ReleaseNotes 1.17 MB
Newer Older
1
2
3
4
This document summarizes new features and bugfixes in each stable
release of Tor. If you want to see more detailed descriptions of the
changes in each development snapshot, see the ChangeLog file.

5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
Changes in version 0.4.1.6 - 2019-09-19
  This release backports several bugfixes to improve stability and
  correctness.  Anyone experiencing build problems or crashes with 0.4.1.5,
  or experiencing reliability issues with single onion services, should
  upgrade.

  o Major bugfixes (crash, Linux, Android, backport from 0.4.2.1-alpha):
    - Tolerate systems (including some Android installations) where
      madvise and MADV_DONTDUMP are available at build-time, but not at
      run time. Previously, these systems would notice a failed syscall
      and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
    - Tolerate systems (including some Linux installations) where
      madvise and/or MADV_DONTFORK are available at build-time, but not
      at run time. Previously, these systems would notice a failed
      syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.

  o Minor features (stem tests, backport from 0.4.2.1-alpha):
    - Change "make test-stem" so it only runs the stem tests that use
      tor. This change makes test-stem faster and more reliable. Closes
      ticket 31554.

  o Minor bugfixes (build system, backport form 0.4.2.1-alpha):
    - Do not include the deprecated <sys/sysctl.h> on Linux or Windows
      systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (compilation, backport from 0.4.2.1-alpha):
    - Add more stub functions to fix compilation on Android with link-
      time optimization when --disable-module-dirauth is used.
      Previously, these compilation settings would make the compiler
      look for functions that didn't exist. Fixes bug 31552; bugfix
      on 0.4.1.1-alpha.
    - Suppress spurious float-conversion warnings from GCC when calling
      floating-point classifier functions on FreeBSD. Fixes part of bug
      31687; bugfix on 0.3.1.5-alpha.

  o Minor bugfixes (controller protocol):
    - Fix the MAPADDRESS controller command to accept one or more
      arguments. Previously, it required two or more arguments, and ignored
      the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (guards, backport from 0.4.2.1-alpha):
    - When tor is missing descriptors for some primary entry guards,
      make the log message less alarming. It's normal for descriptors to
      expire, as long as tor fetches new ones soon after. Fixes bug
      31657; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.2.1-alpha):
    - Change log level of message "Hash of session info was not as
      expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (rust, backport from 0.4.2.1-alpha):
    - Correctly exclude a redundant rust build job in Travis. Fixes bug
      31463; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha):
    - Always retry v2 single onion service intro and rend circuits with
      a 3-hop path. Previously, v2 single onion services used a 3-hop
      path when rendezvous circuits were retried after a remote or
      delayed failure, but a 1-hop path for immediate retries. Fixes bug
      23818; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (v3 single onion services, backport from 0.4.2.1-alpha):
    - Always retry v3 single onion service intro and rend circuits with
      a 3-hop path. Previously, v3 single onion services used a 3-hop
      path when rend circuits were retried after a remote or delayed
      failure, but a 1-hop path for immediate retries. Fixes bug 23818;
      bugfix on 0.3.2.1-alpha.
    - Make v3 single onion services fall back to a 3-hop intro, when all
      intro points are unreachable via a 1-hop path. Previously, v3
      single onion services failed when all intro nodes were unreachable
      via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.

  o Documentation (backport from 0.4.2.1-alpha):
    - Use RFC 2397 data URL scheme to embed an image into tor-exit-
      notice.html so that operators no longer have to host it
      themselves. Closes ticket 31089.


84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
Changes in version 0.4.1.5 - 2019-08-20
  This is the first stable release in the 0.4.1.x series. This series
  adds experimental circuit-level padding, authenticated SENDME cells to
  defend against certain attacks, and several performance improvements
  to save on CPU consumption. It fixes bugs in bootstrapping and v3
  onion services. It also includes numerous smaller features and
  bugfixes on earlier versions.

  Per our support policy, we will support the 0.4.1.x series for nine
  months, or until three months after the release of a stable 0.4.2.x:
  whichever is longer. If you need longer-term support, please stick
  with 0.3.5.x, which will we plan to support until Feb 2022.

  Below are the changes since 0.4.0.5. For a list of only the changes
  since 0.4.1.4-rc, see the ChangeLog file.

  o Directory authority changes:
    - The directory authority "dizum" has a new IP address. Closes
      ticket 31406.

  o Major features (circuit padding):
    - Onion service clients now add padding cells at the start of their
      INTRODUCE and RENDEZVOUS circuits, to make those circuits' traffic
      look more like general purpose Exit traffic. The overhead for this
      is 2 extra cells in each direction for RENDEZVOUS circuits, and 1
      extra upstream cell and 10 downstream cells for INTRODUCE
      circuits. This feature is only enabled when also supported by the
      circuit's middle node. (Clients may specify fixed middle nodes
      with the MiddleNodes option, and may force-disable this feature
      with the CircuitPadding option.) Closes ticket 28634.

  o Major features (code organization):
    - Tor now includes a generic publish-subscribe message-passing
      subsystem that we can use to organize intermodule dependencies. We
      hope to use this to reduce dependencies between modules that don't
      need to be related, and to generally simplify our codebase. Closes
      ticket 28226.

  o Major features (controller protocol):
    - Controller commands are now parsed using a generalized parsing
      subsystem. Previously, each controller command was responsible for
      parsing its own input, which led to strange inconsistencies.
      Closes ticket 30091.

  o Major features (flow control):
    - Implement authenticated SENDMEs as detailed in proposal 289. A
      SENDME cell now includes the digest of the traffic that it
      acknowledges, so that once an end point receives the SENDME, it
      can confirm the other side's knowledge of the previous cells that
      were sent, and prevent certain types of denial-of-service attacks.
      This behavior is controlled by two new consensus parameters: see
      the proposal for more details. Fixes ticket 26288.

  o Major features (performance):
    - Our node selection algorithm now excludes nodes in linear time.
      Previously, the algorithm was quadratic, which could slow down
      heavily used onion services. Closes ticket 30307.

  o Major features (performance, RNG):
    - Tor now constructs a fast secure pseudorandom number generator for
      each thread, to use when performance is critical. This PRNG is
      based on AES-CTR, using a buffering construction similar to
      libottery and the (newer) OpenBSD arc4random() code. It
      outperforms OpenSSL 1.1.1a's CSPRNG by roughly a factor of 100 for
      small outputs. Although we believe it to be cryptographically
      strong, we are only using it when necessary for performance.
      Implements tickets 29023 and 29536.

  o Major bugfixes (bridges):
    - Consider our directory information to have changed when our list
      of bridges changes. Previously, Tor would not re-compute the
      status of its directory information when bridges changed, and
      therefore would not realize that it was no longer able to build
      circuits. Fixes part of bug 29875.
    - Do not count previously configured working bridges towards our
      total of working bridges. Previously, when Tor's list of bridges
      changed, it would think that the old bridges were still usable,
      and delay fetching router descriptors for the new ones. Fixes part
      of bug 29875; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (circuit build, guard):
165
166
167
    - On relays, properly check that a padding machine is absent before
      logging a warning about it being absent. Fixes bug 30649; bugfix
      on 0.4.0.1-alpha.
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
    - When considering upgrading circuits from "waiting for guard" to
      "open", always ignore circuits that are marked for close. Otherwise,
      we can end up in the situation where a subsystem is notified that
      a closing circuit has just opened, leading to undesirable
      behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (onion service reachability):
    - Properly clean up the introduction point map when circuits change
      purpose from onion service circuits to pathbias, measurement, or
      other circuit types. This should fix some service-side instances
      of introduction point failure. Fixes bug 29034; bugfix
      on 0.3.2.1-alpha.

  o Major bugfixes (onion service v3):
    - Fix an unreachable bug in which an introduction point could try to
      send an INTRODUCE_ACK with a status code that Trunnel would refuse
      to encode, leading the relay to assert(). We've consolidated the
      ABI values into Trunnel now. Fixes bug 30454; bugfix
      on 0.3.0.1-alpha.
    - Clients can now handle unknown status codes from INTRODUCE_ACK
      cells. (The NACK behavior will stay the same.) This will allow us
      to extend status codes in the future without breaking the normal
      client behavior. Fixes another part of bug 30454; bugfix
      on 0.3.0.1-alpha.

  o Minor features (authenticated SENDME):
    - Ensure that there is enough randomness on every circuit to prevent
      an attacker from successfully predicting the hashes they will need
      to include in authenticated SENDME cells. At a random interval, if
      we have not sent randomness already, we now leave some extra space
      at the end of a cell that we can fill with random bytes. Closes
      ticket 26846.

  o Minor features (circuit padding logging):
    - Demote noisy client-side warn logs about circuit padding to protocol
      warnings. Add additional log messages and circuit ID fields to help
      with bug 30992 and any other future issues.

  o Minor features (circuit padding):
    - We now use a fast PRNG when scheduling circuit padding. Part of
      ticket 28636.
    - Allow the padding machine designer to pick the edges of their
      histogram instead of trying to compute them automatically using an
      exponential formula. Resolves some undefined behavior in the case
      of small histograms and allows greater flexibility on machine
      design. Closes ticket 29298; bugfix on 0.4.0.1-alpha.
    - Allow circuit padding machines to hold a circuit open until they
      are done padding it. Closes ticket 28780.

  o Minor features (compile-time modules):
    - Add a "--list-modules" command to print a list of which compile-
      time modules are enabled. Closes ticket 30452.

  o Minor features (continuous integration):
    - Our Travis configuration now uses Chutney to run some network
      integration tests automatically. Closes ticket 29280.
    - When running coverage builds on Travis, we now set
      TOR_TEST_RNG_SEED, to avoid RNG-based coverage differences. Part
      of ticket 28878.
    - Remove sudo configuration lines from .travis.yml as they are no
      longer needed with current Travis build environment. Resolves
      issue 30213.
    - In Travis, show stem's tor log after failure. Closes ticket 30234.

  o Minor features (controller):
    - Add onion service version 3 support to the HSFETCH command.
      Previously, only version 2 onion services were supported. Closes
      ticket 25417. Patch by Neel Chauhan.

  o Minor features (debugging):
    - Introduce tor_assertf() and tor_assertf_nonfatal() to enable
      logging of additional information during assert failure. Now we
      can use format strings to include information for trouble
      shooting. Resolves ticket 29662.

  o Minor features (defense in depth):
    - In smartlist_remove_keeporder(), set unused pointers to NULL, in
      case a bug causes them to be used later. Closes ticket 30176.
      Patch from Tobias Stoeckmann.
    - Tor now uses a cryptographically strong PRNG even for decisions
      that we do not believe are security-sensitive. Previously, for
      performance reasons, we had used a trivially predictable linear
      congruential generator algorithm for certain load-balancing and
      statistical sampling decisions. Now we use our fast RNG in those
      cases. Closes ticket 29542.

  o Minor features (developer tools):
    - Tor's "practracker" test script now checks for files and functions
      that seem too long and complicated. Existing overlong functions
      and files are accepted for now, but should eventually be
      refactored. Closes ticket 29221.
    - Add some scripts used for git maintenance to scripts/git. Closes
      ticket 29391.
    - Call practracker from pre-push and pre-commit git hooks to let
      developers know if they made any code style violations. Closes
      ticket 30051.
    - Add a script to check that each header has a well-formed and
      unique guard macro. Closes ticket 29756.

  o Minor features (fallback directory list):
    - Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc
      in December 2018 (of which ~122 were still functional), with a
      list of 148 fallbacks (70 new, 78 existing, 79 removed) generated
      in June 2019. Closes ticket 28795.

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 10 2019 Maxmind GeoLite2
      Country database. Closes ticket 30852.
    - Update geoip and geoip6 to the May 13 2019 Maxmind GeoLite2
      Country database. Closes ticket 30522.

  o Minor features (HTTP tunnel):
    - Return an informative web page when the HTTPTunnelPort is used as
      an HTTP proxy. Closes ticket 27821, patch by "eighthave".

  o Minor features (IPv6, v3 onion services):
    - Make v3 onion services put IPv6 addresses in service descriptors.
      Before this change, service descriptors only contained IPv4
      addresses. Implements 26992.

  o Minor features (logging):
    - Give a more useful assertion failure message if we think we have
      minherit() but we fail to make a region non-inheritable. Give a
      compile-time warning if our support for minherit() is incomplete.
      Closes ticket 30686.

  o Minor features (maintenance):
    - Add a new "make autostyle" target that developers can use to apply
      all automatic Tor style and consistency conversions to the
      codebase. Closes ticket 30539.

  o Minor features (modularity):
    - The "--disable-module-dirauth" compile-time option now disables
      even more dirauth-only code. Closes ticket 30345.

  o Minor features (performance):
    - Use OpenSSL's implementations of SHA3 when available (in OpenSSL
      1.1.1 and later), since they tend to be faster than tiny-keccak.
      Closes ticket 28837.

  o Minor features (testing):
    - The circuitpadding tests now use a reproducible RNG implementation,
      so that if a test fails, we can learn why. Part of ticket 28878.
    - Tor's tests now support an environment variable, TOR_TEST_RNG_SEED,
      to set the RNG seed for tests that use a reproducible RNG. Part of
      ticket 28878.
    - When running tests in coverage mode, take additional care to make
      our coverage deterministic, so that we can accurately track
      changes in code coverage. Closes ticket 30519.
    - Tor's unit test code now contains helper functions to replace the
      PRNG with a deterministic or reproducible version for testing.
      Previously, various tests implemented this in various ways.
      Implements ticket 29732.
    - We now have a script, cov-test-determinism.sh, to identify places
      where our unit test coverage has become nondeterministic. Closes
      ticket 29436.
    - Check that representative subsets of values of `int` and `unsigned
      int` can be represented by `void *`. Resolves issue 29537.

  o Minor bugfixes (bridge authority):
    - Bridge authorities now set bridges as running or non-running when
      about to dump their status to a file. Previously, they set bridges
      as running in response to a GETINFO command, but those shouldn't
      modify data structures. Fixes bug 24490; bugfix on 0.2.0.13-alpha.
      Patch by Neel Chauhan.

  o Minor bugfixes (channel padding statistics):
    - Channel padding write totals and padding-enabled totals are now
      counted properly in relay extrainfo descriptors. Fixes bug 29231;
      bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (circuit isolation):
    - Fix a logic error that prevented the SessionGroup sub-option from
      being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (circuit padding):
    - Add a "CircuitPadding" torrc option to disable circuit padding.
      Fixes bug 28693; bugfix on 0.4.0.1-alpha.
    - Allow circuit padding machines to specify that they do not
      contribute much overhead, and provide consensus flags and torrc
      options to force clients to only use these low overhead machines.
      Fixes bug 29203; bugfix on 0.4.0.1-alpha.
    - Provide a consensus parameter to fully disable circuit padding, to
      be used in emergency network overload situations. Fixes bug 30173;
      bugfix on 0.4.0.1-alpha.
    - The circuit padding subsystem will no longer schedule padding if
      dormant mode is enabled. Fixes bug 28636; bugfix on 0.4.0.1-alpha.
    - Inspect a circuit-level cell queue before sending padding, to
      avoid sending padding while too much data is already queued. Fixes
      bug 29204; bugfix on 0.4.0.1-alpha.
    - Avoid calling monotime_absolute_usec() in circuit padding machines
      that do not use token removal or circuit RTT estimation. Fixes bug
      29085; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (clock skew detection):
    - Don't believe clock skew results from NETINFO cells that appear to
      arrive before we sent the VERSIONS cells they are responding to.
      Previously, we would accept them up to 3 minutes "in the past".
      Fixes bug 31343; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (compatibility, standards compliance):
    - Fix a bug that would invoke undefined behavior on certain
      operating systems when trying to asprintf() a string exactly
      INT_MAX bytes long. We don't believe this is exploitable, but it's
      better to fix it anyway. Fixes bug 31001; bugfix on 0.2.2.11-alpha.
      Found and fixed by Tobias Stoeckmann.

  o Minor bugfixes (compilation warning):
    - Fix a compilation warning on Windows about casting a function
      pointer for GetTickCount64(). Fixes bug 31374; bugfix on
      0.2.9.1-alpha.

  o Minor bugfixes (compilation):
    - Avoid using labs() on time_t, which can cause compilation warnings
      on 64-bit Windows builds.  Fixes bug 31343; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (compilation, unusual configurations):
    - Avoid failures when building with the ALL_BUGS_ARE_FATAL option
      due to missing declarations of abort(), and prevent other such
      failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (configuration, proxies):
    - Fix a bug that prevented us from supporting SOCKS5 proxies that
      want authentication along with configured (but unused!)
      ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.

  o Minor bugfixes (continuous integration):
    - Allow the test-stem job to fail in Travis, because it sometimes
      hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha.
    - Skip test_rebind on macOS in Travis, because it is unreliable on
      macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
    - Skip test_rebind when the TOR_SKIP_TEST_REBIND environment
      variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (controller protocol):
    - Teach the controller parser to distinguish an object preceded by
      an argument list from one without. Previously, it couldn't
      distinguish an argument list from the first line of a multiline
      object. Fixes bug 29984; bugfix on 0.2.3.8-alpha.

  o Minor bugfixes (crash on exit):
    - Avoid a set of possible code paths that could try to use freed
      memory in routerlist_free() while Tor was exiting. Fixes bug
      31003; bugfix on 0.1.2.2-alpha.

  o Minor bugfixes (developer tooling):
    - Fix pre-push hook to allow fixup and squash commits when pushing
      to non-upstream git remote. Fixes bug 30286; bugfix
      on 0.4.0.1-alpha.

  o Minor bugfixes (directory authorities):
    - Stop crashing after parsing an unknown descriptor purpose
      annotation. We think this bug can only be triggered by modifying a
      local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha.
    - Move the "bandwidth-file-headers" line in directory authority
      votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix
      on 0.3.5.1-alpha.
    - Directory authorities with IPv6 support now always mark themselves
      as reachable via IPv6. Fixes bug 24338; bugfix on 0.2.4.1-alpha.
      Patch by Neel Chauhan.

  o Minor bugfixes (documentation):
    - Improve the documentation for using MapAddress with ".exit". Fixes
      bug 30109; bugfix on 0.1.0.1-rc.
    - Improve the monotonic time module and function documentation to
      explain what "monotonic" actually means, and document some results
      that have surprised people. Fixes bug 29640; bugfix
      on 0.2.9.1-alpha.
    - Use proper formatting when providing an example on quoting options
      that contain whitespace. Fixes bug 29635; bugfix on 0.2.3.18-rc.

  o Minor bugfixes (logging):
    - Do not log a warning when running with an OpenSSL version other
      than the one Tor was compiled with, if the two versions should be
      compatible. Previously, we would warn whenever the version was
      different. Fixes bug 30190; bugfix on 0.2.4.2-alpha.
    - Warn operators when the MyFamily option is set but ContactInfo is
      missing, as the latter should be set too. Fixes bug 25110; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (memory leaks):
    - Avoid a minor memory leak that could occur on relays when failing
      to create a "keys" directory. Fixes bug 30148; bugfix
      on 0.3.3.1-alpha.
    - Fix a trivial memory leak when parsing an invalid value from a
      download schedule in the configuration. Fixes bug 30894; bugfix
      on 0.3.4.1-alpha.

  o Minor bugfixes (NetBSD):
    - Fix usage of minherit() on NetBSD and other platforms that define
      MAP_INHERIT_{ZERO,NONE} instead of INHERIT_{ZERO,NONE}. Fixes bug
      30614; bugfix on 0.4.0.2-alpha. Patch from Taylor Campbell.

  o Minor bugfixes (onion services):
    - Avoid a GCC 9.1.1 warning (and possible crash depending on libc
      implemenation) when failing to load an onion service client
      authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha.
    - When refusing to launch a controller's HSFETCH request because of
      rate-limiting, respond to the controller with a new response,
      "QUERY_RATE_LIMITED". Previously, we would log QUERY_NO_HSDIR for
      this case. Fixes bug 28269; bugfix on 0.3.1.1-alpha. Patch by
      Neel Chauhan.
    - When relaunching a circuit to a rendezvous service, mark the
      circuit as needing high-uptime routers as appropriate. Fixes bug
      17357; bugfix on 0.1.0.1-rc. Patch by Neel Chauhan.
    - Stop ignoring IPv6 link specifiers sent to v3 onion services.
      (IPv6 support for v3 onion services is still incomplete: see
      ticket 23493 for details.) Fixes bug 23588; bugfix on
      0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (onion services, performance):
    - When building circuits to onion services, call tor_addr_parse()
      less often. Previously, we called tor_addr_parse() in
      circuit_is_acceptable() even if its output wasn't used. This
      change should improve performance when building circuits. Fixes
      bug 22210; bugfix on 0.2.8.12. Patch by Neel Chauhan.

  o Minor bugfixes (out-of-memory handler):
    - When purging the DNS cache because of an out-of-memory condition,
      try purging just the older entries at first. Previously, we would
      always purge the whole thing. Fixes bug 29617; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (performance):
    - When checking whether a node is a bridge, use a fast check to make
      sure that its identity is set. Previously, we used a constant-time
      check, which is not necessary in this case. Fixes bug 30308;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (pluggable transports):
    - Tor now sets TOR_PT_EXIT_ON_STDIN_CLOSE=1 for client transports as
      well as servers. Fixes bug 25614; bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (portability):
    - Avoid crashing in our tor_vasprintf() implementation on systems
      that define neither vasprintf() nor _vscprintf(). (This bug has
      been here long enough that we question whether people are running
      Tor on such systems, but we're applying the fix out of caution.)
      Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by
      Tobias Stoeckmann.

  o Minor bugfixes (probability distributions):
    - Refactor and improve parts of the probability distribution code
      that made Coverity complain. Fixes bug 29805; bugfix
      on 0.4.0.1-alpha.

  o Minor bugfixes (python):
    - Stop assuming that /usr/bin/python3 exists. For scripts that work
      with python2, use /usr/bin/python. Otherwise, use /usr/bin/env
      python3. Fixes bug 29913; bugfix on 0.2.5.3-alpha.

  o Minor bugfixes (relay):
    - When running as a relay, if IPv6Exit is set to 1 while ExitRelay
      is auto, act as if ExitRelay is 1. Previously, we would ignore
      IPv6Exit if ExitRelay was 0 or auto. Fixes bug 29613; bugfix on
      0.3.5.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (static analysis):
    - Fix several spurious Coverity warnings about the unit tests, to
      lower our chances of missing real warnings in the future. Fixes
      bug 30150; bugfix on 0.3.5.1-alpha and various other Tor versions.

  o Minor bugfixes (stats):
    - When ExtraInfoStatistics is 0, stop including bandwidth usage
      statistics, GeoIPFile hashes, ServerTransportPlugin lines, and
      bridge statistics by country in extra-info documents. Fixes bug
      29018; bugfix on 0.2.4.1-alpha.

  o Minor bugfixes (testing):
    - Call setrlimit() to disable core dumps in test_bt_cl.c. Previously
      we used `ulimit -c` in test_bt.sh, which violates POSIX shell
      compatibility. Fixes bug 29061; bugfix on 0.3.5.1-alpha.
    - Fix some incorrect code in the v3 onion service unit tests. Fixes
      bug 29243; bugfix on 0.3.2.1-alpha.
    - In the "routerkeys/*" tests, check the return values of mkdir()
      for possible failures. Fixes bug 29939; bugfix on 0.2.7.2-alpha.
      Found by Coverity as CID 1444254.
    - Split test_utils_general() into several smaller test functions.
      This makes it easier to perform resource deallocation on assert
      failure, and fixes Coverity warnings CID 1444117 and CID 1444118.
      Fixes bug 29823; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (tor-resolve):
    - Fix a memory leak in tor-resolve that could happen if Tor gave it
      a malformed SOCKS response. (Memory leaks in tor-resolve don't
      actually matter, but it's good to fix them anyway.) Fixes bug
      30151; bugfix on 0.4.0.1-alpha.

  o Code simplification and refactoring:
    - Abstract out the low-level formatting of replies on the control
      port. Implements ticket 30007.
    - Add several assertions in an attempt to fix some Coverity
      warnings. Closes ticket 30149.
    - Introduce a connection_dir_buf_add() helper function that checks
      for compress_state of dir_connection_t and automatically writes a
      string to directory connection with or without compression.
      Resolves issue 28816.
    - Make the base32_decode() API return the number of bytes written,
      for consistency with base64_decode(). Closes ticket 28913.
    - Move most relay-only periodic events out of mainloop.c into the
      relay subsystem. Closes ticket 30414.
    - Refactor and encapsulate parts of the codebase that manipulate
      crypt_path_t objects. Resolves issue 30236.
    - Refactor several places in our code that Coverity incorrectly
      believed might have memory leaks. Closes ticket 30147.
    - Remove redundant return values in crypto_format, and the
      associated return value checks elsewhere in the code. Make the
      implementations in crypto_format consistent, and remove redundant
      code. Resolves ticket 29660.
    - Rename tor_mem_is_zero() to fast_mem_is_zero(), to emphasize that
      it is not a constant-time function. Closes ticket 30309.
    - Replace hs_desc_link_specifier_t with link_specifier_t, and remove
      all hs_desc_link_specifier_t-specific code. Fixes bug 22781;
      bugfix on 0.3.2.1-alpha.
    - Simplify v3 onion service link specifier handling code. Fixes bug
      23576; bugfix on 0.3.2.1-alpha.
    - Split crypto_digest.c into NSS code, OpenSSL code, and shared
      code. Resolves ticket 29108.
    - Split control.c into several submodules, in preparation for
      distributing its current responsibilities throughout the codebase.
      Closes ticket 29894.
    - Start to move responsibility for knowing about periodic events to
      the appropriate subsystems, so that the mainloop doesn't need to
      know all the periodic events in the rest of the codebase.
      Implements tickets 30293 and 30294.

  o Documentation:
    - Mention URLs for Travis/Appveyor/Jenkins in ReleasingTor.md.
      Closes ticket 30630.
    - Document how to find git commits and tags for bug fixes in
      CodingStandards.md. Update some file documentation. Closes
      ticket 30261.

  o Removed features:
    - Remove the linux-tor-prio.sh script from contrib/operator-tools
      directory. Resolves issue 29434.
    - Remove the obsolete OpenSUSE initscript. Resolves issue 30076.
    - Remove the obsolete script at contrib/dist/tor.sh.in. Resolves
      issue 30075.

  o Testing:
    - Specify torrc paths (with empty files) when launching tor in
      integration tests; refrain from reading user and system torrcs.
      Resolves issue 29702.

  o Code simplification and refactoring (shell scripts):
    - Clean up many of our shell scripts to fix shellcheck warnings.
      These include autogen.sh (ticket 26069), test_keygen.sh (ticket
      29062), test_switch_id.sh (ticket 29065), test_rebind.sh (ticket
      29063), src/test/fuzz/minimize.sh (ticket 30079), test_rust.sh
      (ticket 29064), torify (ticket 29070), asciidoc-helper.sh (29926),
      fuzz_multi.sh (30077), fuzz_static_testcases.sh (ticket 29059),
      nagios-check-tor-authority-cert (ticket 29071),
      src/test/fuzz/fixup_filenames.sh (ticket 30078), test-network.sh
      (ticket 29060), test_key_expiration.sh (ticket 30002),
      zero_length_keys.sh (ticket 29068), and test_workqueue_*.sh
      (ticket 29067).

  o Testing (chutney):
    - In "make test-network-all", test IPv6-only v3 single onion
      services, using the chutney network single-onion-v23-ipv6-md.
      Closes ticket 27251.

  o Testing (continuous integration):
    - In Travis, make stem log a controller trace to the console, and tail
      stem's tor log after failure. Closes ticket 30591.
    - In Travis, only run the stem tests that use a tor binary.
      Closes ticket 30694.


638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
Changes in version 0.4.0.5 - 2019-05-02
  This is the first stable release in the 0.4.0.x series. It contains
  improvements for power management and bootstrap reporting, as well as
  preliminary backend support for circuit padding to prevent some kinds
  of traffic analysis. It also continues our work in refactoring Tor for
  long-term maintainability.

  Per our support policy, we will support the 0.4.0.x series for nine
  months, or until three months after the release of a stable 0.4.1.x:
  whichever is longer. If you need longer-term support, please stick
  with 0.3.5.x, which will we plan to support until Feb 2022.

  Below are the changes since 0.3.5.7. For a complete list of changes
  since 0.4.0.4-rc, see the ChangeLog file.

  o Major features (battery management, client, dormant mode):
    - When Tor is running as a client, and it is unused for a long time,
      it can now enter a "dormant" state. When Tor is dormant, it avoids
      network and CPU activity until it is reawoken either by a user
      request or by a controller command. For more information, see the
      configuration options starting with "Dormant". Implements tickets
      2149 and 28335.
    - The client's memory of whether it is "dormant", and how long it
      has spent idle, persists across invocations. Implements
      ticket 28624.
    - There is a DormantOnFirstStartup option that integrators can use
      if they expect that in many cases, Tor will be installed but
      not used.

  o Major features (bootstrap reporting):
    - When reporting bootstrap progress, report the first connection
      uniformly, regardless of whether it's a connection for building
      application circuits. This allows finer-grained reporting of early
      progress than previously possible, with the improvements of ticket
      27169. Closes tickets 27167 and 27103. Addresses ticket 27308.
    - When reporting bootstrap progress, treat connecting to a proxy or
      pluggable transport as separate from having successfully used that
      proxy or pluggable transport to connect to a relay. Closes tickets
      27100 and 28884.

  o Major features (circuit padding):
    - Implement preliminary support for the circuit padding portion of
      Proposal 254. The implementation supports Adaptive Padding (aka
      WTF-PAD) state machines for use between experimental clients and
      relays. Support is also provided for APE-style state machines that
      use probability distributions instead of histograms to specify
      inter-packet delay. At the moment, Tor does not provide any
      padding state machines that are used in normal operation: for now,
      this feature exists solely for experimentation. Closes
      ticket 28142.

  o Major features (refactoring):
    - Tor now uses an explicit list of its own subsystems when
      initializing and shutting down. Previously, these systems were
      managed implicitly in various places throughout the codebase.
      (There may still be some subsystems using the old system.) Closes
      ticket 28330.

  o Major bugfixes (cell scheduler, KIST, security):
    - Make KIST consider the outbuf length when computing what it can
      put in the outbuf. Previously, KIST acted as though the outbuf
      were empty, which could lead to the outbuf becoming too full. It
      is possible that an attacker could exploit this bug to cause a Tor
      client or relay to run out of memory and crash. Fixes bug 29168;
      bugfix on 0.3.2.1-alpha. This issue is also being tracked as
      TROVE-2019-001 and CVE-2019-8955.

  o Major bugfixes (networking):
    - Gracefully handle empty username/password fields in SOCKS5
Roger Dingledine's avatar
Roger Dingledine committed
707
      username/password auth message and allow SOCKS5 handshake to
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
      continue. Previously, we had rejected these handshakes, breaking
      certain applications. Fixes bug 29175; bugfix on 0.3.5.1-alpha.

  o Major bugfixes (NSS, relay):
    - When running with NSS, disable TLS 1.2 ciphersuites that use
      SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for
      these ciphersuites don't work -- which caused relays to fail to
      handshake with one another when these ciphersuites were enabled.
      Fixes bug 29241; bugfix on 0.3.5.1-alpha.

  o Major bugfixes (windows, startup):
    - When reading a consensus file from disk, detect whether it was
      written in text mode, and re-read it in text mode if so. Always
      write consensus files in binary mode so that we can map them into
      memory later. Previously, we had written in text mode, which
      confused us when we tried to map the file on windows. Fixes bug
      28614; bugfix on 0.4.0.1-alpha.

  o Minor features (address selection):
    - Treat the subnet 100.64.0.0/10 as public for some purposes;
      private for others. This subnet is the RFC 6598 (Carrier Grade
      NAT) IP range, and is deployed by many ISPs as an alternative to
      RFC 1918 that does not break existing internal networks. Tor now
      blocks SOCKS and control ports on these addresses and warns users
      if client ports or ExtORPorts are listening on a RFC 6598 address.
      Closes ticket 28525. Patch by Neel Chauhan.

  o Minor features (bandwidth authority):
    - Make bandwidth authorities ignore relays that are reported in the
      bandwidth file with the flag "vote=0". This change allows us to
      report unmeasured relays for diagnostic reasons without including
      their bandwidth in the bandwidth authorities' vote. Closes
      ticket 29806.
    - When a directory authority is using a bandwidth file to obtain the
      bandwidth values that will be included in the next vote, serve
      this bandwidth file at /tor/status-vote/next/bandwidth. Closes
      ticket 21377.

  o Minor features (bootstrap reporting):
    - When reporting bootstrap progress, stop distinguishing between
      situations where only internal paths are available and situations
      where external paths are available. Previously, Tor would often
      erroneously report that it had only internal paths. Closes
      ticket 27402.

  o Minor features (compilation):
    - Compile correctly when OpenSSL is built with engine support
      disabled, or with deprecated APIs disabled. Closes ticket 29026.
      Patches from "Mangix".

  o Minor features (continuous integration):
    - On Travis Rust builds, cleanup Rust registry and refrain from
      caching the "target/" directory to speed up builds. Resolves
      issue 29962.
    - Log Python version during each Travis CI job. Resolves
      issue 28551.
    - In Travis, tell timelimit to use stem's backtrace signals, and
      launch python directly from timelimit, so python receives the
      signals from timelimit, rather than make. Closes ticket 30117.

  o Minor features (controller):
    - Add a DROPOWNERSHIP command to undo the effects of TAKEOWNERSHIP.
      Implements ticket 28843.

  o Minor features (developer tooling):
    - Check that bugfix versions in changes files look like Tor versions
      from the versions spec. Warn when bugfixes claim to be on a future
      release. Closes ticket 27761.
Roger Dingledine's avatar
Roger Dingledine committed
776
    - Provide a git pre-commit hook that disallows committing if we have
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
      any failures in our code and changelog formatting checks. It is
      now available in scripts/maint/pre-commit.git-hook. Implements
      feature 28976.
    - Provide a git hook script to prevent "fixup!" and "squash!"
      commits from ending up in the master branch, as scripts/main/pre-
      push.git-hook. Closes ticket 27993.

  o Minor features (diagnostic):
    - Add more diagnostic log messages in an attempt to solve the issue
      of NUL bytes appearing in a microdescriptor cache. Related to
      ticket 28223.

  o Minor features (directory authority):
    - When a directory authority is using a bandwidth file to obtain
      bandwidth values, include the digest of that file in the vote.
      Closes ticket 26698.
    - Directory authorities support a new consensus algorithm, under
      which the family lines in microdescriptors are encoded in a
      canonical form. This change makes family lines more compressible
      in transit, and on the client. Closes ticket 28266; implements
      proposal 298.

  o Minor features (directory authority, relay):
    - Authorities now vote on a "StaleDesc" flag to indicate that a
      relay's descriptor is so old that the relay should upload again
      soon. Relays treat this flag as a signal to upload a new
      descriptor. This flag will eventually let us remove the
      'published' date from routerstatus entries, and make our consensus
      diffs much smaller. Closes ticket 26770; implements proposal 293.

  o Minor features (dormant mode):
    - Add a DormantCanceledByStartup option to tell Tor that it should
      treat a startup event as cancelling any previous dormant state.
      Integrators should use this option with caution: it should only be
      used if Tor is being started because of something that the user
      did, and not if Tor is being automatically started in the
      background. Closes ticket 29357.

  o Minor features (fallback directory mirrors):
    - Update the fallback whitelist based on operator opt-ins and opt-
      outs. Closes ticket 24805, patch by Phoul.

  o Minor features (FreeBSD):
    - On FreeBSD-based systems, warn relay operators if the
      "net.inet.ip.random_id" sysctl (IP ID randomization) is disabled.
      Closes ticket 28518.

  o Minor features (geoip):
    - Update geoip and geoip6 to the April 2 2019 Maxmind GeoLite2
      Country database. Closes ticket 29992.

  o Minor features (HTTP standards compliance):
    - Stop sending the header "Content-type: application/octet-stream"
      along with transparently compressed documents: this confused
      browsers. Closes ticket 28100.

  o Minor features (IPv6):
    - We add an option ClientAutoIPv6ORPort, to make clients randomly
      prefer a node's IPv4 or IPv6 ORPort. The random preference is set
      every time a node is loaded from a new consensus or bridge config.
      We expect that this option will enable clients to bootstrap more
      quickly without having to determine whether they support IPv4,
      IPv6, or both. Closes ticket 27490. Patch by Neel Chauhan.
    - When using addrs_in_same_network_family(), avoid choosing circuit
      paths that pass through the same IPv6 subnet more than once.
      Previously, we only checked IPv4 subnets. Closes ticket 24393.
      Patch by Neel Chauhan.

  o Minor features (log messages):
    - Improve log message in v3 onion services that could print out
      negative revision counters. Closes ticket 27707. Patch
      by "ffmancera".

  o Minor features (memory usage):
    - Save memory by storing microdescriptor family lists with a more
      compact representation. Closes ticket 27359.
    - Tor clients now use mmap() to read consensus files from disk, so
      that they no longer need keep the full text of a consensus in
      memory when parsing it or applying a diff. Closes ticket 27244.

  o Minor features (NSS, diagnostic):
    - Try to log an error from NSS (if there is any) and a more useful
      description of our situation if we are using NSS and a call to
      SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.

  o Minor features (parsing):
    - Directory authorities now validate that router descriptors and
      ExtraInfo documents are in a valid subset of UTF-8, and reject
      them if they are not. Closes ticket 27367.

  o Minor features (performance):
    - Cache the results of summarize_protocol_flags(), so that we don't
      have to parse the same protocol-versions string over and over.
      This should save us a huge number of malloc calls on startup, and
      may reduce memory fragmentation with some allocators. Closes
      ticket 27225.
    - Remove a needless memset() call from get_token_arguments, thereby
      speeding up the tokenization of directory objects by about 20%.
      Closes ticket 28852.
    - Replace parse_short_policy() with a faster implementation, to
      improve microdescriptor parsing time. Closes ticket 28853.
    - Speed up directory parsing a little by avoiding use of the non-
      inlined strcmp_len() function. Closes ticket 28856.
    - Speed up microdescriptor parsing by about 30%, to help improve
      startup time. Closes ticket 28839.

  o Minor features (pluggable transports):
    - Add support for emitting STATUS updates to Tor's control port from
      a pluggable transport process. Closes ticket 28846.
    - Add support for logging to Tor's logging subsystem from a
      pluggable transport process. Closes ticket 28180.

  o Minor features (process management):
    - Add a new process API for handling child processes. This new API
      allows Tor to have bi-directional communication with child
      processes on both Unix and Windows. Closes ticket 28179.
    - Use the subsystem manager to initialize and shut down the process
      module. Closes ticket 28847.

  o Minor features (relay):
    - When listing relay families, list them in canonical form including
      the relay's own identity, and try to give a more useful set of
      warnings. Part of ticket 28266 and proposal 298.

  o Minor features (required protocols):
    - Before exiting because of a missing required protocol, Tor will
      now check the publication time of the consensus, and not exit
      unless the consensus is newer than the Tor program's own release
      date. Previously, Tor would not check the consensus publication
      time, and so might exit because of a missing protocol that might
      no longer be required in a current consensus. Implements proposal
      297; closes ticket 27735.

  o Minor features (testing):
    - Treat all unexpected ERR and BUG messages as test failures. Closes
      ticket 28668.
    - Allow a HeartbeatPeriod of less than 30 minutes in testing Tor
      networks. Closes ticket 28840. Patch by Rob Jansen.
    - Use the approx_time() function when setting the "Expires" header
      in directory replies, to make them more testable. Needed for
      ticket 30001.

  o Minor bugfixes (security):
    - Fix a potential double free bug when reading huge bandwidth files.
      The issue is not exploitable in the current Tor network because
      the vulnerable code is only reached when directory authorities
      read bandwidth files, but bandwidth files come from a trusted
      source (usually the authorities themselves). Furthermore, the
      issue is only exploitable in rare (non-POSIX) 32-bit architectures,
      which are not used by any of the current authorities. Fixes bug
      30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by
      Tobias Stoeckmann.
    - Verify in more places that we are not about to create a buffer
      with more than INT_MAX bytes, to avoid possible OOB access in the
      event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and
      fixed by Tobias Stoeckmann.

  o Minor bugfix (continuous integration):
    - Reset coverage state on disk after Travis CI has finished. This
      should prevent future coverage merge errors from causing the test
      suite for the "process" subsystem to fail. The process subsystem
      was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix
      on 0.2.9.15.
    - Terminate test-stem if it takes more than 9.5 minutes to run.
      (Travis terminates the job after 10 minutes of no output.)
      Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (build, compatibility, rust):
    - Update Cargo.lock file to match the version made by the latest
      version of Rust, so that "make distcheck" will pass again. Fixes
      bug 29244; bugfix on 0.3.3.4-alpha.

  o Minor bugfixes (C correctness):
    - Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug
      29824; bugfix on 0.3.1.1-alpha. This is Coverity warning
      CID 1444119.

  o Minor bugfixes (client, clock skew):
    - Bootstrap successfully even when Tor's clock is behind the clocks
      on the authorities. Fixes bug 28591; bugfix on 0.2.0.9-alpha.
    - Select guards even if the consensus has expired, as long as the
      consensus is still reasonably live. Fixes bug 24661; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (compilation):
    - Fix compilation warnings in test_circuitpadding.c. Fixes bug
      29169; bugfix on 0.4.0.1-alpha.
    - Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug
      29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn.
    - Compile correctly on OpenBSD; previously, we were missing some
      headers required in order to detect it properly. Fixes bug 28938;
      bugfix on 0.3.5.1-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (directory clients):
    - Mark outdated dirservers when Tor only has a reasonably live
      consensus. Fixes bug 28569; bugfix on 0.3.2.5-alpha.

  o Minor bugfixes (directory mirrors):
    - Even when a directory mirror's clock is behind the clocks on the
      authorities, we now allow the mirror to serve "future"
      consensuses. Fixes bug 28654; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (DNS):
    - Gracefully handle an empty or absent resolve.conf file by falling
      back to using "localhost" as a DNS server (and hoping it works).
      Previously, we would just stop running as an exit. Fixes bug
      21900; bugfix on 0.2.1.10-alpha.

  o Minor bugfixes (documentation):
    - Describe the contents of the v3 onion service client authorization
      files correctly: They hold public keys, not private keys. Fixes
      bug 28979; bugfix on 0.3.5.1-alpha. Spotted by "Felixix".

  o Minor bugfixes (guards):
    - In count_acceptable_nodes(), the minimum number is now one bridge
      or guard node, and two non-guard nodes for a circuit. Previously,
      we had added up the sum of all nodes with a descriptor, but that
      could cause us to build failing circuits when we had either too
      many bridges or not enough guard nodes. Fixes bug 25885; bugfix on
996
      0.2.3.1-alpha. Patch by Neel Chauhan.
997
998
999
1000

  o Minor bugfixes (IPv6):
    - Fix tor_ersatz_socketpair on IPv6-only systems. Previously, the
      IPv6 socket was bound using an address family of AF_INET instead