Commit 12b1d64b authored by Nick Mathewson's avatar Nick Mathewson 🦀
Browse files

Revise changelog verbiage; try to tighten it up.

parent 7d6562fa
Loading
Loading
Loading
Loading
+113 −126
Original line number Diff line number Diff line
@@ -2,94 +2,86 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
  This release includes several security and performance improvements
  for clients and relays, including XXX
  This release marks end-of-line for Tor 0.2.2.x; those Tor versions have
  accumulated many known flaws; everyone should upgrade.
  This release marks end-of-line for Tor 0.2.2.x; those Tor versions
  have accumulated many known flaws; everyone should upgrade.
  o Major features (security):
    - Block authority signing keys that were used on an authorities
      vulnerable to the "heartbleed" bug in openssl (CVE-2014-0160). (We
    - Block authority signing keys that were used on authorities
      vulnerable to the "heartbleed" bug in OpenSSL (CVE-2014-0160). (We
      don't have any evidence that these keys _were_ compromised; we're
      doing this to be prudent.) Resolves ticket 11464.
  o Major features (relay performance):
    - Faster server-side lookups of rendezvous and introduction point
      circuits by using hashtables instead of linear searches over all
      the circuits. These functions previously accounted between 3 and
      7% of CPU usage on some busy relays.
    - Avoid wasting cycles looking for usable circuit IDs. Previously,
      when allocating a new circuit ID, we would in the worst case do a
      linear scan over the entire possible range of circuit IDs before
      deciding that we had exhausted our possibilities. Now, we try 64
      circuit IDs at random before deciding that we probably won't
      succeed. Fix for a possible root cause of ticket #11553.
  o Major features (seccomp2 sandbox):
    - Refinements and improvements to the Linux seccomp2 sandbox code:
      the sandbox can now run a test network for multiple hours without
      crashing. (Previous crash reasons included: reseeding the OpenSSL
      PRNG, seeding the Libevent PRNG, using the wrong combination of
      CLOEXEC and NONBLOCK at the same place and time, having onion
      keys, being an authority, receiving a HUP, or using IPv6.) The
      sandbox is still experimental, and more bugs will probably turn
      up. To try it, enable "Sandbox 1" on a Linux host.
    - Strengthen the Linux seccomp2 sandbox code: the sandbox can now
      test the arguments for rename(), and blocks _sysctl() entirely.
    - When the Linux syscall sandbox finds an illegal system call, it
      now tries to log a stack trace before exiting. Resolves ticket
      11465.
    - Speed up server-side lookups of rendezvous and introduction point
      circuits by using hashtables instead of linear searches. These
      functions previously accounted between 3 and 7% of CPU usage on
      some busy relays. Resolves ticket 9841.
    - Avoid wasting CPU when extending a circuit over a channel that is
      nearly out of circuit IDs. Previously, we would in the worst case
      do a linear scan over all possible circuit IDs before deciding
      that we had exhausted our possibilities. Now, we try at most 64
      random circuit IDs before deciding that we probably won't succeed.
      Fix for a possible root cause of ticket #11553.
  o Major features (seccomp2 sandbox, Linux only):
    - The seccomp2 sandbox can now run a test network for multiple hours
      without crashing. The sandbox is still experimental, and more bugs
      will probably turn up. To try it, enable "Sandbox 1" on a Linux
      host.
    - Strengthen sandbox code: the sandbox can now test the arguments
      for rename(), and blocks _sysctl() entirely.
    - When the sandbox blocks a system call, it now tries to log a stack
      trace before exiting. Resolves ticket 11465.
  o Major bugfixes (TLS cipher selection):
    - Generate the relay's preference list for ciphersuites
      automatically based on uniform criteria, and considering all
      OpenSSL ciphersuites with acceptable strength and forward secrecy.
      (The sort order is: prefer AES to 3DES; break ties by preferring
      ECDHE to DHE; break ties by preferring GCM to CBC; break ties by
      preferring SHA384 to SHA256 to SHA1; and finally, break ties by
      preferring AES256 to AES128.) This resolves bugs #11513, #11492,
      #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on
    - The relay ciphersuite list is now generated automatically based on
      uniform criteria, and includes all OpenSSL ciphersuites with
      acceptable strength and forward secrecy. Previously, we had
      omitted some perfectly fine ciphersuites. Resolves bugs #11513,
      #11492, #11498, #11499. Bugs reported by 'cypherpunks'. Bugfix on
      0.2.4.8-alpha.
    - Relays now trust themselves to have a better view than clients of
      which TLS ciphersuites to choose. (Thanks to #11513, the relay
      list is now well-considered, whereas the client list has been
      chosen mainly for anti-fingerprinting purposes.) Resolves ticket
      11528.
    - Update the list of TLS ciphersuites that a client advertises to
      match those advertised by Firefox 28. This enables selection of
      (fast) GCM ciphersuites, disables some strange old ciphers, and
      disables the ECDH (not to be confused with ECDHE) ciphersuites.
      Resolves ticket 11438.
      which TLS ciphersuites are better than others. (Thanks to #11513,
      the relay list is now well-considered, whereas the client list has
      been chosen mainly for anti-fingerprinting purposes.) Relays
      prefer: AES over 3DES; then ECDHE over DHE; then GCM over CBC;
      then SHA384 over SHA256 over SHA1; and last, AES256 over AES128.
      Resolves ticket 11528.
    - Clients now try to advertise the same list of ciphersuites as
      Firefox 28. This change enables selection of (fast) GCM
      ciphersuites, disables some strange old ciphers, and disables the
      ECDH (not to be confused with ECDHE) ciphersuites. Resolves ticket
      11438.
  o Major bugfixes (undefined behavior):
    - Fix two instances of possible undefined behavior in channeltls.c
      that could, under unlucky circumstances, have led to a pointer
      overflow. Fixes bug #10363; bugfixes on 0.2.0.10-alpha and
      0.2.3.6-alpha. Reported by "bobnomnom".
    - Fix another possibly undefined pointer operations in tor_memmem
      fallback implementation. Another case of bug #10363; bugfix on
      0.1.1.1-alpha.
    - Fix another possibly undefined pointer operations in the eventdns
      fallback implementation. Another case of bug #10363; bugfix on
      0.1.2.1-alpha.
    - Use AddressSanitizer and Ubsan sanitizers (in clang-3.4) to fix
      some miscellaneous errors in our tests and codebase. Fix for bug
      11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
    - Fix various instances of undefined behavior in channeltls.c,
      tor_memmem(), and eventdns.c, that would cause us to construct
      pointers to memory outside an allocated object. (These invalid
      pointers were not accessed, but C does not even allow them to
      exist.) Fixes bug #10363; bugfixes on 0.2.0.10-alpha,
      0.2.3.6-alpha, 0.1.1.1-alpha, and 0.1.2.1-alpha. Reported by
      "bobnomnom".
    - Use the AddressSanitizer and Ubsan sanitizers (in clang-3.4) to
      fix some miscellaneous errors in our tests and codebase. Fix for
      bug 11232. Bugfixes on versions back as far as 0.2.1.11-alpha.
  o Minor features (Transparent proxy, *BSD):
    - Support the ipfw firewall interface for transparent proxy support
      on FreeBSD. To enable it, set "TransProxyType ipfw" in your torrc.
      Resolves ticket 10267; patch from "yurivict".
    - Support OpenBSD's divert-to rules with the pf firewall, when
      "TransProxyType pf-divert" is specified. This allows Tor to run a
      TransPort transparent proxy port on OpenBSD 4.4 or later without
      root privileges. See the pf.conf(5) manual page for information on
      configuring pf to use divert-to rules. Closes ticket 10896; patch
      from Dana Koch.
    - Support FreeBSD's ipfw firewall interface for TransPort ports. on
      FreeBSD. To enable it, set "TransProxyType ipfw". Resolves ticket
      10267; patch from "yurivict".
    - Support OpenBSD's divert-to rules with the pf firewall for
      transparent proxy ports. To enable it, set "TransProxyType pf-
      divert". This allows Tor to run a TransPort transparent proxy port
      on OpenBSD 4.4 or later without root privileges. See the
      pf.conf(5) manual page for information on configuring pf to use
      divert-to rules. Closes ticket 10896; patch from Dana Koch.
  o Minor features (security):
    - New --enable-expensive-hardening option to turn on security
    - New --enable-expensive-hardening option to enable security
      hardening options that consume nontrivial amounts of CPU and
      memory. Right now, this includes AddressSanitizer and UbSan.
      Closes ticket 11477.
      memory. Right now, this includes AddressSanitizer and UbSan, which
      are supported in newer versions of GCC and Clang. Closes ticket
      11477.
    - If you don't specify MaxMemInQueues yourself, Tor now tries to
      pick a good value based on your total system memory. Previously,
      the default was always 8 GB. You can still override the default by
@@ -105,16 +97,14 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
      at every 5% of progress. Fixes bug 9963.
  o Minor features (relay):
    - If a circuit timed out for at least 3 minutes check if we have a
      new external IP address the next time we run our routine checks.
      If our IP address has changed, then publish a new descriptor with
      the new IP address. Resolves ticket 2454.
    - If a circuit timed out for at least 3 minutes, check if we have a
      new external IP address, and publish a new descriptor with the new
      IP address if it changed. Resolves ticket 2454.
    - Warn less verbosely when receiving a malformed
      ESTABLISH_RENDEZVOUS cell. Fixes ticket 11279.
    - When we run out of usable circuit IDs on a channel, log only one
      warning for the whole channel, and include a description of how
      many circuits there were on the channel. Fix for part of ticket
      #11553.
      warning for the whole channel, and describe how many circuits
      there were on the channel. Fix for part of ticket #11553.
  o Minor features (controller):
    - Make the entire exit policy available from the control port via
@@ -131,36 +121,34 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
      going unnoticed. Closes ticket 8787.
  o Minor features (bridge client):
    - Report a failure to connect to a bridge because its transport type
      has no configured pluggable transport as a new type of bootstrap
      failure. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
    - Report a more useful failure message when we can't connect to a
      bridge because we don't have the right pluggable transport
      configured. Resolves ticket 9665. Patch from Fábio J. Bertinatto.
  o Minor features (diagnostic):
    - Try harder to diagnose a possible cause of bug 7164, which causes
    - Add more log messages to diagnose bug 7164, which causes
      intermittent "microdesc_free() called but md was still referenced"
      warnings. We now log more information about the likely error case,
      to try to figure out why we might be cleaning a microdescriptor as
      old if it's still referenced by a live node_t object.
      warnings. We now include more information, to figure out why we
      might be cleaning a microdescriptor for being too old if it's
      still referenced by a live node_t object.
  o Minor bugfixes (logging):
    - Log only one message when we start logging in an unsafe way.
      Previously, we would log as many messages as we had problems. Fix
      for #9870; bugfix on 0.2.5.1-alpha.
    - Warn only once we start logging in an unsafe way. Previously, we
      complain as many times we had problems. Fix for #9870; bugfix on
      0.2.5.1-alpha.
    - Using the Linux seccomp2 sandbox no longer prevents stack-trace
      logging on crashes or errors. Fixes part 11465; bugfix on
      0.2.5.1-alpha.
    - Only report the first fatal bootstrap error on a given OR
      connection. This prevents controllers from declaring that a
      connection has failed because of "DONE" or other junk reasons.
      Fixes bug 10431; bugfix on 0.2.1.1-alpha.
    - Improve the warning message when trying to enable the Linux
      sandbox code on a Tor built without libseccomp. Instead of saying
      "Sandbox is not implemented on this platform", we now explain that
      we to need be built with libseccomp. Fixes bug 11543; bugfix on
      0.2.5.1-alpha.
    - Avoid generating spurious warnings and failure messages when
      starting with DisableNetwork enabled. Fixes bug 11200 and bug
      10405; bugfix on 0.2.3.9-alpha.
      connection. This stops us from telling the controller bogus error
      messages like "DONE". Fixes bug 10431; bugfix on 0.2.1.1-alpha.
    - Be more helpful when trying to run sandboxed on Linux without
      libseccomp. Instead of saying "Sandbox is not implemented on this
      platform", we now explain that we to need be built with
      libseccomp. Fixes bug 11543; bugfix on 0.2.5.1-alpha.
    - Avoid generating spurious warnings when starting with
      DisableNetwork enabled. Fixes bug 11200 and bug 10405; bugfix on
      0.2.3.9-alpha.
  o Minor bugfixes (closing channels):
    - If write_to_buf() in connection_write_to_buf_impl_() ever fails,
@@ -169,12 +157,12 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
      connection_mark_for_close() directly. Fixes bug #11304; bugfix on
      0.2.4.4-alpha.
    - When closing all connections on setting DisableNetwork to 1, use
      connection_or_close_normally() rather than closing OR connections out
      from under the channel layer. Fixes bug #11306; bugfix on
      connection_or_close_normally() rather than closing OR connections
      out from under the channel layer. Fixes bug #11306; bugfix on
      0.2.4.4-alpha.
  o Minor bugfixes (controller):
    - Avoid sending an garbage value to the controller when a circuit is
    - Avoid sending a garbage value to the controller when a circuit is
      cannibalized. Fixes bug 11519; bugfix on 0.2.3.11-alpha.
  o Minor bugfixes (tor-fw-helper):
@@ -187,24 +175,24 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
      Fixes bug 9650; bugfix on 0.2.3.16-alpha.
  o Minor bugfixes (misc):
    - Don't re-initialize a second set of openssl mutexes when starting
      up. Fixes bug 11726; bugfix on 0.2.5.3-alpha.
  o Minor bugfixes (memory leaks):
    - Fix a minor memory leak that occurred when signing a directory
      object. Fixes bug 11275; bugfix on 0.2.4.13-alpha.
    - Don't re-initialize a second set of OpenSSL mutexes when starting
      up. Previously, we'd make one set of mutexes, and then immediately
      replace them with another. Fixes bug 11726; bugfix on
      0.2.5.3-alpha.
  o Minor bugfixes (platform-specific):
    - Fix compilation on Solaris, which does not have <endian.h>. Fixes
      bug 11426; bugfix on 0.2.5.3-alpha.
    - When dumping a malformed directory object to disk, save it in
      binary mode on windows, not text mode. Fixes bug 11342; bugfix on
      binary mode on Windows, not text mode. Fixes bug 11342; bugfix on
      0.2.2.1-alpha.
    - When reporting a failure from make_socket_reuseable(), don't
      report a warning when we get a failure from an incoming socket on
      OSX. Fix for bug 10081.
    - Don't report failures from make_socket_reuseable() on incoming
      sockets on OSX: this can happen when incoming connections close
      early. Fix for bug 10081.
  o Minor bugfixes (trivial memory leaks):
    - Fix a small memory leak when signing a directory object. Fixes bug
      11275; bugfix on 0.2.4.13-alpha.
    - Free placeholder entries in our circuit table at exit; fixes a
      harmless memory leak. Fixes bug 11278; bugfix on 0.2.5.1-alpha.
    - Resolve some memory leaks found by coverity in the unit tests, on
@@ -217,23 +205,22 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
      times, not 30. Fixes bug #4241; bugfix on 0.1.0.1-rc.
  o Minor bugfixes (bridge client):
    - Stop accepting bridge lines containing hostnames. Doing so allowed
      clients to perform DNS requests on the hostnames, which was not
      sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
    - Fix a bug where a client-side Tor with pluggable transports would
      take 60 seconds to bootstrap if a config re-read was triggered at
      just the right timing during bootstrap. Re-fixes bug 11156; bugfix
      on 0.2.5.3-alpha.
    - Stop accepting bridge lines containing hostnames. Doing so would
      cause clients to perform DNS requests on the hostnames, which was
      not sensible behavior. Fixes bug 10801; bugfix on 0.2.0.1-alpha.
    - Avoid a 60-second delay in the bootstrapping process when a Tor
      client with pluggable transports re-reads its configuration at
      just the wrong time. Re-fixes bug 11156; bugfix on 0.2.5.3-alpha.
    - Avoid 60-second delays in the bootstrapping process when Tor is
      launching for a second time while using bridges. Fixes bug 9229;
      bugfix on 0.2.0.3-alpha.
  o Minor bugfixes (DNS):
    - When receiving a DNS query for an unsupported type, reply with no
      answer rather than with a NOTIMPL error. This behavior isn't
      correct either, but it will break fewer client programs, we hope.
      Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch from
      "epoch".
    - When receiving a DNS query for an unsupported record type, reply
      with no answer rather than with a NOTIMPL error. This behavior
      isn't correct either, but it will break fewer client programs, we
      hope. Fixes bug 10268; bugfix on 0.2.0.1-alpha. Original patch
      from "epoch".
  o Minor bugfixes (exit):
    - Stop leaking memory when we successfully resolve a PTR record.
@@ -266,8 +253,8 @@ Changes in version 0.2.5.4-alpha - 2014-04-??
  o Deprecated versions:
    - Tor 0.2.2.x has reached end-of-life; it has received no patches or
      attention for some while. Directory authorities no longer accept
      descriptors from relays running any version of Tor prior to
      Tor 0.2.3.16-alpha. Resolves ticket 11149.
      descriptors from relays running any version of Tor prior to Tor
      0.2.3.16-alpha. Resolves ticket 11149.
  o Testing:
    - New macros in test.h to simplify writing mock-functions for unit