Loading ChangeLog +113 −126 Original line number Diff line number Diff line Loading @@ -2,94 +2,86 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? This release includes several security and performance improvements for clients and relays, including XXX This release marks end-of-line for Tor 0.2.2.x; those Tor versions have accumulated many known flaws; everyone should upgrade. This release marks end-of-line for Tor 0.2.2.x; those Tor versions have accumulated many known flaws; everyone should upgrade. o Major features (security): - Block authority signing keys that were used on an authorities vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). (We - Block authority signing keys that were used on authorities vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We don't have any evidence that these keys _were_ compromised; we're doing this to be prudent.) Resolves ticket 11464. o Major features (relay performance): - Faster server-side lookups of rendezvous and introduction point circuits by using hashtables instead of linear searches over all the circuits. These functions previously accounted between 3 and 7% of CPU usage on some busy relays. - Avoid wasting cycles looking for usable circuit IDs. Previously, when allocating a new circuit ID, we would in the worst case do a linear scan over the entire possible range of circuit IDs before deciding that we had exhausted our possibilities. Now, we try 64 circuit IDs at random before deciding that we probably won't succeed. Fix for a possible root cause of ticket #11553. o Major features (seccomp2 sandbox): - Refinements and improvements to the Linux seccomp2 sandbox code: the sandbox can now run a test network for multiple hours without crashing. (Previous crash reasons included: reseeding the OpenSSL PRNG, seeding the Libevent PRNG, using the wrong combination of CLOEXEC and NONBLOCK at the same place and time, having onion keys, being an authority, receiving a HUP, or using IPv6.) The sandbox is still experimental, and more bugs will probably turn up. To try it, enable "Sandbox 1" on a Linux host. - Strengthen the Linux seccomp2 sandbox code: the sandbox can now test the arguments for rename(), and blocks _sysctl() entirely. - When the Linux syscall sandbox finds an illegal system call, it now tries to log a stack trace before exiting. Resolves ticket 11465. - Speed up server-side lookups of rendezvous and introduction point circuits by using hashtables instead of linear searches. These functions previously accounted between 3 and 7% of CPU usage on some busy relays. Resolves ticket 9841. - Avoid wasting CPU when extending a circuit over a channel that is nearly out of circuit IDs. Previously, we would in the worst case do a linear scan over all possible circuit IDs before deciding that we had exhausted our possibilities. Now, we try at most 64 random circuit IDs before deciding that we probably won't succeed. Fix for a possible root cause of ticket #11553. o Major features (seccomp2 sandbox, Linux only): - The seccomp2 sandbox can now run a test network for multiple hours without crashing. The sandbox is still experimental, and more bugs will probably turn up. To try it, enable "Sandbox 1" on a Linux host. - Strengthen sandbox code: the sandbox can now test the arguments for rename(), and blocks _sysctl() entirely. - When the sandbox blocks a system call, it now tries to log a stack trace before exiting. Resolves ticket 11465. o Major bugfixes (TLS cipher selection): - Generate the relay's preference list for ciphersuites automatically based on uniform criteria, and considering all OpenSSL ciphersuites with acceptable strength and forward secrecy. (The sort order is: prefer AES to 3DES; break ties by preferring ECDHE to DHE; break ties by preferring GCM to CBC; break ties by preferring SHA384 to SHA256 to SHA1; and finally, break ties by preferring AES256 to AES128.) This resolves bugs #11513, #11492, #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on - The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and forward secrecy. Previously, we had omitted some perfectly fine ciphersuites. Resolves bugs #11513, #11492, #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on 0.2.4.8-alpha. - Relays now trust themselves to have a better view than clients of which TLS ciphersuites to choose. (Thanks to #11513, the relay list is now well-considered, whereas the client list has been chosen mainly for anti-fingerprinting purposes.) Resolves ticket 11528. - Update the list of TLS ciphersuites that a client advertises to match those advertised by Firefox 28. This enables selection of (fast) GCM ciphersuites, disables some strange old ciphers, and disables the ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket 11438. which TLS ciphersuites are better than others. (Thanks to #11513, the relay list is now well-considered, whereas the client list has been chosen mainly for anti-fingerprinting purposes.) Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over AES128. Resolves ticket 11528. - Clients now try to advertise the same list of ciphersuites as Firefox 28. This change enables selection of (fast) GCM ciphersuites, disables some strange old ciphers, and disables the ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket 11438. o Major bugfixes (undefined behavior): - Fix two instances of possible undefined behavior in channeltls.c that could, under unlucky circumstances, have led to a pointer overflow. Fixes bug #10363; bugfixes on 0.2.0.10-alpha and 0.2.3.6-alpha. Reported by "bobnomnom". - Fix another possibly undefined pointer operations in tor_memmem fallback implementation. Another case of bug #10363; bugfix on 0.1.1.1-alpha. - Fix another possibly undefined pointer operations in the eventdns fallback implementation. Another case of bug #10363; bugfix on 0.1.2.1-alpha. - Use AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix some miscellaneous errors in our tests and codebase. Fix for bug 11232. Bugfixes on versions back as far as 0.2.1.11-alpha. - Fix various instances of undefined behavior in channeltls.c, tor_memmem(), and eventdns.c, that would cause us to construct pointers to memory outside an allocated object. (These invalid pointers were not accessed, but C does not even allow them to exist.) Fixes bug #10363; bugfixes on 0.2.0.10-alpha, 0.2.3.6-alpha, 0.1.1.1-alpha, and 0.1.2.1-alpha. Reported by "bobnomnom". - Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix some miscellaneous errors in our tests and codebase. Fix for bug 11232. Bugfixes on versions back as far as 0.2.1.11-alpha. o Minor features (Transparent proxy, *BSD): - Support the ipfw firewall interface for transparent proxy support on FreeBSD. To enable it, set "TransProxyType ipfw" in your torrc. Resolves ticket 10267; patch from "yurivict". - Support OpenBSD's divert-to rules with the pf firewall, when "TransProxyType pf-divert" is specified. This allows Tor to run a TransPort transparent proxy port on OpenBSD 4.4 or later without root privileges. See the pf.conf(5) manual page for information on configuring pf to use divert-to rules. Closes ticket 10896; patch from Dana Koch. - Support FreeBSD's ipfw firewall interface for TransPort ports. on FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket 10267; patch from "yurivict". - Support OpenBSD's divert-to rules with the pf firewall for transparent proxy ports. To enable it, set "TransProxyType pf- divert". This allows Tor to run a TransPort transparent proxy port on OpenBSD 4.4 or later without root privileges. See the pf.conf(5) manual page for information on configuring pf to use divert-to rules. Closes ticket 10896; patch from Dana Koch. o Minor features (security): - New --enable-expensive-hardening option to turn on security - New --enable-expensive-hardening option to enable security hardening options that consume nontrivial amounts of CPU and memory. Right now, this includes AddressSanitizer and UbSan. Closes ticket 11477. memory. Right now, this includes AddressSanitizer and UbSan, which are supported in newer versions of GCC and Clang. Closes ticket 11477. - If you don't specify MaxMemInQueues yourself, Tor now tries to pick a good value based on your total system memory. Previously, the default was always 8 GB. You can still override the default by Loading @@ -105,16 +97,14 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? at every 5% of progress. Fixes bug 9963. o Minor features (relay): - If a circuit timed out for at least 3 minutes check if we have a new external IP address the next time we run our routine checks. If our IP address has changed, then publish a new descriptor with the new IP address. Resolves ticket 2454. - If a circuit timed out for at least 3 minutes, check if we have a new external IP address, and publish a new descriptor with the new IP address if it changed. Resolves ticket 2454. - Warn less verbosely when receiving a malformed ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279. - When we run out of usable circuit IDs on a channel, log only one warning for the whole channel, and include a description of how many circuits there were on the channel. Fix for part of ticket #11553. warning for the whole channel, and describe how many circuits there were on the channel. Fix for part of ticket #11553. o Minor features (controller): - Make the entire exit policy available from the control port via Loading @@ -131,36 +121,34 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? going unnoticed. Closes ticket 8787. o Minor features (bridge client): - Report a failure to connect to a bridge because its transport type has no configured pluggable transport as a new type of bootstrap failure. Resolves ticket 9665. Patch from Fábio J. Bertinatto. - Report a more useful failure message when we can't connect to a bridge because we don't have the right pluggable transport configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto. o Minor features (diagnostic): - Try harder to diagnose a possible cause of bug 7164, which causes - Add more log messages to diagnose bug 7164, which causes intermittent "microdesc_free() called but md was still referenced" warnings. We now log more information about the likely error case, to try to figure out why we might be cleaning a microdescriptor as old if it's still referenced by a live node_t object. warnings. We now include more information, to figure out why we might be cleaning a microdescriptor for being too old if it's still referenced by a live node_t object. o Minor bugfixes (logging): - Log only one message when we start logging in an unsafe way. Previously, we would log as many messages as we had problems. Fix for #9870; bugfix on 0.2.5.1-alpha. - Warn only once we start logging in an unsafe way. Previously, we complain as many times we had problems. Fix for #9870; bugfix on 0.2.5.1-alpha. - Using the Linux seccomp2 sandbox no longer prevents stack-trace logging on crashes or errors. Fixes part 11465; bugfix on 0.2.5.1-alpha. - Only report the first fatal bootstrap error on a given OR connection. This prevents controllers from declaring that a connection has failed because of "DONE" or other junk reasons. Fixes bug 10431; bugfix on 0.2.1.1-alpha. - Improve the warning message when trying to enable the Linux sandbox code on a Tor built without libseccomp. Instead of saying "Sandbox is not implemented on this platform", we now explain that we to need be built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha. - Avoid generating spurious warnings and failure messages when starting with DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on 0.2.3.9-alpha. connection. This stops us from telling the controller bogus error messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha. - Be more helpful when trying to run sandboxed on Linux without libseccomp. Instead of saying "Sandbox is not implemented on this platform", we now explain that we to need be built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha. - Avoid generating spurious warnings when starting with DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on 0.2.3.9-alpha. o Minor bugfixes (closing channels): - If write_to_buf() in connection_write_to_buf_impl_() ever fails, Loading @@ -169,12 +157,12 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? connection_mark_for_close() directly. Fixes bug #11304; bugfix on 0.2.4.4-alpha. - When closing all connections on setting DisableNetwork to 1, use connection_or_close_normally() rather than closing OR connections out from under the channel layer. Fixes bug #11306; bugfix on connection_or_close_normally() rather than closing OR connections out from under the channel layer. Fixes bug #11306; bugfix on 0.2.4.4-alpha. o Minor bugfixes (controller): - Avoid sending an garbage value to the controller when a circuit is - Avoid sending a garbage value to the controller when a circuit is cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha. o Minor bugfixes (tor-fw-helper): Loading @@ -187,24 +175,24 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? Fixes bug 9650; bugfix on 0.2.3.16-alpha. o Minor bugfixes (misc): - Don't re-initialize a second set of openssl mutexes when starting up. Fixes bug 11726; bugfix on 0.2.5.3-alpha. o Minor bugfixes (memory leaks): - Fix a minor memory leak that occurred when signing a directory object. Fixes bug 11275; bugfix on 0.2.4.13-alpha. - Don't re-initialize a second set of OpenSSL mutexes when starting up. Previously, we'd make one set of mutexes, and then immediately replace them with another. Fixes bug 11726; bugfix on 0.2.5.3-alpha. o Minor bugfixes (platform-specific): - Fix compilation on Solaris, which does not have <endian.h>. Fixes bug 11426; bugfix on 0.2.5.3-alpha. - When dumping a malformed directory object to disk, save it in binary mode on windows, not text mode. Fixes bug 11342; bugfix on binary mode on Windows, not text mode. Fixes bug 11342; bugfix on 0.2.2.1-alpha. - When reporting a failure from make_socket_reuseable(), don't report a warning when we get a failure from an incoming socket on OSX. Fix for bug 10081. - Don't report failures from make_socket_reuseable() on incoming sockets on OSX: this can happen when incoming connections close early. Fix for bug 10081. o Minor bugfixes (trivial memory leaks): - Fix a small memory leak when signing a directory object. Fixes bug 11275; bugfix on 0.2.4.13-alpha. - Free placeholder entries in our circuit table at exit; fixes a harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha. - Resolve some memory leaks found by coverity in the unit tests, on Loading @@ -217,23 +205,22 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? times, not 30. Fixes bug #4241; bugfix on 0.1.0.1-rc. o Minor bugfixes (bridge client): - Stop accepting bridge lines containing hostnames. Doing so allowed clients to perform DNS requests on the hostnames, which was not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. - Fix a bug where a client-side Tor with pluggable transports would take 60 seconds to bootstrap if a config re-read was triggered at just the right timing during bootstrap. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha. - Stop accepting bridge lines containing hostnames. Doing so would cause clients to perform DNS requests on the hostnames, which was not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. - Avoid a 60-second delay in the bootstrapping process when a Tor client with pluggable transports re-reads its configuration at just the wrong time. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha. - Avoid 60-second delays in the bootstrapping process when Tor is launching for a second time while using bridges. Fixes bug 9229; bugfix on 0.2.0.3-alpha. o Minor bugfixes (DNS): - When receiving a DNS query for an unsupported type, reply with no answer rather than with a NOTIMPL error. This behavior isn't correct either, but it will break fewer client programs, we hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from "epoch". - When receiving a DNS query for an unsupported record type, reply with no answer rather than with a NOTIMPL error. This behavior isn't correct either, but it will break fewer client programs, we hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from "epoch". o Minor bugfixes (exit): - Stop leaking memory when we successfully resolve a PTR record. Loading Loading @@ -266,8 +253,8 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? o Deprecated versions: - Tor 0.2.2.x has reached end-of-life; it has received no patches or attention for some while. Directory authorities no longer accept descriptors from relays running any version of Tor prior to Tor 0.2.3.16-alpha. Resolves ticket 11149. descriptors from relays running any version of Tor prior to Tor 0.2.3.16-alpha. Resolves ticket 11149. o Testing: - New macros in test.h to simplify writing mock-functions for unit Loading Loading
ChangeLog +113 −126 Original line number Diff line number Diff line Loading @@ -2,94 +2,86 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? This release includes several security and performance improvements for clients and relays, including XXX This release marks end-of-line for Tor 0.2.2.x; those Tor versions have accumulated many known flaws; everyone should upgrade. This release marks end-of-line for Tor 0.2.2.x; those Tor versions have accumulated many known flaws; everyone should upgrade. o Major features (security): - Block authority signing keys that were used on an authorities vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). (We - Block authority signing keys that were used on authorities vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We don't have any evidence that these keys _were_ compromised; we're doing this to be prudent.) Resolves ticket 11464. o Major features (relay performance): - Faster server-side lookups of rendezvous and introduction point circuits by using hashtables instead of linear searches over all the circuits. These functions previously accounted between 3 and 7% of CPU usage on some busy relays. - Avoid wasting cycles looking for usable circuit IDs. Previously, when allocating a new circuit ID, we would in the worst case do a linear scan over the entire possible range of circuit IDs before deciding that we had exhausted our possibilities. Now, we try 64 circuit IDs at random before deciding that we probably won't succeed. Fix for a possible root cause of ticket #11553. o Major features (seccomp2 sandbox): - Refinements and improvements to the Linux seccomp2 sandbox code: the sandbox can now run a test network for multiple hours without crashing. (Previous crash reasons included: reseeding the OpenSSL PRNG, seeding the Libevent PRNG, using the wrong combination of CLOEXEC and NONBLOCK at the same place and time, having onion keys, being an authority, receiving a HUP, or using IPv6.) The sandbox is still experimental, and more bugs will probably turn up. To try it, enable "Sandbox 1" on a Linux host. - Strengthen the Linux seccomp2 sandbox code: the sandbox can now test the arguments for rename(), and blocks _sysctl() entirely. - When the Linux syscall sandbox finds an illegal system call, it now tries to log a stack trace before exiting. Resolves ticket 11465. - Speed up server-side lookups of rendezvous and introduction point circuits by using hashtables instead of linear searches. These functions previously accounted between 3 and 7% of CPU usage on some busy relays. Resolves ticket 9841. - Avoid wasting CPU when extending a circuit over a channel that is nearly out of circuit IDs. Previously, we would in the worst case do a linear scan over all possible circuit IDs before deciding that we had exhausted our possibilities. Now, we try at most 64 random circuit IDs before deciding that we probably won't succeed. Fix for a possible root cause of ticket #11553. o Major features (seccomp2 sandbox, Linux only): - The seccomp2 sandbox can now run a test network for multiple hours without crashing. The sandbox is still experimental, and more bugs will probably turn up. To try it, enable "Sandbox 1" on a Linux host. - Strengthen sandbox code: the sandbox can now test the arguments for rename(), and blocks _sysctl() entirely. - When the sandbox blocks a system call, it now tries to log a stack trace before exiting. Resolves ticket 11465. o Major bugfixes (TLS cipher selection): - Generate the relay's preference list for ciphersuites automatically based on uniform criteria, and considering all OpenSSL ciphersuites with acceptable strength and forward secrecy. (The sort order is: prefer AES to 3DES; break ties by preferring ECDHE to DHE; break ties by preferring GCM to CBC; break ties by preferring SHA384 to SHA256 to SHA1; and finally, break ties by preferring AES256 to AES128.) This resolves bugs #11513, #11492, #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on - The relay ciphersuite list is now generated automatically based on uniform criteria, and includes all OpenSSL ciphersuites with acceptable strength and forward secrecy. Previously, we had omitted some perfectly fine ciphersuites. Resolves bugs #11513, #11492, #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on 0.2.4.8-alpha. - Relays now trust themselves to have a better view than clients of which TLS ciphersuites to choose. (Thanks to #11513, the relay list is now well-considered, whereas the client list has been chosen mainly for anti-fingerprinting purposes.) Resolves ticket 11528. - Update the list of TLS ciphersuites that a client advertises to match those advertised by Firefox 28. This enables selection of (fast) GCM ciphersuites, disables some strange old ciphers, and disables the ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket 11438. which TLS ciphersuites are better than others. (Thanks to #11513, the relay list is now well-considered, whereas the client list has been chosen mainly for anti-fingerprinting purposes.) Relays prefer: AES over 3DES; then ECDHE over DHE; then GCM over CBC; then SHA384 over SHA256 over SHA1; and last, AES256 over AES128. Resolves ticket 11528. - Clients now try to advertise the same list of ciphersuites as Firefox 28. This change enables selection of (fast) GCM ciphersuites, disables some strange old ciphers, and disables the ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket 11438. o Major bugfixes (undefined behavior): - Fix two instances of possible undefined behavior in channeltls.c that could, under unlucky circumstances, have led to a pointer overflow. Fixes bug #10363; bugfixes on 0.2.0.10-alpha and 0.2.3.6-alpha. Reported by "bobnomnom". - Fix another possibly undefined pointer operations in tor_memmem fallback implementation. Another case of bug #10363; bugfix on 0.1.1.1-alpha. - Fix another possibly undefined pointer operations in the eventdns fallback implementation. Another case of bug #10363; bugfix on 0.1.2.1-alpha. - Use AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix some miscellaneous errors in our tests and codebase. Fix for bug 11232. Bugfixes on versions back as far as 0.2.1.11-alpha. - Fix various instances of undefined behavior in channeltls.c, tor_memmem(), and eventdns.c, that would cause us to construct pointers to memory outside an allocated object. (These invalid pointers were not accessed, but C does not even allow them to exist.) Fixes bug #10363; bugfixes on 0.2.0.10-alpha, 0.2.3.6-alpha, 0.1.1.1-alpha, and 0.1.2.1-alpha. Reported by "bobnomnom". - Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix some miscellaneous errors in our tests and codebase. Fix for bug 11232. Bugfixes on versions back as far as 0.2.1.11-alpha. o Minor features (Transparent proxy, *BSD): - Support the ipfw firewall interface for transparent proxy support on FreeBSD. To enable it, set "TransProxyType ipfw" in your torrc. Resolves ticket 10267; patch from "yurivict". - Support OpenBSD's divert-to rules with the pf firewall, when "TransProxyType pf-divert" is specified. This allows Tor to run a TransPort transparent proxy port on OpenBSD 4.4 or later without root privileges. See the pf.conf(5) manual page for information on configuring pf to use divert-to rules. Closes ticket 10896; patch from Dana Koch. - Support FreeBSD's ipfw firewall interface for TransPort ports. on FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket 10267; patch from "yurivict". - Support OpenBSD's divert-to rules with the pf firewall for transparent proxy ports. To enable it, set "TransProxyType pf- divert". This allows Tor to run a TransPort transparent proxy port on OpenBSD 4.4 or later without root privileges. See the pf.conf(5) manual page for information on configuring pf to use divert-to rules. Closes ticket 10896; patch from Dana Koch. o Minor features (security): - New --enable-expensive-hardening option to turn on security - New --enable-expensive-hardening option to enable security hardening options that consume nontrivial amounts of CPU and memory. Right now, this includes AddressSanitizer and UbSan. Closes ticket 11477. memory. Right now, this includes AddressSanitizer and UbSan, which are supported in newer versions of GCC and Clang. Closes ticket 11477. - If you don't specify MaxMemInQueues yourself, Tor now tries to pick a good value based on your total system memory. Previously, the default was always 8 GB. You can still override the default by Loading @@ -105,16 +97,14 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? at every 5% of progress. Fixes bug 9963. o Minor features (relay): - If a circuit timed out for at least 3 minutes check if we have a new external IP address the next time we run our routine checks. If our IP address has changed, then publish a new descriptor with the new IP address. Resolves ticket 2454. - If a circuit timed out for at least 3 minutes, check if we have a new external IP address, and publish a new descriptor with the new IP address if it changed. Resolves ticket 2454. - Warn less verbosely when receiving a malformed ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279. - When we run out of usable circuit IDs on a channel, log only one warning for the whole channel, and include a description of how many circuits there were on the channel. Fix for part of ticket #11553. warning for the whole channel, and describe how many circuits there were on the channel. Fix for part of ticket #11553. o Minor features (controller): - Make the entire exit policy available from the control port via Loading @@ -131,36 +121,34 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? going unnoticed. Closes ticket 8787. o Minor features (bridge client): - Report a failure to connect to a bridge because its transport type has no configured pluggable transport as a new type of bootstrap failure. Resolves ticket 9665. Patch from Fábio J. Bertinatto. - Report a more useful failure message when we can't connect to a bridge because we don't have the right pluggable transport configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto. o Minor features (diagnostic): - Try harder to diagnose a possible cause of bug 7164, which causes - Add more log messages to diagnose bug 7164, which causes intermittent "microdesc_free() called but md was still referenced" warnings. We now log more information about the likely error case, to try to figure out why we might be cleaning a microdescriptor as old if it's still referenced by a live node_t object. warnings. We now include more information, to figure out why we might be cleaning a microdescriptor for being too old if it's still referenced by a live node_t object. o Minor bugfixes (logging): - Log only one message when we start logging in an unsafe way. Previously, we would log as many messages as we had problems. Fix for #9870; bugfix on 0.2.5.1-alpha. - Warn only once we start logging in an unsafe way. Previously, we complain as many times we had problems. Fix for #9870; bugfix on 0.2.5.1-alpha. - Using the Linux seccomp2 sandbox no longer prevents stack-trace logging on crashes or errors. Fixes part 11465; bugfix on 0.2.5.1-alpha. - Only report the first fatal bootstrap error on a given OR connection. This prevents controllers from declaring that a connection has failed because of "DONE" or other junk reasons. Fixes bug 10431; bugfix on 0.2.1.1-alpha. - Improve the warning message when trying to enable the Linux sandbox code on a Tor built without libseccomp. Instead of saying "Sandbox is not implemented on this platform", we now explain that we to need be built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha. - Avoid generating spurious warnings and failure messages when starting with DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on 0.2.3.9-alpha. connection. This stops us from telling the controller bogus error messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha. - Be more helpful when trying to run sandboxed on Linux without libseccomp. Instead of saying "Sandbox is not implemented on this platform", we now explain that we to need be built with libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha. - Avoid generating spurious warnings when starting with DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on 0.2.3.9-alpha. o Minor bugfixes (closing channels): - If write_to_buf() in connection_write_to_buf_impl_() ever fails, Loading @@ -169,12 +157,12 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? connection_mark_for_close() directly. Fixes bug #11304; bugfix on 0.2.4.4-alpha. - When closing all connections on setting DisableNetwork to 1, use connection_or_close_normally() rather than closing OR connections out from under the channel layer. Fixes bug #11306; bugfix on connection_or_close_normally() rather than closing OR connections out from under the channel layer. Fixes bug #11306; bugfix on 0.2.4.4-alpha. o Minor bugfixes (controller): - Avoid sending an garbage value to the controller when a circuit is - Avoid sending a garbage value to the controller when a circuit is cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha. o Minor bugfixes (tor-fw-helper): Loading @@ -187,24 +175,24 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? Fixes bug 9650; bugfix on 0.2.3.16-alpha. o Minor bugfixes (misc): - Don't re-initialize a second set of openssl mutexes when starting up. Fixes bug 11726; bugfix on 0.2.5.3-alpha. o Minor bugfixes (memory leaks): - Fix a minor memory leak that occurred when signing a directory object. Fixes bug 11275; bugfix on 0.2.4.13-alpha. - Don't re-initialize a second set of OpenSSL mutexes when starting up. Previously, we'd make one set of mutexes, and then immediately replace them with another. Fixes bug 11726; bugfix on 0.2.5.3-alpha. o Minor bugfixes (platform-specific): - Fix compilation on Solaris, which does not have <endian.h>. Fixes bug 11426; bugfix on 0.2.5.3-alpha. - When dumping a malformed directory object to disk, save it in binary mode on windows, not text mode. Fixes bug 11342; bugfix on binary mode on Windows, not text mode. Fixes bug 11342; bugfix on 0.2.2.1-alpha. - When reporting a failure from make_socket_reuseable(), don't report a warning when we get a failure from an incoming socket on OSX. Fix for bug 10081. - Don't report failures from make_socket_reuseable() on incoming sockets on OSX: this can happen when incoming connections close early. Fix for bug 10081. o Minor bugfixes (trivial memory leaks): - Fix a small memory leak when signing a directory object. Fixes bug 11275; bugfix on 0.2.4.13-alpha. - Free placeholder entries in our circuit table at exit; fixes a harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha. - Resolve some memory leaks found by coverity in the unit tests, on Loading @@ -217,23 +205,22 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? times, not 30. Fixes bug #4241; bugfix on 0.1.0.1-rc. o Minor bugfixes (bridge client): - Stop accepting bridge lines containing hostnames. Doing so allowed clients to perform DNS requests on the hostnames, which was not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. - Fix a bug where a client-side Tor with pluggable transports would take 60 seconds to bootstrap if a config re-read was triggered at just the right timing during bootstrap. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha. - Stop accepting bridge lines containing hostnames. Doing so would cause clients to perform DNS requests on the hostnames, which was not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha. - Avoid a 60-second delay in the bootstrapping process when a Tor client with pluggable transports re-reads its configuration at just the wrong time. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha. - Avoid 60-second delays in the bootstrapping process when Tor is launching for a second time while using bridges. Fixes bug 9229; bugfix on 0.2.0.3-alpha. o Minor bugfixes (DNS): - When receiving a DNS query for an unsupported type, reply with no answer rather than with a NOTIMPL error. This behavior isn't correct either, but it will break fewer client programs, we hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from "epoch". - When receiving a DNS query for an unsupported record type, reply with no answer rather than with a NOTIMPL error. This behavior isn't correct either, but it will break fewer client programs, we hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from "epoch". o Minor bugfixes (exit): - Stop leaking memory when we successfully resolve a PTR record. Loading Loading @@ -266,8 +253,8 @@ Changes in version 0.2.5.4-alpha - 2014-04-?? o Deprecated versions: - Tor 0.2.2.x has reached end-of-life; it has received no patches or attention for some while. Directory authorities no longer accept descriptors from relays running any version of Tor prior to Tor 0.2.3.16-alpha. Resolves ticket 11149. descriptors from relays running any version of Tor prior to Tor 0.2.3.16-alpha. Resolves ticket 11149. o Testing: - New macros in test.h to simplify writing mock-functions for unit Loading