ChangeLog 1.86 MB
Newer Older
1
Changes in version 0.4.6.1-alpha - 2021-03-18
2
3
4
5
6
  Tor 0.4.6.1-alpha is the first alpha release in the 0.4.6.x series. It
  improves client circuit performance, adds missing features, and
  improves some of our DoS handling and statistics reporting. It also
  includes numerous smaller bugfixes.

7
8
9
  Below are the changes since 0.4.5.7. (Note that this release DOES
  include the fixes for the security bugs already fixed in 0.4.5.7.)

10
11
12
13
14
15
16
17
18
19
20
21
  o Major features (control port, onion services):
    - Add controller support for creating version 3 onion services with
      client authorization. Previously, only v2 onion services could be
      created with client authorization. Closes ticket 40084. Patch by
      Neel Chauhan.

  o Major features (directory authorityl):
    - When voting for a relay with a Sybil-like appearance, add the
      Sybil flag when clearing out the other flags. This lets a relay
      operator know why their relay hasn't been voted on. Closes ticket
      40255. Patch by Neel Chauhan.

22
23
24
25
26
27
28
  o Major features (metrics):
    - Relays now report how overloaded they are in their extra-info
      documents. This information is controlled with the
      OverloadStatistics torrc option, and it will be used to improve
      decisions about the network's load balancing. Implements proposal
      328; closes ticket 40222.

29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
  o Major features (relay, denial of service):
    - Add a new DoS subsystem feature to control the rate of client
      connections for relays. Closes ticket 40253.

  o Major features (statistics):
    - Relays now also publish statistics about the number of v3 onion
      services and volume of v3 onion service traffic, in the same
      manner they already do for v2 onions. Closes ticket 23126.

  o Major bugfixes (circuit build timeout):
    - Improve the accuracy of our circuit build timeout calculation for
      60%, 70%, and 80% build rates for various guard choices. We now
      use a maximum likelihood estimator for Pareto parameters of the
      circuit build time distribution, instead of a "right-censored
      estimator". This causes clients to ignore circuits that never
      finish building in their timeout calculations. Previously, clients
      were counting such unfinished circuits as having the highest
      possible build time value, when in reality these circuits most
      likely just contain relays that are offline. We also now wait a
      bit longer to let circuits complete for measurement purposes,
      lower the minimum possible effective timeout from 1.5 seconds to
      10ms, and increase the resolution of the circuit build time
      histogram from 50ms bin widths to 10ms bin widths. Additionally,
      we alter our estimate Xm by taking the maximum of the top 10 most
      common build time values of the 10ms histogram, and compute Xm as
      the average of these. Fixes bug 40168; bugfix on 0.2.2.14-alpha.
    - Remove max_time calculation and associated warn from circuit build
      timeout 'alpha' parameter estimation, as this is no longer needed
      by our new estimator from 40168. Fixes bug 34088; bugfix
      on 0.2.2.9-alpha.

  o Major bugfixes (signing key):
    - In the tor-gencert utility, give an informative error message if
      the passphrase given in `--create-identity-key` is too short.
      Fixes bug 40189; bugfix on 0.2.0.1-alpha. Patch by Neel Chauhan.

  o Minor features (bridge):
    - We now announce the URL to Tor's new bridge status at
      https://bridges.torproject.org/ when Tor is configured to run as a
      bridge relay. Closes ticket 30477.

  o Minor features (build system):
    - New "make lsp" command to auto generate the compile_commands.json
      file used by the ccls server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (command-line interface):
    - Add build informations to `tor --version` in order to ease
      reproducible builds. Closes ticket 32102.
    - When parsing command-line flags that take an optional argument,
      treat the argument as absent if it would start with a '-'
      character. Arguments in that form are not intelligible for any of
      our optional-argument flags. Closes ticket 40223.
    - Allow a relay operator to list the ed25519 keys on the command
      line by adding the `rsa` and `ed25519` arguments to the
      --list-fingerprint flag to show the respective RSA and ed25519
      relay fingerprint. Closes ticket 33632. Patch by Neel Chauhan.

  o Minor features (control port, stream handling):
    - Add the stream ID argument to the event line in the ADDRMAP
      control event. Closes ticket 40249. Patch by Neel Chauhan.

91
92
93
94
95
  o Minor features (dormant mode):
    - Add a new 'DormantTimeoutEnabled' option to allow coarse-grained
      control over whether the client ever becomes dormant from
      inactivity. Most people won't need this. Closes ticket 40228.

96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
  o Minor features (logging):
    - Change the DoS subsystem heartbeat line format so be more clear on
      what has been detected/rejected and which option is disabled if
      any. Closes ticket 40308.
    - In src/core/mainloop/mainloop.c and src/core/mainloop/connection.c,
      put brackets around IPv6 addresses in log messages. Closes ticket
      40232. Patch by Neel Chauhan.

  o Minor features (performance, windows):
    - Use SRWLocks to implement locking on Windows. Replaces the
      critical section locking implementation with the faster SRWLocks
      available since Windows Vista. Closes ticket 17927. Patch by
      Daniel Pinto.

  o Minor features (protocol, proxy support, defense in depth):
    - Close HAProxy connections if they somehow manage to send us data
      before we start reading. Closes another case of ticket 40017.

  o Minor features (tests, portability):
    - Port the hs_build_address.py test script to work with recent
      versions of python. Closes ticket 40213. Patch from
      Samanta Navarro.

119
120
121
122
123
  o Minor features (vote document):
    - Add a "stats" line to directory authority votes, to report various
      statistics that authorities computed about the relays. This will
      help us diagnose the network better. Closes ticket 40314.

124
125
126
127
128
129
130
131
132
133
134
  o Minor bugfixes (build):
    - Mini-report in the configure script now shows whether or not lzma
      and zstd have been used, not just if enable flag passed in. Fixes
      bug 40236; bugfix on 0.4.3.1-alpha.

  o Minor bugfixes (compatibility):
    - Fix a failure in the test cases when running on the hppa
      architecture, along with a related test that might fail on other
      architectures in the future. Fixes bug 40274; bugfix
      on 0.2.5.1-alpha.

135
136
137
138
139
  o Minor bugfixes (controller):
    - Fix a "BUG" warning that would appear when a controller chooses
      the first hop for a circuit, and that circuit completes. Fixes bug
      40285; bugfix on 0.3.2.1-alpha.

140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
  o Minor bugfixes (directory authorities, voting):
    - Add a new consensus method (31) to support any future changes that
      authorities decide to make to the value of bwweightscale or
      maxunmeasuredbw. Previously, there was a bug that prevented the
      authorities from parsing these consensus parameters correctly under
      most circumstances. Fixes bug 19011; bugfix on 0.2.2.10-alpha.

  o Minor bugfixes (ipv6):
    - Allow non-SOCKSPorts to disable IPv4, IPv6, and Prefer IPv4. Some
      rare configs might break, but in this case you can disable
      NoIPv4Traffic and NoIPv6Traffic as needed. Fixes bug 33607; bugfix
      on 0.4.1.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (key generation):
    - Do not require a valid torrc when using the `--keygen` argument to
      generate a signing key. This allows us to generate keys on systems
      or users which may not run Tor. Fixes bug 40235; bugfix on
      0.2.7.2-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (onion services, logging):
    - Downgrade the severity of a few rendezvous circuit-related
      warnings from warning to info. Fixes bug 40207; bugfix on
      0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (relay):
    - Reduce the compression level for data streaming from HIGH to LOW.
      Fixes bug 40301; bugfix on 0.3.5.1-alpha.

  o Code simplification and refactoring:
    - Remove the orconn_ext_or_id_map structure and related functions.
      Nothing outside of unit tests looks up anything in this structure.
      Closes ticket 33383. Patch by Neel Chauhan.

  o Code simplification and refactoring (metrics, DoS):
    - Move the DoS subsystem into the subsys manager including its
      configuration options. Closes ticket 40261.

  o Removed features (relay):
    - Because DirPorts are only used on authorities, relays no longer
      advertise them. Similarly, self-testing for DirPorts has been
      disabled, since an unreachable DirPort is no reason for a relay
      not to advertise itself. (Configuring a DirPort will still work,
      for now.) Closes ticket 40282.

184

185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
Changes in version 0.3.5.14 - 2021-03-16
  Tor 0.3.5.14 backports fixes for two important denial-of-service bugs
  in earlier versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a
  compatibility issue.

  o Major bugfixes (security, denial of service, backport from 0.4.5.7):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data, backport from 0.4.5.7):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Removed features (mallinfo deprecated, backport from 0.4.5.7):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.


Changes in version 0.4.4.8 - 2021-03-16
  Tor 0.4.4.8 backports fixes for two important denial-of-service bugs
  in earlier versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a
  compatibility issue.

  o Major bugfixes (security, denial of service, backport from 0.4.5.7):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data, backport from 0.4.5.7):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Removed features (mallinfo deprecated, backport from 0.4.5.7):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.


Changes in version 0.4.5.7 - 2021-03-16
  Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
  versions of Tor.

  One of these vulnerabilities (TROVE-2021-001) would allow an attacker
  who can send directory data to a Tor instance to force that Tor
  instance to consume huge amounts of CPU. This is easiest to exploit
  against authorities, since anybody can upload to them, but directory
  caches could also exploit this vulnerability against relays or clients
  when they download. The other vulnerability (TROVE-2021-002) only
  affects directory authorities, and would allow an attacker to remotely
  crash the authority with an assertion failure. Patches have already
  been provided to the authority operators, to help ensure
  network stability.

  We recommend that everybody upgrade to one of the releases that fixes
  these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
  to you.

  This release also updates our GeoIP data source, and fixes a few
  smaller bugs in earlier releases.

  o Major bugfixes (security, denial of service):
    - Disable the dump_desc() function that we used to dump unparseable
      information to disk. It was called incorrectly in several places,
      in a way that could lead to excessive CPU usage. Fixes bug 40286;
      bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
      001 and CVE-2021-28089.
    - Fix a bug in appending detached signatures to a pending consensus
      document that could be used to crash a directory authority. Fixes
      bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
      and CVE-2021-28090.

  o Minor features (geoip data):
    - We have switched geoip data sources. Previously we shipped IP-to-
      country mappings from Maxmind's GeoLite2, but in 2019 they changed
      their licensing terms, so we were unable to update them after that
      point. We now ship geoip files based on the IPFire Location
      Database instead. (See https://location.ipfire.org/ for more
      information). This release updates our geoip files to match the
      IPFire Location Database as retrieved on 2021/03/12. Closes
      ticket 40224.

  o Minor bugfixes (directory authority):
    - Now that exit relays don't allow exit connections to directory
      authority DirPorts (to prevent network reentry), disable
      authorities' reachability self test on the DirPort. Fixes bug
      40287; bugfix on 0.4.5.5-rc.

  o Minor bugfixes (documentation):
    - Fix a formatting error in the documentation for
      VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (Linux, relay):
    - Fix a bug in determining total available system memory that would
      have been triggered if the format of Linux's /proc/meminfo file
      had ever changed to include "MemTotal:" in the middle of a line.
      Fixes bug 40315; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (metrics port):
    - Fix a BUG() warning on the MetricsPort for an internal missing
      handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (onion service):
    - Remove a harmless BUG() warning when reloading tor configured with
      onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (portability):
    - Fix a non-portable usage of "==" with "test" in the configure
      script. Fixes bug 40298; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay):
    - Remove a spammy log notice falsely claiming that the IPv4/v6
      address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha.
    - Do not query the address cache early in the boot process when
      deciding if a relay needs to fetch early directory information
      from an authority. This bug resulted in a relay falsely believing
      it didn't have an address and thus triggering an authority fetch
      at each boot. Related to our fix for 40300.

  o Removed features (mallinfo deprecated):
    - Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
      Closes ticket 40309.


366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
Changes in version 0.4.5.6 - 2021-02-15
  The Tor 0.4.5.x release series is dedicated to the memory of Karsten
  Loesing (1979-2020), Tor developer, cypherpunk, husband, and father.
  Karsten is best known for creating the Tor metrics portal and leading
  the metrics team, but he was involved in Tor from the early days. For
  example, while he was still a student he invented and implemented the
  v2 onion service directory design, and he also served as an ambassador
  to the many German researchers working in the anonymity field. We
  loved him and respected him for his patience, his consistency, and his
  welcoming approach to growing our community.

  This release series introduces significant improvements in relay IPv6
  address discovery, a new "MetricsPort" mechanism for relay operators
  to measure performance, LTTng support, build system improvements to
  help when using Tor as a static library, and significant bugfixes
  related to Windows relay performance. It also includes numerous
  smaller features and bugfixes.

  Below are the changes since 0.4.4.4-rc. For a complete list of changes
  since 0.4.4.7, see the ReleaseNotes file.

  o Major bugfixes (IPv6, relay):
    - Fix a bug that prevented a relay from publishing its descriptor if
      an auto-discovered IPv6 that was found unreachable. Fixes bug
      40279; bugfix on 0.4.5.1-alpha.

  o Minor features (protocol versions):
    - Stop claiming to support the "DirCache=1" subprotocol version.
      Technically, we stopped supporting this subprotocol back in
      0.4.5.1-alpha, but we needed to wait for the authorities to stop
      listing it as "required" before we could drop it from the list.
      Closes ticket 40221.

  o Minor bugfixes (logging):
    - Avoid a spurious log message about missing subprotocol versions,
      when the consensus that we're reading from is older than the
      current release. Previously we had made this message nonfatal, but
      in practice, it is never relevant when the consensus is older than
      the current release. Fixes bug 40281; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (metrics port):
    - Fix a bug warning when a metrics port socket was unexpectedly
      closed. Fixes bug 40257; bugfix on 0.4.5.1-alpha

  o Minor bugfixes (relay):
    - Allow relays to have a RFC1918 address if PublishServerDescriptor
      is set to 0 and AssumeReachable is set to 1. This is to support
      the use case of a bridge on a local network, exposed via a
      pluggable transport. Fixes bug 40208; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay, config):
    - Fix a problem in the removal of duplicate ORPorts from the
      internal port list when loading the config file. We were removing
      the wrong ports, breaking valid torrc uses cases for multiple
      ORPorts of the same address family. Fixes bug 40289; bugfix
      on 0.4.5.1-alpha.


424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
Changes in version 0.4.4.7 - 2021-02-03
  Tor 0.4.4.7 backports numerous bugfixes from later releases,
  including one that made v3 onion services more susceptible to
  denial-of-service attacks, and a feature that makes some kinds of
  DoS attacks harder to perform.

  o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Major feature (exit, backport from 0.4.5.5-rc):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor feature (build system, backport from 0.4.5.4-rc):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (compilation, backport from 0.4.5.2-rc):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (crypto, backport from 0.4.5.3-rc):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.


Changes in version 0.4.3.8 - 2021-02-03
  Tor 0.4.3.8 backports numerous bugfixes from later releases,
  including one that made v3 onion services more susceptible to
  denial-of-service attacks, and a feature that makes some kinds of
  DoS attacks harder to perform.

  Note that this is, in all likelihood, the last release of Tor 0.4.3.x,
  which will reach end-of-life on 15 Feb 2021.

  o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Major bugfixes (stats, onion services, backport from 0.4.4.5):
    - Fix a bug where we were undercounting the Tor network's total
      onion service traffic, by ignoring any traffic originating from
      clients. Now we count traffic from both clients and services.
      Fixes bug 40117; bugfix on 0.2.6.2-alpha.

  o Major feature (exit, backport from 0.4.5.5-rc):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor feature (build system, backport from 0.4.5.4-rc):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (compilation, backport from 0.4.5.2-rc):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (crypto, backport from 0.4.5.3-rc):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation, backport from 0.4.5.1-rc):
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.


Changes in version 0.3.5.13 - 2020-02-03
  Tor 0.3.5.13 backports numerous bugfixes from later releases,
  including one that made v3 onion services more susceptible to
  denial-of-service attacks, and a feature that makes some kinds of
  DoS attacks harder to perform.

  o Major bugfixes (onion service v3, backport from 0.4.5.3-rc):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Major bugfixes (stats, onion services, backport from 0.4.4.5):
    - Fix a bug where we were undercounting the Tor network's total
      onion service traffic, by ignoring any traffic originating from
      clients. Now we count traffic from both clients and services.
      Fixes bug 40117; bugfix on 0.2.6.2-alpha.

  o Major feature (exit, backport from 0.4.5.5-rc):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor feature (build system, backport from 0.4.5.4-rc):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (compilation, backport from 0.4.5.2-rc):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (crypto, backport from 0.4.5.3-rc):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor bugfixes (compatibility, backport from 0.4.5.1-rc):
    - Strip '\r' characters when reading text files on Unix platforms.
      This should resolve an issue where a relay operator migrates a
      relay from Windows to Unix, but does not change the line ending of
      Tor's various state files to match the platform, and the CRLF line
      endings from Windows end up leaking into other files such as the
      extra-info document. Fixes bug 33781; bugfix on 0.0.9pre5.

  o Minor bugfixes (compilation, backport from 0.4.5.1-rc):
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (compilation, backport from 0.4.5.3-rc):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (SOCKS5, backport from 0.4.5.3-rc):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.5.2-alpha):
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.


645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
Changes in version 0.4.5.5-rc - 2021-02-01
  Tor 0.4.5.5-rc is the third release candidate in its series. We're
  coming closer and closer to a stable release series. This release
  fixes an annoyance with address detection code, and somewhat mitigates
  an ongoing denial-of-service attack.

  We anticipate no more code changes between this and the stable
  release, though of course that could change.

  o Major feature (exit):
    - Re-entry into the network is now denied at the Exit level to all
      relays' ORPorts and authorities' ORPorts and DirPorts. This change
      should help mitgate a set of denial-of-service attacks. Closes
      ticket 2667.

  o Minor bugfixes (relay, configuration):
    - Don't attempt to discover our address (IPv4 or IPv6) if no ORPort
      for it can be found in the configuration. Fixes bug 40254; bugfix
      on 0.4.5.1-alpha.


Nick Mathewson's avatar
Nick Mathewson committed
666
667
668
669
670
Changes in version 0.4.5.4-rc - 2021-01-22
  Tor 0.4.5.4-rc is the second release candidate in its series. It fixes
  several bugs present in previous releases.

  We expect that the stable release will be the same, or almost the
671
  same, as this release candidate, unless serious bugs are found.
Nick Mathewson's avatar
Nick Mathewson committed
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721

  o Major bugfixes (authority, IPv6):
    - Do not consider multiple relays in the same IPv6 /64 network to be
      sybils. Fixes bug 40243; bugfix on 0.4.5.1-alpha.

  o Major bugfixes (directory cache, performance, windows):
    - Limit the number of items in the consensus diff cache to 64 on
      Windows. We hope this will mitigate an issue where Windows relay
      operators reported Tor using 100% CPU, while we investigate better
      solutions. Fixes bug 24857; bugfix on 0.3.1.1-alpha.

  o Minor feature (build system):
    - New "make lsp" command to generate the compile_commands.json file
      used by the ccls language server. The "bear" program is needed for
      this. Closes ticket 40227.

  o Minor features (authority, logging):
    - Log more information for directory authority operators during the
      consensus voting process, and while processing relay descriptors.
      Closes ticket 40245.
    - Reject obsolete router/extrainfo descriptors earlier and more
      quietly, to avoid spamming the logs. Fixes bug 40238; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (compilation):
    - Fix another warning about unreachable fallthrough annotations when
      building with "--enable-all-bugs-are-fatal" on some compilers.
      Fixes bug 40241; bugfix on 0.4.5.3-rc.
    - Change the linker flag ordering in our library search code so that
      it works for compilers that need the libraries to be listed in the
      right order. Fixes bug 33624; bugfix on 0.1.1.0-alpha.

  o Minor bugfixes (config, bridge):
    - Don't initiate a connection to a bridge configured to use a
      missing transport. This change reverts an earlier fix that would
      try to avoid such situations during configuration chcecking, but
      which doesn't work with DisableNetwork. Fixes bug 40106; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (onion services):
    - Avoid a non-fatal assertion in certain edge-cases when
      establishing a circuit to an onion service. Fixes bug 32666;
      bugfix on 0.3.0.3-alpha.

  o Minor bugfixes (relay):
    - If we were unable to build our descriptor, don't mark it as having
      been advertised. Also remove an harmless BUG(). Fixes bug 40231;
      bugfix on 0.4.5.1-alpha.


722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
Changes in version 0.4.5.3-rc - 2021-01-12
  Tor 0.4.5.3-rc is the first release candidate in its series. It fixes
  several bugs, including one that broke onion services on certain older
  ARM CPUs, and another that made v3 onion services less reliable.

  Though we anticipate that we'll be doing a bit more clean-up between
  now and the stable release, we expect that our remaining changes will
  be fairly simple. There will be at least one more release candidate
  before 0.4.5.x is stable.

  o Major bugfixes (onion service v3):
    - Stop requiring a live consensus for v3 clients and services, and
      allow a "reasonably live" consensus instead. This allows v3 onion
      services to work even if the authorities fail to generate a
      consensus for more than 2 hours in a row. Fixes bug 40237; bugfix
      on 0.3.5.1-alpha.

  o Minor features (crypto):
    - Fix undefined behavior on our Keccak library. The bug only
      appeared on platforms with 32-byte CPU cache lines (e.g. armv5tel)
      and would result in wrong digests. Fixes bug 40210; bugfix on
      0.2.8.1-alpha. Thanks to Bernhard Übelacker, Arnd Bergmann and
      weasel for diagnosing this.

  o Minor features (documentation):
    - Mention the "!badexit" directive that can appear in an authority's
      approved-routers file, and update the description of the
      "!invalid" directive. Closes ticket 40188.

  o Minor bugfixes (compilation):
    - Fix a compilation warning about unreachable fallthrough
      annotations when building with "--enable-all-bugs-are-fatal" on
      some compilers. Fixes bug 40241; bugfix on 0.3.5.4-alpha.
    - Fix the "--enable-static-tor" switch to properly set the "-static"
      compile option onto the tor binary only. Fixes bug 40111; bugfix
      on 0.2.3.1-alpha.

  o Minor bugfixes (config, bridge):
    - Really fix the case where torrc has a missing ClientTransportPlugin
      but is configured with a Bridge line and UseBridges. Previously,
      we didn't look at the managed proxy list and thus would fail for
      the "exec" case. Fixes bug 40106; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (logging, relay):
    - Log our address as reported by the directory authorities, if none
      was configured or detected before. Fixes bug 40201; bugfix
      on 0.4.5.1-alpha.
    - When a launching bandwidth testing circuit, don't incorrectly call
      it a reachability test, or trigger a "CHECKING_REACHABILITY"
      control event. Fixes bug 40205; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (relay, statistics):
    - Report the correct connection statistics in our extrainfo
      documents. Previously there was a problem in the file loading
      function which would wrongly truncate a state file, causing the
      wrong information to be reported. Fixes bug 40226; bugfix
      on 0.4.5.1-alpha.

  o Minor bugfixes (SOCKS5):
    - Handle partial SOCKS5 messages correctly. Previously, our code
      would send an incorrect error message if it got a SOCKS5 request
      that wasn't complete. Fixes bug 40190; bugfix on 0.3.5.1-alpha.


786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
Changes in version 0.4.5.2-alpha - 2020-11-23
  Tor 0.4.5.2-alpha is the second alpha release in the 0.4.5.x series.
  It fixes several bugs present in earlier releases, including one that
  made it impractical to run relays on Windows. It also adds a few small
  safety features to improve Tor's behavior in the presence of strange
  compile-time options, misbehaving proxies, and future versions
  of OpenSSL.

  o Major bugfixes (relay, windows):
    - Fix a bug in our implementation of condition variables on Windows.
      Previously, a relay on Windows would use 100% CPU after running
      for some time. Because of this change, Tor now require Windows
      Vista or later to build and run. Fixes bug 30187; bugfix on
      0.2.6.3-alpha. (This bug became more serious in 0.3.1.1-alpha with
      the introduction of consensus diffs.) Patch by Daniel Pinto.

  o Minor features (compilation):
    - Disable deprecation warnings when building with OpenSSL 3.0.0 or
      later. There are a number of APIs newly deprecated in OpenSSL
      3.0.0 that Tor still requires. (A later version of Tor will try to
      stop depending on these APIs.) Closes ticket 40165.

  o Minor features (protocol, proxy support, defense in depth):
    - Respond more deliberately to misbehaving proxies that leave
      leftover data on their connections, so as to make Tor even less
      likely to allow the proxies to pass their data off as having come
      from a relay. Closes ticket 40017.

  o Minor features (safety):
    - Log a warning at startup if Tor is built with compile-time options
      that are likely to make it less stable or reliable. Closes
      ticket 18888.

  o Minor bugfixes (circuit, handshake):
    - In the v3 handshaking code, use connection_or_change_state() to
      change the state. Previously, we changed the state directly, but
      this did not pass the state change to the pubsub or channel
      objects, potentially leading to bugs. Fixes bug 32880; bugfix on
      0.2.3.6-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (compilation):
    - Use the correct 'ranlib' program when building libtor.a.
      Previously we used the default ranlib, which broke some kinds of
      cross-compilation. Fixes bug 40172; bugfix on 0.4.5.1-alpha.
    - Remove a duplicate typedef in metrics_store.c. Fixes bug 40177;
      bugfix on 0.4.5.1-alpha.
    - When USDT tracing is enabled, and STAP_PROBEV() is missing, don't
      attempt to build. Linux supports that macro but not the BSDs.
      Fixes bug 40174; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (configuration):
    - Exit Tor on a misconfiguration when the Bridge line is configured
      to use a transport but no corresponding ClientTransportPlugin can
      be found. Prior to this fix, Tor would attempt to connect to the
      bridge directly without using the transport, making it easier for
      adversaries to notice the bridge. Fixes bug 25528; bugfix
      on 0.2.6.1-alpha.
    - Fix an issue where an ORPort was compared with other kinds of
      ports, when it should have been only checked against other
      ORPorts. This bug would lead to "DirPort auto" getting ignored.
      Fixes bug 40195; bugfix on 0.4.5.1-alpha.
    - Fix a bug where a second non-ORPort with a variant family (ex:
      SocksPort [::1]:9050) would be ignored due to a configuration
      parsing error. Fixes bug 40183; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (crash, relay, signing key):
    - Avoid assertion failures when we run Tor from the command line
      with `--key-expiration sign`, but an ORPort is not set. Fixes bug
      40015; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (logging):
    - Remove trailing whitespace from control event log messages. Fixes
      bug 32178; bugfix on 0.1.1.1-alpha. Based on a patch by
      Amadeusz Pawlik.
    - Turn warning-level log message about SENDME failure into a debug-
      level message. (This event can happen naturally, and is no reason
      for concern). Fixes bug 40142; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (relay, address discovery):
    - Don't trigger an IP change when no new valid IP can be found.
      Fixes bug 40071; bugfix on 0.4.5.1-alpha.
    - When attempting to discover our IP, use a simple test circuit,
      rather than a descriptor fetch: the same address information is
      present in NETINFO cells, and is better authenticated there. Fixes
      bug 40071; bugfix on 0.4.5.1-alpha.

  o Minor bugfixes (testing):
    - Fix the `config/parse_tcp_proxy_line` test so that it works
      correctly on systems where the DNS provider hijacks invalid
      queries. Fixes part of bug 40179; bugfix on 0.4.3.1-alpha.
    - Fix unit tests that used newly generated list of routers so that
      they check them with respect to the date when they were generated,
      not with respect to the current time. Fixes bug 40187; bugfix
      on 0.4.5.1-alpha.
    - Fix our Python reference-implementation for the v3 onion service
      handshake so that it works correctly with the version of hashlib
      provided by Python 3.9. Fixes part of bug 40179; bugfix
      on 0.3.1.6-rc.
    - Fix the `tortls/openssl/log_one_error` test to work with OpenSSL
      3.0.0. Fixes bug 40170; bugfix on 0.2.8.1-alpha.

  o Removed features (controller):
    - Remove the "GETINFO network-status" controller command. It has
      been deprecated since 0.3.1.1-alpha. Closes ticket 22473.


892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
Changes in version 0.4.4.6 - 2020-11-12
  Tor 0.4.4.6 is the second stable release in the 0.4.4.x series. It
  backports fixes from later releases, including a fix for TROVE-2020-
  005, a security issue that could be used, under certain cases, by an
  adversary to observe traffic patterns on a limited number of circuits
  intended for a different relay.

  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Minor features (directory authorities, backport from 0.4.5.1-alpha):
    - Authorities now list a different set of protocols as required and
      recommended. These lists have been chosen so that only truly
      recommended and/or required protocols are included, and so that
      clients using 0.2.9 or later will continue to work (even though
      they are not supported), whereas only relays running 0.3.5 or
      later will meet the requirements. Closes ticket 40162.
    - Make it possible to specify multiple ConsensusParams torrc lines.
      Now directory authority operators can for example put the main
      ConsensusParams config in one torrc file and then add to it from a
      different torrc file. Closes ticket 40164.

  o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.

  o Minor features (tests, v2 onion services, backport from 0.4.5.1-alpha):
    - Fix a rendezvous cache unit test that was triggering an underflow
      on the global rend cache allocation. Fixes bug 40125; bugfix
      on 0.2.8.1-alpha.
    - Fix another rendezvous cache unit test that was triggering an
      underflow on the global rend cache allocation. Fixes bug 40126;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.4.5.1-alpha):
    - Fix compiler warnings that would occur when building with
      "--enable-all-bugs-are-fatal" and "--disable-module-relay" at the
      same time. Fixes bug 40129; bugfix on 0.4.4.1-alpha.
    - Resolve a compilation warning that could occur in
      test_connection.c. Fixes bug 40113; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (logging, backport from 0.4.5.1-alpha):
    - Remove a debug logging statement that uselessly spammed the logs.
      Fixes bug 40135; bugfix on 0.3.5.0-alpha.

  o Minor bugfixes (relay configuration, crash, backport from 0.4.5.1-alpha):
    - Avoid a fatal assert() when failing to create a listener
      connection for an address that was in use. Fixes bug 40073; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (v2 onion services, backport from 0.4.5.1-alpha):
    - For HSFETCH commands on v2 onion services addresses, check the
      length of bytes decoded, not the base32 length. Fixes bug 34400;
      bugfix on 0.4.1.1-alpha. Patch by Neel Chauhan.


Changes in version 0.4.3.7 - 2020-11-12
  Tor 0.4.3.7 backports several bugfixes from later releases. It
  includes a fix for TROVE-2020-005, a security issue that could be
  used, under certain cases, by an adversary to observe traffic patterns
  on a limited number of circuits intended for a different relay.

  Please be aware that support for the 0.4.3.x series will end on 15
Nick Mathewson's avatar
Nick Mathewson committed
962
  February 2021. Please upgrade to 0.4.4.x or 0.4.5.x before then, or
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
  downgrade to 0.3.5.x, which will be supported until at least 1
  February 2022.

  o Major features (fallback directory list, backport form 0.4.4.3-alpha):
    - Replace the 148 fallback directories originally included in Tor
      0.4.1.4-rc (of which around 105 are still functional) with a list
      of 144 fallbacks generated in July 2020. Closes ticket 40061.

  o Major bugfixes (security, backport from 0.4.5.1-alpha):
    - When completing a channel, relays now check more thoroughly to
      make sure that it matches any pending circuits before attaching
      those circuits. Previously, address correctness and Ed25519
      identities were not checked in this case, but only when extending
      circuits on an existing channel. Fixes bug 40080; bugfix on
      0.2.7.2-alpha. Resolves TROVE-2020-005.

  o Major bugfixes (NSS, backport from 0.4.4.3-alpha):
    - When running with NSS enabled, make sure that NSS knows to expect
      nonblocking sockets. Previously, we set our TCP sockets as
      nonblocking, but did not tell NSS, which in turn could lead to
      unexpected blocking behavior. Fixes bug 40035; bugfix
      on 0.3.5.1-alpha.

  o Minor features (security, backport from 0.4.4.4-rc):
    - Channels using obsolete versions of the Tor link protocol are no
      longer allowed to circumvent address-canonicity checks. (This is
      only a minor issue, since such channels have no way to set ed25519
      keys, and therefore should always be rejected for circuits that
      specify ed25519 identities.) Closes ticket 40081.

  o Minor features (subprotocol versions, backport from 0.4.5.1-alpha):
    - Tor no longer allows subprotocol versions larger than 63.
      Previously version numbers up to UINT32_MAX were allowed, which
      significantly complicated our code. Implements proposal 318;
      closes ticket 40133.

  o Minor features (tests, backport from 0.4.4.5):
    - Our "make check" target now runs the unit tests in 8 parallel
For faster browsing, not all history is shown. View entire blame