ChangeLog 1.56 MB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
Changes in version 0.3.5.8 - 2019-02-21
  Tor 0.3.5.8 backports serveral fixes from later releases, including fixes
  for an annoying SOCKS-parsing bug that affected users in earlier 0.3.5.x
  releases.

  It also includes a fix for a medium-severity security bug affecting Tor
  0.3.2.1-alpha and later. All Tor instances running an affected release
  should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can
      put in the outbuf. Previously, KIST acted as though the outbuf
      were empty, which could lead to the outbuf becoming too full. It
      is possible that an attacker could exploit this bug to cause a Tor
      client or relay to run out of memory and crash. Fixes bug 29168;
      bugfix on 0.3.2.1-alpha. This issue is also being tracked as
      TROVE-2019-001 and CVE-2019-8955.

  o Major bugfixes (networking, backport from 0.4.0.2-alpha):
    - Gracefully handle empty username/password fields in SOCKS5
      username/password auth messsage and allow SOCKS5 handshake to
      continue. Previously, we had rejected these handshakes, breaking
      certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

  o Minor features (compilation, backport from 0.4.0.2-alpha):
    - Compile correctly when OpenSSL is built with engine support
      disabled, or with deprecated APIs disabled. Closes ticket 29026.
      Patches from "Mangix".

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
      Country database. Closes ticket 29478.

  o Minor features (testing, backport from 0.4.0.2-alpha):
    - Treat all unexpected ERR and BUG messages as test failures. Closes
      ticket 28668.

  o Minor bugfixes (onion service v3, client, backport from 0.4.0.1-alpha):
    - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS
      connection waiting for a descriptor that we actually have in the
      cache. It turns out that this can actually happen, though it is
      rare. Now, tor will recover and retry the descriptor. Fixes bug
      28669; bugfix on 0.3.2.4-alpha.

  o Minor bugfixes (IPv6, backport from 0.4.0.1-alpha):
    - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the
      IPv6 socket was bound using an address family of AF_INET instead
      of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from
      Kris Katterjohn.

  o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
    - Update Cargo.lock file to match the version made by the latest
      version of Rust, so that "make distcheck" will pass again. Fixes
      bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (client, clock skew, backport from 0.4.0.1-alpha):
    - Select guards even if the consensus has expired, as long as the
      consensus is still reasonably live. Fixes bug 24661; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (compilation, backport from 0.4.0.1-alpha):
    - Compile correctly on OpenBSD; previously, we were missing some
      headers required in order to detect it properly. Fixes bug 28938;
      bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (documentation, backport from 0.4.0.2-alpha):
    - Describe the contents of the v3 onion service client authorization
      files correctly: They hold public keys, not private keys. Fixes
      bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

  o Minor bugfixes (logging, backport from 0.4.0.1-alpha):
    - Rework rep_hist_log_link_protocol_counts() to iterate through all
      link protocol versions when logging incoming/outgoing connection
      counts. Tor no longer skips version 5, and we won't have to
      remember to update this function when new link protocol version is
      developed. Fixes bug 28920; bugfix on 0.2.6.10.

  o Minor bugfixes (logging, backport from 0.4.0.2-alpha):
    - Log more information at "warning" level when unable to read a
      private key; log more information at "info" level when unable to
      read a public key. We had warnings here before, but they were lost
      during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (misc, backport from 0.4.0.2-alpha):
    - The amount of total available physical memory is now determined
      using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
      when it is defined and a 64-bit variant is not available. Fixes
      bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
    - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more
      than one private key for a hidden service. Fixes bug 29040; bugfix
      on 0.3.5.1-alpha.
    - In hs_cache_store_as_client() log an HSDesc we failed to parse at
      "debug" level. Tor used to log it as a warning, which caused very
      long log lines to appear for some users. Fixes bug 29135; bugfix
      on 0.3.2.1-alpha.
    - Stop logging "Tried to establish rendezvous on non-OR circuit..."
      as a warning. Instead, log it as a protocol warning, because there
      is nothing that relay operators can do to fix it. Fixes bug 29029;
      bugfix on 0.2.5.7-rc.

  o Minor bugfixes (tests, directory clients, backport from 0.4.0.1-alpha):
    - Mark outdated dirservers when Tor only has a reasonably live
      consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.

  o Minor bugfixes (tests, backport from 0.4.0.2-alpha):
    - Detect and suppress "bug" warnings from the util/time test on
      Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
    - Do not log an error-level message if we fail to find an IPv6
      network interface from the unit tests. Fixes bug 29160; bugfix
      on 0.2.7.3-rc.

  o Minor bugfixes (usability, backport from 0.4.0.1-alpha):
    - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate().
      Some users took this phrasing to mean that the mentioned guard was
      under their control or responsibility, which it is not. Fixes bug
      28895; bugfix on Tor 0.3.0.1-alpha.


Changes in version 0.3.4.11 - 2019-02-21
  Tor 0.3.4.11 is the third stable release in its series.  It includes
  a fix for a medium-severity security bug affecting Tor 0.3.2.1-alpha and
  later. All Tor instances running an affected release should upgrade to
  0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can
      put in the outbuf. Previously, KIST acted as though the outbuf
      were empty, which could lead to the outbuf becoming too full. It
      is possible that an attacker could exploit this bug to cause a Tor
      client or relay to run out of memory and crash. Fixes bug 29168;
      bugfix on 0.3.2.1-alpha. This issue is also being tracked as
      TROVE-2019-001 and CVE-2019-8955.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
      Country database. Closes ticket 29478.

  o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
    - Update Cargo.lock file to match the version made by the latest
      version of Rust, so that "make distcheck" will pass again. Fixes
      bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
    - Stop logging "Tried to establish rendezvous on non-OR circuit..."
      as a warning. Instead, log it as a protocol warning, because there
      is nothing that relay operators can do to fix it. Fixes bug 29029;
      bugfix on 0.2.5.7-rc.


Changes in version 0.3.3.12 - 2019-02-21
  Tor 0.3.3.12 fixes a medium-severity security bug affecting Tor
  0.3.2.1-alpha and later. All Tor instances running an affected release
  should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

  This release marks the end of support for the Tor 0.3.3.x series. We
  recommend that users switch to either the Tor 0.3.4 series (supported
  until at least 10 June 2019), or the Tor 0.3.5 series, which will
  receive long-term support until at least 1 Feb 2022.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can
      put in the outbuf. Previously, KIST acted as though the outbuf
      were empty, which could lead to the outbuf becoming too full. It
      is possible that an attacker could exploit this bug to cause a Tor
      client or relay to run out of memory and crash. Fixes bug 29168;
      bugfix on 0.3.2.1-alpha. This issue is also being tracked as
      TROVE-2019-001 and CVE-2019-8955.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
      Country database. Closes ticket 29478.

  o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
    - Update Cargo.lock file to match the version made by the latest
      version of Rust, so that "make distcheck" will pass again. Fixes
      bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
    - Stop logging "Tried to establish rendezvous on non-OR circuit..."
      as a warning. Instead, log it as a protocol warning, because there
      is nothing that relay operators can do to fix it. Fixes bug 29029;
      bugfix on 0.2.5.7-rc.


Changes in version 0.4.0.2-alpha - 2019-02-21
  Tor 0.4.0.2-alpha is the second alpha in its series; it fixes several
  bugs from earlier versions, including several that had broken
  backward compatibility.

  It also includes a fix for a medium-severity security bug affecting Tor
  0.3.2.1-alpha and later. All Tor instances running an affected release
  should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can
      put in the outbuf. Previously, KIST acted as though the outbuf
      were empty, which could lead to the outbuf becoming too full. It
      is possible that an attacker could exploit this bug to cause a Tor
      client or relay to run out of memory and crash. Fixes bug 29168;
      bugfix on 0.3.2.1-alpha. This issue is also being tracked as
      TROVE-2019-001 and CVE-2019-8955.

  o Major bugfixes (networking):
    - Gracefully handle empty username/password fields in SOCKS5
      username/password auth messsage and allow SOCKS5 handshake to
      continue. Previously, we had rejected these handshakes, breaking
      certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

  o Major bugfixes (windows, startup):
    - When reading a consensus file from disk, detect whether it was
      written in text mode, and re-read it in text mode if so. Always
      write consensus files in binary mode so that we can map them into
      memory later. Previously, we had written in text mode, which
      confused us when we tried to map the file on windows. Fixes bug
      28614; bugfix on 0.4.0.1-alpha.

  o Minor features (compilation):
    - Compile correctly when OpenSSL is built with engine support
      disabled, or with deprecated APIs disabled. Closes ticket 29026.
      Patches from "Mangix".

  o Minor features (developer tooling):
    - Check that bugfix versions in changes files look like Tor versions
      from the versions spec. Warn when bugfixes claim to be on a future
      release. Closes ticket 27761.
    - Provide a git pre-commit hook that disallows commiting if we have
      any failures in our code and changelog formatting checks. It is
      now available in scripts/maint/pre-commit.git-hook. Implements
      feature 28976.

  o Minor features (directory authority):
    - When a directory authority is using a bandwidth file to obtain
      bandwidth values, include the digest of that file in the vote.
      Closes ticket 26698.

  o Minor features (geoip):
    - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
      Country database. Closes ticket 29478.

  o Minor features (testing):
    - Treat all unexpected ERR and BUG messages as test failures. Closes
      ticket 28668.

  o Minor bugfixes (build, compatibility, rust):
    - Update Cargo.lock file to match the version made by the latest
      version of Rust, so that "make distcheck" will pass again. Fixes
      bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (compilation):
    - Fix compilation warnings in test_circuitpadding.c. Fixes bug
      29169; bugfix on 0.4.0.1-alpha.
    - Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug
      29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (documentation):
    - Describe the contents of the v3 onion service client authorization
      files correctly: They hold public keys, not private keys. Fixes
      bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

  o Minor bugfixes (linux seccomp sandbox):
    - Fix startup crash when experimental sandbox support is enabled.
      Fixes bug 29150; bugfix on 0.4.0.1-alpha. Patch by Peter Gerber.

  o Minor bugfixes (logging):
    - Avoid logging that we are relaxing a circuit timeout when that
      timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha.
    - Log more information at "warning" level when unable to read a
      private key; log more information at "info" level when unable to
      read a public key. We had warnings here before, but they were lost
      during our NSS work. Fixes bug 29042; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (misc):
    - The amount of total available physical memory is now determined
      using the sysctl identifier HW_PHYSMEM (rather than HW_USERMEM)
      when it is defined and a 64-bit variant is not available. Fixes
      bug 28981; bugfix on 0.2.5.4-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (onion services):
    - Avoid crashing if ClientOnionAuthDir (incorrectly) contains more
      than one private key for a hidden service. Fixes bug 29040; bugfix
      on 0.3.5.1-alpha.
    - In hs_cache_store_as_client() log an HSDesc we failed to parse at
      "debug" level. Tor used to log it as a warning, which caused very
      long log lines to appear for some users. Fixes bug 29135; bugfix
      on 0.3.2.1-alpha.
    - Stop logging "Tried to establish rendezvous on non-OR circuit..."
      as a warning. Instead, log it as a protocol warning, because there
      is nothing that relay operators can do to fix it. Fixes bug 29029;
      bugfix on 0.2.5.7-rc.

  o Minor bugfixes (scheduler):
    - When re-adding channels to the pending list, check the correct
      channel's sched_heap_idx. This issue has had no effect in mainline
      Tor, but could have led to bugs down the road in improved versions
      of our circuit scheduling code. Fixes bug 29508; bugfix
      on 0.3.2.10.

  o Minor bugfixes (tests):
    - Fix intermittent failures on an adaptive padding test. Fixes one
      case of bug 29122; bugfix on 0.4.0.1-alpha.
    - Disable an unstable circuit-padding test that was failing
      intermittently because of an ill-defined small histogram. Such
      histograms will be allowed again after 29298 is implemented. Fixes
      a second case of bug 29122; bugfix on 0.4.0.1-alpha.
    - Detect and suppress "bug" warnings from the util/time test on
      Windows. Fixes bug 29161; bugfix on 0.2.9.3-alpha.
    - Do not log an error-level message if we fail to find an IPv6
      network interface from the unit tests. Fixes bug 29160; bugfix
      on 0.2.7.3-rc.

  o Documentation:
    - In the manpage entry describing MapAddress torrc setting, use
      example IP addresses from ranges specified for use in documentation
      by RFC 5737. Resolves issue 28623.

  o Removed features:
    - Remove the old check-tor script. Resolves issue 29072.


322
Changes in version 0.4.0.1-alpha - 2019-01-18
Nick Mathewson's avatar
Nick Mathewson committed
323
324
325
326
327
328
  Tor 0.4.0.1-alpha is the first release in the new 0.4.0.x series. It
  introduces improved features for power and bandwidth conservation,
  more accurate reporting of bootstrap progress for user interfaces, and
  an experimental backend for an exciting new adaptive padding feature.
  There is also the usual assortment of bugfixes and minor features, all
  described below.
329
330
331
332

  o Major features (battery management, client, dormant mode):
    - When Tor is running as a client, and it is unused for a long time,
      it can now enter a "dormant" state. When Tor is dormant, it avoids
Nick Mathewson's avatar
Nick Mathewson committed
333
334
335
336
      network and CPU activity until it is reawoken either by a user
      request or by a controller command. For more information, see the
      configuration options starting with "Dormant". Implements tickets
      2149 and 28335.
337
    - The client's memory of whether it is "dormant", and how long it
338
      has spent idle, persists across invocations. Implements
339
340
341
342
343
      ticket 28624.
    - There is a DormantOnFirstStartup option that integrators can use
      if they expect that in many cases, Tor will be installed but
      not used.

Nick Mathewson's avatar
Nick Mathewson committed
344
345
346
347
348
349
350
  o Major features (bootstrap reporting):
    - When reporting bootstrap progress, report the first connection
      uniformly, regardless of whether it's a connection for building
      application circuits. This allows finer-grained reporting of early
      progress than previously possible, with the improvements of ticket
      27169. Closes tickets 27167 and 27103. Addresses ticket 27308.
    - When reporting bootstrap progress, treat connecting to a proxy or
351
352
353
      pluggable transport as separate from having successfully used that
      proxy or pluggable transport to connect to a relay. Closes tickets
      27100 and 28884.
354
355
356
357
358
359
360
361

  o Major features (circuit padding):
    - Implement preliminary support for the circuit padding portion of
      Proposal 254. The implementation supports Adaptive Padding (aka
      WTF-PAD) state machines for use between experimental clients and
      relays. Support is also provided for APE-style state machines that
      use probability distributions instead of histograms to specify
      inter-packet delay. At the moment, Tor does not provide any
Nick Mathewson's avatar
Nick Mathewson committed
362
363
      padding state machines that are used in normal operation: for now,
      this feature exists solely for experimentation. Closes
364
365
366
367
368
      ticket 28142.

  o Major features (refactoring):
    - Tor now uses an explicit list of its own subsystems when
      initializing and shutting down. Previously, these systems were
369
370
      managed implicitly in various places throughout the codebase.
      (There may still be some subsystems using the old system.) Closes
371
372
      ticket 28330.

Nick Mathewson's avatar
Nick Mathewson committed
373
  o Minor features (bootstrap reporting):
374
    - When reporting bootstrap progress, stop distinguishing between
375
376
377
378
      situations where only internal paths are available and situations
      where external paths are available. Previously, Tor would often
      erroneously report that it had only internal paths. Closes
      ticket 27402.
379

Nick Mathewson's avatar
Nick Mathewson committed
380
  o Minor features (continuous integration):
381
382
383
384
385
386
387
388
389
    - Log Python version during each Travis CI job. Resolves
      issue 28551.

  o Minor features (controller):
    - Add a DROPOWNERSHIP command to undo the effects of TAKEOWNERSHIP.
      Implements ticket 28843.

  o Minor features (developer tooling):
    - Provide a git hook script to prevent "fixup!" and "squash!"
Nick Mathewson's avatar
Nick Mathewson committed
390
391
      commits from ending up in the master branch, as scripts/main/pre-
      push.git-hook. Closes ticket 27993.
392
393
394

  o Minor features (directory authority):
    - Directory authorities support a new consensus algorithm, under
Nick Mathewson's avatar
Nick Mathewson committed
395
396
397
398
      which the family lines in microdescriptors are encoded in a
      canonical form. This change makes family lines more compressible
      in transit, and on the client. Closes ticket 28266; implements
      proposal 298.
399
400
401
402

  o Minor features (directory authority, relay):
    - Authorities now vote on a "StaleDesc" flag to indicate that a
      relay's descriptor is so old that the relay should upload again
Nick Mathewson's avatar
Nick Mathewson committed
403
404
      soon. Relays treat this flag as a signal to upload a new
      descriptor. This flag will eventually let us remove the
405
406
      'published' date from routerstatus entries, and make our consensus
      diffs much smaller. Closes ticket 26770; implements proposal 293.
407
408
409
410
411
412

  o Minor features (fallback directory mirrors):
    - Update the fallback whitelist based on operator opt-ins and opt-
      outs. Closes ticket 24805, patch by Phoul.

  o Minor features (FreeBSD):
Nick Mathewson's avatar
Nick Mathewson committed
413
414
415
    - On FreeBSD-based systems, warn relay operators if the
      "net.inet.ip.random_id" sysctl (IP ID randomization) is disabled.
      Closes ticket 28518.
416
417

  o Minor features (HTTP standards compliance):
Nick Mathewson's avatar
Nick Mathewson committed
418
419
420
    - Stop sending the header "Content-type: application/octet-stream"
      along with transparently compressed documents: this confused
      browsers. Closes ticket 28100.
421

Nick Mathewson's avatar
Nick Mathewson committed
422
423
  o Minor features (IPv6):
    - We add an option ClientAutoIPv6ORPort, to make clients randomly
424
425
      prefer a node's IPv4 or IPv6 ORPort. The random preference is set
      every time a node is loaded from a new consensus or bridge config.
Nick Mathewson's avatar
Nick Mathewson committed
426
427
428
429
430
431
432
      We expect that this option will enable clients to bootstrap more
      quickly without having to determine whether they support IPv4,
      IPv6, or both. Closes ticket 27490. Patch by Neel Chauhan.
    - When using addrs_in_same_network_family(), avoid choosing circuit
      paths that pass through the same IPv6 subnet more than once.
      Previously, we only checked IPv4 subnets. Closes ticket 24393.
      Patch by Neel Chauhan.
433
434

  o Minor features (log messages):
435
436
    - Improve log message in v3 onion services that could print out
      negative revision counters. Closes ticket 27707. Patch
Nick Mathewson's avatar
Nick Mathewson committed
437
      by "ffmancera".
438
439

  o Minor features (memory usage):
Nick Mathewson's avatar
Nick Mathewson committed
440
441
    - Save memory by storing microdescriptor family lists with a more
      compact representation. Closes ticket 27359.
442
    - Tor clients now use mmap() to read consensus files from disk, so
Nick Mathewson's avatar
Nick Mathewson committed
443
444
      that they no longer need keep the full text of a consensus in
      memory when parsing it or applying a diff. Closes ticket 27244.
445
446
447
448

  o Minor features (parsing):
    - Directory authorities now validate that router descriptors and
      ExtraInfo documents are in a valid subset of UTF-8, and reject
Nick Mathewson's avatar
Nick Mathewson committed
449
      them if they are not. Closes ticket 27367.
450
451

  o Minor features (performance):
Nick Mathewson's avatar
Nick Mathewson committed
452
    - Cache the results of summarize_protocol_flags(), so that we don't
453
454
455
456
      have to parse the same protocol-versions string over and over.
      This should save us a huge number of malloc calls on startup, and
      may reduce memory fragmentation with some allocators. Closes
      ticket 27225.
457
458
459
460
461
462
463
    - Remove a needless memset() call from get_token_arguments, thereby
      speeding up the tokenization of directory objects by about 20%.
      Closes ticket 28852.
    - Replace parse_short_policy() with a faster implementation, to
      improve microdescriptor parsing time. Closes ticket 28853.
    - Speed up directory parsing a little by avoiding use of the non-
      inlined strcmp_len() function. Closes ticket 28856.
Nick Mathewson's avatar
Nick Mathewson committed
464
    - Speed up microdescriptor parsing by about 30%, to help improve
465
466
467
468
469
470
      startup time. Closes ticket 28839.

  o Minor features (pluggable transports):
    - Add support for emitting STATUS updates to Tor's control port from
      a pluggable transport process. Closes ticket 28846.
    - Add support for logging to Tor's logging subsystem from a
471
      pluggable transport process. Closes ticket 28180.
472
473

  o Minor features (process management):
Nick Mathewson's avatar
Nick Mathewson committed
474
    - Add a new process API for handling child processes. This new API
475
476
      allows Tor to have bi-directional communication with child
      processes on both Unix and Windows. Closes ticket 28179.
Nick Mathewson's avatar
Nick Mathewson committed
477
    - Use the subsystem manager to initialize and shut down the process
478
479
480
481
482
483
484
485
      module. Closes ticket 28847.

  o Minor features (relay):
    - When listing relay families, list them in canonical form including
      the relay's own identity, and try to give a more useful set of
      warnings. Part of ticket 28266 and proposal 298.

  o Minor features (required protocols):
Nick Mathewson's avatar
Nick Mathewson committed
486
487
488
489
490
491
492
    - Before exiting because of a missing required protocol, Tor will
      now check the publication time of the consensus, and not exit
      unless the consensus is newer than the Tor program's own release
      date. Previously, Tor would not check the consensus publication
      time, and so might exit because of a missing protocol that might
      no longer be required in a current consensus. Implements proposal
      297; closes ticket 27735.
493
494

  o Minor features (testing):
Nick Mathewson's avatar
Nick Mathewson committed
495
496
497
498
499
500
501
502
503
    - Allow a HeartbeatPeriod of less than 30 minutes in testing Tor
      networks. Closes ticket 28840. Patch by Rob Jansen.

  o Minor bugfixes (client, clock skew):
    - Bootstrap successfully even when Tor's clock is behind the clocks
      on the authorities. Fixes bug 28591; bugfix on 0.2.0.9-alpha.
    - Select guards even if the consensus has expired, as long as the
      consensus is still reasonably live. Fixes bug 24661; bugfix
      on 0.3.0.1-alpha.
504
505

  o Minor bugfixes (compilation):
Nick Mathewson's avatar
Nick Mathewson committed
506
507
508
    - Compile correctly on OpenBSD; previously, we were missing some
      headers required in order to detect it properly. Fixes bug 28938;
      bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.
509
510
511
512
513

  o Minor bugfixes (directory clients):
    - Mark outdated dirservers when Tor only has a reasonably live
      consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.

Nick Mathewson's avatar
Nick Mathewson committed
514
515
516
517
  o Minor bugfixes (directory mirrors):
    - Even when a directory mirror's clock is behind the clocks on the
      authorities, we now allow the mirror to serve "future"
      consensuses. Fixes bug 28654; bugfix on 0.3.0.1-alpha.
518
519

  o Minor bugfixes (DNS):
Nick Mathewson's avatar
Nick Mathewson committed
520
521
522
    - Gracefully handle an empty or absent resolve.conf file by falling
      back to using "localhost" as a DNS server (and hoping it works).
      Previously, we would just stop running as an exit. Fixes bug
523
524
525
      21900; bugfix on 0.2.1.10-alpha.

  o Minor bugfixes (guards):
526
527
528
529
530
531
    - In count_acceptable_nodes(), the minimum number is now one bridge
      or guard node, and two non-guard nodes for a circuit. Previously,
      we had added up the sum of all nodes with a descriptor, but that
      could cause us to build failing circuits when we had either too
      many bridges or not enough guard nodes. Fixes bug 25885; bugfix on
      0.3.6.1-alpha. Patch by Neel Chauhan.
532
533
534
535
536
537
538
539
540
541

  o Minor bugfixes (IPv6):
    - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the
      IPv6 socket was bound using an address family of AF_INET instead
      of AF_INET6. Fixes bug 28995; bugfix on 0.3.5.1-alpha. Patch from
      Kris Katterjohn.

  o Minor bugfixes (logging):
    - Rework rep_hist_log_link_protocol_counts() to iterate through all
      link protocol versions when logging incoming/outgoing connection
Nick Mathewson's avatar
Nick Mathewson committed
542
      counts. Tor no longer skips version 5, and we won't have to
543
544
545
546
547
548
549
550
551
      remember to update this function when new link protocol version is
      developed. Fixes bug 28920; bugfix on 0.2.6.10.

  o Minor bugfixes (networking):
    - Introduce additional checks into tor_addr_parse() to reject
      certain incorrect inputs that previously were not detected. Fixes
      bug 23082; bugfix on 0.2.0.10-alpha.

  o Minor bugfixes (onion service v3, client):
552
553
554
555
556
    - Stop logging a "BUG()" warning and stacktrace when we find a SOCKS
      connection waiting for a descriptor that we actually have in the
      cache. It turns out that this can actually happen, though it is
      rare. Now, tor will recover and retry the descriptor. Fixes bug
      28669; bugfix on 0.3.2.4-alpha.
557
558
559

  o Minor bugfixes (periodic events):
    - Refrain from calling routerlist_remove_old_routers() from
560
561
      check_descriptor_callback(). Instead, create a new hourly periodic
      event. Fixes bug 27929; bugfix on 0.2.8.1-alpha.
562
563

  o Minor bugfixes (pluggable transports):
Nick Mathewson's avatar
Nick Mathewson committed
564
565
    - Make sure that data is continously read from standard output and
      standard error pipes of a pluggable transport child-process, to
566
567
      avoid deadlocking when a pipe's buffer is full. Fixes bug 26360;
      bugfix on 0.2.3.6-alpha.
568
569
570

  o Minor bugfixes (unit tests):
    - Instead of relying on hs_free_all() to clean up all onion service
Nick Mathewson's avatar
Nick Mathewson committed
571
572
573
      objects in test_build_descriptors(), we now deallocate them one by
      one. This lets Coverity know that we are not leaking memory there
      and fixes CID 1442277. Fixes bug 28989; bugfix on 0.3.5.1-alpha.
574
575

  o Minor bugfixes (usability):
Nick Mathewson's avatar
Nick Mathewson committed
576
577
578
    - Stop saying "Your Guard ..." in pathbias_measure_{use,close}_rate().
      Some users took this phrasing to mean that the mentioned guard was
      under their control or responsibility, which it is not. Fixes bug
579
580
581
582
583
      28895; bugfix on Tor 0.3.0.1-alpha.

  o Code simplification and refactoring:
    - Reimplement NETINFO cell parsing and generation to rely on
      trunnel-generated wire format handling code. Closes ticket 27325.
584
    - Remove unnecessary unsafe code from the Rust macro "cstr!". Closes
585
586
587
588
589
590
591
592
      ticket 28077.
    - Rework SOCKS wire format handling to rely on trunnel-generated
      parsing/generation code. Resolves ticket 27620.
    - Split out bootstrap progress reporting from control.c into a
      separate file. Part of ticket 27402.
    - The .may_include files that we use to describe our directory-by-
      directory dependency structure now describe a noncircular
      dependency graph over the directories that they cover. Our
Nick Mathewson's avatar
Nick Mathewson committed
593
594
      checkIncludes.py tool now enforces this noncircularity. Closes
      ticket 28362.
595
596

  o Documentation:
Nick Mathewson's avatar
Nick Mathewson committed
597
    - Mention that you cannot add a new onion service if Tor is already
598
      running with Sandbox enabled. Closes ticket 28560.
599
    - Improve ControlPort documentation. Mention that it accepts
Nick Mathewson's avatar
Nick Mathewson committed
600
      address:port pairs, and can be used multiple times. Closes
601
602
603
604
      ticket 28805.
    - Document the exact output of "tor --version". Closes ticket 28889.

  o Removed features:
Nick Mathewson's avatar
Nick Mathewson committed
605
    - Stop responding to the 'GETINFO status/version/num-concurring' and
606
607
608
609
610
611
612
613
      'GETINFO status/version/num-versioning' control port commands, as
      those were deprecated back in 0.2.0.30. Also stop listing them in
      output of 'GETINFO info/names'. Resolves ticket 28757.
    - The scripts used to generate and maintain the list of fallback
      directories have been extracted into a new "fallback-scripts"
      repository. Closes ticket 27914.

  o Testing:
Nick Mathewson's avatar
Nick Mathewson committed
614
    - Run shellcheck for scripts in the in scripts/ directory. Closes
615
      ticket 28058.
Nick Mathewson's avatar
Nick Mathewson committed
616
    - Add unit tests for tokenize_string() and get_next_token()
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
      functions. Resolves ticket 27625.

  o Code simplification and refactoring (onion service v3):
    - Consolidate the authorized client descriptor cookie computation
      code from client and service into one function. Closes
      ticket 27549.

  o Code simplification and refactoring (shell scripts):
    - Cleanup scan-build.sh to silence shellcheck warnings. Closes
      ticket 28007.
    - Fix issues that shellcheck found in chutney-git-bisect.sh.
      Resolves ticket 28006.
    - Fix issues that shellcheck found in updateRustDependencies.sh.
      Resolves ticket 28012.
    - Fix shellcheck warnings in cov-diff script. Resolves issue 28009.
    - Fix shellcheck warnings in run_calltool.sh. Resolves ticket 28011.
    - Fix shellcheck warnings in run_trunnel.sh. Resolves issue 28010.
    - Fix shellcheck warnings in scripts/test/coverage. Resolves
      issue 28008.


638
Changes in version 0.3.3.11 - 2019-01-07
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
  Tor 0.3.3.11 backports numerous fixes from later versions of Tor.
  numerous fixes, including an important fix for anyone using OpenSSL
  1.1.1. Anyone running an earlier version of Tor 0.3.3 should upgrade
  to this version, or to a later series.

  As a reminder, support the Tor 0.3.3 series will end on 22 Feb 2019.
  We anticipate that this will be the last release of Tor 0.3.3, unless
  some major bug is before then. Some time between now and then, users
  should switch to either the Tor 0.3.4 series (supported until at least
  10 June 2019), or the Tor 0.3.5 series, which will receive long-term
  support until at least 1 Feb 2022.

  o Major bugfixes (OpenSSL, portability, backport from 0.3.5.5-alpha):
    - Fix our usage of named groups when running as a TLS 1.3 client in
      OpenSSL 1.1.1. Previously, we only initialized EC groups when
      running as a relay, which caused clients to fail to negotiate TLS
      1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3
      support was added).

  o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
    - Fix a use-after-free error that could be caused by passing Tor an
      impossible set of options that would fail during options_act().
      Fixes bug 27708; bugfix on 0.3.3.1-alpha.

  o Minor features (continuous integration, backport from 0.3.5.1-alpha):
    - Only run one online rust build in Travis, to reduce network
      errors. Skip offline rust builds on Travis for Linux gcc, because
      they're redundant. Implements ticket 27252.
    - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
      duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
      Linux with default settings, because all the non-default builds
      use gcc on Linux. Implements ticket 27252.

  o Minor features (continuous integration, backport from 0.3.5.3-alpha):
    - Use the Travis Homebrew addon to install packages on macOS during
      Travis CI. The package list is the same, but the Homebrew addon
      does not do a `brew update` by default. Implements ticket 27738.

  o Minor features (fallback directory list, backport from 0.3.5.6-rc):
    - Replace the 150 fallbacks originally introduced in Tor
      0.3.3.1-alpha in January 2018 (of which ~115 were still
      functional), with a list of 157 fallbacks (92 new, 65 existing, 85
      removed) generated in December 2018. Closes ticket 24803.

  o Minor features (geoip):
    - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2
      Country database. Closes ticket 29012.

  o Minor features (OpenSSL bug workaround, backport from 0.3.5.7):
    - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
      key export function from handling long labels. When this bug is
      detected, Tor will disable TLS 1.3. We recommend upgrading to a
      version of OpenSSL without this bug when it becomes available.
      Closes ticket 28973.

  o Minor bugfixes (relay statistics, backport from 0.3.5.7):
    - Update relay descriptor on bandwidth changes only when the uptime
      is smaller than 24h, in order to reduce the efficiency of guard
      discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.

  o Minor bugfixes (C correctness, backport from 0.3.5.4-alpha):
    - Avoid undefined behavior in an end-of-string check when parsing
      the BEGIN line in a directory object. Fixes bug 28202; bugfix
      on 0.2.0.3-alpha.

  o Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
    - Rewrite our assertion macros so that they no longer suppress the
      compiler's -Wparentheses warnings. Fixes bug 27709; bugfix

  o Minor bugfixes (compilation, backport from 0.3.5.5-alpha):
    - Initialize a variable unconditionally in aes_new_cipher(), since
      some compilers cannot tell that we always initialize it before
      use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (directory authority, backport from 0.3.5.4-alpha):
    - Log additional info when we get a relay that shares an ed25519 ID
      with a different relay, instead making a BUG() warning. Fixes bug
      27800; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (directory permissions, backport form 0.3.5.3-alpha):
    - When a user requests a group-readable DataDirectory, give it to
      them. Previously, when the DataDirectory and the CacheDirectory
      were the same, the default setting (0) for
      CacheDirectoryGroupReadable would override the setting for
      DataDirectoryGroupReadable. Fixes bug 26913; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
    - When the onion service directory can't be created or has the wrong
      permissions, do not log a stack trace. Fixes bug 27335; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
    - Close all SOCKS request (for the same .onion) if the newly fetched
      descriptor is unusable. Before that, we would close only the first
      one leaving the other hanging and let to time out by themselves.
      Fixes bug 27410; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
    - Don't warn so loudly when Tor is unable to decode an onion
      descriptor. This can now happen as a normal use case if a client
      gets a descriptor with client authorization but the client is not
      authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.6-rc):
    - When deleting an ephemeral onion service (DEL_ONION), do not close
      any rendezvous circuits in order to let the existing client
      connections finish by themselves or closed by the application. The
      HS v2 is doing that already so now we have the same behavior for
      all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (HTTP tunnel):
    - Fix a bug warning when closing an HTTP tunnel connection due to
      an HTTP request we couldn't handle. Fixes bug 26470; bugfix on
      0.3.2.1-alpha.

  o Minor bugfixes (memory leaks, backport from 0.3.5.5-alpha):
    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
      bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.

  o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
    - Ensure circuitmux queues are empty before scheduling or sending
      padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (protover, backport from 0.3.5.3-alpha):
    - Reject protocol names containing bytes other than alphanumeric
      characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
      on 0.2.9.4-alpha.

  o Minor bugfixes (rust, backport from 0.3.5.1-alpha):
    - Compute protover votes correctly in the rust version of the
      protover code. Previously, the protover rewrite in 24031 allowed
      repeated votes from the same voter for the same protocol version
      to be counted multiple times in protover_compute_vote(). Fixes bug
      27649; bugfix on 0.3.3.5-rc.
    - Reject protover names that contain invalid characters. Fixes bug
      27687; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (rust, backport from 0.3.5.2-alpha):
    - protover_all_supported() would attempt to allocate up to 16GB on
      some inputs, leading to a potential memory DoS. Fixes bug 27206;
      bugfix on 0.3.3.5-rc.

  o Minor bugfixes (rust, backport from 0.3.5.4-alpha):
    - Fix a potential null dereference in protover_all_supported(). Add
      a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
    - Return a string that can be safely freed by C code, not one
      created by the rust allocator, in protover_all_supported(). Fixes
      bug 27740; bugfix on 0.3.3.1-alpha.
    - Fix an API mismatch in the rust implementation of
      protover_compute_vote(). This bug could have caused crashes on any
      directory authorities running Tor with Rust (which we do not yet
      recommend). Fixes bug 27741; bugfix on 0.3.3.6.

  o Minor bugfixes (testing, backport from 0.3.5.1-alpha):
    - If a unit test running in a subprocess exits abnormally or with a
      nonzero status code, treat the test as having failed, even if the
      test reported success. Without this fix, memory leaks don't cause
      the tests to fail, even with LeakSanitizer. Fixes bug 27658;
      bugfix on 0.2.2.4-alpha.

  o Minor bugfixes (testing, backport from 0.3.5.4-alpha):
    - Treat backtrace test failures as expected on BSD-derived systems
      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
      (FreeBSD failures have been treated as expected since 18204 in
      0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (unit tests, guard selection, backport from 0.3.5.6-rc):
    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
      bugfix on 0.3.0.1-alpha.


811
Changes in version 0.3.4.10 - 2019-01-07
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
  Tor 0.3.4.9 is the second stable release in its series; it backports
  numerous fixes, including an important fix for relays, and for anyone
  using OpenSSL 1.1.1. Anyone running an  earlier version of Tor 0.3.4
  should upgrade.

  As a reminder, the Tor 0.3.4 series will be supported until 10 June
  2019. Some time between now and then, users should switch to the Tor
  0.3.5 series, which will receive long-term support until at least 1
  Feb 2022.

  o Major bugfixes (OpenSSL, portability, backport from 0.3.5.5-alpha):
    - Fix our usage of named groups when running as a TLS 1.3 client in
      OpenSSL 1.1.1. Previously, we only initialized EC groups when
      running as a relay, which caused clients to fail to negotiate TLS
      1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3
      support was added).

  o Major bugfixes (relay, directory, backport from 0.3.5.7):
    - Always reactivate linked connections in the main loop so long as
      any linked connection has been active. Previously, connections
      serving directory information wouldn't get reactivated after the
      first chunk of data was sent (usually 32KB), which would prevent
      clients from bootstrapping. Fixes bug 28912; bugfix on
      0.3.4.1-alpha. Patch by "cypherpunks3".

  o Minor features (continuous integration, Windows, backport from 0.3.5.6-rc):
    - Always show the configure and test logs, and upload them as build
      artifacts, when building for Windows using Appveyor CI.
      Implements 28459.

  o Minor features (controller, backport from 0.3.5.1-alpha):
    - For purposes of CIRC_BW-based dropped cell detection, track half-
      closed stream ids, and allow their ENDs, SENDMEs, DATA and path
      bias check cells to arrive without counting it as dropped until
      either the END arrives, or the windows are empty. Closes
      ticket 25573.

  o Minor features (fallback directory list, backport from 0.3.5.6-rc):
    - Replace the 150 fallbacks originally introduced in Tor
      0.3.3.1-alpha in January 2018 (of which ~115 were still
      functional), with a list of 157 fallbacks (92 new, 65 existing, 85
      removed) generated in December 2018. Closes ticket 24803.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2018 Maxmind GeoLite2
      Country database. Closes ticket 28395.

  o Minor features (OpenSSL bug workaround, backport from 0.3.5.7):
    - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
      key export function from handling long labels. When this bug is
      detected, Tor will disable TLS 1.3. We recommend upgrading to a
      version of OpenSSL without this bug when it becomes available.
      Closes ticket 28973.

  o Minor bugfixes (compilation, backport from 0.3.5.5-alpha):
    - Initialize a variable unconditionally in aes_new_cipher(), since
      some compilers cannot tell that we always initialize it before
      use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (connection, relay, backport from 0.3.5.5-alpha):
    - Avoid a logging a BUG() stacktrace when closing connection held
      open because the write side is rate limited but not the read side.
      Now, the connection read side is simply shut down until Tor is
      able to flush the connection and close it. Fixes bug 27750; bugfix
      on 0.3.4.1-alpha.

  o Minor bugfixes (continuous integration, Windows, backport from 0.3.5.5-alpha):
    - Manually configure the zstd compiler options, when building using
      mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does
      not come with a pkg-config file. Fixes bug 28454; bugfix
      on 0.3.4.1-alpha.
    - Stop using an external OpenSSL install, and stop installing MSYS2
      packages, when building using mingw on Appveyor Windows CI. Fixes
      bug 28399; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (continuous integration, Windows, backport from 0.3.5.6-rc):
    - Explicitly specify the path to the OpenSSL library and do not
      download OpenSSL from Pacman, but instead use the library that is
      already provided by AppVeyor. Fixes bug 28574; bugfix on master.

  o Minor bugfixes (directory permissions, backport form 0.3.5.3-alpha):
    - When a user requests a group-readable DataDirectory, give it to
      them. Previously, when the DataDirectory and the CacheDirectory
      were the same, the default setting (0) for
      CacheDirectoryGroupReadable would override the setting for
      DataDirectoryGroupReadable. Fixes bug 26913; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (memory leaks, backport from 0.3.5.5-alpha):
    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
      bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.

  o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
    - Don't warn so loudly when Tor is unable to decode an onion
      descriptor. This can now happen as a normal use case if a client
      gets a descriptor with client authorization but the client is not
      authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.6-rc):
    - When deleting an ephemeral onion service (DEL_ONION), do not close
      any rendezvous circuits in order to let the existing client
      connections finish by themselves or closed by the application. The
      HS v2 is doing that already so now we have the same behavior for
      all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (relay statistics, backport from 0.3.5.7):
    - Update relay descriptor on bandwidth changes only when the uptime
      is smaller than 24h, in order to reduce the efficiency of guard
      discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.

  o Minor bugfixes (unit tests, guard selection, backport from 0.3.5.6-rc):
    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
      bugfix on 0.3.0.1-alpha.


Changes in version 0.3.5.7 - 2019-01-07
  Tor 0.3.5.7 is the first stable release in its series; it includes
  compilation and portability fixes, and a fix for a severe problem
  affecting directory caches.

  The Tor 0.3.5 series includes several new features and performance
  improvements, including client authorization for v3 onion services,
  cleanups to bootstrap reporting, support for improved bandwidth-
  measurement tools, experimental support for NSS in place of OpenSSL,
  and much more. It also begins a full reorganization of Tor's code
  layout, for improved modularity and maintainability in the future.
  Finally, there is the usual set of performance improvements and
  bugfixes that we try to do in every release series.

  There are a couple of changes in the 0.3.5 that may affect
  compatibility. First, the default version for newly created onion
  services is now v3. Use the HiddenServiceVersion option if you want to
  override this. Second, some log messages related to bootstrapping have
  changed; if you use stem, you may need to update to the latest version
  so it will recognize them.

  We have designated 0.3.5 as a "long-term support" (LTS) series: we
  will continue to patch major bugs in typical configurations of 0.3.5
  until at least 1 Feb 2022. (We do not plan to provide long-term
  support for embedding, Rust support, NSS support, running a directory
  authority, or unsupported platforms. For these, you will need to stick
  with the latest stable release.)

  Below are the changes since 0.3.5.6-rc. For a complete list of changes
  since 0.3.4.9, see the ReleaseNotes file.

  o Major bugfixes (relay, directory):
    - Always reactivate linked connections in the main loop so long as
      any linked connection has been active. Previously, connections
      serving directory information wouldn't get reactivated after the
      first chunk of data was sent (usually 32KB), which would prevent
      clients from bootstrapping. Fixes bug 28912; bugfix on
      0.3.4.1-alpha. Patch by "cypherpunks3".

  o Minor features (compilation):
    - When possible, place our warning flags in a separate file, to
      avoid flooding verbose build logs. Closes ticket 28924.

  o Minor features (geoip):
    - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2
      Country database. Closes ticket 29012.

  o Minor features (OpenSSL bug workaround):
    - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
      key export function from handling long labels. When this bug is
      detected, Tor will disable TLS 1.3. We recommend upgrading to a
      version of OpenSSL without this bug when it becomes available.
      Closes ticket 28973.

  o Minor features (performance):
    - Remove about 96% of the work from the function that we run at
      startup to test our curve25519_basepoint implementation. Since
      this function has yet to find an actual failure, we now only run
      it for 8 iterations instead of 200. Based on our profile
      information, this change should save around 8% of our startup time
      on typical desktops, and may have a similar effect on other
      platforms. Closes ticket 28838.
    - Stop re-validating our hardcoded Diffie-Hellman parameters on
      every startup. Doing this wasted time and cycles, especially on
      low-powered devices. Closes ticket 28851.

  o Minor bugfixes (compilation):
    - Fix compilation for Android by adding a missing header to
      freespace.c. Fixes bug 28974; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (correctness):
    - Fix an unreached code path where we checked the value of
      "hostname" inside send_resolved_hostname_cell(). Previously, we
      used it before checking it; now we check it first. Fixes bug
      28879; bugfix on 0.1.2.7-alpha.

  o Minor bugfixes (testing):
    - Make sure that test_rebind.py actually obeys its timeout, even
      when it receives a large number of log messages. Fixes bug 28883;
      bugfix on 0.3.5.4-alpha.
    - Stop running stem's unit tests as part of "make test-stem", but
      continue to run stem's unit and online tests during "make test-
      stem-full". Fixes bug 28568; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (windows services):
    - Make Tor start correctly as an NT service again: previously it was
      broken by refactoring. Fixes bug 28612; bugfix on 0.3.5.3-alpha.

  o Code simplification and refactoring:
    - When parsing a port configuration, make it more obvious to static
      analyzer tools that we always initialize the address. Closes
      ticket 28881.


1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
Changes in version 0.3.5.6-rc - 2018-12-18
  Tor 0.3.5.6-rc fixes numerous small bugs in earlier versions of Tor.
  It is the first release candidate in the 0.3.5.x series; if no further
  huge bugs are found, our next release may be the stable 0.3.5.x.

  o Minor features (continuous integration, Windows):
    - Always show the configure and test logs, and upload them as build
      artifacts, when building for Windows using Appveyor CI.
      Implements 28459.

  o Minor features (fallback directory list):
    - Replace the 150 fallbacks originally introduced in Tor
      0.3.3.1-alpha in January 2018 (of which ~115 were still
      functional), with a list of 157 fallbacks (92 new, 65 existing, 85
      removed) generated in December 2018. Closes ticket 24803.

  o Minor features (geoip):
    - Update geoip and geoip6 to the December 5 2018 Maxmind GeoLite2
      Country database. Closes ticket 28744.

  o Minor bugfixes (compilation):
    - Add missing dependency on libgdi32.dll for tor-print-ed-signing-
      cert.exe on Windows. Fixes bug 28485; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (continuous integration, Windows):
    - Explicitly specify the path to the OpenSSL library and do not
      download OpenSSL from Pacman, but instead use the library that is
      already provided by AppVeyor. Fixes bug 28574; bugfix on master.

  o Minor bugfixes (onion service v3):
    - When deleting an ephemeral onion service (DEL_ONION), do not close
      any rendezvous circuits in order to let the existing client
      connections finish by themselves or closed by the application. The
      HS v2 is doing that already so now we have the same behavior for
      all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (restart-in-process, boostrap):
    - Add missing resets of bootstrap tracking state when shutting down
      (regression caused by ticket 27169). Fixes bug 28524; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (testing):
    - Use a separate DataDirectory for the test_rebind script.
      Previously, this script would run using the default DataDirectory,
      and sometimes fail. Fixes bug 28562; bugfix on 0.3.5.1-alpha.
      Patch from Taylor R Campbell.
    - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
      bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (Windows):
    - Correctly identify Windows 8.1, Windows 10, and Windows Server
      2008 and later from their NT versions. Fixes bug 28096; bugfix on
      0.2.2.34; reported by Keifer Bly.
    - On recent Windows versions, the GetVersionEx() function may report
      an earlier Windows version than the running OS. To avoid user
      confusion, add "[or later]" to Tor's version string on affected
      versions of Windows. Fixes bug 28096; bugfix on 0.2.2.34; reported
      by Keifer Bly.
    - Remove Windows versions that were never supported by the
      GetVersionEx() function. Stop duplicating the latest Windows
      version in get_uname(). Fixes bug 28096; bugfix on 0.2.2.34;
      reported by Keifer Bly.

  o Testing:
    - Increase logging and tag all log entries with timestamps in
      test_rebind.py. Provides diagnostics for issue 28229.

  o Code simplification and refactoring (shared random, dirauth):
    - Change many tor_assert() to use BUG() instead. The idea is to not
      crash a dirauth but rather scream loudly with a stacktrace and let
      it continue run. The shared random subsystem is very resilient and
      if anything wrong happens with it, at worst a non coherent value
      will be put in the vote and discarded by the other authorities.
      Closes ticket 19566.

  o Documentation (onion services):
    - Document in the man page that changing ClientOnionAuthDir value or
      adding a new file in the directory will not work at runtime upon
      sending a HUP if Sandbox 1. Closes ticket 28128.
    - Note in the man page that the only real way to fully revoke an
      onion service v3 client authorization is by restarting the tor
      process. Closes ticket 28275.


1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
Changes in version 0.3.5.5-alpha - 2018-11-16
  Tor 0.3.5.5-alpha includes numerous bugfixes on earlier releases,
  including several that we hope to backport to older release series in
  the future.

  o Major bugfixes (OpenSSL, portability):
    - Fix our usage of named groups when running as a TLS 1.3 client in
      OpenSSL 1.1.1. Previously, we only initialized EC groups when
      running as a relay, which caused clients to fail to negotiate TLS
      1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3
      support was added).

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2018 Maxmind GeoLite2
      Country database. Closes ticket 28395.

  o Minor bugfixes (compilation):
    - Initialize a variable unconditionally in aes_new_cipher(), since
      some compilers cannot tell that we always initialize it before
      use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (connection, relay):
    - Avoid a logging a BUG() stacktrace when closing connection held
      open because the write side is rate limited but not the read side.
      Now, the connection read side is simply shut down until Tor is
      able to flush the connection and close it. Fixes bug 27750; bugfix
      on 0.3.4.1-alpha.

  o Minor bugfixes (continuous integration, Windows):
    - Manually configure the zstd compiler options, when building using
      mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does
      not come with a pkg-config file. Fixes bug 28454; bugfix
      on 0.3.4.1-alpha.
    - Stop using an external OpenSSL install, and stop installing MSYS2
      packages, when building using mingw on Appveyor Windows CI. Fixes
      bug 28399; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (documentation):
    - Make Doxygen work again after the code movement in the 0.3.5
      source tree. Fixes bug 28435; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (Linux seccomp2 sandbox):
    - Permit the "shutdown()" system call, which is apparently used by
      OpenSSL under some circumstances. Fixes bug 28183; bugfix
      on 0.2.5.1-alpha.

  o Minor bugfixes (logging):
    - Stop talking about the Named flag in log messages. Clients have
      ignored the Named flag since 0.3.2. Fixes bug 28441; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (memory leaks):
    - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
      bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.

  o Minor bugfixes (onion services):
    - On an intro point for a version 3 onion service, stop closing
      introduction circuits on an NACK. This lets the client decide
      whether to reuse the circuit or discard it. Previously, we closed
      intro circuits when sending NACKs. Fixes bug 27841; bugfix on
      0.3.2.1-alpha. Patch by Neel Chaunan.
    - When replacing a descriptor in the client cache, make sure to
      close all client introduction circuits for the old descriptor, so
      we don't end up with unusable leftover circuits. Fixes bug 27471;
      bugfix on 0.3.2.1-alpha.


1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
Changes in version 0.3.5.4-alpha - 2018-11-08
  Tor 0.3.5.4-alpha includes numerous bugfixes on earlier versions and
  improves our continuous integration support. It continues our attempts
  to stabilize this alpha branch and build it into a foundation for an
  acceptable long-term-support release.

  o Major bugfixes (compilation, rust):
    - Rust tests can now build and run successfully with the
      --enable-fragile-hardening option enabled. Doing this currently
      requires the rust beta channel; it will be possible with stable
      rust once Rust version 1.31 is released. Patch from Alex Crichton.
      Fixes bugs 27272, 27273, and 27274. Bugfix on 0.3.1.1-alpha.

  o Major bugfixes (embedding, main loop):
    - When DisableNetwork becomes set, actually disable periodic events
      that are already enabled. (Previously, we would refrain from
      enabling new ones, but we would leave the old ones turned on.)
      Fixes bug 28348; bugfix on 0.3.4.1-alpha.

  o Minor features (continuous integration):
    - Add a Travis CI build for --enable-nss on Linux gcc. Closes
      ticket 27751.
    - Add new CI job to Travis configuration to run stem-based
      integration tests. Closes ticket 27913.

  o Minor features (Windows, continuous integration):
    - Build tor on Windows Server 2012 R2 and Windows Server 2016 using
      Appveyor's CI. Closes ticket 28318.

  o Minor bugfixes (C correctness, also in 0.3.4.9):
    - Avoid undefined behavior in an end-of-string check when parsing
      the BEGIN line in a directory object. Fixes bug 28202; bugfix
      on 0.2.0.3-alpha.

  o Minor bugfixes (compilation):
    - Fix a pair of missing headers on OpenBSD. Fixes bug 28303; bugfix
      on 0.3.5.1-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (compilation, OpenSolaris):
    - Fix compilation on OpenSolaris and its descendants by adding a
      missing include to compat_pthreads.c. Fixes bug 27963; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (configuration):
    - Refuse to start with relative file paths and RunAsDaemon set
      (regression from the fix for bug 22731). Fixes bug 28298; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (directory authority, also in 0.3.4.9):
    - Log additional info when we get a relay that shares an ed25519 ID
      with a different relay, instead of a BUG() warning with a
      backtrace. Fixes bug 27800; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3):
    - Build the service descriptor's signing key certificate before
      uploading, so we always have a fresh one: leaving no chances for
      it to expire service side. Fixes bug 27838; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3, client authorization):
    - Fix an assert() when adding a client authorization for the first
      time and then sending a HUP signal to the service. Before that,
      Tor would stop abruptly. Fixes bug 27995; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (onion services):
    - Unless we have explicitly set HiddenServiceVersion, detect the
      onion service version and then look for invalid options.
      Previously, we did the reverse, but that broke existing configs
      which were pointed to a v2 service and had options like
      HiddenServiceAuthorizeClient set. Fixes bug 28127; bugfix on
      0.3.5.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (portability):
    - Make the OPE code (which is used for v3 onion services) run
      correctly on big-endian platforms. Fixes bug 28115; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (protover, rust):
    - Reject extra commas in version strings. Fixes bug 27197; bugfix
      on 0.3.3.3-alpha.

  o Minor bugfixes (relay shutdown, systemd):
    - Notify systemd of ShutdownWaitLength so it can be set to longer
      than systemd's TimeoutStopSec. In Tor's systemd service file, set
      TimeoutSec to 60 seconds to allow Tor some time to shut down.
      Fixes bug 28113; bugfix on 0.2.6.2-alpha.

  o Minor bugfixes (rust, also in 0.3.4.9):
    - Fix a potential null dereference in protover_all_supported(). Add
      a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
    - Return a string that can be safely freed by C code, not one
      created by the rust allocator, in protover_all_supported(). Fixes
      bug 27740; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (rust, directory authority, also in 0.3.4.9):
    - Fix an API mismatch in the rust implementation of
      protover_compute_vote(). This bug could have caused crashes on any
      directory authorities running Tor with Rust (which we do not yet
      recommend). Fixes bug 27741; bugfix on 0.3.3.6.

  o Minor bugfixes (testing):
    - Avoid hangs and race conditions in test_rebind.py. Fixes bug
      27968; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, also in 0.3.4.9):
    - Treat backtrace test failures as expected on BSD-derived systems
      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
      (FreeBSD failures have been treated as expected since 18204 in
      0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.

  o Documentation (onion service manpage):
    - Improve HSv3 client authorization by making some options more
      explicit and detailed. Closes ticket 28026. Patch by Mike Tigas.


1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
Changes in version 0.3.4.9 - 2018-11-02
  Tor 0.3.4.9 is the second stable release in its series; it backports
  numerous fixes, including a fix for a bandwidth management bug that
  was causing memory exhaustion on relays. Anyone running an earlier
  version of Tor 0.3.4.9 should upgrade.

  o Major bugfixes (compilation, backport from 0.3.5.3-alpha):
    - Fix compilation on ARM (and other less-used CPUs) when compiling
      with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.

  o Major bugfixes (mainloop, bootstrap, backport from 0.3.5.3-alpha):
    - Make sure Tor bootstraps and works properly if only the
      ControlPort is set. Prior to this fix, Tor would only bootstrap
      when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel
      port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.

  o Major bugfixes (relay, backport from 0.3.5.3-alpha):
    - When our write bandwidth limit is exhausted, stop writing on the
      connection. Previously, we had a typo in the code that would make
      us stop reading instead, leading to relay connections being stuck
      indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix
      on 0.3.4.1-alpha.

  o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
    - Fix a use-after-free error that could be caused by passing Tor an
      impossible set of options that would fail during options_act().
      Fixes bug 27708; bugfix on 0.3.3.1-alpha.

  o Minor features (continuous integration, backport from 0.3.5.1-alpha):
    - Don't do a distcheck with --disable-module-dirauth in Travis.
      Implements ticket 27252.
    - Only run one online rust build in Travis, to reduce network
      errors. Skip offline rust builds on Travis for Linux gcc, because
      they're redundant. Implements ticket 27252.
    - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
      duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
      Linux with default settings, because all the non-default builds
      use gcc on Linux. Implements ticket 27252.

  o Minor features (continuous integration, backport from 0.3.5.3-alpha):
    - Use the Travis Homebrew addon to install packages on macOS during
      Travis CI. The package list is the same, but the Homebrew addon
      does not do a `brew update` by default. Implements ticket 27738.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2
      Country database. Closes ticket 27991.

  o Minor bugfixes (32-bit OSX and iOS, timing, backport from 0.3.5.2-alpha):
    - Fix an integer overflow bug in our optimized 32-bit millisecond-
      difference algorithm for 32-bit Apple platforms. Previously, it
      would overflow when calculating the difference between two times
      more than 47 days apart. Fixes part of bug 27139; bugfix
      on 0.3.4.1-alpha.
    - Improve the precision of our 32-bit millisecond difference
      algorithm for 32-bit Apple platforms. Fixes part of bug 27139;
      bugfix on 0.3.4.1-alpha.
    - Relax the tolerance on the mainloop/update_time_jumps test when
      running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix
      on 0.3.4.1-alpha.

  o Minor bugfixes (C correctness, to appear in 0.3.5.4-alpha):
    - Avoid undefined behavior in an end-of-string check when parsing
      the BEGIN line in a directory object. Fixes bug 28202; bugfix
      on 0.2.0.3-alpha.

  o Minor bugfixes (CI, appveyor, to appear in 0.3.5.4-alpha):
    - Only install the necessary mingw packages during our appveyor
      builds. This change makes the build a little faster, and prevents
      a conflict with a preinstalled mingw openssl that appveyor now
      ships. Fixes bugs 27943 and 27765; bugfix on 0.3.4.2-alpha.

  o Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
    - Rewrite our assertion macros so that they no longer suppress the
      compiler's -Wparentheses warnings. Fixes bug 27709; bugfix

  o Minor bugfixes (continuous integration, backport from 0.3.5.1-alpha):
    - Stop reinstalling identical packages in our Windows CI. Fixes bug
      27464; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (directory authority, to appear in 0.3.5.4-alpha):
    - Log additional info when we get a relay that shares an ed25519 ID
      with a different relay, instead making a BUG() warning. Fixes bug
      27800; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (directory connection shutdown, backport from 0.3.5.1-alpha):
    - Avoid a double-close when shutting down a stalled directory
      connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (HTTP tunnel, backport from 0.3.5.1-alpha):
    - Fix a bug warning when closing an HTTP tunnel connection due to an
      HTTP request we couldn't handle. Fixes bug 26470; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
    - Ensure circuitmux queues are empty before scheduling or sending
      padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
    - When the onion service directory can't be created or has the wrong
      permissions, do not log a stack trace. Fixes bug 27335; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
    - Close all SOCKS request (for the same .onion) if the newly fetched
      descriptor is unusable. Before that, we would close only the first
      one leaving the other hanging and let to time out by themselves.
      Fixes bug 27410; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
    - When selecting a v3 rendezvous point, don't only look at the
      protover, but also check whether the curve25519 onion key is
      present. This way we avoid picking a relay that supports the v3
      rendezvous but for which we don't have the microdescriptor. Fixes
      bug 27797; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (protover, backport from 0.3.5.3-alpha):
    - Reject protocol names containing bytes other than alphanumeric
      characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
      on 0.2.9.4-alpha.

  o Minor bugfixes (rust, backport from 0.3.5.1-alpha):
    - Compute protover votes correctly in the rust version of the
      protover code. Previously, the protover rewrite in 24031 allowed
      repeated votes from the same voter for the same protocol version
      to be counted multiple times in protover_compute_vote(). Fixes bug
      27649; bugfix on 0.3.3.5-rc.
    - Reject protover names that contain invalid characters. Fixes bug
      27687; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (rust, backport from 0.3.5.2-alpha):
    - protover_all_supported() would attempt to allocate up to 16GB on
      some inputs, leading to a potential memory DoS. Fixes bug 27206;
      bugfix on 0.3.3.5-rc.

  o Minor bugfixes (rust, directory authority, to appear in 0.3.5.4-alpha):
    - Fix an API mismatch in the rust implementation of
      protover_compute_vote(). This bug could have caused crashes on any
      directory authorities running Tor with Rust (which we do not yet
      recommend). Fixes bug 27741; bugfix on 0.3.3.6.

  o Minor bugfixes (rust, to appear in 0.3.5.4-alpha):
    - Fix a potential null dereference in protover_all_supported(). Add
      a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
    - Return a string that can be safely freed by C code, not one
      created by the rust allocator, in protover_all_supported(). Fixes
      bug 27740; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (testing, backport from 0.3.5.1-alpha):
    - If a unit test running in a subprocess exits abnormally or with a
      nonzero status code, treat the test as having failed, even if the
      test reported success. Without this fix, memory leaks don't cause
      the tests to fail, even with LeakSanitizer. Fixes bug 27658;
      bugfix on 0.2.2.4-alpha.

  o Minor bugfixes (testing, backport from 0.3.5.3-alpha):
    - Make the hs_service tests use the same time source when creating
      the introduction point and when testing it. Now tests work better
      on very slow systems like ARM or Travis. Fixes bug 27810; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (testing, to appear in 0.3.5.4-alpha):
    - Treat backtrace test failures as expected on BSD-derived systems
      (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
      (FreeBSD failures have been treated as expected since 18204 in
      0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.


1455
1456
Changes in version 0.3.5.3-alpha - 2018-10-17
  Tor 0.3.5.3-alpha fixes several bugs, mostly from previous 0.3.5.x
Nick Mathewson's avatar
Nick Mathewson committed
1457
1458
1459
1460
  versions. One important fix for relays addresses a problem with rate-
  limiting code from back in 0.3.4.x: If the fix works out, we'll be
  backporting it soon. This release is still an alpha, but we hope it's
  getting closer and closer to stability.
1461

Nick Mathewson's avatar
Nick Mathewson committed
1462
1463
1464
1465
1466
1467
  o Major features (onion services):
    - Version 3 onion services can now use the per-service
      HiddenServiceExportCircuitID option to differentiate client
      circuits. It communicates with the service by using the HAProxy
      protocol to assign virtual IP addresses to inbound client
      circuits. Closes ticket 4700. Patch by Mahrud Sayrafi.
Nick Mathewson's avatar
Nick Mathewson committed
1468

1469
  o Major bugfixes (compilation):
Nick Mathewson's avatar
Nick Mathewson committed
1470
1471
    - Fix compilation on ARM (and other less-used CPUs) when compiling
      with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.
1472
1473

  o Major bugfixes (initialization, crash):
Nick Mathewson's avatar
Nick Mathewson committed
1474
1475
1476
    - Fix an assertion crash that would stop Tor from starting up if it
      tried to activate a periodic event too early. Fixes bug 27861;
      bugfix on 0.3.5.1-alpha.
1477
1478

  o Major bugfixes (mainloop, bootstrap):
Nick Mathewson's avatar
Nick Mathewson committed
1479
1480
1481
1482
    - Make sure Tor bootstraps and works properly if only the
      ControlPort is set. Prior to this fix, Tor would only bootstrap
      when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel
      port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.
1483

Nick Mathewson's avatar
Nick Mathewson committed
1484
1485
1486
1487
1488
1489
1490
  o Major bugfixes (relay):
    - When our write bandwidth limit is exhausted, stop writing on the
      connection. Previously, we had a typo in the code that would make
      us stop reading instead, leading to relay connections being stuck
      indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix
      on 0.3.4.1-alpha.

1491
1492
  o Minor features (continuous integration):
    - Use the Travis Homebrew addon to install packages on macOS during
Nick Mathewson's avatar
Nick Mathewson committed
1493
1494
      Travis CI. The package list is the same, but the Homebrew addon
      does not do a `brew update` by default. Implements ticket 27738.
1495
    - Report what program produced the mysterious core file that we
Nick Mathewson's avatar
Nick Mathewson committed
1496
      occasionally see on Travis CI during make distcheck. Closes
1497
1498
1499
1500
1501
1502
1503
      ticket 28024.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2
      Country database. Closes ticket 27991.

  o Minor bugfixes (code safety):
Nick Mathewson's avatar
Nick Mathewson committed
1504
    - Rewrite our assertion macros so that they no longer suppress the
Nick Mathewson's avatar
Nick Mathewson committed
1505
1506
      compiler's -Wparentheses warnings. Fixes bug 27709; bugfix
      on 0.0.6.
1507
1508
1509

  o Minor bugfixes (compilation):
    - Compile the ed25519-donna code with a correct declaration of
Nick Mathewson's avatar
Nick Mathewson committed
1510
1511
1512
      crypto_strongest_rand(). Previously, we built it with one type,
      but linked it against another in the unit tests, which caused
      compilation failures with LTO enabled. This could have caused
Nick Mathewson's avatar
Nick Mathewson committed
1513
1514
      other undefined behavior in the tests. Fixes bug 27728; bugfix
      on 0.3.5.1-alpha.
1515
1516

  o Minor bugfixes (compilation, netbsd):
Nick Mathewson's avatar
Nick Mathewson committed
1517
1518
1519
1520
    - Add a missing include back into procmon.c. Fixes bug 27990; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (continuous integration, appveyor):
1521
    - Install only the necessary mingw packages during our appveyor
Nick Mathewson's avatar
Nick Mathewson committed
1522
1523
      builds. This change makes the build a little faster, and prevents
      a conflict with a preinstalled mingw openssl that appveyor now
1524
      ships. Fixes bugs 27765 and 27943; bugfix on 0.3.4.2-alpha.
1525
1526
1527
1528
1529

  o Minor bugfixes (directory permissions):
    - When a user requests a group-readable DataDirectory, give it to
      them. Previously, when the DataDirectory and the CacheDirectory
      were the same, the default setting (0) for
Nick Mathewson's avatar
Nick Mathewson committed
1530
      CacheDirectoryGroupReadable would override the setting for
Nick Mathewson's avatar
Nick Mathewson committed
1531
1532
      DataDirectoryGroupReadable. Fixes bug 26913; bugfix
      on 0.3.3.1-alpha.
1533
1534

  o Minor bugfixes (memory leaks):
Nick Mathewson's avatar
Nick Mathewson committed
1535
1536
    - Fix a small memory leak when calling Tor with --dump-config. Fixes
      bug 27893; bugfix on 0.3.2.1-alpha.
1537
1538

  o Minor bugfixes (networking):
Nick Mathewson's avatar
Nick Mathewson committed
1539
    - In retry_listeners_ports(), make sure that we're removing a member
Nick Mathewson's avatar
Nick Mathewson committed
1540
1541
1542
1543
1544
1545
1546
      of old_conns smartlist at most once. Fixes bug 27808; bugfix
      on 0.3.5.1-alpha.
    - Refrain from attempting socket rebinding when old and new
      listeners are in different address families. Fixes bug 27928;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (onion service v3):
Nick Mathewson's avatar
Nick Mathewson committed
1547
1548
1549
    - Stop dumping a stack trace when trying to connect to an intro
      point without having a descriptor for it. Fixes bug 27774; bugfix
      on 0.3.2.1-alpha.
1550
    - Don't warn so loudly when Tor is unable to decode an onion
Nick Mathewson's avatar
Nick Mathewson committed
1551
1552
      descriptor. This can now happen as a normal use case if a client
      gets a descriptor with client authorization but the client is not
Nick Mathewson's avatar
Nick Mathewson committed
1553
      authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha.
Nick Mathewson's avatar
Nick Mathewson committed
1554
1555
1556
    - When selecting a v3 rendezvous point, don't only look at the
      protover, but also check whether the curve25519 onion key is
      present. This way we avoid picking a relay that supports the v3
Nick Mathewson's avatar
Nick Mathewson committed
1557
1558
      rendezvous but for which we don't have the microdescriptor. Fixes
      bug 27797; bugfix on 0.3.2.1-alpha.
1559
1560

  o Minor bugfixes (protover):
Nick Mathewson's avatar
Nick Mathewson committed
1561
1562
1563
    - Reject protocol names containing bytes other than alphanumeric
      characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
      on 0.2.9.4-alpha.
1564
1565

  o Minor bugfixes (testing):
Nick Mathewson's avatar
Nick Mathewson committed
1566
1567
1568
1569
    - Make the hs_service tests use the same time source when creating
      the introduction point and when testing it. Now tests work better
      on very slow systems like ARM or Travis. Fixes bug 27810; bugfix
      on 0.3.2.1-alpha.
1570
1571
    - In test_rebind.py, check if the Python version is in the supported
      range. Fixes bug 27675; bugfix on 0.3.5.1-alpha.
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582

  o Code simplification and refactoring:
    - Divide more large Tor source files -- especially ones that span
      multiple areas of functionality -- into smaller parts, including
      onion.c and main.c. Closes ticket 26747.
    - Divide the "routerparse.c" module into separate modules for each
      group of parsed objects. Closes ticket 27924.
    - Move protover_rust.c to the same place protover.c was moved to.
      Closes ticket 27814.
    - Split directory.c into separate pieces for client, server, and
      common functionality. Closes ticket 26744.
Nick Mathewson's avatar
Nick Mathewson committed
1583
1584
1585
1586
    - Split the non-statistics-related parts from the rephist.c and
      geoip.c modules. Closes ticket 27892.
    - Split the router.c file into relay-only and shared components, to
      help with future modularization. Closes ticket 27864.
1587
1588

  o Documentation:
Nick Mathewson's avatar
Nick Mathewson committed
1589
1590
    - In the tor-resolve(1) manpage, fix the reference to socks-
      extensions.txt by adding a web URL. Resolves ticket 27853.
Nick Mathewson's avatar
Nick Mathewson committed
1591
1592
    - Mention that we require Python to be 2.7 or newer for some
      integration tests that we ship with Tor. Resolves ticket 27677.
1593
1594


Nick Mathewson's avatar
Nick Mathewson committed
1595
Changes in version 0.3.5.2-alpha - 2018-09-21
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
  Tor 0.3.5.2-alpha fixes several bugs in 0.3.5.1-alpha, including one
  that made Tor think it had run out of sockets. Anybody running a relay
  or an onion service on 0.3.5.1-alpha should upgrade.

  o Major bugfixes (relay bandwidth statistics):
    - When we close relayed circuits, report the data in the circuit
      queues as being written in our relay bandwidth stats. This
      mitigates guard discovery and other attacks that close circuits
      for the explicit purpose of noticing this discrepancy in
      statistics. Fixes bug 23512; bugfix on 0.0.8pre3.

  o Major bugfixes (socket accounting):
    - In our socket accounting code, count a socket as closed even when
      it is closed indirectly by the TLS layer. Previously, we would
      count these sockets as still in use, and incorrectly believe that
      we had run out of sockets. Fixes bug 27795; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (32-bit OSX and iOS, timing):
    - Fix an integer overflow bug in our optimized 32-bit millisecond-
      difference algorithm for 32-bit Apple platforms. Previously, it
      would overflow when calculating the difference between two times
      more than 47 days apart. Fixes part of bug 27139; bugfix
      on 0.3.4.1-alpha.
    - Improve the precision of our 32-bit millisecond difference
      algorithm for 32-bit Apple platforms. Fixes part of bug 27139;
      bugfix on 0.3.4.1-alpha.
    - Relax the tolerance on the mainloop/update_time_jumps test when
      running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix
      on 0.3.4.1-alpha.

  o Minor bugfixes (onion service v3):
    - Close all SOCKS request (for the same .onion) if the newly fetched
      descriptor is unusable. Before that, we would close only the first
      one leaving the other hanging and let to time out by themselves.
      Fixes bug 27410; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (memory leak):
    - Fix an unlikely memory leak when trying to read a private key from
      a ridiculously large file. Fixes bug 27764; bugfix on
      0.3.5.1-alpha. This is CID 1439488.

  o Minor bugfixes (NSS):
    - Correctly detect failure to open a dummy TCP socket when stealing
      ownership of an fd from the NSS layer. Fixes bug 27782; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (rust):
    - protover_all_supported() would attempt to allocate up to 16GB on
      some inputs, leading to a potential memory DoS. Fixes bug 27206;
      bugfix on 0.3.3.5-rc.

  o Minor bugfixes (testing):
    - Revise the "conditionvar_timeout" test so that it succeeds even on
      heavily loaded systems where the test threads are not scheduled
      within 200 msec. Fixes bug 27073; bugfix on 0.2.6.3-alpha.

  o Code simplification and refactoring:
    - Divide the routerlist.c and dirserv.c modules into smaller parts.
      Closes ticket 27799.


Nick Mathewson's avatar
Nick Mathewson committed
1658
Changes in version 0.3.5.1-alpha - 2018-09-18
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
  Tor 0.3.5.1-alpha is the first release of the 0.3.5.x series. It adds
  client authorization for modern (v3) onion services, improves
  bootstrap reporting, begins reorganizing Tor's codebase, adds optional
  support for NSS in place of OpenSSL, and much more.

  o Major features (onion services, UI change):
    - For a newly created onion service, the default version is now 3.
      Tor still supports existing version 2 services, but the operator
      now needs to set "HiddenServiceVersion 2" in order to create a new
      version 2 service. For existing services, Tor now learns the
      version by reading the key file. Closes ticket 27215.

  o Major features (relay, UI change):
    - Relays no longer run as exits by default. If the "ExitRelay"
      option is auto (or unset), and no exit policy is specified with
      ExitPolicy or ReducedExitPolicy, we now treat ExitRelay as 0.
      Previously in this case, we allowed exit traffic and logged a
      warning message. Closes ticket 21530. Patch by Neel Chauhan.
1677
1678
    - Tor now validates that the ContactInfo config option is valid UTF-
      8 when parsing torrc. Closes ticket 27428.
1679

1680
  o Major features (bootstrap):
1681
1682
1683
1684
    - Don't report directory progress until after a connection to a
      relay or bridge has succeeded. Previously, we'd report 80%
      progress based on cached directory information when we couldn't
      even connect to the network. Closes ticket 27169.
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698

  o Major features (new code layout):
    - Nearly all of Tor's source code has been moved around into more
      logical places. The "common" directory is now divided into a set
      of libraries in "lib", and files in the "or" directory have been
      split into "core" (logic absolutely needed for onion routing),
      "feature" (independent modules in Tor), and "app" (to configure
      and invoke the rest of Tor). See doc/HACKING/CodeStructure.md for
      more information. Closes ticket 26481.

      This refactoring is not complete: although the libraries have been
      refactored to be acyclic, the main body of Tor is still too
      interconnected. We will attempt to improve this in the future.

1699
  o Major features (onion services v3):
1700
1701
1702
1703
1704
    - Implement onion service client authorization at the descriptor
      level: only authorized clients can decrypt a service's descriptor
      to find out how to contact it. A new torrc option was added to
      control this client side: ClientOnionAuthDir <path>. On the
      service side, if the "authorized_clients/" directory exists in the
Nick Mathewson's avatar
Nick Mathewson committed
1705
      onion service directory path, client configurations are read from
1706
1707
      the files within. See the manpage for more details. Closes ticket
      27547. Patch done by Suphanat Chunhapanya (haxxpop).
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
    - Improve revision counter generation in next-gen onion services.
      Onion services can now scale by hosting multiple instances on
      different hosts without synchronization between them, which was
      previously impossible because descriptors would get rejected by
      HSDirs. Addresses ticket 25552.

  o Major features (portability, cryptography, experimental, TLS):
    - Tor now has the option to compile with the NSS library instead of
      OpenSSL. This feature is experimental, and we expect that bugs may
      remain. It is mainly intended for environments where Tor's
      performance is not CPU-bound, and where NSS is already known to be
      installed. To try it out, configure Tor with the --enable-nss
1720
1721
1722
1723
      flag. Closes tickets 26631, 26815, and 26816.

      If you are experimenting with this option and using an old cached
      consensus, Tor may fail to start. To solve this, delete your
1724
1725
      "cached-consensus" and "cached-microdesc-consensus" files,
      (if present), and restart Tor.
1726
1727

  o Major bugfixes (directory authority):
1728
1729
    - Actually check that the address we get from DirAuthority
      configuration line is valid IPv4. Explicitly disallow DirAuthority
Nick Mathewson's avatar
Nick Mathewson committed
1730
      address to be a DNS hostname. Fixes bug 26488; bugfix
1731
      on 0.1.2.10-rc.
1732
1733
1734
1735
1736
1737
1738

  o Major bugfixes (restart-in-process):
    - Fix a use-after-free error that could be caused by passing Tor an
      impossible set of options that would fail during options_act().
      Fixes bug 27708; bugfix on 0.3.3.1-alpha.

  o Minor features (admin tools):
1739
1740
1741
    - Add a new --key-expiration option to print the expiration date of
      the signing cert in an ed25519_signing_cert file. Resolves
      issue 19506.
1742
1743
1744
1745

  o Minor features (build):
    - If you pass the "--enable-pic" option to configure, Tor will try
      to tell the compiler to build position-independent code suitable
1746
1747
      to link into a dynamic library. (The default remains -fPIE, for
      code suitable for a relocatable executable.) Closes ticket 23846.
1748
1749
1750
1751
1752
1753
1754
1755

  o Minor features (code correctness, testing):
    - Tor's build process now includes a "check-includes" make target to
      verify that no module of Tor relies on any headers from a higher-
      level module. We hope to use this feature over time to help
      refactor our codebase. Closes ticket 26447.

  o Minor features (code layout):
1756
1757
    - We have a new "lowest-level" error-handling API for use by code
      invoked from within the logging module. With this interface, the
1758
      logging code is no longer at risk of calling into itself if a
1759
1760
      failure occurs while it is trying to log something. Closes
      ticket 26427.
1761
1762
1763
1764
1765
1766
1767
1768

  o Minor features (compilation):
    - Tor's configure script now supports a --with-malloc= option to
      select your malloc implementation. Supported options are
      "tcmalloc", "jemalloc", "openbsd" (deprecated), and "system" (the
      default). Addresses part of ticket 20424. Based on a patch from
      Alex Xu.

1769
  o Minor features (config):
1770
    - The "auto" keyword in torrc is now case-insensitive. Closes
1771
1772
      ticket 26663.

1773
1774
1775
1776
1777
1778
1779
1780
  o Minor features (continuous integration):
    - Don't do a distcheck with --disable-module-dirauth in Travis.
      Implements ticket 27252.
    - Install libcap-dev and libseccomp2-dev so these optional
      dependencies get tested on Travis CI. Closes ticket 26560.
    - Only run one online rust build in Travis, to reduce network
      errors. Skip offline rust builds on Travis for Linux gcc, because
      they're redundant. Implements ticket 27252.
1781
1782
1783
1784
    - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
      duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
      Linux with default settings, because all the non-default builds
      use gcc on Linux. Implements ticket 27252.
1785
1786
1787
1788
1789
1790
1791
1792
1793

  o Minor features (controller):
    - Emit CIRC_BW events as soon as we detect that we processed an
      invalid or otherwise dropped cell on a circuit. This allows
      vanguards and other controllers to react more quickly to dropped
      cells. Closes ticket 27678.
    - For purposes of CIRC_BW-based dropped cell detection, track half-
      closed stream ids, and allow their ENDs, SENDMEs, DATA and path
      bias check cells to arrive without counting it as dropped until
Nick Mathewson's avatar
Nick Mathewson committed
1794
      either the END arrives, or the windows are empty. Closes
1795
      ticket 25573.
1796
    - Implement a 'GETINFO md/all' controller command to enable getting
Nick Mathewson's avatar
Nick Mathewson committed
1797
      all known microdescriptors. Closes ticket 8323.
1798
1799
1800
1801
1802
1803
    - The GETINFO command now support an "uptime" argument, to return
      Tor's uptime in seconds. Closes ticket 25132.

  o Minor features (denial-of-service avoidance):
    - Make our OOM handler aware of the DNS cache so that it doesn't
      fill up the memory. This check is important for our DoS mitigation
Nick Mathewson's avatar
Nick Mathewson committed
1804
      subsystem. Closes ticket 18642. Patch by Neel Chauhan.
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824

  o Minor features (development):
    - Tor's makefile now supports running the "clippy" Rust style tool
      on our Rust code. Closes ticket 22156.

  o Minor features (directory authority):
    - There is no longer an artificial upper limit on the length of
      bandwidth lines. Closes ticket 26223.
    - When a bandwidth file is used to obtain the bandwidth measurements,
      include this bandwidth file headers in the votes. Closes
      ticket 3723.
    - Improved support for networks with only a single authority or a
      single fallback directory. Patch from Gabriel Somlo. Closes
      ticket 25928.

  o Minor features (embedding API):
    - The Tor controller API now supports a function to launch Tor with
      a preconstructed owning controller FD, so that embedding
      applications don't need to manage controller ports and
      authentication. Closes ticket 24204.
1825
1826
1827
    - The Tor controller API now has a function that returns the name
      and version of the backend implementing the API. Closes
      ticket 26947.
1828
1829
1830
1831
1832
1833

  o Minor features (geoip):
    - Update geoip and geoip6 to the September 6 2018 Maxmind GeoLite2
      Country database. Closes ticket 27631.

  o Minor features (memory management):
1834
1835
1836
    - Get Libevent to use the same memory allocator as Tor, by calling
      event_set_mem_functions() during initialization. Resolves
      ticket 8415.
1837
1838
1839
1840
1841
1842

  o Minor features (memory usage):
    - When not using them, store legacy TAP public onion keys in DER-
      encoded format, rather than as expanded public keys. This should
      save several megabytes on typical clients. Closes ticket 27246.

1843
1844
  o Minor features (OpenSSL):
    - When possible, use RFC5869 HKDF implementation from OpenSSL rather
Nick Mathewson's avatar
Nick Mathewson committed
1845
      than our own. Resolves ticket 19979.
1846

1847
  o Minor features (Rust, code quality):
1848
    - Improve rust code quality in the rust protover implementation by
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
      making it more idiomatic. Includes changing an internal API to
      take &str instead of &String. Closes ticket 26492.

  o Minor features (testing):
    - Add scripts/test/chutney-git-bisect.sh, for bisecting using
      chutney. Implements ticket 27211.

  o Minor features (tor-resolve):
    - The tor-resolve utility can now be used with IPv6 SOCKS proxies.
      Side-effect of the refactoring for ticket 26526.

  o Minor features (UI):
    - Log each included configuration file or directory as we read it,
      to provide more visibility about where Tor is reading from. Patch
      from Unto Sten; closes ticket 27186.
Nick Mathewson's avatar
Nick Mathewson committed
1864
    - Lower log level of "Scheduler type KIST has been enabled" to INFO.
1865
      Closes ticket 26703.
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883

  o Minor bugfixes (bootstrap):
    - Try harder to get descriptors in non-exit test networks, by using
      the mid weight for the third hop when there are no exits. Fixes
      bug 27237; bugfix on 0.2.6.2-alpha.

  o Minor bugfixes (C correctness):
    - Avoid casting smartlist index to int implicitly, as it may trigger
      a warning (-Wshorten-64-to-32). Fixes bug 26282; bugfix on
      0.2.3.13-alpha, 0.2.7.1-alpha and 0.2.1.1-alpha.
    - Use time_t for all values in
      predicted_ports_prediction_time_remaining(). Rework the code that
      computes difference between durations/timestamps. Fixes bug 27165;
      bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (client, memory usage):
    - When not running as a directory cache, there is no need to store
      the text of the current consensus networkstatus in RAM.
1884
      Previously, however, clients would store it anyway, at a cost of
1885
1886
1887
1888
      over 5 MB. Now, they do not. Fixes bug 27247; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (client, reachableaddresses):
Nick Mathewson's avatar
Nick Mathewson committed
1889
    - Instead of adding a "reject *:*" line to ReachableAddresses when
1890
1891
1892
      loading the configuration, add one to the policy after parsing it
      in parse_reachable_addresses(). This prevents extra "reject *.*"
      lines from accumulating on reloads. Fixes bug 20874; bugfix on
1893
      0.1.1.5-alpha. Patch by Neel Chauhan.
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929

  o Minor bugfixes (code quality):
    - Rename sandbox_getaddrinfo() and other functions to no longer
      misleadingly suggest that they are sandbox-only. Fixes bug 26525;
      bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (configuration, Onion Services):
    - In rend_service_parse_port_config(), disallow any input to remain
      after address-port pair was parsed. This will catch address and
      port being whitespace-separated by mistake of the user. Fixes bug
      27044; bugfix on 0.2.9.10.

  o Minor bugfixes (continuous integration):
    - Stop reinstalling identical packages in our Windows CI. Fixes bug
      27464; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (controller):
    - Consider all routerinfo errors other than "not a server" to be
      transient for the purpose of "GETINFO exit-policy/*" controller
      request. Print stacktrace in the unlikely case of failing to
      recompute routerinfo digest. Fixes bug 27034; bugfix
      on 0.3.4.1-alpha.

  o Minor bugfixes (directory connection shutdown):
    - Avoid a double-close when shutting down a stalled directory
      connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (HTTP tunnel):
    - Fix a bug warning when closing an HTTP tunnel connection due to an
      HTTP request we couldn't handle. Fixes bug 26470; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (ipv6):
    - In addrs_in_same_network_family(), we choose the subnet size based
      on the IP version (IPv4 or IPv6). Previously, we chose a fixed
      subnet size of /16 for both IPv4 and IPv6 addresses. Fixes bug
1930
      15518; bugfix on 0.2.3.1-alpha. Patch by Neel Chauhan.
1931
1932
1933
1934
1935
1936

  o Minor bugfixes (logging):
    - As a precaution, do an early return from log_addr_has_changed() if
      Tor is running as client. Also, log a stack trace for debugging as
      this function should only be called when Tor runs as server. Fixes
      bug 26892; bugfix on 0.1.1.9-alpha.
1937
1938
    - Refrain from mentioning bug 21018 in the logs, as it is already
      fixed. Fixes bug 25477; bugfix on 0.2.9.8.
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949

  o Minor bugfixes (logging, documentation):
    - When SafeLogging is enabled, scrub IP address in
      channel_tls_process_netinfo_cell(). Also, add a note to manpage
      that scrubbing is not guaranteed on loglevels below Notice. Fixes
      bug 26882; bugfix on 0.2.4.10-alpha.

  o Minor bugfixes (netflow padding):
    - Ensure circuitmux queues are empty before scheduling or sending
      padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.

1950
  o Minor bugfixes (onion service v2):
1951
1952
1953
    - Log at level "info", not "warning", in the case that we do not
      have a consensus when a .onion request comes in. This can happen
      normally while bootstrapping. Fixes bug 27040; bugfix
1954
1955
1956
      on 0.2.8.2-alpha.

  o Minor bugfixes (onion service v3):
1957
1958
1959
    - When the onion service directory can't be created or has the wrong
      permissions, do not log a stack trace. Fixes bug 27335; bugfix
      on 0.3.2.1-alpha.
1960

1961
  o Minor bugfixes (OS compatibility):
1962
1963
1964
1965
    - Properly handle configuration changes that move a listener to/from
      wildcard IP address. If the first attempt to bind a socket fails,
      close the old listener and try binding the socket again. Fixes bug
      17873; bugfix on 0.0.8pre-1.
1966
1967
1968
1969
1970
1971
1972
1973

  o Minor bugfixes (performance)::
    - Rework node_is_a_configured_bridge() to no longer call
      node_get_all_orports(), which was performing too many memory
      allocations. Fixes bug 27224; bugfix on 0.2.3.9.

  o Minor bugfixes (relay statistics):
    - Update relay descriptor on bandwidth changes only when the uptime
1974
      is smaller than 24h, in order to reduce the efficiency of guard
1975
1976
      discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.

1977
  o Minor bugfixes (relays):
1978
1979
1980
1981
    - Consider the fact that we'll be making direct connections to our
      entry and guard nodes when computing the fraction of nodes that
      have their descriptors. Also, if we are using bridges and there is
      at least one bridge with a full descriptor, treat the fraction of
1982
      guards available as 100%. Fixes bug 25886; bugfix on 0.2.4.10-alpha.
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
      Patch by Neel Chauhan.
    - Update the message logged on relays when DirCache is disabled.
      Since 0.3.3.5-rc, authorities require DirCache (V2Dir) for the
      Guard flag. Fixes bug 24312; bugfix on 0.3.3.5-rc.

  o Minor bugfixes (rust, protover):
    - Compute protover votes correctly in the rust version of the
      protover code. Previously, the protover rewrite in 24031 allowed
      repeated votes from the same voter for the same protocol version
      to be counted multiple times in protover_compute_vote(). Fixes bug
      27649; bugfix on 0.3.3.5-rc.
    - Reject protover names that contain invalid characters. Fixes bug
1995
1996
1997
1998
1999
2000
2001
2002
      27687; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (testing):
    - Fix two unit tests to work when HOME environment variable is not
      set. Fixes bug 27096; bugfix on 0.2.8.1-alpha.
    - If a unit test running in a subprocess exits abnormally or with a
      nonzero status code, treat the test as having failed, even if the
      test reported success. Without this fix, memory leaks don't cause
Nick Mathewson's avatar
Nick Mathewson committed
2003
      the tests to fail, even with LeakSanitizer. Fixes bug 27658;
2004
2005
2006
2007
      bugfix on 0.2.2.4-alpha.
    - When logging a version mismatch in our openssl_version tests,
      report the actual offending version strings. Fixes bug 26152;
      bugfix on 0.2.9.1-alpha.
2008
2009
    - Fix forking tests on Windows when there is a space somewhere in
      the path. Fixes bug 26437; bugfix on 0.2.2.4-alpha.
2010
2011

  o Code simplification and refactoring:
Nick Mathewson's avatar
Nick Mathewson committed
2012
2013
    - 'updateFallbackDirs.py' now ignores the blacklist file, as it's not
      longer needed. Closes ticket 26502.
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
    - Include paths to header files within Tor are now qualified by
      directory within the top-level src directory.
    - Many structures have been removed from the centralized "or.h"
      header, and moved into their own headers. This will allow us to
      reduce the number of places in the code that rely on each
      structure's contents and layout. Closes ticket 26383.
    - Remove ATTR_NONNULL macro from codebase. Resolves ticket 26527.
    - Remove GetAdaptersAddresses_fn_t. The code that used it was
      removed as part of the 26481 refactor. Closes ticket 27467.
    - Rework Tor SOCKS server code to use Trunnel and benefit from
      autogenerated functions for parsing and generating SOCKS wire
      format. New implementation is cleaner, more maintainable and
      should be less prone to heartbleed-style vulnerabilities.
      Implements a significant fraction of ticket 3569.
    - Split sampled_guards_update_from_consensus() and
      select_entry_guard_for_circuit() into subfunctions. In
      entry_guards_update_primary() unite three smartlist enumerations
      into one and move smartlist comparison code out of the function.
      Closes ticket 21349.
    - Tor now assumes that you have standards-conformant stdint.h and
      inttypes.h headers when compiling. Closes ticket 26626.
    - Unify our bloom filter logic. Previously we had two copies of this
      code: one for routerlist filtering, and one for address set
      calculations. Closes ticket 26510.
    - Use the simpler strcmpstart() helper in
      rend_parse_v2_service_descriptor instead of strncmp(). Closes
      ticket 27630.
    - Utility functions that can perform a DNS lookup are now wholly
      separated from those that can't, in separate headers and C
      modules. Closes ticket 26526.

  o Documentation:
2046
2047
    - Copy paragraph and URL to Tor's code of conduct document from
      CONTRIBUTING to new CODE_OF_CONDUCT file. Resolves ticket 26638.
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
    - Remove old instructions from INSTALL document. Closes ticket 26588.
    - Warn users that they should not include MyFamily line(s) in their
      torrc when running Tor bridge. Closes ticket 26908.

  o Removed features:
    - Tor no longer supports building with the dmalloc library. For
      debugging memory issues, we suggest using gperftools or msan
      instead. Closes ticket 26426.
    - Tor no longer attempts to run on Windows environments without the
      GetAdaptersAddresses() function. This function has existed since
      Windows XP, which is itself already older than we support.
2059
2060
2061
2062
2063
2064
    - Remove Tor2web functionality for version 2 onion services. The
      Tor2webMode and Tor2webRendezvousPoints options are now obsolete.
      (This feature was never shipped in vanilla Tor and it was only
      possible to use this feature by building the support at compile
      time. Tor2webMode is not implemented for version 3 onion services.)
      Closes ticket 26367.
2065
2066


2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
Changes in version 0.2.9.17 - 2018-09-10
  Tor 0.2.9.17 backports numerous bugfixes from later versions of Tor.

  o Minor features (compatibility, backport from 0.3.4.8):
    - Tell OpenSSL to maintain backward compatibility with previous
      RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these
      ciphers are disabled by default. Closes ticket 27344.

  o Minor features (continuous integration, backport from 0.3.4.7-rc):
    - Enable macOS builds in our Travis CI configuration. Closes
      ticket 24629.
    - Install libcap-dev and libseccomp2-dev so these optional
      dependencies get tested on Travis CI. Closes ticket 26560.
    - Run asciidoc during Travis CI. Implements ticket 27087.
    - Use ccache in our Travis CI configuration. Closes ticket 26952.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 27089.

  o Minor bugfixes (compilation, backport from 0.3.4.6-rc):
    - When compiling with --enable-openbsd-malloc or --enable-tcmalloc,
      tell the compiler not to include the system malloc implementation.
      Fixes bug 20424; bugfix on 0.2.0.20-rc.

  o Minor bugfixes (compilation, backport from 0.3.4.7-rc):
    - Silence a spurious compiler warning on the GetAdaptersAddresses
      function pointer cast. This issue is already fixed by 26481 in
      0.3.5 and later, by removing the lookup and cast. Fixes bug 27465;
      bugfix on 0.2.3.11-alpha.
    - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not
      supported, and always fails. Some compilers warn about the
      function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix
      on 0.2.2.23-alpha.

  o Minor bugfixes (compilation, windows, backport from 0.3.4.7-rc):
    - Don't link or search for pthreads when building for Windows, even
      if we are using build environment (like mingw) that provides a
      pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (continuous integration, backport from 0.3.4.6-rc):
    - Skip a pair of unreliable key generation tests on Windows, until
      the underlying issue in bug 26076 is resolved. Fixes bug 26830 and
      bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively.

  o Minor bugfixes (continuous integration, backport from 0.3.4.7-rc):
    - Pass the module flags to distcheck configure, and log the flags
      before running configure. (Backported to 0.2.9 and later as a
      precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (continuous integration, backport from 0.3.4.8):
    - When a Travis build fails, and showing a log fails, keep trying to
      show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc.
    - When we use echo in Travis, don't pass a --flag as the first
      argument. Fixes bug 27418; bugfix on 0.3.4.7-rc.

  o Minor bugfixes (directory authority, backport from 0.3.4.6-rc):
    - When voting for recommended versions, make sure that all of the
      versions are well-formed and parsable. Fixes bug 26485; bugfix
      on 0.1.1.6-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.4.7-rc):
    - Fix a bug in out sandboxing rules for the openat() syscall.
      Previously, no openat() call would be permitted, which would break
      filesystem operations on recent glibc versions. Fixes bug 25440;
      bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto.

  o Minor bugfixes (onion services, backport from 0.3.4.8):
    - Silence a spurious compiler warning in
      rend_client_send_introduction(). Fixes bug 27463; bugfix
      on 0.1.1.2-alpha.

  o Minor bugfixes (single onion services, Tor2web, backport from 0.3.4.6-rc):
    - Log a protocol warning when single onion services or Tor2web clients
      fail to authenticate direct connections to relays.
      Fixes bug 26924; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (testing, backport from 0.3.4.6-rc):
    - Disable core dumps in test_bt.sh, to avoid failures in "make
      distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (testing, chutney, backport from 0.3.4.8):
    - Before running make test-network-all, delete old logs and test
      result files, to avoid spurious failures. Fixes bug 27295; bugfix
      on 0.2.7.3-rc.

  o Minor bugfixes (testing, openssl compatibility, backport from 0.3.4.7-rc):
    - Our "tortls/cert_matches_key" unit test no longer relies on
      OpenSSL internals. Previously, it relied on unsupported OpenSSL
      behavior in a way that caused it to crash with OpenSSL 1.0.2p.
      Fixes bug 27226; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (Windows, compilation, backport from 0.3.4.7-rc):
    - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug
      27185; bugfix on 0.2.2.2-alpha.


Changes in version 0.3.2.12 - 2018-09-10
  Tor 0.3.2.12 backport numerous fixes from later versions of Tor.

  o Minor features (compatibility, backport from 0.3.4.8):
    - Tell OpenSSL to maintain backward compatibility with previous
      RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these
      ciphers are disabled by default. Closes ticket 27344.

  o Minor features (continuous integration, backport from 0.3.4.7-rc):
    - Enable macOS builds in our Travis CI configuration. Closes
      ticket 24629.
    - Install libcap-dev and libseccomp2-dev so these optional
      dependencies get tested on Travis CI. Closes ticket 26560.
    - Run asciidoc during Travis CI. Implements ticket 27087.
    - Use ccache in our Travis CI configuration. Closes ticket 26952.

  o Minor features (continuous integration, rust, backport from 0.3.4.7-rc):
    - Use cargo cache in our Travis CI configuration. Closes
      ticket 26952.

  o Minor features (controller, backport from 0.3.4.6-rc):
    - The control port now exposes the list of HTTPTunnelPorts and
      ExtOrPorts via GETINFO net/listeners/httptunnel and
      net/listeners/extor respectively. Closes ticket 26647.

  o Minor features (directory authorities, backport from 0.3.4.7-rc):
    - Authorities no longer vote to make the subprotocol version
      "LinkAuth=1" a requirement: it is unsupportable with NSS, and
      hasn't been needed since Tor 0.3.0.1-alpha. Closes ticket 27286.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 27089.

  o Minor bugfixes (compilation, backport from 0.3.4.6-rc):
    - When compiling with --enable-openbsd-malloc or --enable-tcmalloc,
      tell the compiler not to include the system malloc implementation.
      Fixes bug 20424; bugfix on 0.2.0.20-rc.
    - Don't try to use a pragma to temporarily disable the
      -Wunused-const-variable warning if the compiler doesn't support
      it. Fixes bug 26785; bugfix on 0.3.2.11.

  o Minor bugfixes (compilation, backport from 0.3.4.7-rc):
    - Silence a spurious compiler warning on the GetAdaptersAddresses
      function pointer cast. This issue is already fixed by 26481 in
      0.3.5 and later, by removing the lookup and cast. Fixes bug 27465;
      bugfix on 0.2.3.11-alpha.
    - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not
      supported, and always fails. Some compilers warn about the
      function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix
      on 0.2.2.23-alpha.

  o Minor bugfixes (compilation, windows, backport from 0.3.4.7-rc):
    - Don't link or search for pthreads when building for Windows, even
      if we are using build environment (like mingw) that provides a
      pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (continuous integration, backport from 0.3.4.6-rc):
    - Skip a pair of unreliable key generation tests on Windows, until
      the underlying issue in bug 26076 is resolved. Fixes bug 26830 and
      bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively.

  o Minor bugfixes (continuous integration, backport from 0.3.4.7-rc):
    - Build with zstd on macOS. Fixes bug 27090; bugfix on 0.3.1.5-alpha.
    - Pass the module flags to distcheck configure, and log the flags
      before running configure. (Backported to 0.2.9 and later as a
      precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (continuous integration, backport from 0.3.4.8):
    - When a Travis build fails, and showing a log fails, keep trying to
      show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc.
    - When we use echo in Travis, don't pass a --flag as the first
      argument. Fixes bug 27418; bugfix on 0.3.4.7-rc.

  o Minor bugfixes (directory authority, backport from 0.3.4.6-rc):
    - When voting for recommended versions, make sure that all of the
      versions are well-formed and parsable. Fixes bug 26485; bugfix
      on 0.1.1.6-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.4.7-rc):
    - Fix a bug in out sandboxing rules for the openat() syscall.
      Previously, no openat() call would be permitted, which would break
      filesystem operations on recent glibc versions. Fixes bug 25440;
      bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto.

  o Minor bugfixes (logging, backport from 0.3.4.6-rc):
    - Improve the log message when connection initiators fail to
      authenticate direct connections to relays. Fixes bug 26927; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (onion services, backport from 0.3.4.7-rc):
    - Fix bug that causes services to not ever rotate their descriptors
      if they were getting SIGHUPed often. Fixes bug 26932; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion services, backport from 0.3.4.8):
    - Silence a spurious compiler warning in
      rend_client_send_introduction(). Fixes bug 27463; bugfix
      on 0.1.1.2-alpha.

  o Minor bugfixes (rust, backport from 0.3.4.7-rc):
    - Backport test_rust.sh from master. Fixes bug 26497; bugfix
      on 0.3.1.5-alpha.
    - Consistently use ../../.. as a fallback for $abs_top_srcdir in
      test_rust.sh. Fixes bug 27093; bugfix on 0.3.4.3-alpha.
    - Stop setting $CARGO_HOME. cargo will use the user's $CARGO_HOME, or
      $HOME/.cargo by default. Fixes bug 26497; bugfix on 0.3.1.5-alpha.

  o Minor bugfixes (single onion services, Tor2web, backport from 0.3.4.6-rc):
    - Log a protocol warning when single onion services or Tor2web clients
      fail to authenticate direct connections to relays.
      Fixes bug 26924; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (testing, backport from 0.3.4.6-rc):
    - Disable core dumps in test_bt.sh, to avoid failures in "make
      distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (testing, chutney, backport from 0.3.4.8):
    - When running make test-network-all, use the mixed+hs-v2 network.
      (A previous fix to chutney removed v3 onion services from the
      mixed+hs-v23 network, so seeing "mixed+hs-v23" in tests is
      confusing.) Fixes bug 27345; bugfix on 0.3.2.1-alpha.
    - Before running make test-network-all, delete old logs and test
      result files, to avoid spurious failures. Fixes bug 27295; bugfix
      on 0.2.7.3-rc.

  o Minor bugfixes (testing, openssl compatibility):
    - Our "tortls/cert_matches_key" unit test no longer relies on OpenSSL
      internals.  Previously, it relied on unsupported OpenSSL behavior in
      a way that caused it to crash with OpenSSL 1.0.2p. Fixes bug 27226;
      bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (testing, openssl compatibility, backport from 0.3.4.7-rc):
    - Our "tortls/cert_matches_key" unit test no longer relies on
      OpenSSL internals. Previously, it relied on unsupported OpenSSL
      behavior in a way that caused it to crash with OpenSSL 1.0.2p.
      Fixes bug 27226; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (Windows, compilation, backport from 0.3.4.7-rc):
    - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug
      27185; bugfix on 0.2.2.2-alpha.


Changes in version 0.3.3.10 - 2018-09-10
  Tor 0.3.3.10 backports numerous fixes from later versions of Tor.

  o Minor features (bug workaround, backport from 0.3.4.7-rc):
    - Compile correctly on systems that provide the C11 stdatomic.h
      header, but where C11 atomic functions don't actually compile.
      Closes ticket 26779; workaround for Debian issue 903709.

  o Minor features (compatibility, backport from 0.3.4.8):
    - Tell OpenSSL to maintain backward compatibility with previous
      RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these
      ciphers are disabled by default. Closes ticket 27344.<