ChangeLog 1.86 MB
Newer Older
1
Changes in version 0.4.6.2-alpha - 2021-04-15
Nick Mathewson's avatar
Nick Mathewson committed
2
3
4
5
  Tor 0.4.6.2-alpha is the second alpha in its series. It fixes several
  small bugs in previous releases, and solves other issues that had
  enabled denial-of-service attacks and affected integration with
  other tools.
6
7
8

  o Minor features (client):
    - Clients now check whether their streams are attempting to re-enter
Nick Mathewson's avatar
Nick Mathewson committed
9
10
      the Tor network (i.e. to send Tor traffic over Tor), and close
      them preemptively if they think exit relays will refuse them for
Nick Mathewson's avatar
Nick Mathewson committed
11
      this reason. See ticket 2667 for details. Closes ticket 40271.
12
13

  o Minor features (command line):
Nick Mathewson's avatar
Nick Mathewson committed
14
15
16
    - Add long format name "--torrc-file" equivalent to the existing
      command-line option "-f". Closes ticket 40324. Patch by
      Daniel Pinto.
17
18
19
20
21
22

  o Minor features (dormant mode):
    - Add a new 'DormantTimeoutEnabled' option to allow coarse-grained
      control over whether the client ever becomes dormant from
      inactivity. Most people won't need this. Closes ticket 40228.

Nick Mathewson's avatar
Nick Mathewson committed
23
24
25
  o Minor features (fallback directory list):
    - Renegerate the list of fallback directories to contain a new set
      of 200 relays. Closes ticket 40265.
26
27
28
29
30
31
32
33
34
35
36

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2021/04/13.

  o Minor features (logging):
    - Edit heartbeat log messages so that more of them begin with the
      string "Heartbeat: ". Closes ticket 40322; patch
      from 'cypherpunks'.

  o Minor bugfixes (bridge, pluggable transport):
Nick Mathewson's avatar
Nick Mathewson committed
37
38
    - Fix a regression that made it impossible start Tor using a bridge
      line with a transport name and no a fingerprint. Fixes bug 40360;
39
40
41
      bugfix on 0.4.5.4-rc.

  o Minor bugfixes (channel, DoS):
Nick Mathewson's avatar
Nick Mathewson committed
42
43
    - Fix a non-fatal BUG() message due to a too-early free of a string,
      when listing a client connection from the DoS defenses subsystem.
Nick Mathewson's avatar
Nick Mathewson committed
44
      Fixes bug 40345; bugfix on 0.4.3.4-rc.
45
46
47
48
49
50
51

  o Minor bugfixes (compilation):
    - Fix a compilation warning about unused functions when building
      with a libc that lacks the GLOB_ALTDIRFUNC constant. Fixes bug
      40354; bugfix on 0.4.5.1-alpha. Patch by Daniel Pinto.

  o Minor bugfixes (configuration):
Nick Mathewson's avatar
Nick Mathewson committed
52
53
54
    - Fix pattern-matching for directories on all platforms when using
      %include options in configuration files. This patch also fixes
      compilation on musl libc based systems. Fixes bug 40141; bugfix
55
56
57
58
59
60
61
      on 0.4.5.1-alpha.

  o Minor bugfixes (relay):
    - Move the "overload-general" line from extrainfo to the server
      descriptor. Fixes bug 40364; bugfix on 0.4.6.1-alpha.

  o Minor bugfixes (testing, BSD):
Nick Mathewson's avatar
Nick Mathewson committed
62
63
    - Fix pattern-matching errors when patterns expand to invalid paths
      on BSD systems. Fixes bug 40318; bugfix on 0.4.5.1-alpha. Patch by
64
65
66
      Daniel Pinto.

  o Documentation (manual):
Nick Mathewson's avatar
Nick Mathewson committed
67
    - Move the ServerTransport* options to the "SERVER OPTIONS" section.
68
      Closes issue 40331.
Nick Mathewson's avatar
Nick Mathewson committed
69
70
71
72
    - Indicate that the HiddenServiceStatistics option also applies to
      bridges. Closes ticket 40346.
    - Move the description of BridgeRecordUsageByCountry to the section
      "STATISTICS OPTIONS". Closes ticket 40323.
73
74


75
Changes in version 0.4.6.1-alpha - 2021-03-18
76
77
78
79
80
  Tor 0.4.6.1-alpha is the first alpha release in the 0.4.6.x series. It
  improves client circuit performance, adds missing features, and
  improves some of our DoS handling and statistics reporting. It also
  includes numerous smaller bugfixes.

81
82
83
  Below are the changes since 0.4.5.7. (Note that this release DOES
  include the fixes for the security bugs already fixed in 0.4.5.7.)

84
85
86
87
88
89
  o Major features (control port, onion services):
    - Add controller support for creating version 3 onion services with
      client authorization. Previously, only v2 onion services could be
      created with client authorization. Closes ticket 40084. Patch by
      Neel Chauhan.

Roger Dingledine's avatar
Roger Dingledine committed
90
  o Major features (directory authority):
Nick Mathewson's avatar
Nick Mathewson committed
91
92
93
94
    - When voting on a relay with a Sybil-like appearance, add the Sybil
      flag when clearing out the other flags. This lets a relay operator
      know why their relay hasn't been included in the consensus. Closes
      ticket 40255. Patch by Neel Chauhan.
95

96
  o Major features (metrics):
Nick Mathewson's avatar
Nick Mathewson committed
97
    - Relays now report how overloaded they are in their extrainfo
98
99
100
101
102
      documents. This information is controlled with the
      OverloadStatistics torrc option, and it will be used to improve
      decisions about the network's load balancing. Implements proposal
      328; closes ticket 40222.

103
104
105
106
107
  o Major features (relay, denial of service):
    - Add a new DoS subsystem feature to control the rate of client
      connections for relays. Closes ticket 40253.

  o Major features (statistics):
Nick Mathewson's avatar
Nick Mathewson committed
108
    - Relays now publish statistics about the number of v3 onion
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
      services and volume of v3 onion service traffic, in the same
      manner they already do for v2 onions. Closes ticket 23126.

  o Major bugfixes (circuit build timeout):
    - Improve the accuracy of our circuit build timeout calculation for
      60%, 70%, and 80% build rates for various guard choices. We now
      use a maximum likelihood estimator for Pareto parameters of the
      circuit build time distribution, instead of a "right-censored
      estimator". This causes clients to ignore circuits that never
      finish building in their timeout calculations. Previously, clients
      were counting such unfinished circuits as having the highest
      possible build time value, when in reality these circuits most
      likely just contain relays that are offline. We also now wait a
      bit longer to let circuits complete for measurement purposes,
      lower the minimum possible effective timeout from 1.5 seconds to
      10ms, and increase the resolution of the circuit build time
      histogram from 50ms bin widths to 10ms bin widths. Additionally,
      we alter our estimate Xm by taking the maximum of the top 10 most
      common build time values of the 10ms histogram, and compute Xm as
      the average of these. Fixes bug 40168; bugfix on 0.2.2.14-alpha.
Nick Mathewson's avatar
Nick Mathewson committed
129
130
131
    - Remove max_time calculation and associated warning from circuit
      build timeout 'alpha' parameter estimation, as this is no longer
      needed by our new estimator from 40168. Fixes bug 34088; bugfix
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
      on 0.2.2.9-alpha.

  o Major bugfixes (signing key):
    - In the tor-gencert utility, give an informative error message if
      the passphrase given in `--create-identity-key` is too short.
      Fixes bug 40189; bugfix on 0.2.0.1-alpha. Patch by Neel Chauhan.

  o Minor features (bridge):
    - We now announce the URL to Tor's new bridge status at
      https://bridges.torproject.org/ when Tor is configured to run as a
      bridge relay. Closes ticket 30477.

  o Minor features (build system):
    - New "make lsp" command to auto generate the compile_commands.json
      file used by the ccls server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (command-line interface):
    - Add build informations to `tor --version` in order to ease
      reproducible builds. Closes ticket 32102.
    - When parsing command-line flags that take an optional argument,
      treat the argument as absent if it would start with a '-'
      character. Arguments in that form are not intelligible for any of
      our optional-argument flags. Closes ticket 40223.
    - Allow a relay operator to list the ed25519 keys on the command
      line by adding the `rsa` and `ed25519` arguments to the
      --list-fingerprint flag to show the respective RSA and ed25519
      relay fingerprint. Closes ticket 33632. Patch by Neel Chauhan.

  o Minor features (control port, stream handling):
Nick Mathewson's avatar
Nick Mathewson committed
162
163
    - Add the stream ID to the event line in the ADDRMAP control event.
      Closes ticket 40249. Patch by Neel Chauhan.
164

165
  o Minor features (dormant mode):
Nick Mathewson's avatar
Nick Mathewson committed
166
167
    - Add a new 'DormantTimeoutEnabled' option for coarse-grained
      control over whether the client can become dormant from
168
169
      inactivity. Most people won't need this. Closes ticket 40228.

170
  o Minor features (logging):
Nick Mathewson's avatar
Nick Mathewson committed
171
172
173
    - Change the DoS subsystem heartbeat line format to be more clear on
      what has been detected/rejected, and which option is disabled (if
      any). Closes ticket 40308.
174
175
176
177
178
179
    - In src/core/mainloop/mainloop.c and src/core/mainloop/connection.c,
      put brackets around IPv6 addresses in log messages. Closes ticket
      40232. Patch by Neel Chauhan.

  o Minor features (performance, windows):
    - Use SRWLocks to implement locking on Windows. Replaces the
Nick Mathewson's avatar
Nick Mathewson committed
180
181
182
      "critical section" locking implementation with the faster
      SRWLocks, available since Windows Vista. Closes ticket 17927.
      Patch by Daniel Pinto.
183
184
185
186
187
188
189
190
191
192

  o Minor features (protocol, proxy support, defense in depth):
    - Close HAProxy connections if they somehow manage to send us data
      before we start reading. Closes another case of ticket 40017.

  o Minor features (tests, portability):
    - Port the hs_build_address.py test script to work with recent
      versions of python. Closes ticket 40213. Patch from
      Samanta Navarro.

193
194
  o Minor features (vote document):
    - Add a "stats" line to directory authority votes, to report various
Nick Mathewson's avatar
Nick Mathewson committed
195
      statistics that authorities compute about the relays. This will
196
197
      help us diagnose the network better. Closes ticket 40314.

198
  o Minor bugfixes (build):
Nick Mathewson's avatar
Nick Mathewson committed
199
200
201
    - The configure script now shows whether or not lzma and zstd have
      been used, not just if the enable flag was passed in. Fixes bug
      40236; bugfix on 0.4.3.1-alpha.
202
203

  o Minor bugfixes (compatibility):
Nick Mathewson's avatar
Nick Mathewson committed
204
    - Fix a failure in the test cases when running on the "hppa"
205
206
207
208
      architecture, along with a related test that might fail on other
      architectures in the future. Fixes bug 40274; bugfix
      on 0.2.5.1-alpha.

209
210
211
212
213
  o Minor bugfixes (controller):
    - Fix a "BUG" warning that would appear when a controller chooses
      the first hop for a circuit, and that circuit completes. Fixes bug
      40285; bugfix on 0.3.2.1-alpha.

214
215
216
217
218
219
220
221
  o Minor bugfixes (directory authorities, voting):
    - Add a new consensus method (31) to support any future changes that
      authorities decide to make to the value of bwweightscale or
      maxunmeasuredbw. Previously, there was a bug that prevented the
      authorities from parsing these consensus parameters correctly under
      most circumstances. Fixes bug 19011; bugfix on 0.2.2.10-alpha.

  o Minor bugfixes (ipv6):
Nick Mathewson's avatar
Nick Mathewson committed
222
223
    - Allow non-SOCKSPorts to disable IPv4, IPv6, and PreferIPv4. Some
      rare configurations might break, but in this case you can disable
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
      NoIPv4Traffic and NoIPv6Traffic as needed. Fixes bug 33607; bugfix
      on 0.4.1.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (key generation):
    - Do not require a valid torrc when using the `--keygen` argument to
      generate a signing key. This allows us to generate keys on systems
      or users which may not run Tor. Fixes bug 40235; bugfix on
      0.2.7.2-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (onion services, logging):
    - Downgrade the severity of a few rendezvous circuit-related
      warnings from warning to info. Fixes bug 40207; bugfix on
      0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (relay):
    - Reduce the compression level for data streaming from HIGH to LOW.
Nick Mathewson's avatar
Nick Mathewson committed
240
      This should reduce the CPU and memory burden for directory caches.
241
242
243
244
      Fixes bug 40301; bugfix on 0.3.5.1-alpha.

  o Code simplification and refactoring:
    - Remove the orconn_ext_or_id_map structure and related functions.
Nick Mathewson's avatar
Nick Mathewson committed
245
246
      (Nothing outside of unit tests used them.) Closes ticket 33383.
      Patch by Neel Chauhan.
247

248
249
250
251
252
253
254
255
256
257
  o Removed features:
    - As of this release, Tor no longer supports the old v2 onion
      services. They were deprecated last July for security, and support
      will be removed entirely later this year. We strongly encourage
      everybody to migrate to v3 onion services. For more information,
      see https://blog.torproject.org/v2-deprecation-timeline . Closes
      ticket 40266. (NOTE: We accidentally released an earlier version
      of the 0.4.6.1-alpha changelog without this entry. Sorry for
      the confusion!)

258
  o Code simplification and refactoring (metrics, DoS):
Nick Mathewson's avatar
Nick Mathewson committed
259
    - Move the DoS subsystem into the subsys manager, including its
260
261
262
263
264
265
266
267
268
      configuration options. Closes ticket 40261.

  o Removed features (relay):
    - Because DirPorts are only used on authorities, relays no longer
      advertise them. Similarly, self-testing for DirPorts has been
      disabled, since an unreachable DirPort is no reason for a relay
      not to advertise itself. (Configuring a DirPort will still work,
      for now.) Closes ticket 40282.

269

270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
Changes in version 0.3.5.14 - 2021-03-16
  Tor 0.3.5.14 backports fixes for two important denial-of-service bugs
  in earlier versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a
  compatibility issue.

  o Major bugfixes (security, denial of service, backport from 0.4.5.7):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data, backport from 0.4.5.7):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Removed features (mallinfo deprecated, backport from 0.4.5.7):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.


Changes in version 0.4.4.8 - 2021-03-16
  Tor 0.4.4.8 backports fixes for two important denial-of-service bugs
  in earlier versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a
  compatibility issue.

  o Major bugfixes (security, denial of service, backport from 0.4.5.7):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data, backport from 0.4.5.7):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Removed features (mallinfo deprecated, backport from 0.4.5.7):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.


Changes in version 0.4.5.7 - 2021-03-16
  Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
  versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a few
  smaller bugs in earlier releases.

  o Major bugfixes (security, denial of service):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Minor bugfixes (directory authority):
    - Now that exit relays don't allow exit connections to directory
      authority DirPorts (to prevent network reentry), disable
      authorities' reachability self test on the DirPort. Fixes bug
      40287; bugfix on 0.4.5.5-rc.

  o Minor bugfixes (documentation):
    - Fix a formatting error in the documentation for
      VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (Linux, relay):
    - Fix a bug in determining total available system memory that would
      have been triggered if the format of Linux's /proc/meminfo file
      had ever changed to include "MemTotal:" in the middle of a line.
      Fixes bug 40315; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (metrics port):
    - Fix a BUG() warning on the MetricsPort for an internal missing
      handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (onion service):
    - Remove a harmless BUG() warning when reloading tor configured with
      onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (portability):
    - Fix a non-portable usage of "==" with "test" in the configure
      script. Fixes bug 40298; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay):
    - Remove a spammy log notice falsely claiming that the IPv4/v6
      address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha.
    - Do not query the address cache early in the boot process when
      deciding if a relay needs to fetch early directory information
      from an authority. This bug resulted in a relay falsely believing
      it didn't have an address and thus triggering an authority fetch
      at each boot. Related to our fix for 40300.

  o Removed features (mallinfo deprecated):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.


451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
Changes in version 0.4.5.6 - 2021-02-15
  The Tor 0.4.5.x release series is dedicated to the memory of Karsten
  Loesing (1979-2020), Tor developer, cypherpunk, husband, and father.
  Karsten is best known for creating the Tor metrics portal and leading
  the metrics team, but he was involved in Tor from the early days. For
  example, while he was still a student he invented and implemented the
  v2 onion service directory design, and he also served as an ambassador
  to the many German researchers working in the anonymity field. We
  loved him and respected him for his patience, his consistency, and his
  welcoming approach to growing our community.

  This release series introduces significant improvements in relay IPv6
  address discovery, a new "MetricsPort" mechanism for relay operators
  to measure performance, LTTng support, build system improvements to
  help when using Tor as a static library, and significant bugfixes
  related to Windows relay performance. It also includes numerous
  smaller features and bugfixes.

  Below are the changes since 0.4.4.4-rc. For a complete list of changes
  since 0.4.4.7, see the ReleaseNotes file.

  o Major bugfixes (IPv6, relay):
    - Fix a bug that prevented a relay from publishing its descriptor if
      an auto-discovered IPv6 that was found unreachable. Fixes bug
      40279; bugfix on 0.4.5.1-alpha.

  o Minor features (protocol versions):
    - Stop claiming to support the "DirCache=1" subprotocol version.
      Technically, we stopped supporting this subprotocol back in
      0.4.5.1-alpha, but we needed to wait for the authorities to stop
      listing it as "required" before we could drop it from the list.
      Closes ticket 40221.

  o Minor bugfixes (logging):
    - Avoid a spurious log message about missing subprotocol versions,
      when the consensus that we're reading from is older than the
      current release. Previously we had made this message nonfatal, but
      in practice, it is never relevant when the consensus is older than
      the current release. Fixes bug 40281; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (metrics port):
    - Fix a bug warning when a metrics port socket was unexpectedly
      closed. Fixes bug 40257; bugfix on 0.4.5.1-alpha

  o Minor bugfixes (relay):
    - Allow relays to have a RFC1918 address if PublishServerDescriptor
      is set to 0 and AssumeReachable is set to 1. This is to support
      the use case of a bridge on a local network, exposed via a
      pluggable transport. Fixes bug 40208; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay, config):
    - Fix a problem in the removal of duplicate ORPorts from the
      internal port list when loading the config file. We were removing
      the wrong ports, breaking valid torrc uses cases for multiple
      ORPorts of the same address family. Fixes bug 40289; bugfix
      on 0.4.5.1-alpha.


509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
Changes in version 0.4.4.7 - 2021-02-03
  Tor 0.4.4.7 backports numerous bugfixes from later releases,
  including one that made v3 onion services more susceptible to
  denial-of-service attacks, and a feature that makes some kinds of
  DoS attacks harder to perform.

  o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Major feature (exit, backport from 0.4.5.5-rc):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor feature (build system, backport from 0.4.5.4-rc):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (compilation, backport from 0.4.5.2-rc):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (crypto, backport from 0.4.5.3-rc):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.


Changes in version 0.4.3.8 - 2021-02-03
  Tor 0.4.3.8 backports numerous bugfixes from later releases,
  including one that made v3 onion services more susceptible to
  denial-of-service attacks, and a feature that makes some kinds of
  DoS attacks harder to perform.

  Note that this is, in all likelihood, the last release of Tor 0.4.3.x,
  which will reach end-of-life on 15 Feb 2021.

  o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Major bugfixes (stats, onion services, backport from 0.4.4.5):
    - Fix a bug where we were undercounting the Tor network's total
      onion service traffic, by ignoring any traffic originating from
      clients. Now we count traffic from both clients and services.
      Fixes bug 40117; bugfix on 0.2.6.2-alpha.

  o Major feature (exit, backport from 0.4.5.5-rc):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor feature (build system, backport from 0.4.5.4-rc):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (compilation, backport from 0.4.5.2-rc):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (crypto, backport from 0.4.5.3-rc):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation, backport from 0.4.5.1-rc):
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.


Changes in version 0.3.5.13 - 2020-02-03
  Tor 0.3.5.13 backports numerous bugfixes from later releases,
  including one that made v3 onion services more susceptible to
  denial-of-service attacks, and a feature that makes some kinds of
  DoS attacks harder to perform.

  o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Major bugfixes (stats, onion services, backport from 0.4.4.5):
    - Fix a bug where we were undercounting the Tor network's total
      onion service traffic, by ignoring any traffic originating from
      clients. Now we count traffic from both clients and services.
      Fixes bug 40117; bugfix on 0.2.6.2-alpha.

  o Major feature (exit, backport from 0.4.5.5-rc):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor feature (build system, backport from 0.4.5.4-rc):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (compilation, backport from 0.4.5.2-rc):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (crypto, backport from 0.4.5.3-rc):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation, backport from 0.4.5.1-rc):
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.


730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
Changes in version 0.4.5.5-rc - 2021-02-01
  Tor 0.4.5.5-rc is the third release candidate in its series. We're
  coming closer and closer to a stable release series. This release
  fixes an annoyance with address detection code, and somewhat mitigates
  an ongoing denial-of-service attack.

  We anticipate no more code changes between this and the stable
  release, though of course that could change.

  o Major feature (exit):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor bugfixes (relay, configuration):
    - Don't attempt to discover our address (IPv4 or IPv6) if no ORPort
      for it can be found in the configuration. Fixes bug 40254; bugfix
      on 0.4.5.1-alpha.


Nick Mathewson's avatar
Nick Mathewson committed
751
752
753
754
755
Changes in version 0.4.5.4-rc - 2021-01-22
  Tor 0.4.5.4-rc is the second release candidate in its series. It fixes
  several bugs present in previous releases.

  We expect that the stable release will be the same, or almost the
756
  same, as this release candidate, unless serious bugs are found.
Nick Mathewson's avatar
Nick Mathewson committed
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806

  o Major bugfixes (authority, IPv6):
    - Do not consider multiple relays in the same IPv6 /64 network to be
      sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha.

  o Major bugfixes (directory cache, performance, windows):
    - Limit the number of items in the consensus diff cache to 64 on
      Windows. We hope this will mitigate an issue where Windows relay
      operators reported Tor using 100% CPU, while we investigate better
      solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha.

  o Minor feature (build system):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (authority, logging):
    - Log more information for directory authority operators during the
      consensus voting process, and while processing relay descriptors.
      Closes ticket 40245.
    - Reject obsolete router/extrainfo descriptors earlier and more
      quietly, to avoid spamming the logs. Fixes bug 40238; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (compilation):
    - Fix another warning about unreachable fallthrough annotations when
      building with "--enable-all-bugs-are-fatal" on some compilers.
      Fixes bug 40241; bugfix on 0.4.5.3-rc.
    - Change the linker flag ordering in our library search code so that
      it works for compilers that need the libraries to be listed in the
      right order. Fixes bug 33624; bugfix on 0.1.1.0-alpha.

  o Minor bugfixes (config, bridge):
    - Don't initiate a connection to a bridge configured to use a
      missing transport. This change reverts an earlier fix that would
      try to avoid such situations during configuration chcecking, but
      which doesn't work with DisableNetwork. Fixes bug 40106; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (onion services):
    - Avoid a non-fatal assertion in certain edge-cases when
      establishing a circuit to an onion service. Fixes bug 32666;
      bugfix on 0.3.0.3-alpha.

  o Minor bugfixes (relay):
    - If we were unable to build our descriptor, don't mark it as having
      been advertised. Also remove an harmless BUG(). Fixes bug 40231;
      bugfix on 0.4.5.1-alpha.


807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
Changes in version 0.4.5.3-rc - 2021-01-12
  Tor 0.4.5.3-rc is the first release candidate in its series. It fixes
  several bugs, including one that broke onion services on certain older
  ARM CPUs, and another that made v3 onion services less reliable.

  Though we anticipate that we'll be doing a bit more clean-up between
  now and the stable release, we expect that our remaining changes will
  be fairly simple. There will be at least one more release candidate
  before 0.4.5.x is stable.

  o Major bugfixes (onion service v3):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Minor features (crypto):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor features (documentation):
    - Mention the "!badexit" directive that can appear in an authority's
      approved-routers file, and update the description of the
      "!invalid" directive. Closes ticket 40188.

  o Minor bugfixes (compilation):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.
    - Fix the "--enable-static-tor" switch to properly set the "-static"
      compile option onto the tor binary only. Fixes bug 40111; bugfix
      on 0.2.3.1-alpha.

  o Minor bugfixes (config, bridge):
    - Really fix the case where torrc has a missing ClientTransportPlugin
      but is configured with a Bridge line and UseBridges. Previously,
      we didn't look at the managed proxy list and thus would fail for
      the "exec" case. Fixes bug 40106; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (logging, relay):
    - Log our address as reported by the directory authorities, if none
      was configured or detected before. Fixes bug 40201; bugfix
      on 0.4.5.1-alpha.
    - When a launching bandwidth testing circuit, don't incorrectly call
      it a reachability test, or trigger a "CHECKING_REACHABILITY"
      control event. Fixes bug 40205; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay, statistics):
    - Report the correct connection statistics in our extrainfo
      documents. Previously there was a problem in the file loading
      function which would wrongly truncate a state file, causing the
      wrong information to be reported. Fixes bug 40226; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (SOCKS5):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.


871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
Changes in version 0.4.5.2-alpha - 2020-11-23
  Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series.
  It fixes several bugs present in earlier releases, including one that
  made it impractical to run relays on Windows. It also adds a few small
  safety features to improve Tor's behavior in the presence of strange
  compile-time options, misbehaving proxies, and future versions
  of OpenSSL.

  o Major bugfixes (relay, windows):
    - Fix a bug in our implementation of condition variables on Windows.
      Previously, a relay on Windows would use 100% CPU after running
      for some time. Because of this change, Tor now require Windows
      Vista or later to build and run. Fixes bug 30187; bugfix on
      0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with
      the introduction of consensus diffs.) Patch by Daniel Pinto.

  o Minor features (compilation):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (protocol, proxy support, defense in depth):
    - Respond more deliberately to misbehaving proxies that leave
      leftover data on their connections, so as to make Tor even less
      likely to allow the proxies to pass their data off as having come
      from a relay. Closes ticket 40017.

  o Minor features (safety):
    - Log a warning at startup if Tor is built with compile-time options
      that are likely to make it less stable or reliable. Closes
      ticket 18888.

  o Minor bugfixes (circuit, handshake):
    - In the v3 handshaking code, use connection_or_change_state() to
      change the state. Previously, we changed the state directly, but
      this did not pass the state change to the pubsub or channel
      objects, potentially leading to bugs. Fixes bug 32880; bugfix on
      0.2.3.6-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (compilation):
    - Use the correct 'ranlib' program when building libtor.a.
      Previously we used the default ranlib, which broke some kinds of
      cross-compilation. Fixes bug 40172; bugfix on 0.4.5.1-alpha.
    - Remove a duplicate typedef in metrics_store.c. Fixes bug 40177;
      bugfix on 0.4.5.1-alpha.
    - When USDT tracing is enabled, and STAP_PROBEV() is missing, don't
      attempt to build. Linux supports that macro but not the BSDs.
      Fixes bug 40174; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (configuration):
    - Exit Tor on a misconfiguration when the Bridge line is configured
      to use a transport but no corresponding ClientTransportPlugin can
      be found. Prior to this fix, Tor would attempt to connect to the
      bridge directly without using the transport, making it easier for
      adversaries to notice the bridge. Fixes bug 25528; bugfix
      on 0.2.6.1-alpha.
    - Fix an issue where an ORPort was compared with other kinds of
      ports, when it should have been only checked against other
      ORPorts. This bug would lead to "DirPort auto" getting ignored.
      Fixes bug 40195; bugfix on 0.4.5.1-alpha.
    - Fix a bug where a second non-ORPort with a variant family (ex:
      SocksPort [::1]:9050) would be ignored due to a configuration
      parsing error. Fixes bug 40183; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (crash, relay, signing key):
    - Avoid assertion failures when we run Tor from the command line
      with `--key-expiration sign`, but an ORPort is not set. Fixes bug
      40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (logging):
    - Remove trailing whitespace from control event log messages. Fixes
      bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by
      Amadeusz Pawlik.
    - Turn warning-level log message about SENDME failure into a debug-
      level message. (This event can happen naturally, and is no reason
      for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (relay, address discovery):
    - Don't trigger an IP change when no new valid IP can be found.
      Fixes bug 40071; bugfix on 0.4.5.1-alpha.
    - When attempting to discover our IP, use a simple test circuit,
      rather than a descriptor fetch: the same address information is
      present in NETINFO cells, and is better authenticated there. Fixes
      bug 40071; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (testing):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix unit tests that used newly generated list of routers so that
      they check them with respect to the date when they were generated,
      not with respect to the current time. Fixes bug 40187; bugfix
      on 0.4.5.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.

  o Removed features (controller):
    - Remove the "GETINFO network-status" controller command. It has
      been deprecated since 0.3.1.1-alpha. Closes ticket 22473.


977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Changes in version 0.4.4.6 - 2020-11-12
  Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It
  backports fixes from later releases, including a fix for TROVE-2020-
  005, a security issue that could be used, under certain cases, by an
  adversary to observe traffic patterns on a limited number of circuits
  intended for a different relay.

  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Minor features (directory authorities, backport from 0.4.5.1-alpha):
    - Authorities now list a different set of protocols as required and
      recommended. These lists have been chosen so that only truly
      recommended and/or required protocols are included, and so that
      clients using 0.2.9 or later will continue to work (even though
      they are not supported), whereas only relays running 0.3.5 or
      later will meet the requirements. Closes ticket 40162.
    - Make it possible to specify multiple ConsensusParams torrc lines.
      Now directory authority operators can for example put the main
For faster browsing, not all history is shown. View entire blame