ChangeLog 1.83 MB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
Changes in version 0.4.5.3-rc - 2021-01-12
  Tor 0.4.5.3-rc is the first release candidate in its series. It fixes
  several bugs, including one that broke onion services on certain older
  ARM CPUs, and another that made v3 onion services less reliable.

  Though we anticipate that we'll be doing a bit more clean-up between
  now and the stable release, we expect that our remaining changes will
  be fairly simple. There will be at least one more release candidate
  before 0.4.5.x is stable.

  o Major bugfixes (onion service v3):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Minor features (crypto):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor features (documentation):
    - Mention the "!badexit" directive that can appear in an authority's
      approved-routers file, and update the description of the
      "!invalid" directive. Closes ticket 40188.

  o Minor bugfixes (compilation):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.
    - Fix the "--enable-static-tor" switch to properly set the "-static"
      compile option onto the tor binary only. Fixes bug 40111; bugfix
      on 0.2.3.1-alpha.

  o Minor bugfixes (config, bridge):
    - Really fix the case where torrc has a missing ClientTransportPlugin
      but is configured with a Bridge line and UseBridges. Previously,
      we didn't look at the managed proxy list and thus would fail for
      the "exec" case. Fixes bug 40106; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (logging, relay):
    - Log our address as reported by the directory authorities, if none
      was configured or detected before. Fixes bug 40201; bugfix
      on 0.4.5.1-alpha.
    - When a launching bandwidth testing circuit, don't incorrectly call
      it a reachability test, or trigger a "CHECKING_REACHABILITY"
      control event. Fixes bug 40205; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay, statistics):
    - Report the correct connection statistics in our extrainfo
      documents. Previously there was a problem in the file loading
      function which would wrongly truncate a state file, causing the
      wrong information to be reported. Fixes bug 40226; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (SOCKS5):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.


65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
Changes in version 0.4.5.2-alpha - 2020-11-23
  Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series.
  It fixes several bugs present in earlier releases, including one that
  made it impractical to run relays on Windows. It also adds a few small
  safety features to improve Tor's behavior in the presence of strange
  compile-time options, misbehaving proxies, and future versions
  of OpenSSL.

  o Major bugfixes (relay, windows):
    - Fix a bug in our implementation of condition variables on Windows.
      Previously, a relay on Windows would use 100% CPU after running
      for some time. Because of this change, Tor now require Windows
      Vista or later to build and run. Fixes bug 30187; bugfix on
      0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with
      the introduction of consensus diffs.) Patch by Daniel Pinto.

  o Minor features (compilation):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (protocol, proxy support, defense in depth):
    - Respond more deliberately to misbehaving proxies that leave
      leftover data on their connections, so as to make Tor even less
      likely to allow the proxies to pass their data off as having come
      from a relay. Closes ticket 40017.

  o Minor features (safety):
    - Log a warning at startup if Tor is built with compile-time options
      that are likely to make it less stable or reliable. Closes
      ticket 18888.

  o Minor bugfixes (circuit, handshake):
    - In the v3 handshaking code, use connection_or_change_state() to
      change the state. Previously, we changed the state directly, but
      this did not pass the state change to the pubsub or channel
      objects, potentially leading to bugs. Fixes bug 32880; bugfix on
      0.2.3.6-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (compilation):
    - Use the correct 'ranlib' program when building libtor.a.
      Previously we used the default ranlib, which broke some kinds of
      cross-compilation. Fixes bug 40172; bugfix on 0.4.5.1-alpha.
    - Remove a duplicate typedef in metrics_store.c. Fixes bug 40177;
      bugfix on 0.4.5.1-alpha.
    - When USDT tracing is enabled, and STAP_PROBEV() is missing, don't
      attempt to build. Linux supports that macro but not the BSDs.
      Fixes bug 40174; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (configuration):
    - Exit Tor on a misconfiguration when the Bridge line is configured
      to use a transport but no corresponding ClientTransportPlugin can
      be found. Prior to this fix, Tor would attempt to connect to the
      bridge directly without using the transport, making it easier for
      adversaries to notice the bridge. Fixes bug 25528; bugfix
      on 0.2.6.1-alpha.
    - Fix an issue where an ORPort was compared with other kinds of
      ports, when it should have been only checked against other
      ORPorts. This bug would lead to "DirPort auto" getting ignored.
      Fixes bug 40195; bugfix on 0.4.5.1-alpha.
    - Fix a bug where a second non-ORPort with a variant family (ex:
      SocksPort [::1]:9050) would be ignored due to a configuration
      parsing error. Fixes bug 40183; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (crash, relay, signing key):
    - Avoid assertion failures when we run Tor from the command line
      with `--key-expiration sign`, but an ORPort is not set. Fixes bug
      40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (logging):
    - Remove trailing whitespace from control event log messages. Fixes
      bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by
      Amadeusz Pawlik.
    - Turn warning-level log message about SENDME failure into a debug-
      level message. (This event can happen naturally, and is no reason
      for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (relay, address discovery):
    - Don't trigger an IP change when no new valid IP can be found.
      Fixes bug 40071; bugfix on 0.4.5.1-alpha.
    - When attempting to discover our IP, use a simple test circuit,
      rather than a descriptor fetch: the same address information is
      present in NETINFO cells, and is better authenticated there. Fixes
      bug 40071; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (testing):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix unit tests that used newly generated list of routers so that
      they check them with respect to the date when they were generated,
      not with respect to the current time. Fixes bug 40187; bugfix
      on 0.4.5.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.

  o Removed features (controller):
    - Remove the "GETINFO network-status" controller command. It has
      been deprecated since 0.3.1.1-alpha. Closes ticket 22473.


171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
Changes in version 0.4.4.6 - 2020-11-12
  Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It
  backports fixes from later releases, including a fix for TROVE-2020-
  005, a security issue that could be used, under certain cases, by an
  adversary to observe traffic patterns on a limited number of circuits
  intended for a different relay.

  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Minor features (directory authorities, backport from 0.4.5.1-alpha):
    - Authorities now list a different set of protocols as required and
      recommended. These lists have been chosen so that only truly
      recommended and/or required protocols are included, and so that
      clients using 0.2.9 or later will continue to work (even though
      they are not supported), whereas only relays running 0.3.5 or
      later will meet the requirements. Closes ticket 40162.
    - Make it possible to specify multiple ConsensusParams torrc lines.
      Now directory authority operators can for example put the main
      ConsensusParams config in one torrc file and then add to it from a
      different torrc file. Closes ticket 40164.

  o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.

  o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.4.5.1-alpha):
    - Fix compiler warnings that would occur when building with
      "--enable-all-bugs-are-fatal" and "--disable-module-relay" at the
      same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
    - Remove a debug logging statement that uselessly spammed the logs.
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.

  o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha):
    - For HSFETCH commands on v2 onion services addresses, check the
      length of bytes decoded, not the base32 length. Fixes bug 34400;
      bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.


Changes in version 0.4.3.7 - 2020-11-12
  Tor 0.4.3.7 backports several bugfixes from later releases. It
  includes a fix for TROVE-2020-005, a security issue that could be
  used, under certain cases, by an adversary to observe traffic patterns
  on a limited number of circuits intended for a different relay.

  Please be aware that support for the 0.4.3.x series will end on 15
Nick Mathewson's avatar
Nick Mathewson committed
241
  February 2021. Please upgrade to 0.4.4.x or 0.4.5.x before then, or
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
  downgrade to 0.3.5.x, which will be supported until at least 1
  February 2022.

  o Major features (fallback directory list, backport form 0.4.4.3-alpha):
    - Replace the 148 fallback directories originally included in Tor
      0.4.1.4-rc (of which around 105 are still functional) with a list
      of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Major bugfixes (NSS, backport from 0.4.4.3-alpha):
    - When running with NSS enabled, make sure that NSS knows to expect
      nonblocking sockets. Previously, we set our TCP sockets as
      nonblocking, but did not tell NSS, which in turn could lead to
      unexpected blocking behavior. Fixes bug 40035; bugfix
      on 0.3.5.1-alpha.

  o Minor features (security, backport from 0.4.4.4-rc):
    - Channels using obsolete versions of the Tor link protocol are no
      longer allowed to circumvent address-canonicity checks. (This is
      only a minor issue, since such channels have no way to set ed25519
      keys, and therefore should always be rejected for circuits that
      specify ed25519 identities.) Closes ticket 40081.

  o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.

  o Minor features (tests, backport from 0.4.4.5):
    - Our "make check" target now runs the unit tests in 8 parallel
      chunks. Doing this speeds up hardened CI builds by more than a
      factor of two. Closes ticket 40098.

  o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc):
    - Fix a correctness bug that could cause an assertion failure if we
      ever tried using the buf_move_all() function with an empty input
      buffer. As far as we know, no released versions of Tor do this.
      Fixes bug 40076; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
    - Remove a debug logging statement that uselessly spammed the logs.
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.

  o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc):
    - On a bridge, treat all connections from an ExtORPort as remote by
      default for the purposes of rate-limiting. Previously, bridges
      would treat the connection as local unless they explicitly
      received a "USERADDR" command. ExtORPort connections still count
      as local if there is a USERADDR command with an explicit local
      address. Fixes bug 33747; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha):
    - Adjust the rules for when to warn about having too many
      connections to other relays. Previously we'd tolerate up to 1.5
      connections per relay on average. Now we tolerate more connections
      for directory authorities, and raise the number of total
      connections we need to see before we warn. Fixes bug 33880; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (tests, 0.4.4.5):
    - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
      on its own. Previously, it would exit with an error. Fixes bug
      40099; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha):
    - For HSFETCH commands on v2 onion services addresses, check the
      length of bytes decoded, not the base32 length. Fixes bug 34400;
      bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (windows, backport from 0.4.4.4-rc):
    - Fix a bug that prevented Tor from starting if its log file grew
      above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha.

  o Deprecated features (onion service v2, backport form 0.4.4.2-alpha):
    - Add a deprecation warning for version 2 onion services. Closes
      ticket 40003.

  o Removed features (backport from 0.4.4.3-alpha):
    - Our "check-local" test target no longer tries to use the
      Coccinelle semantic patching tool parse all the C files. While it
      is a good idea to try to make sure Coccinelle works on our C
      before we run a Coccinelle patch, doing so on every test run has
      proven to be disruptive. You can still run this tool manually with
      "make check-cocci". Closes ticket 40030. ticket 40030.


Changes in version 0.3.5.12 - 2020-11-12
  Tor 0.4.3.7 backports several bugfixes from later releases. It
  includes a fix for TROVE-2020-005, a security issue that could be
  used, under certain cases, by an adversary to observe traffic patterns
  on a limited number of circuits intended for a different relay.

  o Major features (fallback directory list, backport form 0.4.4.3-alpha):
    - Replace the 148 fallback directories originally included in Tor
      0.4.1.4-rc (of which around 105 are still functional) with a list
      of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Major bugfixes (NSS, backport from 0.4.4.3-alpha):
    - When running with NSS enabled, make sure that NSS knows to expect
      nonblocking sockets. Previously, we set our TCP sockets as
      nonblocking, but did not tell NSS, which in turn could lead to
      unexpected blocking behavior. Fixes bug 40035; bugfix
      on 0.3.5.1-alpha.

  o Minor features (security, backport from 0.4.4.4-rc):
    - Channels using obsolete versions of the Tor link protocol are no
      longer allowed to circumvent address-canonicity checks. (This is
      only a minor issue, since such channels have no way to set ed25519
      keys, and therefore should always be rejected for circuits that
      specify ed25519 identities.) Closes ticket 40081.

  o Minor features (debugging, directory system):
    - Don't crash when we find a non-guard with a guard-fraction value
      set. Instead, log a bug warning, in an attempt to figure out how
      this happened. Diagnostic for ticket 32868.

  o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.

  o Minor features (tests, backport from 0.4.4.5):
    - Our "make check" target now runs the unit tests in 8 parallel
      chunks. Doing this speeds up hardened CI builds by more than a
      factor of two. Closes ticket 40098.

  o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (correctness, buffers, backport from 0.4.4.4-rc):
    - Fix a correctness bug that could cause an assertion failure if we
      ever tried using the buf_move_all() function with an empty input
      buffer. As far as we know, no released versions of Tor do this.
      Fixes bug 40076; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
    - Remove a debug logging statement that uselessly spammed the logs.
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.

  o Minor bugfixes (rate limiting, bridges, pluggable transports, backport from 0.4.4.4-rc):
    - On a bridge, treat all connections from an ExtORPort as remote by
      default for the purposes of rate-limiting. Previously, bridges
      would treat the connection as local unless they explicitly
      received a "USERADDR" command. ExtORPort connections still count
      as local if there is a USERADDR command with an explicit local
      address. Fixes bug 33747; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (relay, usability, backport from 0.4.4.3-alpha):
    - Adjust the rules for when to warn about having too many
      connections to other relays. Previously we'd tolerate up to 1.5
      connections per relay on average. Now we tolerate more connections
      for directory authorities, and raise the number of total
      connections we need to see before we warn. Fixes bug 33880; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (relays, backport from 0.4.4.1-alpha):
    - Stop advertising incorrect IPv6 ORPorts in relay and bridge
      descriptors, when the IPv6 port was configured as "auto". Fixes
      bug 32588; bugfix on 0.2.3.9-alpha.

  o Minor bugfixes (tests, 0.4.4.5):
    - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
      on its own. Previously, it would exit with an error. Fixes bug
      40099; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (windows, backport from 0.4.4.4-rc):
    - Fix a bug that prevented Tor from starting if its log file grew
      above 2GB. Fixes bug 31036; bugfix on 0.2.1.8-alpha.

  o Deprecated features (onion service v2, backport form 0.4.4.2-alpha):
    - Add a deprecation warning for version 2 onion services. Closes
      ticket 40003.


456
Changes in version 0.4.5.1-alpha - 2020-11-01
Nick Mathewson's avatar
Nick Mathewson committed
457
458
  Tor 0.4.5.1-alpha is the first alpha release in the 0.4.5.x series. It
  improves support for IPv6, address discovery and self-testing, code
459
460
  metrics and tracing.

461
462
463
464
465
466
467
468
  This release also fixes TROVE-2020-005, a security issue that could be
  used, under certain cases, by an adversary to observe traffic patterns
  on a limited number of circuits intended for a different relay. To
  mount this attack, the adversary would need to actively extend
  circuits to an incorrect address, as well as compromise a relay's
  legacy RSA-1024 key. We'll be backporting this fix to other release
  series soon, after it has had some testing.

469
470
  Here are the changes since 0.4.4.5.

471
472
473
474
  o Major features (build):
    - When building Tor, first link all object files into a single
      static library. This may help with embedding Tor in other
      programs. Note that most Tor functions do not constitute a part of
475
      a stable or supported API: only those functions in tor_api.h
476
477
      should be used if embedding Tor. Closes ticket 40127.

478
  o Major features (metrics):
479
480
481
482
483
    - Introduce a new MetricsPort which exposes, through an HTTP
      interface, a series of metrics that tor collects at runtime. At
      the moment, the only supported output format is Prometheus data
      model. Closes ticket 40063. See the manual page for more
      information and security considerations.
484
  o Major features (relay, IPv6):
485
486
487
    - The torrc option Address now supports IPv6. This unifies our
      address discovery interface to support IPv4, IPv6, and hostnames.
      Closes ticket 33233.
Nick Mathewson's avatar
Nick Mathewson committed
488
489
    - Launch IPv4 and IPv6 ORPort self-test circuits on relays and
      bridges. Closes ticket 33222.
490
    - Relays now automatically bind on IPv6 for their ORPort, unless
Nick Mathewson's avatar
Nick Mathewson committed
491
      specified otherwise with the IPv4Only flag. Closes ticket 33246.
492
493
494
495
496
497
498
499
    - When a relay with IPv6 support is told to open a connection to
      another relay, and the extend cell lists both IPv4 and IPv6
      addresses, the first relay now picks randomly which address to
      use. Closes ticket 33220.
    - Relays now track their IPv6 ORPort reachability separately from
      the reachability of their IPv4 ORPort. They will not publish a
      descriptor unless _both_ ports appear to be externally reachable.
      Closes ticket 34067.
500

Nick Mathewson's avatar
Nick Mathewson committed
501
  o Major features (tracing):
502
503
504
    - Add event-tracing library support for USDT and LTTng-UST, and a
      few tracepoints in the circuit subsystem. More will come
      incrementally. This feature is compiled out by default: it needs
Nick Mathewson's avatar
Nick Mathewson committed
505
506
507
      to be enabled at configure time. See documentation in
      doc/HACKING/Tracing.md. Closes ticket 32910.

508
509
510
511
512
513
514
515
516
  o Major bugfixes (security):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Major bugfixes (TLS, buffer):
Nick Mathewson's avatar
Nick Mathewson committed
517
    - When attempting to read N bytes on a TLS connection, really try to
518
519
520
521
      read all N bytes. Previously, Tor would stop reading after the
      first TLS record, which can be smaller than the N bytes requested,
      and not check for more data until the next mainloop event. Fixes
      bug 40006; bugfix on 0.1.0.5-rc.
522
523

  o Minor features (address discovery):
Nick Mathewson's avatar
Nick Mathewson committed
524
525
526
527
    - If no Address statements are found, relays now prioritize guessing
      their address by looking at the local interface instead of the
      local hostname. If the interface address can't be found, the local
      hostname is used. Closes ticket 33238.
528
529

  o Minor features (admin tools):
530
531
532
533
    - Add a new --format argument to -key-expiration option to allow
      specifying the time format of the expiration date. Adds Unix
      timestamp format support. Patch by Daniel Pinto. Closes
      ticket 30045.
534
535
536
537
538

  o Minor features (bootstrap reporting):
    - When reporting bootstrapping status on a relay, do not consider
      connections that have never been the target of an origin circuit.
      Previously, all connection failures were treated as potential
539
      bootstrapping failures, including connections that had been opened
Nick Mathewson's avatar
Nick Mathewson committed
540
      because of client requests. Closes ticket 25061.
541
542

  o Minor features (build):
Nick Mathewson's avatar
Nick Mathewson committed
543
    - When running the configure script, try to detect version
544
      mismatches between the OpenSSL headers and libraries, and suggest
Nick Mathewson's avatar
Nick Mathewson committed
545
      that the user should try "--with-openssl-dir". Closes 40138.
546
547
    - If the configure script has given any warnings, remind the user
      about them at the end of the script. Related to 40138.
Nick Mathewson's avatar
Nick Mathewson committed
548
549

  o Minor features (configuration):
550
    - Allow using wildcards (* and ?) with the %include option on
Nick Mathewson's avatar
Nick Mathewson committed
551
      configuration files. Closes ticket 25140. Patch by Daniel Pinto.
552
    - Allow the configuration options EntryNodes, ExcludeNodes,
Nick Mathewson's avatar
Nick Mathewson committed
553
554
555
      ExcludeExitNodes, ExitNodes, MiddleNodes, HSLayer2Nodes and
      HSLayer3Nodes to be specified multiple times. Closes ticket 28361.
      Patch by Daniel Pinto.
556
557

  o Minor features (control port):
558
559
    - Add a DROPTIMEOUTS command to drop circuit build timeout history
      and reset the current timeout. Closes ticket 40002.
560
    - When a stream enters the AP_CONN_STATE_CONTROLLER_WAIT status,
561
      send a control port event. Closes ticket 32190. Patch by
Nick Mathewson's avatar
Nick Mathewson committed
562
      Neel Chauhan.
563
    - Introduce GETINFO "stats/ntor/{assigned/requested}" and
564
565
566
      "stats/tap/{assigned/requested}" to get the NTor and TAP circuit
      onion handshake counts respectively. Closes ticket 28279. Patch by
      Neel Chauhan.
567

568
  o Minor features (control port, IPv6):
Nick Mathewson's avatar
Nick Mathewson committed
569
570
    - Tor relays now try to report to the controller when they are
      launching an IPv6 self-test. Closes ticket 34068.
571
572
573
574
    - Introduce "GETINFO address/v4" and "GETINFO address/v6" in the
      control port to fetch the Tor host's respective IPv4 or IPv6
      address. We keep "GETINFO address" for backwards-compatibility.
      Closes ticket 40039. Patch by Neel Chauhan.
575
576

  o Minor features (directory authorities):
577
    - Authorities now list a different set of protocols as required and
578
579
580
581
582
583
584
585
      recommended. These lists have been chosen so that only truly
      recommended and/or required protocols are included, and so that
      clients using 0.2.9 or later will continue to work (even though
      they are not supported), whereas only relays running 0.3.5 or
      later will meet the requirements. Closes ticket 40162.
    - Add a new consensus method 30 that removes the unnecessary "="
      padding from ntor-onion-key. Closes ticket 7869. Patch by
      Daniel Pinto.
586
    - Directory authorities now reject descriptors from relays running
587
588
      Tor versions from the obsolete 0.4.1 series. Resolves ticket
      34357. Patch by Neel Chauhan.
589
590
    - Make it possible to specify multiple ConsensusParams torrc lines.
      Now directory authority operators can for example put the main
Nick Mathewson's avatar
Nick Mathewson committed
591
592
      ConsensusParams config in one torrc file and then add to it from a
      different torrc file. Closes ticket 40164.
593
594
    - The AssumeReachable option no longer stops directory authorities
      from checking whether other relays are running. A new
Nick Mathewson's avatar
Nick Mathewson committed
595
596
      AuthDirTestReachability option can be used to disable these
      checks. Closes ticket 34445.
597
    - When looking for possible Sybil attacks, also consider IPv6
Nick Mathewson's avatar
Nick Mathewson committed
598
599
600
      addresses. Two routers are considered to have "the same" address
      by this metric if they are in the same /64 network. Patch from
      Maurice Pibouin. Closes ticket 7193.
601

602
  o Minor features (directory authorities, IPv6):
603
604
605
    - Make authorities add their IPv6 ORPort (if any) to the trusted
      servers list. Authorities previously added only their IPv4
      addresses. Closes ticket 32822.
606

607
608
  o Minor features (ed25519, relay):
    - Save a relay's base64-encoded ed25519 identity key to the data
Nick Mathewson's avatar
Nick Mathewson committed
609
610
      directory in a file named fingerprint-ed25519. Closes ticket
      30642. Patch by Neel Chauhan.
611
612
613

  o Minor features (heartbeat):
    - Include the total number of inbound and outbound IPv4 and IPv6
614
      connections in the heartbeat message. Closes ticket 29113.
615
616

  o Minor features (IPv6, ExcludeNodes):
617
618
    - Handle IPv6 addresses in ExcludeNodes; previously they were
      ignored. Closes ticket 34065. Patch by Neel Chauhan.
619
620

  o Minor features (logging):
621
622
623
624
625
    - Add the running glibc version to the log, and the compiled glibc
      version to the library list returned when using --library-versions.
      Patch from Daniel Pinto. Closes ticket 40047.
    - Consider an HTTP 301 response to be an error (like a 404) when
      processing a directory response. Closes ticket 40053.
Nick Mathewson's avatar
Nick Mathewson committed
626
627
    - Log directory fetch statistics as a single line. Closes
      ticket 40159.
628
629
    - Provide more complete descriptions of our connections when logging
      about them. Closes ticket 40041.
630
    - When describing a relay in the logs, we now include its ed25519
Nick Mathewson's avatar
Nick Mathewson committed
631
      identity. Closes ticket 22668.
632
633

  o Minor features (onion services):
634
635
636
    - Only overwrite an onion service's existing hostname file if its
      contents are wrong. This enables read-only onion-service
      directories. Resolves ticket 40062. Patch by Neel Chauhan.
637
638

  o Minor features (pluggable transports):
639
640
641
642
643
    - Add an OutboundBindAddressPT option to allow users to specify
      which IPv4 and IPv6 address pluggable transports should use for
      outgoing IP packets. Tor does not have a way to enforce that the
      pluggable transport honors this option, so each pluggable transport
      needs to implement support on its own. Closes ticket 5304.
644
645

  o Minor features (relay address tracking):
646
647
648
    - We now store relay addresses for OR connections in a more logical
      way. Previously we would sometimes overwrite the actual address of
      a connection with a "canonical address", and then store the "real
Nick Mathewson's avatar
Nick Mathewson committed
649
650
651
      address" elsewhere to remember it. We now track the "canonical
      address" elsewhere for the cases where we need it, and leave the
      connection's address alone. Closes ticket 33898.
652
653

  o Minor features (relay):
Nick Mathewson's avatar
Nick Mathewson committed
654
655
656
657
658
659
660
661
    - If a relay is unable to discover its address, attempt to learn it
      from the NETINFO cell. Closes ticket 40022.
    - Log immediately when launching a relay self-check. Previously we
      would try to log before launching checks, or approximately when we
      intended to launch checks, but this tended to be error-prone.
      Closes ticket 34137.

  o Minor features (relay, address discovery):
662
663
664
    - If Address option is not found in torrc, attempt to learn our
      address with the configured ORPort address if any. Closes
      ticket 33236.
665
666
667
668

  o Minor features (relay, IPv6):
    - Add an AssumeReachableIPv6 option to disable self-checking IPv6
      reachability. Closes part of ticket 33224.
669
670
671
672
    - Add new "assume-reachable" and "assume-reachable-ipv6" consensus
      parameters to be used in an emergency to tell relays that they
      should publish even if they cannot complete their ORPort self-
      checks. Closes ticket 34064 and part of 33224.
673
674
675
676
677
    - Allow relays to send IPv6-only extend cells. Closes ticket 33222.
    - Declare support for the Relay=3 subprotocol version. Closes
      ticket 33226.
    - When launching IPv6 ORPort self-test circuits, make sure that the
      second-last hop can initiate an IPv6 extend. Closes ticket 33222.
678
679

  o Minor features (specification update):
Nick Mathewson's avatar
Nick Mathewson committed
680
681
682
    - Several fields in microdescriptors, router descriptors, and
      consensus documents that were formerly optional are now required.
      Implements proposal 315; closes ticket 40132.
683

684
  o Minor features (state management):
Nick Mathewson's avatar
Nick Mathewson committed
685
686
    - When loading the state file, remove entries from the statefile
      that have been obsolete for a long time. Ordinarily Tor preserves
687
      unrecognized entries in order to keep forward-compatibility, but
688
      these entries have not actually been used in any release since
689
      before 0.3.5.x. Closes ticket 40137.
690
691

  o Minor features (statistics, ipv6):
Nick Mathewson's avatar
Nick Mathewson committed
692
693
    - Relays now publish IPv6-specific counts of single-direction versus
      bidirectional relay connections. Closes ticket 33264.
694
    - Relays now publish their IPv6 read and write statistics over time,
Nick Mathewson's avatar
Nick Mathewson committed
695
      if statistics are enabled. Closes ticket 33263.
696
697

  o Minor features (subprotocol versions):
698
699
700
701
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.
702
    - Use the new limitations on subprotocol versions due to proposal
Nick Mathewson's avatar
Nick Mathewson committed
703
      318 to simplify our implementation. Part of ticket 40133.
704
705

  o Minor features (testing configuration):
706
707
708
    - The TestingTorNetwork option no longer implicitly sets
      AssumeReachable to 1. This change allows us to test relays' self-
      testing mechanisms, and to test authorities' relay-testing
Nick Mathewson's avatar
Nick Mathewson committed
709
      functionality. Closes ticket 34446.
710
711
712
713
714

  o Minor features (testing):
    - Added unit tests for channel_matches_target_addr_for_extend().
      Closes Ticket 33919. Patch by MrSquanchee.

715
716
717
718
719
720
721
  o Minor features (tests, v2 onion services):
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.
722
723
724

  o Minor bugfixes (circuit padding):
    - When circpad_send_padding_cell_for_callback is called,
Nick Mathewson's avatar
Nick Mathewson committed
725
726
727
      `is_padding_timer_scheduled` flag was not reset. Now it is set to
      0 at the top of that function. Fixes bug 32671; bugfix
      on 0.4.0.1-alpha.
728
    - Add a per-circuit padding machine instance counter, so we can
Nick Mathewson's avatar
Nick Mathewson committed
729
      differentiate between shutdown requests for old machines on a
730
      circuit. Fixes bug 30992; bugfix on 0.4.1.1-alpha.
731
    - Add the ability to keep circuit padding machines if they match a
732
      set of circuit states or purposes. This allows us to have machines
Nick Mathewson's avatar
Nick Mathewson committed
733
734
735
736
      that start up under some conditions but don't shut down under
      others. We now use this mask to avoid starting up introduction
      circuit padding again after the machines have already completed.
      Fixes bug 32040; bugfix on 0.4.1.1-alpha.
737
738
739

  o Minor bugfixes (compatibility):
    - Strip '\r' characters when reading text files on Unix platforms.
Nick Mathewson's avatar
Nick Mathewson committed
740
741
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
742
743
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
Nick Mathewson's avatar
Nick Mathewson committed
744
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.
745
746
747

  o Minor bugfixes (compilation):
    - Fix compiler warnings that would occur when building with
Nick Mathewson's avatar
Nick Mathewson committed
748
749
750
751
      "--enable-all-bugs-are-fatal" and "--disable-module-relay" at the
      same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.
752
753

  o Minor bugfixes (configuration):
Nick Mathewson's avatar
Nick Mathewson committed
754
755
756
757
    - Fix bug where %including a pattern ending with */ would include
      files and folders (instead of folders only) in versions of glibc <
      2.19. Fixes bug 40141; bugfix on 0.4.5.0-alpha-dev. Patch by
      Daniel Pinto.
758

759
760
761
762
763
764
  o Minor bugfixes (control port):
    - Make sure we send the SOCKS request address in relay begin cells
      when a stream is attached with the purpose
      CIRCUIT_PURPOSE_CONTROLLER. Fixes bug 33124; bugfix on 0.0.5.
      Patch by Neel Chauhan.

765
  o Minor bugfixes (logging):
766
    - Remove a debug logging statement that uselessly spammed the logs.
Nick Mathewson's avatar
Nick Mathewson committed
767
768
769
770
771
772
773
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.
    - When logging a rate-limited message about how many messages have
      been suppressed in the last N seconds, give an accurate value for
      N, rounded up to the nearest minute. Previously we would report
      the size of the rate-limiting interval, regardless of when the
      messages started to occur. Fixes bug 19431; bugfix
      on 0.2.2.16-alpha.
774
775

  o Minor bugfixes (relay configuration, crash):
Nick Mathewson's avatar
Nick Mathewson committed
776
777
778
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.
779
780
781

  o Minor bugfixes (rust, protocol versions):
    - Declare support for the onion service introduction point denial of
782
      service extensions when building with Rust. Fixes bug 34248;
Nick Mathewson's avatar
Nick Mathewson committed
783
      bugfix on 0.4.2.1-alpha.
784
    - Make Rust protocol version support checks consistent with the
785
786
      undocumented error behavior of the corresponding C code. Fixes bug
      34251; bugfix on 0.3.3.5-rc.
787
788

  o Minor bugfixes (self-testing):
Nick Mathewson's avatar
Nick Mathewson committed
789
790
791
792
793
    - When receiving an incoming circuit, only accept it as evidence
      that we are reachable if the declared address of its channel is
      the same address we think that we have. Otherwise, it could be
      evidence that we're reachable on some other address. Fixes bug
      20165; bugfix on 0.1.0.1-rc.
794
795
796

  o Minor bugfixes (spec conformance):
    - Use the correct key type when generating signing->link
Nick Mathewson's avatar
Nick Mathewson committed
797
      certificates. Fixes bug 40124; bugfix on 0.2.7.2-alpha.
798

799
800
801
  o Minor bugfixes (subprotocol versions):
    - Consistently reject extra commas, instead of only rejecting
      leading commas. Fixes bug 27194; bugfix on 0.2.9.4-alpha.
Nick Mathewson's avatar
Nick Mathewson committed
802
803
804
805
806
    - In summarize_protover_flags(), treat empty strings the same as
      NULL. This prevents protocols_known from being set. Previously, we
      treated empty strings as normal strings, which led to
      protocols_known being set. Fixes bug 34232; bugfix on
      0.3.3.2-alpha. Patch by Neel Chauhan.
807
808

  o Minor bugfixes (v2 onion services):
Nick Mathewson's avatar
Nick Mathewson committed
809
    - For HSFETCH commands on v2 onion services addresses, check the
810
811
      length of bytes decoded, not the base32 length. Fixes bug 34400;
      bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.
812
813

  o Code simplification and refactoring:
814
    - Add and use a set of functions to perform down-casts on constant
815
      connection and channel pointers. Closes ticket 40046.
Nick Mathewson's avatar
Nick Mathewson committed
816
817
818
819
    - Refactor our code that logs descriptions of connections, channels,
      and the peers on them, to use a single call path. This change
      enables us to refactor the data types that they use, and eliminates
      many confusing usages of those types. Closes ticket 40041.
820
821
    - Refactor some common node selection code into a single function.
      Closes ticket 34200.
Nick Mathewson's avatar
Nick Mathewson committed
822
823
824
825
826
    - Remove the now-redundant 'outbuf_flushlen' field from our
      connection type. It was previously used for an older version of
      our rate-limiting logic. Closes ticket 33097.
    - Rename "fascist_firewall_*" identifiers to "reachable_addr_*"
      instead, for consistency with other code. Closes ticket 18106.
827
    - Rename functions about "advertised" ports which are not in fact
828
      guaranteed to return the ports that have been advertised. Closes
829
830
      ticket 40055.
    - Split implementation of several command line options from
Nick Mathewson's avatar
Nick Mathewson committed
831
832
833
834
835
836
      options_init_from_torrc into smaller isolated functions. Patch by
      Daniel Pinto. Closes ticket 40102.
    - When an extend cell is missing an IPv4 or IPv6 address, fill in
      the address from the extend info. This is similar to what was done
      in ticket 33633 for ed25519 keys. Closes ticket 33816. Patch by
      Neel Chauhan.
837
838
839

  o Deprecated features:
    - The "non-builtin" argument to the "--dump-config" command is now
Nick Mathewson's avatar
Nick Mathewson committed
840
      deprecated. When it works, it behaves the same as "short", which
841
842
      you should use instead. Closes ticket 33398.

Nick Mathewson's avatar
Nick Mathewson committed
843
844
845
846
847
848
849
850
851
852
853
854
855
  o Documentation:
    - Replace URLs from our old bugtracker so that they refer to the new
      bugtracker and wiki. Closes ticket 40101.

  o Removed features:
    - We no longer ship or build a "tor.service" file for use with
      systemd. No distribution included this script unmodified, and we
      don't have the expertise ourselves to maintain this in a way that
      all the various systemd-based distributions can use. Closes
      ticket 30797.
    - We no longer ship support for the Android logging API. Modern
      versions of Android can use the syslog API instead. Closes
      ticket 32181.
856
857
858
859
860
861
    - The "optimistic data" feature is now always on; there is no longer
      an option to disable it from the torrc file or from the consensus
      directory. Closes part of 40139.
    - The "usecreatefast" network parameter is now removed; there is no
      longer an option for authorities to turn it off. Closes part
      of 40139.
Nick Mathewson's avatar
Nick Mathewson committed
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882

  o Testing:
    - Add unit tests for bandwidth statistics manipulation functions.
      Closes ticket 33812. Patch by MrSquanchee.

  o Code simplification and refactoring (autoconf):
    - Remove autoconf checks for unused funcs and headers. Closes ticket
      31699; Patch by @bduszel

  o Code simplification and refactoring (maintainer scripts):
    - Disable by default the pre-commit hook. Use the environment
      variable TOR_EXTRA_PRE_COMMIT_CHECKS in order to run it.
      Furthermore, stop running practracker in the pre-commit hook and
      make check-local. Closes ticket 40019.

  o Code simplification and refactoring (relay address):
    - Most of IPv4 representation was using "uint32_t". It has now been
      moved to use the internal "tor_addr_t" interface instead. This is
      so we can properly integrate IPv6 along IPv4 with common
      interfaces. Closes ticket 40043.

883
  o Documentation (manual page):
884
    - Move them from doc/ to doc/man/. Closes ticket 40044.
Nick Mathewson's avatar
Nick Mathewson committed
885
886
    - Describe the status of the "Sandbox" option more accurately. It is
      no longer "experimental", but it _is_ dependent on kernel and libc
887
888
889
890
891
892
893
      versions. Closes ticket 23378.

  o Documentation (tracing):
    - Document in depth the circuit subsystem trace events in the new
      doc/tracing/EventsCircuit.md. Closes ticket 40036.


894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
Changes in version 0.4.4.5 - 2020-09-15
  Tor 0.4.4.5 is the first stable release in the 0.4.4.x series. This
  series improves our guard selection algorithms, adds v3 onion balance
  support, improves the amount of code that can be disabled when running
  without relay support, and includes numerous small bugfixes and
  enhancements. It also lays the ground for some IPv6 features that
  we'll be developing more in the next (0.4.5) series.

  Per our support policy, we support each stable release series for nine
  months after its first stable release, or three months after the first
  stable release of the next series: whichever is longer. This means
  that 0.4.4.x will be supported until around June 2021--or later, if
  0.4.5.x is later than anticipated.

  Note also that support for 0.4.2.x has just ended; support for 0.4.3
  will continue until Feb 15, 2021. We still plan to continue supporting
  0.3.5.x, our long-term stable series, until Feb 2022.

  Below are the changes since 0.4.4.4-rc. For a complete list of changes
  since 0.4.3.6, see the ReleaseNotes file.

  o Major bugfixes (onion services, DoS):
    - Correct handling of parameters for the onion service DoS defense.
      Previously, the consensus parameters for the onion service DoS
      defenses were overwriting the parameters set by the service
      operator using HiddenServiceEnableIntroDoSDefense. Fixes bug
      40109; bugfix on 0.4.2.1-alpha.

  o Major bugfixes (stats, onion services):
    - Fix a bug where we were undercounting the Tor network's total
      onion service traffic, by ignoring any traffic originating from
      clients. Now we count traffic from both clients and services.
      Fixes bug 40117; bugfix on 0.2.6.2-alpha.

  o Minor features (control port):
    - If a ClientName was specified in ONION_CLIENT_AUTH_ADD for an
      onion service, display it when we use ONION_CLIENT_AUTH_VIEW.
      Closes ticket 40089. Patch by Neel Chauhan.

  o Minor features (denial-of-service memory limiter):
    - Allow the user to configure even lower values for the
      MaxMemInQueues parameter. Relays now enforce a minimum of 64 MB,
      when previously the minimum was 256 MB. On clients, there is no
      minimum. Relays and clients will both warn if the value is set so
      low that Tor is likely to stop working. Closes ticket 24308.

  o Minor features (tests):
    - Our "make check" target now runs the unit tests in 8 parallel
      chunks. Doing this speeds up hardened CI builds by more than a
      factor of two. Closes ticket 40098.

  o Minor bugfixes (guard selection algorithm):
    - Avoid needless guard-related warning when upgrading from 0.4.3 to
      0.4.4. Fixes bug 40105; bugfix on 0.4.4.1-alpha.

  o Minor bugfixes (tests):
    - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
      on its own. Previously, it would exit with an error. Fixes bug
      40099; bugfix on 0.2.8.1-alpha.


955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
Changes in version 0.4.4.3-alpha - 2020-07-27
  Tor 0.4.4.3-alpha fixes several annoyances in previous versions,
  including one affecting NSS users, and several affecting the Linux
  seccomp2 sandbox.

  o Major features (fallback directory list):
    - Replace the 148 fallback directories originally included in Tor
      0.4.1.4-rc (of which around 105 are still functional) with a list
      of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (NSS):
    - When running with NSS enabled, make sure that NSS knows to expect
      nonblocking sockets. Previously, we set our TCP sockets as
      nonblocking, but did not tell NSS, which in turn could lead to
      unexpected blocking behavior. Fixes bug 40035; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Fix a regression on sandboxing rules for the openat() syscall. The
      fix for bug 25440 fixed the problem on systems with glibc >= 2.27
      but broke with versions of glibc. We now choose a rule based on
      the glibc version. Patch from Daniel Pinto. Fixes bug 27315;
      bugfix on 0.3.5.11.
    - Makes the seccomp sandbox allow the correct syscall for opendir
      according to the running glibc version. This fixes crashes when
      reloading torrc with sandbox enabled when running on glibc 2.15 to
      2.21 and 2.26. Patch from Daniel Pinto. Fixes bug 40020; bugfix
      on 0.3.5.11.

  o Minor bugfixes (relay, usability):
    - Adjust the rules for when to warn about having too many
      connections to other relays. Previously we'd tolerate up to 1.5
      connections per relay on average. Now we tolerate more connections
      for directory authorities, and raise the number of total
      connections we need to see before we warn. Fixes bug 33880; bugfix
      on 0.3.1.1-alpha.

  o Documentation:
    - Replace most http:// URLs in our code and documentation with
      https:// URLs. (We have left unchanged the code in src/ext/, and
      the text in LICENSE.) Closes ticket 31812. Patch from Jeremy Rand.

  o Removed features:
    - Our "check-local" test target no longer tries to use the
      Coccinelle semantic patching tool parse all the C files. While it
      is a good idea to try to make sure Coccinelle works on our C
      before we run a Coccinelle patch, doing so on every test run has
      proven to be disruptive. You can still run this tool manually with
      "make check-cocci". Closes ticket 40030.


1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
Changes in version 0.3.5.11 - 2020-07-09
  Tor 0.3.5.11 backports fixes from later tor releases, including several
  usability, portability, and reliability fixes.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor features (testing, backport from 0.4.3.4-rc):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler compatibility, backport from 0.4.3.5):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha):
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (key portability, backport from 0.4.3.4-rc):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Testing (CI, backport from 0.4.3.4-rc):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


Changes in version 0.4.2.8 - 2020-07-09
  Tor 0.4.2.8 backports various fixes from later releases, including
  several that affect usability and portability.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor feature (sendme, flow control, backport form 0.4.3.4-rc):
    - Default to sending SENDME version 1 cells. (Clients are already
      sending these, because of a consensus parameter telling them to do
      so: this change only affects what clients would do if the
      consensus didn't contain a recommendation.) Closes ticket 33623.

  o Minor features (diagnostic, backport from 0.4.3.3-alpha):
    - Improve assertions and add some memory-poisoning code to try to
      track down possible causes of a rare crash (32564) in the EWMA
      code. Closes ticket 33290.

  o Minor features (testing, backport from 0.4.3.4-rc):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler compatibility, backport from 0.4.3.5):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
    - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
      on 0.4.0.3-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (controller protocol, backport from 0.4.3.2-alpha):
    - When receiving "ACTIVE" or "DORMANT" signals on the control port,
      report them as SIGNAL events. Previously we would log a bug
      warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha):
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (key portability, backport from 0.4.3.4-rc):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-rc):
    - When logging a bug, do not say "Future instances of this warning
      will be silenced" unless we are actually going to silence them.
      Previously we would say this whenever a BUG() check failed in the
      code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.4-rc):
    - Flush stderr, stdout, and file logs during shutdown, if supported
      by the OS. This change helps make sure that any final logs are
      recorded. Fixes bug 33087; bugfix on 0.4.1.6.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Testing (CI, backport from 0.4.3.4-rc):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


Changes in version 0.4.3.6 - 2020-07-09
  Tor 0.4.3.6 backports several bugfixes from later releases, including
  some affecting usability.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (linux seccomp sandbox, nss, backport from 0.4.4.1-alpha):
    - Fix a startup crash when tor is compiled with --enable-nss and
      sandbox support is enabled. Fixes bug 34130; bugfix on
      0.3.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (manual page, backport from 0.4.4.1-alpha):
    - Update the man page to reflect that MinUptimeHidServDirectoryV2
      defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, backport from 0.4.4.1-alpha):
    - Prevent an assert() that would occur when cleaning the client
      descriptor cache, and attempting to close circuits for a non-
      decrypted descriptor (lacking client authorization). Fixes bug
      33458; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (portability, backport from 0.4.4.1-alpha):
    - Fix a portability error in the configure script, where we were
      using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5.

  o Minor bugfixes (relays, backport from 0.4.4.1-alpha):
    - Stop advertising incorrect IPv6 ORPorts in relay and bridge
      descriptors, when the IPv6 port was configured as "auto". Fixes
      bug 32588; bugfix on 0.2.3.9-alpha.

  o Documentation (backport from 0.4.4.1-alpha):
    - Fix several doxygen warnings related to imbalanced groups. Closes
      ticket 34255.


Changes in version 0.4.4.2-alpha - 2020-07-09
  This is the second alpha release in the 0.4.4.x series. It fixes a few
  bugs in the previous release, and solves a few usability,
  compatibility, and portability issues.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Minor features (bootstrap reporting):
    - Report more detailed reasons for bootstrap failure when the
      failure happens due to a TLS error. Previously we would just call
      these errors "MISC" when they happened during read, and "DONE"
      when they happened during any other TLS operation. Closes
      ticket 32622.

  o Minor features (directory authority):
    - Authorities now recommend the protocol versions that are supported
      by Tor 0.3.5 and later. (Earlier versions of Tor have been
      deprecated since January of this year.) This recommendation will
      cause older clients and relays to give a warning on startup, or
      when they download a consensus directory. Closes ticket 32696.

  o Minor features (entry guards):
    - Reinstate support for GUARD NEW/UP/DOWN control port events.
      Closes ticket 40001.

  o Minor features (linux seccomp2 sandbox, portability):
    - Allow Tor to build on platforms where it doesn't know how to
      report which syscall caused the linux seccomp2 sandbox to fail.
      This change should make the sandbox code more portable to less
      common Linux architectures. Closes ticket 34382.
    - Permit the unlinkat() syscall, which some Libc implementations use
      to implement unlink(). Closes ticket 33346.

  o Minor bugfix (CI, Windows):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (onion service v3 client):
    - Remove a BUG() warning that could occur naturally. Fixes bug
      34087; bugfix on 0.3.2.1-alpha.

  o Minor bugfix (SOCKS, onion service client):
    - Detect v3 onion service addresses of the wrong length when
      returning the F6 ExtendedErrors code. Fixes bug 33873; bugfix
      on 0.4.3.1-alpha.

  o Minor bugfixes (compiler warnings):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (control port, onion service):
    - Consistently use 'address' in "Invalid v3 address" response to
      ONION_CLIENT_AUTH commands. Previously, we would sometimes say
      'addr'. Fixes bug 40005; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (logging):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion services v3):
    - Avoid a non-fatal assertion failure in certain edge-cases when
      opening an intro circuit as a client. Fixes bug 34084; bugfix
      on 0.3.2.1-alpha.

  o Deprecated features (onion service v2):
    - Add a deprecation warning for version 2 onion services. Closes
      ticket 40003.

  o Removed features (IPv6, revert):
    - Revert the change in the default value of ClientPreferIPv6OrPort:
      it breaks the torsocks use case. The SOCKS resolve command has no
      mechanism to ask for a specific address family (v4 or v6), and so
      prioritizing IPv6 when an IPv4 address is requested on the SOCKS
      interface resulted in a failure. Tor Browser explicitly sets
      PreferIPv6, so this should not affect the majority of our users.
      Closes ticket 33796; bugfix on 0.4.4.1-alpha.


1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
Changes in version 0.4.4.1-alpha - 2020-06-16
  This is the first alpha release in the 0.4.4.x series.  It improves
  our guard selection algorithms, improves the amount of code that
  can be disabled when running without relay support, and includes numerous
  small bugfixes and enhancements.  It also lays the ground for some IPv6
  features that we'll be developing more in the next (0.4.5) series.

  Here are the changes since 0.4.3.5.

  o Major features (Proposal 310, performance + security):
    - Implements Proposal 310, "Bandaid on guard selection". Proposal
      310 solves load-balancing issues with older versions of the guard
      selection algorithm, and improves its security. Under this new
      algorithm, a newly selected guard never becomes Primary unless all
      previously sampled guards are unreachable. Implements
      recommendation from 32088. (Proposal 310 is linked to the CLAPS
      project researching optimal client location-aware path selections.
      This project is a collaboration between the UCLouvain Crypto Group,
      the U.S. Naval Research Laboratory, and Princeton University.)

  o Major features (IPv6, relay):
    - Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol
      warning if the IPv4 or IPv6 address is an internal address, and
      internal addresses are not allowed. But continue to use the other
      address, if it is valid. Closes ticket 33817.
    - If a relay can extend over IPv4 and IPv6, and both addresses are
      provided, it chooses between them uniformly at random. Closes
      ticket 33817.
    - Re-use existing IPv6 connections for circuit extends. Closes
      ticket 33817.
    - Relays may extend circuits over IPv6, if the relay has an IPv6
      ORPort, and the client supplies the other relay's IPv6 ORPort in
      the EXTEND2 cell. IPv6 extends will be used by the relay IPv6
      ORPort self-tests in 33222. Closes ticket 33817.

  o Major features (v3 onion services):
    - Allow v3 onion services to act as OnionBalance backend instances,
      by using the HiddenServiceOnionBalanceInstance torrc option.
      Closes ticket 32709.

  o Minor feature (developer tools):
    - Add a script to help check the alphabetical ordering of option
      names in the manual page. Closes ticket 33339.

  o Minor feature (onion service client, SOCKS5):
    - Add 3 new SocksPort ExtendedErrors (F2, F3, F7) that reports back
      new type of onion service connection failures. The semantics of
      these error codes are documented in proposal 309. Closes
      ticket 32542.

  o Minor feature (onion service v3):
    - If a service cannot upload its descriptor(s), log why at INFO
      level. Closes ticket 33400; bugfix on 0.3.2.1-alpha.

  o Minor feature (python scripts):
    - Stop assuming that /usr/bin/python exists. Instead of using a
      hardcoded path in scripts that still use Python 2, use
      /usr/bin/env, similarly to the scripts that use Python 3. Fixes
      bug 33192; bugfix on 0.4.2.

  o Minor features (client-only compilation):
    - Disable more code related to the ext_orport protocol when
      compiling without support for relay mode. Closes ticket 33368.
    - Disable more of our self-testing code when support for relay mode
      is disabled. Closes ticket 33370.

  o Minor features (code safety):
    - Check for failures of tor_inet_ntop() and tor_inet_ntoa()
      functions in DNS and IP address processing code, and adjust
      codepaths to make them less likely to crash entire Tor instances.
      Resolves issue 33788.

  o Minor features (compilation size):
    - Most server-side DNS code is now disabled when building without
      support for relay mode. Closes ticket 33366.

  o Minor features (continuous integration):
    - Run unit-test and integration test (Stem, Chutney) jobs with
      ALL_BUGS_ARE_FATAL macro being enabled on Travis and Appveyor.
      Resolves ticket 32143.

  o Minor features (control port):
    - Return a descriptive error message from the 'GETINFO status/fresh-
      relay-descs' command on the control port. Previously, we returned
      a generic error of "Error generating descriptor". Closes ticket
      32873. Patch by Neel Chauhan.

  o Minor features (developer tooling):
    - Refrain from listing all .a files that are generated by the Tor
      build in .gitignore. Add a single wildcard *.a entry that covers
      all of them for present and future. Closes ticket 33642.
    - Add a script ("git-install-tools.sh") to install git hooks and
      helper scripts. Closes ticket 33451.

  o Minor features (directory authority, shared random):
    - Refactor more authority-only parts of the shared-random scheduling
      code to reside in the dirauth module, and to be disabled when
      compiling with --disable-module-dirauth. Closes ticket 33436.

  o Minor features (directory):
    - Remember the number of bytes we have downloaded for each directory
      purpose while bootstrapping, and while fully bootstrapped. Log
      this information as part of the heartbeat message. Closes
      ticket 32720.

  o Minor features (IPv6 support):
    - Adds IPv6 support to tor_addr_is_valid(). Adds tests for the above
      changes and tor_addr_is_null(). Closes ticket 33679. Patch
      by MrSquanchee.
    - Allow clients and relays to send dual-stack and IPv6-only EXTEND2
      cells. Parse dual-stack and IPv6-only EXTEND2 cells on relays.
      Closes ticket 33901.

  o Minor features (logging):
    - When trying to find our own address, add debug-level logging to
      report the sources of candidate addresses. Closes ticket 32888.

  o Minor features (testing, architecture):
    - Our test scripts now double-check that subsystem initialization
      order is consistent with the inter-module dependencies established
      by our .may_include files. Implements ticket 31634.
    - Initialize all subsystems at the beginning of our unit test
      harness, to avoid crashes due to uninitialized subsystems. Follow-
      up from ticket 33316.

  o Minor features (v3 onion services):
    - Add v3 onion service status to the dumpstats() call which is
      triggered by a SIGUSR1 signal. Previously, we only did v2 onion
      services. Closes ticket 24844. Patch by Neel Chauhan.

  o Minor features (windows):
    - Add support for console control signals like Ctrl+C in Windows.
      Closes ticket 34211. Patch from Damon Harris (TheDcoder).

  o Minor bugfix (onion service v3):
    - Prevent an assert() that would occur when cleaning the client
      descriptor cache, and attempting to close circuits for a non-
      decrypted descriptor (lacking client authorization). Fixes bug
      33458; bugfix on 0.4.2.1-alpha.

  o Minor bugfix (refactoring):
    - Lift circuit_build_times_disabled() out of the
      circuit_expire_building() loop, to save CPU time when there are
      many circuits open. Fixes bug 33977; bugfix on 0.3.5.9.

  o Minor bugfixes (client performance):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (directory authorities):
    - Directory authorities now reject votes that arrive too late. In
      particular, once an authority has started fetching missing votes,
      it no longer accepts new votes posted by other authorities. This
      change helps prevent a consensus split, where only some authorities
      have the late vote. Fixes bug 4631; bugfix on 0.2.0.5-alpha.

  o Minor bugfixes (git scripts):
    - Stop executing the checked-out pre-commit hook from the pre-push
      hook. Instead, execute the copy in the user's git directory. Fixes
      bug 33284; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (initialization):
    - Initialize the subsystems in our code in an order more closely
      corresponding to their dependencies, so that every system is
      initialized before the ones that (theoretically) depend on it.
      Fixes bug 33316; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (IPv4, relay):
    - Check for invalid zero IPv4 addresses and ports when sending and
      receiving extend cells. Fixes bug 33900; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (IPv6, relay):
    - Consider IPv6 addresses when checking if a connection is
      canonical. In 17604, relays assumed that a remote relay could
      consider an IPv6 connection canonical, but did not set the
      canonical flag on their side of the connection. Fixes bug 33899;
      bugfix on 0.3.1.1-alpha.
    - Log IPv6 addresses on connections where this relay is the
      responder. Previously, responding relays would replace the remote
      IPv6 address with the IPv4 address from the consensus. Fixes bug
      33899; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (linux seccomp sandbox nss):
    - Fix a startup crash when tor is compiled with --enable-nss and
      sandbox support is enabled. Fixes bug 34130; bugfix on
      0.3.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (logging, testing):
    - Make all of tor's assertion macros support the ALL_BUGS_ARE_FATAL
      and DISABLE_ASSERTS_IN_UNIT_TESTS debugging modes. (IF_BUG_ONCE()
      used to log a non-fatal warning, regardless of the debugging
      mode.) Fixes bug 33917; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (logs):
    - Remove surprising empty line in the INFO-level log about circuit
      build timeout. Fixes bug 33531; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (mainloop):
    - Better guard against growing a buffer past its maximum 2GB in
      size. Fixes bug 33131; bugfix on 0.3.0.4-rc.

  o Minor bugfixes (manual page):
    - Update the man page to reflect that MinUptimeHidServDirectoryV2
      defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client):
    - Remove a BUG() that was causing a stacktrace when a descriptor
      changed at an unexpected time. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion service, logging):
    - Fix a typo in a log message PublishHidServDescriptors is set to 0.
      Fixes bug 33779; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (portability):
    - Fix a portability error in the configure script, where we were
      using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5.

  o Minor bugfixes (protocol versions):
    - Sort tor's supported protocol version lists, as recommended by the
      tor directory specification. Fixes bug 33285; bugfix
      on 0.4.0.1-alpha.

  o Minor bugfixes (relays):
    - Stop advertising incorrect IPv6 ORPorts in relay and bridge
      descriptors, when the IPv6 port was configured as "auto". Fixes
      bug 32588; bugfix on 0.2.3.9-alpha.

  o Code simplification and refactoring:
    - Define and use a new constant TOR_ADDRPORT_BUF_LEN which is like
      TOR_ADDR_BUF_LEN but includes enough space for an IP address,
      brackets, separating colon, and port number. Closes ticket 33956.
      Patch by Neel Chauhan.
    - Merge the orconn and ocirc events into the "core" subsystem, which
      manages or connections and origin circuits. Previously they were
      isolated in subsystems of their own.
    - Move LOG_PROTOCOL_WARN to app/config. Resolves a dependency
      inversion. Closes ticket 33633.
    - Move the circuit extend code to the relay module. Split the
      circuit extend function into smaller functions. Closes
      ticket 33633.
    - Rewrite port_parse_config() to use the default port flags from
      port_cfg_new(). Closes ticket 32994. Patch by MrSquanchee.
    - Updated comments in 'scheduler.c' to reflect old code changes, and
      simplified the scheduler channel state change code. Closes
      ticket 33349.

  o Documentation:
    - Document the limitations of using %include on config files with
      seccomp sandbox enabled. Fixes documentation bug 34133; bugfix on
      0.3.1.1-alpha. Patch by Daniel Pinto.
    - Fix several doxygen warnings related to imbalanced groups. Closes
      ticket 34255.

  o Removed features:
    - Remove the ClientAutoIPv6ORPort option. This option attempted to
      randomly choose between IPv4 and IPv6 for client connections, and
      wasn't a true implementation of Happy Eyeballs. Often, this option
      failed on IPv4-only or IPv6-only connections. Closes ticket 32905.
      Patch by Neel Chauhan.
    - Stop shipping contrib/dist/rc.subr file, as it is not being used
      on FreeBSD anymore. Closes issue 31576.

  o Testing:
    - Add a basic IPv6 test to "make test-network". This test only runs
      when the local machine has an IPv6 stack. Closes ticket 33300.
    - Add test-network-ipv4 and test-network-ipv6 jobs to the Makefile.
      These jobs run the IPv4-only and dual-stack chutney flavours from
      test-network-all. Closes ticket 33280.
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Run the test-network-ipv6 Makefile target in the Travis CI IPv6
      chutney job. This job runs on macOS, so it's a bit slow. Closes
      ticket 33303.
    - Sort the Travis jobs in order of speed. Putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - Test v3 onion services to tor's mixed IPv4 chutney network. And
      add a mixed IPv6 chutney network. These networks are used in the
      test-network-all, test-network-ipv4, and test-network-ipv6 make
      targets. Closes ticket 33334.
    - Use the "bridges+hs-v23" chutney network flavour in "make test-
      network". This test requires a recent version of chutney (mid-
      February 2020). Closes ticket 28208.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.

  o Code simplification and refactoring (onion service):
    - Refactor configuration parsing to use the new config subsystem
      code. Closes ticket 33014.

  o Code simplification and refactoring (relay address):
    - Move a series of functions related to address resolving into their
      own files. Closes ticket 33789.

  o Documentation (manual page):
    - Add cross reference links and a table of contents to the HTML tor
      manual page. Closes ticket 33369. Work by Swati Thacker as part of
      Google Season of Docs.
    - Alphabetize the Denial of Service Mitigation Options, Directory
      Authority Server Options, Hidden Service Options, and Testing
      Network Options sections of the tor(1) manual page. Closes ticket
      33275. Work by Swati Thacker as part of Google Season of Docs.
    - Refrain from mentioning nicknames in manpage section for MyFamily
      torrc option. Resolves issue 33417.
    - Updated the options set by TestingTorNetwork in the manual page.
      Closes ticket 33778.


1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
Changes in version 0.4.3.5 - 2020-05-15
  Tor 0.4.3.5 is the first stable release in the 0.4.3.x series. This
  series adds support for building without relay code enabled, and
  implements functionality needed for OnionBalance with v3 onion
  services. It includes significant refactoring of our configuration and
  controller functionality, and fixes numerous smaller bugs and
  performance issues.

  Per our support policy, we support each stable release series for nine
  months after its first stable release, or three months after the first
  stable release of the next series: whichever is longer. This means
  that 0.4.3.x will be supported until around February 2021--later, if
  0.4.4.x is later than anticipated.

  Note also that support for 0.4.1.x is about to end on May 20 of this
  year; 0.4.2.x will be supported until September 15. We still plan to
  continue supporting 0.3.5.x, our long-term stable series, until
  Feb 2022.

  Below are the changes since 0.4.3.4-rc. For a complete list of changes
  since 0.4.2.6, see the ReleaseNotes file.

  o Minor bugfixes (compiler compatibility):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
    - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
      on 0.4.0.3-alpha.

  o Minor bugfixes (logging):
    - Stop truncating IPv6 addresses and ports in channel and connection
      logs. Fixes bug 33918; bugfix on 0.2.4.4-alpha.
    - Fix a logic error in a log message about whether an address was
      invalid. Previously, the code would never report that onion
      addresses were onion addresses. Fixes bug 34131; bugfix
      on 0.4.3.1-alpha.


1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
Changes in version 0.4.3.4-rc - 2020-04-13
  Tor 0.4.3.4-rc is the first release candidate in its series. It fixes
  several bugs from earlier versions, including one affecting DoS
  defenses on bridges using pluggable transports.

  o Major bugfixes (DoS defenses, bridges, pluggable transport):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor feature (sendme, flow control):
    - Default to sending SENDME version 1 cells. (Clients are already
      sending these, because of a consensus parameter telling them to do
      so: this change only affects what clients would do if the
      consensus didn't contain a recommendation.) Closes ticket 33623.

  o Minor features (testing):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfixes (--disable-module-relay):
    - Fix an assertion failure when Tor is built without the relay
      module, and then invoked with the "User" option. Fixes bug 33668;
      bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (--disable-module-relay,--disable-module-dirauth):
    - Set some output arguments in the relay and dirauth module stubs,
      to guard against future stub argument handling bugs like 33668.
      Fixes bug 33674; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (build system):
    - Correctly output the enabled module in the configure summary.
      Before that, the list shown was just plain wrong. Fixes bug 33646;
      bugfix on 0.4.3.2-alpha.

  o Minor bugfixes (client, IPv6):
    - Stop forcing all non-SocksPorts to prefer IPv6 exit connections.
      Instead, prefer IPv6 connections by default, but allow users to
      change their configs using the "NoPreferIPv6" port flag. Fixes bug
      33608; bugfix on 0.4.3.1-alpha.
    - Revert PreferIPv6 set by default on the SocksPort because it broke
      the torsocks use case. Tor doesn't have a way for an application
      to request the hostname to be resolved for a specific IP version,
      but torsocks requires that. Up until now, IPv4 was used by default
      so torsocks is expecting that, and can't handle a possible IPv6
      being returned. Fixes bug 33804; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (key portability):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging):
    - Flush stderr, stdout, and file logs during shutdown, if supported
      by the OS. This change helps make sure that any final logs are
      recorded. Fixes bug 33087; bugfix on 0.4.1.6.
    - Stop closing stderr and stdout during shutdown. Closing these file
      descriptors can hide sanitiser logs. Fixes bug 33087; bugfix
      on 0.4.1.6.

  o Minor bugfixes (onion services v3):
    - Relax severity of a log message that can appear naturally when
      decoding onion service descriptors as a relay. Also add some
      diagnostics to debug any future bugs in that area. Fixes bug
      31669; bugfix on 0.3.0.1-alpha.
    - Block a client-side assertion by disallowing the registration of
      an x25519 client auth key that's all zeroes. Fixes bug 33545;
      bugfix on 0.4.3.1-alpha. Based on patch from "cypherpunks".

  o Code simplification and refactoring:
    - Disable our coding standards best practices tracker in our git
      hooks. (0.4.3 branches only.) Closes ticket 33678.

  o Testing:
    - Avoid conflicts between the fake sockets in tor's unit tests, and
      real file descriptors. Resolves issues running unit tests with
      GitHub Actions, where the process that embeds or launches the
      tests has already opened a large number of file descriptors. Fixes
      bug 33782; bugfix on 0.2.8.1-alpha. Found and fixed by
      Putta Khunchalee.

  o Testing (CI):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
Changes in version 0.4.3.3-alpha - 2020-03-18
  Tor 0.4.3.3-alpha fixes several bugs in previous releases, including
  TROVE-2020-002, a major denial-of-service vulnerability that affected
  all released Tor instances since 0.2.1.5-alpha. Using this
  vulnerability, an attacker could cause Tor instances to consume a huge
  amount of CPU, disrupting their operations for several seconds or
  minutes. This attack could be launched by anybody against a relay, or
  by a directory cache against any client that had connected to it. The
  attacker could launch this attack as much as they wanted, thereby
  disrupting service or creating patterns that could aid in traffic
  analysis. This issue was found by OSS-Fuzz, and is also tracked
  as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Major bugfixes (directory authority):
    - Directory authorities will now send a 503 (not enough bandwidth)
      code to clients when under bandwidth pressure. Known relays and
      other authorities will always be answered regardless of the
      bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.

  o Minor features (diagnostic):
    - Improve assertions and add some memory-poisoning code to try to
      track down possible causes of a rare crash (32564) in the EWMA
      code. Closes ticket 33290.

  o Minor features (directory authorities):
    - Directory authorities now reject descriptors from relays running
      Tor versions from the 0.2.9 and 0.4.0 series. The 0.3.5 series is
      still allowed. Resolves ticket 32672. Patch by Neel Chauhan.

  o Minor features (usability):
    - Include more information when failing to parse a configuration
      value. This should make it easier to tell what's going wrong when
      a configuration file doesn't parse. Closes ticket 33460.

  o Minor bugfix (relay, configuration):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (coding best practices checks):
    - Allow the "practracker" script to read unicode files when using
      Python 2. We made the script use unicode literals in 0.4.3.1-alpha,
      but didn't change the codec for opening files. Fixes bug 33374;
      bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (continuous integration):
    - Remove the buggy and unused mirroring job. Fixes bug 33213; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion service v3, client):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion services v3):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Documentation (manpage):
    - Alphabetize the Server and Directory server sections of the tor
      manpage. Also split Statistics options into their own section of
      the manpage. Closes ticket 33188. Work by Swati Thacker as part of
      Google Season of Docs.
    - Document the __OwningControllerProcess torrc option and specify
      its polling interval. Resolves issue 32971.

  o Testing (Travis CI):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.


Changes in version 0.4.2.7 - 2020-03-18
  This is the third stable release in the 0.4.2.x series. It backports
  numerous fixes from later releases, including a fix for TROVE-2020-
  002, a major denial-of-service vulnerability that affected all
  released Tor instances since 0.2.1.5-alpha. Using this vulnerability,
  an attacker could cause Tor instances to consume a huge amount of CPU,
  disrupting their operations for several seconds or minutes. This
  attack could be launched by anybody against a relay, or by a directory
  cache against any client that had connected to it. The attacker could
  launch this attack as much as they wanted, thereby disrupting service
  or creating patterns that could aid in traffic analysis. This issue
  was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Major bugfixes (directory authority, backport from 0.4.3.3-alpha):
    - Directory authorities will now send a 503 (not enough bandwidth)
      code to clients when under bandwidth pressure. Known relays and
      other authorities will always be answered regardless of the
      bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.

  o Minor features (continuous integration, backport from 0.4.3.2-alpha):
    - Stop allowing failures on the Travis CI stem tests job. It looks
      like all the stem hangs we were seeing before are now fixed.
      Closes ticket 33075.

  o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
    - Lowercase the configured value of BridgeDistribution before adding
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.

  o Testing (Travis CI, backport from 0.4.3.3-alpha):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.


Changes in version 0.4.1.9 - 2020-03-18
  Tor 0.4.1.9 backports important fixes from later Tor releases,
  including a fix for TROVE-2020-002, a major denial-of-service
  vulnerability that affected all released Tor instances since
  0.2.1.5-alpha. Using this vulnerability, an attacker could cause Tor
  instances to consume a huge amount of CPU, disrupting their operations
  for several seconds or minutes. This attack could be launched by
  anybody against a relay, or by a directory cache against any client
  that had connected to it. The attacker could launch this attack as
  much as they wanted, thereby disrupting service or creating patterns
  that could aid in traffic analysis. This issue was found by OSS-Fuzz,
  and is also tracked as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
    - Lowercase the configured value of BridgeDistribution before adding
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.

  o Testing (Travis CI, backport from 0.4.3.3-alpha):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.


Changes in version 0.3.5.10 - 2020-03-18
  Tor 0.3.5.10 backports many fixes from later Tor releases, including a
  fix for TROVE-2020-002, a major denial-of-service vulnerability that
  affected all released Tor instances since 0.2.1.5-alpha. Using this
  vulnerability, an attacker could cause Tor instances to consume a huge
  amount of CPU, disrupting their operations for several seconds or
  minutes. This attack could be launched by anybody against a relay, or
  by a directory cache against any client that had connected to it. The
  attacker could launch this attack as much as they wanted, thereby
  disrupting service or creating patterns that could aid in traffic
  analysis. This issue was found by OSS-Fuzz, and is also tracked
  as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha):
    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
      processed after the first match. Neither is the case! In
      libseccomp <2.4.0 this lead to some rules having no effect.
      libseccomp 2.4.0 changed how rules are generated, leading to a
      different ordering, which in turn led to a fatal crash during
      startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
      Peter Gerber.

  o Minor features (continuous integration, backport from 0.4.3.2-alpha):
    - Stop allowing failures on the Travis CI stem tests job. It looks
      like all the stem hangs we were seeing before are now fixed.
      Closes ticket 33075.

  o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
    - Lowercase the configured value of BridgeDistribution before adding
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.

  o Minor bugfixes (crash, backport from 0.4.2.4-rc):
    - When running Tor with an option like --verify-config or
      --dump-config that does not start the event loop, avoid crashing
      if we try to exit early because of an error. Fixes bug 32407;
      bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.

  o Testing (backport from 0.4.3.1-alpha):
    - Re-enable the Travis CI macOS Chutney build, but don't let it
      prevent the Travis job from finishing. (The Travis macOS jobs are
      slow, so we don't want to have it delay the whole CI process.)
      Closes ticket 32629.
    - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
      Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
      fix the sandbox errors in 32722. Closes ticket 32240.

  o Testing (continuous integration, backport from 0.4.3.1-alpha):
    - Use zstd in our Travis Linux builds. Closes ticket 32242.

  o Testing (Travis CI, backport from 0.4.3.3-alpha):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.


2175
2176
2177
2178
2179
2180
Changes in version 0.4.3.2-alpha - 2020-02-10
  This is the second stable alpha release in the Tor 0.4.3.x series. It
  fixes several bugs present in the previous alpha release. Anybody
  running the previous alpha should upgrade, and look for bugs in this
  one instead.

2181
2182
2183
2184
  o Major bugfixes (onion service client, authorization):
    - On a NEWNYM signal, purge entries from the ephemeral client
      authorization cache. The permanent ones are kept. Fixes bug 33139;
      bugfix on 0.4.3.1-alpha.
2185
2186
2187
2188
2189
2190
2191

  o Minor features (best practices tracker):
    - Practracker now supports a --regen-overbroad option to regenerate
      the exceptions file, but only to revise exceptions to be _less_
      tolerant of best-practices violations. Closes ticket 32372.

  o Minor features (continuous integration):
2192
2193
    - Run Doxygen Makefile target on Travis, so we can learn about
      regressions in our internal documentation. Closes ticket 32455.
2194
2195
2196
2197
2198
    - Stop allowing failures on the Travis CI stem tests job. It looks
      like all the stem hangs we were seeing before are now fixed.
      Closes ticket 33075.

  o Minor bugfixes (build system):
2199
2200
    - Revise configure options that were either missing or incorrect in
      the configure summary. Fixes bug 32230; bugfix on 0.4.3.1-alpha.
2201
2202
2203
2204
2205
2206
2207

  o Minor bugfixes (controller protocol):
    - Fix a memory leak introduced by refactoring of control reply
      formatting code. Fixes bug 33039; bugfix on 0.4.3.1-alpha.
    - Fix a memory leak in GETINFO responses. Fixes bug 33103; bugfix
      on 0.4.3.1-alpha.
    - When receiving "ACTIVE" or "DORMANT" signals on the control port,
2208
2209
      report them as SIGNAL events. Previously we would log a bug
      warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.
2210
2211
2212
2213
2214
2215
2216
2217

  o Minor bugfixes (logging):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.
    - When logging a bug, do not say "Future instances of this warning
2218
      will be silenced" unless we are actually going to silence them.
2219
2220
2221
2222
      Previously we would say this whenever a BUG() check failed in the
      code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (onion service v2):
2223
2224
2225
    - Move a series of v2 onion service warnings to protocol-warning
      level because they can all be triggered remotely by a malformed
      request. Fixes bug 32706; bugfix on 0.1.1.14-alpha.
2226
2227
2228

  o Minor bugfixes (onion service v3, client authorization):
    - When removing client authorization credentials using the control
2229
      port, also remove the associated descriptor, so the onion service
2230
2231
      can no longer be contacted. Fixes bug 33148; bugfix
      on 0.4.3.1-alpha.
2232
2233

  o Minor bugfixes (pluggable transports):
2234
2235
2236
    - When receiving a message on standard error from a pluggable
      transport, log it at info level, rather than as a warning. Fixes
      bug 33005; bugfix on 0.4.0.1-alpha.
2237
2238

  o Minor bugfixes (rust, build):
2239
2240
2241
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.
2242
2243

  o Minor bugfixes (TLS bug handling):
2244
    - When encountering a bug in buf_read_from_tls(), return a "MISC"
2245
2246
2247
2248
2249
2250
2251
2252
2253
      error code rather than "WANTWRITE". This change might help avoid
      some CPU-wasting loops if the bug is ever triggered. Bug reported
      by opara. Fixes bug 32673; bugfix on 0.3.0.4-alpha.

  o Code simplification and refactoring (mainloop):
    - Simplify the ip_address_changed() function by removing redundant
      checks. Closes ticket 33091.

  o Documentation (manpage):
2254
    - Split "Circuit Timeout" options and "Node Selection" options into
2255
2256
2257
2258
      their own sections of the tor manpage. Closes tickets 32928 and
      32929. Work by Swati Thacker as part of Google Season of Docs.


2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
Changes in version 0.4.2.6 - 2020-01-30
  This is the second stable release in the 0.4.2.x series. It backports
  several bugfixes from 0.4.3.1-alpha, including some that had affected
  the Linux seccomp2 sandbox or Windows services. If you're running with
  one of those configurations, you'll probably want to upgrade;
  otherwise, you should be fine with 0.4.2.5.

  o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha):
    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
      processed after the first match. Neither is the case! In
Nick Mathewson's avatar
Nick Mathewson committed
2270
      libseccomp <2.4.0 this led to some rules having no effect.
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
      libseccomp 2.4.0 changed how rules are generated, leading to a
      different ordering, which in turn led to a fatal crash during
      startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
      Peter Gerber.
    - Fix crash when reloading logging configuration while the
      experimental sandbox is enabled. Fixes bug 32841; bugfix on
      0.4.1.7. Patch by Peter Gerber.

  o Minor bugfixes (correctness checks, backport from 0.4.3.1-alpha):
    - Use GCC/Clang's printf-checking feature to make sure that
      tor_assertf() arguments are correctly typed. Fixes bug 32765;
      bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (logging, crash, backport from 0.4.3.1-alpha):
    - Avoid a possible crash when trying to log a (fatal) assertion
      failure about mismatched magic numbers in configuration objects.
      Fixes bug 32771; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.3.1-alpha):
    - When TOR_DISABLE_PRACTRACKER is set, do not apply it to the
      test_practracker.sh script. Doing so caused a test failure. Fixes
      bug 32705; bugfix on 0.4.2.1-alpha.
    - When TOR_DISABLE_PRACTRACKER is set, log a notice to stderr when
      skipping practracker checks. Fixes bug 32705; bugfix
      on 0.4.2.1-alpha.

  o Minor bugfixes (windows service, backport from 0.4.3.1-alpha):
    - Initialize the publish/subscribe system when running as a windows
      service. Fixes bug 32778; bugfix on 0.4.1.1-alpha.

  o Testing (backport from 0.4.3.1-alpha):
    - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
      Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
      fix the sandbox errors in 32722. Closes ticket 32240.
    - Re-enable the Travis CI macOS Chutney build, but don't let it
      prevent the Travis job from finishing. (The Travis macOS jobs are
      slow, so we don't want to have it delay the whole CI process.)
      Closes ticket 32629.

  o Testing (continuous integration, backport from 0.4.3.1-alpha):
    - Use zstd in our Travis Linux builds. Closes ticket 32242.


Changes in version 0.4.1.8 - 2020-01-30
  This release backports several bugfixes from later release series,
  including some that had affected the Linux seccomp2 sandbox or Windows
  services. If you're running with one of those configurations, you'll
  probably want to upgrade; otherwise, you should be fine with your
  current version of 0.4.1.x.

  o Major bugfixes (linux seccomp sandbox, backport from 0.4.3.1-alpha):
    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
      processed after the first match. Neither is the case! In
Nick Mathewson's avatar
Nick Mathewson committed
2325
      libseccomp <2.4.0 this led to some rules having no effect.
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
      libseccomp 2.4.0 changed how rules are generated, leading to a
      different ordering, which in turn led to a fatal crash during
      startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
      Peter Gerber.
    - Fix crash when reloading logging configuration while the
      experimental sandbox is enabled. Fixes bug 32841; bugfix on
      0.4.1.7. Patch by Peter Gerber.

  o Minor bugfixes (crash, backport form 0.4.2.4-rc):
    - When running Tor with an option like --verify-config or
      --dump-config that does not start the event loop, avoid crashing
      if we try to exit early because of an error. Fixes bug 32407;
      bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (windows service, backport from 0.4.3.1-alpha):
    - Initialize the publish/subscribe system when running as a windows
      service. Fixes bug 32778; bugfix on 0.4.1.1-alpha.

  o Testing (backport from 0.4.3.1-alpha):
    - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
      Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
      fix the sandbox errors in 32722. Closes ticket 32240.
    - Re-enable the Travis CI macOS Chutney build, but don't let it
      prevent the Travis job from finishing. (The Travis macOS jobs are
      slow, so we don't want to have it delay the whole CI process.)
      Closes ticket 32629.

  o Testing (continuous integration, backport from 0.4.3.1-alpha):
    - Use zstd in our Travis Linux builds. Closes ticket 32242.


Nick Mathewson's avatar
Nick Mathewson committed
2357
Changes in version 0.4.3.1-alpha - 2020-01-22
2358
2359
2360
2361
2362
2363
2364
  This is the first alpha release in the 0.4.3.x series. It includes
  improved support for application integration of onion services, support
  for building in a client-only mode, and newly improved internal
  documentation (online at https://src-ref.docs.torproject.org/tor/). It
  also has numerous other small bugfixes and features, as well as
  improvements to our code's internal organization that should help us
  write better code in the future.
2365

Nick Mathewson's avatar
Nick Mathewson committed
2366
2367
2368
2369
2370
  o New system requirements:
    - When building Tor, you now need to have Python 3 in order to run
      the integration tests. (Python 2 is officially unsupported
      upstream, as of 1 Jan 2020.) Closes ticket 32608.

2371
  o Major features (build system):
Nick Mathewson's avatar
Nick Mathewson committed
2372
2373
2374
2375
2376
    - The relay code can now be disabled using the --disable-module-relay
      configure option. When this option is set, we also disable the
      dirauth module. Closes ticket 32123.
    - When Tor is compiled --disable-module-relay, we also omit the code
      used to act as a directory cache. Closes ticket 32487.
2377
2378

  o Major features (directory authority, ed25519):
Nick Mathewson's avatar
Nick Mathewson committed
2379
    - Add support for banning a relay's ed25519 keys in the approved-
Nick Mathewson's avatar
Nick Mathewson committed
2380
2381
      routers file. This will help us migrate away from RSA keys in the
      future. Previously, only RSA keys could be banned in approved-
Nick Mathewson's avatar
Nick Mathewson committed
2382
      routers. Resolves ticket 22029. Patch by Neel Chauhan.
2383

Nick Mathewson's avatar
Nick Mathewson committed
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
  o Major features (onion service, controller):
    - New control port commands to manage client-side onion service
      authorization credentials. The ONION_CLIENT_AUTH_ADD command adds
      a credential, ONION_CLIENT_AUTH_REMOVE deletes a credential, and
      ONION_CLIENT_AUTH_VIEW lists the credentials. Closes ticket 30381.

  o Major features (onion service, SOCKS5):
    - Introduce a new SocksPort flag, ExtendedErrors, to support more
      detailed error codes in information for applications that support
      them. Closes ticket 30382; implements proposal 304.
2394
2395

  o Major features (proxy):
Nick Mathewson's avatar
Nick Mathewson committed
2396
2397
2398
2399
2400
    - In addition to its current supported proxy types (HTTP CONNECT,
      SOCKS4, and SOCKS5), Tor can now make its OR connections through a
      HAProxy server. A new torrc option was added to specify the
      address/port of the server: TCPProxy <protocol> <host>:<port>.
      Currently the only supported protocol for the option is haproxy.
2401
      Closes ticket 31518. Patch done by Suphanat Chunhapanya (haxxpop).
Nick Mathewson's avatar
Nick Mathewson committed
2402
2403
2404
2405
2406

  o Major bugfixes (linux seccomp sandbox):
    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
      processed after the first match. Neither is the case! In
Nick Mathewson's avatar
Nick Mathewson committed
2407
      libseccomp <2.4.0 this led to some rules having no effect.
2408
2409
      libseccomp 2.4.0 changed how rules are generated, leading to a
      different ordering, which in turn led to a fatal crash during
Nick Mathewson's avatar
Nick Mathewson committed
2410
2411
2412
2413
2414
      startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
      Peter Gerber.
    - Fix crash when reloading logging configuration while the
      experimental sandbox is enabled. Fixes bug 32841; bugfix on
      0.4.1.7. Patch by Peter Gerber.
2415
2416
2417
2418
2419
2420
2421

  o Major bugfixes (networking):
    - Correctly handle IPv6 addresses in SOCKS5 RESOLVE_PTR requests,
      and accept strings as well as binary addresses. Fixes bug 32315;
      bugfix on 0.3.5.1-alpha.

  o Major bugfixes (onion service):
2422
2423
2424
2425
2426
    - Report HS circuit failure back into the HS subsystem so we take
      appropriate action with regards to the client introduction point
      failure cache. This improves reachability of onion services, since
      now clients notice failing introduction circuits properly. Fixes
      bug 32020; bugfix on 0.3.2.1-alpha.
2427
2428

  o Minor feature (configure, build system):
Nick Mathewson's avatar
Nick Mathewson committed
2429
2430
    - Output a list of enabled/disabled features at the end of the
      configure process in a pleasing way. Closes ticket 31373.
2431
2432

  o Minor feature (heartbeat, onion service):
Nick Mathewson's avatar
Nick Mathewson committed
2433
2434
    - Add the DoS INTRODUCE2 defenses counter to the heartbeat DoS
      message. Closes ticket 31371.
2435
2436
2437

  o Minor features (configuration validation):
    - Configuration validation can now be done by per-module callbacks,
Nick Mathewson's avatar
Nick Mathewson committed
2438
2439
2440
      rather than a global validation function. This will let us reduce
      the size of config.c and some of its more cumbersome functions.
      Closes ticket 31241.
2441
2442

  o Minor features (configuration):
Nick Mathewson's avatar
Nick Mathewson committed
2443
    - If a configured hardware crypto accelerator in AccelName is
Nick Mathewson's avatar
Nick Mathewson committed
2444
2445
      prefixed with "!", Tor now exits when it cannot be found. Closes
      ticket 32406.
Nick Mathewson's avatar
Nick Mathewson committed
2446
    - We now use flag-driven logic to warn about obsolete configuration
Nick Mathewson's avatar
Nick Mathewson committed
2447
2448
      fields, so that we can include their names. In 0.4.2, we used a
      special type, which prevented us from generating good warnings.
2449
2450
2451
2452
      Implements ticket 32404.

  o Minor features (controller):
    - Add stream isolation data to STREAM event. Closes ticket 19859.
Nick Mathewson's avatar
Nick Mathewson committed
2453
2454
    - Implement a new GETINFO command to fetch microdescriptor
      consensus. Closes ticket 31684.
2455
2456

  o Minor features (debugging, directory system):
Nick Mathewson's avatar
Nick Mathewson committed
2457
2458
2459
    - Don't crash when we find a non-guard with a guard-fraction value
      set. Instead, log a bug warning, in an attempt to figure out how
      this happened. Diagnostic for ticket 32868.
2460
2461

  o Minor features (defense in depth):
Nick Mathewson's avatar
Nick Mathewson committed
2462
2463
    - Add additional checks around tor_vasprintf() usage, in case the
      function returns an error. Patch by Tobias Stoeckmann. Fixes
Nick Mathewson's avatar
Nick Mathewson committed
2464
      ticket 31147.
2465
2466

  o Minor features (developer tooling):
Nick Mathewson's avatar
Nick Mathewson committed
2467
    - Remove the 0.2.9.x series branches from git scripts (git-merge-
Nick Mathewson's avatar
Nick Mathewson committed
2468
2469
      forward.sh, git-pull-all.sh, git-push-all.sh, git-setup-dirs.sh).
      Closes ticket 32772.
2470
2471

  o Minor features (developer tools):
Nick Mathewson's avatar
Nick Mathewson committed
2472
2473
    - Add a check_cocci_parse.sh script that checks that new code is
      parseable by Coccinelle. Add an exceptions file for unparseable
Nick Mathewson's avatar
Nick Mathewson committed
2474
2475
2476
      files, and run the script from travis CI. Closes ticket 31919.
    - Call the check_cocci_parse.sh script from a 'check-cocci' Makefile
      target. Closes ticket 31919.
2477