ChangeLog 1.78 MB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
Changes in version 0.3.5.11 - 2020-07-09
  Tor 0.3.5.11 backports fixes from later tor releases, including several
  usability, portability, and reliability fixes.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor features (testing, backport from 0.4.3.4-rc):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler compatibility, backport from 0.4.3.5):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha):
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (key portability, backport from 0.4.3.4-rc):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Testing (CI, backport from 0.4.3.4-rc):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


Changes in version 0.4.2.8 - 2020-07-09
  Tor 0.4.2.8 backports various fixes from later releases, including
  several that affect usability and portability.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Major bugfixes (DoS defenses, bridges, pluggable transport, backport from 0.4.3.4-rc):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor feature (sendme, flow control, backport form 0.4.3.4-rc):
    - Default to sending SENDME version 1 cells. (Clients are already
      sending these, because of a consensus parameter telling them to do
      so: this change only affects what clients would do if the
      consensus didn't contain a recommendation.) Closes ticket 33623.

  o Minor features (diagnostic, backport from 0.4.3.3-alpha):
    - Improve assertions and add some memory-poisoning code to try to
      track down possible causes of a rare crash (32564) in the EWMA
      code. Closes ticket 33290.

  o Minor features (testing, backport from 0.4.3.4-rc):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (relay, configuration, backport from 0.4.3.3-alpha):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler compatibility, backport from 0.4.3.5):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
    - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
      on 0.4.0.3-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (controller protocol, backport from 0.4.3.2-alpha):
    - When receiving "ACTIVE" or "DORMANT" signals on the control port,
      report them as SIGNAL events. Previously we would log a bug
      warning. Fixes bug 33104; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (embedded Tor, backport from 0.4.3.1-alpha):
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (key portability, backport from 0.4.3.4-rc):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-rc):
    - When logging a bug, do not say "Future instances of this warning
      will be silenced" unless we are actually going to silence them.
      Previously we would say this whenever a BUG() check failed in the
      code. Fixes bug 33095; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.4-rc):
    - Flush stderr, stdout, and file logs during shutdown, if supported
      by the OS. This change helps make sure that any final logs are
      recorded. Fixes bug 33087; bugfix on 0.4.1.6.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client, backport from 0.4.3.3-alpha):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Testing (CI, backport from 0.4.3.4-rc):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


Changes in version 0.4.3.6 - 2020-07-09
  Tor 0.4.3.6 backports several bugfixes from later releases, including
  some affecting usability.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security, backport from 0.4.4.2-alpha):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Minor bugfix (CI, Windows, backport from 0.4.4.2-alpha):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfixes (client performance, backport from 0.4.4.1-alpha):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (compiler warnings, backport from 0.4.4.2-alpha):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (linux seccomp sandbox, nss, backport from 0.4.4.1-alpha):
    - Fix a startup crash when tor is compiled with --enable-nss and
      sandbox support is enabled. Fixes bug 34130; bugfix on
      0.3.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (logging, backport from 0.4.4.2-alpha):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (manual page, backport from 0.4.4.1-alpha):
    - Update the man page to reflect that MinUptimeHidServDirectoryV2
      defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, backport from 0.4.4.1-alpha):
    - Prevent an assert() that would occur when cleaning the client
      descriptor cache, and attempting to close circuits for a non-
      decrypted descriptor (lacking client authorization). Fixes bug
      33458; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (portability, backport from 0.4.4.1-alpha):
    - Fix a portability error in the configure script, where we were
      using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5.

  o Minor bugfixes (relays, backport from 0.4.4.1-alpha):
    - Stop advertising incorrect IPv6 ORPorts in relay and bridge
      descriptors, when the IPv6 port was configured as "auto". Fixes
      bug 32588; bugfix on 0.2.3.9-alpha.

  o Documentation (backport from 0.4.4.1-alpha):
    - Fix several doxygen warnings related to imbalanced groups. Closes
      ticket 34255.


Changes in version 0.4.4.2-alpha - 2020-07-09
  This is the second alpha release in the 0.4.4.x series. It fixes a few
  bugs in the previous release, and solves a few usability,
  compatibility, and portability issues.

  This release also fixes TROVE-2020-001, a medium-severity denial of
  service vulnerability affecting all versions of Tor when compiled with
  the NSS encryption library. (This is not the default configuration.)
  Using this vulnerability, an attacker could cause an affected Tor
  instance to crash remotely. This issue is also tracked as CVE-2020-
  15572. Anybody running a version of Tor built with the NSS library
  should upgrade to 0.3.5.11, 0.4.2.8, 0.4.3.6, or 0.4.4.2-alpha
  or later.

  o Major bugfixes (NSS, security):
    - Fix a crash due to an out-of-bound memory access when Tor is
      compiled with NSS support. Fixes bug 33119; bugfix on
      0.3.5.1-alpha. This issue is also tracked as TROVE-2020-001
      and CVE-2020-15572.

  o Minor features (bootstrap reporting):
    - Report more detailed reasons for bootstrap failure when the
      failure happens due to a TLS error. Previously we would just call
      these errors "MISC" when they happened during read, and "DONE"
      when they happened during any other TLS operation. Closes
      ticket 32622.

  o Minor features (directory authority):
    - Authorities now recommend the protocol versions that are supported
      by Tor 0.3.5 and later. (Earlier versions of Tor have been
      deprecated since January of this year.) This recommendation will
      cause older clients and relays to give a warning on startup, or
      when they download a consensus directory. Closes ticket 32696.

  o Minor features (entry guards):
    - Reinstate support for GUARD NEW/UP/DOWN control port events.
      Closes ticket 40001.

  o Minor features (linux seccomp2 sandbox, portability):
    - Allow Tor to build on platforms where it doesn't know how to
      report which syscall caused the linux seccomp2 sandbox to fail.
      This change should make the sandbox code more portable to less
      common Linux architectures. Closes ticket 34382.
    - Permit the unlinkat() syscall, which some Libc implementations use
      to implement unlink(). Closes ticket 33346.

  o Minor bugfix (CI, Windows):
    - Use the correct 64-bit printf format when compiling with MINGW on
      Appveyor. Fixes bug 40026; bugfix on 0.3.5.5-alpha.

  o Minor bugfix (onion service v3 client):
    - Remove a BUG() warning that could occur naturally. Fixes bug
      34087; bugfix on 0.3.2.1-alpha.

  o Minor bugfix (SOCKS, onion service client):
    - Detect v3 onion service addresses of the wrong length when
      returning the F6 ExtendedErrors code. Fixes bug 33873; bugfix
      on 0.4.3.1-alpha.

  o Minor bugfixes (compiler warnings):
    - Fix a compiler warning on platforms with 32-bit time_t values.
      Fixes bug 40028; bugfix on 0.3.2.8-rc.

  o Minor bugfixes (control port, onion service):
    - Consistently use 'address' in "Invalid v3 address" response to
      ONION_CLIENT_AUTH commands. Previously, we would sometimes say
      'addr'. Fixes bug 40005; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (logging):
    - Downgrade a noisy log message that could occur naturally when
      receiving an extrainfo document that we no longer want. Fixes bug
      16016; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion services v3):
    - Avoid a non-fatal assertion failure in certain edge-cases when
      opening an intro circuit as a client. Fixes bug 34084; bugfix
      on 0.3.2.1-alpha.

  o Deprecated features (onion service v2):
    - Add a deprecation warning for version 2 onion services. Closes
      ticket 40003.

  o Removed features (IPv6, revert):
    - Revert the change in the default value of ClientPreferIPv6OrPort:
      it breaks the torsocks use case. The SOCKS resolve command has no
      mechanism to ask for a specific address family (v4 or v6), and so
      prioritizing IPv6 when an IPv4 address is requested on the SOCKS
      interface resulted in a failure. Tor Browser explicitly sets
      PreferIPv6, so this should not affect the majority of our users.
      Closes ticket 33796; bugfix on 0.4.4.1-alpha.


379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
Changes in version 0.4.4.1-alpha - 2020-06-16
  This is the first alpha release in the 0.4.4.x series.  It improves
  our guard selection algorithms, improves the amount of code that
  can be disabled when running without relay support, and includes numerous
  small bugfixes and enhancements.  It also lays the ground for some IPv6
  features that we'll be developing more in the next (0.4.5) series.

  Here are the changes since 0.4.3.5.

  o Major features (Proposal 310, performance + security):
    - Implements Proposal 310, "Bandaid on guard selection". Proposal
      310 solves load-balancing issues with older versions of the guard
      selection algorithm, and improves its security. Under this new
      algorithm, a newly selected guard never becomes Primary unless all
      previously sampled guards are unreachable. Implements
      recommendation from 32088. (Proposal 310 is linked to the CLAPS
      project researching optimal client location-aware path selections.
      This project is a collaboration between the UCLouvain Crypto Group,
      the U.S. Naval Research Laboratory, and Princeton University.)

  o Major features (IPv6, relay):
    - Consider IPv6-only EXTEND2 cells valid on relays. Log a protocol
      warning if the IPv4 or IPv6 address is an internal address, and
      internal addresses are not allowed. But continue to use the other
      address, if it is valid. Closes ticket 33817.
    - If a relay can extend over IPv4 and IPv6, and both addresses are
      provided, it chooses between them uniformly at random. Closes
      ticket 33817.
    - Re-use existing IPv6 connections for circuit extends. Closes
      ticket 33817.
    - Relays may extend circuits over IPv6, if the relay has an IPv6
      ORPort, and the client supplies the other relay's IPv6 ORPort in
      the EXTEND2 cell. IPv6 extends will be used by the relay IPv6
      ORPort self-tests in 33222. Closes ticket 33817.

  o Major features (v3 onion services):
    - Allow v3 onion services to act as OnionBalance backend instances,
      by using the HiddenServiceOnionBalanceInstance torrc option.
      Closes ticket 32709.

  o Minor feature (developer tools):
    - Add a script to help check the alphabetical ordering of option
      names in the manual page. Closes ticket 33339.

  o Minor feature (onion service client, SOCKS5):
    - Add 3 new SocksPort ExtendedErrors (F2, F3, F7) that reports back
      new type of onion service connection failures. The semantics of
      these error codes are documented in proposal 309. Closes
      ticket 32542.

  o Minor feature (onion service v3):
    - If a service cannot upload its descriptor(s), log why at INFO
      level. Closes ticket 33400; bugfix on 0.3.2.1-alpha.

  o Minor feature (python scripts):
    - Stop assuming that /usr/bin/python exists. Instead of using a
      hardcoded path in scripts that still use Python 2, use
      /usr/bin/env, similarly to the scripts that use Python 3. Fixes
      bug 33192; bugfix on 0.4.2.

  o Minor features (client-only compilation):
    - Disable more code related to the ext_orport protocol when
      compiling without support for relay mode. Closes ticket 33368.
    - Disable more of our self-testing code when support for relay mode
      is disabled. Closes ticket 33370.

  o Minor features (code safety):
    - Check for failures of tor_inet_ntop() and tor_inet_ntoa()
      functions in DNS and IP address processing code, and adjust
      codepaths to make them less likely to crash entire Tor instances.
      Resolves issue 33788.

  o Minor features (compilation size):
    - Most server-side DNS code is now disabled when building without
      support for relay mode. Closes ticket 33366.

  o Minor features (continuous integration):
    - Run unit-test and integration test (Stem, Chutney) jobs with
      ALL_BUGS_ARE_FATAL macro being enabled on Travis and Appveyor.
      Resolves ticket 32143.

  o Minor features (control port):
    - Return a descriptive error message from the 'GETINFO status/fresh-
      relay-descs' command on the control port. Previously, we returned
      a generic error of "Error generating descriptor". Closes ticket
      32873. Patch by Neel Chauhan.

  o Minor features (developer tooling):
    - Refrain from listing all .a files that are generated by the Tor
      build in .gitignore. Add a single wildcard *.a entry that covers
      all of them for present and future. Closes ticket 33642.
    - Add a script ("git-install-tools.sh") to install git hooks and
      helper scripts. Closes ticket 33451.

  o Minor features (directory authority, shared random):
    - Refactor more authority-only parts of the shared-random scheduling
      code to reside in the dirauth module, and to be disabled when
      compiling with --disable-module-dirauth. Closes ticket 33436.

  o Minor features (directory):
    - Remember the number of bytes we have downloaded for each directory
      purpose while bootstrapping, and while fully bootstrapped. Log
      this information as part of the heartbeat message. Closes
      ticket 32720.

  o Minor features (IPv6 support):
    - Adds IPv6 support to tor_addr_is_valid(). Adds tests for the above
      changes and tor_addr_is_null(). Closes ticket 33679. Patch
      by MrSquanchee.
    - Allow clients and relays to send dual-stack and IPv6-only EXTEND2
      cells. Parse dual-stack and IPv6-only EXTEND2 cells on relays.
      Closes ticket 33901.

  o Minor features (logging):
    - When trying to find our own address, add debug-level logging to
      report the sources of candidate addresses. Closes ticket 32888.

  o Minor features (testing, architecture):
    - Our test scripts now double-check that subsystem initialization
      order is consistent with the inter-module dependencies established
      by our .may_include files. Implements ticket 31634.
    - Initialize all subsystems at the beginning of our unit test
      harness, to avoid crashes due to uninitialized subsystems. Follow-
      up from ticket 33316.

  o Minor features (v3 onion services):
    - Add v3 onion service status to the dumpstats() call which is
      triggered by a SIGUSR1 signal. Previously, we only did v2 onion
      services. Closes ticket 24844. Patch by Neel Chauhan.

  o Minor features (windows):
    - Add support for console control signals like Ctrl+C in Windows.
      Closes ticket 34211. Patch from Damon Harris (TheDcoder).

  o Minor bugfix (onion service v3):
    - Prevent an assert() that would occur when cleaning the client
      descriptor cache, and attempting to close circuits for a non-
      decrypted descriptor (lacking client authorization). Fixes bug
      33458; bugfix on 0.4.2.1-alpha.

  o Minor bugfix (refactoring):
    - Lift circuit_build_times_disabled() out of the
      circuit_expire_building() loop, to save CPU time when there are
      many circuits open. Fixes bug 33977; bugfix on 0.3.5.9.

  o Minor bugfixes (client performance):
    - Resume use of preemptively-built circuits when UseEntryGuards is set
      to 0. We accidentally disabled this feature with that config
      setting, leading to slower load times. Fixes bug 34303; bugfix
      on 0.3.3.2-alpha.

  o Minor bugfixes (directory authorities):
    - Directory authorities now reject votes that arrive too late. In
      particular, once an authority has started fetching missing votes,
      it no longer accepts new votes posted by other authorities. This
      change helps prevent a consensus split, where only some authorities
      have the late vote. Fixes bug 4631; bugfix on 0.2.0.5-alpha.

  o Minor bugfixes (git scripts):
    - Stop executing the checked-out pre-commit hook from the pre-push
      hook. Instead, execute the copy in the user's git directory. Fixes
      bug 33284; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (initialization):
    - Initialize the subsystems in our code in an order more closely
      corresponding to their dependencies, so that every system is
      initialized before the ones that (theoretically) depend on it.
      Fixes bug 33316; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (IPv4, relay):
    - Check for invalid zero IPv4 addresses and ports when sending and
      receiving extend cells. Fixes bug 33900; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (IPv6, relay):
    - Consider IPv6 addresses when checking if a connection is
      canonical. In 17604, relays assumed that a remote relay could
      consider an IPv6 connection canonical, but did not set the
      canonical flag on their side of the connection. Fixes bug 33899;
      bugfix on 0.3.1.1-alpha.
    - Log IPv6 addresses on connections where this relay is the
      responder. Previously, responding relays would replace the remote
      IPv6 address with the IPv4 address from the consensus. Fixes bug
      33899; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (linux seccomp sandbox nss):
    - Fix a startup crash when tor is compiled with --enable-nss and
      sandbox support is enabled. Fixes bug 34130; bugfix on
      0.3.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (logging, testing):
    - Make all of tor's assertion macros support the ALL_BUGS_ARE_FATAL
      and DISABLE_ASSERTS_IN_UNIT_TESTS debugging modes. (IF_BUG_ONCE()
      used to log a non-fatal warning, regardless of the debugging
      mode.) Fixes bug 33917; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (logs):
    - Remove surprising empty line in the INFO-level log about circuit
      build timeout. Fixes bug 33531; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (mainloop):
    - Better guard against growing a buffer past its maximum 2GB in
      size. Fixes bug 33131; bugfix on 0.3.0.4-rc.

  o Minor bugfixes (manual page):
    - Update the man page to reflect that MinUptimeHidServDirectoryV2
      defaults to 96 hours. Fixes bug 34299; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (onion service v3, client):
    - Remove a BUG() that was causing a stacktrace when a descriptor
      changed at an unexpected time. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion service, logging):
    - Fix a typo in a log message PublishHidServDescriptors is set to 0.
      Fixes bug 33779; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (portability):
    - Fix a portability error in the configure script, where we were
      using "==" instead of "=". Fixes bug 34233; bugfix on 0.4.3.5.

  o Minor bugfixes (protocol versions):
    - Sort tor's supported protocol version lists, as recommended by the
      tor directory specification. Fixes bug 33285; bugfix
      on 0.4.0.1-alpha.

  o Minor bugfixes (relays):
    - Stop advertising incorrect IPv6 ORPorts in relay and bridge
      descriptors, when the IPv6 port was configured as "auto". Fixes
      bug 32588; bugfix on 0.2.3.9-alpha.

  o Code simplification and refactoring:
    - Define and use a new constant TOR_ADDRPORT_BUF_LEN which is like
      TOR_ADDR_BUF_LEN but includes enough space for an IP address,
      brackets, separating colon, and port number. Closes ticket 33956.
      Patch by Neel Chauhan.
    - Merge the orconn and ocirc events into the "core" subsystem, which
      manages or connections and origin circuits. Previously they were
      isolated in subsystems of their own.
    - Move LOG_PROTOCOL_WARN to app/config. Resolves a dependency
      inversion. Closes ticket 33633.
    - Move the circuit extend code to the relay module. Split the
      circuit extend function into smaller functions. Closes
      ticket 33633.
    - Rewrite port_parse_config() to use the default port flags from
      port_cfg_new(). Closes ticket 32994. Patch by MrSquanchee.
    - Updated comments in 'scheduler.c' to reflect old code changes, and
      simplified the scheduler channel state change code. Closes
      ticket 33349.

  o Documentation:
    - Document the limitations of using %include on config files with
      seccomp sandbox enabled. Fixes documentation bug 34133; bugfix on
      0.3.1.1-alpha. Patch by Daniel Pinto.
    - Fix several doxygen warnings related to imbalanced groups. Closes
      ticket 34255.

  o Removed features:
    - Remove the ClientAutoIPv6ORPort option. This option attempted to
      randomly choose between IPv4 and IPv6 for client connections, and
      wasn't a true implementation of Happy Eyeballs. Often, this option
      failed on IPv4-only or IPv6-only connections. Closes ticket 32905.
      Patch by Neel Chauhan.
    - Stop shipping contrib/dist/rc.subr file, as it is not being used
      on FreeBSD anymore. Closes issue 31576.

  o Testing:
    - Add a basic IPv6 test to "make test-network". This test only runs
      when the local machine has an IPv6 stack. Closes ticket 33300.
    - Add test-network-ipv4 and test-network-ipv6 jobs to the Makefile.
      These jobs run the IPv4-only and dual-stack chutney flavours from
      test-network-all. Closes ticket 33280.
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Run the test-network-ipv6 Makefile target in the Travis CI IPv6
      chutney job. This job runs on macOS, so it's a bit slow. Closes
      ticket 33303.
    - Sort the Travis jobs in order of speed. Putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - Test v3 onion services to tor's mixed IPv4 chutney network. And
      add a mixed IPv6 chutney network. These networks are used in the
      test-network-all, test-network-ipv4, and test-network-ipv6 make
      targets. Closes ticket 33334.
    - Use the "bridges+hs-v23" chutney network flavour in "make test-
      network". This test requires a recent version of chutney (mid-
      February 2020). Closes ticket 28208.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.

  o Code simplification and refactoring (onion service):
    - Refactor configuration parsing to use the new config subsystem
      code. Closes ticket 33014.

  o Code simplification and refactoring (relay address):
    - Move a series of functions related to address resolving into their
      own files. Closes ticket 33789.

  o Documentation (manual page):
    - Add cross reference links and a table of contents to the HTML tor
      manual page. Closes ticket 33369. Work by Swati Thacker as part of
      Google Season of Docs.
    - Alphabetize the Denial of Service Mitigation Options, Directory
      Authority Server Options, Hidden Service Options, and Testing
      Network Options sections of the tor(1) manual page. Closes ticket
      33275. Work by Swati Thacker as part of Google Season of Docs.
    - Refrain from mentioning nicknames in manpage section for MyFamily
      torrc option. Resolves issue 33417.
    - Updated the options set by TestingTorNetwork in the manual page.
      Closes ticket 33778.


692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
Changes in version 0.4.3.5 - 2020-05-15
  Tor 0.4.3.5 is the first stable release in the 0.4.3.x series. This
  series adds support for building without relay code enabled, and
  implements functionality needed for OnionBalance with v3 onion
  services. It includes significant refactoring of our configuration and
  controller functionality, and fixes numerous smaller bugs and
  performance issues.

  Per our support policy, we support each stable release series for nine
  months after its first stable release, or three months after the first
  stable release of the next series: whichever is longer. This means
  that 0.4.3.x will be supported until around February 2021--later, if
  0.4.4.x is later than anticipated.

  Note also that support for 0.4.1.x is about to end on May 20 of this
  year; 0.4.2.x will be supported until September 15. We still plan to
  continue supporting 0.3.5.x, our long-term stable series, until
  Feb 2022.

  Below are the changes since 0.4.3.4-rc. For a complete list of changes
  since 0.4.2.6, see the ReleaseNotes file.

  o Minor bugfixes (compiler compatibility):
    - Avoid compiler warnings from Clang 10 related to the use of GCC-
      style "/* falls through */" comments. Both Clang and GCC allow
      __attribute__((fallthrough)) instead, so that's what we're using
      now. Fixes bug 34078; bugfix on 0.3.1.3-alpha.
    - Fix compilation warnings with GCC 10.0.1. Fixes bug 34077; bugfix
      on 0.4.0.3-alpha.

  o Minor bugfixes (logging):
    - Stop truncating IPv6 addresses and ports in channel and connection
      logs. Fixes bug 33918; bugfix on 0.2.4.4-alpha.
    - Fix a logic error in a log message about whether an address was
      invalid. Previously, the code would never report that onion
      addresses were onion addresses. Fixes bug 34131; bugfix
      on 0.4.3.1-alpha.


731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
Changes in version 0.4.3.4-rc - 2020-04-13
  Tor 0.4.3.4-rc is the first release candidate in its series. It fixes
  several bugs from earlier versions, including one affecting DoS
  defenses on bridges using pluggable transports.

  o Major bugfixes (DoS defenses, bridges, pluggable transport):
    - Fix a bug that was preventing DoS defenses from running on bridges
      with a pluggable transport. Previously, the DoS subsystem was not
      given the transport name of the client connection, thus failed to
      find the GeoIP cache entry for that client address. Fixes bug
      33491; bugfix on 0.3.3.2-alpha.

  o Minor feature (sendme, flow control):
    - Default to sending SENDME version 1 cells. (Clients are already
      sending these, because of a consensus parameter telling them to do
      so: this change only affects what clients would do if the
      consensus didn't contain a recommendation.) Closes ticket 33623.

  o Minor features (testing):
    - The unit tests now support a "TOR_SKIP_TESTCASES" environment
      variable to specify a list of space-separated test cases that
      should not be executed. We will use this to disable certain tests
      that are failing on Appveyor because of mismatched OpenSSL
      libraries. Part of ticket 33643.

  o Minor bugfixes (--disable-module-relay):
    - Fix an assertion failure when Tor is built without the relay
      module, and then invoked with the "User" option. Fixes bug 33668;
      bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (--disable-module-relay,--disable-module-dirauth):
    - Set some output arguments in the relay and dirauth module stubs,
      to guard against future stub argument handling bugs like 33668.
      Fixes bug 33674; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (build system):
    - Correctly output the enabled module in the configure summary.
      Before that, the list shown was just plain wrong. Fixes bug 33646;
      bugfix on 0.4.3.2-alpha.

  o Minor bugfixes (client, IPv6):
    - Stop forcing all non-SocksPorts to prefer IPv6 exit connections.
      Instead, prefer IPv6 connections by default, but allow users to
      change their configs using the "NoPreferIPv6" port flag. Fixes bug
      33608; bugfix on 0.4.3.1-alpha.
    - Revert PreferIPv6 set by default on the SocksPort because it broke
      the torsocks use case. Tor doesn't have a way for an application
      to request the hostname to be resolved for a specific IP version,
      but torsocks requires that. Up until now, IPv4 was used by default
      so torsocks is expecting that, and can't handle a possible IPv6
      being returned. Fixes bug 33804; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (key portability):
    - When reading PEM-encoded key data, tolerate CRLF line-endings even
      if we are not running on Windows. Previously, non-Windows hosts
      would reject these line-endings in certain positions, making
      certain key files hard to move from one host to another. Fixes bug
      33032; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging):
    - Flush stderr, stdout, and file logs during shutdown, if supported
      by the OS. This change helps make sure that any final logs are
      recorded. Fixes bug 33087; bugfix on 0.4.1.6.
    - Stop closing stderr and stdout during shutdown. Closing these file
      descriptors can hide sanitiser logs. Fixes bug 33087; bugfix
      on 0.4.1.6.

  o Minor bugfixes (onion services v3):
    - Relax severity of a log message that can appear naturally when
      decoding onion service descriptors as a relay. Also add some
      diagnostics to debug any future bugs in that area. Fixes bug
      31669; bugfix on 0.3.0.1-alpha.
    - Block a client-side assertion by disallowing the registration of
      an x25519 client auth key that's all zeroes. Fixes bug 33545;
      bugfix on 0.4.3.1-alpha. Based on patch from "cypherpunks".

  o Code simplification and refactoring:
    - Disable our coding standards best practices tracker in our git
      hooks. (0.4.3 branches only.) Closes ticket 33678.

  o Testing:
    - Avoid conflicts between the fake sockets in tor's unit tests, and
      real file descriptors. Resolves issues running unit tests with
      GitHub Actions, where the process that embeds or launches the
      tests has already opened a large number of file descriptors. Fixes
      bug 33782; bugfix on 0.2.8.1-alpha. Found and fixed by
      Putta Khunchalee.

  o Testing (CI):
    - In our Appveyor Windows CI, copy required DLLs to test and app
      directories, before running tor's tests. This ensures that tor.exe
      and test*.exe use the correct version of each DLL. This fix is not
      required, but we hope it will avoid DLL search issues in future.
      Fixes bug 33673; bugfix on 0.3.4.2-alpha.
    - On Appveyor, skip the crypto/openssl_version test, which is
      failing because of a mismatched library installation. Fix
      for 33643.


830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Changes in version 0.4.3.3-alpha - 2020-03-18
  Tor 0.4.3.3-alpha fixes several bugs in previous releases, including
  TROVE-2020-002, a major denial-of-service vulnerability that affected
  all released Tor instances since 0.2.1.5-alpha. Using this
  vulnerability, an attacker could cause Tor instances to consume a huge
  amount of CPU, disrupting their operations for several seconds or
  minutes. This attack could be launched by anybody against a relay, or
  by a directory cache against any client that had connected to it. The
  attacker could launch this attack as much as they wanted, thereby
  disrupting service or creating patterns that could aid in traffic
  analysis. This issue was found by OSS-Fuzz, and is also tracked
  as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Major bugfixes (directory authority):
    - Directory authorities will now send a 503 (not enough bandwidth)
      code to clients when under bandwidth pressure. Known relays and
      other authorities will always be answered regardless of the
      bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.

  o Minor features (diagnostic):
    - Improve assertions and add some memory-poisoning code to try to
      track down possible causes of a rare crash (32564) in the EWMA
      code. Closes ticket 33290.

  o Minor features (directory authorities):
    - Directory authorities now reject descriptors from relays running
      Tor versions from the 0.2.9 and 0.4.0 series. The 0.3.5 series is
      still allowed. Resolves ticket 32672. Patch by Neel Chauhan.

  o Minor features (usability):
    - Include more information when failing to parse a configuration
      value. This should make it easier to tell what's going wrong when
      a configuration file doesn't parse. Closes ticket 33460.

  o Minor bugfix (relay, configuration):
    - Warn if the ContactInfo field is not set, and tell the relay
      operator that not having a ContactInfo field set might cause their
      relay to get rejected in the future. Fixes bug 33361; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (coding best practices checks):
    - Allow the "practracker" script to read unicode files when using
      Python 2. We made the script use unicode literals in 0.4.3.1-alpha,
      but didn't change the codec for opening files. Fixes bug 33374;
      bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (continuous integration):
    - Remove the buggy and unused mirroring job. Fixes bug 33213; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion service v3, client):
    - Remove a BUG() warning that would cause a stack trace if an onion
      service descriptor was freed while we were waiting for a
      rendezvous circuit to complete. Fixes bug 28992; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion services v3):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Documentation (manpage):
    - Alphabetize the Server and Directory server sections of the tor
      manpage. Also split Statistics options into their own section of
      the manpage. Closes ticket 33188. Work by Swati Thacker as part of
      Google Season of Docs.
    - Document the __OwningControllerProcess torrc option and specify
      its polling interval. Resolves issue 32971.

  o Testing (Travis CI):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
      first takes full advantage of Travis job concurrency. Closes
      ticket 33194.
    - Stop allowing the Chutney IPv6 Travis job to fail. This job was
      previously configured to fast_finish (which requires
      allow_failure), to speed up the build. Closes ticket 33195.
    - When a Travis chutney job fails, use chutney's new "diagnostics.sh"
      tool to produce detailed diagnostic output. Closes ticket 32792.


Changes in version 0.4.2.7 - 2020-03-18
  This is the third stable release in the 0.4.2.x series. It backports
  numerous fixes from later releases, including a fix for TROVE-2020-
  002, a major denial-of-service vulnerability that affected all
  released Tor instances since 0.2.1.5-alpha. Using this vulnerability,
  an attacker could cause Tor instances to consume a huge amount of CPU,
  disrupting their operations for several seconds or minutes. This
  attack could be launched by anybody against a relay, or by a directory
  cache against any client that had connected to it. The attacker could
  launch this attack as much as they wanted, thereby disrupting service
  or creating patterns that could aid in traffic analysis. This issue
  was found by OSS-Fuzz, and is also tracked as CVE-2020-10592.

  We do not have reason to believe that this attack is currently being
  exploited in the wild, but nonetheless we advise everyone to upgrade
  as soon as packages are available.

  o Major bugfixes (security, denial-of-service, backport from 0.4.3.3-alpha):
    - Fix a denial-of-service bug that could be used by anyone to
      consume a bunch of CPU on any Tor relay or authority, or by
      directories to consume a bunch of CPU on clients or hidden
      services. Because of the potential for CPU consumption to
      introduce observable timing patterns, we are treating this as a
      high-severity security issue. Fixes bug 33119; bugfix on
      0.2.1.5-alpha. Found by OSS-Fuzz. We are also tracking this issue
      as TROVE-2020-002 and CVE-2020-10592.

  o Major bugfixes (circuit padding, memory leak, backport from 0.4.3.3-alpha):
    - Avoid a remotely triggered memory leak in the case that a circuit
      padding machine is somehow negotiated twice on the same circuit.
      Fixes bug 33619; bugfix on 0.4.0.1-alpha. Found by Tobias Pulls.
      This is also tracked as TROVE-2020-004 and CVE-2020-10593.

  o Major bugfixes (directory authority, backport from 0.4.3.3-alpha):
    - Directory authorities will now send a 503 (not enough bandwidth)
      code to clients when under bandwidth pressure. Known relays and
      other authorities will always be answered regardless of the
      bandwidth situation. Fixes bug 33029; bugfix on 0.1.2.5-alpha.

  o Minor features (continuous integration, backport from 0.4.3.2-alpha):
    - Stop allowing failures on the Travis CI stem tests job. It looks
      like all the stem hangs we were seeing before are now fixed.
      Closes ticket 33075.

  o Minor bugfixes (bridges, backport from 0.4.3.1-alpha):
    - Lowercase the configured value of BridgeDistribution before adding
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.

  o Minor bugfixes (logging, backport from 0.4.3.2-alpha):
    - If we encounter a bug when flushing a buffer to a TLS connection,
      only log the bug once per invocation of the Tor process.
      Previously we would log with every occurrence, which could cause
      us to run out of disk space. Fixes bug 33093; bugfix
      on 0.3.2.2-alpha.

  o Minor bugfixes (onion services v3, backport from 0.4.3.3-alpha):
    - Fix an assertion failure that could result from a corrupted
      ADD_ONION control port command. Found by Saibato. Fixes bug 33137;
      bugfix on 0.3.3.1-alpha. This issue is also tracked
      as TROVE-2020-003.

  o Minor bugfixes (rust, build, backport from 0.4.3.2-alpha):
    - Fix a syntax warning given by newer versions of Rust that was
      creating problems for our continuous integration. Fixes bug 33212;
      bugfix on 0.3.5.1-alpha.

  o Testing (Travis CI, backport from 0.4.3.3-alpha):
    - Remove a redundant distcheck job. Closes ticket 33194.
    - Sort the Travis jobs in order of speed: putting the slowest jobs
For faster browsing, not all history is shown. View entire blame