ChangeLog 1.49 MB
Newer Older
1
2
Changes in version 0.3.5.3-alpha - 2018-10-17
  Tor 0.3.5.3-alpha fixes several bugs, mostly from previous 0.3.5.x
Nick Mathewson's avatar
Nick Mathewson committed
3
4
5
6
  versions. One important fix for relays addresses a problem with rate-
  limiting code from back in 0.3.4.x: If the fix works out, we'll be
  backporting it soon. This release is still an alpha, but we hope it's
  getting closer and closer to stability.
7

Nick Mathewson's avatar
Nick Mathewson committed
8
9
10
11
12
13
  o Major features (onion services):
    - Version 3 onion services can now use the per-service
      HiddenServiceExportCircuitID option to differentiate client
      circuits. It communicates with the service by using the HAProxy
      protocol to assign virtual IP addresses to inbound client
      circuits. Closes ticket 4700. Patch by Mahrud Sayrafi.
Nick Mathewson's avatar
Nick Mathewson committed
14

15
  o Major bugfixes (compilation):
Nick Mathewson's avatar
Nick Mathewson committed
16
17
    - Fix compilation on ARM (and other less-used CPUs) when compiling
      with OpenSSL before 1.1. Fixes bug 27781; bugfix on 0.3.4.1-alpha.
18
19

  o Major bugfixes (initialization, crash):
Nick Mathewson's avatar
Nick Mathewson committed
20
21
22
    - Fix an assertion crash that would stop Tor from starting up if it
      tried to activate a periodic event too early. Fixes bug 27861;
      bugfix on 0.3.5.1-alpha.
23
24

  o Major bugfixes (mainloop, bootstrap):
Nick Mathewson's avatar
Nick Mathewson committed
25
26
27
28
    - Make sure Tor bootstraps and works properly if only the
      ControlPort is set. Prior to this fix, Tor would only bootstrap
      when a client port was set (Socks, Trans, NATD, DNS or HTTPTunnel
      port). Fixes bug 27849; bugfix on 0.3.4.1-alpha.
29

Nick Mathewson's avatar
Nick Mathewson committed
30
31
32
33
34
35
36
  o Major bugfixes (relay):
    - When our write bandwidth limit is exhausted, stop writing on the
      connection. Previously, we had a typo in the code that would make
      us stop reading instead, leading to relay connections being stuck
      indefinitely and consuming kernel RAM. Fixes bug 28089; bugfix
      on 0.3.4.1-alpha.

37
38
  o Minor features (continuous integration):
    - Use the Travis Homebrew addon to install packages on macOS during
Nick Mathewson's avatar
Nick Mathewson committed
39
40
      Travis CI. The package list is the same, but the Homebrew addon
      does not do a `brew update` by default. Implements ticket 27738.
41
    - Report what program produced the mysterious core file that we
Nick Mathewson's avatar
Nick Mathewson committed
42
      occasionally see on Travis CI during make distcheck. Closes
43
44
45
46
47
48
49
      ticket 28024.

  o Minor features (geoip):
    - Update geoip and geoip6 to the October 9 2018 Maxmind GeoLite2
      Country database. Closes ticket 27991.

  o Minor bugfixes (code safety):
Nick Mathewson's avatar
Nick Mathewson committed
50
    - Rewrite our assertion macros so that they no longer suppress the
Nick Mathewson's avatar
Nick Mathewson committed
51
52
      compiler's -Wparentheses warnings. Fixes bug 27709; bugfix
      on 0.0.6.
53
54
55

  o Minor bugfixes (compilation):
    - Compile the ed25519-donna code with a correct declaration of
Nick Mathewson's avatar
Nick Mathewson committed
56
57
58
      crypto_strongest_rand(). Previously, we built it with one type,
      but linked it against another in the unit tests, which caused
      compilation failures with LTO enabled. This could have caused
Nick Mathewson's avatar
Nick Mathewson committed
59
60
      other undefined behavior in the tests. Fixes bug 27728; bugfix
      on 0.3.5.1-alpha.
61
62

  o Minor bugfixes (compilation, netbsd):
Nick Mathewson's avatar
Nick Mathewson committed
63
64
65
66
    - Add a missing include back into procmon.c. Fixes bug 27990; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (continuous integration, appveyor):
67
    - Install only the necessary mingw packages during our appveyor
Nick Mathewson's avatar
Nick Mathewson committed
68
69
      builds. This change makes the build a little faster, and prevents
      a conflict with a preinstalled mingw openssl that appveyor now
70
      ships. Fixes bugs 27765 and 27943; bugfix on 0.3.4.2-alpha.
71
72
73
74
75

  o Minor bugfixes (directory permissions):
    - When a user requests a group-readable DataDirectory, give it to
      them. Previously, when the DataDirectory and the CacheDirectory
      were the same, the default setting (0) for
Nick Mathewson's avatar
Nick Mathewson committed
76
      CacheDirectoryGroupReadable would override the setting for
Nick Mathewson's avatar
Nick Mathewson committed
77
78
      DataDirectoryGroupReadable. Fixes bug 26913; bugfix
      on 0.3.3.1-alpha.
79
80

  o Minor bugfixes (memory leaks):
Nick Mathewson's avatar
Nick Mathewson committed
81
82
    - Fix a small memory leak when calling Tor with --dump-config. Fixes
      bug 27893; bugfix on 0.3.2.1-alpha.
83
84

  o Minor bugfixes (networking):
Nick Mathewson's avatar
Nick Mathewson committed
85
    - In retry_listeners_ports(), make sure that we're removing a member
Nick Mathewson's avatar
Nick Mathewson committed
86
87
88
89
90
91
92
      of old_conns smartlist at most once. Fixes bug 27808; bugfix
      on 0.3.5.1-alpha.
    - Refrain from attempting socket rebinding when old and new
      listeners are in different address families. Fixes bug 27928;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfixes (onion service v3):
Nick Mathewson's avatar
Nick Mathewson committed
93
94
95
    - Stop dumping a stack trace when trying to connect to an intro
      point without having a descriptor for it. Fixes bug 27774; bugfix
      on 0.3.2.1-alpha.
96
    - Don't warn so loudly when Tor is unable to decode an onion
Nick Mathewson's avatar
Nick Mathewson committed
97
98
      descriptor. This can now happen as a normal use case if a client
      gets a descriptor with client authorization but the client is not
Nick Mathewson's avatar
Nick Mathewson committed
99
      authorized. Fixes bug 27550; bugfix on 0.3.5.1-alpha.
Nick Mathewson's avatar
Nick Mathewson committed
100
101
102
    - When selecting a v3 rendezvous point, don't only look at the
      protover, but also check whether the curve25519 onion key is
      present. This way we avoid picking a relay that supports the v3
Nick Mathewson's avatar
Nick Mathewson committed
103
104
      rendezvous but for which we don't have the microdescriptor. Fixes
      bug 27797; bugfix on 0.3.2.1-alpha.
105
106

  o Minor bugfixes (protover):
Nick Mathewson's avatar
Nick Mathewson committed
107
108
109
    - Reject protocol names containing bytes other than alphanumeric
      characters and hyphens ([A-Za-z0-9-]). Fixes bug 27316; bugfix
      on 0.2.9.4-alpha.
110
111

  o Minor bugfixes (testing):
Nick Mathewson's avatar
Nick Mathewson committed
112
113
114
115
    - Make the hs_service tests use the same time source when creating
      the introduction point and when testing it. Now tests work better
      on very slow systems like ARM or Travis. Fixes bug 27810; bugfix
      on 0.3.2.1-alpha.
116
117
    - In test_rebind.py, check if the Python version is in the supported
      range. Fixes bug 27675; bugfix on 0.3.5.1-alpha.
118
119
120
121
122
123
124
125
126
127
128

  o Code simplification and refactoring:
    - Divide more large Tor source files -- especially ones that span
      multiple areas of functionality -- into smaller parts, including
      onion.c and main.c. Closes ticket 26747.
    - Divide the "routerparse.c" module into separate modules for each
      group of parsed objects. Closes ticket 27924.
    - Move protover_rust.c to the same place protover.c was moved to.
      Closes ticket 27814.
    - Split directory.c into separate pieces for client, server, and
      common functionality. Closes ticket 26744.
Nick Mathewson's avatar
Nick Mathewson committed
129
130
131
132
    - Split the non-statistics-related parts from the rephist.c and
      geoip.c modules. Closes ticket 27892.
    - Split the router.c file into relay-only and shared components, to
      help with future modularization. Closes ticket 27864.
133
134

  o Documentation:
Nick Mathewson's avatar
Nick Mathewson committed
135
136
    - In the tor-resolve(1) manpage, fix the reference to socks-
      extensions.txt by adding a web URL. Resolves ticket 27853.
Nick Mathewson's avatar
Nick Mathewson committed
137
138
    - Mention that we require Python to be 2.7 or newer for some
      integration tests that we ship with Tor. Resolves ticket 27677.
139
140


Nick Mathewson's avatar
Nick Mathewson committed
141
Changes in version 0.3.5.2-alpha - 2018-09-21
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
  Tor 0.3.5.2-alpha fixes several bugs in 0.3.5.1-alpha, including one
  that made Tor think it had run out of sockets. Anybody running a relay
  or an onion service on 0.3.5.1-alpha should upgrade.

  o Major bugfixes (relay bandwidth statistics):
    - When we close relayed circuits, report the data in the circuit
      queues as being written in our relay bandwidth stats. This
      mitigates guard discovery and other attacks that close circuits
      for the explicit purpose of noticing this discrepancy in
      statistics. Fixes bug 23512; bugfix on 0.0.8pre3.

  o Major bugfixes (socket accounting):
    - In our socket accounting code, count a socket as closed even when
      it is closed indirectly by the TLS layer. Previously, we would
      count these sockets as still in use, and incorrectly believe that
      we had run out of sockets. Fixes bug 27795; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (32-bit OSX and iOS, timing):
    - Fix an integer overflow bug in our optimized 32-bit millisecond-
      difference algorithm for 32-bit Apple platforms. Previously, it
      would overflow when calculating the difference between two times
      more than 47 days apart. Fixes part of bug 27139; bugfix
      on 0.3.4.1-alpha.
    - Improve the precision of our 32-bit millisecond difference
      algorithm for 32-bit Apple platforms. Fixes part of bug 27139;
      bugfix on 0.3.4.1-alpha.
    - Relax the tolerance on the mainloop/update_time_jumps test when
      running on 32-bit Apple platforms. Fixes part of bug 27139; bugfix
      on 0.3.4.1-alpha.

  o Minor bugfixes (onion service v3):
    - Close all SOCKS request (for the same .onion) if the newly fetched
      descriptor is unusable. Before that, we would close only the first
      one leaving the other hanging and let to time out by themselves.
      Fixes bug 27410; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (memory leak):
    - Fix an unlikely memory leak when trying to read a private key from
      a ridiculously large file. Fixes bug 27764; bugfix on
      0.3.5.1-alpha. This is CID 1439488.

  o Minor bugfixes (NSS):
    - Correctly detect failure to open a dummy TCP socket when stealing
      ownership of an fd from the NSS layer. Fixes bug 27782; bugfix
      on 0.3.5.1-alpha.

  o Minor bugfixes (rust):
    - protover_all_supported() would attempt to allocate up to 16GB on
      some inputs, leading to a potential memory DoS. Fixes bug 27206;
      bugfix on 0.3.3.5-rc.

  o Minor bugfixes (testing):
    - Revise the "conditionvar_timeout" test so that it succeeds even on
      heavily loaded systems where the test threads are not scheduled
      within 200 msec. Fixes bug 27073; bugfix on 0.2.6.3-alpha.

  o Code simplification and refactoring:
    - Divide the routerlist.c and dirserv.c modules into smaller parts.
      Closes ticket 27799.


Nick Mathewson's avatar
Nick Mathewson committed
204
Changes in version 0.3.5.1-alpha - 2018-09-18
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
  Tor 0.3.5.1-alpha is the first release of the 0.3.5.x series. It adds
  client authorization for modern (v3) onion services, improves
  bootstrap reporting, begins reorganizing Tor's codebase, adds optional
  support for NSS in place of OpenSSL, and much more.

  o Major features (onion services, UI change):
    - For a newly created onion service, the default version is now 3.
      Tor still supports existing version 2 services, but the operator
      now needs to set "HiddenServiceVersion 2" in order to create a new
      version 2 service. For existing services, Tor now learns the
      version by reading the key file. Closes ticket 27215.

  o Major features (relay, UI change):
    - Relays no longer run as exits by default. If the "ExitRelay"
      option is auto (or unset), and no exit policy is specified with
      ExitPolicy or ReducedExitPolicy, we now treat ExitRelay as 0.
      Previously in this case, we allowed exit traffic and logged a
      warning message. Closes ticket 21530. Patch by Neel Chauhan.
223
224
    - Tor now validates that the ContactInfo config option is valid UTF-
      8 when parsing torrc. Closes ticket 27428.
225

226
  o Major features (bootstrap):
227
228
229
230
    - Don't report directory progress until after a connection to a
      relay or bridge has succeeded. Previously, we'd report 80%
      progress based on cached directory information when we couldn't
      even connect to the network. Closes ticket 27169.
231
232
233
234
235
236
237
238
239
240
241
242
243
244

  o Major features (new code layout):
    - Nearly all of Tor's source code has been moved around into more
      logical places. The "common" directory is now divided into a set
      of libraries in "lib", and files in the "or" directory have been
      split into "core" (logic absolutely needed for onion routing),
      "feature" (independent modules in Tor), and "app" (to configure
      and invoke the rest of Tor). See doc/HACKING/CodeStructure.md for
      more information. Closes ticket 26481.

      This refactoring is not complete: although the libraries have been
      refactored to be acyclic, the main body of Tor is still too
      interconnected. We will attempt to improve this in the future.

245
  o Major features (onion services v3):
246
247
248
249
250
    - Implement onion service client authorization at the descriptor
      level: only authorized clients can decrypt a service's descriptor
      to find out how to contact it. A new torrc option was added to
      control this client side: ClientOnionAuthDir <path>. On the
      service side, if the "authorized_clients/" directory exists in the
Nick Mathewson's avatar
Nick Mathewson committed
251
      onion service directory path, client configurations are read from
252
253
      the files within. See the manpage for more details. Closes ticket
      27547. Patch done by Suphanat Chunhapanya (haxxpop).
254
255
256
257
258
259
260
261
262
263
264
265
    - Improve revision counter generation in next-gen onion services.
      Onion services can now scale by hosting multiple instances on
      different hosts without synchronization between them, which was
      previously impossible because descriptors would get rejected by
      HSDirs. Addresses ticket 25552.

  o Major features (portability, cryptography, experimental, TLS):
    - Tor now has the option to compile with the NSS library instead of
      OpenSSL. This feature is experimental, and we expect that bugs may
      remain. It is mainly intended for environments where Tor's
      performance is not CPU-bound, and where NSS is already known to be
      installed. To try it out, configure Tor with the --enable-nss
266
267
268
269
      flag. Closes tickets 26631, 26815, and 26816.

      If you are experimenting with this option and using an old cached
      consensus, Tor may fail to start. To solve this, delete your
270
271
      "cached-consensus" and "cached-microdesc-consensus" files,
      (if present), and restart Tor.
272
273

  o Major bugfixes (directory authority):
274
275
    - Actually check that the address we get from DirAuthority
      configuration line is valid IPv4. Explicitly disallow DirAuthority
Nick Mathewson's avatar
Nick Mathewson committed
276
      address to be a DNS hostname. Fixes bug 26488; bugfix
277
      on 0.1.2.10-rc.
278
279
280
281
282
283
284

  o Major bugfixes (restart-in-process):
    - Fix a use-after-free error that could be caused by passing Tor an
      impossible set of options that would fail during options_act().
      Fixes bug 27708; bugfix on 0.3.3.1-alpha.

  o Minor features (admin tools):
285
286
287
    - Add a new --key-expiration option to print the expiration date of
      the signing cert in an ed25519_signing_cert file. Resolves
      issue 19506.
288
289
290
291

  o Minor features (build):
    - If you pass the "--enable-pic" option to configure, Tor will try
      to tell the compiler to build position-independent code suitable
292
293
      to link into a dynamic library. (The default remains -fPIE, for
      code suitable for a relocatable executable.) Closes ticket 23846.
294
295
296
297
298
299
300
301

  o Minor features (code correctness, testing):
    - Tor's build process now includes a "check-includes" make target to
      verify that no module of Tor relies on any headers from a higher-
      level module. We hope to use this feature over time to help
      refactor our codebase. Closes ticket 26447.

  o Minor features (code layout):
302
303
    - We have a new "lowest-level" error-handling API for use by code
      invoked from within the logging module. With this interface, the
304
      logging code is no longer at risk of calling into itself if a
305
306
      failure occurs while it is trying to log something. Closes
      ticket 26427.
307
308
309
310
311
312
313
314

  o Minor features (compilation):
    - Tor's configure script now supports a --with-malloc= option to
      select your malloc implementation. Supported options are
      "tcmalloc", "jemalloc", "openbsd" (deprecated), and "system" (the
      default). Addresses part of ticket 20424. Based on a patch from
      Alex Xu.

315
  o Minor features (config):
316
    - The "auto" keyword in torrc is now case-insensitive. Closes
317
318
      ticket 26663.

319
320
321
322
323
324
325
326
  o Minor features (continuous integration):
    - Don't do a distcheck with --disable-module-dirauth in Travis.
      Implements ticket 27252.
    - Install libcap-dev and libseccomp2-dev so these optional
      dependencies get tested on Travis CI. Closes ticket 26560.
    - Only run one online rust build in Travis, to reduce network
      errors. Skip offline rust builds on Travis for Linux gcc, because
      they're redundant. Implements ticket 27252.
327
328
329
330
    - Skip gcc on OSX in Travis CI, because it's rarely used. Skip a
      duplicate hardening-off build in Travis on Tor 0.2.9. Skip gcc on
      Linux with default settings, because all the non-default builds
      use gcc on Linux. Implements ticket 27252.
331
332
333
334
335
336
337
338
339

  o Minor features (controller):
    - Emit CIRC_BW events as soon as we detect that we processed an
      invalid or otherwise dropped cell on a circuit. This allows
      vanguards and other controllers to react more quickly to dropped
      cells. Closes ticket 27678.
    - For purposes of CIRC_BW-based dropped cell detection, track half-
      closed stream ids, and allow their ENDs, SENDMEs, DATA and path
      bias check cells to arrive without counting it as dropped until
Nick Mathewson's avatar
Nick Mathewson committed
340
      either the END arrives, or the windows are empty. Closes
341
      ticket 25573.
342
    - Implement a 'GETINFO md/all' controller command to enable getting
Nick Mathewson's avatar
Nick Mathewson committed
343
      all known microdescriptors. Closes ticket 8323.
344
345
346
347
348
349
    - The GETINFO command now support an "uptime" argument, to return
      Tor's uptime in seconds. Closes ticket 25132.

  o Minor features (denial-of-service avoidance):
    - Make our OOM handler aware of the DNS cache so that it doesn't
      fill up the memory. This check is important for our DoS mitigation
Nick Mathewson's avatar
Nick Mathewson committed
350
      subsystem. Closes ticket 18642. Patch by Neel Chauhan.
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370

  o Minor features (development):
    - Tor's makefile now supports running the "clippy" Rust style tool
      on our Rust code. Closes ticket 22156.

  o Minor features (directory authority):
    - There is no longer an artificial upper limit on the length of
      bandwidth lines. Closes ticket 26223.
    - When a bandwidth file is used to obtain the bandwidth measurements,
      include this bandwidth file headers in the votes. Closes
      ticket 3723.
    - Improved support for networks with only a single authority or a
      single fallback directory. Patch from Gabriel Somlo. Closes
      ticket 25928.

  o Minor features (embedding API):
    - The Tor controller API now supports a function to launch Tor with
      a preconstructed owning controller FD, so that embedding
      applications don't need to manage controller ports and
      authentication. Closes ticket 24204.
371
372
373
    - The Tor controller API now has a function that returns the name
      and version of the backend implementing the API. Closes
      ticket 26947.
374
375
376
377
378
379

  o Minor features (geoip):
    - Update geoip and geoip6 to the September 6 2018 Maxmind GeoLite2
      Country database. Closes ticket 27631.

  o Minor features (memory management):
380
381
382
    - Get Libevent to use the same memory allocator as Tor, by calling
      event_set_mem_functions() during initialization. Resolves
      ticket 8415.
383
384
385
386
387
388

  o Minor features (memory usage):
    - When not using them, store legacy TAP public onion keys in DER-
      encoded format, rather than as expanded public keys. This should
      save several megabytes on typical clients. Closes ticket 27246.

389
390
  o Minor features (OpenSSL):
    - When possible, use RFC5869 HKDF implementation from OpenSSL rather
Nick Mathewson's avatar
Nick Mathewson committed
391
      than our own. Resolves ticket 19979.
392

393
  o Minor features (Rust, code quality):
394
    - Improve rust code quality in the rust protover implementation by
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
      making it more idiomatic. Includes changing an internal API to
      take &str instead of &String. Closes ticket 26492.

  o Minor features (testing):
    - Add scripts/test/chutney-git-bisect.sh, for bisecting using
      chutney. Implements ticket 27211.

  o Minor features (tor-resolve):
    - The tor-resolve utility can now be used with IPv6 SOCKS proxies.
      Side-effect of the refactoring for ticket 26526.

  o Minor features (UI):
    - Log each included configuration file or directory as we read it,
      to provide more visibility about where Tor is reading from. Patch
      from Unto Sten; closes ticket 27186.
Nick Mathewson's avatar
Nick Mathewson committed
410
    - Lower log level of "Scheduler type KIST has been enabled" to INFO.
411
      Closes ticket 26703.
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429

  o Minor bugfixes (bootstrap):
    - Try harder to get descriptors in non-exit test networks, by using
      the mid weight for the third hop when there are no exits. Fixes
      bug 27237; bugfix on 0.2.6.2-alpha.

  o Minor bugfixes (C correctness):
    - Avoid casting smartlist index to int implicitly, as it may trigger
      a warning (-Wshorten-64-to-32). Fixes bug 26282; bugfix on
      0.2.3.13-alpha, 0.2.7.1-alpha and 0.2.1.1-alpha.
    - Use time_t for all values in
      predicted_ports_prediction_time_remaining(). Rework the code that
      computes difference between durations/timestamps. Fixes bug 27165;
      bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (client, memory usage):
    - When not running as a directory cache, there is no need to store
      the text of the current consensus networkstatus in RAM.
430
      Previously, however, clients would store it anyway, at a cost of
431
432
433
434
      over 5 MB. Now, they do not. Fixes bug 27247; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (client, reachableaddresses):
Nick Mathewson's avatar
Nick Mathewson committed
435
    - Instead of adding a "reject *:*" line to ReachableAddresses when
436
437
438
      loading the configuration, add one to the policy after parsing it
      in parse_reachable_addresses(). This prevents extra "reject *.*"
      lines from accumulating on reloads. Fixes bug 20874; bugfix on
439
      0.1.1.5-alpha. Patch by Neel Chauhan.
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475

  o Minor bugfixes (code quality):
    - Rename sandbox_getaddrinfo() and other functions to no longer
      misleadingly suggest that they are sandbox-only. Fixes bug 26525;
      bugfix on 0.2.7.1-alpha.

  o Minor bugfixes (configuration, Onion Services):
    - In rend_service_parse_port_config(), disallow any input to remain
      after address-port pair was parsed. This will catch address and
      port being whitespace-separated by mistake of the user. Fixes bug
      27044; bugfix on 0.2.9.10.

  o Minor bugfixes (continuous integration):
    - Stop reinstalling identical packages in our Windows CI. Fixes bug
      27464; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (controller):
    - Consider all routerinfo errors other than "not a server" to be
      transient for the purpose of "GETINFO exit-policy/*" controller
      request. Print stacktrace in the unlikely case of failing to
      recompute routerinfo digest. Fixes bug 27034; bugfix
      on 0.3.4.1-alpha.

  o Minor bugfixes (directory connection shutdown):
    - Avoid a double-close when shutting down a stalled directory
      connection. Fixes bug 26896; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (HTTP tunnel):
    - Fix a bug warning when closing an HTTP tunnel connection due to an
      HTTP request we couldn't handle. Fixes bug 26470; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (ipv6):
    - In addrs_in_same_network_family(), we choose the subnet size based
      on the IP version (IPv4 or IPv6). Previously, we chose a fixed
      subnet size of /16 for both IPv4 and IPv6 addresses. Fixes bug
476
      15518; bugfix on 0.2.3.1-alpha. Patch by Neel Chauhan.
477
478
479
480
481
482

  o Minor bugfixes (logging):
    - As a precaution, do an early return from log_addr_has_changed() if
      Tor is running as client. Also, log a stack trace for debugging as
      this function should only be called when Tor runs as server. Fixes
      bug 26892; bugfix on 0.1.1.9-alpha.
483
484
    - Refrain from mentioning bug 21018 in the logs, as it is already
      fixed. Fixes bug 25477; bugfix on 0.2.9.8.
485
486
487
488
489
490
491
492
493
494
495

  o Minor bugfixes (logging, documentation):
    - When SafeLogging is enabled, scrub IP address in
      channel_tls_process_netinfo_cell(). Also, add a note to manpage
      that scrubbing is not guaranteed on loglevels below Notice. Fixes
      bug 26882; bugfix on 0.2.4.10-alpha.

  o Minor bugfixes (netflow padding):
    - Ensure circuitmux queues are empty before scheduling or sending
      padding. Fixes bug 25505; bugfix on 0.3.1.1-alpha.

496
  o Minor bugfixes (onion service v2):
497
498
499
    - Log at level "info", not "warning", in the case that we do not
      have a consensus when a .onion request comes in. This can happen
      normally while bootstrapping. Fixes bug 27040; bugfix
500
501
502
      on 0.2.8.2-alpha.

  o Minor bugfixes (onion service v3):
503
504
505
    - When the onion service directory can't be created or has the wrong
      permissions, do not log a stack trace. Fixes bug 27335; bugfix
      on 0.3.2.1-alpha.
506

507
  o Minor bugfixes (OS compatibility):
508
509
510
511
    - Properly handle configuration changes that move a listener to/from
      wildcard IP address. If the first attempt to bind a socket fails,
      close the old listener and try binding the socket again. Fixes bug
      17873; bugfix on 0.0.8pre-1.
512
513
514
515
516
517
518
519

  o Minor bugfixes (performance)::
    - Rework node_is_a_configured_bridge() to no longer call
      node_get_all_orports(), which was performing too many memory
      allocations. Fixes bug 27224; bugfix on 0.2.3.9.

  o Minor bugfixes (relay statistics):
    - Update relay descriptor on bandwidth changes only when the uptime
520
      is smaller than 24h, in order to reduce the efficiency of guard
521
522
      discovery attacks. Fixes bug 24104; bugfix on 0.1.1.6-alpha.

523
  o Minor bugfixes (relays):
524
525
526
527
    - Consider the fact that we'll be making direct connections to our
      entry and guard nodes when computing the fraction of nodes that
      have their descriptors. Also, if we are using bridges and there is
      at least one bridge with a full descriptor, treat the fraction of
528
      guards available as 100%. Fixes bug 25886; bugfix on 0.2.4.10-alpha.
529
530
531
532
533
534
535
536
537
538
539
540
      Patch by Neel Chauhan.
    - Update the message logged on relays when DirCache is disabled.
      Since 0.3.3.5-rc, authorities require DirCache (V2Dir) for the
      Guard flag. Fixes bug 24312; bugfix on 0.3.3.5-rc.

  o Minor bugfixes (rust, protover):
    - Compute protover votes correctly in the rust version of the
      protover code. Previously, the protover rewrite in 24031 allowed
      repeated votes from the same voter for the same protocol version
      to be counted multiple times in protover_compute_vote(). Fixes bug
      27649; bugfix on 0.3.3.5-rc.
    - Reject protover names that contain invalid characters. Fixes bug
541
542
543
544
545
546
547
548
      27687; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (testing):
    - Fix two unit tests to work when HOME environment variable is not
      set. Fixes bug 27096; bugfix on 0.2.8.1-alpha.
    - If a unit test running in a subprocess exits abnormally or with a
      nonzero status code, treat the test as having failed, even if the
      test reported success. Without this fix, memory leaks don't cause
Nick Mathewson's avatar
Nick Mathewson committed
549
      the tests to fail, even with LeakSanitizer. Fixes bug 27658;
550
551
552
553
      bugfix on 0.2.2.4-alpha.
    - When logging a version mismatch in our openssl_version tests,
      report the actual offending version strings. Fixes bug 26152;
      bugfix on 0.2.9.1-alpha.
554
555
    - Fix forking tests on Windows when there is a space somewhere in
      the path. Fixes bug 26437; bugfix on 0.2.2.4-alpha.
556
557

  o Code simplification and refactoring:
Nick Mathewson's avatar
Nick Mathewson committed
558
559
    - 'updateFallbackDirs.py' now ignores the blacklist file, as it's not
      longer needed. Closes ticket 26502.
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
    - Include paths to header files within Tor are now qualified by
      directory within the top-level src directory.
    - Many structures have been removed from the centralized "or.h"
      header, and moved into their own headers. This will allow us to
      reduce the number of places in the code that rely on each
      structure's contents and layout. Closes ticket 26383.
    - Remove ATTR_NONNULL macro from codebase. Resolves ticket 26527.
    - Remove GetAdaptersAddresses_fn_t. The code that used it was
      removed as part of the 26481 refactor. Closes ticket 27467.
    - Rework Tor SOCKS server code to use Trunnel and benefit from
      autogenerated functions for parsing and generating SOCKS wire
      format. New implementation is cleaner, more maintainable and
      should be less prone to heartbleed-style vulnerabilities.
      Implements a significant fraction of ticket 3569.
    - Split sampled_guards_update_from_consensus() and
      select_entry_guard_for_circuit() into subfunctions. In
      entry_guards_update_primary() unite three smartlist enumerations
      into one and move smartlist comparison code out of the function.
      Closes ticket 21349.
    - Tor now assumes that you have standards-conformant stdint.h and
      inttypes.h headers when compiling. Closes ticket 26626.
    - Unify our bloom filter logic. Previously we had two copies of this
      code: one for routerlist filtering, and one for address set
      calculations. Closes ticket 26510.
    - Use the simpler strcmpstart() helper in
      rend_parse_v2_service_descriptor instead of strncmp(). Closes
      ticket 27630.
    - Utility functions that can perform a DNS lookup are now wholly
      separated from those that can't, in separate headers and C
      modules. Closes ticket 26526.

  o Documentation:
592
593
    - Copy paragraph and URL to Tor's code of conduct document from
      CONTRIBUTING to new CODE_OF_CONDUCT file. Resolves ticket 26638.
594
595
596
597
598
599
600
601
602
603
604
    - Remove old instructions from INSTALL document. Closes ticket 26588.
    - Warn users that they should not include MyFamily line(s) in their
      torrc when running Tor bridge. Closes ticket 26908.

  o Removed features:
    - Tor no longer supports building with the dmalloc library. For
      debugging memory issues, we suggest using gperftools or msan
      instead. Closes ticket 26426.
    - Tor no longer attempts to run on Windows environments without the
      GetAdaptersAddresses() function. This function has existed since
      Windows XP, which is itself already older than we support.
605
606
607
608
609
610
    - Remove Tor2web functionality for version 2 onion services. The
      Tor2webMode and Tor2webRendezvousPoints options are now obsolete.
      (This feature was never shipped in vanilla Tor and it was only
      possible to use this feature by building the support at compile
      time. Tor2webMode is not implemented for version 3 onion services.)
      Closes ticket 26367.
611
612


613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
Changes in version 0.2.9.17 - 2018-09-10
  Tor 0.2.9.17 backports numerous bugfixes from later versions of Tor.

  o Minor features (compatibility, backport from 0.3.4.8):
    - Tell OpenSSL to maintain backward compatibility with previous
      RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these
      ciphers are disabled by default. Closes ticket 27344.

  o Minor features (continuous integration, backport from 0.3.4.7-rc):
    - Enable macOS builds in our Travis CI configuration. Closes
      ticket 24629.
    - Install libcap-dev and libseccomp2-dev so these optional
      dependencies get tested on Travis CI. Closes ticket 26560.
    - Run asciidoc during Travis CI. Implements ticket 27087.
    - Use ccache in our Travis CI configuration. Closes ticket 26952.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 27089.

  o Minor bugfixes (compilation, backport from 0.3.4.6-rc):
    - When compiling with --enable-openbsd-malloc or --enable-tcmalloc,
      tell the compiler not to include the system malloc implementation.
      Fixes bug 20424; bugfix on 0.2.0.20-rc.

  o Minor bugfixes (compilation, backport from 0.3.4.7-rc):
    - Silence a spurious compiler warning on the GetAdaptersAddresses
      function pointer cast. This issue is already fixed by 26481 in
      0.3.5 and later, by removing the lookup and cast. Fixes bug 27465;
      bugfix on 0.2.3.11-alpha.
    - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not
      supported, and always fails. Some compilers warn about the
      function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix
      on 0.2.2.23-alpha.

  o Minor bugfixes (compilation, windows, backport from 0.3.4.7-rc):
    - Don't link or search for pthreads when building for Windows, even
      if we are using build environment (like mingw) that provides a
      pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (continuous integration, backport from 0.3.4.6-rc):
    - Skip a pair of unreliable key generation tests on Windows, until
      the underlying issue in bug 26076 is resolved. Fixes bug 26830 and
      bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively.

  o Minor bugfixes (continuous integration, backport from 0.3.4.7-rc):
    - Pass the module flags to distcheck configure, and log the flags
      before running configure. (Backported to 0.2.9 and later as a
      precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (continuous integration, backport from 0.3.4.8):
    - When a Travis build fails, and showing a log fails, keep trying to
      show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc.
    - When we use echo in Travis, don't pass a --flag as the first
      argument. Fixes bug 27418; bugfix on 0.3.4.7-rc.

  o Minor bugfixes (directory authority, backport from 0.3.4.6-rc):
    - When voting for recommended versions, make sure that all of the
      versions are well-formed and parsable. Fixes bug 26485; bugfix
      on 0.1.1.6-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.4.7-rc):
    - Fix a bug in out sandboxing rules for the openat() syscall.
      Previously, no openat() call would be permitted, which would break
      filesystem operations on recent glibc versions. Fixes bug 25440;
      bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto.

  o Minor bugfixes (onion services, backport from 0.3.4.8):
    - Silence a spurious compiler warning in
      rend_client_send_introduction(). Fixes bug 27463; bugfix
      on 0.1.1.2-alpha.

  o Minor bugfixes (single onion services, Tor2web, backport from 0.3.4.6-rc):
    - Log a protocol warning when single onion services or Tor2web clients
      fail to authenticate direct connections to relays.
      Fixes bug 26924; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (testing, backport from 0.3.4.6-rc):
    - Disable core dumps in test_bt.sh, to avoid failures in "make
      distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (testing, chutney, backport from 0.3.4.8):
    - Before running make test-network-all, delete old logs and test
      result files, to avoid spurious failures. Fixes bug 27295; bugfix
      on 0.2.7.3-rc.

  o Minor bugfixes (testing, openssl compatibility, backport from 0.3.4.7-rc):
    - Our "tortls/cert_matches_key" unit test no longer relies on
      OpenSSL internals. Previously, it relied on unsupported OpenSSL
      behavior in a way that caused it to crash with OpenSSL 1.0.2p.
      Fixes bug 27226; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (Windows, compilation, backport from 0.3.4.7-rc):
    - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug
      27185; bugfix on 0.2.2.2-alpha.


Changes in version 0.3.2.12 - 2018-09-10
  Tor 0.3.2.12 backport numerous fixes from later versions of Tor.

  o Minor features (compatibility, backport from 0.3.4.8):
    - Tell OpenSSL to maintain backward compatibility with previous
      RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these
      ciphers are disabled by default. Closes ticket 27344.

  o Minor features (continuous integration, backport from 0.3.4.7-rc):
    - Enable macOS builds in our Travis CI configuration. Closes
      ticket 24629.
    - Install libcap-dev and libseccomp2-dev so these optional
      dependencies get tested on Travis CI. Closes ticket 26560.
    - Run asciidoc during Travis CI. Implements ticket 27087.
    - Use ccache in our Travis CI configuration. Closes ticket 26952.

  o Minor features (continuous integration, rust, backport from 0.3.4.7-rc):
    - Use cargo cache in our Travis CI configuration. Closes
      ticket 26952.

  o Minor features (controller, backport from 0.3.4.6-rc):
    - The control port now exposes the list of HTTPTunnelPorts and
      ExtOrPorts via GETINFO net/listeners/httptunnel and
      net/listeners/extor respectively. Closes ticket 26647.

  o Minor features (directory authorities, backport from 0.3.4.7-rc):
    - Authorities no longer vote to make the subprotocol version
      "LinkAuth=1" a requirement: it is unsupportable with NSS, and
      hasn't been needed since Tor 0.3.0.1-alpha. Closes ticket 27286.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 27089.

  o Minor bugfixes (compilation, backport from 0.3.4.6-rc):
    - When compiling with --enable-openbsd-malloc or --enable-tcmalloc,
      tell the compiler not to include the system malloc implementation.
      Fixes bug 20424; bugfix on 0.2.0.20-rc.
    - Don't try to use a pragma to temporarily disable the
      -Wunused-const-variable warning if the compiler doesn't support
      it. Fixes bug 26785; bugfix on 0.3.2.11.

  o Minor bugfixes (compilation, backport from 0.3.4.7-rc):
    - Silence a spurious compiler warning on the GetAdaptersAddresses
      function pointer cast. This issue is already fixed by 26481 in
      0.3.5 and later, by removing the lookup and cast. Fixes bug 27465;
      bugfix on 0.2.3.11-alpha.
    - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not
      supported, and always fails. Some compilers warn about the
      function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix
      on 0.2.2.23-alpha.

  o Minor bugfixes (compilation, windows, backport from 0.3.4.7-rc):
    - Don't link or search for pthreads when building for Windows, even
      if we are using build environment (like mingw) that provides a
      pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (continuous integration, backport from 0.3.4.6-rc):
    - Skip a pair of unreliable key generation tests on Windows, until
      the underlying issue in bug 26076 is resolved. Fixes bug 26830 and
      bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively.

  o Minor bugfixes (continuous integration, backport from 0.3.4.7-rc):
    - Build with zstd on macOS. Fixes bug 27090; bugfix on 0.3.1.5-alpha.
    - Pass the module flags to distcheck configure, and log the flags
      before running configure. (Backported to 0.2.9 and later as a
      precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (continuous integration, backport from 0.3.4.8):
    - When a Travis build fails, and showing a log fails, keep trying to
      show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc.
    - When we use echo in Travis, don't pass a --flag as the first
      argument. Fixes bug 27418; bugfix on 0.3.4.7-rc.

  o Minor bugfixes (directory authority, backport from 0.3.4.6-rc):
    - When voting for recommended versions, make sure that all of the
      versions are well-formed and parsable. Fixes bug 26485; bugfix
      on 0.1.1.6-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.4.7-rc):
    - Fix a bug in out sandboxing rules for the openat() syscall.
      Previously, no openat() call would be permitted, which would break
      filesystem operations on recent glibc versions. Fixes bug 25440;
      bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto.

  o Minor bugfixes (logging, backport from 0.3.4.6-rc):
    - Improve the log message when connection initiators fail to
      authenticate direct connections to relays. Fixes bug 26927; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (onion services, backport from 0.3.4.7-rc):
    - Fix bug that causes services to not ever rotate their descriptors
      if they were getting SIGHUPed often. Fixes bug 26932; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion services, backport from 0.3.4.8):
    - Silence a spurious compiler warning in
      rend_client_send_introduction(). Fixes bug 27463; bugfix
      on 0.1.1.2-alpha.

  o Minor bugfixes (rust, backport from 0.3.4.7-rc):
    - Backport test_rust.sh from master. Fixes bug 26497; bugfix
      on 0.3.1.5-alpha.
    - Consistently use ../../.. as a fallback for $abs_top_srcdir in
      test_rust.sh. Fixes bug 27093; bugfix on 0.3.4.3-alpha.
    - Stop setting $CARGO_HOME. cargo will use the user's $CARGO_HOME, or
      $HOME/.cargo by default. Fixes bug 26497; bugfix on 0.3.1.5-alpha.

  o Minor bugfixes (single onion services, Tor2web, backport from 0.3.4.6-rc):
    - Log a protocol warning when single onion services or Tor2web clients
      fail to authenticate direct connections to relays.
      Fixes bug 26924; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (testing, backport from 0.3.4.6-rc):
    - Disable core dumps in test_bt.sh, to avoid failures in "make
      distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (testing, chutney, backport from 0.3.4.8):
    - When running make test-network-all, use the mixed+hs-v2 network.
      (A previous fix to chutney removed v3 onion services from the
      mixed+hs-v23 network, so seeing "mixed+hs-v23" in tests is
      confusing.) Fixes bug 27345; bugfix on 0.3.2.1-alpha.
    - Before running make test-network-all, delete old logs and test
      result files, to avoid spurious failures. Fixes bug 27295; bugfix
      on 0.2.7.3-rc.

  o Minor bugfixes (testing, openssl compatibility):
    - Our "tortls/cert_matches_key" unit test no longer relies on OpenSSL
      internals.  Previously, it relied on unsupported OpenSSL behavior in
      a way that caused it to crash with OpenSSL 1.0.2p. Fixes bug 27226;
      bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (testing, openssl compatibility, backport from 0.3.4.7-rc):
    - Our "tortls/cert_matches_key" unit test no longer relies on
      OpenSSL internals. Previously, it relied on unsupported OpenSSL
      behavior in a way that caused it to crash with OpenSSL 1.0.2p.
      Fixes bug 27226; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (Windows, compilation, backport from 0.3.4.7-rc):
    - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug
      27185; bugfix on 0.2.2.2-alpha.


Changes in version 0.3.3.10 - 2018-09-10
  Tor 0.3.3.10 backports numerous fixes from later versions of Tor.

  o Minor features (bug workaround, backport from 0.3.4.7-rc):
    - Compile correctly on systems that provide the C11 stdatomic.h
      header, but where C11 atomic functions don't actually compile.
      Closes ticket 26779; workaround for Debian issue 903709.

  o Minor features (compatibility, backport from 0.3.4.8):
    - Tell OpenSSL to maintain backward compatibility with previous
      RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these
      ciphers are disabled by default. Closes ticket 27344.

  o Minor features (continuous integration, backport from 0.3.4.7-rc):
    - Backport Travis rust distcheck to 0.3.3. Closes ticket 24629.
    - Enable macOS builds in our Travis CI configuration. Closes
      ticket 24629.
    - Install libcap-dev and libseccomp2-dev so these optional
      dependencies get tested on Travis CI. Closes ticket 26560.
    - Run asciidoc during Travis CI. Implements ticket 27087.
    - Use ccache in our Travis CI configuration. Closes ticket 26952.

  o Minor features (continuous integration, rust, backport from 0.3.4.7-rc):
    - Use cargo cache in our Travis CI configuration. Closes
      ticket 26952.

  o Minor features (controller, backport from 0.3.4.6-rc):
    - The control port now exposes the list of HTTPTunnelPorts and
      ExtOrPorts via GETINFO net/listeners/httptunnel and
      net/listeners/extor respectively. Closes ticket 26647.

  o Minor features (directory authorities, backport from 0.3.4.7-rc):
    - Authorities no longer vote to make the subprotocol version
      "LinkAuth=1" a requirement: it is unsupportable with NSS, and
      hasn't been needed since Tor 0.3.0.1-alpha. Closes ticket 27286.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 27089.

  o Minor bugfixes (compilation, backport from 0.3.4.6-rc):
    - When compiling with --enable-openbsd-malloc or --enable-tcmalloc,
      tell the compiler not to include the system malloc implementation.
      Fixes bug 20424; bugfix on 0.2.0.20-rc.
    - Don't try to use a pragma to temporarily disable the
      -Wunused-const-variable warning if the compiler doesn't support
      it. Fixes bug 26785; bugfix on 0.3.2.11.

  o Minor bugfixes (compilation, backport from 0.3.4.7-rc):
    - Silence a spurious compiler warning on the GetAdaptersAddresses
      function pointer cast. This issue is already fixed by 26481 in
      0.3.5 and later, by removing the lookup and cast. Fixes bug 27465;
      bugfix on 0.2.3.11-alpha.
    - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not
      supported, and always fails. Some compilers warn about the
      function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix
      on 0.2.2.23-alpha.

  o Minor bugfixes (compilation, windows, backport from 0.3.4.7-rc):
    - Don't link or search for pthreads when building for Windows, even
      if we are using build environment (like mingw) that provides a
      pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (continuous integration, backport from 0.3.4.6-rc):
    - Skip a pair of unreliable key generation tests on Windows, until
      the underlying issue in bug 26076 is resolved. Fixes bug 26830 and
      bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively.

  o Minor bugfixes (continuous integration, backport from 0.3.4.7-rc):
    - Build with zstd on macOS. Fixes bug 27090; bugfix on 0.3.1.5-alpha.
    - Pass the module flags to distcheck configure, and log the flags
      before running configure. (Backported to 0.2.9 and later as a
      precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (continuous integration, backport from 0.3.4.8):
    - When a Travis build fails, and showing a log fails, keep trying to
      show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc.
    - When we use echo in Travis, don't pass a --flag as the first
      argument. Fixes bug 27418; bugfix on 0.3.4.7-rc.

  o Minor bugfixes (directory authority, backport from 0.3.4.6-rc):
    - When voting for recommended versions, make sure that all of the
      versions are well-formed and parsable. Fixes bug 26485; bugfix
      on 0.1.1.6-alpha.

  o Minor bugfixes (in-process restart, backport from 0.3.4.7-rc):
    - Always call tor_free_all() when leaving tor_run_main(). When we
      did not, restarting tor in-process would cause an assertion
      failure. Fixes bug 26948; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox, backport from 0.3.4.7-rc):
    - Fix a bug in our sandboxing rules for the openat() syscall.
      Previously, no openat() call would be permitted, which would break
      filesystem operations on recent glibc versions. Fixes bug 25440;
      bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto.

  o Minor bugfixes (logging, backport from 0.3.4.6-rc):
    - Improve the log message when connection initiators fail to
      authenticate direct connections to relays. Fixes bug 26927; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (onion services, backport from 0.3.4.7-rc):
    - Fix bug that causes services to not ever rotate their descriptors
      if they were getting SIGHUPed often. Fixes bug 26932; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (onion services, backport from 0.3.4.8):
    - Silence a spurious compiler warning in
      rend_client_send_introduction(). Fixes bug 27463; bugfix
      on 0.1.1.2-alpha.

  o Minor bugfixes (portability, backport from 0.3.4.6-rc):
    - Work around two different bugs in the OS X 10.10 and later SDKs
      that would prevent us from successfully targeting earlier versions
      of OS X. Fixes bug 26876; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (portability, backport from 0.3.4.7-rc):
    - Fix compilation of the unit tests on GNU/Hurd, which does not
      define PATH_MAX. Fixes bug 26873; bugfix on 0.3.3.1-alpha. Patch
      from "paulusASol".

  o Minor bugfixes (rust, backport from 0.3.4.7-rc):
    - Backport test_rust.sh from master. Fixes bug 26497; bugfix
      on 0.3.1.5-alpha.
    - Consistently use ../../.. as a fallback for $abs_top_srcdir in
      test_rust.sh. Fixes bug 27093; bugfix on 0.3.4.3-alpha.
    - Protover parsing was accepting the presence of whitespace in
      version strings, which the C implementation would choke on, e.g.
      "Desc=1\t,2". Fixes bug 27177; bugfix on 0.3.3.5-rc.
    - Protover parsing was ignoring a 2nd hyphen and everything after
      it, accepting entries like "Link=1-5-foo". Fixes bug 27164; bugfix
      on 0.3.3.1-alpha.
    - Stop setting $CARGO_HOME. cargo will use the user's $CARGO_HOME, or
      $HOME/.cargo by default. Fixes bug 26497; bugfix on 0.3.1.5-alpha.
    - cd to ${abs_top_builddir}/src/rust before running cargo in
      src/test/test_rust.sh. This makes the working directory consistent
      between builds and tests. Fixes bug 26497; bugfix on 0.3.3.2-alpha.

  o Minor bugfixes (single onion services, Tor2web, backport from 0.3.4.6-rc):
    - Log a protocol warning when single onion services or Tor2web clients
      fail to authenticate direct connections to relays.
      Fixes bug 26924; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (testing, backport from 0.3.4.6-rc):
    - Disable core dumps in test_bt.sh, to avoid failures in "make
      distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha.

  o Minor bugfixes (testing, chutney, backport from 0.3.4.8):
    - When running make test-network-all, use the mixed+hs-v2 network.
      (A previous fix to chutney removed v3 onion services from the
      mixed+hs-v23 network, so seeing "mixed+hs-v23" in tests is
      confusing.) Fixes bug 27345; bugfix on 0.3.2.1-alpha.
    - Before running make test-network-all, delete old logs and test
      result files, to avoid spurious failures. Fixes bug 27295; bugfix
      on 0.2.7.3-rc.

  o Minor bugfixes (testing, openssl compatibility, backport from 0.3.4.7-rc):
    - Our "tortls/cert_matches_key" unit test no longer relies on
      OpenSSL internals. Previously, it relied on unsupported OpenSSL
      behavior in a way that caused it to crash with OpenSSL 1.0.2p.
      Fixes bug 27226; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (v3 onion services, backport from 0.3.4.6-rc):
    - Stop sending ed25519 link specifiers in v3 onion service introduce
      cells and descriptors, when the rendezvous or introduction point
      doesn't support ed25519 link authentication. Fixes bug 26627;
      bugfix on 0.3.2.4-alpha.

  o Minor bugfixes (Windows, compilation, backport from 0.3.4.7-rc):
    - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug
      27185; bugfix on 0.2.2.2-alpha.


Changes in version 0.3.4.8 - 2018-09-10
  Tor 0.3.4.8 is the first stable release in its series; it includes
  compilation and portability fixes.

  The Tor 0.3.4 series includes improvements for running Tor in
  low-power and embedded environments, which should help performance in
  general. We've begun work on better modularity, and included preliminary
  changes on the directory authority side to accommodate a new bandwidth
  measurement system.  We've also integrated more continuous-integration
  systems into our development process, and made corresponding changes to
  Tor's testing infrastructure.  Finally, we've continued to refine
  our anti-denial-of-service code.

  Below are the changes since 0.3.4.7-rc.  For a complete list of changes
  since 0.3.3.9, see the ReleaseNotes file.

  o Minor features (compatibility):
    - Tell OpenSSL to maintain backward compatibility with previous
      RSA1024/DH1024 users in Tor. With OpenSSL 1.1.1-pre6, these
      ciphers are disabled by default. Closes ticket 27344.

  o Minor features (continuous integration):
    - Log the compiler path and version during Appveyor builds.
      Implements ticket 27449.
    - Show config.log and test-suite.log after failed Appveyor builds.
      Also upload the zipped full logs as a build artifact. Implements
      ticket 27430.

  o Minor bugfixes (compilation):
    - Silence a spurious compiler warning on the GetAdaptersAddresses
      function pointer cast. This issue is already fixed by 26481 in
      0.3.5 and later, by removing the lookup and cast. Fixes bug 27465;
      bugfix on 0.2.3.11-alpha.
    - Stop calling SetProcessDEPPolicy() on 64-bit Windows. It is not
      supported, and always fails. Some compilers warn about the
      function pointer cast on 64-bit Windows. Fixes bug 27461; bugfix
      on 0.2.2.23-alpha.

  o Minor bugfixes (continuous integration):
    - Disable gcc hardening in Appveyor Windows 64-bit builds. As of
      August 29 2018, Appveyor images come with gcc 8.2.0 by default.
      Executables compiled for 64-bit Windows with this version of gcc
      crash when Tor's --enable-gcc-hardening flag is set. Fixes bug
      27460; bugfix on 0.3.4.1-alpha.
    - When a Travis build fails, and showing a log fails, keep trying to
      show the other logs. Fixes bug 27453; bugfix on 0.3.4.7-rc.
    - When we use echo in Travis, don't pass a --flag as the first
      argument. Fixes bug 27418; bugfix on 0.3.4.7-rc.

  o Minor bugfixes (onion services):
    - Silence a spurious compiler warning in
      rend_client_send_introduction(). Fixes bug 27463; bugfix
      on 0.1.1.2-alpha.

  o Minor bugfixes (testing, chutney):
    - When running make test-network-all, use the mixed+hs-v2 network.
      (A previous fix to chutney removed v3 onion services from the
      mixed+hs-v23 network, so seeing "mixed+hs-v23" in tests is
      confusing.) Fixes bug 27345; bugfix on 0.3.2.1-alpha.
    - Before running make test-network-all, delete old logs and test
      result files, to avoid spurious failures. Fixes bug 27295; bugfix
      on 0.2.7.3-rc.

1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
Changes in version 0.3.4.7-rc - 2018-08-24
  Tor 0.3.4.7-rc fixes several small compilation, portability, and
  correctness issues in previous versions of Tor. This version is a
  release candidate: if no serious bugs are found, we expect that the
  stable 0.3.4 release will be (almost) the same as this release.

  o Minor features (bug workaround):
    - Compile correctly on systems that provide the C11 stdatomic.h
      header, but where C11 atomic functions don't actually compile.
      Closes ticket 26779; workaround for Debian issue 903709.

  o Minor features (continuous integration):
    - Backport Travis rust distcheck to 0.3.3. Closes ticket 24629.
    - Enable macOS builds in our Travis CI configuration. Closes
      ticket 24629.
    - Install libcap-dev and libseccomp2-dev so these optional
      dependencies get tested on Travis CI. Closes ticket 26560.
    - Only post Appveyor IRC notifications when the build fails.
      Implements ticket 27275.
    - Run asciidoc during Travis CI. Implements ticket 27087.
    - Use ccache in our Travis CI configuration. Closes ticket 26952.

  o Minor features (continuous integration, rust):
    - Use cargo cache in our Travis CI configuration. Closes
      ticket 26952.

  o Minor features (directory authorities):
    - Authorities no longer vote to make the subprotocol version
      "LinkAuth=1" a requirement: it is unsupportable with NSS, and
      hasn't been needed since Tor 0.3.0.1-alpha. Closes ticket 27286.

  o Minor features (geoip):
    - Update geoip and geoip6 to the August 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 27089.

  o Minor bugfixes (compilation, windows):
    - Don't link or search for pthreads when building for Windows, even
      if we are using build environment (like mingw) that provides a
      pthreads library. Fixes bug 27081; bugfix on 0.1.0.1-rc.

  o Minor bugfixes (continuous integration):
    - Improve Appveyor CI IRC logging. Generate correct branches and
      URLs for pull requests and tags. Use unambiguous short commits.
      Fixes bug 26979; bugfix on master.
    - Build with zstd on macOS. Fixes bug 27090; bugfix on 0.3.1.5-alpha.
    - Pass the module flags to distcheck configure, and log the flags
      before running configure. (Backported to 0.2.9 and later as a
      precaution.) Fixes bug 27088; bugfix on 0.3.4.1-alpha.

  o Minor bugfixes (in-process restart):
    - Always call tor_free_all() when leaving tor_run_main(). When we
      did not, restarting tor in-process would cause an assertion
      failure. Fixes bug 26948; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Fix a bug in out sandboxing rules for the openat() syscall.
      Previously, no openat() call would be permitted, which would break
      filesystem operations on recent glibc versions. Fixes bug 25440;
      bugfix on 0.2.9.15. Diagnosis and patch from Daniel Pinto.

  o Minor bugfixes (onion services):
    - Fix bug that causes services to not ever rotate their descriptors
      if they were getting SIGHUPed often. Fixes bug 26932; bugfix
      on 0.3.2.1-alpha.

  o Minor bugfixes (portability):
    - Fix compilation of the unit tests on GNU/Hurd, which does not
      define PATH_MAX. Fixes bug 26873; bugfix on 0.3.3.1-alpha. Patch
      from "paulusASol".

  o Minor bugfixes (rust):
    - Backport test_rust.sh from master. Fixes bug 26497; bugfix
      on 0.3.1.5-alpha.
    - Consistently use ../../.. as a fallback for $abs_top_srcdir in
      test_rust.sh. Fixes bug 27093; bugfix on 0.3.4.3-alpha.
    - Protover parsing was accepting the presence of whitespace in
      version strings, which the C implementation would choke on, e.g.
      "Desc=1\t,2". Fixes bug 27177; bugfix on 0.3.3.5-rc.
    - Protover parsing was ignoring a 2nd hyphen and everything after
      it, accepting entries like "Link=1-5-foo". Fixes bug 27164; bugfix
      on 0.3.3.1-alpha.
    - Stop setting $CARGO_HOME. cargo will use the user's $CARGO_HOME, or
      $HOME/.cargo by default. Fixes bug 26497; bugfix on 0.3.1.5-alpha.
    - cd to ${abs_top_builddir}/src/rust before running cargo in
      src/test/test_rust.sh. This makes the working directory consistent
      between builds and tests. Fixes bug 26497; bugfix on 0.3.3.2-alpha.

  o Minor bugfixes (testing, bootstrap):
    - When calculating bootstrap progress, check exit policies and the
      exit flag. Previously, Tor would only check the exit flag, which
      caused race conditions in small and fast networks like chutney.
      Fixes bug 27236; bugfix on 0.2.6.3-alpha.

  o Minor bugfixes (testing, openssl compatibility):
    - Our "tortls/cert_matches_key" unit test no longer relies on
      OpenSSL internals. Previously, it relied on unsupported OpenSSL
      behavior in a way that caused it to crash with OpenSSL 1.0.2p.
      Fixes bug 27226; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (Windows, compilation):
    - Silence a compilation warning on MSVC 2017 and clang-cl. Fixes bug
      27185; bugfix on 0.2.2.2-alpha.


1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
Changes in version 0.3.4.6-rc - 2018-08-06
  Tor 0.3.4.6-rc fixes several small compilation, portability, and
  correctness issues in previous versions of Tor. This version is a
  release candidate: if no serious bugs are found, we expect that the
  stable 0.3.4 release will be (almost) the same as this release.

  o Major bugfixes (event scheduler):
    - When we enable a periodic event, schedule it in the event loop
      rather than running it immediately. Previously, we would re-run
      periodic events immediately in the middle of (for example)
      changing our options, with unpredictable effects. Fixes bug 27003;
      bugfix on 0.3.4.1-alpha.

  o Minor features (compilation):
    - When building Tor, prefer to use Python 3 over Python 2, and more
      recent (contemplated) versions over older ones. Closes
      ticket 26372.
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
    - When compiling with --enable-openbsd-malloc or --enable-tcmalloc,
      tell the compiler not to include the system malloc implementation.
      Fixes bug 20424; bugfix on 0.2.0.20-rc.
    - Don't try to use a pragma to temporarily disable the
      -Wunused-const-variable warning if the compiler doesn't support
      it. Fixes bug 26785; bugfix on 0.3.2.11.

  o Minor bugfixes (continuous integration):
    - Skip a pair of unreliable key generation tests on Windows, until
      the underlying issue in bug 26076 is resolved. Fixes bug 26830 and
      bug 26853; bugfix on 0.2.7.3-rc and 0.3.2.1-alpha respectively.

  o Minor features (controller):
    - The control port now exposes the list of HTTPTunnelPorts and
      ExtOrPorts via GETINFO net/listeners/httptunnel and
      net/listeners/extor respectively. Closes ticket 26647.

  o Minor bugfixes (directory authority):
    - When voting for recommended versions, make sure that all of the
      versions are well-formed and parsable. Fixes bug 26485; bugfix
      on 0.1.1.6-alpha.
1231
1232
1233
1234
1235
1236
1237
1238
1239

  o Minor features (geoip):
    - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
      Country database. Closes ticket 26674.

  o Minor features (Rust, portability):
    - Rust cross-compilation is now supported. Closes ticket 25895.

  o Minor bugfixes (compilation):
1240
1241
    - Update build system so that tor builds again with --disable-unittests
      after recent refactoring. Fixes bug 26789; bugfix on 0.3.4.3-alpha.
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
    - Fix a compilation warning on some versions of GCC when building
      code that calls routerinfo_get_my_routerinfo() twice, assuming
      that the second call will succeed if the first one did. Fixes bug
      26269; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (controller):
    - Report the port correctly when a port is configured to bind to
      "auto". Fixes bug 26568; bugfix on 0.3.4.1-alpha.
    - Parse the "HSADDRESS=" parameter in HSPOST commands properly.
      Previously, it was misparsed and ignored. Fixes bug 26523; bugfix
      on 0.3.3.1-alpha. Patch by "akwizgran".

  o Minor bugfixes (correctness, flow control):
    - Upon receiving a stream-level SENDME cell, verify that our window
      has not grown too large. Fixes bug 26214; bugfix on svn
1257
      r54 (pre-0.0.1).
1258
1259
1260
1261
1262

  o Minor bugfixes (memory, correctness):
    - Fix a number of small memory leaks identified by coverity. Fixes
      bug 26467; bugfix on numerous Tor versions.

1263
1264
1265
1266
1267
  o Minor bugfixes (logging):
    - Improve the log message when connection initiators fail to
      authenticate direct connections to relays. Fixes bug 26927; bugfix
      on 0.3.0.1-alpha.

1268
1269
1270
  o Minor bugfixes (portability):
    - Avoid a compilation error in test_bwmgt.c on Solaris 10. Fixes bug
      26994; bugfix on 0.3.4.1-alpha.
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
    - Work around two different bugs in the OS X 10.10 and later SDKs
      that would prevent us from successfully targeting earlier versions
      of OS X. Fixes bug 26876; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (single onion services, Tor2web):
    - Log a protocol warning when single onion services or Tor2web
      clients fail to authenticate direct connections to relays. Fixes
      bug 26924; bugfix on 0.2.9.1-alpha.

  o Minor bugfixes (testing):
    - Disable core dumps in test_bt.sh, to avoid failures in "make
      distcheck". Fixes bug 26787; bugfix on 0.2.5.2-alpha.
1283
1284
1285
1286
1287
1288
1289
1290

  o Minor bugfixes (testing, compatibility):
    - When running the ntor_ref.py and hs_ntor_ref.py tests, make sure
      only to pass strings (rather than "bytes" objects) to the Python
      subprocess module. Python 3 on Windows seems to require this.
      Fixes bug 26535; bugfix on 0.2.5.5-alpha (for ntor_ref.py) and
      0.3.1.1-alpha (for hs_ntor_ref.py).

1291
1292
1293
1294
1295
1296
  o Minor bugfixes (v3 onion services):
    - Stop sending ed25519 link specifiers in v3 onion service introduce
      cells and descriptors, when the rendezvous or introduction point
      doesn't support ed25519 link authentication. Fixes bug 26627;
      bugfix on 0.3.2.4-alpha.

1297

1298
1299
1300
Changes in version 0.3.4.5-rc - 2018-07-13
  Tor 0.3.4.5-rc moves to a new bridge authority, meaning people running
  bridge relays should upgrade.
1301

1302
1303
1304
1305
  o Directory authority changes:
    - The "Bifroest" bridge authority has been retired; the new bridge
      authority is "Serge", and it is operated by George from the
      TorBSD project. Closes ticket 26771.
1306

1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361

Changes in version 0.3.3.9 - 2018-07-13
  Tor 0.3.3.9 moves to a new bridge authority, meaning people running
  bridge relays should upgrade.

  o Directory authority changes:
    - The "Bifroest" bridge authority has been retired; the new bridge
      authority is "Serge", and it is operated by George from the
      TorBSD project. Closes ticket 26771.


Changes in version 0.3.2.11 - 2018-07-13
  Tor 0.3.2.11 moves to a new bridge authority, meaning people running
  bridge relays should upgrade. We also take this opportunity to backport
  other minor fixes.

  o Directory authority changes:
    - The "Bifroest" bridge authority has been retired; the new bridge
      authority is "Serge", and it is operated by George from the
      TorBSD project. Closes ticket 26771.

  o Directory authority changes (backport from 0.3.3.7):
    - Add an IPv6 address for the "dannenberg" directory authority.
      Closes ticket 26343.

  o Major bugfixes (directory authorities, backport from 0.3.4.1-alpha):
    - When directory authorities read a zero-byte bandwidth file, they
      would previously log a warning with the contents of an
      uninitialised buffer. They now log a warning about the empty file
      instead. Fixes bug 26007; bugfix on 0.2.2.1-alpha.

  o Major bugfixes (onion service, backport from 0.3.4.1-alpha):
    - Correctly detect when onion services get disabled after HUP. Fixes
      bug 25761; bugfix on 0.3.2.1.

  o Minor features (sandbox, backport from 0.3.3.4-alpha):
    - Explicitly permit the poll() system call when the Linux
      seccomp2-based sandbox is enabled: apparently, some versions of
      libc use poll() when calling getpwnam(). Closes ticket 25313.

  o Minor feature (continuous integration, backport from 0.3.3.5-rc):
    - Update the Travis CI configuration to use the stable Rust channel,
      now that we have decided to require that. Closes ticket 25714.

  o Minor features (continuous integration, backport from 0.3.4.1-alpha):
    - Our .travis.yml configuration now includes support for testing the
      results of "make distcheck". (It's not uncommon for "make check"
      to pass but "make distcheck" to fail.) Closes ticket 25814.
    - Our Travis CI configuration now integrates with the Coveralls
      coverage analysis tool. Closes ticket 25818.

  o Minor features (relay, diagnostic, backport from 0.3.4.3-alpha):
    - Add several checks to detect whether Tor relays are uploading
      their descriptors without specifying why they regenerated them.
      Diagnostic for ticket 25686.
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371

  o Minor features (compilation, backport from 0.3.4.4-rc):
    - When building Tor, prefer to use Python 3 over Python 2, and more
      recent (contemplated) versions over older ones. Closes
      ticket 26372.

  o Minor features (geoip):
    - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
      Country database. Closes ticket 26674.

1372
1373
1374
1375
1376
  o Minor bugfixes (correctness, client, backport from 0.3.4.1-alpha):
    - Upon receiving a malformed connected cell, stop processing the
      cell immediately. Previously we would mark the connection for
      close, but continue processing the cell as if the connection were
      open. Fixes bug 26072; bugfix on 0.2.4.7-alpha.
1377

1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
  o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.4.1-alpha):
    - Allow the nanosleep() system call, which glibc uses to implement
      sleep() and usleep(). Fixes bug 24969; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc):
    - When running the hs_ntor_ref.py test, make sure only to pass
      strings (rather than "bytes" objects) to the Python subprocess
      module. Python 3 on Windows seems to require this. Fixes bug
      26535; bugfix on 0.3.1.1-alpha.
    - When running the ntor_ref.py test, make sure only to pass strings
      (rather than "bytes" objects) to the Python subprocess module.
      Python 3 on Windows seems to require this. Fixes bug 26535; bugfix
      on 0.2.5.5-alpha.

  o Minor bugfixes (compatibility, openssl, backport from 0.3.4.2-alpha):
    - Work around a change in OpenSSL 1.1.1 where return values that
      would previously indicate "no password" now indicate an empty
      password. Without this workaround, Tor instances running with
      OpenSSL 1.1.1 would accept descriptors that other Tor instances
      would reject. Fixes bug 26116; bugfix on 0.2.5.16.

  o Minor bugfixes (documentation, backport from 0.3.3.5-rc):
    - Document that the PerConnBW{Rate,Burst} options will fall back to
      their corresponding consensus parameters only if those parameters
      are set. Previously we had claimed that these values would always
      be set in the consensus. Fixes bug 25296; bugfix on 0.2.2.7-alpha.
1404
1405
1406
1407
1408
1409
1410

  o Minor bugfixes (compilation, backport from 0.3.4.4-rc):
    - Fix a compilation warning on some versions of GCC when building
      code that calls routerinfo_get_my_routerinfo() twice, assuming
      that the second call will succeed if the first one did. Fixes bug
      26269; bugfix on 0.2.8.2-alpha.

1411
1412
1413
1414
  o Minor bugfixes (client, backport from 0.3.4.1-alpha):
    - Don't consider Tor running as a client if the ControlPort is open,
      but no actual client ports are open. Fixes bug 26062; bugfix
      on 0.2.9.4-alpha.
1415

1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
  o Minor bugfixes (hardening, backport from 0.3.4.2-alpha):
    - Prevent a possible out-of-bounds smartlist read in
      protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (C correctness, backport from 0.3.3.4-alpha):
    - Fix a very unlikely (impossible, we believe) null pointer
      dereference. Fixes bug 25629; bugfix on 0.2.9.15. Found by
      Coverity; this is CID 1430932.

  o Minor bugfixes (onion service, backport from 0.3.4.1-alpha):
    - Fix a memory leak when a v3 onion service is configured and gets a
      SIGHUP signal. Fixes bug 25901; bugfix on 0.3.2.1-alpha.
    - When parsing the descriptor signature, look for the token plus an
      extra white-space at the end. This is more correct but also will
      allow us to support new fields that might start with "signature".
      Fixes bug 26069; bugfix on 0.3.0.1-alpha.
1432
1433
1434
1435
1436
1437
1438

  o Minor bugfixes (relay, backport from 0.3.4.3-alpha):
    - Relays now correctly block attempts to re-extend to the previous
      relay by Ed25519 identity. Previously they would warn in this
      case, but not actually reject the attempt. Fixes bug 26158; bugfix
      on 0.3.0.1-alpha.

1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
  o Minor bugfixes (relay, crash, backport from 0.3.4.1-alpha):
    - Avoid a crash when running with DirPort set but ORPort turned off.
      Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.4.2-alpha):
    - Silence unused-const-variable warnings in zstd.h with some GCC
      versions. Fixes bug 26272; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (testing, backport from 0.3.3.4-alpha):
    - Avoid intermittent test failures due to a test that had relied on
      onion service introduction point creation finishing within 5
      seconds of real clock time. Fixes bug 25450; bugfix
      on 0.3.1.3-alpha.

  o Minor bugfixes (compilation, backport from 0.3.3.4-alpha):
    - Fix a C99 compliance issue in our configuration script that caused
      compilation issues when compiling Tor with certain versions of
      xtools. Fixes bug 25474; bugfix on 0.3.2.5-alpha.

  o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc):
    - Fix a number of small memory leaks identified by coverity. Fixes
      bug 26467; bugfix on numerous Tor versions.

  o Code simplification and refactoring (backport from 0.3.3.5-rc):
    - Move the list of default directory authorities to its own file.
      Closes ticket 24854. Patch by "beastr0".


Changes in version 0.2.9.16 - 2018-07-13
  Tor 0.2.9.16 moves to a new bridge authority, meaning people running
  bridge relays should upgrade. We also take this opportunity to backport
  other minor fixes.

  o Directory authority changes:
    - The "Bifroest" bridge authority has been retired; the new bridge
      authority is "Serge", and it is operated by George from the
      TorBSD project. Closes ticket 26771.

  o Directory authority changes (backport from 0.3.3.7):
    - Add an IPv6 address for the "dannenberg" directory authority.
      Closes ticket 26343.

  o Major bugfixes (directory authorities, backport from 0.3.4.1-alpha):
    - When directory authorities read a zero-byte bandwidth file, they
      would previously log a warning with the contents of an
      uninitialised buffer. They now log a warning about the empty file
      instead. Fixes bug 26007; bugfix on 0.2.2.1-alpha.

  o Minor features (sandbox, backport from 0.3.3.4-alpha):
    - Explicitly permit the poll() system call when the Linux
      seccomp2-based sandbox is enabled: apparently, some versions of
      libc use poll() when calling getpwnam(). Closes ticket 25313.

  o Minor features (continuous integration, backport from 0.3.4.1-alpha):
    - Our .travis.yml configuration now includes support for testing the
      results of "make distcheck". (It's not uncommon for "make check"
      to pass but "make distcheck" to fail.) Closes ticket 25814.
    - Our Travis CI configuration now integrates with the Coveralls
      coverage analysis tool. Closes ticket 25818.

  o Minor features (compilation, backport from 0.3.4.4-rc):
    - When building Tor, prefer to use Python 3 over Python 2, and more
      recent (contemplated) versions over older ones. Closes
      ticket 26372.

  o Minor features (geoip):
    - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
      Country database. Closes ticket 26674.

  o Minor bugfixes (correctness, client, backport from 0.3.4.1-alpha):
    - Upon receiving a malformed connected cell, stop processing the
      cell immediately. Previously we would mark the connection for
      close, but continue processing the cell as if the connection were
      open. Fixes bug 26072; bugfix on 0.2.4.7-alpha.

  o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.4.1-alpha):
    - Allow the nanosleep() system call, which glibc uses to implement
      sleep() and usleep(). Fixes bug 24969; bugfix on 0.2.5.1-alpha.
1517
1518
1519
1520
1521
1522
1523

  o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc):
    - When running the ntor_ref.py test, make sure only to pass strings
      (rather than "bytes" objects) to the Python subprocess module.
      Python 3 on Windows seems to require this. Fixes bug 26535; bugfix
      on 0.2.5.5-alpha.

1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
  o Minor bugfixes (compatibility, openssl, backport from 0.3.4.2-alpha):
    - Work around a change in OpenSSL 1.1.1 where return values that
      would previously indicate "no password" now indicate an empty
      password. Without this workaround, Tor instances running with
      OpenSSL 1.1.1 would accept descriptors that other Tor instances
      would reject. Fixes bug 26116; bugfix on 0.2.5.16.

  o Minor bugfixes (compilation, backport from 0.3.4.4-rc):
    - Fix a compilation warning on some versions of GCC when building
      code that calls routerinfo_get_my_routerinfo() twice, assuming
      that the second call will succeed if the first one did. Fixes bug
      26269; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (client, backport from 0.3.4.1-alpha):
    - Don't consider Tor running as a client if the ControlPort is open,
      but no actual client ports are open. Fixes bug 26062; bugfix
      on 0.2.9.4-alpha.

  o Minor bugfixes (hardening, backport from 0.3.4.2-alpha):
    - Prevent a possible out-of-bounds smartlist read in
      protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (C correctness, backport from 0.3.3.4-alpha):
    - Fix a very unlikely (impossible, we believe) null pointer
      dereference. Fixes bug 25629; bugfix on 0.2.9.15. Found by
      Coverity; this is CID 1430932.

  o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc):
    - Fix a number of small memory leaks identified by coverity. Fixes
      bug 26467; bugfix on numerous Tor versions.

  o Code simplification and refactoring (backport from 0.3.3.5-rc):
    - Move the list of default directory authorities to its own file.
      Closes ticket 24854. Patch by "beastr0".

1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610

Changes in version 0.3.4.4-rc - 2018-07-09
  Tor 0.3.4.4-rc fixes several small compilation, portability, and
  correctness issues in previous versions of Tor. This version is a
  release candidate: if no serious bugs are found, we expect that the
  stable 0.3.4 release will be (almost) the same as this release.

  o Minor features (compilation):
    - When building Tor, prefer to use Python 3 over Python 2, and more
      recent (contemplated) versions over older ones. Closes
      ticket 26372.

  o Minor features (geoip):
    - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
      Country database. Closes ticket 26674.

  o Minor features (Rust, portability):
    - Rust cross-compilation is now supported. Closes ticket 25895.

  o Minor bugfixes (compilation):
    - Fix a compilation warning on some versions of GCC when building
      code that calls routerinfo_get_my_routerinfo() twice, assuming
      that the second call will succeed if the first one did. Fixes bug
      26269; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (control port):
    - Report the port correctly when a port is configured to bind to
      "auto". Fixes bug 26568; bugfix on 0.3.4.1-alpha.
    - Handle the HSADDRESS= argument to the HSPOST command properly.
      (Previously, this argument was misparsed and thus ignored.) Fixes
      bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran".

  o Minor bugfixes (correctness, flow control):
    - Upon receiving a stream-level SENDME cell, verify that our window
      has not grown too large. Fixes bug 26214; bugfix on svn
      r54 (pre-0.0.1).

  o Minor bugfixes (memory, correctness):
    - Fix a number of small memory leaks identified by coverity. Fixes
      bug 26467; bugfix on numerous Tor versions.

  o Minor bugfixes (testing, compatibility):
    - When running the hs_ntor_ref.py test, make sure only to pass
      strings (rather than "bytes" objects) to the Python subprocess
      module. Python 3 on Windows seems to require this. Fixes bug
      26535; bugfix on 0.3.1.1-alpha.
    - When running the ntor_ref.py test, make sure only to pass strings
      (rather than "bytes" objects) to the Python subprocess module.
      Python 3 on Windows seems to require this. Fixes bug 26535; bugfix
      on 0.2.5.5-alpha.


1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
Changes in version 0.3.3.8 - 2018-07-09
  Tor 0.3.3.8 backports several changes from the 0.3.4.x series, including
  fixes for a memory leak affecting directory authorities.

  o Major bugfixes (directory authority, backport from 0.3.4.3-alpha):
    - Stop leaking memory on directory authorities when planning to
      vote. This bug was crashing authorities by exhausting their
      memory. Fixes bug 26435; bugfix on 0.3.3.6.

  o Major bugfixes (rust, testing, backport from 0.3.4.3-alpha):
    - Make sure that failing tests in Rust will actually cause the build
      to fail: previously, they were ignored. Fixes bug 26258; bugfix
      on 0.3.3.4-alpha.

  o Minor features (compilation, backport from 0.3.4.4-rc):
    - When building Tor, prefer to use Python 3 over Python 2, and more
      recent (contemplated) versions over older ones. Closes
      ticket 26372.

  o Minor features (geoip):
    - Update geoip and geoip6 to the July 3 2018 Maxmind GeoLite2
      Country database. Closes ticket 26674.

  o Minor features (relay, diagnostic, backport from 0.3.4.3-alpha):
    - Add several checks to detect whether Tor relays are uploading
      their descriptors without specifying why they regenerated them.
      Diagnostic for ticket 25686.

  o Minor bugfixes (circuit path selection, backport from 0.3.4.1-alpha):
    - Don't count path selection failures as circuit build failures.
      This change should eliminate cases where Tor blames its guard or
      the network for situations like insufficient microdescriptors
      and/or overly restrictive torrc settings. Fixes bug 25705; bugfix
      on 0.3.3.1-alpha.

  o Minor bugfixes (compilation, backport from 0.3.4.4-rc):
    - Fix a compilation warning on some versions of GCC when building
      code that calls routerinfo_get_my_routerinfo() twice, assuming
      that the second call will succeed if the first one did. Fixes bug
      26269; bugfix on 0.2.8.2-alpha.

  o Minor bugfixes (control port, backport from 0.3.4.4-rc):
    - Handle the HSADDRESS= argument to the HSPOST command properly.
      (Previously, this argument was misparsed and thus ignored.) Fixes
      bug 26523; bugfix on 0.3.3.1-alpha. Patch by "akwizgran".

  o Minor bugfixes (memory, correctness, backport from 0.3.4.4-rc):
    - Fix a number of small memory leaks identified by coverity. Fixes
      bug 26467; bugfix on numerous Tor versions.

  o Minor bugfixes (relay, backport from 0.3.4.3-alpha):
    - Relays now correctly block attempts to re-extend to the previous
      relay by Ed25519 identity. Previously they would warn in this
      case, but not actually reject the attempt. Fixes bug 26158; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (restart-in-process, backport from 0.3.4.1-alpha):
    - When shutting down, Tor now clears all the flags in the control.c
      module. This should prevent a bug where authentication cookies are
      not generated on restart. Fixes bug 25512; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (testing, compatibility, backport from 0.3.4.4-rc):
    - When running the hs_ntor_ref.py test, make sure only to pass
      strings (rather than "bytes" objects) to the Python subprocess
      module. Python 3 on Windows seems to require this. Fixes bug
      26535; bugfix on 0.3.1.1-alpha.
    - When running the ntor_ref.py test, make sure only to pass strings
      (rather than "bytes" objects) to the Python subprocess module.
      Python 3 on Windows seems to require this. Fixes bug 26535; bugfix
      on 0.2.5.5-alpha.


1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
Changes in version 0.3.4.3-alpha - 2018-06-26
  Tor 0.3.4.3-alpha fixes several bugs in earlier versions, including
  one that was causing stability issues on directory authorities.

  o Major bugfixes (directory authority):
    - Stop leaking memory on directory authorities when planning to
      vote. This bug was crashing authorities by exhausting their
      memory. Fixes bug 26435; bugfix on 0.3.3.6.

  o Major bugfixes (rust, testing):
    - Make sure that failing tests in Rust will actually cause the build
      to fail: previously, they were ignored. Fixes bug 26258; bugfix
      on 0.3.3.4-alpha.

  o Minor feature (directory authorities):
    - Stop warning about incomplete bw lines before the first complete
      bw line has been found, so that additional header lines can be
      ignored. Fixes bug 25960; bugfix on 0.2.2.1-alpha

  o Minor features (relay, diagnostic):
    - Add several checks to detect whether Tor relays are uploading
      their descriptors without specifying why they regenerated them.
      Diagnostic for ticket 25686.

  o Minor features (unit tests):
    - Test complete bandwidth measurements files, and test that
      incomplete bandwidth lines only give warnings when the end of the
      header has not been detected. Fixes bug 25947; bugfix
      on 0.2.2.1-alpha

  o Minor bugfixes (compilation):
    - Refrain from compiling unit testing related object files when
      --disable-unittests is set to configure script. Fixes bug 24891;
      bugfix on 0.2.5.1-alpha.
    - When linking the libtor_testing.a library, only include the
      dirauth object files once. Previously, they were getting added
      twice. Fixes bug 26402; bugfix on 0.3.4.1-alpha.
    - The --enable-fatal-warnings flag now affects Rust code as well.
      Closes ticket 26245.

  o Minor bugfixes (onion services):
    - Recompute some consensus information after detecting a clock jump,
      or after transitioning from a non-live consensus to a live
      consensus. We do this to avoid having an outdated state, and
      miscalculating the index for next-generation onion services. Fixes
      bug 24977; bugfix on 0.3.2.1-alpha.

  o Minor bugfixes (relay):
    - Relays now correctly block attempts to re-extend to the previous
      relay by Ed25519 identity. Previously they would warn in this
      case, but not actually reject the attempt. Fixes bug 26158; bugfix
      on 0.3.0.1-alpha.

  o Minor bugfixes (testing):
    - Fix compilation of the doctests in the Rust crypto crate. Fixes
      bug 26415; bugfix on 0.3.4.1-alpha.
    - Instead of trying to read the geoip configuration files from
      within the unit tests, instead create our own ersatz files with
      just enough geoip data in the format we expect. Trying to read
      from the source directory created problems on Windows with mingw,
      where the build system's paths are not the same as the platform's
      paths. Fixes bug 25787; bugfix on 0.3.4.1-alpha.
    - Refrain from trying to get an item from an empty smartlist in
      test_bridges_clear_bridge_list. Set DEBUG_SMARTLIST in unit tests
      to catch improper smartlist usage. Furthermore, enable
      DEBUG_SMARTLIST globally when build is configured with fragile
      hardening. Fixes bug 26196; bugfix on 0.3.4.1-alpha.


1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
Changes in version 0.3.3.7 - 2018-06-12
  Tor 0.3.3.7 backports several changes from the 0.3.4.x series, including
  fixes for bugs affecting compatibility and stability.

  o Directory authority changes:
    - Add an IPv6 address for the "dannenberg" directory authority.
      Closes ticket 26343.

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 26351.

  o Minor bugfixes (compatibility, openssl, backport from 0.3.4.2-alpha):
    - Work around a change in OpenSSL 1.1.1 where return values that
      would previously indicate "no password" now indicate an empty
      password. Without this workaround, Tor instances running with
      OpenSSL 1.1.1 would accept descriptors that other Tor instances
      would reject. Fixes bug 26116; bugfix on 0.2.5.16.

  o Minor bugfixes (compilation, backport from 0.3.4.2-alpha):
    - Silence unused-const-variable warnings in zstd.h with some GCC
      versions. Fixes bug 26272; bugfix on 0.3.1.1-alpha.

  o Minor bugfixes (controller, backport from 0.3.4.2-alpha):
    - Improve accuracy of the BUILDTIMEOUT_SET control port event's
      TIMEOUT_RATE and CLOSE_RATE fields. (We were previously
      miscounting the total number of circuits for these field values.)
      Fixes bug 26121; bugfix on 0.3.3.1-alpha.

  o Minor bugfixes (hardening, backport from 0.3.4.2-alpha):
    - Prevent a possible out-of-bounds smartlist read in
      protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha.

  o Minor bugfixes (path selection, backport from 0.3.4.1-alpha):
    - Only select relays when they have the descriptors we prefer to use
      for them. This change fixes a bug where we could select a relay
      because it had _some_ descriptor, but reject it later with a
      nonfatal assertion error because it didn't have the exact one we
      wanted. Fixes bugs 25691 and 25692; bugfix on 0.3.3.4-alpha.


1793
Changes in version 0.3.4.2-alpha - 2018-06-12
Nick Mathewson's avatar
Nick Mathewson committed
1794
1795
  Tor 0.3.4.2-alpha fixes several minor bugs in the previous alpha
  release, and forward-ports an authority-only security fix from 0.3.3.6.
1796

Nick Mathewson's avatar
Nick Mathewson committed
1797
1798
1799
1800
  o Directory authority changes:
    - Add an IPv6 address for the "dannenberg" directory authority.
      Closes ticket 26343.

1801
  o Major bugfixes (security, directory authority, denial-of-service, also in 0.3.3.6):
Nick Mathewson's avatar
Nick Mathewson committed
1802
1803
1804
1805
    - Fix a bug that could have allowed an attacker to force a directory
      authority to use up all its RAM by passing it a maliciously
      crafted protocol versions string. Fixes bug 25517; bugfix on
      0.2.9.4-alpha. This issue is also tracked as TROVE-2018-005.
1806
1807
1808

  o Minor features (continuous integration):
    - Add the necessary configuration files for continuous integration
Nick Mathewson's avatar
Nick Mathewson committed
1809
1810
      testing on Windows, via the Appveyor platform. Closes ticket
      25549. Patches from Marcin Cieślak and Isis Lovecruft.
Nick Mathewson's avatar
Nick Mathewson committed
1811
1812
1813
1814
1815

  o Minor features (geoip):
    - Update geoip and geoip6 to the June 7 2018 Maxmind GeoLite2
      Country database. Closes ticket 26351.

Nick Mathewson's avatar
Nick Mathewson committed
1816
1817
1818
1819
1820
1821
  o Minor bugfixes (compatibility, openssl):
    - Work around a change in OpenSSL 1.1.1 where return values that
      would previously indicate "no password" now indicate an empty
      password. Without this workaround, Tor instances running with
      OpenSSL 1.1.1 would accept descriptors that other Tor instances
      would reject. Fixes bug 26116; bugfix on 0.2.5.16.
Nick Mathewson's avatar
Nick Mathewson committed
1822

1823
  o Minor bugfixes (compilation):
Nick Mathewson's avatar
Nick Mathewson committed
1824
    - Silence unused-const-variable warnings in zstd.h with some GCC
Nick Mathewson's avatar
Nick Mathewson committed
1825
      versions. Fixes bug 26272; bugfix on 0.3.1.1-alpha.
Nick Mathewson's avatar
Nick Mathewson committed
1826
1827
1828
1829
1830
    - Fix compilation when using OpenSSL 1.1.0 with the "no-deprecated"
      flag enabled. Fixes bug 26156; bugfix on 0.3.4.1-alpha.
    - Avoid a compiler warning when casting the return value of
      smartlist_len() to double with DEBUG_SMARTLIST enabled. Fixes bug
      26283; bugfix on 0.2.4.10-alpha.
1831
1832

  o Minor bugfixes (control port):
Nick Mathewson's avatar
Nick Mathewson committed
1833
1834
1835
1836
    - Do not count 0-length RELAY_COMMAND_DATA cells as valid data in
      CIRC_BW events. Previously, such cells were counted entirely in
      the OVERHEAD field. Now they are not. Fixes bug 26259; bugfix
      on 0.3.4.1-alpha.
1837
1838
1839

  o Minor bugfixes (controller):
    - Improve accuracy of the BUILDTIMEOUT_SET control port event's
Nick Mathewson's avatar
Nick Mathewson committed
1840
1841
1842
      TIMEOUT_RATE and CLOSE_RATE fields. (We were previously
      miscounting the total number of circuits for these field values.)
      Fixes bug 26121; bugfix on 0.3.3.1-alpha.
1843
1844
1845

  o Minor bugfixes (hardening):
    - Prevent a possible out-of-bounds smartlist read in
Nick Mathewson's avatar
Nick Mathewson committed
1846
      protover_compute_vote(). Fixes bug 26196; bugfix on 0.2.9.4-alpha.
1847
1848

  o Minor bugfixes (onion services):
Nick Mathewson's avatar
Nick Mathewson committed
1849
1850
    - Fix a bug that blocked the creation of ephemeral v3 onion
      services. Fixes bug 25939; bugfix on 0.3.4.1-alpha.
1851
1852
1853
1854

  o Minor bugfixes (test coverage tools):
    - Update our "cov-diff" script to handle output from the latest
      version of gcov, and to remove extraneous timestamp information
Nick Mathewson's avatar
Nick Mathewson committed
1855
1856
      from its output. Fixes bugs 26101 and 26102; bugfix
      on 0.2.5.1-alpha.
1857
1858


1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
Changes in version 0.3.3.6 - 2018-05-22
  Tor 0.3.3.6 is the first stable release in the 0.3.3 series. It
  backports several important fixes from the 0.3.4.1-alpha.

  The Tor 0.3.3 series includes controller support and other
  improvements for v3 onion services, official support for embedding Tor
  within other applications, and our first non-trivial module written in
  the Rust programming language. (Rust is still not enabled by default
  when building Tor.) And as usual, there are numerous other smaller
  bugfixes, features, and improvements.

  Below are the changes since 0.3.3.5-rc. For a list of all changes
  since 0.3.2.10, see the ReleaseNotes file.

  o Major bugfixes (directory authorities, security, backport from 0.3.4.1-alpha):
    - When directory authorities read a zero-byte bandwidth file, they
      would previously log a warning with the contents of an
      uninitialised buffer. They now log a warning about the empty file
      instead. Fixes bug 26007; bugfix on 0.2.2.1-alpha.

  o Major bugfixes (security, directory authority, denial-of-service):
    - Fix a bug that could have allowed an attacker to force a directory
      authority to use up all its RAM by passing it a maliciously
      crafted protocol versions string. Fixes bug 25517; bugfix on
      0.2.9.4-alpha. This issue is also tracked as TROVE-2018-005.

  o Major bugfixes (crash, backport from 0.3.4.1-alpha):
    - Avoid a rare assertion failure in the circuit build timeout code
      if we fail to allow any circuits to actually complete. Fixes bug
      25733; bugfix on 0.2.2.2-alpha.

  o Major bugfixes (directory authorities, backport from 0.3.4.1-alpha):
    - Avoid a crash when testing router reachability on a router that
      could have an ed25519 ID, but which does not. Fixes bug 25415;
      bugfix on 0.3.3.2-alpha.

  o Major bugfixes (onion service, backport from 0.3.4.1-alpha):
    - Correctly detect when onion services get disabled after HUP. Fixes
      bug 25761; bugfix on 0.3.2.1.

  o Major bugfixes (relay, denial of service, backport from 0.3.4.1-alpha):
    - Impose a limit on circuit cell queue size. The limit can be
      controlled by a consensus parameter. Fixes bug 25226; bugfix
      on 0.2.4.14-alpha.

  o Minor features (compatibility, backport from 0.3.4.1-alpha):
    - Avoid some compilation warnings with recent versions of LibreSSL.
      Closes ticket 26006.

  o Minor features (continuous integration, backport from 0.3.4.1-alpha):
    - Our .travis.yml configuration now includes support for testing the
      results of "make distcheck". (It's not uncommon for "make check"
      to pass but "make distcheck" to fail.) Closes ticket 25814.
    - Our Travis CI configuration now integrates with the Coveralls
      coverage analysis tool. Closes ticket 25818.

  o Minor features (geoip):
    - Update geoip and geoip6 to the May 1 2018 Maxmind GeoLite2 Country
      database. Closes ticket 26104.

  o Minor bugfixes (client, backport from 0.3.4.1-alpha):
    - Don't consider Tor running as a client if the ControlPort is open,
      but no actual client ports are open. Fixes bug 26062; bugfix
      on 0.2.9.4-alpha.

  o Minor bugfixes (correctness, client, backport from 0.3.4.1-alpha):
    - Upon receiving a malformed connected cell, stop processing the
      cell immediately. Previously we would mark the connection for
      close, but continue processing the cell as if the connection were
      open. Fixes bug 26072; bugfix on 0.2.4.7-alpha.

  o Minor bugfixes (documentation, backport from 0.3.4.1-alpha):
    - Stop saying in the manual that clients cache ipv4 dns answers from
      exit relays. We haven't used them since 0.2.6.3-alpha, and in
      ticket 24050 we stopped even caching them as of 0.3.2.6-alpha, but
      we forgot to say so in the man page. Fixes bug 26052; bugfix
      on 0.3.2.6-alpha.

  o Minor bugfixes (Linux seccomp2 sandbox, backport from 0.3.4.1-alpha):
    - Allow the nanosleep() system call, which glibc uses to implement
      sleep() and usleep(). Fixes bug 24969; bugfix on 0.2.5.1-alpha.

  o Minor bugfixes (onion service, backport from 0.3.4.1-alpha):
    - Fix a memory leak when a v3 onion service is configured and gets a
      SIGHUP signal. Fixes bug 25901; bugfix on 0.3.2.1-alpha.
    - When parsing the descriptor signature, look for the token plus an
      extra white-space at the end. This is more correct but also will
      allow us to support new fields that might start with "signature".
      Fixes bug 26069; bugfix on 0.3.0.1-alpha.

  o Minor bugfixes (relay, crash, backport from 0.3.4.1-alpha):
1950
    - Avoid a crash when running with DirPort set but ORPort turned off.
1951
1952
1953
1954
1955
1956
1957
      Fixes a case of bug 23693; bugfix on 0.3.1.1-alpha.

  o Documentation (backport from 0.3.4.1-alpha):
    - Correct an IPv6 error in the documentation for ExitPolicy. Closes
      ticket 25857. Patch from "CTassisF".


Nick Mathewson's avatar
Nick Mathewson committed
1958
Changes in version 0.3.4.1-alpha - 2018-05-17
Nick Mathewson's avatar
Nick Mathewson committed
1959
1960
1961
1962
1963
  Tor 0.3.4.1-alpha is the first release in the 0.3.4.x series. It
  includes refactoring to begin reducing Tor's binary size and idle CPU
  usage on mobile, along with prep work for new bandwidth scanners,
  improvements to the experimental "vanguards" feature, and numerous
  other small features and bugfixes.
1964

Nick Mathewson's avatar
Nick Mathewson committed
1965
  o New system requirements:
Nick Mathewson's avatar
Nick Mathewson committed
1966
1967
1968
1969
    - Tor no longer tries to support old operating systems without
      mmap() or some local equivalent. Apparently, compilation on such
      systems has been broken for some time, without anybody noticing or
      complaining. Closes ticket 25398.
1970
1971

  o Major feature (directory authority, modularization):
Nick Mathewson's avatar
Nick Mathewson committed
1972
    - The directory authority subsystem has been modularized. The code
Nick Mathewson's avatar
Nick Mathewson committed
1973
      is now located in src/or/dirauth/, and is compiled in by default.
Nick Mathewson's avatar
Nick Mathewson committed
1974
      To disable the module, the configure option
Nick Mathewson's avatar
Nick Mathewson committed
1975
1976
1977
1978
      --disable-module-dirauth has been added. This module may be
      disabled by default in some future release. Closes ticket 25610.

  o Major features (main loop, CPU usage):
1979
    - When Tor is disabled (via DisableNetwork or via hibernation), it
Nick Mathewson's avatar
Nick Mathewson committed
1980
      no longer needs to run any per-second events. This change should
1981
      make it easier for mobile applications to disable Tor while the
Nick Mathewson's avatar
Nick Mathewson committed
1982
      device is sleeping, or Tor is not running. Closes ticket 26063.
Nick Mathewson's avatar
Nick Mathewson committed
1983
1984
1985
1986
1987
1988
1989
    - Tor no longer enables all of its periodic events by default.
      Previously, Tor would enable all possible main loop events,
      regardless of whether it needed them. Furthermore, many of these
      events are now disabled with Tor is hibernating or DisableNetwork
      is set. This is a big step towards reducing client CPU usage by
      reducing the amount of wake-ups the daemon does. Closes ticket
      25376 and 25762.
1990
    - The bandwidth-limitation logic has been refactored so that
Nick Mathewson's avatar
Nick Mathewson committed
1991
1992
1993
1994
1995
      bandwidth calculations are performed on-demand, rather than every
      TokenBucketRefillInterval milliseconds. This change should improve
      the granularity of our bandwidth calculations, and limit the
      number of times that the Tor process needs to wake up when it is
      idle. Closes ticket 25373.
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
    - Move responsibility for many operations from a once-per-second
      callback to a callback that is only scheduled as needed. Moving
      this functionality has allowed us to disable the callback when
      Tor's network is disabled. Once enough items are removed from our
      once-per-second callback, we can eliminate it entirely to conserve
      CPU when idle. The functionality removed includes: closing
      connections, circuits, and channels (ticket 25932); consensus
      voting (25937); flushing log callbacks (25951); honoring delayed
      SIGNEWNYM requests (25949); rescanning the consensus cache
      (25931); saving the state file to disk (25948); warning relay
      operators about unreachable ports (25952); and keeping track of
      Tor's uptime (26009).
2008
2009

  o Major bugfixes (directory authorities, security):
Nick Mathewson's avatar
Nick Mathewson committed
2010
    - When directory authorities read a zero-byte bandwidth file, they
Nick Mathewson's avatar
Nick Mathewson committed
2011
2012
2013
2014
2015
      would previously log a warning with the contents of an
      uninitialised buffer. They now log a warning about the empty file
      instead. Fixes bug 26007; bugfix on 0.2.2.1-alpha.

  o Major bugfixes (crash):
2016
    - Avoid a rare assertion failure in the circuit build timeout code
Nick Mathewson's avatar
Nick Mathewson committed
2017
2018
      if we fail to allow any circuits to actually complete. Fixes bug
      25733; bugfix on 0.2.2.2-alpha.
2019
2020

  o Major bugfixes (directory authority):
Nick Mathewson's avatar
Nick Mathewson committed
2021
2022
2023
    - Avoid a crash when testing router reachability on a router that
      could have an ed25519 ID, but which does not. Fixes bug 25415;
      bugfix on 0.3.3.2-alpha.
2024
2025

  o Major bugfixes (onion service):
Nick Mathewson's avatar
Nick Mathewson committed
2026
2027
    - Correctly detect when onion services get disabled after HUP. Fixes
      bug 25761; bugfix on 0.3.2.1.
2028
2029

  o Major bugfixes (protover, voting):
Nick Mathewson's avatar
Nick Mathewson committed
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
    - Revise Rust implementation of protover to use a more memory-
      efficient voting algorithm and corresponding data structures, thus
      avoiding a potential (but small impact) DoS attack where specially
      crafted protocol strings would expand to several potential
      megabytes in memory. In the process, several portions of code were
      revised to be methods on new, custom types, rather than functions
      taking interchangeable types, thus increasing type safety of the
      module. Custom error types and handling were added as well, in
      order to facilitate better error dismissal/handling in outside
      crates and avoid mistakenly passing an internal error string to C
      over the FFI boundary. Many tests were added, and some previous
2041
2042
2043
2044
      differences between the C and Rust implementations have been
      remedied. Fixes bug 24031; bugfix on 0.3.3.1-alpha.

  o Major bugfixes (relay, denial of service):
Nick Mathewson's avatar
Nick Mathewson committed
2045
2046
2047
    - Impose a limit on circuit cell queue size. The limit can be
      controlled by a consensus parameter. Fixes bug 25226; bugfix
      on 0.2.4.14-alpha.
2048
2049

  o Minor features (accounting):
Nick Mathewson's avatar
Nick Mathewson committed
2050
2051
2052
2053
    - When Tor becomes dormant, it now uses a scheduled event to wake up
      at the right time. Previously, we would use the per-second timer
      to check whether to wake up, but we no longer have any per-second
      timers enabled when the network is disabled. Closes ticket 26064.
2054
2055

  o Minor features (code quality):
Nick Mathewson's avatar
Nick Mathewson committed
2056
2057
    - Add optional spell-checking for the Tor codebase, using the
      "misspell" program. To use this feature, run "make check-typos".
2058
2059
2060
      Closes ticket 25024.

  o Minor features (compatibility):
Nick Mathewson's avatar
Nick Mathewson committed
2061
2062
    - Tor now detects versions of OpenSSL 1.1.0 and later compiled with
      the no-deprecated option, and builds correctly with them. Closes
2063
      tickets 19429, 19981, and 25353.
Nick Mathewson's avatar
Nick Mathewson committed
2064
2065
    - Avoid some compilation warnings with recent versions of LibreSSL.
      Closes ticket 26006.
2066
2067

  o Minor features (compression, zstd):
Nick Mathewson's avatar
Nick Mathewson committed
2068
2069
2070
2071
    - When running with zstd, Tor now considers using advanced functions
      that the zstd maintainers have labeled as potentially unstable. To
      prevent breakage, Tor will only use this functionality when the
      runtime version of the zstd library matches the version with which
Nick Mathewson's avatar
Nick Mathewson committed
2072
      Tor was compiled. Closes ticket 25162.
2073
2074
2075

  o Minor features (configuration):
    - The "DownloadSchedule" options have been renamed to end with
Nick Mathewson's avatar
Nick Mathewson committed
2076
      "DownloadInitialDelay". The old names are still allowed, but will
2077
      produce a warning. Comma-separated lists are still permitted for
Nick Mathewson's avatar
Nick Mathewson committed
2078
2079
      these options, but all values after the first are ignored (as they
      have been since 0.2.9). Closes ticket 23354.
2080
2081

  o Minor features (continuous integration):
Nick Mathewson's avatar
Nick Mathewson committed
2082
2083
2084
2085
2086
    - Our .travis.yml configuration now includes support for testing the
      results of "make distcheck". (It's not uncommon for "make check"
      to pass but "make distcheck" to fail.) Closes ticket 25814.
    - Our Travis CI configuration now integrates with the Coveralls
      coverage analysis tool. Closes ticket 25818.
2087
2088
2089
2090
2091
2092

  o Minor features (control port):
    - Introduce GETINFO "current-time/{local,utc}" to return the local
      and UTC times respectively in ISO format. This helps a controller
      like Tor Browser detect a time-related error. Closes ticket 25511.
      Patch by Neel Chauhan.
Nick Mathewson's avatar
Nick Mathewson committed
2093
2094
2095
2096
2097
2098
    - Introduce new fields to the CIRC_BW event. There are two new
      fields in each of the read and written directions. The DELIVERED
      fields report the total valid data on the circuit, as measured by
      the payload sizes of verified and error-checked relay command
      cells. The OVERHEAD fields report the total unused bytes in each
      of these cells. Closes ticket 25903.
2099
2100
2101

  o Minor features (directory authority):
    - Directory authorities now open their key-pinning files as O_SYNC,
Nick Mathewson's avatar
Nick Mathewson committed
2102
      to limit their chances of accidentally writing partial lines.
2103
2104
2105
      Closes ticket 23909.

  o Minor features (directory authority, forward compatibility):
Nick Mathewson's avatar
Nick Mathewson committed
2106
2107
2108
    - Make the lines of the measured bandwidth file able to contain
      their entries in any order. Previously, the node_id entry needed
      to come first. Closes ticket 26004.
2109

Nick Mathewson's avatar
Nick Mathewson committed
2110
2111
2112
2113
  o Minor features (entry guards):
    - Introduce a new torrc option NumPrimaryGuards for controlling the
      number of primary guards. Closes ticket 25843.

2114
  o Minor features (geoip):
Nick Mathewson's avatar
Nick Mathewson committed
2115
2116
    - Update geoip and geoip6 to the May 1 2018 Maxmind GeoLite2 Country
      database. Closes ticket 26104.
2117
2118
2119

  o Minor features (performance):
    - Avoid a needless call to malloc() when processing an incoming
Nick Mathewson's avatar
Nick Mathewson committed
2120
2121
2122
2123
      relay cell. Closes ticket 24914.
    - Make our timing-wheel code run a tiny bit faster on 32-bit
      platforms, by preferring 32-bit math to 64-bit. Closes
      ticket 24688.
2124
2125
2126
    - Avoid a needless malloc()/free() pair every time we handle an ntor
      handshake. Closes ticket 25150.

Nick Mathewson's avatar
Nick Mathewson committed
2127
  o Minor features (testing):
2128
    - Add a unit test for voting_schedule_get_start_of_next_interval().
Nick Mathewson's avatar
Nick Mathewson committed
2129
2130
2131
2132
2133
      Closes ticket 26014, and helps make unit test coverage
      more deterministic.
    - A new unittests module specifically for testing the functions in
      the (new-ish) bridges.c module has been created with new
      unittests, raising the code coverage percentages. Closes 25425.
2134
    - We now have improved testing for addressmap_get_virtual_address()
Nick Mathewson's avatar
Nick Mathewson committed
2135
      function. This should improve our test coverage, and make our test
2136
2137
2138
2139
      coverage more deterministic. Closes ticket 25993.

  o Minor features (timekeeping, circuit scheduling):
    - When keeping track of how busy each circuit have been recently on
Nick Mathewson's avatar
Nick Mathewson committed
2140
2141
2142
      a given connection, use coarse-grained monotonic timers rather
      than gettimeofday(). This change should marginally increase
      accuracy and performance. Implements part of ticket 25927.
2143
2144

  o Minor bugfixes (bandwidth management):
Nick Mathewson's avatar
Nick Mathewson committed
2145
2146
    - Consider ourselves "low on write bandwidth" if we have exhausted
      our write bandwidth some time in the last second. This was the
2147
      documented behavior before, but the actual behavior was to change
Nick Mathewson's avatar
Nick Mathewson committed
2148
2149
      this value every TokenBucketRefillInterval. Fixes bug 25828;
      bugfix on 0.2.3.5-alpha.
2150
2151

  o Minor bugfixes (C correctness):
Nick Mathewson's avatar
Nick Mathewson committed
2152
2153
2154
    - Add a missing lock acquisition in the shutdown code of the control
      subsystem. Fixes bug 25675; bugfix on 0.2.7.3-rc. Found by
      Coverity; this is CID 1433643.
2155
2156

  o Minor bugfixes (circuit path selection):
Nick Mathewson's avatar
Nick Mathewson committed
2157
    - Don't count path selection failures as circuit build failures.
Nick Mathewson's avatar
Nick Mathewson committed
2158
2159
2160
      This change should eliminate cases where Tor blames its guard or
      the network for situations like insufficient microdescriptors
      and/or overly restrictive torrc settings. Fixes bug 25705; bugfix
Nick Mathewson's avatar
Nick Mathewson committed
2161
      on 0.3.3.1-alpha.
2162
2163

  o Minor bugfixes (client):
Nick Mathewson's avatar
Nick Mathewson committed
2164
2165
2166
2167
2168
    - Don't consider Tor running as a client if the ControlPort is open,
      but no actual client ports are open. Fixes bug 26062; bugfix
      on 0.2.9.4-alpha.

  o Minor bugfixes (code style):
2169
    - Fixed multiple includes of transports.h in src/or/connection.c
Nick Mathewson's avatar
Nick Mathewson committed
2170
2171
2172
      Fixes bug 25261; bugfix on 0.2.5.1-alpha.
    - Remove the unused variable n_possible from the function
      channel_get_for_extend(). Fixes bug 25645; bugfix on 0.2.4.4-alpha
2173
2174

  o Minor bugfixes (control interface):
Nick Mathewson's avatar
Nick Mathewson committed
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
    - Respond with more human-readable error messages to GETINFO exit-
      policy/* requests. Also, let controller know if an error is
      transient (response code 551) or not (response code 552). Fixes
      bug 25852; bugfix on 0.2.8.1-alpha.

  o Minor bugfixes (controller):
    - Make CIRC_BW event reflect the total of all data sent on a
      circuit, including padding and dropped cells. Also fix a mis-
      counting bug when STREAM_BW events were enabled. Fixes bug 25400;
      bugfix on 0.2.5.2-alpha.
2185

2186
2187
2188
2189
2190
2191
  o Minor bugfixes (correctness, client):
    - Upon receiving a malformed connected cell, stop processing the cell
      immediately.  Previously we would mark the connection for close, but
      continue processing the cell as if the connection were open. Fixes bug
      26072; bugfix on 0.2.4.7-alpha.

2192
  o Minor bugfixes (directory client):
Nick Mathewson's avatar
Nick Mathewson committed
2193
2194
    - When unverified-consensus is verified, rename it to cached-
      consenus. Fixes bug 4187; bugfix on 0.2.0.3-alpha.