ChangeLog 1.71 MB
Newer Older
1
2
3
Changes in version 0.4.3.1-alpha - 2020-01-2?
  This is the first alpha release in the 0.4.3.x series. BLURB MORE

Nick Mathewson's avatar
Nick Mathewson committed
4
5
6
7
8
  o New system requirements:
    - When building Tor, you now need to have Python 3 in order to run
      the integration tests. (Python 2 is officially unsupported
      upstream, as of 1 Jan 2020.) Closes ticket 32608.

9
10
  o Major feature (onion service, SOCKS5):
    - Introduce a new SocksPort flag named: ExtendedErrors. Detailed in
Nick Mathewson's avatar
Nick Mathewson committed
11
12
13
      proposal 304, a number of onion service error codes are now sent
      back, if this flag is set, with the SOCKS5 protocol using new
      custom error values. Closes ticket 30382;
14
15
16

  o Major features (build system):
    - Create an optional relay module, which can be disabled using the
Nick Mathewson's avatar
Nick Mathewson committed
17
18
19
      --disable-module-relay configure option. When it is set, also
      disable the dirauth module. Add a minimal implemention, which
      disables the relay and dircache modes in tor. Closes ticket 32123.
20
21

  o Major features (controller):
Nick Mathewson's avatar
Nick Mathewson committed
22
23
24
25
26
27
    - New ONION_CLIENT_AUTH_ADD control port command to add client-side
      onion service client authorization credentials. Closes part of
      ticket 30381.
    - New ONION_CLIENT_AUTH_REMOVE control port command to remove
      client-side onion service client authorization credentials. Closes
      part of ticket 30381.
28
    - New ONION_CLIENT_AUTH_VIEW control port command to view stored
Nick Mathewson's avatar
Nick Mathewson committed
29
30
      client-side onion service client authorization credentials. Closes
      part of ticket 30381.
31
32

  o Major features (directory authority, ed25519):
Nick Mathewson's avatar
Nick Mathewson committed
33
34
35
36
    - Add support for banning a relay's ed25519 keys in the approved-
      routers file. This will allow us to migrate away from RSA keys in
      the future. Previously, only RSA keys could be banned in approved-
      routers. Resolves ticket 22029. Patch by Neel Chauhan.
37
38
39

  o Major features (documentation):
    - Provide a Circuit Padding Framework quickstart guide and developer
Nick Mathewson's avatar
Nick Mathewson committed
40
41
      documentation for researchers to implement and study Circuit
      Padding machines. Closes ticket 28804.
42
43

  o Major features (proxy):
Nick Mathewson's avatar
Nick Mathewson committed
44
45
46
47
48
49
    - In addition to HTTP CONNECT, SOCKS4, and SOCKS5, Tor can make all
      OR connections through the HAProxy server. A new torrc option was
      added to specify the address/port of the server: TCPProxy
      <protocol> <host>:<port>. Currently the only supported protocol in
      the option is haproxy. Close ticket 31518. Patch done by Suphanat
      Chunhapanya (haxxpop).
50
51
52
53
54
55
56

  o Major bugfixes (networking):
    - Correctly handle IPv6 addresses in SOCKS5 RESOLVE_PTR requests,
      and accept strings as well as binary addresses. Fixes bug 32315;
      bugfix on 0.3.5.1-alpha.

  o Major bugfixes (onion service):
Nick Mathewson's avatar
Nick Mathewson committed
57
58
59
60
61
    - Report back HS circuit failure back into the HS subsytem so we
      take appropriate action with regards to the client introduction
      point failure cache. This improves reachability of onion services,
      since now clients notice failing introduction circuits properly.
      Fixes bug 32020; bugfix on 0.3.2.1-alpha;
62
63

  o Minor feature (configure, build system):
Nick Mathewson's avatar
Nick Mathewson committed
64
65
    - Output enabled/disabled features at the end of the configure
      process in a pleasing way. Closes ticket 31373.
66
67

  o Minor feature (heartbeat, onion service):
Nick Mathewson's avatar
Nick Mathewson committed
68
69
    - Add the DoS INTRODUCE2 defenses counter to the heartbeat DoS
      message. Closes ticket 31371.
70
71
72

  o Minor features (configuration validation):
    - Configuration validation can now be done by per-module callbacks,
Nick Mathewson's avatar
Nick Mathewson committed
73
74
75
      rather than a global validation function. This will let us reduce
      the size of config.c and some of its more cumbersome functions.
      Closes ticket 31241.
76
77

  o Minor features (configuration):
Nick Mathewson's avatar
Nick Mathewson committed
78
79
80
81
82
83
    - If the configured hardware crypto accelerator in AccelName is
      prefixed with "!", Tor now exits when it cannot be found. Closes
      ticket 32406.
    - We use a flag-driven logic to warn about obsolete configuration
      fields, so that we can include their names. In 0.4.2, we used a
      special type, which prevented us from generating good warnings.
84
85
86
      Implements ticket 32404.

  o Minor features (continuous integration):
Nick Mathewson's avatar
Nick Mathewson committed
87
88
    - Call the check_cocci_parse.sh script from Travis CI. Closes
      ticket 31919.
89
90
91

  o Minor features (controller):
    - Add stream isolation data to STREAM event. Closes ticket 19859.
Nick Mathewson's avatar
Nick Mathewson committed
92
93
    - Implement a new GETINFO command to fetch microdescriptor
      consensus. Closes ticket 31684.
94
95

  o Minor features (debugging, directory system):
Nick Mathewson's avatar
Nick Mathewson committed
96
97
98
    - Don't crash when we find a non-guard with a guard-fraction value
      set. Instead, log a bug warning, in an attempt to figure out how
      this happened. Diagnostic for ticket 32868.
99
100

  o Minor features (defense in depth):
Nick Mathewson's avatar
Nick Mathewson committed
101
102
103
    - Add additional sanity checks around tor_vasprintf() usage in case
      the function returns an error. Patch by Tobias Stoeckmann. Fixes
      ticket 31147.
104
105

  o Minor features (developer tooling):
Nick Mathewson's avatar
Nick Mathewson committed
106
107
108
    - Remove 0.2.9 series branches from git scripts (git-merge-
      forward.sh, git-pull-all.sh, git-push-all.sh, git-setup-dirs.sh).
      Closes ticket 32772.
109
110

  o Minor features (developer tools):
Nick Mathewson's avatar
Nick Mathewson committed
111
112
    - Add a check_cocci_parse.sh script that checks that new code is
      parseable by Coccinelle. Add an exceptions file for unparseable
113
114
115
116
117
118
      files. Closes ticket 31919.
    - Add a rename_c_identifiers.py tool to rename a bunch of C
      identifiers at once, and generate a well-formed commit message
      describing the change. This should help with refactoring. Closes
      ticket 32237.
    - Add some scripts in "scripts/coccinelle" to invoke the Coccinelle
Nick Mathewson's avatar
Nick Mathewson committed
119
120
121
      semantic patching tool with the correct flags. These flags are
      fairly easy to forget, and these scripts should help us use
      Coccinelle more effectively in the future. Closes ticket 31705.
122
123
124
125
    - Call the check_cocci_parse.sh script from a 'check-cocci' Makefile
      target. Closes ticket 31919.

  o Minor features (disabling relay support):
Nick Mathewson's avatar
Nick Mathewson committed
126
127
    - When Tor is compiled --disable-module-relay, we also omit the code
      used to act as a directory cache. Closes ticket 32487.
128
129

  o Minor features (documentation):
Nick Mathewson's avatar
Nick Mathewson committed
130
131
132
    - Make sure that doxygen outputs documentation for all of our C
      files. Previously, some were missing @file declarations, causing
      them to be ignored. Closes ticket 32307.
133
134
135

  o Minor features (Doxygen):
    - Update Doxygen configuration file to a more recent template (from
Nick Mathewson's avatar
Nick Mathewson committed
136
137
138
      1.8.15). Closes ticket 32110.
    - "make doxygen" now works with out-of-tree builds. Closes
      ticket 32113.
139
    - Our "make doxygen" target now respects --enable-fatal-warnings by
Nick Mathewson's avatar
Nick Mathewson committed
140
141
142
143
      default, and does not warn about items that are missing
      documentation. To warn about missing documentation, run configure
      with the "--enable-missing-doc-warnings" flag: doing so suspends
      fatal warnings for doxygen. Closes ticket 32385.
144
145
146
147

  o Minor features (git scripts):
    - Add TOR_EXTRA_CLONE_ARGS to git-setup-dirs.sh for git clone
      customisation. Closes ticket 32347.
Nick Mathewson's avatar
Nick Mathewson committed
148
149
150
151
152
153
154
155
    - Add TOR_EXTRA_REMOTE_* to git-setup-dirs.sh for a custom extra
      remote. Closes ticket 32347.
    - Add git-setup-dirs.sh, which sets up an upstream git repository
      and worktrees for tor maintainers. Closes ticket 29603.
    - Call the check_cocci_parse.sh script from the git commit and push
      hooks. Closes ticket 31919.
    - Make git-push-all.sh skip unchanged branches when pushing to
      upstream. The script already skipped unchanged test branches.
156
      Closes ticket 32216.
Nick Mathewson's avatar
Nick Mathewson committed
157
158
159
160
    - Make git-setup-dirs.sh create a master symlink in the worktree
      directory. Closes ticket 32347.
    - Skip unmodified source files when doing some existing git hook
      checks. Related to ticket 31919.
161
162
163

  o Minor features (IPv6, client):
    - Make Tor clients tell dual-stack exits that they prefer IPv6
Nick Mathewson's avatar
Nick Mathewson committed
164
165
166
167
      connections. This change is equivalent to setting the PreferIPv6
      flag on SOCKSPorts (and most other listener ports). Tor Browser
      has been setting this flag for some time, and we want to remove a
      client distinguisher at exits. Closes ticket 32637.
168
169

  o Minor features (portability, android):
Nick Mathewson's avatar
Nick Mathewson committed
170
171
    - When building for Android, disable some tests that depend on $HOME
      and/or pwdb, which Android doesn't have. Closes ticket 32825.
172
173
174
175
      Patch from Hans-Christoph Steiner.

  o Minor features (relay module):
    - Split the relay and server pluggable transport config code into
Nick Mathewson's avatar
Nick Mathewson committed
176
177
      separate files in the relay module. Disable this code when the
      relay module is disabled. Closes ticket 32213.
178
179
180
181
182
183
    - When the relay module is disabled, reject attempts to set the
      ORPort, DirPort, DirCache, BridgeRelay, ExtORPort, or
      ServerTransport* options, rather than ignoring the values of these
      options. Closes ticket 32213.

  o Minor features (relay):
Nick Mathewson's avatar
Nick Mathewson committed
184
185
    - When the relay module is disabled, change the default config so
      that DirCache is 0, and ClientOnly is 1. Closes ticket 32410.
186
187
188
189
190
191
192
193
194
195
196

  o Minor features (release tools):
    - Port our changelog formatting and sorting tools to Python 3.
      Closes ticket 32704.

  o Minor features (testing):
    - Add common failure cases for test_parseconf.sh in
      src/test/conf_failures. Closes ticket 32451.
    - Allow test_parseconf.sh to test expected log outputs for successful
      configs, as well as failed configs. Closes ticket 32451.
    - test_parseconf.sh now supports result variants for any combination
Nick Mathewson's avatar
Nick Mathewson committed
197
      of the optional libraries lzma, nss, and zstd. Closes ticket 32397.
198
199

  o Minor features (tests, Android):
Nick Mathewson's avatar
Nick Mathewson committed
200
201
202
    - When running the unit tests on Android, create temporary files in
      a subdirectory of /data/local/tmp. Closes ticket 32172. Based on a
      patch from Hans-Christoph Steiner.
203
204
205
206
207
208

  o Minor bugfix (configuration):
    - Check for multiplication overflow when parsing memory units inside
      configuration. Fixes bug 30920; bugfix on 0.0.9rc1~46.

  o Minor bugfixes (bridges):
Nick Mathewson's avatar
Nick Mathewson committed
209
210
    - Lowercase the value of BridgeDistribution from torrc before adding
      it to the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.
211
212

  o Minor bugfixes (build):
Nick Mathewson's avatar
Nick Mathewson committed
213
214
    - Fix "make autostyle" for out-of-tree builds. Fixes bug 32370;
      bugfix on 0.4.1.2-alpha.
215
216

  o Minor bugfixes (config):
Nick Mathewson's avatar
Nick Mathewson committed
217
218
219
220
221
    - When dumping the config, stop adding a trailing space after the
      option name, when there is no option value. This issue only
      affects options that accept an empty value or list. (Most options
      reject empty values, or delete the entire line from the dumped
      options.) Fixes bug 32352; bugfix on 0.0.9pre6.
222
223

  o Minor bugfixes (configuration handling):
Nick Mathewson's avatar
Nick Mathewson committed
224
225
226
    - Make control_event_conf_changed() take in a config_line_t instead
      of a smartlist(k, v, k, v, ...) where keys are followed by values.
      Fixes bug 31531; bugfix on 0.2.3.3-alpha. Patch by Neel Chauhan.
227
228

  o Minor bugfixes (configuration):
Nick Mathewson's avatar
Nick Mathewson committed
229
230
231
    - Avoid changing the user's value of HardwareAccel as stored by
      SAVECONF, when AccelName is set but HardwareAccel is not. Fixes
      bug 32382; bugfix on 0.2.2.1-alpha.
232
233
    - When creating a KeyDirectory with the same location as the
      DataDirectory (not recommended), respect the DataDirectory's
Nick Mathewson's avatar
Nick Mathewson committed
234
235
      group-readable setting if one has not been set for the
      KeyDirectory. Fixes bug 27992; bugfix on 0.3.3.1-alpha.
236
237

  o Minor bugfixes (controller):
Nick Mathewson's avatar
Nick Mathewson committed
238
239
240
    - In routerstatus_has_changed(), check all the fields that are
      output over the control port. Fixes bug 20218; bugfix
      on 0.1.1.11-alpha
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259

  o Minor bugfixes (correctness checks):
    - Use GCC/Clang's printf-checking feature to make sure that
      tor_assertf() arguments are correctly typed. Fixes bug 32765;
      bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (developer tools):
    - Allow paths starting with ./ in scripts/add_c_file.py. Fixes bug
      31336; bugfix on 0.4.1.2-alpha.

  o Minor bugfixes (dirauth module):
    - Split the dirauth config code into a separate file in the dirauth
      module. Disable this code when the dirauth module is disabled.
      Closes ticket 32213.
    - When the dirauth module is disabled, reject attempts to set the
      AuthoritativeDir option, rather than ignoring the value of the
      option. Fixes bug 32213; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (embedded Tor):
Nick Mathewson's avatar
Nick Mathewson committed
260
261
262
263
264
    - When starting Tor any time after the first time in a process,
      register the thread in which it is running as the main thread.
      Previously, we only did this on Windows, which could lead to bugs
      like 23081 on non-Windows platforms. Fixes bug 32884; bugfix
      on 0.3.3.1-alpha.
265
266

  o Minor bugfixes (git scripts):
Nick Mathewson's avatar
Nick Mathewson committed
267
268
    - Avoid sleeping before the last push in git-push-all.sh. Closes
      ticket 32216.
269
270
271
272
    - Forward all unrecognised arguments in git-push-all.sh to git push.
      Closes ticket 32216.

  o Minor bugfixes (hidden service v3):
Nick Mathewson's avatar
Nick Mathewson committed
273
274
275
276
    - Do not rely on a "circuit established" flag for intro circuit but
      instead always query the HS circuit map. This is to avoid sync
      issue with that flag and the map. Fixes bug 32094; bugfix
      on 0.3.2.1-alpha.
277
278
279
280

  o Minor bugfixes (linux seccomp sandbox):
    - Correct how we use libseccomp. Particularly, stop assuming that
      rules are applied in a particular order or that more rules are
Nick Mathewson's avatar
Nick Mathewson committed
281
282
283
284
285
286
      processed after the first match. Neither is the case! In
      libseccomp <2.4.0 this lead to some rules having no effect.
      Libseccomp 2.4.0 changed how rules are generated leading to a
      different ordering which in turn lead to a fatal crash during
      startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by
      Peter Gerber.
287
    - Fix crash when reloading logging configuration while the
Nick Mathewson's avatar
Nick Mathewson committed
288
289
      experimental sandbox is enabled. Fixes bug 32841; bugfix on
      0.4.1.7. Patch by Peter Gerber.
290
291

  o Minor bugfixes (logging, crash):
Nick Mathewson's avatar
Nick Mathewson committed
292
293
294
    - Avoid a possible crash when trying to log a (fatal) assertion
      failure about mismatched magic numbers in configuration objects.
      Fixes bug 32771; bugfix on 0.4.2.1-alpha.
295
296

  o Minor bugfixes (onion service v2):
Nick Mathewson's avatar
Nick Mathewson committed
297
298
299
300
301
    - When sending the INTRO cell for a v2 Onion Service, look at the
      failure cache alongside timeout values to check if the intro point
      is marked as failed. Previously, we only looked at if the relay
      timeout values. Fixes bug 25568; bugfix on 0.2.7.3-rc. Patch by
      Neel Chauhan.
302
303

  o Minor bugfixes (onion services v3, client):
Nick Mathewson's avatar
Nick Mathewson committed
304
305
306
307
308
309
    - Properly handle the client rendezvous circuit timeout. This
      results in better reachability because tor doesn't timeout a
      rendezvous circuit awaiting the introduction ACK and thus
      preventing tor to re-establish all circuits because the rendezvous
      circuit timed out too early. Fixes bug 32021; bugfix
      on 0.3.2.1-alpha.
310
311

  o Minor bugfixes (onion services):
Nick Mathewson's avatar
Nick Mathewson committed
312
313
314
    - In cancel_descriptor_fetches(), use
      connection_list_by_type_purpose() instead of
      connection_list_by_type_state(). Fixes bug 32639; bugfix on
315
316
317
      0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (scripts):
Nick Mathewson's avatar
Nick Mathewson committed
318
319
    - Fix update_versions.py for out-of-tree builds. Fixes bug 32371;
      bugfix on 0.4.0.1-alpha.
320
321

  o Minor bugfixes (test):
Nick Mathewson's avatar
Nick Mathewson committed
322
323
324
325
    - Use the same code to find the tor binary in all of our test
      scripts. This change makes sure we are always using the coverage
      binary, when coverage is enabled. Fixes bug 32368; bugfix
      on 0.2.7.3-rc.
326
327
328
329
330

  o Minor bugfixes (testing):
    - Stop ignoring "tor --dump-config" errors in test_parseconf.sh.
      Fixes bug 32468; bugfix on 0.4.2.1-alpha.
    - When TOR_DISABLE_PRACTRACKER is set, do not apply it to the
Nick Mathewson's avatar
Nick Mathewson committed
331
332
333
334
335
      test_practracker.sh script. Doing so caused a test failure. Fixes
      bug 32705; bugfix on 0.4.2.1-alpha.
    - When TOR_DISABLE_PRACTRACKER is set, log a notice to stderr when
      skipping practracker checks. Fixes bug 32705; bugfix
      on 0.4.2.1-alpha.
336
337

  o Minor bugfixes (tests):
Nick Mathewson's avatar
Nick Mathewson committed
338
339
340
341
342
    - Our option-validation tests no longer depend on specially
      configured non-default, non-passing set of options. Previously,
      the tests had been written to assume that options would _not_ be
      set to their defaults, which led to needless complexity and
      verbosity. Fixes bug 32175; bugfix on 0.2.8.1-alpha.
343
344

  o Minor bugfixes (windows service):
Nick Mathewson's avatar
Nick Mathewson committed
345
346
    - Initialize publish/subscribe system when running as a windows
      service. Fixes bug 32778; bugfix on 0.4.1.1-alpha.
347
348
349
350
351
352

  o Code simplification and refactoring:
    - Add numerous missing dependencies to our include files, so that
      they can be included in different reasonable orders and still
      compile. Addresses part of ticket 32764.
    - Create a new abstraction for formatting control protocol reply
Nick Mathewson's avatar
Nick Mathewson committed
353
354
355
356
357
358
359
360
      lines based on key-value pairs. Refactor some existing control
      protocol code to take advantage of this. Closes ticket 30984.
    - Disable relay_periodic when the relay module is disabled. Closes
      ticket 32244.
    - Disable relay_sys when the relay module is disabled. Closes
      ticket 32245.
    - Fix some parts of our code that were difficult for Coccinelle to
      parse. Related to ticket 31705.
361
    - Fix some small issues in our code that prevented automatic
Nick Mathewson's avatar
Nick Mathewson committed
362
363
364
365
      formatting tools from working. Addresses part of ticket 32764.
    - Immutability is now implemented as a flag on individual
      configuration options rather than as part of the option-transition
      checking code. Closes ticket 32344.
366
367
368
369
    - Instead of keeping a list of configuration options to check for
      relative paths, check all the options whose type is "FILENAME".
      Solves part of ticket 32339.
    - Make all the structs we declare follow the same naming convention
Nick Mathewson's avatar
Nick Mathewson committed
370
      of ending with "_t". Closes ticket 32415.
371
372
373
    - Move and rename some configuration-related code for clarity.
      Closes ticket 32304.
    - Our default log (which ordinarily sends NOTICE-level message to
Nick Mathewson's avatar
Nick Mathewson committed
374
375
376
377
378
379
380
      standard output) is now handled in a more logical manner.
      Previously, we replaced the configured log options if they were
      empty. Now, we interpret an empty set of log options as meaning
      "use the default log". Closes ticket 31999.
    - Our include.am files are now broken up by subdirectory.
      Previously, src/core/include.am covered all of the subdirectories
      in "core", "feature", and "app". Closes ticket 32137.
381
382
383
384
    - Remove some unused arguments from the options_validate() function,
      to simplify our code and tests. Closes ticket 32187.
    - Remove the last remaining HAVE_MODULE_DIRAUTH inside a function.
      Closes ticket 32163.
Nick Mathewson's avatar
Nick Mathewson committed
385
386
387
388
389
    - Remove underused NS*() macros from test code: they make our tests
      more confusing, especially for code-formatting tools. Closes
      ticket 32887.
    - Replace some confusing identifiers in process_descs.c. Closes
      ticket 29826.
390
    - Simplify some relay and dirauth config code. Closes ticket 32213.
Nick Mathewson's avatar
Nick Mathewson committed
391
392
393
394
395
396
397
398
399
400
    - Simplify the options_validate() code so that it looks at the
      default options directly, rather than taking default options as an
      argument. This change lets us simplify its interface. Closes
      ticket 32185.
    - Use our new configuration architecture to move most authority-
      related options to the directory authority module. Closes
      ticket 32806.
    - When parsing the command line, handle options that determine our
      "quiet level" and our mode of operation (e.g., --dump-config and
      so on) all in one table. Closes ticket 32003.
401
402

  o Deprecated features:
Nick Mathewson's avatar
Nick Mathewson committed
403
404
405
    - Deprecate the ClientAutoIPv6ORPort option. This option was not
      true Happy Eyeballs, and often failed on connections that weren't
      reliably dual-stack. Closes ticket 32942. Patch by Neel Chauhan.
406
407

  o Documentation:
Nick Mathewson's avatar
Nick Mathewson committed
408
409
    - Add documentation in 'HelpfulTools.md' to describe how to build a
      tag file. Closes ticket 32779.
410
    - Create a high-level description of the long-term software
Nick Mathewson's avatar
Nick Mathewson committed
411
412
413
      architecture goals. Closes ticket 32206.
    - Describe the --dump-config command in the manual page. Closes
      ticket 32467.
414
415
416
417
    - Unite coding advice from this_not_that.md in torguts repo into our
      coding standards document. Resolves ticket 31853.

  o Removed features:
Nick Mathewson's avatar
Nick Mathewson committed
418
    - Our Doxygen configuration no longer generates LaTeX output. The
419
      reference manual produced by doing this was over 4000 pages long,
Nick Mathewson's avatar
Nick Mathewson committed
420
421
422
423
424
      and generally unusable. Closes ticket 32099.
    - The option "TestingEstimatedDescriptorPropagationTime" is now
      marked as obsolete. It has had no effect since 0.3.0.7, when
      clients stopped rejecting consensuses "from the future". Closes
      ticket 32807.
425
426
427
428
429
430
    - We no longer support consensus methods before method 28; these
      methods were only used by authorities running versions of Tor that
      are now at end-of-life. In effect, this means that clients and
      relays, and authorities now assume that authorities will be
      running version 0.3.5.x or later. Closes ticket 32695.

Nick Mathewson's avatar
Nick Mathewson committed
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
  o Testing:
    - Add more test cases for tor's UTF-8 validation function. Also,
      check the arguments passed to the function for consistency. Closes
      ticket 32845.
    - Improve test coverage for relay and dirauth config code, focusing
      on option validation and normalization. Closes ticket 32213.
    - Improve the consistency of test_parseconf.sh output, and run all
      the tests, even if one fails. Closes ticket 32213.
    - Re-enable the Travis CI macOS Chutney build, but allow the job to
      finish before it finishes, because the Travis macOS jobs are slow.
      Closes ticket 32629.
    - Run the practracker unit tests in the pre-commit git hook. Closes
      ticket 32609.
    - Turn off Tor's Sandbox in Chutney jobs, and run those jobs on
      Ubuntu Bionic. Turning off the Sandbox is a work-around, until we
      fix the sandbox errors in 32722. Closes ticket 32240.

  o Code simplification and refactoring (channel):
    - Channel layer had a variable length cell handler that was not used
      and thus removed. Closes ticket 32892.

  o Code simplification and refactoring (controller):
    - Create a helper function that can fetch network status or
      microdesc consensuses. Closes ticket 31684.

  o Documentation (manpage):
    - Alphabetize the Client Options section of the tor manpage. Closes
      ticket 32846.
    - Alphabetize the General Options section of the tor manpage. Closes
      ticket 32708.
    - In the tor(1) manpage, reword and improve formatting of the
      COMMAND-LINE OPTIONS and DESCRIPTION sections. Closes ticket
      32277. Based on work by Swati Thacker as part of Google Season
      of Docs.
    - In the tor(1) manpage, reword and improve formatting of the FILES,
      SEE ALSO, and BUGS sections. Closes ticket 32176. Based on work by
      Swati Thacker as part of Google Season of Docs.

469
  o Testing (circuit, EWMA):
Nick Mathewson's avatar
Nick Mathewson committed
470
471
    - Add unit tests for circuitmux and EWMA subsystems. Closes
      ticket 32196.
472
473
474
475
476

  o Testing (continuous integration):
    - Use zstd in our Travis Linux builds. Closes ticket 32242.


477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
Changes in version 0.4.2.5 - 2019-12-09
  This is the first stable release in the 0.4.2.x series. This series
  improves reliability and stability, and includes several stability and
  correctness improvements for onion services. It also fixes many smaller
  bugs present in previous series.

  Per our support policy, we will support the 0.4.2.x series for nine
  months, or until three months after the release of a stable 0.4.3.x:
  whichever is longer. If you need longer-term support, please stick
  with 0.3.5.x, which will we plan to support until Feb 2022.

  Per our support policy, we will support the 0.4.2.x series for nine
  months, or until three months after the release of a stable 0.4.3.x:
  whichever is longer. If you need longer-term support, please stick
  with 0.3.5.x, which will we plan to support until Feb 2022.

  Below are the changes since 0.4.1.4-rc. For a complete list of changes
  since 0.4.1.5, see the ReleaseNotes file.

  o Minor features (geoip):
    - Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
      Country database. Closes ticket 32685.

  o Testing:
    - Require C99 standards-conforming code in Travis CI, but allow GNU
      gcc extensions. Also activates clang's -Wtypedef-redefinition
      warnings. Build some jobs with -std=gnu99, and some jobs without.
      Closes ticket 32500.


Changes in version 0.4.1.7 - 2019-12-09
  This release backports several bugfixes to improve stability and
  correctness.  Anyone experiencing build problems or crashes with 0.4.1.6,
  including all relays relying on AccountingMax, should upgrade.

  o Major features (directory authorities, backport from 0.4.2.2-alpha):
    - Directory authorities now reject relays running all currently
      deprecated release series. The currently supported release series
      are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.

  o Major bugfixes (embedded Tor, backport from 0.4.2.2-alpha):
    - Avoid a possible crash when restarting Tor in embedded mode and
      enabling a different set of publish/subscribe messages. Fixes bug
      31898; bugfix on 0.4.1.1-alpha.

  o Major bugfixes (relay, backport from 0.4.2.3-alpha):
    - Relays now respect their AccountingMax bandwidth again. When
      relays entered "soft" hibernation (which typically starts when
      we've hit 90% of our AccountingMax), we had stopped checking
      whether we should enter hard hibernation. Soft hibernation refuses
      new connections and new circuits, but the existing circuits can
      continue, meaning that relays could have exceeded their configured
      AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.

  o Major bugfixes (torrc parsing, backport from 0.4.2.2-alpha):
    - Stop ignoring torrc options after an %include directive, when the
      included directory ends with a file that does not contain any
      config options (but does contain comments or whitespace). Fixes
      bug 31408; bugfix on 0.3.1.1-alpha.

  o Major bugfixes (v3 onion services, backport from 0.4.2.3-alpha):
    - Onion services now always use the exact number of intro points
      configured with the HiddenServiceNumIntroductionPoints option (or
      fewer if nodes are excluded). Before, a service could sometimes
      pick more intro points than configured. Fixes bug 31548; bugfix
      on 0.3.2.1-alpha.

  o Minor features (continuous integration, backport from 0.4.2.2-alpha):
    - When building on Appveyor and Travis, pass the "-k" flag to make,
      so that we are informed of all compilation failures, not just the
      first one or two. Closes ticket 31372.

  o Minor features (geoip, backport from 0.4.2.5):
    - Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
      Country database. Closes ticket 32685.

  o Minor bugfixes (Appveyor CI, backport from 0.4.2.2-alpha):
    - Avoid spurious errors when Appveyor CI fails before the install step.
      Fixes bug 31884; bugfix on 0.3.4.2-alpha.

  o Minor bugfixes (client, onion service v3, backport from 0.4.2.4-rc):
    - Fix a BUG() assertion that occurs within a very small race window
      between when a client intro circuit opens and when its descriptor
      gets cleaned up from the cache. The circuit is now closed early,
      which will trigger a re-fetch of the descriptor and continue the
      connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (connections, backport from 0.4.2.3-rc):
    - Avoid trying to read data from closed connections, which can cause
      needless loops in Libevent and infinite loops in Shadow. Fixes bug
      30344; bugfix on 0.1.1.1-alpha.

  o Minor bugfixes (error handling, backport from 0.4.2.1-alpha):
    - On abort, try harder to flush the output buffers of log messages.
      On some platforms (macOS), log messages could be discarded when
      the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
    - Report the tor version whenever an assertion fails. Previously, we
      only reported the Tor version on some crashes, and some non-fatal
      assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
    - When tor aborts due to an error, close log file descriptors before
      aborting. Closing the logs makes some OSes flush log file buffers,
      rather than deleting buffered log lines. Fixes bug 31594; bugfix
      on 0.2.5.2-alpha.

  o Minor bugfixes (logging, backport from 0.4.2.2-alpha):
    - Add a missing check for HAVE_PTHREAD_H, because the backtrace code
      uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
    - Disable backtrace signal handlers when shutting down tor. Fixes
      bug 31614; bugfix on 0.2.5.2-alpha.
    - Rate-limit our the logging message about the obsolete .exit
      notation. Previously, there was no limit on this warning, which
      could potentially be triggered many times by a hostile website.
      Fixes bug 31466; bugfix on 0.2.2.1-alpha.

  o Minor bugfixes (logging, protocol violations, backport from 0.4.2.2-alpha):
    - Do not log a nonfatal assertion failure when receiving a VERSIONS
      cell on a connection using the obsolete v1 link protocol. Log a
      protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (mainloop, periodic events, in-process API, backport from 0.4.2.3-alpha):
    - Reset the periodic events' "enabled" flag when Tor is shut down
      cleanly. Previously, this flag was left on, which caused periodic
      events not to be re-enabled when Tor was relaunched in-process
      with tor_api.h after a shutdown. Fixes bug 32058; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (multithreading, backport from 0.4.2.2-alpha):
    - Avoid some undefined behaviour when freeing mutexes. Fixes bug
      31736; bugfix on 0.0.7.

  o Minor bugfixes (process management, backport from 0.4.2.3-alpha):
    - Remove overly strict assertions that triggered when a pluggable
      transport failed to launch. Fixes bug 31091; bugfix
      on 0.4.0.1-alpha.
    - Remove an assertion in the Unix process backend. This assertion
      would trigger when we failed to find the executable for a child
      process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (relay, backport from 0.4.2.2-alpha):
    - Avoid crashing when starting with a corrupt keys directory where
      the old ntor key and the new ntor key are identical. Fixes bug
      30916; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (testing, backport from 0.4.2.3-alpha):
    - When testing port rebinding, don't busy-wait for tor to log.
      Instead, actually sleep for a short time before polling again.
      Also improve the formatting of control commands and log messages.
      Fixes bug 31837; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (tests, SunOS, backport from 0.4.2.2-alpha):
    - Avoid a map_anon_nofork test failure due to a signed/unsigned
      integer comparison. Fixes bug 31897; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (tls, logging, backport from 0.4.2.3-alpha):
    - Log bugs about the TLS read buffer's length only once, rather than
      filling the logs with similar warnings. Fixes bug 31939; bugfix
      on 0.3.0.4-rc.

  o Documentation (backport from 0.4.2.2-alpha):
    - Explain why we can't destroy the backtrace buffer mutex. Explain
      why we don't need to destroy the log mutex. Closes ticket 31736.

  o Testing (continuous integration, backport from 0.4.2.3-alpha):
    - Disable all but one Travis CI macOS build, to mitigate slow
      scheduling of Travis macOS jobs. Closes ticket 32177.
    - Run the chutney IPv6 networks as part of Travis CI. Closes
      ticket 30860.
    - Simplify the Travis CI build matrix, and optimise for build time.
      Closes ticket 31859.
    - Use Windows Server 2019 instead of Windows Server 2016 in our
      Appveyor builds. Closes ticket 32086.

  o Testing (continuous integration, backport from 0.4.2.4-rc):
    - In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.
    - Use Ubuntu Bionic images for our Travis CI builds, so we can get a
      recent version of coccinelle. But leave chutney on Ubuntu Trusty,
      until we can fix some Bionic permissions issues (see ticket
      32240). Related to ticket 31919.
    - Install the mingw OpenSSL package in Appveyor. This makes sure
      that the OpenSSL headers and libraries match in Tor's Appveyor
      builds. (This bug was triggered by an Appveyor image update.)
      Fixes bug 32449; bugfix on 0.3.5.6-rc.

  o Testing (continuous integration, backport from 0.4.2.5):
    - Require C99 standards-conforming code in Travis CI, but allow GNU gcc
      extensions. Also activates clang's -Wtypedef-redefinition warnings.
      Build some jobs with -std=gnu99, and some jobs without.
      Closes ticket 32500.


Changes in version 0.4.0.6 - 2019-12-09
  This is the second stable release in the 0.4.0.x series. This release
  backports several bugfixes to improve stability and correctness.  Anyone
  experiencing build problems or crashes with 0.4.0.5, including all relays
  relying on AccountingMax, should upgrade.

  Note that, per our support policy, support for the 0.4.0.x series will end
  on 2 Feb 2020.  Anyone still running 0.4.0.x should plan to upgrade to the
  latest stable release, or downgrade to 0.3.5.x, which will get long-term
  support until 1 Feb 2022.

  o Directory authority changes (backport from 0.4.1.5):
    - The directory authority "dizum" has a new IP address. Closes
      ticket 31406.

  o Major bugfixes (bridges, backport from 0.4.1.2-alpha):
    - Consider our directory information to have changed when our list
      of bridges changes. Previously, Tor would not re-compute the
      status of its directory information when bridges changed, and
      therefore would not realize that it was no longer able to build
      circuits. Fixes part of bug 29875.
    - Do not count previously configured working bridges towards our
      total of working bridges. Previously, when Tor's list of bridges
      changed, it would think that the old bridges were still usable,
      and delay fetching router descriptors for the new ones. Fixes part
      of bug 29875; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (circuit build, guard, backport from 0.4.1.4-rc):
    - When considering upgrading circuits from "waiting for guard" to
      "open", always ignore circuits that are marked for close. Otherwise,
      we can end up in the situation where a subsystem is notified that
      a closing circuit has just opened, leading to undesirable
      behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (Onion service reachability, backport from 0.4.1.3-alpha):
    - Properly clean up the introduction point map when circuits change
      purpose from onion service circuits to pathbias, measurement, or
      other circuit types. This should fix some service-side instances
      of introduction point failure. Fixes bug 29034; bugfix
      on 0.3.2.1-alpha.

  o Major bugfixes (onion service v3, backport from 0.4.1.1-alpha):
    - Fix an unreachable bug in which an introduction point could try to
      send an INTRODUCE_ACK with a status code that Trunnel would refuse
      to encode, leading the relay to assert(). We've consolidated the
      ABI values into Trunnel now. Fixes bug 30454; bugfix
      on 0.3.0.1-alpha.
    - Clients can now handle unknown status codes from INTRODUCE_ACK
      cells. (The NACK behavior will stay the same.) This will allow us
      to extend status codes in the future without breaking the normal
      client behavior. Fixes another part of bug 30454; bugfix
      on 0.3.0.1-alpha.

  o Major bugfixes (relay, backport from 0.4.2.3-alpha):
    - Relays now respect their AccountingMax bandwidth again. When
      relays entered "soft" hibernation (which typically starts when
      we've hit 90% of our AccountingMax), we had stopped checking
      whether we should enter hard hibernation. Soft hibernation refuses
      new connections and new circuits, but the existing circuits can
      continue, meaning that relays could have exceeded their configured
      AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.

  o Major bugfixes (torrc parsing, backport from 0.4.2.2-alpha):
    - Stop ignoring torrc options after an %include directive, when the
      included directory ends with a file that does not contain any
      config options (but does contain comments or whitespace). Fixes
      bug 31408; bugfix on 0.3.1.1-alpha.

  o Major bugfixes (v3 onion services, backport from 0.4.2.3-alpha):
    - Onion services now always use the exact number of intro points
      configured with the HiddenServiceNumIntroductionPoints option (or
      fewer if nodes are excluded). Before, a service could sometimes
      pick more intro points than configured. Fixes bug 31548; bugfix
      on 0.3.2.1-alpha.

  o Minor features (compile-time modules, backport from version 0.4.1.1-alpha):
    - Add a "--list-modules" command to print a list of which compile-
      time modules are enabled. Closes ticket 30452.

  o Minor features (continuous integration, backport from 0.4.1.1-alpha):
    - Remove sudo configuration lines from .travis.yml as they are no
      longer needed with current Travis build environment. Resolves
      issue 30213.

  o Minor features (continuous integration, backport from 0.4.1.4-rc):
    - Our Travis configuration now uses Chutney to run some network
      integration tests automatically. Closes ticket 29280.

  o Minor features (continuous integration, backport from 0.4.2.2-alpha):
    - When building on Appveyor and Travis, pass the "-k" flag to make,
      so that we are informed of all compilation failures, not just the
      first one or two. Closes ticket 31372.

  o Minor features (fallback directory list, backport from 0.4.1.4-rc):
    - Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc
      in December 2018 (of which ~122 were still functional), with a
      list of 148 fallbacks (70 new, 78 existing, 79 removed) generated
      in June 2019. Closes ticket 28795.

  o Minor features (geoip, backport from 0.4.2.5):
    - Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
      Country database. Closes ticket 32685.

  o Minor features (stem tests, backport from 0.4.2.1-alpha):
    - Change "make test-stem" so it only runs the stem tests that use
      tor. This change makes test-stem faster and more reliable. Closes
      ticket 31554.

  o Minor bugfixes (Appveyor CI, backport from 0.4.2.2-alpha):
    - Avoid spurious errors when Appveyor CI fails before the install step.
      Fixes bug 31884; bugfix on 0.3.4.2-alpha.

  o Minor bugfixes (build system, backport form 0.4.2.1-alpha):
    - Do not include the deprecated <sys/sysctl.h> on Linux or Windows
      systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (circuit isolation, backport from 0.4.1.3-alpha):
    - Fix a logic error that prevented the SessionGroup sub-option from
      being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (circuit padding, backport from 0.4.1.4-rc):
    - On relays, properly check that a padding machine is absent before
      logging a warning about it being absent. Fixes bug 30649; bugfix
      on 0.4.0.1-alpha.

  o Minor bugfixes (client, onion service v3, backport from 0.4.2.4-rc):
    - Fix a BUG() assertion that occurs within a very small race window
      between when a client intro circuit opens and when its descriptor
      gets cleaned up from the cache. The circuit is now closed early,
      which will trigger a re-fetch of the descriptor and continue the
      connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (clock skew detection, backport from 0.4.1.5):
    - Don't believe clock skew results from NETINFO cells that appear to
      arrive before we sent the VERSIONS cells they are responding to.
      Previously, we would accept them up to 3 minutes "in the past".
      Fixes bug 31343; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (compilation warning, backport from 0.4.1.5):
    - Fix a compilation warning on Windows about casting a function
      pointer for GetTickCount64(). Fixes bug 31374; bugfix
      on 0.2.9.1-alpha.

  o Minor bugfixes (compilation, backport from 0.4.1.5):
    - Avoid using labs() on time_t, which can cause compilation warnings
      on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (compilation, backport from 0.4.2.1-alpha):
    - Suppress spurious float-conversion warnings from GCC when calling
      floating-point classifier functions on FreeBSD. Fixes part of bug
      31687; bugfix on 0.3.1.5-alpha.

  o Minor bugfixes (compilation, unusual configurations, backport from 0.4.1.1-alpha):
    - Avoid failures when building with the ALL_BUGS_ARE_FATAL option
      due to missing declarations of abort(), and prevent other such
      failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (configuration, proxies, backport from 0.4.1.2-alpha):
    - Fix a bug that prevented us from supporting SOCKS5 proxies that
      want authentication along with configured (but unused!)
      ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.

  o Minor bugfixes (connections, backport from 0.4.2.3-rc):
    - Avoid trying to read data from closed connections, which can cause
      needless loops in Libevent and infinite loops in Shadow. Fixes bug
      30344; bugfix on 0.1.1.1-alpha.

  o Minor bugfixes (continuous integration, backport from 0.4.1.3-alpha):
    - Allow the test-stem job to fail in Travis, because it sometimes
      hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha.
    - Skip test_rebind on macOS in Travis, because it is unreliable on
      macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
    - Skip test_rebind when the TOR_SKIP_TEST_REBIND environment
      variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (crash on exit, backport from 0.4.1.4-rc):
    - Avoid a set of possible code paths that could try to use freed
      memory in routerlist_free() while Tor was exiting. Fixes bug
      31003; bugfix on 0.1.2.2-alpha.

  o Minor bugfixes (directory authorities, backport from 0.4.1.3-alpha):
    - Stop crashing after parsing an unknown descriptor purpose
      annotation. We think this bug can only be triggered by modifying a
      local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha.

  o Minor bugfixes (directory authority, backport from 0.4.1.2-alpha):
    - Move the "bandwidth-file-headers" line in directory authority
      votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (error handling, backport from 0.4.2.1-alpha):
    - On abort, try harder to flush the output buffers of log messages.
      On some platforms (macOS), log messages could be discarded when
      the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
    - Report the tor version whenever an assertion fails. Previously, we
      only reported the Tor version on some crashes, and some non-fatal
      assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (FreeBSD, PF-based proxy, IPv6, backport from 0.4.2.1-alpha):
    - When extracting an IPv6 address from a PF-based proxy, verify that
      we are actually configured to receive an IPv6 address, and log an
      internal error if not. Fixes part of bug 31687; bugfix
      on 0.2.3.4-alpha.

  o Minor bugfixes (guards, backport from 0.4.2.1-alpha):
    - When tor is missing descriptors for some primary entry guards,
      make the log message less alarming. It's normal for descriptors to
      expire, as long as tor fetches new ones soon after. Fixes bug
      31657; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.1.1-alpha):
    - Do not log a warning when running with an OpenSSL version other
      than the one Tor was compiled with, if the two versions should be
      compatible. Previously, we would warn whenever the version was
      different. Fixes bug 30190; bugfix on 0.2.4.2-alpha.

  o Minor bugfixes (logging, backport from 0.4.2.1-alpha):
    - Change log level of message "Hash of session info was not as
      expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (logging, backport from 0.4.2.2-alpha):
    - Rate-limit our the logging message about the obsolete .exit
      notation. Previously, there was no limit on this warning, which
      could potentially be triggered many times by a hostile website.
      Fixes bug 31466; bugfix on 0.2.2.1-alpha.

  o Minor bugfixes (logging, protocol violations, backport from 0.4.2.2-alpha):
    - Do not log a nonfatal assertion failure when receiving a VERSIONS
      cell on a connection using the obsolete v1 link protocol. Log a
      protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (mainloop, periodic events, in-process API, backport from 0.4.2.3-alpha):
    - Reset the periodic events' "enabled" flag when Tor is shut down
      cleanly. Previously, this flag was left on, which caused periodic
      events not to be re-enabled when Tor was relaunched in-process
      with tor_api.h after a shutdown. Fixes bug 32058; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (memory leak, backport from 0.4.1.1-alpha):
    - Avoid a minor memory leak that could occur on relays when failing
      to create a "keys" directory. Fixes bug 30148; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (memory leak, backport from 0.4.1.4-rc):
    - Fix a trivial memory leak when parsing an invalid value
      from a download schedule in the configuration. Fixes bug
      30894; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (NetBSD, backport from 0.4.1.2-alpha):
    - Fix usage of minherit() on NetBSD and other platforms that define
      MAP_INHERIT_{ZERO,NONE} instead of INHERIT_{ZERO,NONE}. Fixes bug
      30614; bugfix on 0.4.0.2-alpha. Patch from Taylor Campbell.

  o Minor bugfixes (onion services, backport from 0.4.1.1-alpha):
    - Avoid a GCC 9.1.1 warning (and possible crash depending on libc
      implemenation) when failing to load an onion service client
      authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (out-of-memory handler, backport from 0.4.1.2-alpha):
    - When purging the DNS cache because of an out-of-memory condition,
      try purging just the older entries at first. Previously, we would
      always purge the whole thing. Fixes bug 29617; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (portability, backport from 0.4.1.2-alpha):
    - Avoid crashing in our tor_vasprintf() implementation on systems
      that define neither vasprintf() nor _vscprintf(). (This bug has
      been here long enough that we question whether people are running
      Tor on such systems, but we're applying the fix out of caution.)
      Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by
      Tobias Stoeckmann.

  o Minor bugfixes (process management, backport from 0.4.2.3-alpha):
    - Remove overly strict assertions that triggered when a pluggable
      transport failed to launch. Fixes bug 31091; bugfix
      on 0.4.0.1-alpha.
    - Remove an assertion in the Unix process backend. This assertion
      would trigger when we failed to find the executable for a child
      process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (relay, backport from 0.4.2.2-alpha):
    - Avoid crashing when starting with a corrupt keys directory where
      the old ntor key and the new ntor key are identical. Fixes bug
      30916; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (rust, backport from 0.4.2.1-alpha):
    - Correctly exclude a redundant rust build job in Travis. Fixes bug
      31463; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (testing, backport from 0.4.2.3-alpha):
    - When testing port rebinding, don't busy-wait for tor to log.
      Instead, actually sleep for a short time before polling again.
      Also improve the formatting of control commands and log messages.
      Fixes bug 31837; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (tls, logging, backport from 0.4.2.3-alpha):
    - Log bugs about the TLS read buffer's length only once, rather than
      filling the logs with similar warnings. Fixes bug 31939; bugfix
      on 0.3.0.4-rc.

  o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha):
    - Always retry v2 single onion service intro and rend circuits with
      a 3-hop path. Previously, v2 single onion services used a 3-hop
      path when rendezvous circuits were retried after a remote or
      delayed failure, but a 1-hop path for immediate retries. Fixes bug
      23818; bugfix on 0.2.9.3-alpha.
    - Make v3 single onion services fall back to a 3-hop intro, when all
      intro points are unreachable via a 1-hop path. Previously, v3
      single onion services failed when all intro nodes were unreachable
      via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.

  o Documentation (backport from 0.4.2.1-alpha):
    - Use RFC 2397 data URL scheme to embed an image into tor-exit-
      notice.html so that operators no longer have to host it
      themselves. Closes ticket 31089.

  o Testing (backport from 0.4.1.2-alpha):
    - Specify torrc paths (with empty files) when launching tor in
      integration tests; refrain from reading user and system torrcs.
      Resolves issue 29702.

  o Testing (continuous integration, backport from 0.4.1.1-alpha):
    - In Travis, show stem's tor log after failure. Closes ticket 30234.

  o Testing (continuous integration, backport from 0.4.1.5):
    - In Travis, make stem log a controller trace to the console, and
      tail stem's tor log after failure. Closes ticket 30591.
    - In Travis, only run the stem tests that use a tor binary. Closes
      ticket 30694.

  o Testing (continuous integration, backport from 0.4.2.3-alpha):
    - Disable all but one Travis CI macOS build, to mitigate slow
      scheduling of Travis macOS jobs. Closes ticket 32177.
    - Run the chutney IPv6 networks as part of Travis CI. Closes
      ticket 30860.
    - Simplify the Travis CI build matrix, and optimise for build time.
      Closes ticket 31859.
    - Use Windows Server 2019 instead of Windows Server 2016 in our
      Appveyor builds. Closes ticket 32086.

  o Testing (continuous integration, backport from 0.4.2.4-rc):
    - Use Ubuntu Bionic images for our Travis CI builds, so we can get a
      recent version of coccinelle. But leave chutney on Ubuntu Trusty,
      until we can fix some Bionic permissions issues (see ticket
      32240). Related to ticket 31919.
    - Install the mingw OpenSSL package in Appveyor. This makes sure
      that the OpenSSL headers and libraries match in Tor's Appveyor
      builds. (This bug was triggered by an Appveyor image update.)
      Fixes bug 32449; bugfix on 0.3.5.6-rc.
    - In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.

  o Testing (continuous integration, backport from 0.4.2.5):
    - Require C99 standards-conforming code in Travis CI, but allow GNU gcc
      extensions. Also activates clang's -Wtypedef-redefinition warnings.
      Build some jobs with -std=gnu99, and some jobs without.
      Closes ticket 32500.

Changes in version 0.3.5.9 - 2019-12-09
  Tor 0.3.5.9 backports serveral fixes from later releases, including
  several that affect bridge users, relay stability, onion services,
  and much more.

  o Directory authority changes (backport from 0.4.1.5):
    - The directory authority "dizum" has a new IP address. Closes
      ticket 31406.

  o Major bugfixes (bridges, backport from 0.4.1.2-alpha):
    - Consider our directory information to have changed when our list
      of bridges changes. Previously, Tor would not re-compute the
      status of its directory information when bridges changed, and
      therefore would not realize that it was no longer able to build
      circuits. Fixes part of bug 29875.
    - Do not count previously configured working bridges towards our
      total of working bridges. Previously, when Tor's list of bridges
      changed, it would think that the old bridges were still usable,
      and delay fetching router descriptors for the new ones. Fixes part
      of bug 29875; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (circuit build, guard, backport from 0.4.1.4-rc):
    - When considering upgrading circuits from "waiting for guard" to
      "open", always ignore circuits that are marked for close. Otherwise,
      we can end up in the situation where a subsystem is notified that
      a closing circuit has just opened, leading to undesirable
      behavior. Fixes bug 30871; bugfix on 0.3.0.1-alpha.

  o Major bugfixes (NSS, relay, backport from 0.4.0.4-rc):
    - When running with NSS, disable TLS 1.2 ciphersuites that use
      SHA384 for their PRF. Due to an NSS bug, the TLS key exporters for
      these ciphersuites don't work -- which caused relays to fail to
      handshake with one another when these ciphersuites were enabled.
      Fixes bug 29241; bugfix on 0.3.5.1-alpha.

  o Major bugfixes (Onion service reachability, backport from 0.4.1.3-alpha):
    - Properly clean up the introduction point map when circuits change
      purpose from onion service circuits to pathbias, measurement, or
      other circuit types. This should fix some service-side instances
      of introduction point failure. Fixes bug 29034; bugfix
      on 0.3.2.1-alpha.

  o Major bugfixes (onion service v3, backport from 0.4.1.1-alpha):
    - Fix an unreachable bug in which an introduction point could try to
      send an INTRODUCE_ACK with a status code that Trunnel would refuse
      to encode, leading the relay to assert(). We've consolidated the
      ABI values into Trunnel now. Fixes bug 30454; bugfix
      on 0.3.0.1-alpha.
    - Clients can now handle unknown status codes from INTRODUCE_ACK
      cells. (The NACK behavior will stay the same.) This will allow us
      to extend status codes in the future without breaking the normal
      client behavior. Fixes another part of bug 30454; bugfix
      on 0.3.0.1-alpha.

  o Major bugfixes (torrc parsing, backport from 0.4.2.2-alpha):
    - Stop ignoring torrc options after an %include directive, when the
      included directory ends with a file that does not contain any
      config options (but does contain comments or whitespace). Fixes
      bug 31408; bugfix on 0.3.1.1-alpha.

  o Major bugfixes (v3 onion services, backport from 0.4.2.3-alpha):
    - Onion services now always use the exact number of intro points
      configured with the HiddenServiceNumIntroductionPoints option (or
      fewer if nodes are excluded). Before, a service could sometimes
      pick more intro points than configured. Fixes bug 31548; bugfix
      on 0.3.2.1-alpha.

  o Minor features (address selection, backport from 0.4.0.3-alpha):
    - Treat the subnet 100.64.0.0/10 as public for some purposes;
      private for others. This subnet is the RFC 6598 (Carrier Grade
      NAT) IP range, and is deployed by many ISPs as an alternative to
      RFC 1918 that does not break existing internal networks. Tor now
      blocks SOCKS and control ports on these addresses and warns users
      if client ports or ExtORPorts are listening on a RFC 6598 address.
      Closes ticket 28525. Patch by Neel Chauhan.

  o Minor features (bandwidth authority, backport from 0.4.0.4-rc):
    - Make bandwidth authorities ignore relays that are reported in the
      bandwidth file with the flag "vote=0". This change allows us to
      report unmeasured relays for diagnostic reasons without including
      their bandwidth in the bandwidth authorities' vote. Closes
      ticket 29806.

  o Minor features (compile-time modules, backport from version 0.4.1.1-alpha):
    - Add a "--list-modules" command to print a list of which compile-
      time modules are enabled. Closes ticket 30452.

  o Minor features (continuous integration, backport from 0.4.0.4-rc):
    - On Travis Rust builds, cleanup Rust registry and refrain from
      caching the "target/" directory to speed up builds. Resolves
      issue 29962.

  o Minor features (continuous integration, backport from 0.4.0.5):
    - In Travis, tell timelimit to use stem's backtrace signals, and
      launch python directly from timelimit, so python receives the
      signals from timelimit, rather than make. Closes ticket 30117.

  o Minor features (continuous integration, backport from 0.4.1.1-alpha):
    - Remove sudo configuration lines from .travis.yml as they are no
      longer needed with current Travis build environment. Resolves
      issue 30213.

  o Minor features (continuous integration, backport from 0.4.1.4-rc):
    - Our Travis configuration now uses Chutney to run some network
      integration tests automatically. Closes ticket 29280.

  o Minor features (continuous integration, backport from 0.4.2.2-alpha):
    - When building on Appveyor and Travis, pass the "-k" flag to make,
      so that we are informed of all compilation failures, not just the
      first one or two. Closes ticket 31372.

  o Minor features (fallback directory list, backport from 0.4.1.4-rc):
    - Replace the 157 fallbacks originally introduced in Tor 0.3.5.6-rc
      in December 2018 (of which ~122 were still functional), with a
      list of 148 fallbacks (70 new, 78 existing, 79 removed) generated
      in June 2019. Closes ticket 28795.

  o Minor features (geoip, backport from 0.4.2.5):
    - Update geoip and geoip6 to the December 3 2019 Maxmind GeoLite2
      Country database. Closes ticket 32685.

  o Minor features (NSS, diagnostic, backport from 0.4.0.4-rc):
    - Try to log an error from NSS (if there is any) and a more useful
      description of our situation if we are using NSS and a call to
      SSL_ExportKeyingMaterial() fails. Diagnostic for ticket 29241.

  o Minor features (stem tests, backport from 0.4.2.1-alpha):
    - Change "make test-stem" so it only runs the stem tests that use
      tor. This change makes test-stem faster and more reliable. Closes
      ticket 31554.

  o Minor bugfixes (security, backport from 0.4.0.4-rc):
    - Verify in more places that we are not about to create a buffer
      with more than INT_MAX bytes, to avoid possible OOB access in the
      event of bugs. Fixes bug 30041; bugfix on 0.2.0.16. Found and
      fixed by Tobias Stoeckmann.
    - Fix a potential double free bug when reading huge bandwidth files.
      The issue is not exploitable in the current Tor network because
      the vulnerable code is only reached when directory authorities
      read bandwidth files, but bandwidth files come from a trusted
      source (usually the authorities themselves). Furthermore, the
      issue is only exploitable in rare (non-POSIX) 32-bit architectures,
      which are not used by any of the current authorities. Fixes bug
      30040; bugfix on 0.3.5.1-alpha. Bug found and fixed by
      Tobias Stoeckmann.

  o Minor bugfix (continuous integration, backport from 0.4.0.4-rc):
    - Reset coverage state on disk after Travis CI has finished. This
      should prevent future coverage merge errors from causing the test
      suite for the "process" subsystem to fail. The process subsystem
      was introduced in 0.4.0.1-alpha. Fixes bug 29036; bugfix
      on 0.2.9.15.
    - Terminate test-stem if it takes more than 9.5 minutes to run.
      (Travis terminates the job after 10 minutes of no output.)
      Diagnostic for 29437. Fixes bug 30011; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (Appveyor CI, backport from 0.4.2.2-alpha):
    - Avoid spurious errors when Appveyor CI fails before the install step.
      Fixes bug 31884; bugfix on 0.3.4.2-alpha.

  o Minor bugfixes (build system, backport form 0.4.2.1-alpha):
    - Do not include the deprecated <sys/sysctl.h> on Linux or Windows
      systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (C correctness, backport from 0.4.0.4-rc):
    - Fix an unlikely memory leak in consensus_diff_apply(). Fixes bug
      29824; bugfix on 0.3.1.1-alpha. This is Coverity warning
      CID 1444119.

  o Minor bugfixes (circuit isolation, backport from 0.4.1.3-alpha):
    - Fix a logic error that prevented the SessionGroup sub-option from
      being accepted. Fixes bug 22619; bugfix on 0.2.7.2-alpha.

  o Minor bugfixes (client, onion service v3, backport from 0.4.2.4-rc):
    - Fix a BUG() assertion that occurs within a very small race window
      between when a client intro circuit opens and when its descriptor
      gets cleaned up from the cache. The circuit is now closed early,
      which will trigger a re-fetch of the descriptor and continue the
      connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (clock skew detection, backport from 0.4.1.5):
    - Don't believe clock skew results from NETINFO cells that appear to
      arrive before we sent the VERSIONS cells they are responding to.
      Previously, we would accept them up to 3 minutes "in the past".
      Fixes bug 31343; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (compilation warning, backport from 0.4.1.5):
    - Fix a compilation warning on Windows about casting a function
      pointer for GetTickCount64(). Fixes bug 31374; bugfix
      on 0.2.9.1-alpha.

  o Minor bugfixes (compilation, backport from 0.4.0.2-alpha):
    - Silence a compiler warning in test-memwipe.c on OpenBSD. Fixes bug
      29145; bugfix on 0.2.9.3-alpha. Patch from Kris Katterjohn.

  o Minor bugfixes (compilation, backport from 0.4.1.5):
    - Avoid using labs() on time_t, which can cause compilation warnings
      on 64-bit Windows builds. Fixes bug 31343; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (compilation, backport from 0.4.2.1-alpha):
    - Suppress spurious float-conversion warnings from GCC when calling
      floating-point classifier functions on FreeBSD. Fixes part of bug
      31687; bugfix on 0.3.1.5-alpha.

  o Minor bugfixes (compilation, unusual configurations, backport from 0.4.1.1-alpha):
    - Avoid failures when building with the ALL_BUGS_ARE_FATAL option
      due to missing declarations of abort(), and prevent other such
      failures in the future. Fixes bug 30189; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (configuration, proxies, backport from 0.4.1.2-alpha):
    - Fix a bug that prevented us from supporting SOCKS5 proxies that
      want authentication along with configured (but unused!)
      ClientTransportPlugins. Fixes bug 29670; bugfix on 0.2.6.1-alpha.

  o Minor bugfixes (connections, backport from 0.4.2.3-rc):
    - Avoid trying to read data from closed connections, which can cause
      needless loops in Libevent and infinite loops in Shadow. Fixes bug
      30344; bugfix on 0.1.1.1-alpha.

  o Minor bugfixes (continuous integration, backport from 0.4.1.3-alpha):
    - Allow the test-stem job to fail in Travis, because it sometimes
      hangs. Fixes bug 30744; bugfix on 0.3.5.4-alpha.
    - Skip test_rebind on macOS in Travis, because it is unreliable on
      macOS on Travis. Fixes bug 30713; bugfix on 0.3.5.1-alpha.
    - Skip test_rebind when the TOR_SKIP_TEST_REBIND environment
      variable is set. Fixes bug 30713; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (crash on exit, backport from 0.4.1.4-rc):
    - Avoid a set of possible code paths that could try to use freed
      memory in routerlist_free() while Tor was exiting. Fixes bug
      31003; bugfix on 0.1.2.2-alpha.

  o Minor bugfixes (directory authorities, backport from 0.4.1.3-alpha):
    - Stop crashing after parsing an unknown descriptor purpose
      annotation. We think this bug can only be triggered by modifying a
      local file. Fixes bug 30781; bugfix on 0.2.0.8-alpha.

  o Minor bugfixes (directory authority, backport from 0.4.1.2-alpha):
    - Move the "bandwidth-file-headers" line in directory authority
      votes so that it conforms to dir-spec.txt. Fixes bug 30316; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (error handling, backport from 0.4.2.1-alpha):
    - On abort, try harder to flush the output buffers of log messages.
      On some platforms (macOS), log messages could be discarded when
      the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
    - Report the tor version whenever an assertion fails. Previously, we
      only reported the Tor version on some crashes, and some non-fatal
      assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (FreeBSD, PF-based proxy, IPv6, backport from 0.4.2.1-alpha):
    - When extracting an IPv6 address from a PF-based proxy, verify that
      we are actually configured to receive an IPv6 address, and log an
      internal error if not. Fixes part of bug 31687; bugfix
      on 0.2.3.4-alpha.

  o Minor bugfixes (guards, backport from 0.4.2.1-alpha):
    - When tor is missing descriptors for some primary entry guards,
      make the log message less alarming. It's normal for descriptors to
      expire, as long as tor fetches new ones soon after. Fixes bug
      31657; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.0.2-alpha):
    - Avoid logging that we are relaxing a circuit timeout when that
      timeout is fixed. Fixes bug 28698; bugfix on 0.2.4.7-alpha.

  o Minor bugfixes (logging, backport from 0.4.0.3-alpha):
    - Correct a misleading error message when IPv4Only or IPv6Only is
      used but the resolved address can not be interpreted as an address
      of the specified IP version. Fixes bug 13221; bugfix on
      0.2.3.9-alpha. Patch from Kris Katterjohn.
    - Log the correct port number for listening sockets when "auto" is
      used to let Tor pick the port number. Previously, port 0 was
      logged instead of the actual port number. Fixes bug 29144; bugfix
      on 0.3.5.1-alpha. Patch from Kris Katterjohn.
    - Stop logging a BUG() warning when Tor is waiting for exit
      descriptors. Fixes bug 28656; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.1.1-alpha):
    - Do not log a warning when running with an OpenSSL version other
      than the one Tor was compiled with, if the two versions should be
      compatible. Previously, we would warn whenever the version was
      different. Fixes bug 30190; bugfix on 0.2.4.2-alpha.

  o Minor bugfixes (logging, backport from 0.4.2.1-alpha):
    - Change log level of message "Hash of session info was not as
      expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (logging, backport from 0.4.2.2-alpha):
    - Rate-limit our the logging message about the obsolete .exit
      notation. Previously, there was no limit on this warning, which
      could potentially be triggered many times by a hostile website.
      Fixes bug 31466; bugfix on 0.2.2.1-alpha.

  o Minor bugfixes (logging, protocol violations, backport from 0.4.2.2-alpha):
    - Do not log a nonfatal assertion failure when receiving a VERSIONS
      cell on a connection using the obsolete v1 link protocol. Log a
      protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (mainloop, periodic events, in-process API, backport from 0.4.2.3-alpha):
    - Reset the periodic events' "enabled" flag when Tor is shut down
      cleanly. Previously, this flag was left on, which caused periodic
      events not to be re-enabled when Tor was relaunched in-process
      with tor_api.h after a shutdown. Fixes bug 32058; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (memory leak, backport from 0.4.1.1-alpha):
    - Avoid a minor memory leak that could occur on relays when failing
      to create a "keys" directory. Fixes bug 30148; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (memory leak, backport from 0.4.1.4-rc):
    - Fix a trivial memory leak when parsing an invalid value
      from a download schedule in the configuration. Fixes bug
      30894; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (memory management, backport from 0.4.0.3-alpha):
    - Refactor the shared random state's memory management so that it
      actually takes ownership of the shared random value pointers.
      Fixes bug 29706; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (memory management, testing, backport from 0.4.0.3-alpha):
    - Stop leaking parts of the shared random state in the shared-random
      unit tests. Fixes bug 29599; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (onion services, backport from 0.4.1.1-alpha):
    - Avoid a GCC 9.1.1 warning (and possible crash depending on libc
      implemenation) when failing to load an onion service client
      authorization file. Fixes bug 30475; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (out-of-memory handler, backport from 0.4.1.2-alpha):
    - When purging the DNS cache because of an out-of-memory condition,
      try purging just the older entries at first. Previously, we would
      always purge the whole thing. Fixes bug 29617; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (portability, backport from 0.4.1.2-alpha):
    - Avoid crashing in our tor_vasprintf() implementation on systems
      that define neither vasprintf() nor _vscprintf(). (This bug has
      been here long enough that we question whether people are running
      Tor on such systems, but we're applying the fix out of caution.)
      Fixes bug 30561; bugfix on 0.2.8.2-alpha. Found and fixed by
      Tobias Stoeckmann.

  o Minor bugfixes (relay, backport from 0.4.2.2-alpha):
    - Avoid crashing when starting with a corrupt keys directory where
      the old ntor key and the new ntor key are identical. Fixes bug
      30916; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (rust, backport from 0.4.0.5):
    - Abort on panic in all build profiles, instead of potentially
      unwinding into C code. Fixes bug 27199; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (rust, backport from 0.4.2.1-alpha):
    - Correctly exclude a redundant rust build job in Travis. Fixes bug
      31463; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (single onion services, backport from 0.4.0.3-alpha):
    - Allow connections to single onion services to remain idle without
      being disconnected. Previously, relays acting as rendezvous points
      for single onion services were mistakenly closing idle rendezvous
      circuits after 60 seconds, thinking that they were unused
      directory-fetching circuits that had served their purpose. Fixes
      bug 29665; bugfix on 0.2.1.26.

  o Minor bugfixes (stats, backport from 0.4.0.3-alpha):
    - When ExtraInfoStatistics is 0, stop including PaddingStatistics in
      relay and bridge extra-info documents. Fixes bug 29017; bugfix
      on 0.3.1.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.0.3-alpha):
    - Downgrade some LOG_ERR messages in the address/* tests to
      warnings. The LOG_ERR messages were occurring when we had no
      configured network. We were failing the unit tests, because we
      backported 28668 to 0.3.5.8, but did not backport 29530. Fixes bug
      29530; bugfix on 0.3.5.8.
    - Fix our gcov wrapper script to look for object files at the
      correct locations. Fixes bug 29435; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (testing, backport from 0.4.0.4-rc):
    - Backport the 0.3.4 src/test/test-network.sh to 0.2.9. We need a
      recent test-network.sh to use new chutney features in CI. Fixes
      bug 29703; bugfix on 0.2.9.1-alpha.
    - Fix a test failure on Windows caused by an unexpected "BUG"
      warning in our tests for tor_gmtime_r(-1). Fixes bug 29922; bugfix
      on 0.2.9.3-alpha.

  o Minor bugfixes (testing, backport from 0.4.2.3-alpha):
    - When testing port rebinding, don't busy-wait for tor to log.
      Instead, actually sleep for a short time before polling again.
      Also improve the formatting of control commands and log messages.
      Fixes bug 31837; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (TLS protocol, backport form 0.4.0.4-rc):
    - When classifying a client's selection of TLS ciphers, if the
      client ciphers are not yet available, do not cache the result.
      Previously, we had cached the unavailability of the cipher list
      and never looked again, which in turn led us to assume that the
      client only supported the ancient V1 link protocol. This, in turn,
      was causing Stem integration tests to stall in some cases. Fixes
      bug 30021; bugfix on 0.2.4.8-alpha.

  o Minor bugfixes (tls, logging, backport from 0.4.2.3-alpha):
    - Log bugs about the TLS read buffer's length only once, rather than
      filling the logs with similar warnings. Fixes bug 31939; bugfix
      on 0.3.0.4-rc.

  o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha):
    - Always retry v2 single onion service intro and rend circuits with
      a 3-hop path. Previously, v2 single onion services used a 3-hop
      path when rendezvous circuits were retried after a remote or
      delayed failure, but a 1-hop path for immediate retries. Fixes bug
      23818; bugfix on 0.2.9.3-alpha.
    - Make v3 single onion services fall back to a 3-hop intro, when all
      intro points are unreachable via a 1-hop path. Previously, v3
      single onion services failed when all intro nodes were unreachable
      via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (Windows, CI, backport from 0.4.0.3-alpha):
    - Skip the Appveyor 32-bit Windows Server 2016 job, and 64-bit
      Windows Server 2012 R2 job. The remaining 2 jobs still provide
      coverage of 64/32-bit, and Windows Server 2016/2012 R2. Also set
      fast_finish, so failed jobs terminate the build immediately. Fixes
      bug 29601; bugfix on 0.3.5.4-alpha.

  o Documentation (backport from 0.4.2.1-alpha):
    - Use RFC 2397 data URL scheme to embed an image into tor-exit-
      notice.html so that operators no longer have to host it
      themselves. Closes ticket 31089.

  o Testing (backport from 0.4.1.2-alpha):
    - Specify torrc paths (with empty files) when launching tor in
      integration tests; refrain from reading user and system torrcs.
      Resolves issue 29702.

  o Testing (continuous integration, backport from 0.4.1.1-alpha):
    - In Travis, show stem's tor log after failure. Closes ticket 30234.

  o Testing (continuous integration, backport from 0.4.1.5):
    - In Travis, make stem log a controller trace to the console, and
      tail stem's tor log after failure. Closes ticket 30591.
    - In Travis, only run the stem tests that use a tor binary. Closes
      ticket 30694.

  o Testing (continuous integration, backport from 0.4.2.3-alpha):
    - Disable all but one Travis CI macOS build, to mitigate slow
      scheduling of Travis macOS jobs. Closes ticket 32177.
    - Run the chutney IPv6 networks as part of Travis CI. Closes
      ticket 30860.
    - Simplify the Travis CI build matrix, and optimise for build time.
      Closes ticket 31859.
    - Use Windows Server 2019 instead of Windows Server 2016 in our
      Appveyor builds. Closes ticket 32086.

  o Testing (continuous integration, backport from 0.4.2.4-rc):
    - Use Ubuntu Bionic images for our Travis CI builds, so we can get a
      recent version of coccinelle. But leave chutney on Ubuntu Trusty,
      until we can fix some Bionic permissions issues (see ticket
      32240). Related to ticket 31919.
    - Install the mingw OpenSSL package in Appveyor. This makes sure
      that the OpenSSL headers and libraries match in Tor's Appveyor
      builds. (This bug was triggered by an Appveyor image update.)
      Fixes bug 32449; bugfix on 0.3.5.6-rc.
    - In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.

  o Testing (continuous integration, backport from 0.4.2.5):
    - Require C99 standards-conforming code in Travis CI, but allow GNU gcc
      extensions. Also activates clang's -Wtypedef-redefinition warnings.
      Build some jobs with -std=gnu99, and some jobs without.
      Closes ticket 32500.

1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
Changes in version 0.4.2.4-rc - 2019-11-15
  Tor 0.4.2.4-rc is the first release candidate in its series. It fixes
  several bugs from earlier versions, including a few that would result in
  stack traces or incorrect behavior.

  o Minor features (build system):
    - Make pkg-config use --prefix when cross-compiling, if
      PKG_CONFIG_PATH is not set. Closes ticket 32191.

  o Minor features (geoip):
    - Update geoip and geoip6 to the November 6 2019 Maxmind GeoLite2
      Country database. Closes ticket 32440.

  o Minor bugfixes (client, onion service v3):
    - Fix a BUG() assertion that occurs within a very small race window
      between when a client intro circuit opens and when its descriptor
      gets cleaned up from the cache. The circuit is now closed early,
      which will trigger a re-fetch of the descriptor and continue the
      connection. Fixes bug 28970; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (code quality):
    - Fix "make check-includes" so it runs correctly on out-of-tree
      builds. Fixes bug 31335; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (configuration):
    - Log the option name when skipping an obsolete option. Fixes bug
      32295; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (crash):
    - When running Tor with an option like --verify-config or
      --dump-config that does not start the event loop, avoid crashing
      if we try to exit early because of an error. Fixes bug 32407;
      bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (directory):
    - When checking if a directory connection is anonymous, test if the
      circuit was marked for close before looking at its channel. This
      avoids a BUG() stacktrace if the circuit was previously closed.
      Fixes bug 31958; bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (shellcheck):
    - Fix minor shellcheck errors in the git-*.sh scripts. Fixes bug
      32402; bugfix on 0.4.2.1-alpha.
    - Start checking most scripts for shellcheck errors again. Fixes bug
      32402; bugfix on 0.4.2.1-alpha.

  o Testing (continuous integration):
    - Use Ubuntu Bionic images for our Travis CI builds, so we can get a
      recent version of coccinelle. But leave chutney on Ubuntu Trusty,
      until we can fix some Bionic permissions issues (see ticket
      32240). Related to ticket 31919.
    - Install the mingw OpenSSL package in Appveyor. This makes sure
      that the OpenSSL headers and libraries match in Tor's Appveyor
      builds. (This bug was triggered by an Appveyor image update.)
      Fixes bug 32449; bugfix on 0.3.5.6-rc.
    - In Travis, use Xcode 11.2 on macOS 10.14. Closes ticket 32241.


1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
Changes in version 0.4.2.3-alpha - 2019-10-24
  This release fixes several bugs from the previous alpha release, and
  from earlier versions of Tor.

  o Major bugfixes (relay):
    - Relays now respect their AccountingMax bandwidth again. When
      relays entered "soft" hibernation (which typically starts when
      we've hit 90% of our AccountingMax), we had stopped checking
      whether we should enter hard hibernation. Soft hibernation refuses
      new connections and new circuits, but the existing circuits can
      continue, meaning that relays could have exceeded their configured
      AccountingMax. Fixes bug 32108; bugfix on 0.4.0.1-alpha.

  o Major bugfixes (v3 onion services):
    - Onion services now always use the exact number of intro points
      configured with the HiddenServiceNumIntroductionPoints option (or
      fewer if nodes are excluded). Before, a service could sometimes
      pick more intro points than configured. Fixes bug 31548; bugfix
      on 0.3.2.1-alpha.

  o Minor feature (onion services, control port):
    - The ADD_ONION command's keyword "BEST" now defaults to ED25519-V3
      (v3) onion services. Previously it defaulted to RSA1024 (v2).
      Closes ticket 29669.

  o Minor features (testing):
    - When running tests that attempt to look up hostnames, replace the
      libc name lookup functions with ones that do not actually touch
      the network. This way, the tests complete more quickly in the
      presence of a slow or missing DNS resolver. Closes ticket 31841.

  o Minor features (testing, continuous integration):
    - Disable all but one Travis CI macOS build, to mitigate slow
      scheduling of Travis macOS jobs. Closes ticket 32177.
    - Run the chutney IPv6 networks as part of Travis CI. Closes
      ticket 30860.
    - Simplify the Travis CI build matrix, and optimise for build time.
      Closes ticket 31859.
    - Use Windows Server 2019 instead of Windows Server 2016 in our
      Appveyor builds. Closes ticket 32086.

  o Minor bugfixes (build system):
    - Interpret "--disable-module-dirauth=no" correctly. Fixes bug
      32124; bugfix on 0.3.4.1-alpha.
    - Interpret "--with-tcmalloc=no" correctly. Fixes bug 32124; bugfix
      on 0.2.0.20-rc.
    - Stop failing when jemalloc is requested, but tcmalloc is not
      found. Fixes bug 32124; bugfix on 0.3.5.1-alpha.
    - When pkg-config is not installed, or a library that depends on
      pkg-config is not found, tell the user what to do to fix the
      problem. Fixes bug 31922; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (connections):
    - Avoid trying to read data from closed connections, which can cause
      needless loops in Libevent and infinite loops in Shadow. Fixes bug
      30344; bugfix on 0.1.1.1-alpha.

  o Minor bugfixes (error handling):
    - Always lock the backtrace buffer before it is used. Fixes bug
      31734; bugfix on 0.2.5.3-alpha.

  o Minor bugfixes (mainloop, periodic events, in-process API):
    - Reset the periodic events' "enabled" flag when Tor is shut down
      cleanly. Previously, this flag was left on, which caused periodic
      events not to be re-enabled when Tor was relaunched in-process
      with tor_api.h after a shutdown. Fixes bug 32058; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (process management):
    - Remove overly strict assertions that triggered when a pluggable
      transport failed to launch. Fixes bug 31091; bugfix
      on 0.4.0.1-alpha.
    - Remove an assertion in the Unix process backend. This assertion
      would trigger when we failed to find the executable for a child
      process. Fixes bug 31810; bugfix on 0.4.0.1-alpha.

  o Minor bugfixes (testing):
    - Avoid intermittent test failures due to a test that had relied on
      inconsistent timing sources. Fixes bug 31995; bugfix
      on 0.3.1.3-alpha.
    - When testing port rebinding, don't busy-wait for tor to log.
      Instead, actually sleep for a short time before polling again.
      Also improve the formatting of control commands and log messages.
      Fixes bug 31837; bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (tls, logging):
    - Log bugs about the TLS read buffer's length only once, rather than
      filling the logs with similar warnings. Fixes bug 31939; bugfix
      on 0.3.0.4-rc.

  o Minor bugfixes (v3 onion services):
    - Fix an implicit conversion from ssize_t to size_t discovered by
      Coverity. Fixes bug 31682; bugfix on 0.4.2.1-alpha.
    - Fix a memory leak in an unlikely error code path when encoding HS
      DoS establish intro extension cell. Fixes bug 32063; bugfix
      on 0.4.2.1-alpha.
    - When cleaning up intro circuits for a v3 onion service, don't
      remove circuits that have an established or pending circuit, even
      if they ran out of retries. This way, we don't remove a circuit on
      its last retry. Fixes bug 31652; bugfix on 0.3.2.1-alpha.

  o Documentation:
    - Correct the description of "GuardLifetime". Fixes bug 31189;
      bugfix on 0.3.0.1-alpha.
    - Make clear in the man page, in both the bandwidth section and the
      AccountingMax section, that Tor counts in powers of two, not
      powers of ten: 1 GByte is 1024*1024*1024 bytes, not one billion
      bytes. Resolves ticket 32106.


1665
Changes in version 0.4.2.2-alpha - 2019-10-07
1666
1667
1668
  This release fixes several bugs from the previous alpha release, and
  from earlier versions. It also includes a change in authorities, so
  that they begin to reject the currently unsupported release series.
1669

1670
1671
1672
1673
1674
  o Major features (directory authorities):
    - Directory authorities now reject relays running all currently
      deprecated release series. The currently supported release series
      are: 0.2.9, 0.3.5, 0.4.0, 0.4.1, and 0.4.2. Closes ticket 31549.

1675
1676
1677
1678
1679
  o Major bugfixes (embedded Tor):
    - Avoid a possible crash when restarting Tor in embedded mode and
      enabling a different set of publish/subscribe messages. Fixes bug
      31898; bugfix on 0.4.1.1-alpha.

1680
  o Major bugfixes (torrc parsing):
1681
    - Stop ignoring torrc options after an %include directive, when the
Nick Mathewson's avatar
Nick Mathewson committed
1682
      included directory ends with a file that does not contain any
1683
      config options (but does contain comments or whitespace). Fixes
Nick Mathewson's avatar
Nick Mathewson committed
1684
      bug 31408; bugfix on 0.3.1.1-alpha.
1685
1686

  o Minor features (auto-formatting scripts):
Nick Mathewson's avatar
Nick Mathewson committed
1687
1688
    - When annotating C macros, never generate a line that our check-
      spaces script would reject. Closes ticket 31759.
1689
1690
1691
1692
    - When annotating C macros, try to remove cases of double-negation.
      Closes ticket 31779.

  o Minor features (continuous integration):
1693
1694
1695
    - When building on Appveyor and Travis, pass the "-k" flag to make,
      so that we are informed of all compilation failures, not just the
      first one or two. Closes ticket 31372.
1696
1697
1698
1699
1700
1701

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 1 2019 Maxmind GeoLite2
      Country database. Closes ticket 31931.

  o Minor features (maintenance scripts):
1702
    - Add a Coccinelle script to detect bugs caused by incrementing or
Nick Mathewson's avatar
Nick Mathewson committed
1703
1704
1705
1706
1707
      decrementing a variable inside a call to log_debug(). Since
      log_debug() is a macro whose arguments are conditionally
      evaluated, it is usually an error to do this. One such bug was
      30628, in which SENDME cells were miscounted by a decrement
      operator inside a log_debug() call. Closes ticket 30743.
1708
1709
1710

  o Minor features (onion services v3):
    - Assist users who try to setup v2 client authorization in v3 onion
Nick Mathewson's avatar
Nick Mathewson committed
1711
1712
      services by pointing them to the right documentation. Closes
      ticket 28966.
1713

1714
  o Minor bugfixes (Appveyor continuous integration):
Nick Mathewson's avatar
Nick Mathewson committed
1715
1716
    - Avoid spurious errors when Appveyor CI fails before the install
      step. Fixes bug 31884; bugfix on 0.3.4.2-alpha.
1717
1718

  o Minor bugfixes (best practices tracker):
Nick Mathewson's avatar
Nick Mathewson committed
1719
1720
    - When listing overbroad exceptions, do not also list problems, and
      do not list insufficiently broad exceptions. Fixes bug 31338;
1721
1722
1723
1724
      bugfix on 0.4.2.1-alpha.

  o Minor bugfixes (controller protocol):
    - Fix the MAPADDRESS controller command to accept one or more
Nick Mathewson's avatar
Nick Mathewson committed
1725
1726
      arguments. Previously, it required two or more arguments, and
      ignored the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.
1727
1728

  o Minor bugfixes (logging):
Nick Mathewson's avatar
Nick Mathewson committed
1729
1730
1731
1732
1733
1734
1735
1736
    - Add a missing check for HAVE_PTHREAD_H, because the backtrace code
      uses mutexes. Fixes bug 31614; bugfix on 0.2.5.2-alpha.
    - Disable backtrace signal handlers when shutting down tor. Fixes
      bug 31614; bugfix on 0.2.5.2-alpha.
    - Rate-limit our the logging message about the obsolete .exit
      notation. Previously, there was no limit on this warning, which
      could potentially be triggered many times by a hostile website.
      Fixes bug 31466; bugfix on 0.2.2.1-alpha.
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
    - When initialising log domain masks, only set known log domains.
      Fixes bug 31854; bugfix on 0.2.1.1-alpha.

  o Minor bugfixes (logging, protocol violations):
    - Do not log a nonfatal assertion failure when receiving a VERSIONS
      cell on a connection using the obsolete v1 link protocol. Log a
      protocol_warn instead. Fixes bug 31107; bugfix on 0.2.4.4-alpha.

  o Minor bugfixes (modules):
    - Explain what the optional Directory Authority module is, and what
Nick Mathewson's avatar
Nick Mathewson committed
1747
1748
      happens when it is disabled. Fixes bug 31825; bugfix
      on 0.3.4.1-alpha.
1749
1750

  o Minor bugfixes (multithreading):
Nick Mathewson's avatar
Nick Mathewson committed
1751
1752
    - Avoid some undefined behaviour when freeing mutexes. Fixes bug
      31736; bugfix on 0.0.7.
1753
1754
1755

  o Minor bugfixes (relay):
    - Avoid crashing when starting with a corrupt keys directory where
Nick Mathewson's avatar
Nick Mathewson committed
1756
1757
      the old ntor key and the new ntor key are identical. Fixes bug
      30916; bugfix on 0.2.4.8-alpha.
1758
1759

  o Minor bugfixes (tests, SunOS):
Nick Mathewson's avatar
Nick Mathewson committed
1760
1761
    - Avoid a map_anon_nofork test failure due to a signed/unsigned
      integer comparison. Fixes bug 31897; bugfix on 0.4.1.1-alpha.
1762
1763

  o Code simplification and refactoring:
Nick Mathewson's avatar
Nick Mathewson committed
1764
1765
    - Refactor connection_control_process_inbuf() to reduce the size of
      a practracker exception. Closes ticket 31840.
1766
    - Refactor the microdescs_parse_from_string() function into smaller
Nick Mathewson's avatar
Nick Mathewson committed
1767
      pieces, for better comprehensibility. Closes ticket 31675.
1768
    - Use SEVERITY_MASK_IDX() to find the LOG_* mask indexes in the unit
Nick Mathewson's avatar
Nick Mathewson committed
1769
1770
      tests and fuzzers, rather than using hard-coded values. Closes
      ticket 31334.
1771
1772
    - Interface for function `decrypt_desc_layer` cleaned up. Closes
      ticket 31589.
1773
1774

  o Documentation:
Nick Mathewson's avatar
Nick Mathewson committed
1775
1776
1777
1778
1779
    - Document the signal-safe logging behaviour in the tor man page.
      Also add some comments to the relevant functions. Closes
      ticket 31839.
    - Explain why we can't destroy the backtrace buffer mutex. Explain
      why we don't need to destroy the log mutex. Closes ticket 31736.
1780
1781
1782
    - The Tor source code repository now includes a (somewhat dated)
      description of Tor's modular architecture, in doc/HACKING/design.
      This is based on the old "tor-guts.git" repository, which we are
Nick Mathewson's avatar
Nick Mathewson committed
1783
1784
      adopting and superseding. Closes ticket 31849.

1785

1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
Changes in version 0.4.1.6 - 2019-09-19
  This release backports several bugfixes to improve stability and
  correctness.  Anyone experiencing build problems or crashes with 0.4.1.5,
  or experiencing reliability issues with single onion services, should
  upgrade.

  o Major bugfixes (crash, Linux, Android, backport from 0.4.2.1-alpha):
    - Tolerate systems (including some Android installations) where
      madvise and MADV_DONTDUMP are available at build-time, but not at
      run time. Previously, these systems would notice a failed syscall
      and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
    - Tolerate systems (including some Linux installations) where
      madvise and/or MADV_DONTFORK are available at build-time, but not
      at run time. Previously, these systems would notice a failed
      syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.

  o Minor features (stem tests, backport from 0.4.2.1-alpha):
    - Change "make test-stem" so it only runs the stem tests that use
      tor. This change makes test-stem faster and more reliable. Closes
      ticket 31554.

  o Minor bugfixes (build system, backport form 0.4.2.1-alpha):
    - Do not include the deprecated <sys/sysctl.h> on Linux or Windows
      systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.

  o Minor bugfixes (compilation, backport from 0.4.2.1-alpha):
    - Add more stub functions to fix compilation on Android with link-
      time optimization when --disable-module-dirauth is used.
      Previously, these compilation settings would make the compiler
      look for functions that didn't exist. Fixes bug 31552; bugfix
      on 0.4.1.1-alpha.
    - Suppress spurious float-conversion warnings from GCC when calling
      floating-point classifier functions on FreeBSD. Fixes part of bug
      31687; bugfix on 0.3.1.5-alpha.

  o Minor bugfixes (controller protocol):
    - Fix the MAPADDRESS controller command to accept one or more
      arguments. Previously, it required two or more arguments, and ignored
      the first. Fixes bug 31772; bugfix on 0.4.1.1-alpha.

1826
1827
1828
1829
1830
1831
  o Minor bugfixes (FreeBSD, PF-based proxy, IPv6, backport from 0.4.2.1-alpha):
    - When extracting an IPv6 address from a PF-based proxy, verify that
      we are actually configured to receive an IPv6 address, and log an
      internal error if not. Fixes part of bug 31687; bugfix
      on 0.2.3.4-alpha.

1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
  o Minor bugfixes (guards, backport from 0.4.2.1-alpha):
    - When tor is missing descriptors for some primary entry guards,
      make the log message less alarming. It's normal for descriptors to
      expire, as long as tor fetches new ones soon after. Fixes bug
      31657; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (logging, backport from 0.4.2.1-alpha):
    - Change log level of message "Hash of session info was not as
      expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
      on 0.1.1.10-alpha.

  o Minor bugfixes (rust, backport from 0.4.2.1-alpha):
    - Correctly exclude a redundant rust build job in Travis. Fixes bug
      31463; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (v2 single onion services, backport from 0.4.2.1-alpha):
    - Always retry v2 single onion service intro and rend circuits with
      a 3-hop path. Previously, v2 single onion services used a 3-hop
      path when rendezvous circuits were retried after a remote or
      delayed failure, but a 1-hop path for immediate retries. Fixes bug
      23818; bugfix on 0.2.9.3-alpha.

  o Minor bugfixes (v3 single onion services, backport from 0.4.2.1-alpha):
    - Always retry v3 single onion service intro and rend circuits with
      a 3-hop path. Previously, v3 single onion services used a 3-hop
      path when rend circuits were retried after a remote or delayed
      failure, but a 1-hop path for immediate retries. Fixes bug 23818;
      bugfix on 0.3.2.1-alpha.
    - Make v3 single onion services fall back to a 3-hop intro, when all
      intro points are unreachable via a 1-hop path. Previously, v3
      single onion services failed when all intro nodes were unreachable
      via a 1-hop path. Fixes bug 23507; bugfix on 0.3.2.1-alpha.

  o Documentation (backport from 0.4.2.1-alpha):
    - Use RFC 2397 data URL scheme to embed an image into tor-exit-
      notice.html so that operators no longer have to host it
      themselves. Closes ticket 31089.


1871
Changes in version 0.4.2.1-alpha - 2019-09-17
1872
1873
1874
1875
  This is the first alpha release in the 0.4.2.x series. It adds new
  defenses for denial-of-service attacks against onion services. It also
  includes numerous kinds of bugfixes and refactoring to help improve
  Tor's stability and ease of development.
1876

1877
  o Major features (onion service v3, denial of service):
1878
1879
1880
    - Add onion service introduction denial of service defenses. Intro
      points can now rate-limit client introduction requests, using
      parameters that can be sent by the service within the
1881
1882
1883
      ESTABLISH_INTRO cell. If the cell extension for this is not used,
      the intro point will honor the consensus parameters. Closes
      ticket 30924.
1884
1885

  o Major bugfixes (circuit build, guard):
1886
    - When considering upgrading circuits from "waiting for guard" to
1887
1888
1889
1890
1891
      "open", always ignore circuits that are marked for close.
      Previously we could end up in the situation where a subsystem is
      notified of a circuit opening, but the circuit is still marked for
      close, leading to undesirable behavior. Fixes bug 30871; bugfix
      on 0.3.0.1-alpha.
1892

1893
  o Major bugfixes (crash, Linux, Android):
1894
1895
1896
1897
1898
1899
1900
1901
    - Tolerate systems (including some Android installations) where
      madvise and MADV_DONTDUMP are available at build-time, but not at
      run time. Previously, these systems would notice a failed syscall
      and abort. Fixes bug 31570; bugfix on 0.4.1.1-alpha.
    - Tolerate systems (including some Linux installations) where
      madvise and/or MADV_DONTFORK are available at build-time, but not
      at run time. Previously, these systems would notice a failed
      syscall and abort. Fixes bug 31696; bugfix on 0.4.1.1-alpha.
1902
1903

  o Minor features (best practices tracker):
1904
    - Our best-practices tracker now integrates with our include-checker
1905
1906
1907
      tool to keep track of how many layering violations we have not yet
      fixed. We hope to reduce this number over time to improve Tor's
      modularity. Closes ticket 31176.
1908
1909
1910
1911
    - Add a TOR_PRACTRACKER_OPTIONS variable for passing arguments to
      practracker from the environment. We may want this for continuous
      integration. Closes ticket 31309.
    - Give a warning rather than an error when a practracker exception
1912
      is violated by a small amount, add a --list-overbroad option to
1913
1914
      practracker that lists exceptions that are stricter than they need
      to be, and provide an environment variable for disabling
1915
1916
1917
      practracker. Closes ticket 30752.
    - Our best-practices tracker now looks at headers as well as C
      files. Closes ticket 31175.
1918
1919

  o Minor features (build system):
1920
1921
1922
    - Add --disable-manpage and --disable-html-manual options to
      configure script. This will enable shortening build times by not
      building documentation. Resolves issue 19381.
1923
1924

  o Minor features (compilation):
1925
1926
1927
    - Log a more useful error message when we are compiling and one of
      the compile-time hardening options we have selected can be linked
      but not executed. Closes ticket 27530.
1928
1929
1930
1931
1932

  o Minor features (configuration):
    - The configuration code has been extended to allow splitting
      configuration data across multiple objects. Previously, all
      configuration data needed to be kept in a single object, which
1933
      tended to become bloated. Closes ticket 31240.
1934
1935

  o Minor features (continuous integration):
1936
    - When running CI builds on Travis, put some random data in
1937
1938
      ~/.torrc, to make sure no tests are reading the Tor configuration
      file from its default location. Resolves issue 30102.
1939
1940
1941

  o Minor features (debugging):
    - Log a nonfatal assertion failure if we encounter a configuration
1942
1943
1944
      line whose command is "CLEAR" but which has a nonempty value. This
      should be impossible, according to the rules of our configuration
      line parsing. Closes ticket 31529.
1945
1946

  o Minor features (git hooks):
1947
1948
1949
1950
1951
    - Our pre-commit git hook now checks for a special file before
      running practracker, so that practracker only runs on branches
      that are based on master. Since the pre-push hook calls the pre-
      commit hook, practracker will also only run before pushes of
      branches based on master. Closes ticket 30979.
1952
1953

  o Minor features (git scripts):
1954
1955
1956
1957
1958
    - Add a "--" command-line argument, to separate git-push-all.sh
      script arguments from arguments that are passed through to git
      push. Closes ticket 31314.
    - Add a -r <remote-name> argument to git-push-all.sh, so the script
      can push test branches to a personal remote. Closes ticket 31314.
1959
    - Add a -t <test-branch-prefix> argument to git-merge-forward.sh and
1960
1961
1962
1963
      git-push-all.sh, which makes these scripts create, merge forward,
      and push test branches. Closes ticket 31314.
    - Add a -u argument to git-merge-forward.sh, so that the script can
      re-use existing test branches after a merge failure and fix.
1964
      Closes ticket 31314.
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
    - Add a TOR_GIT_PUSH env var, which sets the default git push
      command and arguments for git-push-all.sh. Closes ticket 31314.
    - Add a TOR_PUSH_DELAY variable to git-push-all.sh, which makes the
      script push master and maint branches with a delay between each
      branch. These delays trigger the CI jobs in a set order, which
      should show the most likely failures first. Also make pushes
      atomic by default, and make the script pass any command-line
      arguments to git push. Closes ticket 29879.
    - Call the shellcheck script from the pre-commit hook. Closes
      ticket 30967.
1975
    - Skip pushing test branches that are the same as a remote
1976
1977
1978
      maint/release/master branch in git-push-all.sh by default. Add a
      -s argument, so git-push-all.sh can push all test branches. Closes
      ticket 31314.
1979
1980

  o Minor features (IPv6, logging):
1981
    - Log IPv6 addresses as well as IPv4 addresses when describing
1982
1983
      routerinfos, routerstatuses, and nodes. Closes ticket 21003.

1984
  o Minor features (onion service v3):
1985
    - Do not allow single hop clients to fetch or post an HS descriptor
1986
1987
1988
1989
1990
      from an HSDir. Closes ticket 24964.

  o Minor features (onion service):
    - Disallow single-hop clients at the introduction point. We've
      removed Tor2web support a while back and single-hop rendezvous
1991
      attempts are blocked at the relays. This change should remove load
1992
1993
      off the network from spammy clients. Close ticket 24963.

1994
  o Minor features (stem tests):
1995
1996
1997
    - Change "make test-stem" so it only runs the stem tests that use
      tor. This change makes test-stem faster and more reliable. Closes
      ticket 31554.
1998
1999

  o Minor features (testing):
2000
2001
2002
2003
2004
    - Add a script to invoke "tor --dump-config" and "tor
      --verify-config" with various configuration options, and see
      whether tor's resulting configuration or error messages are what
      we expect. Use it for integration testing of our +Option and
      /Option flags. Closes ticket 31637.
2005
2006
    - Improve test coverage for our existing configuration parsing and
      management API. Closes ticket 30893.
2007
2008
    - Add integration tests to make sure that practracker gives the
      outputs we expect. Closes ticket 31477.
2009
2010
2011
2012
2013
2014
    - The practracker self-tests are now run as part of the Tor test
      suite. Closes ticket 31304.

  o Minor features (token bucket):
    - Implement a generic token bucket that uses a single counter, for
      use in anti-DoS onion service work. Closes ticket 30687.
2015
2016

  o Minor bugfixes (best practices tracker):
2017
2018
2019
    - Fix a few issues in the best-practices script, including tests,
      tab tolerance, error reporting, and directory-exclusion logic.
      Fixes bug 29746; bugfix on 0.4.1.1-alpha.
2020
2021
2022
2023
2024
2025
2026
2027
    - When running check-best-practices, only consider files in the src
      subdirectory. Previously we had recursively considered all
      subdirectories, which made us get confused by the temporary
      directories made by "make distcheck". Fixes bug 31578; bugfix
      on 0.4.1.1-alpha.

  o Minor bugfixes (build system):
    - Do not include the deprecated <sys/sysctl.h> on Linux or Windows
2028
      systems. Fixes bug 31673; bugfix on 0.2.5.4-alpha.
2029
2030

  o Minor bugfixes (chutney, makefiles, documentation):
2031
    - "make test-network-all" now shows the warnings from each test-
2032
      network.sh run on the console, so developers see new warnings
2033
2034
2035
      early. We've also improved the documentation for this feature, and
      renamed a Makefile variable so the code is self-documenting. Fixes
      bug 30455; bugfix on 0.3.0.4-rc.
2036
2037

  o Minor bugfixes (compilation):
2038
2039
2040
2041
2042
    - Add more stub functions to fix compilation on Android with link-
      time optimization when --disable-module-dirauth is used.
      Previously, these compilation settings would make the compiler
      look for functions that didn't exist. Fixes bug 31552; bugfix
      on 0.4.1.1-alpha.
2043
    - Suppress spurious float-conversion warnings from GCC when calling
Nick Mathewson's avatar
Nick Mathewson committed
2044
      floating-point classifier functions on FreeBSD. Fixes part of bug
2045
      31687; bugfix on 0.3.1.5-alpha.
2046
2047
2048

  o Minor bugfixes (configuration):
    - Invalid floating-point values in the configuration file are now
2049
2050
      treated as errors in the configuration. Previously, they were
      ignored and treated as zero. Fixes bug 31475; bugfix on 0.0.1.
2051

2052
  o Minor bugfixes (coverity):
2053
2054
2055
2056
2057
2058
2059
2060
2061
    - Add an assertion when parsing a BEGIN cell so that coverity can be
      sure that we are not about to dereference a NULL address. Fixes
      bug 31026; bugfix on 0.2.4.7-alpha. This is CID 1447296.
    - In our siphash implementation, when building for coverity, use
      memcpy in place of a switch statement, so that coverity can tell
      we are not accessing out-of-bounds memory. Fixes bug 31025; bugfix
      on 0.2.8.1-alpha. This is tracked as CID 1447293 and 1447295.
    - Fix several coverity warnings from our unit tests. Fixes bug
      31030; bugfix on 0.2.4.1-alpha, 0.3.2.1-alpha, and 0.4.0.1-alpha.
2062
2063

  o Minor bugfixes (developer tooling):
2064
2065
2066
    - Only log git script changes in the post-merge script when the
      merge was to the master branch. Fixes bug 31040; bugfix
      on 0.4.1.1-alpha.
2067
2068

  o Minor bugfixes (directory authorities):
2069
2070
    - Return a distinct status when formatting annotations fails. Fixes
      bug 30780; bugfix on 0.2.0.8-alpha.
2071
2072

  o Minor bugfixes (error handling):
2073
    - On abort, try harder to flush the output buffers of log messages.
2074
2075
      On some platforms (macOS), log messages could be discarded when
      the process terminates. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
2076
2077
2078
    - Report the tor version whenever an assertion fails. Previously, we
      only reported the Tor version on some crashes, and some non-fatal
      assertions. Fixes bug 31571; bugfix on 0.3.5.1-alpha.
2079
2080
    - When tor aborts due to an error, close log file descriptors before
      aborting. Closing the logs makes some OSes flush log file buffers,
2081
2082
      rather than deleting buffered log lines. Fixes bug 31594; bugfix
      on 0.2.5.2-alpha.
2083

2084
  o Minor bugfixes (FreeBSD, PF-based proxy, IPv6):
Nick Mathewson's avatar
Nick Mathewson committed
2085
2086
2087
2088
    - When extracting an IPv6 address from a PF-based proxy, verify that
      we are actually configured to receive an IPv6 address, and log an
      internal error if not. Fixes part of bug 31687; bugfix
      on 0.2.3.4-alpha.
2089

2090
  o Minor bugfixes (git hooks):
2091
2092
    - Remove a duplicate call to practracker from the pre-push hook. The
      pre-push hook already calls the pre-commit hook, which calls
2093
2094
2095
2096
2097
2098
      practracker. Fixes bug 31462; bugfix on 0.4.1.1-alpha.

  o Minor bugfixes (git scripts):
    - Stop hard-coding the bash path in the git scripts. Some OSes don't
      have bash in /usr/bin, others have an ancient bash at this path.
      Fixes bug 30840; bugfix on 0.4.0.1-alpha.
2099
2100
    - Stop hard-coding the tor master branch name and worktree path in
      the git scripts. Fixes bug 30841; bugfix on 0.4.0.1-alpha.
2101
2102
2103
    - Allow git-push-all.sh to be run from any directory. Previously,
      the script only worked if run from an upstream worktree directory.
      Closes ticket 31678.
2104
2105

  o Minor bugfixes (guards):
2106
2107
2108
2109
    - When tor is missing descriptors for some primary entry guards,
      make the log message less alarming. It's normal for descriptors to
      expire, as long as tor fetches new ones soon after. Fixes bug
      31657; bugfix on 0.3.3.1-alpha.
2110
2111

  o Minor bugfixes (ipv6):
2112
    - Check for private IPv6 addresses alongside their IPv4 equivalents
2113
2114
2115
2116
2117
2118
2119
2120
      when authorities check descriptors. Previously, we only checked
      for private IPv4 addresses. Fixes bug 31088; bugfix on
      0.2.3.21-rc. Patch by Neel Chauhan.
    - When parsing microdescriptors, we should check the IPv6 exit
      policy alongside IPv4. Previously, we checked both exit policies
      for only router info structures, while microdescriptors were
      IPv4-only. Fixes bug 27284; bugfix on 0.2.3.1-alpha. Patch by
      Neel Chauhan.
2121
2122

  o Minor bugfixes (logging):
2123
2124
2125
2126
2127
2128
    - Change log level of message "Hash of session info was not as
      expected" to LOG_PROTOCOL_WARN. Fixes bug 12399; bugfix
      on 0.1.1.10-alpha.
    - Fix a code issue that would have broken our parsing of log domains
      as soon as we had 33 of them. Fortunately, we still only have 29.
      Fixes bug 31451; bugfix on 0.4.1.4-rc.
2129
2130
2131

  o Minor bugfixes (memory management):
    - Stop leaking a small amount of memory in nt_service_install(), in
2132
2133
      unreachable code. Fixes bug 30799; bugfix on 0.2.0.7-alpha. Patch
      by Xiaoyin Liu.
2134
2135

  o Minor bugfixes (networking, IP addresses):
2136
    - When parsing addresses via Tor's internal DNS lookup API, reject
2137
2138
2139
2140
2141
      IPv4 addresses in square brackets, and accept IPv6 addresses in
      square brackets. This change completes the work started in 23082,
      making address parsing consistent between tor's internal DNS
      lookup and address parsing APIs. Fixes bug 30721; bugfix
      on 0.2.1.5-alpha.
2142
    - When parsing addresses via Tor's internal address:port parsing and
2143
      DNS lookup APIs, require IPv6 addresses with ports to have square
2144
2145
2146
      brackets. But allow IPv6 addresses without ports, whether or not
      they have square brackets. Fixes bug 30721; bugfix
      on 0.2.1.5-alpha.
2147
2148

  o Minor bugfixes (onion service v3):
2149
2150
    - When purging the client descriptor cache, close any introduction
      point circuits associated with purged cache entries. This avoids
2151
2152
      picking those circuits later when connecting to the same
      introduction points. Fixes bug 30921; bugfix on 0.3.2.1-alpha.
2153
2154
2155
2156

  o Minor bugfixes (onion services):
    - In the hs_ident_circuit_t data structure, remove the unused field
      circuit_type and the respective argument in hs_ident_circuit_new().
2157
2158
      This field was set by clients (for introduction) and services (for
      introduction and rendezvous) but was never used afterwards. Fixes
2159
2160
2161
      bug 31490; bugfix on 0.3.2.1-alpha. Patch by Neel Chauhan.

  o Minor bugfixes (operator tools):
2162
2163
2164
    - Make tor-print-ed-signing-cert(1) print certificate expiration
      date in RFC 1123 and UNIX timestamp formats, to make output
      machine readable. Fixes bug 31012; bugfix on 0.3.5.1-alpha.
2165
2166

  o Minor bugfixes (rust):
2167
2168
    - Correctly exclude a redundant rust build job in Travis. Fixes bug
      31463; bugfix on 0.3.5.4-alpha.
2169
2170
2171
2172
2173
    - Raise the minimum rustc version to 1.31.0, as checked by configure
      and CI. Fixes bug 31442; bugfix on 0.3.5.4-alpha.

  o Minor bugfixes (sendme, code structure):
    - Rename the trunnel SENDME file definition from sendme.trunnel to
2174
2175
      sendme_cell.trunnel to avoid having twice sendme.{c|h} in the
      repository. Fixes bug 30769; bugfix on 0.4.1.1-alpha.
2176
2177

  o Minor bugfixes (statistics):
2178
2179
2180
2181
    - Stop removing the ed25519 signature if the extra info file is too
      big. If the signature data was removed, but the keyword was kept,
      this could result in an unparseable extra info file. Fixes bug
      30958; bugfix on 0.2.7.2-alpha.
2182
2183

  o Minor bugfixes (subsystems):
2184
2185
    - Make the subsystem init order match the subsystem module
      dependencies. Call windows process security APIs as early as
2186
2187
2188
      possible. Initialize logging before network and time, so that
      network and time can use logging. Fixes bug 31615; bugfix
      on 0.4.0.