ChangeLog 1.31 MB
Changes in version 0.3.2.8-rc - 2017-12-21
  Tor 0.3.2.8-rc fixes a pair of bugs in the KIST and KISTLite
  schedulers that had led servers under heavy load to overload their
  outgoing connections. All relay operators running earlier 0.3.2.x
  versions should upgrade. This version also includes a mitigation for
  over-full DESTROY queues leading to out-of-memory conditions: if it
  works, we will soon backport it to earlier release series.

  This is the second release candidate in the 0.3.2 series. If we find
  no new bugs or regressions here, then the first stable 0.3.2 release
  will be nearly identical to this.

  o Major bugfixes (KIST, scheduler):
    - The KIST scheduler did not correctly account for data already
      enqueued in each connection's send socket buffer, particularly in
      cases when the TCP/IP congestion window was reduced between
      scheduler calls. This situation led to excessive per-connection
      buffering in the kernel, and a potential memory DoS. Fixes bug
      24665; bugfix on 0.3.2.1-alpha.

  o Minor features (geoip):
    - Update geoip and geoip6 to the December 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (hidden service v3):
    - Bump hsdir_spread_store parameter from 3 to 4 in order to increase
      the probability of reaching a service for a client missing
      microdescriptors. Fixes bug 24425; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (memory usage):
    - When queuing DESTROY cells on a channel, only queue the circuit-id
      and reason fields: not the entire 514-byte cell. This fix should
      help mitigate any bugs or attacks that fill up these queues, and
      free more RAM for other uses. Fixes bug 24666; bugfix
      on 0.2.5.1-alpha.
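
Added example (not Tor source code) of the approach in the DESTROY entry above: the queue holds only the circuit id and reason, and the full 514-byte cell is built when the entry is written out. The type and function names, the queue bound and the field layout used for packing are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Tor source. All names below are hypothetical. */
#define WIRE_CELL_LEN 514   /* full cell size quoted in the entry above */
#define CMD_DESTROY   4     /* DESTROY command value from tor-spec */
#define DQ_CAP        1024  /* hypothetical queue bound for this example */

/* What is queued: the two fields a DESTROY cell carries. */
typedef struct { uint32_t circid; uint8_t reason; } destroy_entry_t;

typedef struct {
  destroy_entry_t slots[DQ_CAP];
  size_t head, len;
} destroy_queue_t;

/* Queue a pending DESTROY. Returns -1 when the queue is full. */
int dq_push(destroy_queue_t *q, uint32_t circid, uint8_t reason)
{
  destroy_entry_t *e;
  if (q->len == DQ_CAP)
    return -1;
  e = &q->slots[(q->head + q->len) % DQ_CAP];
  e->circid = circid;
  e->reason = reason;
  q->len++;
  return 0;
}

/* Expand the oldest entry into a full wire cell only at write time.
 * Assumed layout: 4-byte circuit id, 1-byte command, then the payload,
 * whose first byte is the reason. Returns -1 when the queue is empty. */
int dq_pop_wire(destroy_queue_t *q, uint8_t out[WIRE_CELL_LEN])
{
  destroy_entry_t e;
  if (q->len == 0)
    return -1;
  e = q->slots[q->head];
  q->head = (q->head + 1) % DQ_CAP;
  q->len--;
  memset(out, 0, WIRE_CELL_LEN);      /* unused payload bytes stay zero */
  out[0] = (uint8_t)(e.circid >> 24);
  out[1] = (uint8_t)(e.circid >> 16);
  out[2] = (uint8_t)(e.circid >> 8);
  out[3] = (uint8_t)(e.circid);
  out[4] = CMD_DESTROY;
  out[5] = e.reason;
  return 0;
}

/* Memory held by queued entries, versus queuing whole cells. */
size_t dq_bytes_queued(const destroy_queue_t *q)
{
  return q->len * sizeof(destroy_entry_t);
}

size_t full_cell_bytes(size_t n)
{
  return n * WIRE_CELL_LEN;
}

int main(void)
{
  static destroy_queue_t q;           /* static storage: zero-initialized */
  uint8_t wire[WIRE_CELL_LEN];
  uint32_t i;

  for (i = 1; i <= 1000; i++)         /* constructed workload */
    dq_push(&q, i, 1);
  printf("compact queue: %zu bytes, whole cells: %zu bytes\n",
         dq_bytes_queued(&q), full_cell_bytes(q.len));
  if (dq_pop_wire(&q, wire) == 0)
    printf("first cell: command=%u reason=%u\n",
           (unsigned)wire[4], (unsigned)wire[5]);
  return 0;
}
```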

  o Minor bugfixes (scheduler, KIST):
    - Use a sane write limit for KISTLite when writing onto a connection
      buffer instead of using INT_MAX and shoving as much as it can.
      Because the OOM handler cleans up circuit queues, we are better
      off keeping them in that queue instead of the connection's
      buffer. Fixes bug 24671; bugfix on 0.3.2.1-alpha.


Changes in version 0.3.2.7-rc - 2017-12-14
  Tor 0.3.2.7-rc fixes various bugs in earlier versions of Tor,
  including some that could affect reliability or correctness.

  This is the first release candidate in the 0.3.2 series. If we find no
  new bugs or regressions here, then the first stable 0.3.2 release will
  be nearly identical to this.

  o Major bugfixes (circuit prediction):
    - Fix circuit prediction logic so that a client doesn't treat a port
      as being "handled" by a circuit if that circuit already has
      isolation settings on it. This change should make Tor clients more
      responsive by improving their chances of having a pre-created
      circuit ready for use when a request arrives. Fixes bug 18859;
      bugfix on 0.2.3.3-alpha.

  o Minor features (logging):
    - Provide better warnings when the getrandom() syscall fails. Closes
      ticket 24500.

  o Minor features (portability):
    - Tor now compiles correctly on arm64 with libseccomp-dev installed.
      (It doesn't yet work with the sandbox enabled.) Closes
      ticket 24424.

  o Minor bugfixes (bridge clients, bootstrap):
    - Retry directory downloads when we get our first bridge descriptor
      during bootstrap or while reconnecting to the network. Keep
      retrying every time we get a bridge descriptor, until we have a
      reachable bridge. Fixes part of bug 24367; bugfix on 0.2.0.3-alpha.
    - Stop delaying bridge descriptor fetches when we have cached bridge
      descriptors. Instead, only delay bridge descriptor fetches when we
      have at least one reachable bridge. Fixes part of bug 24367;
      bugfix on 0.2.0.3-alpha.
    - Stop delaying directory fetches when we have cached bridge
      descriptors. Instead, only delay bridge descriptor fetches when
      all our bridges are definitely unreachable. Fixes part of bug
      24367; bugfix on 0.2.0.3-alpha.

  o Minor bugfixes (compilation):
    - Fix a signed/unsigned comparison warning introduced by our fix to
      TROVE-2017-009. Fixes bug 24480; bugfix on 0.2.5.16.

  o Minor bugfixes (correctness):
    - Fix several places in our codebase where a C compiler would be
      likely to eliminate a check, based on assuming that undefined
      behavior had not happened elsewhere in the code. These cases are
      usually a sign of redundant checking or dubious arithmetic. Found
      by Georg Koppen using the "STACK" tool from Wang, Zeldovich,
      Kaashoek, and Solar-Lezama. Fixes bug 24423; bugfix on various
      Tor versions.
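
Added example (not code from Tor, and not output of the STACK tool) of the class of check the entry above describes: two tests that rely on undefined behavior and may be removed by an optimizing compiler, each beside a form that stays valid. All function names and the sample records are constructed for this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Tor source. All names below are hypothetical. */

/* UNSTABLE: signed overflow is undefined, so the compiler may assume
 * a + b never wraps and fold the comparison to "false". */
int add_would_overflow_unstable(int a, int b)
{
  return b > 0 && a + b < a;
}

/* STABLE: decide before adding, using only in-range arithmetic. */
int add_would_overflow(int a, int b)
{
  if (b > 0)
    return a > INT_MAX - b;
  if (b < 0)
    return a < INT_MIN - b;
  return 0;
}

/* UNSTABLE: forming buf + len beyond the object is undefined, so the
 * wrap-around test may be deleted, leaving only the second comparison. */
int range_ok_unstable(const uint8_t *buf, const uint8_t *end, size_t len)
{
  if (buf + len < buf)
    return 0;
  return buf + len <= end;
}

/* STABLE: compare the length with the space left; no pointer is ever
 * formed outside [buf, end]. */
int range_ok(const uint8_t *buf, const uint8_t *end, size_t len)
{
  if (buf == NULL || end == NULL || end < buf)
    return 0;
  return len <= (size_t)(end - buf);
}

/* Length-prefixed record: 4-byte big-endian length, then the payload.
 * Returns the payload length, or -1 if the declared length does not fit. */
long record_payload_len(const uint8_t *buf, size_t buflen)
{
  uint32_t declared;
  if (buf == NULL || buflen < 4)
    return -1;
  declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
             ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
  if (!range_ok(buf + 4, buf + buflen, declared))
    return -1;
  return (long)declared;
}

/* Constructed sample records. */
const uint8_t SAMPLE_OK[]   = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
const uint8_t SAMPLE_HUGE[] = { 0xff, 0xff, 0xff, 0xff, 'a' };

int main(void)
{
  printf("INT_MAX + 1 overflows: %d\n", add_would_overflow(INT_MAX, 1));
  printf("well-formed record:    %ld\n",
         record_payload_len(SAMPLE_OK, sizeof SAMPLE_OK));
  printf("oversized length:      %ld\n",
         record_payload_len(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
  return 0;
}
```

The two `_unstable` functions are shown for comparison only and are never called, since their result on overflowing input depends on the compiler and optimization level.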

  o Minor bugfixes (onion service v3):
    - Fix a race where an onion service would launch a new intro circuit
      after closing an old one, but fail to register it before freeing
      the previously closed circuit. This bug was making the service
      unable to find the established intro circuit and thus not upload
      its descriptor, thus making a service unavailable for up to 24
      hours. Fixes bug 23603; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (scheduler, KIST):
    - Properly set the scheduler state of an unopened channel in the
      KIST scheduler main loop. This prevents a harmless but annoying
      log warning. Fixes bug 24502; bugfix on 0.3.2.4-alpha.
    - Avoid a possible integer overflow when computing the available
      space on the TCP buffer of a channel. This had no security
      implications; but could make KIST allow too many cells on a
      saturated connection. Fixes bug 24590; bugfix on 0.3.2.1-alpha.
    - Downgrade to "info" a harmless warning about the monotonic time
      moving backwards: This can happen on platforms not supporting
      monotonic time. Fixes bug 23696; bugfix on 0.3.2.1-alpha.


Changes in version 0.3.2.6-alpha - 2017-12-01
  This version of Tor is the latest in the 0.3.2 alpha series. It
  includes fixes for several important security issues. All Tor users
  should upgrade to this release, or to one of the other releases coming
  out today.

  o Major bugfixes (security):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.
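
Added example (not Tor source code) of the replay check described in the INTRODUCE1 entry above: a cache keyed on the whole cell misses a retransmission whose unauthenticated tail differs, while a cache keyed on the RSA-encrypted part detects it. The 128-byte RSA part, the 200-byte sample cell, the FNV-1a hash (a stand-in for a cryptographic digest) and all names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Tor source. All names and sizes are hypothetical. */
#define RSA_PART_LEN 128   /* assumed size of the RSA-encrypted part */
#define CELL_LEN     200   /* constructed sample cell size */
#define CACHE_SLOTS  64

typedef struct {
  uint64_t seen[CACHE_SLOTS];
  size_t used, next;
} replay_cache_t;

/* FNV-1a, standing in for a real cryptographic digest. */
uint64_t digest64(const uint8_t *p, size_t n)
{
  uint64_t h = 14695981039346656037ULL;
  size_t i;
  for (i = 0; i < n; i++) {
    h ^= p[i];
    h *= 1099511628211ULL;
  }
  return h;
}

/* Returns 1 if the digest was already recorded, else records it and
 * returns 0. The oldest entry is overwritten once the cache is full. */
int replay_cache_check_and_add(replay_cache_t *c, uint64_t d)
{
  size_t i;
  for (i = 0; i < c->used; i++)
    if (c->seen[i] == d)
      return 1;
  c->seen[c->next] = d;
  c->next = (c->next + 1) % CACHE_SLOTS;
  if (c->used < CACHE_SLOTS)
    c->used++;
  return 0;
}

/* Earlier behavior per the entry above: key the cache on the entire cell. */
int seen_whole_cell(replay_cache_t *c, const uint8_t *cell, size_t len)
{
  return replay_cache_check_and_add(c, digest64(cell, len));
}

/* Fixed behavior: key the cache on the RSA-encrypted part only.
 * Returns -1 for a cell too short to contain that part. */
int seen_rsa_part(replay_cache_t *c, const uint8_t *cell, size_t len)
{
  if (len < RSA_PART_LEN)
    return -1;
  return replay_cache_check_and_add(c, digest64(cell, RSA_PART_LEN));
}

/* Constructed cell contents; not a real INTRODUCE1 cell. */
void make_sample_cell(uint8_t cell[CELL_LEN])
{
  size_t i;
  for (i = 0; i < CELL_LEN; i++)
    cell[i] = (uint8_t)(i * 37 + 11);
}

int main(void)
{
  replay_cache_t whole = {{0}, 0, 0}, rsa = {{0}, 0, 0};
  uint8_t first[CELL_LEN], second[CELL_LEN];

  make_sample_cell(first);
  memcpy(second, first, CELL_LEN);
  second[CELL_LEN - 1] ^= 0x01;  /* same RSA part, different tail */

  seen_whole_cell(&whole, first, CELL_LEN);
  seen_rsa_part(&rsa, first, CELL_LEN);
  printf("whole-cell key flags second cell: %d\n",
         seen_whole_cell(&whole, second, CELL_LEN));
  printf("RSA-part key flags second cell:   %d\n",
         seen_rsa_part(&rsa, second, CELL_LEN));
  return 0;
}
```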

  o Major bugfixes (security, onion service v2):
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.

  o Major bugfixes (security, relay):
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.
    - When running as a relay, make sure that we never choose ourselves
      as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
      issue is also tracked as TROVE-2017-012 and CVE-2017-8822.

  o Minor feature (relay statistics):
    - Change relay bandwidth reporting stats interval from 4 hours to 24
      hours in order to reduce the efficiency of guard discovery
      attacks. Fixes ticket 23856.

  o Minor features (directory authority):
    - Add an IPv6 address for the "bastet" directory authority. Closes
      ticket 24394.

  o Minor bugfixes (client):
    - By default, do not enable storage of client-side DNS values. These
      values were unused by default previously, but they should not have
      been cached at all. Fixes bug 24050; bugfix on 0.2.6.3-alpha.


Changes in version 0.3.1.9 - 2017-12-01
  Tor 0.3.1.9 backports important security and stability fixes from the
  0.3.2 development series. All Tor users should upgrade to this
  release, or to another of the releases coming out today.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.

  o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.
    - When running as a relay, make sure that we never choose ourselves
      as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
      issue is also tracked as TROVE-2017-012 and CVE-2017-8822.

  o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
    - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
      making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
      0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
      identifying and finding a workaround to this bug and to Moritz,
      Arthur Edelstein, and Roger for helping to track it down and
      analyze it.

  o Minor features (bridge):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (directory authority, backport from 0.3.2.6-alpha):
    - Add an IPv6 address for the "bastet" directory authority. Closes
      ticket 24394.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
    - Avoid unnecessary calls to directory_fetches_from_authorities() on
      relays, to prevent spurious address resolutions and descriptor
      rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
    - Fix unused variable warnings in donna's Curve25519 SSE2 code.
      Fixes bug 22895; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
    - When a circuit is marked for close, do not attempt to package any
      cells for channels on that circuit. Previously, we would detect
      this condition lower in the call stack, when we noticed that the
      circuit had no attached channel, and log an annoying message.
      Fixes bug 8185; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (onion service, backport from 0.3.2.5-alpha):
    - Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
      so it matches dir-spec.txt. Fixes bug 24262; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
    - Avoid a crash when transitioning from client mode to bridge mode.
      Previously, we would launch the worker threads whenever our
      "public server" mode changed, but not when our "server" mode
      changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.


Changes in version 0.3.0.13 - 2017-12-01
  Tor 0.3.0.13 backports important security and stability bugfixes from
  later Tor releases. All Tor users should upgrade to this release, or
  to another of the releases coming out today.

  Note: the Tor 0.3.0 series will no longer be supported after 26 Jan
  2018. If you need a release with long-term support, please stick with
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.

  o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.
    - When running as a relay, make sure that we never choose ourselves
      as a guard. Fixes part of bug 21534; bugfix on 0.3.0.1-alpha. This
      issue is also tracked as TROVE-2017-012 and CVE-2017-8822.

  o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
    - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
      making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
      0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
      identifying and finding a workaround to this bug and to Moritz,
      Arthur Edelstein, and Roger for helping to track it down and
      analyze it.

  o Minor features (security, windows, backport from 0.3.1.1-alpha):
    - Enable a couple of pieces of Windows hardening: one
      (HeapEnableTerminationOnCorruption) that has been on-by-default
      since Windows 8, and unavailable before Windows 7; and one
      (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
      affect us, but shouldn't do any harm. Closes ticket 21953.

  o Minor features (bridge, backport from 0.3.1.9):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (directory authority, backport from 0.3.2.6-alpha):
    - Add an IPv6 address for the "bastet" directory authority. Closes
      ticket 24394.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
    - Avoid unnecessary calls to directory_fetches_from_authorities() on
      relays, to prevent spurious address resolutions and descriptor
      rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
    - Fix unused variable warnings in donna's Curve25519 SSE2 code.
      Fixes bug 22895; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
    - When a circuit is marked for close, do not attempt to package any
      cells for channels on that circuit. Previously, we would detect
      this condition lower in the call stack, when we noticed that the
      circuit had no attached channel, and log an annoying message.
      Fixes bug 8185; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
    - Avoid a crash when transitioning from client mode to bridge mode.
      Previously, we would launch the worker threads whenever our
      "public server" mode changed, but not when our "server" mode
      changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (testing, backport from 0.3.1.6-rc):
    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
      bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.


Changes in version 0.2.9.14 - 2017-12-01
  Tor 0.3.0.13 backports important security and stability bugfixes from
  later Tor releases. All Tor users should upgrade to this release, or
  to another of the releases coming out today.

  o Major bugfixes (exit relays, DNS, backport from 0.3.2.4-alpha):
    - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
      making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
      0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
      identifying and finding a workaround to this bug and to Moritz,
      Arthur Edelstein, and Roger for helping to track it down and
      analyze it.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - Fix a denial of service issue where an attacker could crash a
      directory authority using a malformed router descriptor. Fixes bug
      24245; bugfix on 0.2.9.4-alpha. Also tracked as TROVE-2017-010
      and CVE-2017-8820.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.

  o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.

  o Minor features (bridge, backport from 0.3.1.9):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (directory authority, backport from 0.3.2.6-alpha):
    - Add an IPv6 address for the "bastet" directory authority. Closes
      ticket 24394.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

  o Minor features (security, windows, backport from 0.3.1.1-alpha):
    - Enable a couple of pieces of Windows hardening: one
      (HeapEnableTerminationOnCorruption) that has been on-by-default
      since Windows 8, and unavailable before Windows 7; and one
      (PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION) which we believe doesn't
      affect us, but shouldn't do any harm. Closes ticket 21953.

  o Minor bugfix (relay address resolution, backport from 0.3.2.1-alpha):
    - Avoid unnecessary calls to directory_fetches_from_authorities() on
      relays, to prevent spurious address resolutions and descriptor
      rebuilds. This is a mitigation for bug 21789. Fixes bug 23470;
      bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.2.1-alpha):
    - Fix unused variable warnings in donna's Curve25519 SSE2 code.
      Fixes bug 22895; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (logging, relay shutdown, annoyance, backport from 0.3.2.2-alpha):
    - When a circuit is marked for close, do not attempt to package any
      cells for channels on that circuit. Previously, we would detect
      this condition lower in the call stack, when we noticed that the
      circuit had no attached channel, and log an annoying message.
      Fixes bug 8185; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (relay, crash, backport from 0.3.2.4-alpha):
    - Avoid a crash when transitioning from client mode to bridge mode.
      Previously, we would launch the worker threads whenever our
      "public server" mode changed, but not when our "server" mode
      changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (testing, backport from 0.3.1.6-rc):
    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
      bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.


Changes in version 0.2.8.17 - 2017-12-01
  Tor 0.2.8.17 backports important security and stability bugfixes from
  later Tor releases. All Tor users should upgrade to this release, or
  to another of the releases coming out today.

  Note: the Tor 0.2.8 series will no longer be supported after 1 Jan
  2018. If you need a release with long-term support, please upgrade to
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.

  o Major bugfixes (security, onion service v2, backport from 0.3.2.6-alpha):
    - Fix a use-after-free error that could crash v2 Tor onion services
      when they failed to open circuits while expiring introduction
      points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This issue is
      also tracked as TROVE-2017-013 and CVE-2017-8823.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path through
      ourselves, even in the case where we have somehow lost the version of
      our descriptor appearing in the consensus. Fixes part of bug 21534;
      bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
      and CVE-2017-8822.

  o Minor features (bridge, backport from 0.3.1.9):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (directory authority, backport from 0.3.2.6-alpha):
    - Add an IPv6 address for the "bastet" directory authority. Closes
      ticket 24394.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (testing, backport from 0.3.1.6-rc):
    - Fix an undersized buffer in test-memwipe.c. Fixes bug 23291;
      bugfix on 0.2.7.2-alpha. Found and patched by Ties Stuij.


Changes in version 0.2.5.16 - 2017-12-01
  Tor 0.2.5.13 backports important security and stability bugfixes from
  later Tor releases. All Tor users should upgrade to this release, or
  to another of the releases coming out today.

  Note: the Tor 0.2.5 series will no longer be supported after 1 May
  2018. If you need a release with long-term support, please upgrade to
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Major bugfixes (security, backport from 0.3.2.6-alpha):
    - Fix a denial of service bug where an attacker could use a
      malformed directory object to cause a Tor instance to pause while
      OpenSSL would try to read a passphrase from the terminal. (Tor
      instances run without a terminal, which is the case for most Tor
      packages, are not impacted.) Fixes bug 24246; bugfix on every
      version of Tor. Also tracked as TROVE-2017-011 and CVE-2017-8821.
      Found by OSS-Fuzz as testcase 6360145429790720.
    - When checking for replays in the INTRODUCE1 cell data for a
      (legacy) onion service, correctly detect replays in the RSA-
      encrypted part of the cell. We were previously checking for
      replays on the entire cell, but those can be circumvented due to
      the malleability of Tor's legacy hybrid encryption. This fix helps
      prevent a traffic confirmation attack. Fixes bug 24244; bugfix on
      0.2.4.1-alpha. This issue is also tracked as TROVE-2017-009
      and CVE-2017-8819.

  o Major bugfixes (security, relay, backport from 0.3.2.6-alpha):
    - When running as a relay, make sure that we never build a path
      through ourselves, even in the case where we have somehow lost the
      version of our descriptor appearing in the consensus. Fixes part
      of bug 21534; bugfix on 0.2.0.1-alpha. This issue is also tracked
      as TROVE-2017-012 and CVE-2017-8822.

  o Minor features (bridge, backport from 0.3.1.9):
    - Bridges now include notice in their descriptors that they are
      bridges, and notice of their distribution status, based on their
      publication settings. Implements ticket 18329. For more fine-
      grained control of how a bridge is distributed, upgrade to 0.3.2.x
      or later.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.


Changes in version 0.3.2.5-alpha - 2017-11-22
  Tor 0.3.2.5-alpha is the fifth alpha release in the 0.3.2.x series. It
  fixes several stability and reliability bugs, including a fix for
  intermittent bootstrapping failures that some people have been seeing
  since the 0.3.0.x series.

  Please test this alpha out -- many of these fixes will soon be
  backported to stable Tor versions if no additional bugs are found
  in them.

  o Major bugfixes (bootstrapping):
    - Fetch descriptors aggressively whenever we lack enough to build
      circuits, regardless of how many descriptors we are missing.
      Previously, we would delay launching the fetch when we had fewer
      than 15 missing descriptors, even if some of those descriptors
      were blocking circuits from building. Fixes bug 23985; bugfix on
      0.1.1.11-alpha. The effects of this bug became worse in
      0.3.0.3-alpha, when we began treating missing descriptors from our
      primary guards as a reason to delay circuits.
    - Don't try fetching microdescriptors from relays that have failed
      to deliver them in the past. Fixes bug 23817; bugfix
      on 0.3.0.1-alpha.

  o Minor features (directory authority):
    - Make the "Exit" flag assignment only depend on whether the exit
      policy allows connections to ports 80 and 443. Previously relays
      would get the Exit flag if they allowed connections to one of
      these ports and also port 6667. Resolves ticket 23637.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2017 Maxmind GeoLite2
      Country database.

  o Minor features (linux seccomp2 sandbox):
    - Update the sandbox rules so that they should now work correctly
      with Glibc 2.26. Closes ticket 24315.

  o Minor features (logging):
    - Downgrade a pair of log messages that could occur when an exit's
      resolver gave us an unusual (but not forbidden) response. Closes
      ticket 24097.
    - Improve the message we log when re-enabling circuit build timeouts
      after having received a consensus. Closes ticket 20963.

  o Minor bugfixes (compilation):
    - Fix a memory leak warning in one of the libevent-related
      configuration tests that could occur when manually specifying
      -fsanitize=address. Fixes bug 24279; bugfix on 0.3.0.2-alpha.
      Found and patched by Alex Xu.
    - When detecting OpenSSL on Windows from our configure script, make
      sure to try linking with the ws2_32 library. Fixes bug 23783;
      bugfix on 0.3.2.2-alpha.

  o Minor bugfixes (control port, linux seccomp2 sandbox):
    - Avoid a crash when attempting to use the seccomp2 sandbox together
      with the OwningControllerProcess feature. Fixes bug 24198; bugfix
      on 0.2.5.1-alpha.

  o Minor bugfixes (control port, onion services):
    - Report "FAILED" instead of "UPLOAD_FAILED" "FAILED" for the
      HS_DESC event when a service is not able to upload a descriptor.
      Fixes bug 24230; bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (directory cache):
    - Recover better from empty or corrupt files in the consensus cache
      directory. Fixes bug 24099; bugfix on 0.3.1.1-alpha.
    - When a consensus diff calculation is only partially successful,
      only record the successful parts as having succeeded. Partial
      success can happen if (for example) one compression method fails
      but the others succeed. Previously we misrecorded all the
      calculations as having succeeded, which would later cause a
      nonfatal assertion failure. Fixes bug 24086; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (logging):
    - Only log once if we notice that KIST support is gone. Fixes bug
      24158; bugfix on 0.3.2.1-alpha.
    - Suppress a log notice when relay descriptors arrive. We already
      report bootstrap progress for this, so there is no need to log a
      notice every time tor receives relay descriptors. Microdescriptors
      behave the same. Fixes bug 23861; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (network layer):
    - When closing a connection via close_connection_immediately(), we
      mark it as "not blocked on bandwidth", to prevent later calls from
      trying to unblock it, and give it permission to read. This fixes a
      backtrace warning that can happen on relays under various
      circumstances. Fixes bug 24167; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (onion services):
    - The introduction circuit was being timed out too quickly while
      waiting for the rendezvous circuit to complete. Keep the intro
      circuit around longer instead of timing out and reopening new ones
      constantly. Fixes bug 23681; bugfix on 0.2.4.8-alpha.
    - Rename the consensus parameter "hsdir-interval" to "hsdir_interval"
      so it matches dir-spec.txt. Fixes bug 24262; bugfix
      on 0.3.1.1-alpha.
    - Silence a warning about failed v3 onion descriptor uploads that
      can happen naturally under certain edge cases. Fixes part of bug
      23662; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (tests):
    - Fix a memory leak in one of the bridge-distribution test cases.
      Fixes bug 24345; bugfix on 0.3.2.3-alpha.
    - Fix a bug in our fuzzing mock replacement for crypto_pk_checksig(),
      to correctly handle cases where a caller gives it an RSA key of
      under 160 bits. (This is not actually a bug in Tor itself, but
      rather in our fuzzing code.) Fixes bug 24247; bugfix on
      0.3.0.3-alpha. Found by OSS-Fuzz as issue 4177.

  o Documentation:
    - Add notes in man page regarding OS support for the various
      scheduler types. Attempt to use less jargon in the scheduler
      section. Closes ticket 24254.


Changes in version 0.3.2.4-alpha - 2017-11-08
  Tor 0.3.2.4-alpha is the fourth alpha release in the 0.3.2.x series.
  It fixes several stability and reliability bugs, especially including
  a major reliability issue that has been plaguing fast exit relays in
  recent months.

  o Major bugfixes (exit relays, DNS):
    - Fix an issue causing DNS to fail on high-bandwidth exit nodes,
      making them nearly unusable. Fixes bugs 21394 and 18580; bugfix on
      0.1.2.2-alpha, which introduced eventdns. Thanks to Dhalgren for
      identifying and finding a workaround to this bug and to Moritz,
      Arthur Edelstein, and Roger for helping to track it down and
      analyze it.

  o Major bugfixes (scheduler, channel):
    - Stop processing scheduled channels if they closed while flushing
      cells. This can happen if the write on the connection fails
      leading to the channel being closed while in the scheduler loop.
      Fixes bug 23751; bugfix on 0.3.2.1-alpha.

  o Minor features (logging, scheduler):
    - Introduce a SCHED_BUG() function to log extra information about
      the scheduler state if we ever catch a bug in the scheduler.
      Closes ticket 23753.

  o Minor features (removed deprecations):
    - The ClientDNSRejectInternalAddresses flag can once again be set in
      non-testing Tor networks, so long as they do not use the default
      directory authorities. This change also removes the deprecation of
      this flag from 0.2.9.2-alpha. Closes ticket 21031.

  o Minor features (testing):
    - Our fuzzing tests now test the encrypted portions of v3 onion
      service descriptors. Implements more of 21509.

  o Minor bugfixes (directory client):
    - On failure to download directory information, delay retry attempts
      by a random amount based on the "decorrelated jitter" algorithm.
      Our previous delay algorithm tended to produce extra-long delays
      too easily. Fixes bug 23816; bugfix on 0.2.9.1-alpha.
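
  The general form of the "decorrelated jitter" backoff named above, as
  an added example (not Tor's implementation). The base/cap parameters,
  the xorshift generator and all function names are assumptions made for
  illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* xorshift64: a small deterministic generator so the schedule below is
 * reproducible. A real client would use its normal random source. */
typedef struct { uint64_t s; } rng_t;

static uint64_t rng_next(rng_t *r) {
  uint64_t x = r->s;
  x ^= x << 13;
  x ^= x >> 7;
  x ^= x << 17;
  return r->s = x;
}

/* Integer in [lo, hi], lo <= hi. Modulo bias is ignored for brevity. */
static uint64_t rng_range(rng_t *r, uint64_t lo, uint64_t hi) {
  return lo + rng_next(r) % (hi - lo + 1);
}

/* Decorrelated jitter: next = min(cap, uniform(base, 3 * prev)).
 * base is the floor, cap the ceiling, prev the delay used last time. */
uint32_t next_delay(rng_t *r, uint32_t base, uint32_t cap, uint32_t prev) {
  uint64_t hi = (uint64_t)prev * 3;   /* 64-bit, so 3 * prev cannot wrap */
  if (hi < base)
    hi = base;                        /* first attempt, or prev below base */
  uint64_t d = rng_range(r, base, hi);
  return (uint32_t)(d > cap ? cap : d);
}

/* Fill out[0..n-1] with successive delays, starting from prev = base.
 * Returns the sum, i.e. the total time spent waiting across n retries. */
uint64_t retry_schedule(uint64_t seed, uint32_t base, uint32_t cap,
                        uint32_t *out, int n) {
  rng_t r = { seed ? seed : 1 };      /* xorshift state must be non-zero */
  uint32_t prev = base;
  uint64_t total = 0;
  for (int i = 0; i < n; i++) {
    prev = out[i] = next_delay(&r, base, cap, prev);
    total += prev;
  }
  return total;
}

int main(void) {
  uint32_t delays[12];
  uint64_t total = retry_schedule(42, 1, 60, delays, 12);
  for (int i = 0; i < 12; i++)
    printf("retry %2d: wait %u\n", i + 1, (unsigned)delays[i]);
  printf("total wait: %llu\n", (unsigned long long)total);
  return 0;
}
```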

  o Minor bugfixes (IPv6, v3 single onion services):
    - Remove buggy code for IPv6-only v3 single onion services, and
      reject attempts to configure them. This release supports IPv4,
      dual-stack, and IPv6-only v3 onion services; and IPv4 and dual-
      stack v3 single onion services. Fixes bug 23820; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (logging, relay):
    - Give only a protocol warning when the ed25519 key is not
      consistent between the descriptor and microdescriptor of a relay.
      This can happen, for instance, if the relay has been flagged
      NoEdConsensus. Fixes bug 24025; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (manpage, onion service):
    - Document that the HiddenServiceNumIntroductionPoints option is
      0-10 for v2 services and 0-20 for v3 services. Fixes bug 24115;
      bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (memory leaks):
    - Fix a minor memory leak at exit in the KIST scheduler. This bug
      should have no user-visible impact. Fixes bug 23774; bugfix
      on 0.3.2.1-alpha.
    - Fix a memory leak when decrypting a badly formatted v3 onion
      service descriptor. Fixes bug 24150; bugfix on 0.3.2.1-alpha.
      Found by OSS-Fuzz; this is OSS-Fuzz issue 3994.

  o Minor bugfixes (onion services):
    - Cache some needed onion service client information instead of
      constantly computing it over and over again. Fixes bug 23623;
      bugfix on 0.3.2.1-alpha.
    - Properly retry HSv3 descriptor fetches when missing required
      directory information. Fixes bug 23762; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (path selection):
    - When selecting relays by bandwidth, avoid a rounding error that
      could sometimes cause load to be imbalanced incorrectly.
      Previously, we would always round upwards; now, we round towards
      the nearest integer. This had the biggest effect when a relay's
      weight adjustments should have given it weight 0, but it got
      weight 1 instead. Fixes bug 23318; bugfix on 0.2.4.3-alpha.
    - When calculating the fraction of nodes that have descriptors, and
      all nodes in the network have zero bandwidths, count the number of
      nodes instead. Fixes bug 23318; bugfix on 0.2.4.10-alpha.
    - Actually log the total bandwidth in compute_weighted_bandwidths().
      Fixes bug 24170; bugfix on 0.2.4.3-alpha.

  o Minor bugfixes (relay, crash):
    - Avoid a crash when transitioning from client mode to bridge mode.
      Previously, we would launch the worker threads whenever our
      "public server" mode changed, but not when our "server" mode
      changed. Fixes bug 23693; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (testing):
    - Fix a spurious fuzzing-only use of an uninitialized value. Found
      by Brian Carpenter. Fixes bug 24082; bugfix on 0.3.0.3-alpha.
    - Test that IPv6-only clients can use microdescriptors when running
      "make test-network-all". Requires chutney master 61c28b9 or later.
      Closes ticket 24109.


Changes in version 0.3.2.3-alpha - 2017-10-27
  Tor 0.3.2.3-alpha is the third release in the 0.3.2 series. It fixes
  numerous small bugs in earlier versions of 0.3.2.x, and adds a new
  directory authority, Bastet.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list.
      Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address.
      Closes ticket 23592.

  o Minor features (bridge):
    - Bridge relays can now set the BridgeDistribution config option to
      add a "bridge-distribution-request" line to their bridge
      descriptor, which tells BridgeDB how they'd like their bridge
      address to be given out. (Note that as of Oct 2017, BridgeDB does
      not yet implement this feature.) As a side benefit, this feature
      provides a way to distinguish bridge descriptors from non-bridge
      descriptors. Implements ticket 18329.

  o Minor features (client, entry guards):
    - Improve log messages when missing descriptors for primary guards.
      Resolves ticket 23670.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (bridge):
    - Overwrite the bridge address earlier in the process of retrieving
      its descriptor, to make sure we reach it on the configured
      address. Fixes bug 20532; bugfix on 0.2.0.10-alpha.

  o Minor bugfixes (documentation):
    - Document better how to read gcov, and what our gcov postprocessing
      scripts do. Fixes bug 23739; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (entry guards):
    - Tor now updates its guard state when it reads a consensus
      regardless of whether it's missing descriptors. That makes tor use
      its primary guards to fetch descriptors in some edge cases where
      it would previously have used fallback directories. Fixes bug
      23862; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (hidden service client):
    - When handling multiple SOCKS requests for the same .onion address,
      only fetch the service descriptor once.
    - When a descriptor fetch fails with a non-recoverable error, close
      all pending SOCKS requests for that .onion. Fixes bug 23653;
      bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (hidden service):
    - Always regenerate missing hidden service public key files. Prior
      to this, if the public key was deleted from disk, it wouldn't get
      recreated. Fixes bug 23748; bugfix on 0.3.2.2-alpha. Patch
      from "cathugger".
    - Make sure that we have a usable ed25519 key when the intro point
      relay supports ed25519 link authentication. Fixes bug 24002;
      bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (hidden service, v2):
    - When reloading configured hidden services, copy all information
      from the old service object. Previously, some data was omitted,
      causing delays in descriptor upload, and other bugs. Fixes bug
      23790; bugfix on 0.2.1.9-alpha.

  o Minor bugfixes (memory safety, defensive programming):
    - Clear the target address when node_get_prim_orport() returns
      early. Fixes bug 23874; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (relay):
    - Avoid a BUG warning when receiving a dubious CREATE cell while an
      option transition is in progress. Fixes bug 23952; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (testing):
    - Adjust the GitLab CI configuration to more closely match that of
      Travis CI. Fixes bug 23757; bugfix on 0.3.2.2-alpha.
    - Prevent scripts/test/coverage from attempting to move gcov output
      to the root directory. Fixes bug 23741; bugfix on 0.2.5.1-alpha.
    - When running unit tests as root, skip a test that would fail
      because it expects a permissions error. This affects some
      continuous integration setups. Fixes bug 23758; bugfix
      on 0.3.2.2-alpha.
    - Stop unconditionally mirroring the tor repository in GitLab CI.
      This prevented developers from enabling GitLab CI on master. Fixes
      bug 23755; bugfix on 0.3.2.2-alpha.
    - Fix the hidden service v3 descriptor decoding fuzzing to use the
      latest decoding API correctly. Fixes bug 21509; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (warnings):
    - When we get an HTTP request on a SOCKS port, tell the user about
      the new HTTPTunnelPort option. Previously, we would give a "Tor is
      not an HTTP Proxy" message, which stopped being true when
      HTTPTunnelPort was introduced. Fixes bug 23678; bugfix
      on 0.3.2.1-alpha.


Changes in version 0.2.5.15 - 2017-10-25
  Tor 0.2.5.15 backports a collection of bugfixes from later Tor release
  series. It also adds a new directory authority, Bastet.

  Note: the Tor 0.2.5 series will no longer be supported after 1 May
  2018. If you need a release with long-term support, please upgrade to
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list.
      Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address.
      Closes ticket 23592.

  o Major bugfixes (openbsd, denial-of-service, backport from 0.3.1.5-alpha):
    - Avoid an assertion failure bug affecting our implementation of
      inet_pton(AF_INET6) on certain OpenBSD systems whose strtol()
      handling of "0xx" differs from what we had expected. Fixes bug
      22789; bugfix on 0.2.3.8-alpha. Also tracked as TROVE-2017-007.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (defensive programming, undefined behavior, backport from 0.3.1.4-alpha):
    - Fix a memset() off the end of an array when packing cells. This
      bug should be harmless in practice, since the corrupted bytes are
      still in the same structure, and are always padding bytes,
      ignored, or immediately overwritten, depending on compiler
      behavior. Nevertheless, because the memset()'s purpose is to make
      sure that any other cell-handling bugs can't expose bytes to the
      network, we need to fix it. Fixes bug 22737; bugfix on
      0.2.4.11-alpha. Fixes CID 1401591.

  o Build features (backport from 0.3.1.5-alpha):
    - Tor's repository now includes a Travis Continuous Integration (CI)
      configuration file (.travis.yml). This is meant to help new
      developers and contributors who fork Tor to a Github repository be
      better able to test their changes, and understand what we expect
      to pass. To use this new build feature, you must fork Tor to your
      Github account, then go into the "Integrations" menu in the
      repository settings for your fork and enable Travis, then push
      your changes. Closes ticket 22636.


Changes in version 0.2.8.16 - 2017-10-25
  Tor 0.2.8.16 backports a collection of bugfixes from later Tor release
  series, including a bugfix for a crash issue that had affected relays
  under memory pressure. It also adds a new directory authority, Bastet.

  Note: the Tor 0.2.8 series will no longer be supported after 1 Jan
  2018. If you need a release with long-term support, please stick with
  the 0.2.9 series. Otherwise, please upgrade to 0.3.1 or later.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list.
      Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address.
      Closes ticket 23592.

  o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
    - Fix a timing-based assertion failure that could occur when the
      circuit out-of-memory handler freed a connection's output buffer.
      Fixes bug 23690; bugfix on 0.2.6.1-alpha.

  o Minor features (directory authorities, backport from 0.3.2.2-alpha):
    - Remove longclaw's IPv6 address, as it will soon change. Authority
      IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
      3/8 directory authorities with IPv6 addresses, but there are also
      52 fallback directory mirrors with IPv6 addresses. Resolves 19760.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
      Country database.


Changes in version 0.2.9.13 - 2017-10-25
  Tor 0.2.9.13 backports a collection of bugfixes from later Tor release
  series, including a bugfix for a crash issue that had affected relays
  under memory pressure. It also adds a new directory authority, Bastet.

  o Directory authority changes:
    - Add "Bastet" as a ninth directory authority to the default list.
      Closes ticket 23910.
    - The directory authority "Longclaw" has changed its IP address.
      Closes ticket 23592.

  o Major bugfixes (relay, crash, assertion failure, backport from 0.3.2.2-alpha):
    - Fix a timing-based assertion failure that could occur when the
      circuit out-of-memory handler freed a connection's output buffer.
      Fixes bug 23690; bugfix on 0.2.6.1-alpha.

  o Minor features (directory authorities, backport from 0.3.2.2-alpha):
    - Remove longclaw's IPv6 address, as it will soon change. Authority
      IPv6 addresses were originally added in 0.2.8.1-alpha. This leaves
      3/8 directory authorities with IPv6 addresses, but there are also
      52 fallback directory mirrors with IPv6 addresses. Resolves 19760.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 4 2017 Maxmind GeoLite2
      Country database.

  o Minor bugfixes (directory authority, backport from 0.3.1.5-alpha):
    - When a directory authority rejects a descriptor or extrainfo with
      a given digest, mark that digest as undownloadable, so that we do
      not attempt to download it again over and over. We previously
      tried to avoid downloading such descriptors by other means, but we
      didn't notice if we accidentally downloaded one anyway. This
      behavior became problematic in 0.2.7.2-alpha, when authorities
      began pinning Ed25519 keys. Fixes bug 22349; bugfix