Commit 03a709ea authored by David Goulet's avatar David Goulet 🐼
Browse files

Forward merge the latest ChangeLog/ReleaseNotes

parent 50e32a54
Loading
Loading
Loading
Loading
+127 −0
Original line number Diff line number Diff line
Changes in version 0.4.6.7 - 2021-08-16
  This version fixes several bugs from earlier versions of Tor,
  including one that could lead to a denial-of-service attack. Everyone
  running an earlier version, whether as a client, a relay, or an onion
  service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
  o Major bugfixes (cryptography, security):
    - Resolve an assertion failure caused by a behavior mismatch between
      our batch-signature verification code and our single-signature
      verification code. This assertion failure could be triggered
      remotely, leading to a denial of service attack. We fix this issue
      by disabling batch verification. Fixes bug 40078; bugfix on
      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
      CVE-2021-38385. Found by Henry de Valence.
  o Minor feature (fallbackdir):
    - Regenerate fallback directories list. Close ticket 40447.
  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2021/08/12.
  o Minor bugfix (crypto):
    - Disable the unused batch verification feature of ed25519-donna.
      Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry
      de Valence.
  o Minor bugfixes (onion service):
    - Send back the extended SOCKS error 0xF6 (Onion Service Invalid
      Address) for a v2 onion address. Fixes bug 40421; bugfix
      on 0.4.6.2-alpha.
  o Minor bugfixes (relay):
    - Reduce the compression level for data streaming from HIGH to LOW
      in order to reduce CPU load on the directory relays. Fixes bug
      40301; bugfix on 0.3.5.1-alpha.
  o Minor bugfixes (timekeeping):
    - Calculate the time of day correctly on systems where the time_t
      type includes leap seconds. (This is not the case on most
      operating systems, but on those where it occurs, our tor_timegm
      function did not correctly invert the system's gmtime function,
      which could result in assertion failures when calculating voting
      schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.
Changes in version 0.4.5.10 - 2021-08-16
  This version fixes several bugs from earlier versions of Tor,
  including one that could lead to a denial-of-service attack. Everyone
  running an earlier version, whether as a client, a relay, or an onion
  service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
  o Major bugfixes (cryptography, security):
    - Resolve an assertion failure caused by a behavior mismatch between
      our batch-signature verification code and our single-signature
      verification code. This assertion failure could be triggered
      remotely, leading to a denial of service attack. We fix this issue
      by disabling batch verification. Fixes bug 40078; bugfix on
      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
      CVE-2021-38385. Found by Henry de Valence.
  o Minor feature (fallbackdir):
    - Regenerate fallback directories list. Close ticket 40447.
  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2021/08/12.
  o Minor features (testing):
    - Enable the deterministic RNG for unit tests that covers the
      address set bloomfilter-based API's. Fixes bug 40419; bugfix
      on 0.3.3.2-alpha.
  o Minor bugfix (crypto, backport from 0.4.6.7):
    - Disable the unused batch verification feature of ed25519-donna.
      Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry
      de Valence.
  o Minor bugfixes (relay, backport from 0.4.6.7):
    - Reduce the compression level for data streaming from HIGH to LOW.
      Fixes bug 40301; bugfix on 0.3.5.1-alpha.
  o Minor bugfixes (timekeeping, backport from 0.4.6.7):
    - Calculate the time of day correctly on systems where the time_t
      type includes leap seconds. (This is not the case on most
      operating systems, but on those where it occurs, our tor_timegm
      function did not correctly invert the system's gmtime function,
      which could result in assertion failures when calculating voting
      schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.
  o Minor bugfixes (warnings, portability, backport from 0.4.6.6):
    - Suppress a strict-prototype warning when building with some
      versions of NSS. Fixes bug 40409; bugfix on 0.3.5.1-alpha.
Changes in version 0.3.5.16 - 2021-08-16
  This version fixes several bugs from earlier versions of Tor,
  including one that could lead to a denial-of-service attack. Everyone
  running an earlier version, whether as a client, a relay, or an onion
  service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
  o Major bugfixes (cryptography, security):
    - Resolve an assertion failure caused by a behavior mismatch between
      our batch-signature verification code and our single-signature
      verification code. This assertion failure could be triggered
      remotely, leading to a denial of service attack. We fix this issue
      by disabling batch verification. Fixes bug 40078; bugfix on
      0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
      CVE-2021-38385. Found by Henry de Valence.
  o Minor feature (fallbackdir):
    - Regenerate fallback directories list. Close ticket 40447.
  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2021/08/12.
  o Minor bugfix (crypto, backport from 0.4.6.7):
    - Disable the unused batch verification feature of ed25519-donna.
      Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry
      de Valence.
  o Minor bugfixes (relay, backport from 0.4.6.7):
    - Reduce the compression level for data streaming from HIGH to LOW.
      Fixes bug 40301; bugfix on 0.3.5.1-alpha.
Changes in version 0.4.6.6 - 2021-06-30
  Tor 0.4.6.6 makes several small fixes on 0.4.6.5, including one that
  allows Tor to build correctly on older versions of GCC. You should
+122 −0
Original line number Diff line number Diff line
@@ -2,6 +2,128 @@ This document summarizes new features and bugfixes in each stable
release of Tor. If you want to see more detailed descriptions of the
changes in each development snapshot, see the ChangeLog file.
Changes in version 0.4.6.7 - 2021-08-16
  This version fixes several bugs from earlier versions of Tor, including one
  that could lead to a denial-of-service attack. Everyone running an earlier
  version, whether as a client, a relay, or an onion service, should upgrade
  to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
  o Major bugfixes (cryptography, security):
    - Resolve an assertion failure caused by a behavior mismatch between our
      batch-signature verification code and our single-signature verification
      code. This assertion failure could be triggered remotely, leading to a
      denial of service attack. We fix this issue by disabling batch
      verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is
      also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de
      Valence.
  o Minor feature (fallbackdir):
    - Regenerate fallback directories list. Close ticket 40447.
  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database,
      as retrieved on 2021/08/12.
  o Minor bugfix (crypto):
    - Disable the unused batch verification feature of ed25519-donna. Fixes
      bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
  o Minor bugfixes (onion service):
    - Send back the extended SOCKS error 0xF6 (Onion Service Invalid Address)
      for a v2 onion address. Fixes bug 40421; bugfix on 0.4.6.2-alpha.
  o Minor bugfixes (relay):
    - Reduce the compression level for data streaming from HIGH to LOW in
      order to reduce CPU load on the directory relays. Fixes bug 40301;
      bugfix on 0.3.5.1-alpha.
  o Minor bugfixes (timekeeping):
    - Calculate the time of day correctly on systems where the time_t
      type includes leap seconds. (This is not the case on most
      operating systems, but on those where it occurs, our tor_timegm
      function did not correctly invert the system's gmtime function,
      which could result in assertion failures when calculating
      voting schedules.)  Fixes bug 40383; bugfix on 0.2.0.3-alpha.
Changes in version 0.4.5.10 - 2021-08-16
  This version fixes several bugs from earlier versions of Tor, including one
  that could lead to a denial-of-service attack. Everyone running an earlier
  version, whether as a client, a relay, or an onion service, should upgrade
  to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
  o Major bugfixes (cryptography, security):
    - Resolve an assertion failure caused by a behavior mismatch between our
      batch-signature verification code and our single-signature verification
      code. This assertion failure could be triggered remotely, leading to a
      denial of service attack. We fix this issue by disabling batch
      verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is
      also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de
      Valence.
  o Minor feature (fallbackdir):
    - Regenerate fallback directories list. Close ticket 40447.
  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database,
      as retrieved on 2021/08/12.
  o Minor features (testing):
    - Enable the deterministic RNG for unit tests that covers the address set
      bloomfilter-based API's. Fixes bug 40419; bugfix on 0.3.3.2-alpha.
  o Minor bugfix (crypto):
    - Disable the unused batch verification feature of ed25519-donna. Fixes
      bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
  o Minor bugfixes (relay, backport from 0.4.6.x):
    - Reduce the compression level for data streaming from HIGH to LOW. Fixes
      bug 40301; bugfix on 0.3.5.1-alpha.
  o Minor bugfixes (timekeeping, backport from 0.4.6.x):
    - Calculate the time of day correctly on systems where the time_t
      type includes leap seconds. (This is not the case on most
      operating systems, but on those where it occurs, our tor_timegm
      function did not correctly invert the system's gmtime function,
      which could result in assertion failures when calculating
      voting schedules.)  Fixes bug 40383; bugfix on 0.2.0.3-alpha.
  o Minor bugfixes (warnings, portability, backport from 0.4.6.x):
    - Suppress a strict-prototype warning when building with some versions
      of NSS.  Fixes bug 40409; bugfix on 0.3.5.1-alpha.
Changes in version 0.3.5.16 - 2021-08-16
  This version fixes several bugs from earlier versions of Tor, including one
  that could lead to a denial-of-service attack. Everyone running an earlier
  version, whether as a client, a relay, or an onion service, should upgrade
  to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
  o Major bugfixes (cryptography, security):
    - Resolve an assertion failure caused by a behavior mismatch between our
      batch-signature verification code and our single-signature verification
      code. This assertion failure could be triggered remotely, leading to a
      denial of service attack. We fix this issue by disabling batch
      verification. Fixes bug 40078; bugfix on 0.2.6.1-alpha. This issue is
      also tracked as TROVE-2021-007 and CVE-2021-38385. Found by Henry de
      Valence.
  o Minor feature (fallbackdir):
    - Regenerate fallback directories list. Close ticket 40447.
  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database,
      as retrieved on 2021/08/12.
  o Minor bugfix (crypto):
    - Disable the unused batch verification feature of ed25519-donna. Fixes
      bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry de Valence.
  o Minor bugfixes (relay, backport from 0.4.6.x):
    - Reduce the compression level for data streaming from HIGH to LOW. Fixes
      bug 40301; bugfix on 0.3.5.1-alpha.
Changes in version 0.4.6.6 - 2021-06-30
  Tor 0.4.6.6 makes several small fixes on 0.4.6.5, including one that
  allows Tor to build correctly on older versions of GCC. You should