ChangeLog

Changes in version 0.4.6.3-rc - 2021-05-10
  Tor 0.4.6.3-rc is the first release candidate in its series. It fixes
  a few small bugs from previous versions, and adds a better error
  message when trying to use (no longer supported) v2 onion services.

  Though we anticipate that we'll be doing a bit more clean-up between
  now and the stable release, we expect that our remaining changes will
  be fairly simple. There will likely be at least one more release
  candidate before 0.4.6.x is stable.

  o Major bugfixes (onion service, control port):
    - Make the ADD_ONION command properly configure client authorization.
      Before this fix, the created onion failed to add the client(s).
      Fixes bug 40378; bugfix on 0.4.6.1-alpha.

  o Minor features (compatibility, Linux seccomp sandbox):
    - Add a workaround to enable the Linux sandbox to work correctly
      with Glibc 2.33. This version of Glibc has started using the
      fstatat() system call, which previously our sandbox did not allow.
      Closes ticket 40382; see the ticket for a discussion of trade-offs.

  o Minor features (compilation):
    - Make the autoconf script build correctly with autoconf versions
      2.70 and later. Closes part of ticket 40335.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2021/05/07.

  o Minor features (onion services):
    - Add a warning message when trying to connect to (no longer
      supported) v2 onion services. Closes ticket 40373.

  o Minor bugfixes (build, cross-compilation):
    - Allow a custom "ar" for cross-compilation. Our previous build
      script had used the $AR environment variable in most places, but
      it missed one. Fixes bug 40369; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (compiler warnings):
    - Fix an indentation problem that led to a warning from GCC 11.1.1.
      Fixes bug 40380; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (logging, relay):
    - Emit a warning if an Address is found to be internal and tor can't
      use it. Fixes bug 40290; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (onion service, client, memory leak):
    - Fix a bug where an expired cached descriptor could get overwritten
      with a new one without freeing it, leading to a memory leak. Fixes
      bug 40356; bugfix on 0.3.5.1-alpha.


Changes in version 0.4.6.2-alpha - 2021-04-15
  Tor 0.4.6.2-alpha is the second alpha in its series. It fixes several
  small bugs in previous releases, and solves other issues that had
  enabled denial-of-service attacks and affected integration with
  other tools.

  o Minor features (client):
    - Clients now check whether their streams are attempting to re-enter
      the Tor network (i.e. to send Tor traffic over Tor), and close
      them preemptively if they think exit relays will refuse them for
      this reason. See ticket 2667 for details. Closes ticket 40271.

  o Minor features (command line):
    - Add long format name "--torrc-file" equivalent to the existing
      command-line option "-f". Closes ticket 40324. Patch by
      Daniel Pinto.

  o Minor features (dormant mode):
    - Add a new 'DormantTimeoutEnabled' option to allow coarse-grained
      control over whether the client ever becomes dormant from
      inactivity. Most people won't need this. Closes ticket 40228.

  o Minor features (fallback directory list):
    - Regenerate the list of fallback directories to contain a new set
      of 200 relays. Closes ticket 40265.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2021/04/13.

  o Minor features (logging):
    - Edit heartbeat log messages so that more of them begin with the
      string "Heartbeat: ". Closes ticket 40322; patch
      from 'cypherpunks'.

  o Minor bugfixes (bridge, pluggable transport):
    - Fix a regression that made it impossible start Tor using a bridge
      line with a transport name and no fingerprint. Fixes bug 40360;
      bugfix on 0.4.5.4-rc.

  o Minor bugfixes (channel, DoS):
    - Fix a non-fatal BUG() message due to a too-early free of a string,
      when listing a client connection from the DoS defenses subsystem.
      Fixes bug 40345; bugfix on 0.4.3.4-rc.

  o Minor bugfixes (compilation):
    - Fix a compilation warning about unused functions when building
      with a libc that lacks the GLOB_ALTDIRFUNC constant. Fixes bug
      40354; bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (configuration):
    - Fix pattern-matching for directories on all platforms when using
      %include options in configuration files. This patch also fixes
      compilation on musl libc based systems. Fixes bug 40141; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (relay):
    - Move the "overload-general" line from extrainfo to the server
      descriptor. Fixes bug 40364; bugfix on 0.4.6.1-alpha.

  o Minor bugfixes (testing, BSD):
    - Fix pattern-matching errors when patterns expand to invalid paths
      on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
      Daniel Pinto.

  o Documentation (manual):
    - Move the ServerTransport* options to the "SERVER OPTIONS" section.
      Closes issue 40331.
    - Indicate that the HiddenServiceStatistics option also applies to
      bridges. Closes ticket 40346.
    - Move the description of BridgeRecordUsageByCountry to the section
      "STATISTICS OPTIONS". Closes ticket 40323.


Changes in version 0.4.6.1-alpha - 2021-03-18
  Tor 0.4.6.1-alpha is the first alpha release in the 0.4.6.x series. It
  improves client circuit performance, adds missing features, and
  improves some of our DoS handling and statistics reporting. It also
  includes numerous smaller bugfixes.

  Below are the changes since 0.4.5.7. (Note that this release DOES
  include the fixes for the security bugs already fixed in 0.4.5.7.)

  o Major features (control port, onion services):
    - Add controller support for creating version 3 onion services with
      client authorization. Previously, only v2 onion services could be
      created with client authorization. Closes ticket 40084. Patch by
      Neel Chauhan.

  o Major features (directory authority):
    - When voting on a relay with a Sybil-like appearance, add the Sybil
      flag when clearing out the other flags. This lets a relay operator
      know why their relay hasn't been included in the consensus. Closes
      ticket 40255. Patch by Neel Chauhan.

  o Major features (metrics):
    - Relays now report how overloaded they are in their extrainfo
      documents. This information is controlled with the
      OverloadStatistics torrc option, and it will be used to improve
      decisions about the network's load balancing. Implements proposal
      328; closes ticket 40222.

  o Major features (relay, denial of service):
    - Add a new DoS subsystem feature to control the rate of client
      connections for relays. Closes ticket 40253.

  o Major features (statistics):
    - Relays now publish statistics about the number of v3 onion
      services and volume of v3 onion service traffic, in the same
      manner they already do for v2 onions. Closes ticket 23126.

  o Major bugfixes (circuit build timeout):
    - Improve the accuracy of our circuit build timeout calculation for
      60%, 70%, and 80% build rates for various guard choices. We now
      use a maximum likelihood estimator for Pareto parameters of the
      circuit build time distribution, instead of a "right-censored
      estimator". This causes clients to ignore circuits that never
      finish building in their timeout calculations. Previously, clients
      were counting such unfinished circuits as having the highest
      possible build time value, when in reality these circuits most
      likely just contain relays that are offline. We also now wait a
      bit longer to let circuits complete for measurement purposes,
      lower the minimum possible effective timeout from 1.5 seconds to
      10ms, and increase the resolution of the circuit build time
      histogram from 50ms bin widths to 10ms bin widths. Additionally,
      we alter our estimate Xm by taking the maximum of the top 10 most
      common build time values of the 10ms histogram, and compute Xm as
      the average of these. Fixes bug 40168; bugfix on 0.2.2.14-alpha.
    - Remove max_time calculation and associated warning from circuit
      build timeout 'alpha' parameter estimation, as this is no longer
      needed by our new estimator from 40168. Fixes bug 34088; bugfix
      on 0.2.2.9-alpha.

  o Major bugfixes (signing key):
    - In the tor-gencert utility, give an informative error message if
      the passphrase given in `--create-identity-key` is too short.
      Fixes bug 40189; bugfix on 0.2.0.1-alpha. Patch by Neel Chauhan.

  o Minor features (bridge):
    - We now announce the URL to Tor's new bridge status at
      https://bridges.torproject.org/ when Tor is configured to run as a
      bridge relay. Closes ticket 30477.

  o Minor features (build system):
    - New "make lsp" command to auto generate the compile_commands.json
      file used by the ccls server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (command-line interface):
    - Add build informations to `tor --version` in order to ease
      reproducible builds. Closes ticket 32102.
    - When parsing command-line flags that take an optional argument,
      treat the argument as absent if it would start with a '-'
      character. Arguments in that form are not intelligible for any of
      our optional-argument flags. Closes ticket 40223.
    - Allow a relay operator to list the ed25519 keys on the command
      line by adding the `rsa` and `ed25519` arguments to the
      --list-fingerprint flag to show the respective RSA and ed25519
      relay fingerprint. Closes ticket 33632. Patch by Neel Chauhan.

  o Minor features (control port, stream handling):
    - Add the stream ID to the event line in the ADDRMAP control event.
      Closes ticket 40249. Patch by Neel Chauhan.

  o Minor features (dormant mode):
    - Add a new 'DormantTimeoutEnabled' option for coarse-grained
      control over whether the client can become dormant from
      inactivity. Most people won't need this. Closes ticket 40228.

  o Minor features (logging):
    - Change the DoS subsystem heartbeat line format to be more clear on
      what has been detected/rejected, and which option is disabled (if
      any). Closes ticket 40308.
    - In src/core/mainloop/mainloop.c and src/core/mainloop/connection.c,
      put brackets around IPv6 addresses in log messages. Closes ticket
      40232. Patch by Neel Chauhan.

  o Minor features (performance, windows):
    - Use SRWLocks to implement locking on Windows. Replaces the
      "critical section" locking implementation with the faster
      SRWLocks, available since Windows Vista. Closes ticket 17927.
      Patch by Daniel Pinto.

  o Minor features (protocol, proxy support, defense in depth):
    - Close HAProxy connections if they somehow manage to send us data
      before we start reading. Closes another case of ticket 40017.

  o Minor features (tests, portability):
    - Port the hs_build_address.py test script to work with recent
      versions of python. Closes ticket 40213. Patch from
      Samanta Navarro.

  o Minor features (vote document):
    - Add a "stats" line to directory authority votes, to report various
      statistics that authorities compute about the relays. This will
      help us diagnose the network better. Closes ticket 40314.

  o Minor bugfixes (build):
    - The configure script now shows whether or not lzma and zstd have
      been used, not just if the enable flag was passed in. Fixes bug
      40236; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (compatibility):
    - Fix a failure in the test cases when running on the "hppa"
      architecture, along with a related test that might fail on other
      architectures in the future. Fixes bug 40274; bugfix
      on 0.2.5.1-alpha.

  o Minor bugfixes (controller):
    - Fix a "BUG" warning that would appear when a controller chooses
      the first hop for a circuit, and that circuit completes. Fixes bug
      40285; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (directory authorities, voting):
    - Add a new consensus method (31) to support any future changes that
      authorities decide to make to the value of bwweightscale or
      maxunmeasuredbw. Previously, there was a bug that prevented the
      authorities from parsing these consensus parameters correctly under
      most circumstances. Fixes bug 19011; bugfix on 0.2.2.10-alpha.

  o Minor bugfixes (ipv6):
    - Allow non-SOCKSPorts to disable IPv4, IPv6, and PreferIPv4. Some
      rare configurations might break, but in this case you can disable
      NoIPv4Traffic and NoIPv6Traffic as needed. Fixes bug 33607; bugfix
      on 0.4.1.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (key generation):
    - Do not require a valid torrc when using the `--keygen` argument to
      generate a signing key. This allows us to generate keys on systems
      or users which may not run Tor. Fixes bug 40235; bugfix on
      0.2.7.2-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (onion services, logging):
    - Downgrade the severity of a few rendezvous circuit-related
      warnings from warning to info. Fixes bug 40207; bugfix on
      0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (relay):
    - Reduce the compression level for data streaming from HIGH to LOW.
      This should reduce the CPU and memory burden for directory caches.
      Fixes bug 40301; bugfix on 0.3.5.1-alpha.

  o Code simplification and refactoring:
    - Remove the orconn_ext_or_id_map structure and related functions.
      (Nothing outside of unit tests used them.) Closes ticket 33383.
      Patch by Neel Chauhan.

  o Removed features:
    - As of this release, Tor no longer supports the old v2 onion
      services. They were deprecated last July for security, and support
      will be removed entirely later this year. We strongly encourage
      everybody to migrate to v3 onion services. For more information,
      see https://blog.torproject.org/v2-deprecation-timeline . Closes
      ticket 40266. (NOTE: We accidentally released an earlier version
      of the 0.4.6.1-alpha changelog without this entry. Sorry for
      the confusion!)

  o Code simplification and refactoring (metrics, DoS):
    - Move the DoS subsystem into the subsys manager, including its
      configuration options. Closes ticket 40261.

  o Removed features (relay):
    - Because DirPorts are only used on authorities, relays no longer
      advertise them. Similarly, self-testing for DirPorts has been
      disabled, since an unreachable DirPort is no reason for a relay
      not to advertise itself. (Configuring a DirPort will still work,
      for now.) Closes ticket 40282.


Changes in version 0.3.5.14 - 2021-03-16
  Tor 0.3.5.14 backports fixes for two important denial-of-service bugs
  in earlier versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a
  compatibility issue.

  o Major bugfixes (security, denial of service, backport from 0.4.5.7):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data, backport from 0.4.5.7):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Removed features (mallinfo deprecated, backport from 0.4.5.7):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.


Changes in version 0.4.4.8 - 2021-03-16
  Tor 0.4.4.8 backports fixes for two important denial-of-service bugs
  in earlier versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a
  compatibility issue.

  o Major bugfixes (security, denial of service, backport from 0.4.5.7):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data, backport from 0.4.5.7):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Removed features (mallinfo deprecated, backport from 0.4.5.7):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.


Changes in version 0.4.5.7 - 2021-03-16
  Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
  versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a few
  smaller bugs in earlier releases.

  o Major bugfixes (security, denial of service):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Minor bugfixes (directory authority):
    - Now that exit relays don't allow exit connections to directory
      authority DirPorts (to prevent network reentry), disable
      authorities' reachability self test on the DirPort. Fixes bug
      40287; bugfix on 0.4.5.5-rc.

  o Minor bugfixes (documentation):
    - Fix a formatting error in the documentation for
      VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (Linux, relay):
    - Fix a bug in determining total available system memory that would
      have been triggered if the format of Linux's /proc/meminfo file
      had ever changed to include "MemTotal:" in the middle of a line.
      Fixes bug 40315; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (metrics port):
    - Fix a BUG() warning on the MetricsPort for an internal missing
      handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (onion service):
    - Remove a harmless BUG() warning when reloading tor configured with
      onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (portability):
    - Fix a non-portable usage of "==" with "test" in the configure
      script. Fixes bug 40298; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay):
    - Remove a spammy log notice falsely claiming that the IPv4/v6
      address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha.
    - Do not query the address cache early in the boot process when
      deciding if a relay needs to fetch early directory information
      from an authority. This bug resulted in a relay falsely believing
      it didn't have an address and thus triggering an authority fetch
      at each boot. Related to our fix for 40300.

  o Removed features (mallinfo deprecated):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.


Changes in version 0.4.5.6 - 2021-02-15
  The Tor 0.4.5.x release series is dedicated to the memory of Karsten
  Loesing (1979-2020), Tor developer, cypherpunk, husband, and father.
  Karsten is best known for creating the Tor metrics portal and leading
  the metrics team, but he was involved in Tor from the early days. For
  example, while he was still a student he invented and implemented the
  v2 onion service directory design, and he also served as an ambassador
  to the many German researchers working in the anonymity field. We
  loved him and respected him for his patience, his consistency, and his
  welcoming approach to growing our community.

  This release series introduces significant improvements in relay IPv6
  address discovery, a new "MetricsPort" mechanism for relay operators
  to measure performance, LTTng support, build system improvements to
  help when using Tor as a static library, and significant bugfixes
  related to Windows relay performance. It also includes numerous
  smaller features and bugfixes.

  Below are the changes since 0.4.4.4-rc. For a complete list of changes
  since 0.4.4.7, see the ReleaseNotes file.

  o Major bugfixes (IPv6, relay):
    - Fix a bug that prevented a relay from publishing its descriptor if
      an auto-discovered IPv6 that was found unreachable. Fixes bug
      40279; bugfix on 0.4.5.1-alpha.

  o Minor features (protocol versions):
    - Stop claiming to support the "DirCache=1" subprotocol version.
      Technically, we stopped supporting this subprotocol back in
      0.4.5.1-alpha, but we needed to wait for the authorities to stop
      listing it as "required" before we could drop it from the list.
      Closes ticket 40221.

  o Minor bugfixes (logging):
    - Avoid a spurious log message about missing subprotocol versions,
      when the consensus that we're reading from is older than the
      current release. Previously we had made this message nonfatal, but
      in practice, it is never relevant when the consensus is older than
      the current release. Fixes bug 40281; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (metrics port):
    - Fix a bug warning when a metrics port socket was unexpectedly
      closed. Fixes bug 40257; bugfix on 0.4.5.1-alpha

  o Minor bugfixes (relay):
    - Allow relays to have a RFC1918 address if PublishServerDescriptor
      is set to 0 and AssumeReachable is set to 1. This is to support
      the use case of a bridge on a local network, exposed via a
      pluggable transport. Fixes bug 40208; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay, config):
    - Fix a problem in the removal of duplicate ORPorts from the
      internal port list when loading the config file. We were removing
      the wrong ports, breaking valid torrc uses cases for multiple
      ORPorts of the same address family. Fixes bug 40289; bugfix
      on 0.4.5.1-alpha.


Changes in version 0.4.4.7 - 2021-02-03
  Tor 0.4.4.7 backports numerous bugfixes from later releases,
  including one that made v3 onion services more susceptible to
  denial-of-service attacks, and a feature that makes some kinds of
  DoS attacks harder to perform.

  o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Major feature (exit, backport from 0.4.5.5-rc):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor feature (build system, backport from 0.4.5.4-rc):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (compilation, backport from 0.4.5.2-rc):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (crypto, backport from 0.4.5.3-rc):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.


Changes in version 0.4.3.8 - 2021-02-03
  Tor 0.4.3.8 backports numerous bugfixes from later releases,
  including one that made v3 onion services more susceptible to
  denial-of-service attacks, and a feature that makes some kinds of
  DoS attacks harder to perform.

  Note that this is, in all likelihood, the last release of Tor 0.4.3.x,
  which will reach end-of-life on 15 Feb 2021.

  o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Major bugfixes (stats, onion services, backport from 0.4.4.5):
    - Fix a bug where we were undercounting the Tor network's total
      onion service traffic, by ignoring any traffic originating from
      clients. Now we count traffic from both clients and services.
      Fixes bug 40117; bugfix on 0.2.6.2-alpha.

  o Major feature (exit, backport from 0.4.5.5-rc):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor feature (build system, backport from 0.4.5.4-rc):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (compilation, backport from 0.4.5.2-rc):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (crypto, backport from 0.4.5.3-rc):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation, backport from 0.4.5.1-rc):
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.


Changes in version 0.3.5.13 - 2020-02-03
  Tor 0.3.5.13 backports numerous bugfixes from later releases,
  including one that made v3 onion services more susceptible to
  denial-of-service attacks, and a feature that makes some kinds of
  DoS attacks harder to perform.

  o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Major bugfixes (stats, onion services, backport from 0.4.4.5):
    - Fix a bug where we were undercounting the Tor network's total
      onion service traffic, by ignoring any traffic originating from
      clients. Now we count traffic from both clients and services.
      Fixes bug 40117; bugfix on 0.2.6.2-alpha.

  o Major feature (exit, backport from 0.4.5.5-rc):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor feature (build system, backport from 0.4.5.4-rc):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (compilation, backport from 0.4.5.2-rc):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (crypto, backport from 0.4.5.3-rc):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation, backport from 0.4.5.1-rc):
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.


Changes in version 0.4.5.5-rc - 2021-02-01
  Tor 0.4.5.5-rc is the third release candidate in its series. We're
  coming closer and closer to a stable release series. This release
  fixes an annoyance with address detection code, and somewhat mitigates
  an ongoing denial-of-service attack.

  We anticipate no more code changes between this and the stable
  release, though of course that could change.

  o Major feature (exit):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor bugfixes (relay, configuration):
    - Don't attempt to discover our address (IPv4 or IPv6) if no ORPort
      for it can be found in the configuration. Fixes bug 40254; bugfix
      on 0.4.5.1-alpha.


Changes in version 0.4.5.4-rc - 2021-01-22
  Tor 0.4.5.4-rc is the second release candidate in its series. It fixes
  several bugs present in previous releases.

  We expect that the stable release will be the same, or almost the
  same, as this release candidate, unless serious bugs are found.

  o Major bugfixes (authority, IPv6):
    - Do not consider multiple relays in the same IPv6 /64 network to be
      sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha.

  o Major bugfixes (directory cache, performance, windows):
    - Limit the number of items in the consensus diff cache to 64 on
      Windows. We hope this will mitigate an issue where Windows relay
      operators reported Tor using 100% CPU, while we investigate better
      solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha.

  o Minor feature (build system):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (authority, logging):
    - Log more information for directory authority operators during the
      consensus voting process, and while processing relay descriptors.
      Closes ticket 40245.
    - Reject obsolete router/extrainfo descriptors earlier and more
      quietly, to avoid spamming the logs. Fixes bug 40238; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (compilation):
    - Fix another warning about unreachable fallthrough annotations when
      building with "--enable-all-bugs-are-fatal" on some compilers.
      Fixes bug 40241; bugfix on 0.4.5.3-rc.
    - Change the linker flag ordering in our library search code so that
      it works for compilers that need the libraries to be listed in the
      right order. Fixes bug 33624; bugfix on 0.1.1.0-alpha.

  o Minor bugfixes (config, bridge):
    - Don't initiate a connection to a bridge configured to use a
      missing transport. This change reverts an earlier fix that would
      try to avoid such situations during configuration chcecking, but
      which doesn't work with DisableNetwork. Fixes bug 40106; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (onion services):
    - Avoid a non-fatal assertion in certain edge-cases when
      establishing a circuit to an onion service. Fixes bug 32666;
      bugfix on 0.3.0.3-alpha.

  o Minor bugfixes (relay):
    - If we were unable to build our descriptor, don't mark it as having
      been advertised. Also remove an harmless BUG(). Fixes bug 40231;
      bugfix on 0.4.5.1-alpha.


Changes in version 0.4.5.3-rc - 2021-01-12
  Tor 0.4.5.3-rc is the first release candidate in its series. It fixes
  several bugs, including one that broke onion services on certain older
  ARM CPUs, and another that made v3 onion services less reliable.

  Though we anticipate that we'll be doing a bit more clean-up between
  now and the stable release, we expect that our remaining changes will
  be fairly simple. There will be at least one more release candidate
  before 0.4.5.x is stable.

  o Major bugfixes (onion service v3):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Minor features (crypto):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor features (documentation):
    - Mention the "!badexit" directive that can appear in an authority's
      approved-routers file, and update the description of the
      "!invalid" directive. Closes ticket 40188.

  o Minor bugfixes (compilation):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.
    - Fix the "--enable-static-tor" switch to properly set the "-static"
      compile option onto the tor binary only. Fixes bug 40111; bugfix
      on 0.2.3.1-alpha.

  o Minor bugfixes (config, bridge):
    - Really fix the case where torrc has a missing ClientTransportPlugin
      but is configured with a Bridge line and UseBridges. Previously,
      we didn't look at the managed proxy list and thus would fail for
      the "exec" case. Fixes bug 40106; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (logging, relay):
    - Log our address as reported by the directory authorities, if none
      was configured or detected before. Fixes bug 40201; bugfix
      on 0.4.5.1-alpha.
    - When a launching bandwidth testing circuit, don't incorrectly call
      it a reachability test, or trigger a "CHECKING_REACHABILITY"
      control event. Fixes bug 40205; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay, statistics):
    - Report the correct connection statistics in our extrainfo
      documents. Previously there was a problem in the file loading
      function which would wrongly truncate a state file, causing the
      wrong information to be reported. Fixes bug 40226; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (SOCKS5):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.


Changes in version 0.4.5.2-alpha - 2020-11-23
  Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series.
  It fixes several bugs present in earlier releases, including one that
  made it impractical to run relays on Windows. It also adds a few small
  safety features to improve Tor's behavior in the presence of strange
  compile-time options, misbehaving proxies, and future versions
  of OpenSSL.

  o Major bugfixes (relay, windows):
    - Fix a bug in our implementation of condition variables on Windows.
      Previously, a relay on Windows would use 100% CPU after running
      for some time. Because of this change, Tor now require Windows
      Vista or later to build and run. Fixes bug 30187; bugfix on
      0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with
      the introduction of consensus diffs.) Patch by Daniel Pinto.

  o Minor features (compilation):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (protocol, proxy support, defense in depth):
    - Respond more deliberately to misbehaving proxies that leave
      leftover data on their connections, so as to make Tor even less
      likely to allow the proxies to pass their data off as having come
      from a relay. Closes ticket 40017.

  o Minor features (safety):
    - Log a warning at startup if Tor is built with compile-time options
      that are likely to make it less stable or reliable. Closes
      ticket 18888.

  o Minor bugfixes (circuit, handshake):
    - In the v3 handshaking code, use connection_or_change_state() to
      change the state. Previously, we changed the state directly, but
      this did not pass the state change to the pubsub or channel
      objects, potentially leading to bugs. Fixes bug 32880; bugfix on
      0.2.3.6-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (compilation):
    - Use the correct 'ranlib' program when building libtor.a.
      Previously we used the default ranlib, which broke some kinds of
      cross-compilation. Fixes bug 40172; bugfix on 0.4.5.1-alpha.
    - Remove a duplicate typedef in metrics_store.c. Fixes bug 40177;
      bugfix on 0.4.5.1-alpha.
    - When USDT tracing is enabled, and STAP_PROBEV() is missing, don't
      attempt to build. Linux supports that macro but not the BSDs.
      Fixes bug 40174; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (configuration):
    - Exit Tor on a misconfiguration when the Bridge line is configured
      to use a transport but no corresponding ClientTransportPlugin can
      be found. Prior to this fix, Tor would attempt to connect to the
      bridge directly without using the transport, making it easier for
      adversaries to notice the bridge. Fixes bug 25528; bugfix
      on 0.2.6.1-alpha.
    - Fix an issue where an ORPort was compared with other kinds of
      ports, when it should have been only checked against other
      ORPorts. This bug would lead to "DirPort auto" getting ignored.
      Fixes bug 40195; bugfix on 0.4.5.1-alpha.
    - Fix a bug where a second non-ORPort with a variant family (ex:
      SocksPort [::1]:9050) would be ignored due to a configuration
      parsing error. Fixes bug 40183; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (crash, relay, signing key):
    - Avoid assertion failures when we run Tor from the command line
      with `--key-expiration sign`, but an ORPort is not set. Fixes bug
      40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (logging):
    - Remove trailing whitespace from control event log messages. Fixes
      bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by
      Amadeusz Pawlik.
    - Turn warning-level log message about SENDME failure into a debug-
      level message. (This event can happen naturally, and is no reason
      for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha.