ReleaseNotes 1.25 MiB
          Some users took this phrasing to mean that the mentioned guard was
          under their control or responsibility, which it is not. Fixes bug
          28895; bugfix on Tor 0.3.0.1-alpha.
    
    
    Changes in version 0.3.4.11 - 2019-02-21
      Tor 0.3.4.11 is the third stable release in its series.  It includes
      a fix for a medium-severity security bug affecting Tor 0.3.2.1-alpha and
      later. All Tor instances running an affected release should upgrade to
      0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.
    
      o Major bugfixes (cell scheduler, KIST, security):
        - Make KIST consider the outbuf length when computing what it can
          put in the outbuf. Previously, KIST acted as though the outbuf
          were empty, which could lead to the outbuf becoming too full. It
          is possible that an attacker could exploit this bug to cause a Tor
          client or relay to run out of memory and crash. Fixes bug 29168;
          bugfix on 0.3.2.1-alpha. This issue is also being tracked as
          TROVE-2019-001 and CVE-2019-8955.
    
      o Minor features (geoip):
        - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
          Country database. Closes ticket 29478.
    
      o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
        - Update Cargo.lock file to match the version made by the latest
          version of Rust, so that "make distcheck" will pass again. Fixes
          bug 29244; bugfix on 0.3.3.4-alpha.
    
      o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
        - Stop logging "Tried to establish rendezvous on non-OR circuit..."
          as a warning. Instead, log it as a protocol warning, because there
          is nothing that relay operators can do to fix it. Fixes bug 29029;
          bugfix on 0.2.5.7-rc.
    
    
    Changes in version 0.3.3.12 - 2019-02-21
      Tor 0.3.3.12 fixes a medium-severity security bug affecting Tor
      0.3.2.1-alpha and later. All Tor instances running an affected release
      should upgrade to 0.3.3.12, 0.3.4.11, 0.3.5.8, or 0.4.0.2-alpha.
    
      This release marks the end of support for the Tor 0.3.3.x series. We
      recommend that users switch to either the Tor 0.3.4 series (supported
      until at least 10 June 2019), or the Tor 0.3.5 series, which will
      receive long-term support until at least 1 Feb 2022.
    
      o Major bugfixes (cell scheduler, KIST, security):
        - Make KIST consider the outbuf length when computing what it can
          put in the outbuf. Previously, KIST acted as though the outbuf
          were empty, which could lead to the outbuf becoming too full. It
          is possible that an attacker could exploit this bug to cause a Tor
          client or relay to run out of memory and crash. Fixes bug 29168;
          bugfix on 0.3.2.1-alpha. This issue is also being tracked as
          TROVE-2019-001 and CVE-2019-8955.
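
The KIST fix described in this entry (and in the identical 0.3.4.11 entry above), as an added C model that is not Tor's scheduler code. It compares a per-run write budget that treats the outbuf as empty with one that subtracts what is already queued. `write_budget`, `simulate`, `CELL_BYTES` and the sample numbers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define CELL_BYTES 514u  /* assumed on-the-wire cell size for this model */

/* Bytes the scheduler may add to the outbuf in one scheduling run.
 * socket_limit: estimate of what the kernel socket can accept.
 * outbuf_len:   bytes already sitting in the user-space outbuf.
 * count_outbuf: 0 models the pre-fix behaviour, 1 the fixed behaviour. */
static size_t write_budget(size_t socket_limit, size_t outbuf_len,
                           int count_outbuf)
{
    if (!count_outbuf)
        return socket_limit;          /* pre-fix: outbuf treated as empty */
    if (outbuf_len >= socket_limit)
        return 0;                     /* clamp, so size_t cannot underflow */
    return socket_limit - outbuf_len;
}

/* Run the model for `runs` scheduling rounds and return the number of
 * bytes left in the outbuf. Each round queues whole cells up to the
 * budget, then the kernel takes at most accepted_per_run bytes. */
static size_t simulate(unsigned runs, size_t socket_limit,
                       size_t accepted_per_run, int count_outbuf)
{
    size_t outbuf_len = 0;
    for (unsigned i = 0; i < runs; i++) {
        size_t budget = write_budget(socket_limit, outbuf_len, count_outbuf);
        outbuf_len += (budget / CELL_BYTES) * CELL_BYTES;  /* whole cells */
        size_t flushed = outbuf_len < accepted_per_run ? outbuf_len
                                                       : accepted_per_run;
        outbuf_len -= flushed;
    }
    return outbuf_len;
}

int main(void)
{
    /* Constructed scenario: the estimate says 20 cells fit per run, but
     * the peer only drains 10 cells per run. */
    size_t limit = 20 * CELL_BYTES, drained = 10 * CELL_BYTES;
    printf("pre-fix outbuf after 100 runs: %zu bytes\n",
           simulate(100, limit, drained, 0));
    printf("fixed   outbuf after 100 runs: %zu bytes\n",
           simulate(100, limit, drained, 1));
    return 0;
}
```

In the pre-fix model the backlog grows by the shortfall on every run, while the fixed budget keeps the outbuf at or below the socket estimate.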
    
      o Minor features (geoip):
        - Update geoip and geoip6 to the February 5 2019 Maxmind GeoLite2
          Country database. Closes ticket 29478.
    
      o Minor bugfixes (build, compatibility, rust, backport from 0.4.0.2-alpha):
        - Update Cargo.lock file to match the version made by the latest
          version of Rust, so that "make distcheck" will pass again. Fixes
          bug 29244; bugfix on 0.3.3.4-alpha.
    
      o Minor bugfixes (onion services, backport from 0.4.0.2-alpha):
        - Stop logging "Tried to establish rendezvous on non-OR circuit..."
          as a warning. Instead, log it as a protocol warning, because there
          is nothing that relay operators can do to fix it. Fixes bug 29029;
          bugfix on 0.2.5.7-rc.
    
    
    
    Changes in version 0.3.3.11 - 2019-01-07
    
      Tor 0.3.3.11 backports numerous fixes from later versions of Tor,
      including an important fix for anyone using OpenSSL
      1.1.1. Anyone running an earlier version of Tor 0.3.3 should upgrade
      to this version, or to a later series.
    
      As a reminder, support for the Tor 0.3.3 series will end on 22 Feb 2019.
      We anticipate that this will be the last release of Tor 0.3.3, unless
      some major bug is found before then. Some time between now and then, users
      should switch to either the Tor 0.3.4 series (supported until at least
      10 June 2019), or the Tor 0.3.5 series, which will receive long-term
      support until at least 1 Feb 2022.
    
      o Major bugfixes (OpenSSL, portability, backport from 0.3.5.5-alpha):
        - Fix our usage of named groups when running as a TLS 1.3 client in
          OpenSSL 1.1.1. Previously, we only initialized EC groups when
          running as a relay, which caused clients to fail to negotiate TLS
          1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3
          support was added).
    
      o Major bugfixes (restart-in-process, backport from 0.3.5.1-alpha):
        - Fix a use-after-free error that could be caused by passing Tor an
          impossible set of options that would fail during options_act().
          Fixes bug 27708; bugfix on 0.3.3.1-alpha.
    
      o Minor features (continuous integration, backport from 0.3.5.1-alpha):
        - Only run one online rust build in Travis, to reduce network
          errors. Skip offline rust builds on Travis for Linux gcc, because
          they're redundant. Implements ticket 27252.
        - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
          duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
          Linux with default settings, because all the non-default builds
          use gcc on Linux. Implements ticket 27252.
    
      o Minor features (continuous integration, backport from 0.3.5.3-alpha):
        - Use the Travis Homebrew addon to install packages on macOS during
          Travis CI. The package list is the same, but the Homebrew addon
          does not do a `brew update` by default. Implements ticket 27738.
    
      o Minor features (fallback directory list, backport from 0.3.5.6-rc):
        - Replace the 150 fallbacks originally introduced in Tor
          0.3.3.1-alpha in January 2018 (of which ~115 were still
          functional), with a list of 157 fallbacks (92 new, 65 existing, 85
          removed) generated in December 2018. Closes ticket 24803.
    
      o Minor features (geoip):
        - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2
          Country database. Closes ticket 29012.
    
      o Minor features (OpenSSL bug workaround, backport from 0.3.5.7):
        - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
          key export function from handling long labels. When this bug is
          detected, Tor will disable TLS 1.3. We recommend upgrading to a
          version of OpenSSL without this bug when it becomes available.
          Closes ticket 28973.
    
      o Minor bugfixes (relay statistics, backport from 0.3.5.7):
        - Update relay descriptor on bandwidth changes only when the uptime
          is smaller than 24h, in order to reduce the efficiency of guard
          discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.
    
      o Minor bugfixes (C correctness, backport from 0.3.5.4-alpha):
        - Avoid undefined behavior in an end-of-string check when parsing
          the BEGIN line in a directory object. Fixes bug 28202; bugfix
          on 0.2.0.3-alpha.
    
      o Minor bugfixes (code safety, backport from 0.3.5.3-alpha):
        - Rewrite our assertion macros so that they no longer suppress the
          compiler's -Wparentheses warnings. Fixes bug 27709; bugfix
    
      o Minor bugfixes (compilation, backport from 0.3.5.5-alpha):
        - Initialize a variable unconditionally in aes_new_cipher(), since
          some compilers cannot tell that we always initialize it before
          use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.
    
      o Minor bugfixes (directory authority, backport from 0.3.5.4-alpha):
        - Log additional info when we get a relay that shares an ed25519 ID
          with a different relay, instead of making a BUG() warning. Fixes bug
          27800; bugfix on 0.3.2.1-alpha.
    
      o Minor bugfixes (directory permissions, backport from 0.3.5.3-alpha):
        - When a user requests a group-readable DataDirectory, give it to
          them. Previously, when the DataDirectory and the CacheDirectory
          were the same, the default setting (0) for
          CacheDirectoryGroupReadable would override the setting for
          DataDirectoryGroupReadable. Fixes bug 26913; bugfix
          on 0.3.3.1-alpha.
    
      o Minor bugfixes (onion service v3, backport from 0.3.5.1-alpha):
        - When the onion service directory can't be created or has the wrong
          permissions, do not log a stack trace. Fixes bug 27335; bugfix
          on 0.3.2.1-alpha.
    
      o Minor bugfixes (onion service v3, backport from 0.3.5.2-alpha):
        - Close all SOCKS requests (for the same .onion) if the newly fetched
          descriptor is unusable. Previously, we would close only the first
          one, leaving the others hanging until they timed out by themselves.
          Fixes bug 27410; bugfix on 0.3.2.1-alpha.
    
      o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
        - Don't warn so loudly when Tor is unable to decode an onion
          descriptor. This can now happen as a normal use case if a client
          gets a descriptor with client authorization but the client is not
          authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha.
    
      o Minor bugfixes (onion service v3, backport from 0.3.5.6-rc):
        - When deleting an ephemeral onion service (DEL_ONION), do not close
          any rendezvous circuits in order to let the existing client
          connections finish by themselves or be closed by the application. The
          HS v2 is doing that already so now we have the same behavior for
          all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.
    
      o Minor bugfixes (HTTP tunnel):
        - Fix a bug warning when closing an HTTP tunnel connection due to
          an HTTP request we couldn't handle. Fixes bug 26470; bugfix on
          0.3.2.1-alpha.
    
      o Minor bugfixes (memory leaks, backport from 0.3.5.5-alpha):
        - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
          bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.
    
      o Minor bugfixes (netflow padding, backport from 0.3.5.1-alpha):
        - Ensure circuitmux queues are empty before scheduling or sending
          padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
    
      o Minor bugfixes (protover, backport from 0.3.5.3-alpha):
        - Reject protocol names containing bytes other than alphanumeric
          characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
          on 0.2.9.4-alpha.
    
      o Minor bugfixes (rust, backport from 0.3.5.1-alpha):
        - Compute protover votes correctly in the rust version of the
          protover code. Previously, the protover rewrite in 24031 allowed
          repeated votes from the same voter for the same protocol version
          to be counted multiple times in protover_compute_vote(). Fixes bug
          27649; bugfix on 0.3.3.5-rc.
        - Reject protover names that contain invalid characters. Fixes bug
          27687; bugfix on 0.3.3.1-alpha.
    
      o Minor bugfixes (rust, backport from 0.3.5.2-alpha):
        - protover_all_supported() would attempt to allocate up to 16GB on
          some inputs, leading to a potential memory DoS. Fixes bug 27206;
          bugfix on 0.3.3.5-rc.
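
The protover hardening items above (names limited to [A-Za-z0-9-], and the large allocation in protover_all_supported()), as an added C sketch that is not Tor's C or Rust protover code. It validates one `Name=versions` entry and decides support by comparing range bounds, assuming the oversized allocation came from expanding a version range into a list. The function names and the supported window passed in are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Accept only bytes in [A-Za-z0-9-]; explicit comparisons keep the check
 * locale-independent and reject any byte with the high bit set. */
static int name_is_valid(const char *s, size_t len)
{
    if (len == 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Parse a decimal uint32 at *p and advance *p. Returns 0 on success,
 * -1 if there is no digit or the value does not fit in 32 bits. */
static int parse_u32(const char **p, uint32_t *out)
{
    const char *s = *p;
    uint64_t v = 0;
    if (*s < '0' || *s > '9')
        return -1;
    while (*s >= '0' && *s <= '9') {
        v = v * 10 + (uint64_t)(*s - '0');
        if (v > UINT32_MAX)
            return -1;
        s++;
    }
    *out = (uint32_t)v;
    *p = s;
    return 0;
}

/* Check one entry such as "Link=1-3,5" against the supported window
 * [sup_lo, sup_hi]. Returns 1 if every listed version is supported,
 * 0 if some version is not, -1 if the entry is malformed.
 * Ranges are compared by their bounds and never enumerated, so
 * "Link=1-4294967295" costs no memory. */
static int entry_all_supported(const char *entry,
                               uint32_t sup_lo, uint32_t sup_hi)
{
    const char *eq = strchr(entry, '=');
    if (!eq || !name_is_valid(entry, (size_t)(eq - entry)))
        return -1;
    const char *p = eq + 1;
    int supported = 1;
    for (;;) {
        uint32_t lo, hi;
        if (parse_u32(&p, &lo) < 0)
            return -1;
        hi = lo;
        if (*p == '-') {
            p++;
            if (parse_u32(&p, &hi) < 0)
                return -1;
        }
        if (hi < lo)
            return -1;                 /* reversed range */
        if (lo < sup_lo || hi > sup_hi)
            supported = 0;             /* bounds check only */
        if (*p == '\0')
            break;
        if (*p != ',')
            return -1;                 /* trailing garbage */
        p++;
    }
    return supported;
}

int main(void)
{
    /* Constructed sample entries, checked against a window of 1..5. */
    const char *samples[] = { "Link=1-4", "Link=1-4294967295",
                              "Li_nk=1", "Link=5-1" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s -> %d\n", samples[i],
               entry_all_supported(samples[i], 1, 5));
    return 0;
}
```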
    
      o Minor bugfixes (rust, backport from 0.3.5.4-alpha):
        - Fix a potential null dereference in protover_all_supported(). Add
          a test for it. Fixes bug 27804; bugfix on 0.3.3.1-alpha.
        - Return a string that can be safely freed by C code, not one
          created by the rust allocator, in protover_all_supported(). Fixes
          bug 27740; bugfix on 0.3.3.1-alpha.
        - Fix an API mismatch in the rust implementation of
          protover_compute_vote(). This bug could have caused crashes on any
          directory authorities running Tor with Rust (which we do not yet
          recommend). Fixes bug 27741; bugfix on 0.3.3.6.
    
      o Minor bugfixes (testing, backport from 0.3.5.1-alpha):
        - If a unit test running in a subprocess exits abnormally or with a
          nonzero status code, treat the test as having failed, even if the
          test reported success. Without this fix, memory leaks don't cause
          the tests to fail, even with LeakSanitizer. Fixes bug 27658;
          bugfix on 0.2.2.4-alpha.
    
      o Minor bugfixes (testing, backport from 0.3.5.4-alpha):
        - Treat backtrace test failures as expected on BSD-derived systems
          (NetBSD, OpenBSD, and macOS/Darwin) until we solve bug 17808.
          (FreeBSD failures have been treated as expected since 18204 in
          0.2.8.) Fixes bug 27948; bugfix on 0.2.5.2-alpha.
    
      o Minor bugfixes (unit tests, guard selection, backport from 0.3.5.6-rc):
        - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
          bugfix on 0.3.0.1-alpha.
    
    
    
    Changes in version 0.3.4.10 - 2019-01-07
    
      Tor 0.3.4.9 is the second stable release in its series; it backports
      numerous fixes, including an important fix for relays, and for anyone
      using OpenSSL 1.1.1. Anyone running an earlier version of Tor 0.3.4
      should upgrade.
    
      As a reminder, the Tor 0.3.4 series will be supported until 10 June
      2019. Some time between now and then, users should switch to the Tor
      0.3.5 series, which will receive long-term support until at least 1
      Feb 2022.
    
      o Major bugfixes (OpenSSL, portability, backport from 0.3.5.5-alpha):
        - Fix our usage of named groups when running as a TLS 1.3 client in
          OpenSSL 1.1.1. Previously, we only initialized EC groups when
          running as a relay, which caused clients to fail to negotiate TLS
          1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3
          support was added).
    
      o Major bugfixes (relay, directory, backport from 0.3.5.7):
        - Always reactivate linked connections in the main loop so long as
          any linked connection has been active. Previously, connections
          serving directory information wouldn't get reactivated after the
          first chunk of data was sent (usually 32KB), which would prevent
          clients from bootstrapping. Fixes bug 28912; bugfix on
          0.3.4.1-alpha. Patch by "cypherpunks3".
    
      o Minor features (continuous integration, Windows, backport from 0.3.5.6-rc):
        - Always show the configure and test logs, and upload them as build
          artifacts, when building for Windows using Appveyor CI.
          Implements 28459.
    
      o Minor features (controller, backport from 0.3.5.1-alpha):
        - For purposes of CIRC_BW-based dropped cell detection, track half-
          closed stream ids, and allow their ENDs, SENDMEs, DATA and path
          bias check cells to arrive without counting it as dropped until
          either the END arrives, or the windows are empty. Closes
          ticket 25573.
    
      o Minor features (fallback directory list, backport from 0.3.5.6-rc):
        - Replace the 150 fallbacks originally introduced in Tor
          0.3.3.1-alpha in January 2018 (of which ~115 were still
          functional), with a list of 157 fallbacks (92 new, 65 existing, 85
          removed) generated in December 2018. Closes ticket 24803.
    
      o Minor features (geoip):
        - Update geoip and geoip6 to the November 6 2018 Maxmind GeoLite2
          Country database. Closes ticket 28395.
    
      o Minor features (OpenSSL bug workaround, backport from 0.3.5.7):
        - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
          key export function from handling long labels. When this bug is
          detected, Tor will disable TLS 1.3. We recommend upgrading to a
          version of OpenSSL without this bug when it becomes available.
          Closes ticket 28973.
    
      o Minor bugfixes (compilation, backport from 0.3.5.5-alpha):
        - Initialize a variable unconditionally in aes_new_cipher(), since
          some compilers cannot tell that we always initialize it before
          use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.
    
      o Minor bugfixes (connection, relay, backport from 0.3.5.5-alpha):
        - Avoid logging a BUG() stacktrace when closing a connection held
          open because the write side is rate limited but not the read side.
          Now, the connection read side is simply shut down until Tor is
          able to flush the connection and close it. Fixes bug 27750; bugfix
          on 0.3.4.1-alpha.
    
      o Minor bugfixes (continuous integration, Windows, backport from 0.3.5.5-alpha):
        - Manually configure the zstd compiler options, when building using
          mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does
          not come with a pkg-config file. Fixes bug 28454; bugfix
          on 0.3.4.1-alpha.
        - Stop using an external OpenSSL install, and stop installing MSYS2
          packages, when building using mingw on Appveyor Windows CI. Fixes
          bug 28399; bugfix on 0.3.4.1-alpha.
    
      o Minor bugfixes (continuous integration, Windows, backport from 0.3.5.6-rc):
        - Explicitly specify the path to the OpenSSL library and do not
          download OpenSSL from Pacman, but instead use the library that is
          already provided by AppVeyor. Fixes bug 28574; bugfix on master.
    
      o Minor bugfixes (directory permissions, backport from 0.3.5.3-alpha):
        - When a user requests a group-readable DataDirectory, give it to
          them. Previously, when the DataDirectory and the CacheDirectory
          were the same, the default setting (0) for
          CacheDirectoryGroupReadable would override the setting for
          DataDirectoryGroupReadable. Fixes bug 26913; bugfix
          on 0.3.3.1-alpha.
    
      o Minor bugfixes (memory leaks, backport from 0.3.5.5-alpha):
        - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
          bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.
    
      o Minor bugfixes (onion service v3, backport from 0.3.5.3-alpha):
        - Don't warn so loudly when Tor is unable to decode an onion
          descriptor. This can now happen as a normal use case if a client
          gets a descriptor with client authorization but the client is not
          authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha.
    
      o Minor bugfixes (onion service v3, backport from 0.3.5.6-rc):
        - When deleting an ephemeral onion service (DEL_ONION), do not close
          any rendezvous circuits in order to let the existing client
          connections finish by themselves or be closed by the application. The
          HS v2 is doing that already so now we have the same behavior for
          all versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.
    
      o Minor bugfixes (relay statistics, backport from 0.3.5.7):
        - Update relay descriptor on bandwidth changes only when the uptime
          is smaller than 24h, in order to reduce the efficiency of guard
          discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.
    
      o Minor bugfixes (unit tests, guard selection, backport from 0.3.5.6-rc):
        - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
          bugfix on 0.3.0.1-alpha.
    
    
    Changes in version 0.3.5.7 - 2019-01-07
      Tor 0.3.5.7 is the first stable release in its series; it includes
      compilation and portability fixes, and a fix for a severe problem
      affecting directory caches.
    
      The Tor 0.3.5 series includes several new features and performance
      improvements, including client authorization for v3 onion services,
      cleanups to bootstrap reporting, support for improved bandwidth-
      measurement tools, experimental support for NSS in place of OpenSSL,
      and much more. It also begins a full reorganization of Tor's code
      layout, for improved modularity and maintainability in the future.
      Finally, there is the usual set of performance improvements and
      bugfixes that we try to do in every release series.
    
      There are a couple of changes in the 0.3.5 series that may affect
      compatibility. First, the default version for newly created onion
      services is now v3. Use the HiddenServiceVersion option if you want to
      override this. Second, some log messages related to bootstrapping have
      changed; if you use stem, you may need to update to the latest version
      so it will recognize them.
    
      We have designated 0.3.5 as a "long-term support" (LTS) series: we
      will continue to patch major bugs in typical configurations of 0.3.5
      until at least 1 Feb 2022. (We do not plan to provide long-term
      support for embedding, Rust support, NSS support, running a directory
      authority, or unsupported platforms. For these, you will need to stick
      with the latest stable release.)
    
      Below are the changes since 0.3.4.9. For a complete list of changes
      since 0.3.5.6-rc, see the ChangeLog file.
    
      o Major features (bootstrap):
        - Don't report directory progress until after a connection to a
          relay or bridge has succeeded. Previously, we'd report 80%
          progress based on cached directory information when we couldn't
          even connect to the network. Closes ticket 27169.
    
      o Major features (new code layout):
        - Nearly all of Tor's source code has been moved around into more
          logical places. The "common" directory is now divided into a set
          of libraries in "lib", and files in the "or" directory have been
          split into "core" (logic absolutely needed for onion routing),
          "feature" (independent modules in Tor), and "app" (to configure
          and invoke the rest of Tor). See doc/HACKING/CodeStructure.md for
          more information. Closes ticket 26481.
    
          This refactoring is not complete: although the libraries have been
          refactored to be acyclic, the main body of Tor is still too
          interconnected. We will attempt to improve this in the future.
    
      o Major features (onion services v3):
        - Implement onion service client authorization at the descriptor
          level: only authorized clients can decrypt a service's descriptor
          to find out how to contact it. A new torrc option was added to
          control this client side: ClientOnionAuthDir <path>. On the
          service side, if the "authorized_clients/" directory exists in the
          onion service directory path, client configurations are read from
          the files within. See the manpage for more details. Closes ticket
          27547. Patch done by Suphanat Chunhapanya (haxxpop).
        - Improve revision counter generation in next-gen onion services.
          Onion services can now scale by hosting multiple instances on
          different hosts without synchronization between them, which was
          previously impossible because descriptors would get rejected by
          HSDirs. Addresses ticket 25552.
        - Version 3 onion services can now use the per-service
          HiddenServiceExportCircuitID option to differentiate client
          circuits. It communicates with the service by using the HAProxy
          protocol to assign virtual IP addresses to inbound client
          circuits. Closes ticket 4700. Patch by Mahrud Sayrafi.
    
      o Major features (onion services, UI change):
        - For a newly created onion service, the default version is now 3.
          Tor still supports existing version 2 services, but the operator
          now needs to set "HiddenServiceVersion 2" in order to create a new
          version 2 service. For existing services, Tor now learns the
          version by reading the key file. Closes ticket 27215.
    
      o Major features (portability, cryptography, experimental, TLS):
        - Tor now has the option to compile with the NSS library instead of
          OpenSSL. This feature is experimental, and we expect that bugs may
          remain. It is mainly intended for environments where Tor's
          performance is not CPU-bound, and where NSS is already known to be
          installed. To try it out, configure Tor with the --enable-nss
          flag. Closes tickets 26631, 26815, and 26816.
    
          If you are experimenting with this option and using an old cached
          consensus, Tor may fail to start. To solve this, delete your
          "cached-consensus" and "cached-microdesc-consensus" files
          (if present), and restart Tor.
    
      o Major features (relay, UI change):
        - Relays no longer run as exits by default. If the "ExitRelay"
          option is auto (or unset), and no exit policy is specified with
          ExitPolicy or ReducedExitPolicy, we now treat ExitRelay as 0.
          Previously in this case, we allowed exit traffic and logged a
          warning message. Closes ticket 21530. Patch by Neel Chauhan.
        - Tor now validates that the ContactInfo config option is valid
          UTF-8 when parsing torrc. Closes ticket 27428.
    
      o Major bugfixes (compilation):
        - Fix compilation on ARM (and other less-used CPUs) when compiling
          with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.
    
      o Major bugfixes (compilation, rust):
        - Rust tests can now build and run successfully with the
          --enable-fragile-hardening option enabled. Doing this currently
          requires the rust beta channel; it will be possible with stable
          rust once Rust version 1.31 is released. Patch from Alex Crichton.
          Fixes bugs 27272, 27273, and 27274. Bugfix on 0.3.1.1-alpha.
    
      o Major bugfixes (directory authority):
        - Actually check that the address we get from DirAuthority
          configuration line is valid IPv4. Explicitly disallow DirAuthority
          address to be a DNS hostname. Fixes bug 26488; bugfix
          on 0.1.2.10-rc.
    
      o Major bugfixes (embedding, main loop):
        - When DisableNetwork becomes set, actually disable periodic events
          that are already enabled. (Previously, we would refrain from
          enabling new ones, but we would leave the old ones turned on.)
          Fixes bug 28348; bugfix on 0.3.4.1-alpha.
    
      o Major bugfixes (main loop, bootstrap):
        - Make sure Tor bootstraps and works properly if only the
          ControlPort is set. Prior to this fix, Tor would only bootstrap
          when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel
          port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.
    
      o Major bugfixes (onion service v3):
        - On an intro point for a version 3 onion service, stop closing
          introduction circuits on a NACK. This lets the client decide
          whether to reuse the circuit or discard it. Previously, we closed
          intro circuits when sending NACKs. Fixes bug 27841; bugfix on
          0.3.2.1-alpha. Patch by Neel Chauhan.
    
      o Major bugfixes (OpenSSL, portability):
        - Fix our usage of named groups when running as a TLS 1.3 client in
          OpenSSL 1.1.1. Previously, we only initialized EC groups when
          running as a relay, which caused clients to fail to negotiate TLS
          1.3 with relays. Fixes bug 28245; bugfix on 0.2.9.15 (when TLS 1.3
          support was added).
    
      o Major bugfixes (relay bandwidth statistics):
        - When we close relayed circuits, report the data in the circuit
          queues as being written in our relay bandwidth stats. This
          mitigates guard discovery and other attacks that close circuits
          for the explicit purpose of noticing this discrepancy in
          statistics. Fixes bug 23512; bugfix on 0.0.8pre3.
    
      o Major bugfixes (relay):
        - When our write bandwidth limit is exhausted, stop writing on the
          connection. Previously, we had a typo in the code that would make
          us stop reading instead, leading to relay connections being stuck
          indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix
          on 0.3.4.1-alpha.
        - Always reactivate linked connections in the main loop so long as
          any linked connection has been active. Previously, connections
          serving directory information wouldn't get reactivated after the
          first chunk of data was sent (usually 32KB), which would prevent
          clients from bootstrapping. Fixes bug 28912; bugfix on
          0.3.4.1-alpha. Patch by "cypherpunks3".
    
      o Major bugfixes (restart-in-process):
        - Fix a use-after-free error that could be caused by passing Tor an
          impossible set of options that would fail during options_act().
          Fixes bug 27708; bugfix on 0.3.3.1-alpha.
    
      o Minor features (admin tools):
        - Add a new --key-expiration option to print the expiration date of
          the signing cert in an ed25519_signing_cert file. Resolves
          issue 19506.
    
      o Minor features (build):
        - If you pass the "--enable-pic" option to configure, Tor will try
          to tell the compiler to build position-independent code suitable
          to link into a dynamic library. (The default remains -fPIE, for
          code suitable for a relocatable executable.) Closes ticket 23846.
    
      o Minor features (code correctness, testing):
        - Tor's build process now includes a "check-includes" make target to
          verify that no module of Tor relies on any headers from a higher-
          level module. We hope to use this feature over time to help
          refactor our codebase. Closes ticket 26447.
    
      o Minor features (code layout):
        - We have a new "lowest-level" error-handling API for use by code
          invoked from within the logging module. With this interface, the
          logging code is no longer at risk of calling into itself if a
          failure occurs while it is trying to log something. Closes
          ticket 26427.
    
      o Minor features (compilation):
        - When possible, place our warning flags in a separate file, to
          avoid flooding verbose build logs. Closes ticket 28924.
        - Tor's configure script now supports a --with-malloc= option to
          select your malloc implementation. Supported options are
          "tcmalloc", "jemalloc", "openbsd" (deprecated), and "system" (the
          default). Addresses part of ticket 20424. Based on a patch from
          Alex Xu.
    
      o Minor features (config):
        - The "auto" keyword in torrc is now case-insensitive. Closes
          ticket 26663.
    
      o Minor features (continuous integration):
        - Add a Travis CI build for --enable-nss on Linux gcc. Closes
          ticket 27751.
        - Add a new CI job to the Travis configuration to run stem-based
          integration tests. Closes ticket 27913.
        - Use the Travis Homebrew addon to install packages on macOS during
          Travis CI. The package list is the same, but the Homebrew addon
          does not do a `brew update` by default. Implements ticket 27738.
        - Report what program produced the mysterious core file that we
          occasionally see on Travis CI during make distcheck. Closes
          ticket 28024.
        - Don't do a distcheck with --disable-module-dirauth in Travis.
          Implements ticket 27252.
        - Install libcap-dev and libseccomp2-dev so these optional
          dependencies get tested on Travis CI. Closes ticket 26560.
        - Only run one online rust build in Travis, to reduce network
          errors. Skip offline rust builds on Travis for Linux gcc, because
          they're redundant. Implements ticket 27252.
        - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
          duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
          Linux with default settings, because all the non-default builds
          use gcc on Linux. Implements ticket 27252.
    
      o Minor features (continuous integration, Windows):
        - Always show the configure and test logs, and upload them as build
          artifacts, when building for Windows using Appveyor CI.
          Implements ticket 28459.
        - Build tor on Windows Server 2012 R2 and Windows Server 2016 using
          Appveyor's CI. Closes ticket 28318.
    
      o Minor features (controller):
        - Emit CIRC_BW events as soon as we detect that we processed an
          invalid or otherwise dropped cell on a circuit. This allows
          vanguards and other controllers to react more quickly to dropped
          cells. Closes ticket 27678.
        - For purposes of CIRC_BW-based dropped cell detection, track
          half-closed stream ids, and allow their ENDs, SENDMEs, DATA and
          path bias check cells to arrive without counting them as dropped
          until either the END arrives, or the windows are empty. Closes
          ticket 25573.
        - Implement a 'GETINFO md/all' controller command to enable getting
          all known microdescriptors. Closes ticket 8323.
        - The GETINFO command now supports an "uptime" argument, to return
          Tor's uptime in seconds. Closes ticket 25132.
    
      o Minor features (denial-of-service avoidance):
        - Make our OOM handler aware of the DNS cache so that it doesn't
          fill up the memory. This check is important for our DoS mitigation
          subsystem. Closes ticket 18642. Patch by Neel Chauhan.
    
      o Minor features (development):
        - Tor's makefile now supports running the "clippy" Rust style tool
          on our Rust code. Closes ticket 22156.
    
      o Minor features (directory authority):
        - There is no longer an artificial upper limit on the length of
          bandwidth lines. Closes ticket 26223.
        - When a bandwidth file is used to obtain the bandwidth measurements,
          include that bandwidth file's headers in the votes. Closes
          ticket 3723.
        - Improved support for networks with only a single authority or a
          single fallback directory. Patch from Gabriel Somlo. Closes
          ticket 25928.
    
      o Minor features (embedding API):
        - The Tor controller API now supports a function to launch Tor with
          a preconstructed owning controller FD, so that embedding
          applications don't need to manage controller ports and
          authentication. Closes ticket 24204.
        - The Tor controller API now has a function that returns the name
          and version of the backend implementing the API. Closes
          ticket 26947.
    
      o Minor features (fallback directory list):
        - Replace the 150 fallbacks originally introduced in Tor
          0.3.3.1-alpha in January 2018 (of which ~115 were still
          functional), with a list of 157 fallbacks (92 new, 65 existing, 85
          removed) generated in December 2018. Closes ticket 24803.
    
      o Minor features (geoip):
        - Update geoip and geoip6 to the January 3 2019 Maxmind GeoLite2
          Country database. Closes ticket 29012.
    
      o Minor features (memory management):
        - Get Libevent to use the same memory allocator as Tor, by calling
          event_set_mem_functions() during initialization. Resolves
          ticket 8415.
    
      o Minor features (memory usage):
        - When not using them, store legacy TAP public onion keys in DER-
          encoded format, rather than as expanded public keys. This should
          save several megabytes on typical clients. Closes ticket 27246.
    
      o Minor features (OpenSSL bug workaround):
        - Work around a bug in OpenSSL 1.1.1a, which prevented the TLS 1.3
          key export function from handling long labels. When this bug is
          detected, Tor will disable TLS 1.3. We recommend upgrading to a
          version of OpenSSL without this bug when it becomes available.
          Closes ticket 28973.
    
      o Minor features (OpenSSL):
        - When possible, use RFC5869 HKDF implementation from OpenSSL rather
          than our own. Resolves ticket 19979.
    
      o Minor features (performance):
        - Remove about 96% of the work from the function that we run at
          startup to test our curve25519_basepoint implementation. Since
          this function has yet to find an actual failure, we now only run
          it for 8 iterations instead of 200. Based on our profile
          information, this change should save around 8% of our startup time
          on typical desktops, and may have a similar effect on other
          platforms. Closes ticket 28838.
        - Stop re-validating our hardcoded Diffie-Hellman parameters on
          every startup. Doing this wasted time and cycles, especially on
          low-powered devices. Closes ticket 28851.
    
      o Minor features (Rust, code quality):
        - Improve rust code quality in the rust protover implementation by
          making it more idiomatic. Includes changing an internal API to
          take &str instead of &String. Closes ticket 26492.
    
      o Minor features (testing):
        - Add scripts/test/chutney-git-bisect.sh, for bisecting using
          chutney. Implements ticket 27211.
    
      o Minor features (tor-resolve):
        - The tor-resolve utility can now be used with IPv6 SOCKS proxies.
          Side-effect of the refactoring for ticket 26526.
    
      o Minor features (UI):
        - Log each included configuration file or directory as we read it,
          to provide more visibility about where Tor is reading from. Patch
          from Unto Sten; closes ticket 27186.
        - Lower log level of "Scheduler type KIST has been enabled" to INFO.
          Closes ticket 26703.
    
      o Minor bugfixes (32-bit OSX and iOS, timing):
        - Fix an integer overflow bug in our optimized 32-bit millisecond-
          difference algorithm for 32-bit Apple platforms. Previously, it
          would overflow when calculating the difference between two times
          more than 47 days apart. Fixes part of bug 27139; bugfix
          on 0.3.4.1-alpha.
        - Improve the precision of our 32-bit millisecond difference
          algorithm for 32-bit Apple platforms. Fixes part of bug 27139;
          bugfix on 0.3.4.1-alpha.
        - Relax the tolerance on the mainloop/update_time_jumps test when
          running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix
          on 0.3.4.1-alpha.
    
      o Minor bugfixes (bootstrap):
        - Try harder to get descriptors in non-exit test networks, by using
          the mid weight for the third hop when there are no exits. Fixes
          bug 27237; bugfix on 0.2.6.2-alpha.
    
      o Minor bugfixes (C correctness):
        - Avoid casting smartlist index to int implicitly, as it may trigger
          a warning (-Wshorten-64-to-32). Fixes bug 26282; bugfix on
          0.2.3.13-alpha, 0.2.7.1-alpha and 0.2.1.1-alpha.
        - Use time_t for all values in
          predicted_ports_prediction_time_remaining(). Rework the code that
          computes the difference between durations/timestamps. Fixes bug
          27165; bugfix on 0.3.1.1-alpha.
    
      o Minor bugfixes (client, memory usage):
        - When not running as a directory cache, there is no need to store
          the text of the current consensus networkstatus in RAM.
          Previously, however, clients would store it anyway, at a cost of
          over 5 MB. Now, they do not. Fixes bug 27247; bugfix
          on 0.3.0.1-alpha.
    
      o Minor bugfixes (client, ReachableAddresses):
        - Instead of adding a "reject *:*" line to ReachableAddresses when
          loading the configuration, add one to the policy after parsing it
          in parse_reachable_addresses(). This prevents extra "reject *:*"
          lines from accumulating on reloads. Fixes bug 20874; bugfix on
          0.1.1.5-alpha. Patch by Neel Chauhan.
    
      o Minor bugfixes (code quality):
        - Rename sandbox_getaddrinfo() and other functions to no longer
          misleadingly suggest that they are sandbox-only. Fixes bug 26525;
          bugfix on 0.2.7.1-alpha.
    
      o Minor bugfixes (code safety):
        - Rewrite our assertion macros so that they no longer suppress the
          compiler's -Wparentheses warnings. Fixes bug 27709; bugfix
          on 0.0.6.
    
      o Minor bugfixes (compilation):
        - Initialize a variable unconditionally in aes_new_cipher(), since
          some compilers cannot tell that we always initialize it before
          use. Fixes bug 28413; bugfix on 0.2.9.3-alpha.
    
      o Minor bugfixes (configuration):
        - Refuse to start with relative file paths and RunAsDaemon set
          (regression from the fix for bug 22731). Fixes bug 28298; bugfix
          on 0.3.3.1-alpha.
    
      o Minor bugfixes (configuration, Onion Services):
        - In rend_service_parse_port_config(), do not allow any input to
          remain after the address-port pair has been parsed. This catches
          an address and port that the user has mistakenly separated with
          whitespace. Fixes bug 27044; bugfix on 0.2.9.10.
    
      o Minor bugfixes (connection, relay):
        - Avoid logging a BUG() stacktrace when closing a connection held
          open because the write side is rate limited but not the read side.
          Now, the connection read side is simply shut down until Tor is
          able to flush the connection and close it. Fixes bug 27750; bugfix
          on 0.3.4.1-alpha.
    
      o Minor bugfixes (continuous integration, Windows):
        - Stop reinstalling identical packages in our Windows CI. Fixes bug
          27464; bugfix on 0.3.4.1-alpha.
        - Install only the necessary mingw packages during our appveyor
          builds. This change makes the build a little faster, and prevents
          a conflict with a preinstalled mingw openssl that appveyor now
          ships. Fixes bugs 27765 and 27943; bugfix on 0.3.4.2-alpha.
        - Explicitly specify the path to the OpenSSL library and do not
          download OpenSSL from Pacman, but instead use the library that is
          already provided by AppVeyor. Fixes bug 28574; bugfix on master.
        - Manually configure the zstd compiler options, when building using
          mingw on Appveyor Windows CI. The MSYS2 mingw zstd package does
          not come with a pkg-config file. Fixes bug 28454; bugfix
          on 0.3.4.1-alpha.
        - Stop using an external OpenSSL install, and stop installing MSYS2
          packages, when building using mingw on Appveyor Windows CI. Fixes
          bug 28399; bugfix on 0.3.4.1-alpha.
    
      o Minor bugfixes (controller):
        - Consider all routerinfo errors other than "not a server" to be
          transient for the purpose of a "GETINFO exit-policy/*" controller
          request. Print a stack trace in the unlikely case of failing to
          recompute the routerinfo digest. Fixes bug 27034; bugfix
          on 0.3.4.1-alpha.
    
      o Minor bugfixes (correctness):
        - Fix an unreached code path where we checked the value of
          "hostname" inside send_resolved_hostname_cell(). Previously, we
          used it before checking it; now we check it first. Fixes bug
          28879; bugfix on 0.1.2.7-alpha.
    
      o Minor bugfixes (directory connection shutdown):
        - Avoid a double-close when shutting down a stalled directory
          connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.
    
      o Minor bugfixes (directory permissions):
        - When a user requests a group-readable DataDirectory, give it to
          them. Previously, when the DataDirectory and the CacheDirectory
          were the same, the default setting (0) for
          CacheDirectoryGroupReadable would override the setting for
          DataDirectoryGroupReadable. Fixes bug 26913; bugfix
          on 0.3.3.1-alpha.
    
      o Minor bugfixes (HTTP tunnel):
        - Fix a bug warning when closing an HTTP tunnel connection due to an
          HTTP request we couldn't handle. Fixes bug 26470; bugfix
          on 0.3.2.1-alpha.
    
      o Minor bugfixes (ipv6):
        - In addrs_in_same_network_family(), we choose the subnet size based
          on the IP version (IPv4 or IPv6). Previously, we chose a fixed
          subnet size of /16 for both IPv4 and IPv6 addresses. Fixes bug
          15518; bugfix on 0.2.3.1-alpha. Patch by Neel Chauhan.
    
      o Minor bugfixes (Linux seccomp2 sandbox):
        - Permit the "shutdown()" system call, which is apparently used by
          OpenSSL under some circumstances. Fixes bug 28183; bugfix
          on 0.2.5.1-alpha.
    
      o Minor bugfixes (logging):
        - Stop talking about the Named flag in log messages. Clients have
          ignored the Named flag since 0.3.2. Fixes bug 28441; bugfix
          on 0.3.2.1-alpha.
        - As a precaution, do an early return from log_addr_has_changed() if
          Tor is running as a client. Also, log a stack trace for debugging,
          as this function should only be called when Tor runs as a server.
          Fixes bug 26892; bugfix on 0.1.1.9-alpha.
        - Refrain from mentioning bug 21018 in the logs, as it is already
          fixed. Fixes bug 25477; bugfix on 0.2.9.8.
    
      o Minor bugfixes (logging, documentation):
        - When SafeLogging is enabled, scrub the IP address in
          channel_tls_process_netinfo_cell(). Also, add a note to the manpage
          that scrubbing is not guaranteed on loglevels below Notice. Fixes
          bug 26882; bugfix on 0.2.4.10-alpha.
    
      o Minor bugfixes (memory leaks):
        - Fix a harmless memory leak in libtorrunner.a. Fixes bug 28419;
          bugfix on 0.3.3.1-alpha. Patch from Martin Kepplinger.
        - Fix a small memory leak when calling Tor with --dump-config. Fixes
          bug 27893; bugfix on 0.3.2.1-alpha.
    
      o Minor bugfixes (netflow padding):
        - Ensure circuitmux queues are empty before scheduling or sending
          padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.
    
      o Minor bugfixes (onion service v2):
        - Log at level "info", not "warning", in the case that we do not
          have a consensus when a .onion request comes in. This can happen
          normally while bootstrapping. Fixes bug 27040; bugfix
          on 0.2.8.2-alpha.
    
      o Minor bugfixes (onion service v3):
        - When deleting an ephemeral onion service (DEL_ONION), do not close
          any rendezvous circuits, so that existing client connections can
          finish by themselves or be closed by the application. HS v2
          already does this, so now we have the same behavior for all
          versions. Fixes bug 28619; bugfix on 0.3.3.1-alpha.
        - Build the service descriptor's signing key certificate before
          uploading, so that we always have a fresh one and it has no chance
          to expire on the service side. Fixes bug 27838; bugfix
          on 0.3.2.1-alpha.
        - Stop dumping a stack trace when trying to connect to an intro
          point without having a descriptor for it. Fixes bug 27774; bugfix
          on 0.3.2.1-alpha.
        - When selecting a v3 rendezvous point, don't only look at the
          protover, but also check whether the curve25519 onion key is
          present. This way we avoid picking a relay that supports the v3
          rendezvous but for which we don't have the microdescriptor. Fixes
          bug 27797; bugfix on 0.3.2.1-alpha.
        - Close all SOCKS requests (for the same .onion) if the newly
          fetched descriptor is unusable. Previously, we would close only
          the first one, leaving the others hanging until they timed out by
          themselves. Fixes bug 27410; bugfix on 0.3.2.1-alpha.
        - When the onion service directory can't be created or has the wrong
          permissions, do not log a stack trace. Fixes bug 27335; bugfix
          on 0.3.2.1-alpha.
        - When replacing a descriptor in the client cache, make sure to
          close all client introduction circuits for the old descriptor, so
          we don't end up with unusable leftover circuits. Fixes bug 27471;
          bugfix on 0.3.2.1-alpha.
    
      o Minor bugfixes (OS compatibility):
        - Properly handle configuration changes that move a listener to/from
          a wildcard IP address. If the first attempt to bind a socket fails,
          close the old listener and try binding the socket again. Fixes bug
          17873; bugfix on 0.0.8pre-1.
    
      o Minor bugfixes (performance):
        - Rework node_is_a_configured_bridge() to no longer call
          node_get_all_orports(), which was performing too many memory
          allocations. Fixes bug 27224; bugfix on 0.2.3.9.
    
      o Minor bugfixes (protover):
        - Reject protocol names containing bytes other than alphanumeric
          characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
          on 0.2.9.4-alpha.
    
      o Minor bugfixes (protover, rust):
        - Reject extra commas in version strings. Fixes bug 27197; bugfix
          on 0.3.3.3-alpha.
        - protover_all_supported() would attempt to allocate up to 16GB on
          some inputs, leading to a potential memory DoS. Fixes bug 27206;
          bugfix on 0.3.3.5-rc.
        - Compute protover votes correctly in the rust version of the
          protover code. Previously, the protover rewrite in 24031 allowed
          repeated votes from the same voter for the same protocol version
          to be counted multiple times in protover_compute_vote(). Fixes bug
          27649; bugfix on 0.3.3.5-rc.
        - Reject protover names that contain invalid characters. Fixes bug
          27687; bugfix on 0.3.3.1-alpha.
    
      o Minor bugfixes (relay shutdown, systemd):
        - Notify systemd of ShutdownWaitLength so it can be set to longer
          than systemd's TimeoutStopSec. In Tor's systemd service file, set
          TimeoutSec to 60 seconds to allow Tor some time to shut down.
          Fixes bug 28113; bugfix on 0.2.6.2-alpha.
    
      o Minor bugfixes (relay statistics):
        - Update relay descriptor on bandwidth changes only when the uptime
          is smaller than 24h, in order to reduce the efficiency of guard
          discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.
    
      o Minor bugfixes (relay):
        - Consider the fact that we'll be making direct connections to our
          entry and guard nodes when computing the fraction of nodes that
          have their descriptors. Also, if we are using bridges and there is
          at least one bridge with a full descriptor, treat the fraction of
          guards available as 100%. Fixes bug 25886; bugfix on 0.2.4.10-alpha.
          Patch by Neel Chauhan.
        - Update the message logged on relays when DirCache is disabled.
          Since 0.3.3.5-rc, authorities require DirCache (V2Dir) for the
          Guard flag. Fixes bug 24312; bugfix on 0.3.3.5-rc.
    
      o Minor bugfixes (testing):
        - Stop running stem's unit tests as part of "make test-stem", but
          continue to run stem's unit and online tests during
          "make test-stem-full". Fixes bug 28568; bugfix on 0.2.6.3-alpha.
        - Stop leaking memory in an entry guard unit test. Fixes bug 28554;
          bugfix on 0.3.0.1-alpha.
        - Make the hs_service tests use the same time source when creating
          the introduction point and when testing it. Now tests work better
          on very slow systems like ARM or Travis. Fixes bug 27810; bugfix
          on 0.3.2.1-alpha.
        - Revise the "conditionvar_timeout" test so that it succeeds even on
          heavily loaded systems where the test threads are not scheduled
          within 200 msec. Fixes bug 27073; bugfix on 0.2.6.3-alpha.
        - Fix two unit tests to work when the HOME environment variable is
          not set. Fixes bug 27096; bugfix on 0.2.8.1-alpha.
        - If a unit test running in a subprocess exits abnormally or with a
          nonzero status code, treat the test as having failed, even if the
          test reported success. Without this fix, memory leaks don't cause
          the tests to fail, even with LeakSanitizer. Fixes bug 27658;
          bugfix on 0.2.2.4-alpha.
        - When logging a version mismatch in our openssl_version tests,
          report the actual offending version strings. Fixes bug 26152;
          bugfix on 0.2.9.1-alpha.
        - Fix forking tests on Windows when there is a space somewhere in
          the path. Fixes bug 26437; bugfix on 0.2.2.4-alpha.
    
      o Minor bugfixes (Windows):
        - Correctly identify Windows 8.1, Windows 10, and Windows Server
          2008 and later from their NT versions. Fixes bug 28096; bugfix on
          0.2.2.34; reported by Keifer Bly.
        - On recent Windows versions, the GetVersionEx() function may report
          an earlier Windows version than the running OS. To avoid user
          confusion, add "[or later]" to Tor's version string on affected
          versions of Windows. Fixes bug 28096; bugfix on 0.2.2.34; reported
          by Keifer Bly.
        - Remove Windows versions that were never supported by the
          GetVersionEx() function. Stop duplicating the latest Windows
          version in get_uname(). Fixes bug 28096; bugfix on 0.2.2.34;
          reported by Keifer Bly.
    
      o Code simplification and refactoring:
        - When parsing a port configuration, make it more obvious to static
          analyzer tools that we always initialize the address. Closes
          ticket 28881.
        - Divide more large Tor source files -- especially ones that span
          multiple areas of functionality -- into smaller parts, including
          onion.c and main.c. Closes ticket 26747.
        - Divide the "routerparse.c" module into separate modules for each
          group of parsed objects. Closes ticket 27924.
        - Move protover_rust.c to the same place protover.c was moved to.
          Closes ticket 27814.
        - Split directory.c into separate pieces for client, server, and