ChangeLog 1.8 MB
Newer Older
1
Changes in version 0.4.5.1-alpha - 2020-10-30
Nick Mathewson's avatar
Nick Mathewson committed
2
3
  Tor 0.4.5.1-alpha is the first alpha release in the 0.4.5.x series. It
  improves support for IPv6, address discovery and self-testing, code
4
5
6
7
  metrics and tracing.

  Here are the changes since 0.4.4.5.

Nick Mathewson's avatar
Nick Mathewson committed
8
9
10
11
12
  - The "optimistic data" feature is now always on; there is no longer
  an option to disable it from the torrc file or from the consensus
  directory. Closes part of 40139. - The "usecreatefast" network
  parameter is now removed; there is no longer an option for authorities
  to turn it off. Closes part of 40139.
13
14

  o Major features (IPv6, relay):
Nick Mathewson's avatar
Nick Mathewson committed
15
16
17
18
19
    - The torrc option Address now supports IPv6. By doing so, we've
      also unified the interface to find our address to support IPv4,
      IPv6 and hostname. Closes ticket 33233.
    - Launch IPv4 and IPv6 ORPort self-test circuits on relays and
      bridges. Closes ticket 33222.
20
21

  o Major features (metrics):
Nick Mathewson's avatar
Nick Mathewson committed
22
23
24
25
    - Introduce a new MetricsPort which exposes, through an HTTP GET
      /metrics, a series of metrics that tor collects at runtime. At the
      moment, the only supported output format is Prometheus data model.
      Closes ticket 40063;
26
27

  o Major features (relay self-testing, IPv6):
Nick Mathewson's avatar
Nick Mathewson committed
28
29
30
31
    - Relays now track their IPv6 ORPort separately from the reachability
      of their IPv4 ORPort. They will not publish a descriptor unless
      _both_ ports appear to be externally reachable. Closes
      ticket 34067.
32
33

  o Major features (relay, IPv6):
Nick Mathewson's avatar
Nick Mathewson committed
34
35
    - Relays now automatically bind on IPv6 for their ORPort unless
      specified otherwise with the IPv4Only flag. Closes ticket 33246.
36
37
    - When a relay with IPv6 support opens a connection to another
      relay, and the extend cell lists both IPv4 and IPv6 addresses, the
Nick Mathewson's avatar
Nick Mathewson committed
38
      first relay now picks randomly which address to use. Closes
39
40
      ticket 33220.

Nick Mathewson's avatar
Nick Mathewson committed
41
42
43
44
45
46
47
  o Major features (tracing):
    - Add a tracing library with USDT and LTTng-UST support. Few
      tracepoints were added in the circuit subsystem. More will come
      incrementally. This feature is compiled out by default. It needs
      to be enabled at configure time. See documentation in
      doc/HACKING/Tracing.md. Closes ticket 32910.

48
  o Major bugfix (TLS, buffer):
Nick Mathewson's avatar
Nick Mathewson committed
49
50
51
52
53
54
    - When attempting to read N bytes on a TLS connection, really try to
      read those N bytes. Before that, Tor would stop reading after the
      first TLS record which can be smaller than N bytes even though
      more data was waiting on the TLS connection socket. The remaining
      data would have been read at the next mainloop event. Fixes bug
      40006; bugfix on 0.1.0.5-rc.
55
56

  o Minor features (address discovery):
Nick Mathewson's avatar
Nick Mathewson committed
57
58
59
60
    - If no Address statements are found, relays now prioritize guessing
      their address by looking at the local interface instead of the
      local hostname. If the interface address can't be found, the local
      hostname is used. Closes ticket 33238.
61
62
63

  o Minor features (admin tools):
    - Add new --format argument to -key-expiration option to allow
Nick Mathewson's avatar
Nick Mathewson committed
64
65
      specifying the time format of expiration date. Adds Unix timestamp
      format support. Patch by Daniel Pinto. Closes ticket 30045.
66
67
68

  o Minor features (authorities):
    - Authorities now list a different set of protocols as required and
Nick Mathewson's avatar
Nick Mathewson committed
69
70
71
72
73
      recommended. These lists are chosen so that only truly recommended
      and/or required protocols are included, and so that clients using
      0.2.9 or later will continue to work (even though they are not
      supported), whereas only relays running 0.3.5 or later will meet
      the requirements. Closes ticket 40162.
74
75
76
77
78

  o Minor features (bootstrap reporting):
    - When reporting bootstrapping status on a relay, do not consider
      connections that have never been the target of an origin circuit.
      Previously, all connection failures were treated as potential
Nick Mathewson's avatar
Nick Mathewson committed
79
80
      bootstrapping failures, including those that had been opened
      because of client requests. Closes ticket 25061.
81
82

  o Minor features (build):
Nick Mathewson's avatar
Nick Mathewson committed
83
84
85
86
87
    - If the configure script has given any warnings, remind the user
      about them at the end of the script. Related to 40138.
    - When running the configure script, try to detect version
      mismatches between the openssl headers and libraries, and suggest
      that the user should try "--with-openssl-dir". Closes 40138.
88
89
90
91

  o Minor features (compilation):
    - When building Tor, first link all object files into a single
      static library. This may help with embedding Tor in other
Nick Mathewson's avatar
Nick Mathewson committed
92
93
94
95
96
97
98
99
100
101
102
      programs. Note that most Tor functions do not constitute a part of
      a stable or supported API: Only those functions in tor_api.h
      should be used if embedding Tor. Closes ticket 40127.

  o Minor features (configuration):
    - Allow the using wildcards (* and ?) with the %include option on
      configuration files. Closes ticket 25140. Patch by Daniel Pinto.
    - Allows configuration options EntryNodes, ExcludeNodes,
      ExcludeExitNodes, ExitNodes, MiddleNodes, HSLayer2Nodes and
      HSLayer3Nodes to be specified multiple times. Closes ticket 28361.
      Patch by Daniel Pinto.
103
104

  o Minor features (control port):
Nick Mathewson's avatar
Nick Mathewson committed
105
106
    - Add a DROPTIMEOUTS control port command to drop circuit build
      timeout history and reset the timeout. Closes ticket 40002.
107
108
109
110
111
    - When a stream enters the AP_CONN_STATE_CONTROLLER_WAIT status,
      send a control port event CONTROLLER_WAIT. Closes ticket 32190.
      Patch by Neel Chauhan.

  o Minor features (control port, relay):
Nick Mathewson's avatar
Nick Mathewson committed
112
113
114
115
116
    - Introduce "GETINFO address/v4" and "GETINFO address/v6" in the
      control port to fetch the Tor host's respective IPv4 or IPv6
      address. We keep "GETINFO address" for backwords-compatibility
      which retains the current behavior. Closes ticket 40039. Patch by
      Neel Chauhan.
117
118
119

  o Minor features (control port, rephist):
    - Introduce GETINFO "stats/ntor/{assigned/requested}" and
Nick Mathewson's avatar
Nick Mathewson committed
120
121
122
      "stats/tap/{assigned/requested}" to get the NTorand TAP circuit
      onion handshake rephist values respectively. Closes ticket 28279.
      Patch by Neel Chauhan.
123
124

  o Minor features (controller, IPv6):
Nick Mathewson's avatar
Nick Mathewson committed
125
126
    - Tor relays now try to report to the controller when they are
      launching an IPv6 self-test. Closes ticket 34068.
127
128

  o Minor features (directory authorities):
Nick Mathewson's avatar
Nick Mathewson committed
129
130
    - Create new consensus method that removes the unecessary = padding
      from ntor-onion-key. Closes ticket 7869. Patch by Daniel Pinto.
131
132
133
134
135
136
    - Directory authorities now reject descriptors from relays running
      Tor versions from the 0.4.1 series, but still allow the 0.3.5
      series. Resolves ticket 34357. Patch by Neel Chauhan.

  o Minor features (directory authorities, IPv6):
    - Make authorities add their IPv6 ORPort (if any) to the trusted dir
Nick Mathewson's avatar
Nick Mathewson committed
137
138
139
      servers list. Authorities currently add themselves to the trusted
      dir servers list, but they only add their IPv4 address and ports
      to the list. Closes ticket 32822.
140
141
142
143

  o Minor features (directory authority):
    - Make it possible to specify multiple ConsensusParams torrc lines.
      Now directory authority operators can for example put the main
Nick Mathewson's avatar
Nick Mathewson committed
144
145
      ConsensusParams config in one torrc file and then add to it from a
      different torrc file. Closes ticket 40164.
146
147
    - The AssumeReachable option no longer stops directory authorities
      from checking whether other relays are running. A new
Nick Mathewson's avatar
Nick Mathewson committed
148
149
150
151
152
153
      AuthDirTestReachability option can be used to disable these
      checks. Closes ticket 34445.
    - When looking for possible sybil attacks, also consider IPv6
      addresses. Two routers are considered to have "the same" address
      by this metric if they are in the same /64 network. Patch from
      Maurice Pibouin. Closes ticket 7193.
154
155
156

  o Minor features (ed25519, relay):
    - Save a relay's base64-encoded ed25519 identity key to the data
Nick Mathewson's avatar
Nick Mathewson committed
157
158
      directory in a file named fingerprint-ed25519. Closes ticket
      30642. Patch by Neel Chauhan.
159
160
161
162
163
164
165

  o Minor features (heartbeat):
    - Include the total number of inbound and outbound IPv4 and IPv6
      connections in the heartbeat message . Closes ticket 29113.

  o Minor features (IPv6, ExcludeNodes):
    - Make routerset_contains_router() capable of handling IPv6
Nick Mathewson's avatar
Nick Mathewson committed
166
167
168
      addresses. This makes ExcludeNodes capable of excluding an IPv6
      adddress. Previously, ExcludeNodes ignored IPv6 addresses. Closes
      ticket 34065. Patch by Neel Chauhan.
169
170
171

  o Minor features (IPv6, relay):
    - Allow relays to send IPv6-only extend cells. Closes ticket 33222.
Nick Mathewson's avatar
Nick Mathewson committed
172
173
    - Declare support for the Relay=3 subprotocol version. Closes
      ticket 33226.
174
175
176
177
    - When launching IPv6 ORPort self-test circuits, make sure that the
      second-last hop can initiate an IPv6 extend. Closes ticket 33222.

  o Minor features (logging):
Nick Mathewson's avatar
Nick Mathewson committed
178
179
180
181
182
183
184
185
186
    - Adds the running glibc version to the log. Also adds the running
      and compiled glibc version to the library list returned when using
      the flag --library-versions. Patch from Daniel Pinto. Closes
      ticket 40047; bugfix on 0.4.5.0-alpha-dev.
    - Consider 301 as an error like a 404 when processing the response
      to a request for a group of server descriptors or an extrainfo
      documents. Closes ticket 40053.
    - Print directory fetch information a single line. Closes
      ticket 40159.
187
188
    - Provide more complete descriptions of our connections when logging
      about them. Closes ticket 40041.
Nick Mathewson's avatar
Nick Mathewson committed
189
190
    - When describing a relay in th elogs, we now include its ed25519
      identity. Closes ticket 22668.
191
192
193
194
195
196
197
198
199

  o Minor features (onion services):
    - When writing an onion service hostname file, first read it to make
      sure it contains what we want before attempting to write it. Now
      onion services can set their existing onion service directories to
      read-only and Tor will still work. Resolves ticket 40062. Patch by
      Neel Chauhan.

  o Minor features (pluggable transports):
Nick Mathewson's avatar
Nick Mathewson committed
200
201
202
203
204
205
    - Added option OutboundBindAddressPT to torrc. This option allows
      users to specify which IPv4 and IPv6 address they want pluggable
      transports to use for outgoing IP packets. Tor does not have a way
      to enforce that the pluggable transport honors this option so each
      pluggable transport will have to implement support for this
      feature. Closes ticket 5304.
206
207

  o Minor features (protocol simplification):
Nick Mathewson's avatar
Nick Mathewson committed
208
209
210
211
    - Tor no longer allows subprotocol versions larger than 63.
      Previously versions up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.
212
213
214
215
216

  o Minor features (relay address tracking):
    - We store relay addresses for OR connections in a more logical way.
      Previously we would sometimes overwrite the actual address of a
      connection with a "canonical address", and then store the "real
Nick Mathewson's avatar
Nick Mathewson committed
217
218
219
      address" elsewhere to remember it. We now track the "canonical
      address" elsewhere for the cases where we need it, and leave the
      connection's address alone. Closes ticket 33898.
220
221

  o Minor features (relay):
Nick Mathewson's avatar
Nick Mathewson committed
222
223
224
225
226
227
228
229
230
231
    - If a relay is unable to discover its address, attempt to learn it
      from the NETINFO cell. Closes ticket 40022.
    - Log immediately when launching a relay self-check. Previously we
      would try to log before launching checks, or approximately when we
      intended to launch checks, but this tended to be error-prone.
      Closes ticket 34137.

  o Minor features (relay, address discovery):
    - If Address is not found in torrc, attempt to learn our address
      with the configured ORPort address if any. Closes ticket 33236.
232
233
234
235
236
237

  o Minor features (relay, IPv6):
    - Add an AssumeReachableIPv6 option to disable self-checking IPv6
      reachability. Closes part of ticket 33224.
    - Add new "assume-reachable" and "assume-reachable-ipv6" parameters
      to be used in an emergency to tell relays that they should publish
Nick Mathewson's avatar
Nick Mathewson committed
238
239
      even if they cannot complete their ORPort self-checks. Closes
      ticket 34064 and part of 33224.
240
241

  o Minor features (specification update):
Nick Mathewson's avatar
Nick Mathewson committed
242
243
244
    - Several fields in microdescriptors, router descriptors, and
      consensus documents that were formerly optional are now required.
      Implements proposal 315; closes ticket 40132.
245
246

  o Minor features (state):
Nick Mathewson's avatar
Nick Mathewson committed
247
248
    - When loading the state file, remove entries from the statefile
      that have been obsolete for a long time. Ordinarily Tor preserves
249
250
251
252
253
      unrecognized entries in order to keep forward-compatibility, but
      these statefile entries have not actually been used in any release
      since before the 0.3.5.x. Closes ticket 40137.

  o Minor features (statistics, ipv6):
Nick Mathewson's avatar
Nick Mathewson committed
254
255
    - Relays now publish IPv6-specific counts of single-direction versus
      bidirectional relay connections. Closes ticket 33264.
256
    - Relays now publish their IPv6 read and write statistics over time,
Nick Mathewson's avatar
Nick Mathewson committed
257
      if statistics are enabled. Closes ticket 33263.
258
259
260

  o Minor features (subprotocol versions):
    - Use the new limitations on subprotocol versions due to proposal
Nick Mathewson's avatar
Nick Mathewson committed
261
      318 to simplify our implementation. Part of ticket 40133.
262
263

  o Minor features (testing configuration):
Nick Mathewson's avatar
Nick Mathewson committed
264
265
266
267
    - The TestingTorNetwork no longer implicitly sets AssumeReachable to
      1. This change will allow us to test relays' self-testing
      mechanisms, and eventually to test authorities' relay-testing
      functionality. Closes ticket 34446.
268
269
270
271
272

  o Minor features (testing):
    - Added unit tests for channel_matches_target_addr_for_extend().
      Closes Ticket 33919. Patch by MrSquanchee.

Nick Mathewson's avatar
Nick Mathewson committed
273
274
275
276
277
278
279
  o Minor bugfixes (security):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix
      on 0.2.7.2-alpha.
280
281
282

  o Minor bugfixes (circuit padding):
    - When circpad_send_padding_cell_for_callback is called,
Nick Mathewson's avatar
Nick Mathewson committed
283
284
285
      `is_padding_timer_scheduled` flag was not reset. Now it is set to
      0 at the top of that function. Fixes bug 32671; bugfix
      on 0.4.0.1-alpha.
286
    - Add a per-circuit padding machine instance counter, so we can
Nick Mathewson's avatar
Nick Mathewson committed
287
288
289
290
291
292
293
294
      differentiate between shutdown requests for old machines on a
      circuit; Fixes bug 30992; bugfix on 0.4.1.1-alpha.
    - Add the abilility to keep circuit padding machines if they match a
      set of circuit state or purposes. This allows us to have machines
      that start up under some conditions but don't shut down under
      others. We now use this mask to avoid starting up introduction
      circuit padding again after the machines have already completed.
      Fixes bug 32040; bugfix on 0.4.1.1-alpha.
295
296
297

  o Minor bugfixes (compatibility):
    - Strip '\r' characters when reading text files on Unix platforms.
Nick Mathewson's avatar
Nick Mathewson committed
298
299
300
301
302
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, the CRLF line
      endings from Windows ends up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.
303
304
305

  o Minor bugfixes (compilation):
    - Fix compiler warnings that would occur when building with
Nick Mathewson's avatar
Nick Mathewson committed
306
307
308
309
      "--enable-all-bugs-are-fatal" and "--disable-module-relay" at the
      same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.
310
311

  o Minor bugfixes (configuration):
Nick Mathewson's avatar
Nick Mathewson committed
312
313
314
315
    - Fix bug where %including a pattern ending with */ would include
      files and folders (instead of folders only) in versions of glibc <
      2.19. Fixes bug 40141; bugfix on 0.4.5.0-alpha-dev. Patch by
      Daniel Pinto.
316
317

  o Minor bugfixes (logging):
Nick Mathewson's avatar
Nick Mathewson committed
318
319
320
321
322
323
324
325
    - Remove a debug logging statement that uselessly spam the logs.
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.
    - When logging a rate-limited message about how many messages have
      been suppressed in the last N seconds, give an accurate value for
      N, rounded up to the nearest minute. Previously we would report
      the size of the rate-limiting interval, regardless of when the
      messages started to occur. Fixes bug 19431; bugfix
      on 0.2.2.16-alpha.
326
327

  o Minor bugfixes (protover):
Nick Mathewson's avatar
Nick Mathewson committed
328
329
    - Consistently reject extra commas, instead of only rejecting
      leading commas. Fixes bug 27194; bugfix on 0.2.9.4-alpha.
330
331

  o Minor bugfixes (relay configuration, crash):
Nick Mathewson's avatar
Nick Mathewson committed
332
333
334
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.
335
336
337

  o Minor bugfixes (rust, protocol versions):
    - Declare support for the onion service introduction point denial of
Nick Mathewson's avatar
Nick Mathewson committed
338
339
      service extensions, when building tor with Rust. Fixes bug 34248;
      bugfix on 0.4.2.1-alpha.
340
    - Make Rust protocol version support checks consistent with the
Nick Mathewson's avatar
Nick Mathewson committed
341
342
      undocumented error behaviour of the corresponding C code. Fixes
      bug 34251; bugfix on 0.3.3.5-rc.
343
344

  o Minor bugfixes (self-testing):
Nick Mathewson's avatar
Nick Mathewson committed
345
346
347
348
349
    - When receiving an incoming circuit, only accept it as evidence
      that we are reachable if the declared address of its channel is
      the same address we think that we have. Otherwise, it could be
      evidence that we're reachable on some other address. Fixes bug
      20165; bugfix on 0.1.0.1-rc.
350
351

  o Minor bugfixes (SOCKS, onion services):
Nick Mathewson's avatar
Nick Mathewson committed
352
353
354
355
    - Make sure we send the SOCKS request address in relay begin cells
      when a stream is attached with the purpose
      CIRCUIT_PURPOSE_CONTROLLER. Fixes bug 33124; bugfix on 0.0.5.
      Patch by Neel Chauhan.
356
357
358

  o Minor bugfixes (spec conformance):
    - Use the correct key type when generating signing->link
Nick Mathewson's avatar
Nick Mathewson committed
359
      certificates. Fixes bug 40124; bugfix on 0.2.7.2-alpha.
360
361

  o Minor bugfixes (string handling):
Nick Mathewson's avatar
Nick Mathewson committed
362
363
364
365
366
    - In summarize_protover_flags(), treat empty strings the same as
      NULL. This prevents protocols_known from being set. Previously, we
      treated empty strings as normal strings, which led to
      protocols_known being set. Fixes bug 34232; bugfix on
      0.3.3.2-alpha. Patch by Neel Chauhan.
367
368

  o Minor bugfixes (v2 onion services):
Nick Mathewson's avatar
Nick Mathewson committed
369
370
371
372
373
    - For HSFETCH commands on v2 onion services addresses, check the
      length of bytes decoded, not the base32 length. This takes the
      behavior introduced in commit
      a517daa56f5848d25ba79617a1a7b82ed2b0a7c0 into consideration. Fixes
      bug 34400; bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.
374
375
376
377

  o Code simplification and refactoring:
    - Add and use a set of functions to perform downcasts on constant
      connection and channel pointers. Closes ticket 40046.
Nick Mathewson's avatar
Nick Mathewson committed
378
379
380
381
    - Refactor our code that logs a descriptions of connections,
      channels, and the peers on them, to use a single call path. This
      change enables us to refactor the data types that they use, and
      eliminate many confusing users of those types. Closes ticket 40041.
382
383
    - Refactor some common node selection code into a single function.
      Closes ticket 34200.
Nick Mathewson's avatar
Nick Mathewson committed
384
385
386
387
388
    - Remove the now-redundant 'outbuf_flushlen' field from our
      connection type. It was previously used for an older version of
      our rate-limiting logic. Closes ticket 33097.
    - Rename "fascist_firewall_*" identifiers to "reachable_addr_*"
      instead, for consistency with other code. Closes ticket 18106.
389
390
391
392
    - Rename functions about "advertised" ports which are not in fact
      guaranteed to return the ports have been advertised. Closes
      ticket 40055.
    - Split implementation of several command line options from
Nick Mathewson's avatar
Nick Mathewson committed
393
394
395
396
397
398
      options_init_from_torrc into smaller isolated functions. Patch by
      Daniel Pinto. Closes ticket 40102.
    - When an extend cell is missing an IPv4 or IPv6 address, fill in
      the address from the extend info. This is similar to what was done
      in ticket 33633 for ed25519 keys. Closes ticket 33816. Patch by
      Neel Chauhan.
399
400
401

  o Deprecated features:
    - The "non-builtin" argument to the "--dump-config" command is now
Nick Mathewson's avatar
Nick Mathewson committed
402
      deprecated. When it works, it behaves the same as "short", which
403
404
      you should use instead. Closes ticket 33398.

Nick Mathewson's avatar
Nick Mathewson committed
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
  o Documentation:
    - Replace URLs from our old bugtracker so that they refer to the new
      bugtracker and wiki. Closes ticket 40101.

  o Removed features:
    - We no longer ship or build a "tor.service" file for use with
      systemd. No distribution included this script unmodified, and we
      don't have the expertise ourselves to maintain this in a way that
      all the various systemd-based distributions can use. Closes
      ticket 30797.
    - We no longer ship support for the Android logging API. Modern
      versions of Android can use the syslog API instead. Closes
      ticket 32181.

  o Testing:
    - Add unit tests for bandwidth statistics manipulation functions.
      Closes ticket 33812. Patch by MrSquanchee.

  o Code simplification and refactoring (autoconf):
    - Remove autoconf checks for unused funcs and headers. Closes ticket
      31699; Patch by @bduszel

  o Code simplification and refactoring (maintainer scripts):
    - Disable by default the pre-commit hook. Use the environment
      variable TOR_EXTRA_PRE_COMMIT_CHECKS in order to run it.
      Furthermore, stop running practracker in the pre-commit hook and
      make check-local. Closes ticket 40019.

  o Code simplification and refactoring (relay address):
    - Most of IPv4 representation was using "uint32_t". It has now been
      moved to use the internal "tor_addr_t" interface instead. This is
      so we can properly integrate IPv6 along IPv4 with common
      interfaces. Closes ticket 40043.

439
440
441
442
  o Documentation (manpages):
    - Move them from doc/ to doc/man/. Closes ticket 40044.

  o Documentation (manual page):
Nick Mathewson's avatar
Nick Mathewson committed
443
444
    - Describe the status of the "Sandbox" option more accurately. It is
      no longer "experimental", but it _is_ dependent on kernel and libc
445
446
447
448
449
450
451
452
453
454
455
456
      versions. Closes ticket 23378.

  o Documentation (tracing):
    - Document in depth the circuit subsystem trace events in the new
      doc/tracing/EventsCircuit.md. Closes ticket 40036.

  o Removed features (network parameters):

  o Testing (CI):
    - Build tracing configure option into our CI. Closes ticket 40038.

  o Testing (onion service v2):
Nick Mathewson's avatar
Nick Mathewson committed
457
458
459
460
461
462
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.
463
464


465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
Changes in version 0.4.4.5 - 2020-09-15
  Tor 0.4.4.5 is the first stable release in the 0.4.4.x series. This
  series improves our guard selection algorithms, adds v3 onion balance
  support, improves the amount of code that can be disabled when running
  without relay support, and includes numerous small bugfixes and
  enhancements. It also lays the ground for some IPv6 features that
  we'll be developing more in the next (0.4.5) series.

  Per our support policy, we support each stable release series for nine
  months after its first stable release, or three months after the first
  stable release of the next series: whichever is longer. This means
  that 0.4.4.x will be supported until around June 2021--or later, if
  0.4.5.x is later than anticipated.

  Note also that support for 0.4.2.x has just ended; support for 0.4.3
  will continue until Feb 15, 2021. We still plan to continue supporting
  0.3.5.x, our long-term stable series, until Feb 2022.

  Below are the changes since 0.4.4.4-rc. For a complete list of changes
  since 0.4.3.6, see the ReleaseNotes file.

  o Major bugfixes (onion services, DoS):
    - Correct handling of parameters for the onion service DoS defense.
      Previously, the consensus parameters for the onion service DoS
      defenses were overwriting the parameters set by the service
      operator using HiddenServiceEnableIntroDoSDefense. Fixes bug
      40109; bugfix on 0.4.2.1-alpha.

  o Major bugfixes (stats, onion services):
    - Fix a bug where we were undercounting the Tor network's total
      onion service traffic, by ignoring any traffic originating from
      clients. Now we count traffic from both clients and services.
      Fixes bug 40117; bugfix on 0.2.6.2-alpha.

  o Minor features (control port):
    - If a ClientName was specified in ONION_CLIENT_AUTH_ADD for an
      onion service, display it when we use ONION_CLIENT_AUTH_VIEW.
      Closes ticket 40089. Patch by Neel Chauhan.

  o Minor features (denial-of-service memory limiter):
    - Allow the user to configure even lower values for the
      MaxMemInQueues parameter. Relays now enforce a minimum of 64 MB,
      when previously the minimum was 256 MB. On clients, there is no
      minimum. Relays and clients will both warn if the value is set so
      low that Tor is likely to stop working. Closes ticket 24308.

  o Minor features (tests):
    - Our "make check" target now runs the unit tests in 8 parallel
      chunks. Doing this speeds up hardened CI builds by more than a
      factor of two. Closes ticket 40098.

  o Minor bugfixes (guard selection algorithm):
    - Avoid needless guard-related warning when upgrading from 0.4.3 to
      0.4.4. Fixes bug 40105; bugfix on 0.4.4.1-alpha.

  o Minor bugfixes (tests):
    - Fix the behavior of the rend_cache/clean_v2_descs_as_dir when run
      on its own. Previously, it would exit with an error. Fixes bug
      40099; bugfix on 0.2.8.1-alpha.


526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
Changes in version 0.4.4.3-alpha - 2020-07-27
  Tor 0.4.4.3-alpha fixes several annoyances in previous versions,
  including one affecting NSS users, and several affecting the Linux
  seccomp2 sandbox.

  o Major features (fallback directory list):
    - Replace the 148 fallback directories originally included in Tor
      0.4.1.4-rc (of which around 105 are still functional) with a list
      of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (NSS):
    - When running with NSS enabled, make sure that NSS knows to expect
      nonblocking sockets. Previously, we set our TCP sockets as
      nonblocking, but did not tell NSS, which in turn could lead to
      unexpected blocking behavior. Fixes bug 40035; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Fix a regression on sandboxing rules for the openat() syscall. The
      fix for bug 25440 fixed the problem on systems with glibc >= 2.27
      but broke with versions of glibc. We now choose a rule based on
      the glibc version. Patch from Daniel Pinto. Fixes bug 27315;
      bugfix on 0.3.5.11.
    - Makes the seccomp sandbox allow the correct syscall for opendir
      according to the running glibc version. This fixes crashes when
      reloading torrc with sandbox enabled when running on glibc 2.15 to
      2.21 and 2.26. Patch from Daniel Pinto. Fixes bug 40020; bugfix
      on 0.3.5.11.

  o Minor bugfixes (relay, usability):
    - Adjust the rules for when to warn about having too many
      connections to other relays. Previously we'd tolerate up to 1.5
      connections per relay on average. Now we tolerate more connections
      for directory authorities, and raise the number of total
      connections we need to see before we warn. Fixes bug 33880; bugfix
      on 0.3.1.1-alpha.

  o Documentation:
    - Replace most http:// URLs in our code and documentation with
      https:// URLs. (We have left unchanged the code in src/ext/, and
      the text in LICENSE.) Closes ticket 31812. Patch from Jeremy Rand.

  o Removed features:
    - Our "check-local" test target no longer tries to use the
      Coccinelle semantic patching tool parse all the C files. While it
      is a good idea to try to make sure Coccinelle works on our C
      before we run a Coccinelle patch, doing so on every test run has
      proven to be disruptive. You can still run this tool manually with
      "make check-cocci". Closes ticket 40030.


577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
Changes in version 0.3.5.11 - 2020-07-09
  Tor 0.3.5.11 backports fixes from later tor releases, including several
  usability, portability, and reliability fixes.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor features (testing, backport from 0.4.3.4-rc):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler compatibility, backport from 0.4.3.5):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha):
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (key portability, backport from 0.4.3.4-rc):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Testing (CI, backport from 0.4.3.4-rc):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


Changes in version 0.4.2.8 - 2020-07-09
  Tor 0.4.2.8 backports various fixes from later releases, including
  several that affect usability and portability.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor feature (sendme, flow control, backport form 0.4.3.4-rc):
    - Default to sending SENDME version 1 cells. (Clients are already
      sending these, because of a consensus parameter telling them to do
      so: this change only affects what clients would do if the
      consensus didn't contain a recommendation.) Closes ticket 33623.

  o Minor features (diagnostic, backport from 0.4.3.3-alpha):
    - Improve assertions and add some memory-poisoning code to try to
      track down possible causes of a rare crash (32564) in the EWMA
      code. Closes ticket 33290.

  o Minor features (testing, backport from 0.4.3.4-rc):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler compatibility, backport from 0.4.3.5):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
    - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
      on 0.4.0.3-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (controller protocol, backport from 0.4.3.2-alpha):
    - When receiving "ACTIVE" or "DORMANT" signals on the control port,
      report them as SIGNAL events. Previously we would log a bug
      warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha):
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (key portability, backport from 0.4.3.4-rc):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-rc):
    - When logging a bug, do not say "Future instances of this warning
      will be silenced" unless we are actually going to silence them.
      Previously we would say this whenever a BUG() check failed in the
      code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.4-rc):
    - Flush stderr, stdout, and file logs during shutdown, if supported
      by the OS. This change helps make sure that any final logs are
      recorded. Fixes bug 33087; bugfix on 0.4.1.6.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Testing (CI, backport from 0.4.3.4-rc):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


Changes in version 0.4.3.6 - 2020-07-09
  Tor 0.4.3.6 backports several bugfixes from later releases, including
  some affecting usability.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (linux seccomp sandbox, nss, backport from 0.4.4.1-alpha):
    - Fix a startup crash when tor is compiled with --enable-nss and
      sandbox support is enabled. Fixes bug 34130; bugfix on
      0.3.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (manual page, backport from 0.4.4.1-alpha):
    - Update the man page to reflect that MinUptimeHidServDirectoryV2
      defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, backport from 0.4.4.1-alpha):
    - Prevent an assert() that would occur when cleaning the client
      descriptor cache, and attempting to close circuits for a non-
      decrypted descriptor (lacking client authorization). Fixes bug
      33458; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (portability, backport from 0.4.4.1-alpha):
    - Fix a portability error in the configure script, where we were
      using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5.

  o Minor bugfixes (relays, backport from 0.4.4.1-alpha):
    - Stop advertising incorrect IPv6 ORPorts in relay and bridge
      descriptors, when the IPv6 port was configured as "auto". Fixes
      bug 32588; bugfix on 0.2.3.9-alpha.

  o Documentation (backport from 0.4.4.1-alpha):
    - Fix several doxygen warnings related to imbalanced groups. Closes
      ticket 34255.


Changes in version 0.4.4.2-alpha - 2020-07-09
  This is the second alpha release in the 0.4.4.x series. It fixes a few
  bugs in the previous release, and solves a few usability,
  compatibility, and portability issues.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Minor features (bootstrap reporting):
    - Report more detailed reasons for bootstrap failure when the
      failure happens due to a TLS error. Previously we would just call
      these errors "MISC" when they happened during read, and "DONE"
      when they happened during any other TLS operation. Closes
      ticket 32622.

  o Minor features (directory authority):
    - Authorities now recommend the protocol versions that are supported
      by Tor 0.3.5 and later. (Earlier versions of Tor have been
      deprecated since January of this year.) This recommendation will
      cause older clients and relays to give a warning on startup, or
      when they download a consensus directory. Closes ticket 32696.

  o Minor features (entry guards):
    - Reinstate support for GUARD NEW/UP/DOWN control port events.
      Closes ticket 40001.

  o Minor features (linux seccomp2 sandbox, portability):
    - Allow Tor to build on platforms where it doesn't know how to
      report which syscall caused the linux seccomp2 sandbox to fail.
      This change should make the sandbox code more portable to less
      common Linux architectures. Closes ticket 34382.
    - Permit the unlinkat() syscall, which some Libc implementations use
      to implement unlink(). Closes ticket 33346.

  o Minor bugfix (CI, Windows):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (onion service v3 client):
    - Remove a BUG() warning that could occur naturally. Fixes bug
      34087; bugfix on 0.3.2.1-alpha.

  o Minor bugfix (SOCKS, onion service client):
    - Detect v3 onion service addresses of the wrong length when
      returning the F6 ExtendedErrors code. Fixes bug 33873; bugfix
      on 0.4.3.1-alpha.

  o Minor bugfixes (compiler warnings):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (control port, onion service):
    - Consistently use 'address' in "Invalid v3 address" response to
      ONION_CLIENT_AUTH commands. Previously, we would sometimes say
      'addr'. Fixes bug 40005; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (logging):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion services v3):
    - Avoid a non-fatal assertion failure in certain edge-cases when
      opening an intro circuit as a client. Fixes bug 34084; bugfix
      on 0.3.2.1-alpha.

  o Deprecated features (onion service v2):
    - Add a deprecation warning for version 2 onion services. Closes
      ticket 40003.

  o Removed features (IPv6, revert):
    - Revert the change in the default value of ClientPreferIPv6OrPort:
      it breaks the torsocks use case. The SOCKS resolve command has no
      mechanism to ask for a specific address family (v4 or v6), and so
      prioritizing IPv6 when an IPv4 address is requested on the SOCKS
      interface resulted in a failure. Tor Browser explicitly sets
      PreferIPv6, so this should not affect the majority of our users.
      Closes ticket 33796; bugfix on 0.4.4.1-alpha.


955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Changes in version 0.4.4.1-alpha - 2020-06-16
  This is the first alpha release in the 0.4.4.x series.  It improves
  our guard selection algorithms, improves the amount of code that
  can be disabled when running without relay support, and includes numerous
  small bugfixes and enhancements.  It also lays the ground for some IPv6
  features that we'll be developing more in the next (0.4.5) series.

  Here are the changes since 0.4.3.5.

  o Major features (Proposal 310, performance + security):
    - Implements Proposal 310, "Bandaid on guard selection". Proposal
      310 solves load-balancing issues with older versions of the guard
      selection algorithm, and improves its security. Under this new
      algorithm, a newly selected guard never becomes Primary unless all
      previously sampled guards are unreachable. Implements
      recommendation from 32088. (Proposal 310 is linked to the CLAPS
      project researching optimal client location-aware path selections.
      This project is a collaboration between the UCLouvain Crypto Group,
      the U.S. Naval Research Laboratory, and Princeton University.)

  o Major features (IPv6, relay):
    - Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol
      warning if the IPv4 or IPv6 address is an internal address, and
      internal addresses are not allowed. But continue to use the other
      address, if it is valid. Closes ticket 33817.
    - If a relay can extend over IPv4 and IPv6, and both addresses are
      provided, it chooses between them uniformly at random. Closes
      ticket 33817.
    - Re-use existing IPv6 connections for circuit extends. Closes
      ticket 33817.
    - Relays may extend circuits over IPv6, if the relay has an IPv6
      ORPort, and the client supplies the other relay's IPv6 ORPort in
      the EXTEND2 cell. IPv6 extends will be used by the relay IPv6
      ORPort self-tests in 33222. Closes ticket 33817.

  o Major features (v3 onion services):
    - Allow v3 onion services to act as OnionBalance backend instances,
      by using the HiddenServiceOnionBalanceInstance torrc option.
      Closes ticket 32709.

  o Minor feature (developer tools):
    - Add a script to help check the alphabetical ordering of option
      names in the manual page. Closes ticket 33339.

  o Minor feature (onion service client, SOCKS5):
    - Add 3 new SocksPort ExtendedErrors (F2, F3, F7) that reports back
For faster browsing, not all history is shown. View entire blame