line_t instead
of a smartlist of alternating key/value entries. Fixes bug 31531;
bugfix on 0.2.3.3-alpha. Patch by Neel Chauhan.
- Check for multiplication overflow when parsing memory units inside
configuration. Fixes bug 30920; bugfix on 0.0.9rc1.
- When dumping the configuration, stop adding a trailing space after
the option name when there is no option value. This issue only
affects options that accept an empty value or list. (Most options
reject empty values, or delete the entire line from the dumped
options.) Fixes bug 32352; bugfix on 0.0.9pre6.
- Avoid changing the user's value of HardwareAccel as stored by
SAVECONF, when AccelName is set but HardwareAccel is not. Fixes
bug 32382; bugfix on 0.2.2.1-alpha.
- When creating a KeyDirectory with the same location as the
DataDirectory (not recommended), respect the DataDirectory's
group-readable setting if one has not been set for the
KeyDirectory. Fixes bug 27992; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (continuous integration):
- Remove the buggy and unused mirroring job. Fixes bug 33213; bugfix
on 0.3.2.2-alpha.
o Minor bugfixes (controller protocol):
- When receiving "ACTIVE" or "DORMANT" signals on the control port,
report them as SIGNAL events. Previously we would log a bug
warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (controller):
- In routerstatus_has_changed(), check all the fields that are
output over the control port. Fixes bug 20218; bugfix
on 0.1.1.11-alpha.
o Minor bugfixes (developer tools):
- Allow paths starting with ./ in scripts/add_c_file.py. Fixes bug
31336; bugfix on 0.4.1.2-alpha.
o Minor bugfixes (dirauth module):
- Split the dirauth config code into a separate file in the dirauth
module. Disable this code when the dirauth module is disabled.
Closes ticket 32213.
- When the dirauth module is disabled, reject attempts to set the
AuthoritativeDir option, rather than ignoring the value of the
option. Fixes bug 32213; bugfix on 0.3.4.1-alpha.
o Minor bugfixes (embedded Tor):
- When starting Tor any time after the first time in a process,
register the thread in which it is running as the main thread.
Previously, we only did this on Windows, which could lead to bugs
like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (git scripts):
- Avoid sleeping before the last push in git-push-all.sh. Closes
ticket 32216.
- Forward all unrecognised arguments in git-push-all.sh to git push.
Closes ticket 32216.
o Minor bugfixes (key portability):
- When reading PEM-encoded key data, tolerate CRLF line-endings even
if we are not running on Windows. Previously, non-Windows hosts
would reject these line-endings in certain positions, making
certain key files hard to move from one host to another. Fixes bug
33032; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (logging):
- Stop truncating IPv6 addresses and ports in channel and connection
logs. Fixes bug 33918; bugfix on 0.2.4.4-alpha.
- Flush stderr, stdout, and file logs during shutdown, if supported
by the OS. This change helps make sure that any final logs are
recorded. Fixes bug 33087; bugfix on 0.4.1.6.
- Stop closing stderr and stdout during shutdown. Closing these file
descriptors can hide sanitiser logs. Fixes bug 33087; bugfix
on 0.4.1.6.
- If we encounter a bug when flushing a buffer to a TLS connection,
only log the bug once per invocation of the Tor process.
Previously we would log with every occurrence, which could cause
us to run out of disk space. Fixes bug 33093; bugfix
on 0.3.2.2-alpha.
- When logging a bug, do not say "Future instances of this warning
will be silenced" unless we are actually going to silence them.
Previously we would say this whenever a BUG() check failed in the
code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (onion services v2):
- Move a series of v2 onion service warnings to protocol-warning
level because they can all be triggered remotely by a malformed
request. Fixes bug 32706; bugfix on 0.1.1.14-alpha.
- When sending the INTRO cell for a v2 Onion Service, look at the
failure cache alongside timeout values to check if the intro point
is marked as failed. Previously, we only looked at the relay
timeout values. Fixes bug 25568; bugfix on 0.2.7.3-rc. Patch by
Neel Chauhan.
o Minor bugfixes (onion services v3):
- Remove a BUG() warning that would cause a stack trace if an onion
service descriptor was freed while we were waiting for a
rendezvous circuit to complete. Fixes bug 28992; bugfix
on 0.3.2.1-alpha.
- Relax severity of a log message that can appear naturally when
decoding onion service descriptors as a relay. Also add some
diagnostics to debug any future bugs in that area. Fixes bug
31669; bugfix on 0.3.0.1-alpha.
- Fix an assertion failure that could result from a corrupted
ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
bugfix on 0.3.3.1-alpha. This issue is also tracked
as TROVE-2020-003.
- Properly handle the client rendezvous circuit timeout. Previously
Tor would sometimes timeout a rendezvous circuit awaiting the
introduction ACK, and find itself unable to re-establish all
circuits because the rendezvous circuit timed out too early. Fixes
bug 32021; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (onion services):
- Do not rely on a "circuit established" flag for intro circuits but
instead always query the HS circuit map. This is to avoid sync
issue with that flag and the map. Fixes bug 32094; bugfix
on 0.3.2.1-alpha.
o Minor bugfixes (onion services, all):
- In cancel_descriptor_fetches(), use
connection_list_by_type_purpose() instead of
connection_list_by_type_state(). Fixes bug 32639; bugfix on
0.3.2.1-alpha. Patch by Neel Chauhan.
o Minor bugfixes (pluggable transports):
- When receiving a message on standard error from a pluggable
transport, log it at info level, rather than as a warning. Fixes
bug 33005; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (rust, build):
- Fix a syntax warning given by newer versions of Rust that was
creating problems for our continuous integration. Fixes bug 33212;
bugfix on 0.3.5.1-alpha.
o Minor bugfixes (scripts):
- Fix update_versions.py for out-of-tree builds. Fixes bug 32371;
bugfix on 0.4.0.1-alpha.
o Minor bugfixes (testing):
- Use the same code to find the tor binary in all of our test
scripts. This change makes sure we are always using the coverage
binary when coverage is enabled. Fixes bug 32368; bugfix
on 0.2.7.3-rc.
- Stop ignoring "tor --dump-config" errors in test_parseconf.sh.
Fixes bug 32468; bugfix on 0.4.2.1-alpha.
- Our option-validation tests no longer depend on specially
configured non-default, non-passing sets of options. Previously,
the tests had been written to assume that options would _not_ be
set to their defaults, which led to needless complexity and
verbosity. Fixes bug 32175; bugfix on 0.2.8.1-alpha.
o Minor bugfixes (TLS bug handling):
- When encountering a bug in buf_read_from_tls(), return a "MISC"
error code rather than "WANTWRITE". This change might help avoid
some CPU-wasting loops if the bug is ever triggered. Bug reported
by opara. Fixes bug 32673; bugfix on 0.3.0.4-alpha.
o Deprecated features:
- Deprecate the ClientAutoIPv6ORPort option. This option was not
true "Happy Eyeballs", and often failed on connections that
weren't reliably dual-stack. Closes ticket 32942. Patch by
Neel Chauhan.
o Documentation:
- Provide a quickstart guide for a Circuit Padding Framework, and
documentation for researchers to implement and study circuit
padding machines. Closes ticket 28804.
- Add documentation in 'HelpfulTools.md' to describe how to build a
tag file. Closes ticket 32779.
- Create a high-level description of the long-term software
architecture goals. Closes ticket 32206.
- Describe the --dump-config command in the manual page. Closes
ticket 32467.
- Unite coding advice from this_not_that.md in torguts repo into our
coding standards document. Resolves ticket 31853.
o Removed features:
- Our Doxygen configuration no longer generates LaTeX output. The
reference manual produced by doing this was over 4000 pages long,
and generally unusable. Closes ticket 32099.
- The option "TestingEstimatedDescriptorPropagationTime" is now
marked as obsolete. It has had no effect since 0.3.0.7, when
clients stopped rejecting consensuses "from the future". Closes
ticket 32807.
- We no longer support consensus methods before method 28; these
methods were only used by authorities running versions of Tor that
are now at end-of-life. In effect, this means that clients,
relays, and authorities now assume that authorities will be
running version 0.3.5.x or later. Closes ticket 32695.
o Testing:
- Avoid conflicts between the fake sockets in tor's unit tests, and
real file descriptors. Resolves issues running unit tests with
GitHub Actions, where the process that embeds or launches the
tests has already opened a large number of file descriptors. Fixes
bug 33782; bugfix on 0.2.8.1-alpha. Found and fixed by
Putta Khunchalee.
- Add more test cases for tor's UTF-8 validation function. Also,
check the arguments passed to the function for consistency. Closes
ticket 32845.
- Improve test coverage for relay and dirauth config code, focusing
on option validation and normalization. Closes ticket 32213.
- Improve the consistency of test_parseconf.sh output, and run all
the tests, even if one fails. Closes ticket 32213.
- Run the practracker unit tests in the pre-commit git hook. Closes
ticket 32609.
o Code simplification and refactoring (channel):
- Channel layer had a variable length cell handler that was not used
and thus removed. Closes ticket 32892.
o Code simplification and refactoring (configuration):
- Immutability is now implemented as a flag on individual
configuration options rather than as part of the option-transition
checking code. Closes ticket 32344.
- Instead of keeping a list of configuration options to check for
relative paths, check all the options whose type is "FILENAME".
Solves part of ticket 32339.
- Our default log (which ordinarily sends NOTICE-level messages to
standard output) is now handled in a more logical manner.
Previously, we replaced the configured log options if they were
empty. Now, we interpret an empty set of log options as meaning
"use the default log". Closes ticket 31999.
- Remove some unused arguments from the options_validate() function,
to simplify our code and tests. Closes ticket 32187.
- Simplify the options_validate() code so that it looks at the
default options directly, rather than taking default options as an
argument. This change lets us simplify its interface. Closes
ticket 32185.
- Use our new configuration architecture to move most authority-
related options to the directory authority module. Closes
ticket 32806.
- When parsing the command line, handle options that determine our
"quiet level" and our mode of operation (e.g., --dump-config and
so on) all in one table. Closes ticket 32003.
o Code simplification and refactoring (controller):
- Create a new abstraction for formatting control protocol reply
lines based on key-value pairs. Refactor some existing control
protocol code to take advantage of this. Closes ticket 30984.
- Create a helper function that can fetch network status or
microdesc consensuses. Closes ticket 31684.
o Code simplification and refactoring (dirauth modularization):
- Remove the last remaining HAVE_MODULE_DIRAUTH inside a function.
Closes ticket 32163.
- Replace some confusing identifiers in process_descs.c. Closes
ticket 29826.
- Simplify some relay and dirauth config code. Closes ticket 32213.
o Code simplification and refactoring (mainloop):
- Simplify the ip_address_changed() function by removing redundant
checks. Closes ticket 33091.
o Code simplification and refactoring (misc):
- Make all the structs we declare follow the same naming convention
of ending with "_t". Closes ticket 32415.
- Move and rename some configuration-related code for clarity.
Closes ticket 32304.
- Our include.am files are now broken up by subdirectory.
Previously, src/core/include.am covered all of the subdirectories
in "core", "feature", and "app". Closes ticket 32137.
- Remove underused NS*() macros from test code: they make our tests
more confusing, especially for code-formatting tools. Closes
ticket 32887.
o Code simplification and refactoring (relay modularization):
- Disable relay_periodic when the relay module is disabled. Closes
ticket 32244.
- Disable relay_sys when the relay module is disabled. Closes
ticket 32245.
o Code simplification and refactoring (tool support):
- Add numerous missing dependencies to our include files, so that
they can be included in different reasonable orders and still
compile. Addresses part of ticket 32764.
- Fix some parts of our code that were difficult for Coccinelle to
parse. Related to ticket 31705.
- Fix some small issues in our code that prevented automatic
formatting tools from working. Addresses part of ticket 32764.
o Documentation (manpage):
- Alphabetize the Server and Directory server sections of the tor
manpage. Also split Statistics options into their own section of
the manpage. Closes ticket 33188. Work by Swati Thacker as part of
Google Season of Docs.
- Document the __OwningControllerProcess torrc option and specify
its polling interval. Resolves issue 32971.
- Split "Circuit Timeout" options and "Node Selection" options into
their own sections of the tor manpage. Closes tickets 32928 and
32929. Work by Swati Thacker as part of Google Season of Docs.
- Alphabetize the Client Options section of the tor manpage. Closes
ticket 32846.
- Alphabetize the General Options section of the tor manpage. Closes
ticket 32708.
- In the tor(1) manpage, reword and improve formatting of the
COMMAND-LINE OPTIONS and DESCRIPTION sections. Closes ticket
32277. Based on work by Swati Thacker as part of Google Season
of Docs.
- In the tor(1) manpage, reword and improve formatting of the FILES,
SEE ALSO, and BUGS sections. Closes ticket 32176. Based on work by
Swati Thacker as part of Google Season of Docs.
o Testing (Appveyor CI):
- In our Appveyor Windows CI, copy required DLLs to test and app
directories, before running tor's tests. This ensures that tor.exe
and test*.exe use the correct version of each DLL. This fix is not
required, but we hope it will avoid DLL search issues in future.
Fixes bug 33673; bugfix on 0.3.4.2-alpha.
- On Appveyor, skip the crypto/openssl_version test, which is
failing because of a mismatched library installation. Fix
for 33643.
o Testing (circuit, EWMA):
- Add unit tests for circuitmux and EWMA subsystems. Closes
ticket 32196.
o Testing (Travis CI):
- Remove a redundant distcheck job. Closes ticket 33194.
- Sort the Travis jobs in order of speed: putting the slowest jobs
first takes full advantage of Travis job concurrency. Closes
ticket 33194.
- Stop allowing the Chutney IPv6 Travis job to fail. This job was
previously configured to fast_finish (which requires
allow_failure), to speed up the build. Closes ticket 33195.
- When a Travis chutney job fails, use chutney's new "diagnostics.sh"
tool to produce detailed diagnostic output. Closes ticket 32792.
Changes in version 0.4.2.7 - 2020-03-18
This is the third stable release in the 0.4.2.x series. It backports
numerous fixes from later releases, including a fix for TROVE-2020-
002, a major denial-of-service vulnerability that affected all
released Tor instances since 0.2.1.5-alpha. Using this vulnerability,
an attacker could cause Tor instances to consume a huge amount of CPU,
disrupting their operations for several seconds or minutes. This
attack could be launched by anybody against a relay, or by a directory
cache against any client that had connected to it. The attacker could
launch this attack as much as they wanted, thereby disrupting service
or creating patterns that could aid in traffic analysis. This issue
was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.
We do not have reason to believe that this attack is currently being
exploited in the wild, but nonetheless we advise everyone to upgrade
as soon as packages are available.
o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
- Fix a denial-of-service bug that could be used by anyone to
consume a bunch of CPU on any Tor relay or authority, or by
directories to consume a bunch of CPU on clients or hidden
services. Because of the potential for CPU consumption to
introduce observable timing patterns, we are treating this as a
high-severity security issue. Fixes bug 33119; bugfix on
0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
as TROVE-2020-002 and CVE-2020-10592.
o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
- Avoid a remotely triggered memory leak in the case that a circuit
padding machine is somehow negotiated twice on the same circuit.
Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
This is also tracked as TROVE-2020-004 and CVE-2020-10593.
o Major bugfixes (directory authority, backport from 0.4.3.3-alpha):
- Directory authorities will now send a 503 (not enough bandwidth)
code to clients when under bandwidth pressure. Known relays and
other authorities will always be answered regardless of the
bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.
o Minor features (continuous integration, backport from 0.4.3.2-alpha):
- Stop allowing failures on the Travis CI stem tests job. It looks
like all the stem hangs we were seeing before are now fixed.
Closes ticket 33075.
o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
- Lowercase the configured value of BridgeDistribution before adding
it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.
o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
- If we encounter a bug when flushing a buffer to a TLS connection,
only log the bug once per invocation of the Tor process.
Previously we would log with every occurrence, which could cause
us to run out of disk space. Fixes bug 33093; bugfix
on 0.3.2.2-alpha.
o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
- Fix an assertion failure that could result from a corrupted
ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
bugfix on 0.3.3.1-alpha. This issue is also tracked
as TROVE-2020-003.
o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
- Fix a syntax warning given by newer versions of Rust that was
creating problems for our continuous integration. Fixes bug 33212;
bugfix on 0.3.5.1-alpha.
o Testing (Travis CI, backport from 0.4.3.3-alpha):
- Remove a redundant distcheck job. Closes ticket 33194.
- Sort the Travis jobs in order of speed: putting the slowest jobs
first takes full advantage of Travis job concurrency. Closes
ticket 33194.
- Stop allowing the Chutney IPv6 Travis job to fail. This job was
previously configured to fast_finish (which requires
allow_failure), to speed up the build. Closes ticket 33195.
- When a Travis chutney job fails, use chutney's new "diagnostics.sh"
tool to produce detailed diagnostic output. Closes ticket 32792.
Changes:
0.4.2.6
-------
This is the second stable release in the 0.4.2.x series. It backports
several bugfixes from 0.4.3.1-alpha, including some that had affected
the Linux seccomp2 sandbox or Windows services. If you're running with
one of those configurations, you'll probably want to upgrade;
otherwise, you should be fine with 0.4.2.5.
o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha):
- Correct how we use libseccomp. Particularly, stop assuming that
rules are applied in a particular order or that more rules are
processed after the first match. Neither is the case! In
libseccomp <2.4.0 this lead to some rules having no effect.
libseccomp 2.4.0 changed how rules are generated, leading to a
different ordering, which in turn led to a fatal crash during
startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
Peter Gerber.
- Fix crash when reloading logging configuration while the
experimental sandbox is enabled. Fixes bug 32841; bugfix on
0.4.1.7. Patch by Peter Gerber.
o Minor bugfixes (correctness checks, backport from 0.4.3.1-alpha):
- Use GCC/Clang's printf-checking feature to make sure that
tor_assertf() arguments are correctly typed. Fixes bug 32765;
bugfix on 0.4.1.1-alpha.
o Minor bugfixes (logging, crash, backport from 0.4.3.1-alpha):
- Avoid a possible crash when trying to log a (fatal) assertion
failure about mismatched magic numbers in configuration objects.
Fixes bug 32771; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (testing, backport from 0.4.3.1-alpha):
- When TOR_DISABLE_PRACTRACKER is set, do not apply it to the
test_practracker.sh script. Doing so caused a test failure. Fixes
bug 32705; bugfix on 0.4.2.1-alpha.
- When TOR_DISABLE_PRACTRACKER is set, log a notice to stderr when
skipping practracker checks. Fixes bug 32705; bugfix
on 0.4.2.1-alpha.
o Minor bugfixes (windows service, backport from 0.4.3.1-alpha):
- Initialize the publish/subscribe system when running as a windows
service. Fixes bug 32778; bugfix on 0.4.1.1-alpha.
o Testing (backport from 0.4.3.1-alpha):
- Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
fix the sandbox errors in 32722. Closes ticket 32240.
- Re-enable the Travis CI macOS Chutney build, but don't let it
prevent the Travis job from finishing. (The Travis macOS jobs are
slow, so we don't want to have it delay the whole CI process.)
Closes ticket 32629.
o Testing (continuous integration, backport from 0.4.3.1-alpha):
- Use zstd in our Travis Linux builds. Closes ticket 32242.
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
Changelog:
Changes in version 0.4.2.5 - 2019-12-09
This is the first stable release in the 0.4.2.x series. This series
improves reliability and stability, and includes several stability and
correctness improvements for onion services. It also fixes many smaller
bugs present in previous series.
Per our support policy, we will support the 0.4.2.x series for nine
months, or until three months after the release of a stable 0.4.3.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Per our support policy, we will support the 0.4.2.x series for nine
months, or until three months after the release of a stable 0.4.3.x:
whichever is longer. If you need longer-term support, please stick
with 0.3.5.x, which will we plan to support until Feb 2022.
Below are the changes since 0.4.1.4-rc. For a complete list of changes
since 0.4.1.5, see the ReleaseNotes file.
o Minor features (geoip):
- Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
Country database. Closes ticket 32685.
o Testing:
- Require C99 standards-conforming code in Travis CI, but allow GNU
gcc extensions. Also activates clang's -Wtypedef-redefinition
warnings. Build some jobs with -std=gnu99, and some jobs without.
Closes ticket 32500.
Changes in version 0.4.2.4-rc - 2019-11-15
Tor 0.4.2.4-rc is the first release candidate in its series. It fixes
several bugs from earlier versions, including a few that would result in
stack traces or incorrect behavior.
o Minor features (build system):
- Make pkg-config use --prefix when cross-compiling, if
PKG_CONFIG_PATH is not set. Closes ticket 32191.
o Minor features (geoip):
- Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2
Country database. Closes ticket 32440.
o Minor bugfixes (client, onion service v3):
- Fix a BUG() assertion that occurs within a very small race window
between when a client intro circuit opens and when its descriptor
gets cleaned up from the cache. The circuit is now closed early,
which will trigger a re-fetch of the descriptor and continue the
connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.
o Minor bugfixes (code quality):
- Fix "make check-includes" so it runs correctly on out-of-tree
builds. Fixes bug 31335; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (configuration):
- Log the option name when skipping an obsolete option. Fixes bug
32295; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (crash):
- When running Tor with an option like --verify-config or
--dump-config that does not start the event loop, avoid crashing
if we try to exit early because of an error. Fixes bug 32407;
bugfix on 0.3.3.1-alpha.
o Minor bugfixes (directory):
- When checking if a directory connection is anonymous, test if the
circuit was marked for close before looking at its channel. This
avoids a BUG() stacktrace if the circuit was previously closed.
Fixes bug 31958; bugfix on 0.4.2.1-alpha.
o Minor bugfixes (shellcheck):
- Fix minor shellcheck errors in the git-*.sh scripts. Fixes bug
32402; bugfix on 0.4.2.1-alpha.
- Start checking most scripts for shellcheck errors again. Fixes bug
32402; bugfix on 0.4.2.1-alpha.
o Testing (continuous integration):
- Use Ubuntu Bionic images for our Travis CI builds, so we can get a
recent version of coccinelle. But leave chutney on Ubuntu Trusty,
until we can fix some Bionic permissions issues (see ticket
32240). Related to ticket 31919.
- Install the mingw OpenSSL package in Appveyor. This makes sure
that the OpenSSL headers and libraries match in Tor's Appveyor
builds. (This bug was triggered by an Appveyor image update.)
Fixes bug 32449; bugfix on 0.3.5.6-rc.
- In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
Changes in version 0.4.2.3-alpha - 2019-10-24
This release fixes several bugs from the previous alpha release, and
from earlier versions of Tor.
o Major bugfixes (relay):
- Relays now respect their AccountingMax bandwidth again. When
relays entered "soft" hibernation (which typically starts when
we've hit 90% of our AccountingMax), we had stopped checking
whether we should enter hard hibernation. Soft hibernation refuses
new connections and new circuits, but the existing circuits can
continue, meaning that relays could have exceeded their configured
AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.
o Major bugfixes (v3 onion services):
- Onion services now always use the exact number of intro points
configured with the HiddenServiceNumIntroductionPoints option (or
fewer if nodes are excluded). Before, a service could sometimes
pick more intro points than configured. Fixes bug 31548; bugfix
on 0.3.2.1-alpha.
o Minor feature (onion services, control port):
- The ADD_ONION command's keyword "BEST" now defaults to ED25519-V3
(v3) onion services. Previously it defaulted to RSA1024 (v2).
Closes ticket 29669.
o Minor features (testing):
- When running tests that attempt to look up hostnames, replace the
libc name lookup functions with ones that do not actually touch
the network. This way, the tests complete more quickly in the
presence of a slow or missing DNS resolver. Closes ticket 31841.
o Minor features (testing, continuous integration):
- Disable all but one Travis CI macOS build, to mitigate slow
scheduling of Travis macOS jobs. Closes ticket 32177.
- Run the chutney IPv6 networks as part of Travis CI. Closes
ticket 30860.
- Simplify the Travis CI build matrix, and optimise for build time.
Closes ticket 31859.
- Use Windows Server 2019 instead of Windows Server 2016 in our
Appveyor builds. Closes ticket 32086.
o Minor bugfixes (build system):
- Interpret "--disable-module-dirauth=no" correctly. Fixes bug
32124; bugfix on 0.3.4.1-alpha.
- Interpret "--with-tcmalloc=no" correctly. Fixes bug 32124; bugfix
on 0.2.0.20-rc.
- Stop failing when jemalloc is requested, but tcmalloc is not
found. Fixes bug 32124; bugfix on 0.3.5.1-alpha.
- When pkg-config is not installed, or a library that depends on
pkg-config is not found, tell the user what to do to fix the
problem. Fixes bug 31922; bugfix on 0.3.1.1-alpha.
o Minor bugfixes (connections):
- Avoid trying to read data from closed connections, which can cause
needless loops in Libevent and infinite loops in Shadow. Fixes bug
30344; bugfix on 0.1.1.1-alpha.
o Minor bugfixes (error handling):
- Always lock the backtrace buffer before it is used. Fixes bug
31734; bugfix on 0.2.5.3-alpha.
o Minor bugfixes (mainloop, periodic events, in-process API):
- Reset the periodic events' "enabled" flag when Tor is shut down
cleanly. Previously, this flag was left on, which caused periodic
events not to be re-enabled when Tor was relaunched in-process
with tor_api.h after a shutdown. Fixes bug 32058; bugfix
on 0.3.3.1-alpha.
o Minor bugfixes (process management):
- Remove overly strict assertions that triggered when a pluggable
transport failed to launch. Fixes bug 31091; bugfix
on 0.4.0.1-alpha.
- Remove an assertion in the Unix process backend. This assertion
would trigger when we failed to find the executable for a child
process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (testing):
- Avoid intermittent test failures due to a test that had relied on
inconsistent timing sources. Fixes bug 31995; bugfix
on 0.3.1.3-alpha.
- When testing port rebinding, don't busy-wait for tor to log.
Instead, actually sleep for a short time before polling again.
Also improve the formatting of control commands and log messages.
Fixes bug 31837; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (tls, logging):
- Log bugs about the TLS read buffer's length only once, rather than
filling the logs with similar warnings. Fixes bug 31939; bugfix
on 0.3.0.4-rc.
o Minor bugfixes (v3 onion services):
- Fix an implicit conversion from ssize_t to size_t discovered by
Coverity. Fixes bug 31682; bugfix on 0.4.2.1-alpha.
- Fix a memory leak in an unlikely error code path when encoding HS
DoS establish intro extension cell. Fixes bug 32063; bugfix
on 0.4.2.1-alpha.
- When cleaning up intro circuits for a v3 onion service, don't
remove circuits that have an established or pending circuit, even
if they ran out of retries. This way, we don't remove a circuit on
its last retry. Fixes bug 31652; bugfix on 0.3.2.1-alpha.
o Documentation:
- Correct the description of "GuardLifetime". Fixes bug 31189;
bugfix on 0.3.0.1-alpha.
- Make clear in the man page, in both the bandwidth section and the
AccountingMax section, that Tor counts in powers of two, not
powers of ten: 1 GByte is 1024*1024*1024 bytes, not one billion
bytes. Resolves ticket 32106.
Changes in version 0.4.2.2-alpha - 2019-10-07
This release fixes several bugs from the previous alpha release, and
from earlier versions. It also includes a change in authorities, so
that they begin to reject the currently unsupported release series.
o Major features (directory authorities):
- Directory authorities now reject relays running all currently
deprecated release series. The currently supported release series
are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.
o Major bugfixes (embedded Tor):
- Avoid a possible crash when restarting Tor in embedded mode and
enabling a different set of publish/subscribe messages. Fixes bug
31898; bugfix on 0.4.1.1-alpha.
o Major bugfixes (torrc parsing):
- Stop ignoring torrc options after an %include directive, when the
included directory ends with a file that does not contain any
config options (but does contain comments or whitespace). Fixes
bug 31408; bugfix on 0.3.1.1-alpha.
o Minor features (auto-formatting scripts):
- When annotating C macros, never generate a line that our check-
spaces script would reject. Closes ticket 31759.
- When annotating C macros, try to remove cases of double-negation.
Closes ticket 31779.
o Minor features (continuous integration):
- When building on Appveyor and Travis, pass the "-k" flag to make,
so that we are informed of all compilation failures, not just the
first one or two. Closes ticket 31372.
o Minor features (geoip):
- Update geoip and geoip6 to the October 1 2019 Maxmind GeoLite2
Country database. Closes ticket 31931.
o Minor features (maintenance scripts):
- Add a Coccinelle script to detect bugs caused by incrementing or
decrementing a variable inside a call to log_debug(). Since
log_debug() is a macro whose arguments are conditionally
evaluated, it is usually an error to do this. One such bug was
30628, in which SENDME cells were miscounted by a decrement
operator inside a log_debug() call. Closes ticket 30743.
o Minor features (onion services v3):
- Assist users who try to setup v2 client authorization in v3 onion
services by pointing them to the right documentation. Closes
ticket 28966.
o Minor bugfixes (Appveyor continuous integration):
- Avoid spurious errors when Appveyor CI fails before the install
step. Fixes bug 31884; bugfix on 0.3.4.2-alpha.
o Minor bugfixes (best practices tracker):
- When listing overbroad exceptions, do not also list problems, and
do not list insufficiently broad exceptions. Fixes bug 31338;
bugfix on 0.4.2.1-alpha.
o Minor bugfixes (controller protocol):
- Fix the MAPADDRESS controller command to accept one or more
arguments. Previously, it required two or more arguments, and
ignored the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (logging):
- Add a missing check for HAVE_PTHREAD_H, because the backtrace code
uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
- Disable backtrace signal handlers when shutting down tor. Fixes
bug 31614; bugfix on 0.2.5.2-alpha.
- Rate-limit our the logging message about the obsolete .exit
notation. Previously, there was no limit on this warning, which
could potentially be triggered many times by a hostile website.
Fixes bug 31466; bugfix on 0.2.2.1-alpha.
- When initialising log domain masks, only set known log domains.
Fixes bug 31854; bugfix on 0.2.1.1-alpha.
o Minor bugfixes (logging, protocol violations):
- Do not log a nonfatal assertion failure when receiving a VERSIONS
cell on a connection using the obsolete v1 link protocol. Log a
protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.
o Minor bugfixes (modules):
- Explain what the optional Directory Authority module is, and what
happens when it is disabled. Fixes bug 31825; bugfix
on 0.3.4.1-alpha.
o Minor bugfixes (multithreading):
- Avoid some undefined behaviour when freeing mutexes. Fixes bug
31736; bugfix on 0.0.7.
o Minor bugfixes (relay):
- Avoid crashing when starting with a corrupt keys directory where
the old ntor key and the new ntor key are identical. Fixes bug
30916; bugfix on 0.2.4.8-alpha.
o Minor bugfixes (tests, SunOS):
- Avoid a map_anon_nofork test failure due to a signed/unsigned
integer comparison. Fixes bug 31897; bugfix on 0.4.1.1-alpha.
o Code simplification and refactoring:
- Refactor connection_control_process_inbuf() to reduce the size of
a practracker exception. Closes ticket 31840.
- Refactor the microdescs_parse_from_string() function into smaller
pieces, for better comprehensibility. Closes ticket 31675.
- Use SEVERITY_MASK_IDX() to find the LOG_* mask indexes in the unit
tests and fuzzers, rather than using hard-coded values. Closes
ticket 31334.
- Interface for function `decrypt_desc_layer` cleaned up. Closes
ticket 31589.
o Documentation:
- Document the signal-safe logging behaviour in the tor man page.
Also add some comments to the relevant functions. Closes
ticket 31839.
- Explain why we can't destroy the backtrace buffer mutex. Explain
why we don't need to destroy the log mutex. Closes ticket 31736.
- The Tor source code repository now includes a (somewhat dated)
description of Tor's modular architecture, in doc/HACKING/design.
This is based on the old "tor-guts.git" repository, which we are
adopting and superseding. Closes ticket 31849.
Notable changes in version 0.4.1.6 - 2019-09-19
This release backports several bugfixes to improve stability and
correctness. Anyone experiencing build problems or crashes with 0.4.1.5,
or experiencing reliability issues with single onion services, should
upgrade.
o Major bugfixes (crash, Linux, Android, backport from 0.4.2.1-alpha):
- Tolerate systems (including some Android installations) where
madvise and MADV_DONTDUMP are available at build-time, but not at
run time. Previously, these systems would notice a failed syscall
and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
- Tolerate systems (including some Linux installations) where
madvise and/or MADV_DONTFORK are available at build-time, but not
at run time. Previously, these systems would notice a failed
syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (controller protocol):
- Fix the MAPADDRESS controller command to accept one or more
arguments. Previously, it required two or more arguments, and ignored
the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.
o Minor bugfixes (guards, backport from 0.4.2.1-alpha):
- When tor is missing descriptors for some primary entry guards,
make the log message less alarming. It's normal for descriptors to
expire, as long as tor fetches new ones soon after. Fixes bug
31657; bugfix on 0.3.3.1-alpha.
o Minor bugfixes (logging, backport from 0.4.2.1-alpha):
- Change log level of message "Hash of session info was not as
expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
on 0.1.1.10-alpha.
o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha):
- Always retry v2 single onion service intro and rend circuits with
a 3-hop path. Previously, v2 single onion services used a 3-hop
path when rendezvous circuits were retried after a remote or
delayed failure, but a 1-hop path for immediate retries. Fixes bug
23818; bugfix on 0.2.9.3-alpha.
o Minor bugfixes (v3 single onion services, backport from 0.4.2.1-alpha):
- Always retry v3 single onion service intro and rend circuits with
a 3-hop path. Previously, v3 single onion services used a 3-hop
path when rend circuits were retried after a remote or delayed
failure, but a 1-hop path for immediate retries. Fixes bug 23818;
bugfix on 0.3.2.1-alpha.
- Make v3 single onion services fall back to a 3-hop intro, when all
intro points are unreachable via a 1-hop path. Previously, v3
single onion services failed when all intro nodes were unreachable
via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.
wiz
riastradh
nia
gdt
ryoon
leot
rillig
jperkin
ng0
alnsn