ChangeLog 449 KB
Newer Older
1
Changes in version 0.2.2.11-alpha - 2010-04-??
2
3
4
5
6
7
8
  o Minor features:
    - Experiment with a more aggressive approach to preventing clients
      from making one-hop exit streams. Exit relays who want to try it
      out can set "RefuseUnknownExits 1" in their torrc, and then look
      for "Attempt by %s to open a stream" log messages. Let us know
      how it goes!

9
10
  o Minor bugfixes:
    - When we cleaned up the contrib/tor-exit-notice.html file, we left
11
12
13
14
15
16
17
18
19
20
      out the first line. Fixes bug 1295.
    - When building the manpage from a tarball, we required asciidoc, but
      the asciidoc -> roff/html conversion was already done for the
      tarball. Make 'make' complain only when we need asciidoc (either
      because we're compiling directly from git, or because we altered
      the asciidoc manpage in the tarball). Bugfix on 0.2.2.9-alpha.
    - When none of the directory authorities vote on any params, Tor
      segfaulted when trying to make the consensus from the votes. We
      didn't trigger the bug in practice, because authorities do include
      params in their votes. Bugfix on 0.2.2.10-alpha, fixes bug 1322.
Roger Dingledine's avatar
Roger Dingledine committed
21
22


23
Changes in version 0.2.2.10-alpha - 2010-03-07
Roger Dingledine's avatar
Roger Dingledine committed
24
25
26
27
28
29
  Tor 0.2.2.10-alpha fixes a regression introduced in 0.2.2.9-alpha that
  could prevent relays from guessing their IP address correctly. It also
  starts the groundwork for another client-side performance boost, since
  currently we're not making efficient use of relays that have both the
  Guard flag and the Exit flag.

30
31
32
33
34
35
  o Major bugfixes:
    - Fix a regression from our patch for bug 1244 that caused relays
      to guess their IP address incorrectly if they didn't set Address
      in their torrc and/or their address fails to resolve. Bugfix on
      0.2.2.9-alpha; fixes bug 1269.

36
  o Major features (performance):
37
38
39
40
41
42
43
    - Directory authorities now compute consensus weightings that instruct
      clients how to weight relays flagged as Guard, Exit, Guard+Exit,
      and no flag. Clients that use these weightings will distribute
      network load more evenly across these different relay types. The
      weightings are in the consensus so we can change them globally in
      the future. Extra thanks to "outofwords" for finding some nasty
      security bugs in the first implementation of this feature.
44
45

  o Minor features (performance):
46
    - Always perform router selections using weighted relay bandwidth,
47
      even if we don't need a high capacity circuit at the time. Non-fast
48
49
50
51
      circuits now only differ from fast ones in that they can use relays
      not marked with the Fast flag. This "feature" could turn out to
      be a horrible bug; we should investigate more before it goes into
      a stable release.
52

53
  o Minor features:
54
55
    - Allow disabling building of the manpages. Skipping the manpage
      speeds up the build considerably.
56

57
  o Minor bugfixes (on 0.2.2.x):
58
59
    - Fix a memleak in the EXTENDCIRCUIT logic. Spotted by coverity.
      Bugfix on 0.2.2.9-alpha.
60
61
    - Disallow values larger than INT32_MAX for PerConnBWRate|Burst
      config option. Bugfix on 0.2.2.7-alpha.
62
63
64
    - Ship the asciidoc-helper file in the tarball, so that people can
      build from source if they want to, and touching the .1.txt files
      doesn't break the build. Bugfix on 0.2.2.9-alpha.
65

66
67
68
69
70
71
72
73
74
  o Minor bugfixes (on 0.2.1.x or earlier):
    - Fix a dereference-then-NULL-check sequence when publishing
      descriptors. Bugfix on 0.2.1.5-alpha. Discovered by ekir; fixes
      bug 1255.
    - Fix another dereference-then-NULL-check sequence. Bugfix on
      0.2.1.14-rc. Discovered by ekir; fixes bug 1256.
    - Make sure we treat potentially not NUL-terminated strings correctly.
      Bugfix on 0.1.1.13-alpha. Discovered by rieo; fixes bug 1257.

75
76
77
  o Code simplifications and refactoring:
    - Fix some urls in the exit notice file and make it XHTML1.1 strict
      compliant. Based on a patch from Christian Kujau.
Sebastian Hahn's avatar
Sebastian Hahn committed
78
    - Don't use sed in asciidoc-helper anymore.
79
    - Make the build process fail if asciidoc cannot be found and
80
      building with asciidoc isn't disabled.
81

82

Roger Dingledine's avatar
Roger Dingledine committed
83
Changes in version 0.2.2.9-alpha - 2010-02-22
Roger Dingledine's avatar
Roger Dingledine committed
84
85
86
  Tor 0.2.2.9-alpha makes Tor work again on the latest OS X, updates the
  location of a directory authority, and cleans up a bunch of small bugs.

Roger Dingledine's avatar
Roger Dingledine committed
87
88
89
90
91
  o Directory authority changes:
    - Change IP address for dannenberg (v3 directory authority), and
      remove moria2 (obsolete v1, v2 directory authority and v0 hidden
      service directory authority) from the list.

92
  o Major bugfixes:
Roger Dingledine's avatar
Roger Dingledine committed
93
94
95
96
97
98
99
100
101
102
    - Make Tor work again on the latest OS X: when deciding whether to
      use strange flags to turn TLS renegotiation on, detect the OpenSSL
      version at run-time, not compile time. We need to do this because
      Apple doesn't update its dev-tools headers when it updates its
      libraries in a security patch.
    - Fix a potential buffer overflow in lookup_last_hid_serv_request()
      that could happen on 32-bit platforms with 64-bit time_t. Also fix
      a memory leak when requesting a hidden service descriptor we've
      requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
      by aakova.
103
    - Authorities could be tricked into giving out the Exit flag to relays
Roger Dingledine's avatar
Roger Dingledine committed
104
105
106
      that didn't allow exiting to any ports. This bug could screw
      with load balancing and stats. Bugfix on 0.1.1.6-alpha; fixes bug
      1238. Bug discovered by Martin Kowalczyk.
107
108
109
    - When freeing a session key, zero it out completely. We only zeroed
      the first ptrsize bytes. Bugfix on 0.0.2pre8. Discovered and
      patched by ekir. Fixes bug 1254.
110

111
  o Minor bugfixes:
112
    - Fix static compilation by listing the openssl libraries in the right
Roger Dingledine's avatar
Roger Dingledine committed
113
114
115
116
117
118
119
120
121
122
123
124
      order. Bugfix on Tor 0.2.2.8-alpha; fixes bug 1237.
    - Resume handling .exit hostnames in a special way: originally we
      stripped the .exit part and used the requested exit relay. In
      0.2.2.1-alpha we stopped treating them in any special way, meaning
      if you use a .exit address then Tor will pass it on to the exit
      relay. Now we reject the .exit stream outright, since that behavior
      might be more expected by the user. Found and diagnosed by Scott
      Bennett and Downie on or-talk.
    - Don't spam the controller with events when we have no file
      descriptors available. Bugfix on 0.2.1.5-alpha. (Rate-limiting
      for log messages was already solved from bug 748.)
    - Avoid a bogus overlapped memcpy in tor_addr_copy(). Reported by
125
      "memcpyfail".
126
127
    - Make the DNSPort option work with libevent 2.x. Don't alter the
      behaviour for libevent 1.x. Fixes bug 1143. Found by SwissTorExit.
Roger Dingledine's avatar
Roger Dingledine committed
128
129
130
131
132
    - Emit a GUARD DROPPED controller event for a case we missed.
    - Make more fields in the controller protocol case-insensitive, since
      control-spec.txt said they were.
    - Refactor resolve_my_address() to not use gethostbyname() anymore.
      Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.
133
134
135
    - Fix a spec conformance issue: the network-status-version token
      must be the first token in a v3 consensus or vote. Discovered by
      parakeep. Bugfix on 0.2.0.3-alpha.
136

137
  o Code simplifications and refactoring:
Roger Dingledine's avatar
Roger Dingledine committed
138
139
140
141
142
143
    - Generate our manpage and HTML documentation using Asciidoc. This
      change should make it easier to maintain the documentation, and
      produce nicer HTML.
    - Remove the --enable-iphone option. According to reports from Marco
      Bonetti, Tor builds fine without any special tweaking on recent
      iPhone SDK versions.
144
    - Removed some unnecessary files from the source distribution. The
Roger Dingledine's avatar
Roger Dingledine committed
145
      AUTHORS file has now been merged into the people page on the
146
147
      website. The roadmaps and design doc can now be found in the
      projects directory in svn.
148
149
150
151
152
153
154
    - Enabled various circuit build timeout constants to be controlled
      by consensus parameters. Also set better defaults for these
      parameters based on experimentation on broadband and simulated
      high latency links.

  o Minor features:
    - The 'EXTENDCIRCUIT' control port command can now be used with
Roger Dingledine's avatar
Roger Dingledine committed
155
156
      a circ id of 0 and no path. This feature will cause Tor to build
      a new 'fast' general purpose circuit using its own path selection
157
      algorithms.
Roger Dingledine's avatar
Roger Dingledine committed
158
    - Added a BUILDTIMEOUT_SET controller event to describe changes
159
      to the circuit build timeout.
160
161
    - Future-proof the controller protocol a bit by ignoring keyword
      arguments we do not recognize.
162
163
164
    - Expand homedirs passed to tor-checkkey. This should silence a
      coverity complaint about passing a user-supplied string into
      open() without checking it.
165
166


167
Changes in version 0.2.1.25 - 2010-03-??
168
  o Major bugfixes:
169
170
171
172
173
174
175
    - Fix a regression from our patch for bug 1244 that caused relays
      to guess their IP address incorrectly if they didn't set Address
      in their torrc and/or their address fails to resolve. Bugfix on
      0.2.1.23; fixes bug 1269.
    - When freeing a session key, zero it out completely. We only zeroed
      the first ptrsize bytes. Bugfix on 0.0.2pre8. Discovered and
      patched by ekir. Fixes bug 1254.
Nick Mathewson's avatar
Nick Mathewson committed
176

177
178
  o Minor bugfixes:
    - Fix a dereference-then-NULL-check sequence when publishing
179
180
      descriptors. Bugfix on 0.2.1.5-alpha. Discovered by ekir; fixes
      bug 1255.
181
    - Fix another dereference-then-NULL-check sequence. Bugfix on
182
      0.2.1.14-rc. Discovered by ekir; fixes bug 1256.
183
    - Make sure we treat potentially not NUL-terminated strings correctly.
184
185
      Bugfix on 0.1.1.13-alpha. Discovered by rieo; fixes bug 1257.

186

187

Roger Dingledine's avatar
Roger Dingledine committed
188
189
190
Changes in version 0.2.1.24 - 2010-02-21
  Tor 0.2.1.24 makes Tor work again on the latest OS X -- this time
  for sure!
191

192
193
  o Minor bugfixes:
    - Work correctly out-of-the-box with even more vendor-patched versions
Roger Dingledine's avatar
Roger Dingledine committed
194
195
      of OpenSSL. In particular, make it so Debian and OS X don't need
      customized patches to run/build.
196
197


198
199
200
201
202
Changes in version 0.2.1.23 - 2010-02-13
  Tor 0.2.1.23 fixes a huge client-side performance bug, makes Tor work
  again on the latest OS X, and updates the location of a directory
  authority.

203
204
205
206
207
208
209
210
211
  o Major bugfixes (performance):
    - We were selecting our guards uniformly at random, and then weighting
      which of our guards we'd use uniformly at random. This imbalance
      meant that Tor clients were severely limited on throughput (and
      probably latency too) by the first hop in their circuit. Now we
      select guards weighted by currently advertised bandwidth. We also
      automatically discard guards picked using the old algorithm. Fixes
      bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.

212
  o Major bugfixes:
Roger Dingledine's avatar
Roger Dingledine committed
213
214
215
216
217
    - Make Tor work again on the latest OS X: when deciding whether to
      use strange flags to turn TLS renegotiation on, detect the OpenSSL
      version at run-time, not compile time. We need to do this because
      Apple doesn't update its dev-tools headers when it updates its
      libraries in a security patch.
218
    - Fix a potential buffer overflow in lookup_last_hid_serv_request()
Roger Dingledine's avatar
Roger Dingledine committed
219
220
221
222
      that could happen on 32-bit platforms with 64-bit time_t. Also fix
      a memory leak when requesting a hidden service descriptor we've
      requested before. Fixes bug 1242, bugfix on 0.2.0.18-alpha. Found
      by aakova.
223

224
225
226
227
  o Directory authority changes:
    - Change IP address for dannenberg (v3 directory authority), and
      remove moria2 (obsolete v1, v2 directory authority and v0 hidden
      service directory authority) from the list.
228

229
  o Minor bugfixes:
Roger Dingledine's avatar
Roger Dingledine committed
230
231
    - Refactor resolve_my_address() to not use gethostbyname() anymore.
      Fixes bug 1244; bugfix on 0.0.2pre25. Reported by Mike Mestnik.
232

233
234
235
236
237
238
239
  o Minor features:
    - Avoid a mad rush at the beginning of each month when each client
      rotates half of its guards. Instead we spread the rotation out
      throughout the month, but we still avoid leaving a precise timestamp
      in the state file about when we first picked the guard. Improves
      over the behavior introduced in 0.1.2.17.

240

241
Changes in version 0.2.2.8-alpha - 2010-01-26
Roger Dingledine's avatar
Roger Dingledine committed
242
243
244
245
  Tor 0.2.2.8-alpha fixes a crash bug in 0.2.2.7-alpha that has been
  causing bridge relays to disappear. If you're running a bridge,
  please upgrade.

246
247
248
249
250
251
252
253
254
255
256
257
258
259
  o Major bugfixes:
    - Fix a memory corruption bug on bridges that occured during the
      inclusion of stats data in extra-info descriptors. Also fix the
      interface for geoip_get_bridge_stats* to prevent similar bugs in
      the future. Diagnosis by Tas, patch by Karsten and Sebastian.
      Fixes bug 1208; bugfix on 0.2.2.7-alpha.

  o Minor bugfixes:
    - Ignore OutboundBindAddress when connecting to localhost.
      Connections to localhost need to come _from_ localhost, or else
      local servers (like DNS and outgoing HTTP/SOCKS proxies) will often
      refuse to listen.


260
Changes in version 0.2.2.7-alpha - 2010-01-19
261
262
263
264
265
266
267
268
  Tor 0.2.2.7-alpha fixes a huge client-side performance bug, as well
  as laying the groundwork for further relay-side performance fixes. It
  also starts cleaning up client behavior with respect to the EntryNodes,
  ExitNodes, and StrictNodes config options.

  This release also rotates two directory authority keys, due to a
  security breach of some of the Torproject servers.

269
270
271
272
  o Directory authority changes:
    - Rotate keys (both v3 identity and relay identity) for moria1
      and gabelmoo.

273
  o Major features (performance):
274
275
276
277
278
279
280
    - We were selecting our guards uniformly at random, and then weighting
      which of our guards we'd use uniformly at random. This imbalance
      meant that Tor clients were severely limited on throughput (and
      probably latency too) by the first hop in their circuit. Now we
      select guards weighted by currently advertised bandwidth. We also
      automatically discard guards picked using the old algorithm. Fixes
      bug 1217; bugfix on 0.2.1.3-alpha. Found by Mike Perry.
281
282
283
284
285
286
287
    - When choosing which cells to relay first, relays can now favor
      circuits that have been quiet recently, to provide lower latency
      for low-volume circuits. By default, relays enable or disable this
      feature based on a setting in the consensus. You can override
      this default by using the new "CircuitPriorityHalflife" config
      option. Design and code by Ian Goldberg, Can Tang, and Chris
      Alexander.
288
289
290
    - Add separate per-conn write limiting to go with the per-conn read
      limiting. We added a global write limit in Tor 0.1.2.5-alpha,
      but never per-conn write limits.
291
292
293
294
    - New consensus params "bwconnrate" and "bwconnburst" to let us
      rate-limit client connections as they enter the network. It's
      controlled in the consensus so we can turn it on and off for
      experiments. It's starting out off. Based on proposal 163.
295

296
  o Major features (relay selection options):
297
    - Switch to a StrictNodes config option, rather than the previous
298
299
      "StrictEntryNodes" / "StrictExitNodes" separation that was missing a
      "StrictExcludeNodes" option.
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
    - If EntryNodes, ExitNodes, ExcludeNodes, or ExcludeExitNodes
      change during a config reload, mark and discard all our origin
      circuits. This fix should address edge cases where we change the
      config options and but then choose a circuit that we created before
      the change.
    - If EntryNodes or ExitNodes are set, be more willing to use an
      unsuitable (e.g. slow or unstable) circuit. The user asked for it,
      they get it.
    - Make EntryNodes config option much more aggressive even when
      StrictNodes is not set. Before it would prepend your requested
      entrynodes to your list of guard nodes, but feel free to use others
      after that. Now it chooses only from your EntryNodes if any of
      those are available, and only falls back to others if a) they're
      all down and b) StrictNodes is not set.
    - Now we refresh your entry guards from EntryNodes at each consensus
      fetch -- rather than just at startup and then they slowly rot as
      the network changes.

318
319
320
321
322
  o Major bugfixes:
    - Stop bridge directory authorities from answering dbg-stability.txt
      directory queries, which would let people fetch a list of all
      bridge identities they track. Bugfix on 0.2.1.6-alpha.

323
  o Minor features:
324
325
326
    - Log a notice when we get a new control connection. Now it's easier
      for security-conscious users to recognize when a local application
      is knocking on their controller door. Suggested by bug 1196.
327
328
329
330
    - New config option "CircuitStreamTimeout" to override our internal
      timeout schedule for how many seconds until we detach a stream from
      a circuit and try a new circuit. If your network is particularly
      slow, you might want to set this to a number like 60.
331
332
333
    - New controller command "getinfo config-text". It returns the
      contents that Tor would write if you send it a SAVECONF command,
      so the controller can write the file to disk itself.
334
335
    - New options for SafeLogging to allow scrubbing only log messages
      generated while acting as a relay.
336
    - Ship the bridges spec file in the tarball too.
337
338
339
340
341
    - Avoid a mad rush at the beginning of each month when each client
      rotates half of its guards. Instead we spread the rotation out
      throughout the month, but we still avoid leaving a precise timestamp
      in the state file about when we first picked the guard. Improves
      over the behavior introduced in 0.1.2.17.
342

343
  o Minor bugfixes (compiling):
344
    - Fix compilation on OS X 10.3, which has a stub mlockall() but
Roger Dingledine's avatar
Roger Dingledine committed
345
      hides it. Bugfix on 0.2.2.6-alpha.
346
347
    - Fix compilation on Solaris by removing support for the
      DisableAllSwap config option. Solaris doesn't have an rlimit for
348
349
350
351
      mlockall, so we cannot use it safely. Fixes bug 1198; bugfix on
      0.2.2.6-alpha.

  o Minor bugfixes (crashes):
352
353
354
    - Do not segfault when writing buffer stats when we haven't observed
      a single circuit to report about. Found by Fabian Lanze. Bugfix on
      0.2.2.1-alpha.
355
356
357
358
    - If we're in the pathological case where there's no exit bandwidth
      but there is non-exit bandwidth, or no guard bandwidth but there
      is non-guard bandwidth, don't crash during path selection. Bugfix
      on 0.2.0.3-alpha.
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
    - Fix an impossible-to-actually-trigger buffer overflow in relay
      descriptor generation. Bugfix on 0.1.0.15.

  o Minor bugfixes (privacy):
    - Fix an instance where a Tor directory mirror might accidentally
      log the IP address of a misbehaving Tor client. Bugfix on
      0.1.0.1-rc.
    - Don't list Windows capabilities in relay descriptors. We never made
      use of them, and maybe it's a bad idea to publish them. Bugfix
      on 0.1.1.8-alpha.

  o Minor bugfixes (other):
    - Resolve an edge case in path weighting that could make us misweight
      our relay selection. Fixes bug 1203; bugfix on 0.0.8rc1.
    - Fix statistics on client numbers by country as seen by bridges that
      were broken in 0.2.2.1-alpha. Also switch to reporting full 24-hour
      intervals instead of variable 12-to-48-hour intervals.
    - After we free an internal connection structure, overwrite it
      with a different memory value than we use for overwriting a freed
      internal circuit structure. Should help with debugging. Suggested
      by bug 1055.
    - Update our OpenSSL 0.9.8l fix so that it works with OpenSSL 0.9.8m
      too.
Roger Dingledine's avatar
Roger Dingledine committed
382

383
384
385
386
387
  o Removed features:
    - Remove the HSAuthorityRecordStats option that version 0 hidden
      service authorities could have used to track statistics of overall
      hidden service usage.

Nick Mathewson's avatar
Nick Mathewson committed
388

389
Changes in version 0.2.1.22 - 2010-01-19
390
391
392
393
394
  Tor 0.2.1.22 fixes a critical privacy problem in bridge directory
  authorities -- it would tell you its whole history of bridge descriptors
  if you make the right directory request. This stable update also
  rotates two of the seven v3 directory authority keys and locations.

395
396
397
398
  o Directory authority changes:
    - Rotate keys (both v3 identity and relay identity) for moria1
      and gabelmoo.

399
400
401
402
403
404
  o Major bugfixes:
    - Stop bridge directory authorities from answering dbg-stability.txt
      directory queries, which would let people fetch a list of all
      bridge identities they track. Bugfix on 0.2.1.6-alpha.


405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
Changes in version 0.2.1.21 - 2009-12-21
  Tor 0.2.1.21 fixes an incompatibility with the most recent OpenSSL
  library. If you use Tor on Linux / Unix and you're getting SSL
  renegotiation errors, upgrading should help. We also recommend an
  upgrade if you're an exit relay.

  o Major bugfixes:
    - Work around a security feature in OpenSSL 0.9.8l that prevents our
      handshake from working unless we explicitly tell OpenSSL that we
      are using SSL renegotiation safely. We are, of course, but OpenSSL
      0.9.8l won't work unless we say we are.
    - Avoid crashing if the client is trying to upload many bytes and the
      circuit gets torn down at the same time, or if the flip side
      happens on the exit relay. Bugfix on 0.2.0.1-alpha; fixes bug 1150.

  o Minor bugfixes:
    - Do not refuse to learn about authority certs and v2 networkstatus
      documents that are older than the latest consensus. This bug might
      have degraded client bootstrapping. Bugfix on 0.2.0.10-alpha.
      Spotted and fixed by xmux.
    - Fix a couple of very-hard-to-trigger memory leaks, and one hard-to-
      trigger platform-specific option misparsing case found by Coverity
      Scan.
    - Fix a compilation warning on Fedora 12 by removing an impossible-to-
      trigger assert. Fixes bug 1173.


Roger Dingledine's avatar
Roger Dingledine committed
432
Changes in version 0.2.2.6-alpha - 2009-11-19
433
434
435
436
437
438
  Tor 0.2.2.6-alpha lays the groundwork for many upcoming features:
  support for the new lower-footprint "microdescriptor" directory design,
  future-proofing our consensus format against new hash functions or
  other changes, and an Android port. It also makes Tor compatible with
  the upcoming OpenSSL 0.9.8l release, and fixes a variety of bugs.

439
  o Major features:
440
    - Directory authorities can now create, vote on, and serve multiple
441
      parallel formats of directory data as part of their voting process.
442
443
444
445
446
447
448
449
      Partially implements Proposal 162: "Publish the consensus in
      multiple flavors".
    - Directory authorities can now agree on and publish small summaries
      of router information that clients can use in place of regular
      server descriptors. This transition will eventually allow clients
      to use far less bandwidth for downloading information about the
      network. Begins the implementation of Proposal 158: "Clients
      download consensus + microdescriptors".
450
    - The directory voting system is now extensible to use multiple hash
451
452
453
      algorithms for signatures and resource selection. Newer formats
      are signed with SHA256, with a possibility for moving to a better
      hash algorithm in the future.
454
    - New DisableAllSwap option. If set to 1, Tor will attempt to lock all
455
456
457
458
459
460
461
462
      current and future memory pages via mlockall(). On supported
      platforms (modern Linux and probably BSD but not Windows or OS X),
      this should effectively disable any and all attempts to page out
      memory. This option requires that you start your Tor as root --
      if you use DisableAllSwap, please consider using the User option
      to properly reduce the privileges of your Tor.
    - Numerous changes, bugfixes, and workarounds from Nathan Freitas
      to help Tor build correctly for Android phones.
463

464
465
  o Major bugfixes:
    - Work around a security feature in OpenSSL 0.9.8l that prevents our
466
467
468
      handshake from working unless we explicitly tell OpenSSL that we
      are using SSL renegotiation safely. We are, but OpenSSL 0.9.8l
      won't work unless we say we are.
469

470
471
  o Minor bugfixes:
    - Fix a crash bug when trying to initialize the evdns module in
472
      Libevent 2. Bugfix on 0.2.1.16-rc.
473
474
475
476
    - Stop logging at severity 'warn' when some other Tor client tries
      to establish a circuit with us using weak DH keys. It's a protocol
      violation, but that doesn't mean ordinary users need to hear about
      it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
477
    - Do not refuse to learn about authority certs and v2 networkstatus
478
479
      documents that are older than the latest consensus. This bug might
      have degraded client bootstrapping. Bugfix on 0.2.0.10-alpha.
480
      Spotted and fixed by xmux.
481
    - Fix numerous small code-flaws found by Coverity Scan Rung 3.
Karsten Loesing's avatar
Karsten Loesing committed
482
483
484
485
    - If all authorities restart at once right before a consensus vote,
      nobody will vote about "Running", and clients will get a consensus
      with no usable relays. Instead, authorities refuse to build a
      consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
Karsten Loesing's avatar
Karsten Loesing committed
486
487
488
    - If your relay can't keep up with the number of incoming create
      cells, it would log one warning per failure into your logs. Limit
      warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
489
490
    - Bridges now use "reject *:*" as their default exit policy. Bugfix
      on 0.2.0.3-alpha; fixes bug 1113.
491
492
    - Fix a memory leak on directory authorities during voting that was
      introduced in 0.2.2.1-alpha. Found via valgrind.
493

494

495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
Changes in version 0.2.1.20 - 2009-10-15
  Tor 0.2.1.20 fixes a crash bug when you're accessing many hidden
  services at once, prepares for more performance improvements, and
  fixes a bunch of smaller bugs.

  The Windows and OS X bundles also include a more recent Vidalia,
  and switch from Privoxy to Polipo.

  The OS X installers are now drag and drop. It's best to un-install
  Tor/Vidalia and then install this new bundle, rather than upgrade. If
  you want to upgrade, you'll need to update the paths for Tor and Polipo
  in the Vidalia Settings window.

  o Major bugfixes:
    - Send circuit or stream sendme cells when our window has decreased
      by 100 cells, not when it has decreased by 101 cells. Bug uncovered
      by Karsten when testing the "reduce circuit window" performance
      patch. Bugfix on the 54th commit on Tor -- from July 2002,
      before the release of Tor 0.0.0. This is the new winner of the
      oldest-bug prize.
    - Fix a remotely triggerable memory leak when a consensus document
      contains more than one signature from the same voter. Bugfix on
      0.2.0.3-alpha.
    - Avoid segfault in rare cases when finishing an introduction circuit
      as a client and finding out that we don't have an introduction key
      for it. Fixes bug 1073. Reported by Aaron Swartz.

  o Major features:
    - Tor now reads the "circwindow" parameter out of the consensus,
      and uses that value for its circuit package window rather than the
      default of 1000 cells. Begins the implementation of proposal 168.

  o New directory authorities:
    - Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
      authority.
    - Move moria1 and tonga to alternate IP addresses.

  o Minor bugfixes:
    - Fix a signed/unsigned compile warning in 0.2.1.19.
    - Fix possible segmentation fault on directory authorities. Bugfix on
      0.2.1.14-rc.
    - Fix an extremely rare infinite recursion bug that could occur if
      we tried to log a message after shutting down the log subsystem.
      Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
    - Fix an obscure bug where hidden services on 64-bit big-endian
      systems might mis-read the timestamp in v3 introduce cells, and
      refuse to connect back to the client. Discovered by "rotor".
      Bugfix on 0.2.1.6-alpha.
    - We were triggering a CLOCK_SKEW controller status event whenever
      we connect via the v2 connection protocol to any relay that has
      a wrong clock. Instead, we should only inform the controller when
      it's a trusted authority that claims our clock is wrong. Bugfix
      on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
    - We were telling the controller about CHECKING_REACHABILITY and
      REACHABILITY_FAILED status events whenever we launch a testing
      circuit or notice that one has failed. Instead, only tell the
      controller when we want to inform the user of overall success or
      overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
      by SwissTorExit.
    - Don't warn when we're using a circuit that ends with a node
      excluded in ExcludeExitNodes, but the circuit is not used to access
      the outside world. This should help fix bug 1090. Bugfix on
      0.2.1.6-alpha.
    - Work around a small memory leak in some versions of OpenSSL that
      stopped the memory used by the hostname TLS extension from being
      freed.

  o Minor features:
    - Add a "getinfo status/accepted-server-descriptor" controller
      command, which is the recommended way for controllers to learn
      whether our server descriptor has been successfully received by at
      least on directory authority. Un-recommend good-server-descriptor
      getinfo and status events until we have a better design for them.


570
Changes in version 0.2.2.5-alpha - 2009-10-11
571
572
  Tor 0.2.2.5-alpha fixes a few compile problems in 0.2.2.4-alpha.

573
574
575
576
577
578
579
  o Major bugfixes:
    - Make the tarball compile again. Oops. Bugfix on 0.2.2.4-alpha.

  o New directory authorities:
    - Move dizum to an alternate IP address.


Roger Dingledine's avatar
Roger Dingledine committed
580
Changes in version 0.2.2.4-alpha - 2009-10-10
581
582
583
584
585
  Tor 0.2.2.4-alpha fixes more crash bugs in 0.2.2.2-alpha. It also
  introduces a new unit test framework, shifts directry authority
  addresses around to reduce the impact from recent blocking events,
  and fixes a few smaller bugs.

586
  o Major bugfixes:
587
588
589
590
    - Fix several more asserts in the circuit_build_times code, for
      example one that causes Tor to fail to start once we have
      accumulated 5000 build times in the state file. Bugfixes on
      0.2.2.2-alpha; fixes bug 1108.
591

592
  o New directory authorities:
593
    - Move moria1 and Tonga to alternate IP addresses.
594

595
596
  o Minor features:
    - Log SSL state transitions at debug level during handshake, and
597
598
      include SSL states in error messages. This may help debug future
      SSL handshake issues.
599
600
    - Add a new "Handshake" log domain for activities that happen
      during the TLS handshake.
601
602
    - Revert to the "June 3 2009" ip-to-country file. The September one
      seems to have removed most US IP addresses.
603
604
605
    - Directory authorities now reject Tor relays with versions less than
      0.1.2.14. This step cuts out four relays from the current network,
      none of which are very big.
606

607
608
609
  o Minor bugfixes:
    - Fix a couple of smaller issues with gathering statistics. Bugfixes
      on 0.2.2.1-alpha.
Sebastian Hahn's avatar
Sebastian Hahn committed
610
    - Fix two memory leaks in the error case of
611
      circuit_build_times_parse_state(). Bugfix on 0.2.2.2-alpha.
612
613
614
    - Don't count one-hop circuits when we're estimating how long it
      takes circuits to build on average. Otherwise we'll set our circuit
      build timeout lower than we should. Bugfix on 0.2.2.2-alpha.
615
    - Directory authorities no longer change their opinion of, or vote on,
Roger Dingledine's avatar
Roger Dingledine committed
616
617
618
      whether a router is Running, unless they have themselves been
      online long enough to have some idea. Bugfix on 0.2.0.6-alpha.
      Fixes bug 1023.
619

620
621
622
  o Code simplifications and refactoring:
    - Revise our unit tests to use the "tinytest" framework, so we
      can run tests in their own processes, have smarter setup/teardown
623
      code, and so on. The unit test code has moved to its own
624
625
      subdirectory, and has been split into multiple modules.

626

627
Changes in version 0.2.2.3-alpha - 2009-09-23
628
629
  Tor 0.2.2.3-alpha fixes a few crash bugs in 0.2.2.2-alpha.

630
631
  o Major bugfixes:
    - Fix an overzealous assert in our new circuit build timeout code.
632
      Bugfix on 0.2.2.2-alpha; fixes bug 1103.
633

634
635
636
  o Minor bugfixes:
    - If the networkstatus consensus tells us that we should use a
      negative circuit package window, ignore it. Otherwise we'll
637
      believe it and then trigger an assert. Bugfix on 0.2.2.2-alpha.
638

639

Roger Dingledine's avatar
Roger Dingledine committed
640
Changes in version 0.2.2.2-alpha - 2009-09-21
641
642
643
644
645
646
  Tor 0.2.2.2-alpha introduces our latest performance improvement for
  clients: Tor tracks the average time it takes to build a circuit, and
  avoids using circuits that take too long to build. For fast connections,
  this feature can cut your expected latency in half. For slow or flaky
  connections, it could ruin your Tor experience. Let us know if it does!

647
  o Major features:
648
649
650
651
652
653
654
655
656
657
658
659
    - Tor now tracks how long it takes to build client-side circuits
      over time, and adapts its timeout to local network performance.
      Since a circuit that takes a long time to build will also provide
      bad performance, we get significant latency improvements by
      discarding the slowest 20% of circuits. Specifically, Tor creates
      circuits more aggressively than usual until it has enough data
      points for a good timeout estimate. Implements proposal 151.
      We are especially looking for reports (good and bad) from users with
      both EDGE and broadband connections that can move from broadband
      to EDGE and find out if the build-time data in the .tor/state gets
      reset without loss of Tor usability. You should also see a notice
      log message telling you that Tor has reset its timeout.
660
661
662
    - Directory authorities can now vote on arbitary integer values as
      part of the consensus process. This is designed to help set
      network-wide parameters. Implements proposal 167.
663
664
665
    - Tor now reads the "circwindow" parameter out of the consensus,
      and uses that value for its circuit package window rather than the
      default of 1000 cells. Begins the implementation of proposal 168.
666

667
668
669
670
671
  o Major bugfixes:
    - Fix a remotely triggerable memory leak when a consensus document
      contains more than one signature from the same voter. Bugfix on
      0.2.0.3-alpha.

672
673
674
675
  o Minor bugfixes:
    - Fix an extremely rare infinite recursion bug that could occur if
      we tried to log a message after shutting down the log subsystem.
      Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
676
    - Fix parsing for memory or time units given without a space between
677
      the number and the unit. Bugfix on 0.2.2.1-alpha; fixes bug 1076.
678
679
    - A networkstatus vote must contain exactly one signature. Spec
      conformance issue. Bugfix on 0.2.0.3-alpha.
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
    - Fix an obscure bug where hidden services on 64-bit big-endian
      systems might mis-read the timestamp in v3 introduce cells, and
      refuse to connect back to the client. Discovered by "rotor".
      Bugfix on 0.2.1.6-alpha.
    - We were triggering a CLOCK_SKEW controller status event whenever
      we connect via the v2 connection protocol to any relay that has
      a wrong clock. Instead, we should only inform the controller when
      it's a trusted authority that claims our clock is wrong. Bugfix
      on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
    - We were telling the controller about CHECKING_REACHABILITY and
      REACHABILITY_FAILED status events whenever we launch a testing
      circuit or notice that one has failed. Instead, only tell the
      controller when we want to inform the user of overall success or
      overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
      by SwissTorExit.
    - Don't warn when we're using a circuit that ends with a node
      excluded in ExcludeExitNodes, but the circuit is not used to access
Roger Dingledine's avatar
Roger Dingledine committed
697
698
      the outside world. This should help fix bug 1090, but more problems
      remain. Bugfix on 0.2.1.6-alpha.
699
700
701
    - Work around a small memory leak in some versions of OpenSSL that
      stopped the memory used by the hostname TLS extension from being
      freed.
702
703
704
    - Make our 'torify' script more portable; if we have only one of
      'torsocks' or 'tsocks' installed, don't complain to the user;
      and explain our warning about tsocks better.
705
706
707
708
709
710
711

  o Minor features:
    - Add a "getinfo status/accepted-server-descriptor" controller
      command, which is the recommended way for controllers to learn
      whether our server descriptor has been successfully received by at
      least on directory authority. Un-recommend good-server-descriptor
      getinfo and status events until we have a better design for them.
712
    - Update to the "September 4 2009" ip-to-country file.
713
714


715
Changes in version 0.2.2.1-alpha - 2009-08-26
716
717
718
719
720
  Tor 0.2.2.1-alpha disables ".exit" address notation by default, allows
  Tor clients to bootstrap on networks where only port 80 is reachable,
  makes it more straightforward to support hardware crypto accelerators,
  and starts the groundwork for gathering stats safely at relays.

721
722
723
724
725
726
  o Security fixes:
    - Start the process of disabling ".exit" address notation, since it
      can be used for a variety of esoteric application-level attacks
      on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
      on 0.0.9rc5.

727
728
729
730
  o New directory authorities:
    - Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
      authority.

731
  o Major features:
732
733
734
735
736
737
738
739
740
741
742
743
744
    - New AccelName and AccelDir options add support for dynamic OpenSSL
      hardware crypto acceleration engines.
    - Tor now supports tunneling all of its outgoing connections over
      a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy
      configuration options. Code by Christopher Davis.

  o Major bugfixes:
    - Send circuit or stream sendme cells when our window has decreased
      by 100 cells, not when it has decreased by 101 cells. Bug uncovered
      by Karsten when testing the "reduce circuit window" performance
      patch. Bugfix on the 54th commit on Tor -- from July 2002,
      before the release of Tor 0.0.0. This is the new winner of the
      oldest-bug prize.
745

746
  o New options for gathering stats safely:
747
748
749
750
751
752
753
    - Directories that set "DirReqStatistics 1" write statistics on
      directory request to disk every 24 hours. As compared to the
      --enable-geoip-stats flag in 0.2.1.x, there are a few improvements:
      1) stats are written to disk exactly every 24 hours; 2) estimated
      shares of v2 and v3 requests are determined as mean values, not at
      the end of a measurement period; 3) unresolved requests are listed
      with country code '??'; 4) directories also measure download times.
754
755
756
    - Exit nodes that set "ExitPortStatistics 1" write statistics on the
      number of exit streams and transferred bytes per port to disk every
      24 hours.
757
758
759
760
761
    - Relays that set "CellStatistics 1" write statistics on how long
      cells spend in their circuit queues to disk every 24 hours.
    - Entry nodes that set "EntryStatistics 1" write statistics on the
      rough number and origins of connecting clients to disk every 24
      hours.
762
763
764
    - Relays that write any of the above statistics to disk and set
      "ExtraInfoStatistics 1" include the past 24 hours of statistics in
      their extra-info documents.
765

766
  o Minor features:
767
768
    - New --digests command-line switch to output the digests of the
      source files Tor was built with.
769
    - The "torify" script now uses torsocks where available.
770
    - The memarea code now uses a sentinel value at the end of each area
771
      to make sure nothing writes beyond the end of an area. This might
772
      help debug some conceivable causes of bug 930.
773
    - Time and memory units in the configuration file can now be set to
774
      fractional units. For example, "2.5 GB" is now a valid value for
775
      AccountingMax.
776
777
778
779
780
781
    - Certain Tor clients (such as those behind check.torproject.org) may
      want to fetch the consensus in an extra early manner. To enable this
      a user may now set FetchDirInfoExtraEarly to 1. This also depends on
      setting FetchDirInfoEarly to 1. Previous behavior will stay the same
      as only certain clients who must have this information sooner should
      set this option.
782
783
    - Instead of adding the svn revision to the Tor version string, report
      the git commit (when we're building from a git checkout).
784

785
786
787
788
  o Minor bugfixes:
    - If any the v3 certs we download are unparseable, we should actually
      notice the failure so we don't retry indefinitely. Bugfix on
      0.2.0.x; reported by "rotator".
789
    - If the cached cert file is unparseable, warn but don't exit.
790
791
    - Fix possible segmentation fault on directory authorities. Bugfix on
      0.2.1.14-rc.
792
793
    - When Tor fails to parse a descriptor of any kind, dump it to disk.
      Might help diagnosing bug 1051.
794

795
796
  o Deprecated and removed features:
    - The controller no longer accepts the old obsolete "addr-mappings/"
797
      or "unregistered-servers-" GETINFO values.
Karsten Loesing's avatar
Karsten Loesing committed
798
    - Hidden services no longer publish version 0 descriptors, and clients
799
800
801
      do not request or use version 0 descriptors. However, the old hidden
      service authorities still accept and serve version 0 descriptors
      when contacted by older hidden services/clients.
802
803
804
    - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
      always on; using them is necessary for correct forward-compatible
      controllers.
805
806
807
    - Remove support for .noconnect style addresses. Nobody was using
      them, and they provided another avenue for detecting Tor users
      via application-level web tricks.
808

809
  o Packaging changes:
810
811
812
813
814
815
816
    - Upgrade Vidalia from 0.1.15 to 0.2.3 in the Windows and OS X
      installer bundles. See
      https://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.2.3/CHANGELOG
      for details of what's new in Vidalia 0.2.3.
    - Windows Vidalia Bundle: update Privoxy from 3.0.6 to 3.0.14-beta.
    - OS X Vidalia Bundle: move to Polipo 1.0.4 with Tor specific
      configuration file, rather than the old Privoxy.
817
    - OS X Vidalia Bundle: Vidalia, Tor, and Polipo are compiled as
818
      x86-only for better compatibility with OS X 10.6, aka Snow Leopard.
819
820
821
    - OS X Tor Expert Bundle: Tor is compiled as x86-only for
      better compatibility with OS X 10.6, aka Snow Leopard.
    - OS X Vidalia Bundle: The multi-package installer is now replaced
822
823
      by a simple drag and drop to the /Applications folder. This change
      occurred with the upgrade to Vidalia 0.2.3.
824

825

Roger Dingledine's avatar
Roger Dingledine committed
826
Changes in version 0.2.1.19 - 2009-07-28
827
828
829
  Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
  services on Tor 0.2.1.3-alpha through 0.2.1.18.

830
  o Major bugfixes:
831
832
833
    - Make accessing hidden services on 0.2.1.x work right again.
      Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
      part of patch provided by "optimist".
834

835
836
837
838
839
840
  o Minor features:
    - When a relay/bridge is writing out its identity key fingerprint to
      the "fingerprint" file and to its logs, write it without spaces. Now
      it will look like the fingerprints in our bridges documentation,
      and confuse fewer users.

841
  o Minor bugfixes:
842
843
844
845
    - Relays no longer publish a new server descriptor if they change
      their MaxAdvertisedBandwidth config option but it doesn't end up
      changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
      fixes bug 1026. Patch from Sebastian.
846
847
848
849
    - Avoid leaking memory every time we get a create cell but we have
      so many already queued that we refuse it. Bugfix on 0.2.0.19-alpha;
      fixes bug 1034. Reported by BarkerJr.

850

851
Changes in version 0.2.1.18 - 2009-07-24
852
853
854
855
856
857
  Tor 0.2.1.18 lays the foundations for performance improvements,
  adds status events to help users diagnose bootstrap problems, adds
  optional authentication/authorization for hidden services, fixes a
  variety of potential anonymity problems, and includes a huge pile of
  other features and bug fixes.

858
859
860
861
  o Build fixes:
    - Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.


862
Changes in version 0.2.1.17-rc - 2009-07-07
863
864
865
866
867
868
869
870
871
872
873
  Tor 0.2.1.17-rc marks the fourth -- and hopefully last -- release
  candidate for the 0.2.1.x series. It lays the groundwork for further
  client performance improvements, and also fixes a big bug with directory
  authorities that were causing them to assign Guard and Stable flags
  poorly.

  The Windows bundles also finally include the geoip database that we
  thought we'd been shipping since 0.2.0.x (oops), and the OS X bundles
  should actually install Torbutton rather than giving you a cryptic
  failure message (oops).

874
875
876
877
878
879
880
  o Major features:
    - Clients now use the bandwidth values in the consensus, rather than
      the bandwidth values in each relay descriptor. This approach opens
      the door to more accurate bandwidth estimates once the directory
      authorities start doing active measurements. Implements more of
      proposal 141.

881
  o Major bugfixes:
882
883
884
885
886
887
888
    - When Tor clients restart after 1-5 days, they discard all their
      cached descriptors as too old, but they still use the cached
      consensus document. This approach is good for robustness, but
      bad for performance: since they don't know any bandwidths, they
      end up choosing at random rather than weighting their choice by
      speed. Fixed by the above feature of putting bandwidths in the
      consensus. Bugfix on 0.2.0.x.
889
890
891
892
893
894
895
896
897
    - Directory authorities were neglecting to mark relays down in their
      internal histories if the relays fall off the routerlist without
      ever being found unreachable. So there were relays in the histories
      that haven't been seen for eight months, and are listed as being
      up for eight months. This wreaked havoc on the "median wfu"
      and "median mtbf" calculations, in turn making Guard and Stable
      flags very wrong, hurting network performance. Fixes bugs 696 and
      969. Bugfix on 0.2.0.6-alpha.

898
899
  o Minor bugfixes:
    - Serve the DirPortFrontPage page even when we have been approaching
900
901
902
903
904
905
906
907
      our quotas recently. Fixes bug 1013; bugfix on 0.2.1.8-alpha.
    - The control port would close the connection before flushing long
      replies, such as the network consensus, if a QUIT command was issued
      before the reply had completed. Now, the control port flushes all
      pending replies before closing the connection. Also fixed a spurious
      warning when a QUIT command is issued after a malformed or rejected
      AUTHENTICATE command, but before the connection was closed. Patch
      by Marcus Griep. Bugfix on 0.2.0.x; fixes bugs 1015 and 1016.
908
909
    - When we can't find an intro key for a v2 hidden service descriptor,
      fall back to the v0 hidden service descriptor and log a bug message.
910
      Workaround for bug 1024.
911
912
    - Fix a log message that did not respect the SafeLogging option.
      Resolves bug 1027.
913

914
915
916
917
  o Minor features:
    - If we're a relay and we change our IP address, be more verbose
      about the reason that made us change. Should help track down
      further bugs for relays on dynamic IP addresses.
918

919

920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
Changes in version 0.2.0.35 - 2009-06-24
  o Security fix:
    - Avoid crashing in the presence of certain malformed descriptors.
      Found by lark, and by automated fuzzing.
    - Fix an edge case where a malicious exit relay could convince a
      controller that the client's DNS question resolves to an internal IP
      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.

  o Major bugfixes:
    - Finally fix the bug where dynamic-IP relays disappear when their
      IP address changes: directory mirrors were mistakenly telling
      them their old address if they asked via begin_dir, so they
      never got an accurate answer about their new address, so they
      just vanished after a day. For belt-and-suspenders, relays that
      don't set Address in their config now avoid using begin_dir for
      all direct connections. Should fix bugs 827, 883, and 900.
    - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
      that would occur on some exit nodes when DNS failures and timeouts
      occurred in certain patterns. Fix for bug 957.

  o Minor bugfixes:
    - When starting with a cache over a few days old, do not leak
      memory for the obsolete router descriptors in it. Bugfix on
      0.2.0.33; fixes bug 672.
    - Hidden service clients didn't use a cached service descriptor that
      was older than 15 minutes, but wouldn't fetch a new one either,
      because there was already one in the cache. Now, fetch a v2
      descriptor unless the same descriptor was added to the cache within
      the last 15 minutes. Fixes bug 997; reported by Marcus Griep.


Nick Mathewson's avatar
Nick Mathewson committed
951
Changes in version 0.2.1.16-rc - 2009-06-20
952
953
954
  Tor 0.2.1.16-rc speeds up performance for fast exit relays, and fixes
  a bunch of minor bugs.

955
956
957
958
959
  o Security fixes:
    - Fix an edge case where a malicious exit relay could convince a
      controller that the client's DNS question resolves to an internal IP
      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.

960
961
  o Major performance improvements (on 0.2.0.x):
    - Disable and refactor some debugging checks that forced a linear scan
962
963
964
      over the whole server-side DNS cache. These accounted for over 50%
      of CPU time on a relatively busy exit node's gprof profile. Found
      by Jacob.
965
966
967
    - Disable some debugging checks that appeared in exit node profile
      data.

968
969
  o Minor features:
    - Update to the "June 3 2009" ip-to-country file.
970
    - Do not have tor-resolve automatically refuse all .onion addresses;
971
      if AutomapHostsOnResolve is set in your torrc, this will work fine.
972

973
974
975
  o Minor bugfixes (on 0.2.0.x):
    - Log correct error messages for DNS-related network errors on
      Windows.
976
977
978
    - Fix a race condition that could cause crashes or memory corruption
      when running as a server with a controller listening for log
      messages.
979
    - Avoid crashing when we have a policy specified in a DirPolicy or
980
981
      SocksPolicy or ReachableAddresses option with ports set on it,
      and we re-load the policy. May fix bug 996.
Karsten Loesing's avatar
Karsten Loesing committed
982
983
984
985
986
    - Hidden service clients didn't use a cached service descriptor that
      was older than 15 minutes, but wouldn't fetch a new one either,
      because there was already one in the cache. Now, fetch a v2
      descriptor unless the same descriptor was added to the cache within
      the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
987

988
  o Minor bugfixes (on 0.2.1.x):
989
990
991
    - Don't warn users about low port and hibernation mix when they
      provide a *ListenAddress directive to fix that. Bugfix on
      0.2.1.15-rc.
992
993
    - When switching back and forth between bridge mode, do not start
      gathering GeoIP data until two hours have passed.
994
    - Do not complain that the user has requested an excluded node as
995
      an exit when the node is not really an exit. This could happen
996
997
      because the circuit was for testing, or an introduction point.
      Fix for bug 984.
998

999

1000
Changes in version 0.2.1.15-rc - 2009-05-25
For faster browsing, not all history is shown. View entire blame