ChangeLog
Changes in version 0.2.1.20 - 2009-??-??
  o Major bugfixes:
    - Send circuit or stream sendme cells when our window has decreased
      by 100 cells, not when it has decreased by 101 cells. Bug uncovered
      by Karsten when testing the "reduce circuit window" performance
      patch. Bugfix on the 54th commit on Tor -- from July 2002,
      before the release of Tor 0.0.0. This is the new winner of the
      oldest-bug prize.
    - Fix a remotely triggerable memory leak when a consensus document
      contains more than one signature from the same voter. Bugfix on
      0.2.0.3-alpha.

  o New directory authorities:
    - Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
      authority.

  o Minor bugfixes:
    - Fix a signed/unsigned compile warning in 0.2.1.19.
    - Fix possible segmentation fault on directory authorities. Bugfix on
      0.2.1.14-rc.
    - Fix an extremely rare infinite recursion bug that could occur if
      we tried to log a message after shutting down the log subsystem.
      Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
    - Fix an obscure bug where hidden services on 64-bit big-endian
      systems might mis-read the timestamp in v3 introduce cells, and
      refuse to connect back to the client. Discovered by "rotor".
      Bugfix on 0.2.1.6-alpha.
    - We were triggering a CLOCK_SKEW controller status event whenever
      we connect via the v2 connection protocol to any relay that has
      a wrong clock. Instead, we should only inform the controller when
      it's a trusted authority that claims our clock is wrong. Bugfix
      on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
    - We were telling the controller about CHECKING_REACHABILITY and
      REACHABILITY_FAILED status events whenever we launch a testing
      circuit or notice that one has failed. Instead, only tell the
      controller when we want to inform the user of overall success or
      overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
      by SwissTorExit.
    - Don't warn when we're using a circuit that ends with a node
      excluded in ExcludeExitNodes, but the circuit is not used to access
      the outside world. This should help fix bug 1090. Bugfix on
      0.2.1.6-alpha.
    - Avoid segfault in rare cases when finishing an introduction circuit
      as a client and finding out that we don't have an introduction key
      for it. Fixes bug 1073. Reported by Aaron Swartz.
    - Work around a small memory leak in some versions of OpenSSL that
      stopped the memory used by the hostname TLS extension from being
      freed.

  o Minor features:
    - Add a "getinfo status/accepted-server-descriptor" controller
      command, which is the recommended way for controllers to learn
      whether our server descriptor has been successfully received by at
      least one directory authority. Un-recommend good-server-descriptor
      getinfo and status events until we have a better design for them.


Changes in version 0.2.1.19 - 2009-07-28
  Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
  services on Tor 0.2.1.3-alpha through 0.2.1.18.

  o Major bugfixes:
    - Make accessing hidden services on 0.2.1.x work right again.
      Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
      part of patch provided by "optimist".

  o Minor features:
    - When a relay/bridge is writing out its identity key fingerprint to
      the "fingerprint" file and to its logs, write it without spaces. Now
      it will look like the fingerprints in our bridges documentation,
      and confuse fewer users.

  o Minor bugfixes:
    - Relays no longer publish a new server descriptor if they change
      their MaxAdvertisedBandwidth config option but it doesn't end up
      changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
      fixes bug 1026. Patch from Sebastian.
    - Avoid leaking memory every time we get a create cell but we have
      so many already queued that we refuse it. Bugfix on 0.2.0.19-alpha;
      fixes bug 1034. Reported by BarkerJr.


Changes in version 0.2.1.18 - 2009-07-24
  Tor 0.2.1.18 lays the foundations for performance improvements,
  adds status events to help users diagnose bootstrap problems, adds
  optional authentication/authorization for hidden services, fixes a
  variety of potential anonymity problems, and includes a huge pile of
  other features and bug fixes.

  o Build fixes:
    - Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.


Changes in version 0.2.1.17-rc - 2009-07-07
  Tor 0.2.1.17-rc marks the fourth -- and hopefully last -- release
  candidate for the 0.2.1.x series. It lays the groundwork for further
  client performance improvements, and also fixes a big bug with directory
  authorities that was causing them to assign Guard and Stable flags
  poorly.

  The Windows bundles also finally include the geoip database that we
  thought we'd been shipping since 0.2.0.x (oops), and the OS X bundles
  should actually install Torbutton rather than giving you a cryptic
  failure message (oops).

  o Major features:
    - Clients now use the bandwidth values in the consensus, rather than
      the bandwidth values in each relay descriptor. This approach opens
      the door to more accurate bandwidth estimates once the directory
      authorities start doing active measurements. Implements more of
      proposal 141.

  o Major bugfixes:
    - When Tor clients restart after 1-5 days, they discard all their
      cached descriptors as too old, but they still use the cached
      consensus document. This approach is good for robustness, but
      bad for performance: since they don't know any bandwidths, they
      end up choosing at random rather than weighting their choice by
      speed. Fixed by the above feature of putting bandwidths in the
      consensus. Bugfix on 0.2.0.x.
    - Directory authorities were neglecting to mark relays down in their
      internal histories if the relays fall off the routerlist without
      ever being found unreachable. So there were relays in the histories
      that haven't been seen for eight months, and are listed as being
      up for eight months. This wreaked havoc on the "median wfu"
      and "median mtbf" calculations, in turn making Guard and Stable
      flags very wrong, hurting network performance. Fixes bugs 696 and
      969. Bugfix on 0.2.0.6-alpha.

  o Minor bugfixes:
    - Serve the DirPortFrontPage page even when we have been approaching
      our quotas recently. Fixes bug 1013; bugfix on 0.2.1.8-alpha.
    - The control port would close the connection before flushing long
      replies, such as the network consensus, if a QUIT command was issued
      before the reply had completed. Now, the control port flushes all
      pending replies before closing the connection. Also fixed a spurious
      warning when a QUIT command is issued after a malformed or rejected
      AUTHENTICATE command, but before the connection was closed. Patch
      by Marcus Griep. Bugfix on 0.2.0.x; fixes bugs 1015 and 1016.
    - When we can't find an intro key for a v2 hidden service descriptor,
      fall back to the v0 hidden service descriptor and log a bug message.
      Workaround for bug 1024.
    - Fix a log message that did not respect the SafeLogging option.
      Resolves bug 1027.

  o Minor features:
    - If we're a relay and we change our IP address, be more verbose
      about the reason that made us change. Should help track down
      further bugs for relays on dynamic IP addresses.


Changes in version 0.2.0.35 - 2009-06-24
  o Security fix:
    - Avoid crashing in the presence of certain malformed descriptors.
      Found by lark, and by automated fuzzing.
    - Fix an edge case where a malicious exit relay could convince a
      controller that the client's DNS question resolves to an internal IP
      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.

  o Major bugfixes:
    - Finally fix the bug where dynamic-IP relays disappear when their
      IP address changes: directory mirrors were mistakenly telling
      them their old address if they asked via begin_dir, so they
      never got an accurate answer about their new address, so they
      just vanished after a day. For belt-and-suspenders, relays that
      don't set Address in their config now avoid using begin_dir for
      all direct connections. Should fix bugs 827, 883, and 900.
    - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
      that would occur on some exit nodes when DNS failures and timeouts
      occurred in certain patterns. Fix for bug 957.

  o Minor bugfixes:
    - When starting with a cache over a few days old, do not leak
      memory for the obsolete router descriptors in it. Bugfix on
      0.2.0.33; fixes bug 672.
    - Hidden service clients didn't use a cached service descriptor that
      was older than 15 minutes, but wouldn't fetch a new one either,
      because there was already one in the cache. Now, fetch a v2
      descriptor unless the same descriptor was added to the cache within
      the last 15 minutes. Fixes bug 997; reported by Marcus Griep.


Changes in version 0.2.1.16-rc - 2009-06-20
  Tor 0.2.1.16-rc speeds up performance for fast exit relays, and fixes
  a bunch of minor bugs.

  o Security fixes:
    - Fix an edge case where a malicious exit relay could convince a
      controller that the client's DNS question resolves to an internal IP
      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.

  o Major performance improvements (on 0.2.0.x):
    - Disable and refactor some debugging checks that forced a linear scan
      over the whole server-side DNS cache. These accounted for over 50%
      of CPU time on a relatively busy exit node's gprof profile. Found
      by Jacob.
    - Disable some debugging checks that appeared in exit node profile
      data.

  o Minor features:
    - Update to the "June 3 2009" ip-to-country file.
    - Do not have tor-resolve automatically refuse all .onion addresses;
      if AutomapHostsOnResolve is set in your torrc, this will work fine.

  o Minor bugfixes (on 0.2.0.x):
    - Log correct error messages for DNS-related network errors on
      Windows.
    - Fix a race condition that could cause crashes or memory corruption
      when running as a server with a controller listening for log
      messages.
    - Avoid crashing when we have a policy specified in a DirPolicy or
      SocksPolicy or ReachableAddresses option with ports set on it,
      and we re-load the policy. May fix bug 996.
    - Hidden service clients didn't use a cached service descriptor that
      was older than 15 minutes, but wouldn't fetch a new one either,
      because there was already one in the cache. Now, fetch a v2
      descriptor unless the same descriptor was added to the cache within
      the last 15 minutes. Fixes bug 997; reported by Marcus Griep.

  o Minor bugfixes (on 0.2.1.x):
    - Don't warn users about low port and hibernation mix when they
      provide a *ListenAddress directive to fix that. Bugfix on
      0.2.1.15-rc.
    - When switching back and forth between bridge mode, do not start
      gathering GeoIP data until two hours have passed.
    - Do not complain that the user has requested an excluded node as
      an exit when the node is not really an exit. This could happen
      because the circuit was for testing, or an introduction point.
      Fix for bug 984.


Changes in version 0.2.1.15-rc - 2009-05-25
  Tor 0.2.1.15-rc marks the second release candidate for the 0.2.1.x
  series. It fixes a major bug on fast exit relays, as well as a variety
  of more minor bugs.

  o Major bugfixes (on 0.2.0.x):
    - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
      that would occur on some exit nodes when DNS failures and timeouts
      occurred in certain patterns. Fix for bug 957.

  o Minor bugfixes (on 0.2.0.x):
    - Actually return -1 in the error case for read_bandwidth_usage().
      Harmless bug, since we currently don't care about the return value
      anywhere. Bugfix on 0.2.0.9-alpha.
    - Provide a more useful log message if bug 977 (related to buffer
      freelists) ever reappears, and do not crash right away.
    - Fix an assertion failure on 64-bit platforms when we allocated
      memory right up to the end of a memarea, then realigned the memory
      one step beyond the end. Fixes a possible cause of bug 930.
    - Protect the count of open sockets with a mutex, so we can't
      corrupt it when two threads are closing or opening sockets at once.
      Fix for bug 939. Bugfix on 0.2.0.1-alpha.
    - Don't allow a bridge to publish its router descriptor to a
      non-bridge directory authority. Fixes part of bug 932.
    - When we change to or from being a bridge, reset our counts of
      client usage by country. Fixes bug 932.
    - Fix a bug that made stream bandwidth get misreported to the
      controller.
    - Stop using malloc_usable_size() to use more area than we had
      actually allocated: it was safe, but made valgrind really unhappy.
    - Fix a memory leak when v3 directory authorities load their keys
      and cert from disk. Bugfix on 0.2.0.1-alpha.

  o Minor bugfixes (on 0.2.1.x):
    - Fix use of freed memory when deciding to mark a non-addable
      descriptor as never-downloadable. Bugfix on 0.2.1.9-alpha.


Changes in version 0.2.1.14-rc - 2009-04-12
  Tor 0.2.1.14-rc marks the first release candidate for the 0.2.1.x
  series. It begins fixing some major performance problems, and also
  finally addresses the bug that was causing relays on dynamic IP
  addresses to fall out of the directory.

  o Major features:
    - Clients replace entry guards that were chosen more than a few months
      ago. This change should significantly improve client performance,
      especially once more people upgrade, since relays that have been
      a guard for a long time are currently overloaded.

  o Major bugfixes (on 0.2.0):
    - Finally fix the bug where dynamic-IP relays disappear when their
      IP address changes: directory mirrors were mistakenly telling
      them their old address if they asked via begin_dir, so they
      never got an accurate answer about their new address, so they
      just vanished after a day. For belt-and-suspenders, relays that
      don't set Address in their config now avoid using begin_dir for
      all direct connections. Should fix bugs 827, 883, and 900.
    - Relays were falling out of the networkstatus consensus for
      part of a day if they changed their local config but the
      authorities discarded their new descriptor as "not sufficiently
      different". Now directory authorities accept a descriptor as changed
      if bandwidthrate or bandwidthburst changed. Partial fix for bug 962;
      patch by Sebastian.
    - Avoid crashing in the presence of certain malformed descriptors.
      Found by lark, and by automated fuzzing.

  o Minor features:
    - When generating circuit events with verbose nicknames for
      controllers, try harder to look up nicknames for routers on a
      circuit. (Previously, we would look in the router descriptors we had
      for nicknames, but not in the consensus.) Partial fix for bug 941.
    - If the bridge config line doesn't specify a port, assume 443.
      This makes bridge lines a bit smaller and easier for users to
      understand.
    - Raise the minimum bandwidth to be a relay from 20000 bytes to 20480
      bytes (aka 20KB/s), to match our documentation. Also update
      directory authorities so they always assign the Fast flag to relays
      with 20KB/s of capacity. Now people running relays won't suddenly
      find themselves not seeing any use, if the network gets faster
      on average.
    - Update to the "April 3 2009" ip-to-country file.

  o Minor bugfixes:
    - Avoid trying to print raw memory to the logs when we decide to
      give up on downloading a given relay descriptor. Bugfix on
      0.2.1.9-alpha.
    - In tor-resolve, when the Tor client to use is specified by
      <hostname>:<port>, actually use the specified port rather than
      defaulting to 9050. Bugfix on 0.2.1.6-alpha.
    - Make directory usage recording work again. Bugfix on 0.2.1.6-alpha.
    - When starting with a cache over a few days old, do not leak
      memory for the obsolete router descriptors in it. Bugfix on
      0.2.0.33.
    - Avoid double-free on list of successfully uploaded hidden
      service descriptors. Fix for bug 948. Bugfix on 0.2.1.6-alpha.
    - Change memarea_strndup() implementation to work even when
      duplicating a string at the end of a page. This bug was
      harmless for now, but could have meant crashes later. Fix by
      lark. Bugfix on 0.2.1.1-alpha.
    - Limit uploaded directory documents to be 16M rather than 500K.
      The directory authorities were refusing v3 consensus votes from
      other authorities, since the votes are now 504K. Fixes bug 959;
      bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
    - Directory authorities should never send a 503 "busy" response to
      requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
      bug 959.


Changes in version 0.2.1.13-alpha - 2009-03-09
  Tor 0.2.1.13-alpha includes another big pile of minor bugfixes and
  cleanups. We're finally getting close to a release candidate.

  o Major bugfixes:
    - Correctly update the list of which countries we exclude as
      exits, when the GeoIP file is loaded or reloaded. Diagnosed by
      lark. Bugfix on 0.2.1.6-alpha.

  o Minor bugfixes (on 0.2.0.x and earlier):
    - Automatically detect MacOSX versions earlier than 10.4.0, and
      disable kqueue from inside Tor when running with these versions.
      We previously did this from the startup script, but that was no
      help to people who didn't use the startup script. Resolves bug 863.
    - When we had picked an exit node for a connection, but marked it as
      "optional", and it turned out we had no onion key for the exit,
      stop wanting that exit and try again. This situation may not
      be possible now, but will probably become feasible with proposal
      158. Spotted by rovv. Fixes another case of bug 752.
    - Clients no longer cache certificates for authorities they do not
      recognize. Bugfix on 0.2.0.9-alpha.
    - When we can't transmit a DNS request due to a network error, retry
      it after a while, and eventually transmit a failing response to
      the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
    - If the controller claimed responsibility for a stream, but that
      stream never finished making its connection, it would live
      forever in circuit_wait state. Now we close it after SocksTimeout
      seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
    - Drop begin cells to a hidden service if they come from the middle
      of a circuit. Patch from lark.
    - When we erroneously receive two EXTEND cells for the same circuit
      ID on the same connection, drop the second. Patch from lark.
    - Fix a crash that occurs on exit nodes when a nameserver request
      timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
      been suppressing the bug since 0.1.2.10-alpha. Partial fix for
      bug 929.
    - Do not assume that a stack-allocated character array will be
      64-bit aligned on platforms that demand that uint64_t access is
      aligned. Possible fix for bug 604.
    - Parse dates and IPv4 addresses in a locale- and libc-independent
      manner, to avoid platform-dependent behavior on malformed input.
    - Build correctly when configured to build outside the main source
      path. Patch from Michael Gold.
    - We were already rejecting relay begin cells with destination port
      of 0. Now also reject extend cells with destination port or address
      of 0. Suggested by lark.

  o Minor bugfixes (on 0.2.1.x):
    - Don't re-extend introduction circuits if we ran out of RELAY_EARLY
      cells. Bugfix on 0.2.1.3-alpha. Fixes more of bug 878.
    - If we're an exit node, scrub the IP address to which we are exiting
      in the logs. Bugfix on 0.2.1.8-alpha.

  o Minor features:
    - On Linux, use the prctl call to re-enable core dumps when the User
      option is set.
    - New controller event NEWCONSENSUS that lists the networkstatus
      lines for every recommended relay. Now controllers like Torflow
      can keep up-to-date on which relays they should be using.
    - Update to the "February 26 2009" ip-to-country file.


Changes in version 0.2.0.34 - 2009-02-08
  Tor 0.2.0.34 features several more security-related fixes. You should
  upgrade, especially if you run an exit relay (remote crash) or a
  directory authority (remote infinite loop), or you're on an older
  (pre-XP) or not-recently-patched Windows (remote exploit).

  This release marks end-of-life for Tor 0.1.2.x. Those Tor versions
  have many known flaws, and nobody should be using them. You should
  upgrade. If you're using a Linux or BSD and its packages are obsolete,
  stop using those packages and upgrade anyway.

  o Security fixes:
    - Fix an infinite-loop bug on handling corrupt votes under certain
      circumstances. Bugfix on 0.2.0.8-alpha.
    - Fix a temporary DoS vulnerability that could be performed by
      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
    - Avoid a potential crash on exit nodes when processing malformed
      input. Remote DoS opportunity. Bugfix on 0.2.0.33.
    - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
      Spec conformance issue. Bugfix on Tor 0.0.2pre27.
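  The two address-parsing items in this log (the incomplete-address rejection
  above, and the locale- and libc-independent parser in 0.2.1.13-alpha) are
  illustrated by the following added example. It is not Tor's tor_inet_aton();
  it puts a strict dotted-quad parser beside a model of the permissive classic
  BSD inet_aton() grammar and, going one step further than the log requires,
  also rejects leading zeros in octets so that decimal/octal ambiguity cannot
  arise. All inputs in the table are constructed for the example.

```c
/* Added example, not Tor's code: a strict IPv4 dotted-quad parser next to a
 * model of the permissive classic BSD inet_aton() grammar, with constructed
 * inputs showing where the two disagree (the parser differential). */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Strict: exactly four decimal octets 0..255, no leading zeros, single dots,
 * nothing before or after. Uses no ctype.h or strtol(), so the result cannot
 * depend on locale or libc quirks. Host byte order; returns 1 on success. */
int parse_ipv4_strict(const char *s, uint32_t *out)
{
    uint32_t addr = 0;
    int octets = 0;
    if (s == NULL || out == NULL)
        return 0;
    for (;;) {
        unsigned v = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9') {
            if (digits == 1 && v == 0)
                return 0;       /* leading zero: "01", "0300" (stricter choice) */
            v = v * 10 + (unsigned)(*s - '0');
            if (v > 255)
                return 0;       /* out of range: "256", "3232235521" */
            digits++; s++;
        }
        if (digits == 0)
            return 0;           /* empty octet: "1..2.3", "", " 1.2.3.4" */
        addr = (addr << 8) | v;
        if (++octets == 4)
            break;
        if (*s++ != '.')
            return 0;           /* too few octets: "192.168.0" */
    }
    if (*s != '\0')
        return 0;               /* trailing data: "1.2.3.4.5", "1.2.3.4 " */
    *out = addr;
    return 1;
}

/* Model of the classic inet_aton() rules: one to four parts in C number
 * syntax (leading 0 = octal, 0x = hex), the last part filling all remaining
 * bytes. Only here to show the divergence; libc details such as tolerated
 * trailing whitespace are not modelled. */
int parse_ipv4_classic(const char *s, uint32_t *out)
{
    unsigned long part[4];
    uint64_t acc = 0;
    int n = 0, i, rest;
    if (s == NULL || out == NULL)
        return 0;
    for (;;) {
        char *end;
        if (n == 4 || *s < '0' || *s > '9')
            return 0;
        part[n++] = strtoul(s, &end, 0);    /* base 0: octal and hex accepted */
        s = end;
        if (*s == '\0')
            break;
        if (*s++ != '.')
            return 0;
    }
    rest = 4 - (n - 1);                     /* bytes the last part must fill */
    for (i = 0; i < n - 1; i++) {
        if (part[i] > 255)
            return 0;
        acc = (acc << 8) | part[i];
    }
    if ((uint64_t)part[n - 1] > ((uint64_t)1 << (8 * rest)) - 1)
        return 0;
    *out = (uint32_t)((acc << (8 * rest)) | part[n - 1]);
    return 1;
}

/* Constructed inputs: expected strict/classic outcomes and the address the
 * permissive grammar yields (host order) when it accepts the input. */
struct ipv4_case { const char *in; int strict_ok, classic_ok; uint32_t classic_addr; };
static const struct ipv4_case cases[] = {
    { "192.168.0.1",   1, 1, 0xC0A80001u },
    { "192.168.0",     0, 1, 0xC0A80000u }, /* the ChangeLog's case: silently padded */
    { "3232235521",    0, 1, 0xC0A80001u }, /* one number is the whole address */
    { "0300.0250.0.1", 0, 1, 0xC0A80001u }, /* octal octets */
    { "0xC0.0xA8.0.1", 0, 1, 0xC0A80001u }, /* hex octets */
    { "192.168.0.01",  0, 1, 0xC0A80001u }, /* leading zero */
    { "256.1.1.1",     0, 0, 0 }, { "1.2.3.4.5", 0, 0, 0 }, { "", 0, 0, 0 },
};

/* Return how many table rows behave differently from the expectation
 * (0 means both parsers behave exactly as specified above). */
int count_mismatches(void)
{
    int bad = 0;
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t a = 0, b = 0;
        int so = parse_ipv4_strict(cases[i].in, &a);
        int co = parse_ipv4_classic(cases[i].in, &b);
        bad += (so != cases[i].strict_ok || co != cases[i].classic_ok ||
                (co && b != cases[i].classic_addr));
    }
    return bad;
}
```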

  o Minor bugfixes:
    - Fix compilation on systems where time_t is a 64-bit integer.
      Patch from Matthias Drochner.
    - Don't consider expiring already-closed client connections. Fixes
      bug 893. Bugfix on 0.0.2pre20.


Changes in version 0.2.1.12-alpha - 2009-02-08
  Tor 0.2.1.12-alpha features several more security-related fixes. You
  should upgrade, especially if you run an exit relay (remote crash) or
  a directory authority (remote infinite loop), or you're on an older
  (pre-XP) or not-recently-patched Windows (remote exploit). It also
  includes a big pile of minor bugfixes and cleanups.

  o Security fixes:
    - Fix an infinite-loop bug on handling corrupt votes under certain
      circumstances. Bugfix on 0.2.0.8-alpha.
    - Fix a temporary DoS vulnerability that could be performed by
      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
    - Avoid a potential crash on exit nodes when processing malformed
      input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha.

  o Minor bugfixes:
    - Let controllers actually ask for the "clients_seen" event for
      getting usage summaries on bridge relays. Bugfix on 0.2.1.10-alpha;
      reported by Matt Edman.
    - Fix a compile warning on OSX Panther. Fixes bug 913; bugfix against
      0.2.1.11-alpha.
    - Fix a bug in address parsing that was preventing bridges or hidden
      service targets from being at IPv6 addresses.
    - Solve a bug that kept hardware crypto acceleration from getting
      enabled when accounting was turned on. Fixes bug 907. Bugfix on
      0.0.9pre6.
    - Remove a bash-ism from configure.in to build properly on non-Linux
      platforms. Bugfix on 0.2.1.1-alpha.
    - Fix code so authorities _actually_ send back X-Descriptor-Not-New
      headers. Bugfix on 0.2.0.10-alpha.
    - Don't consider expiring already-closed client connections. Fixes
      bug 893. Bugfix on 0.0.2pre20.
    - Fix another interesting corner-case of bug 891 spotted by rovv:
      Previously, if two hosts had different amounts of clock drift, and
      one of them created a new connection with just the wrong timing,
      the other might decide to deprecate the new connection erroneously.
      Bugfix on 0.1.1.13-alpha.
    - Resolve a very rare crash bug that could occur when the user forced
      a nameserver reconfiguration during the middle of a nameserver
      probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
    - Support changing value of ServerDNSRandomizeCase during SIGHUP.
      Bugfix on 0.2.1.7-alpha.
    - If we're using bridges and our network goes away, be more willing
      to forgive our bridges and try again when we get an application
      request. Bugfix on 0.2.0.x.

  o Minor features:
    - Support platforms where time_t is 64 bits long. (Congratulations,
      NetBSD!) Patch from Matthias Drochner.
    - Add a 'getinfo status/clients-seen' controller command, in case
      controllers want to hear clients_seen events but connect late.

  o Build changes:
    - Disable GCC's strict alias optimization by default, to avoid the
      likelihood of its introducing subtle bugs whenever our code violates
      the letter of C99's alias rules.


Changes in version 0.2.0.33 - 2009-01-21
  Tor 0.2.0.33 fixes a variety of bugs that were making relays less
  useful to users. It also finally fixes a bug where a relay or client
  that's been off for many days would take a long time to bootstrap.

  This update also fixes an important security-related bug reported by
  Ilja van Sprundel. You should upgrade. (We'll send out more details
  about the bug once people have had some time to upgrade.)

  o Security fixes:
    - Fix a heap-corruption bug that may be remotely triggerable on
      some platforms. Reported by Ilja van Sprundel.

  o Major bugfixes:
    - When a stream at an exit relay is in state "resolving" or
      "connecting" and it receives an "end" relay cell, the exit relay
      would silently ignore the end cell and not close the stream. If
      the client never closes the circuit, then the exit relay never
      closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
      reported by "wood".
    - When sending CREATED cells back for a given circuit, use a 64-bit
      connection ID to find the right connection, rather than an addr:port
      combination. Now that we can have multiple OR connections between
      the same ORs, it is no longer possible to use addr:port to uniquely
      identify a connection.
    - Bridge relays that had DirPort set to 0 would stop fetching
      descriptors shortly after startup, and then briefly resume
      after a new bandwidth test and/or after publishing a new bridge
      descriptor. Bridge users that try to bootstrap from them would
      get a recent networkstatus but would get descriptors from up to
      18 hours earlier, meaning most of the descriptors were obsolete
      already. Reported by Tas; bugfix on 0.2.0.13-alpha.
    - Prevent bridge relays from serving their 'extrainfo' document
      to anybody who asks, now that extrainfo docs include potentially
      sensitive aggregated client geoip summaries. Bugfix on
      0.2.0.13-alpha.
    - If the cached networkstatus consensus is more than five days old,
      discard it rather than trying to use it. In theory it could be
      useful because it lists alternate directory mirrors, but in practice
      it just means we spend many minutes trying directory mirrors that
      are long gone from the network. Also discard router descriptors as
      we load them if they are more than five days old, since the onion
      key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.

  o Minor bugfixes:
    - Do not mark the smartlist_bsearch_idx() function as ATTR_PURE. This bug
      could make gcc generate non-functional binary search code. Bugfix
      on 0.2.0.10-alpha.
    - Build correctly on platforms without socklen_t.
    - Compile without warnings on Solaris.
    - Avoid potential crash on internal error during signature collection.
      Fixes bug 864. Patch from rovv.
    - Correct handling of possible malformed authority signing key
      certificates with internal signature types. Fixes bug 880.
      Bugfix on 0.2.0.3-alpha.
    - Fix a hard-to-trigger resource leak when logging credential status.
      CID 349.
    - When we can't initialize DNS because the network is down, do not
      automatically stop Tor from starting. Instead, we retry failed
      dns_init() every 10 minutes, and change the exit policy to reject
      *:* until one succeeds. Fixes bug 691.
    - Use 64 bits instead of 32 bits for connection identifiers used with
      the controller protocol, to greatly reduce risk of identifier reuse.
    - When we're choosing an exit node for a circuit, and we have
      no pending streams, choose a good general exit rather than one that
      supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
    - Fix another case of assuming, when a specific exit is requested,
      that we know more than the user about what hosts it allows.
      Fixes one case of bug 752. Patch from rovv.
    - Clip the MaxCircuitDirtiness config option to a minimum of 10
      seconds. Warn the user if lower values are given in the
      configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
    - Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
      user if lower values are given in the configuration. Bugfix on
      0.1.1.17-rc. Patch by Sebastian.
    - Fix a memory leak when we decline to add a v2 rendezvous descriptor to
      the cache because we already had a v0 descriptor with the same ID.
      Bugfix on 0.2.0.18-alpha.
    - Fix a race condition when freeing keys shared between main thread
      and CPU workers that could result in a memory leak. Bugfix on
      0.1.0.1-rc. Fixes bug 889.
    - Send a valid END cell back when a client tries to connect to a
      nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
      840. Patch from rovv.
    - Check which hops rendezvous stream cells are associated with to
      prevent possible guess-the-streamid injection attacks from
      intermediate hops. Fixes another case of bug 446. Based on patch
      from rovv.
    - If a broken client asks a non-exit router to connect somewhere,
      do not even do the DNS lookup before rejecting the connection.
      Fixes another case of bug 619. Patch from rovv.
    - When a relay gets a create cell it can't decrypt (e.g. because it's
      using the wrong onion key), we were dropping it and letting the
      client time out. Now actually answer with a destroy cell. Fixes
      bug 904. Bugfix on 0.0.2pre8.

  o Minor bugfixes (hidden services):
    - Do not throw away existing introduction points on SIGHUP. Bugfix on
      0.0.6pre1. Patch by Karsten. Fixes bug 874.

  o Minor features:
    - Report the case where all signatures in a detached set are rejected
      differently than the case where there is an error handling the
      detached set.
    - When we realize that another process has modified our cached
      descriptors, print out a more useful error message rather than
      triggering an assertion. Fixes bug 885. Patch from Karsten.
    - Implement the 0x20 hack to better resist DNS poisoning: set the
      case on outgoing DNS requests randomly, and reject responses that do
      not match the case correctly. This logic can be disabled with the
      ServerDNSRandomizeCase setting, if you are using one of the 0.3%
      of servers that do not reliably preserve case in replies. See
      "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
      for more info.
    - Check DNS replies for more matching fields to better resist DNS
      poisoning.
    - Never use OpenSSL compression: it wastes RAM and CPU trying to
      compress cells, which are basically all encrypted, compressed, or
      both.


Changes in version 0.2.1.11-alpha - 2009-01-20
  Tor 0.2.1.11-alpha finishes fixing the "if your Tor is off for a
  week it will take a long time to bootstrap again" bug. It also fixes
  an important security-related bug reported by Ilja van Sprundel. You
  should upgrade. (We'll send out more details about the bug once people
  have had some time to upgrade.)

  o Security fixes:
    - Fix a heap-corruption bug that may be remotely triggerable on
      some platforms. Reported by Ilja van Sprundel.

  o Major bugfixes:
    - Discard router descriptors as we load them if they are more than
      five days old. Otherwise if Tor is off for a long time and then
      starts with cached descriptors, it will try to use the onion
      keys in those obsolete descriptors when building circuits. Bugfix
      on 0.2.0.x. Fixes bug 887.

  o Minor features:
    - Try to make sure that the version of Libevent we're running with
      is binary-compatible with the one we built with. May address bug
      897 and others.
    - Make setting ServerDNSRandomizeCase to 0 actually work. Bugfix
      for bug 905. Bugfix on 0.2.1.7-alpha.
    - Add a new --enable-local-appdata configuration switch to change
      the default location of the datadir on win32 from APPDATA to
      LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
      entirely. Patch from coderman.

  o Minor bugfixes:
    - Make outbound DNS packets respect the OutboundBindAddress setting.
      Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
    - When our circuit fails at the first hop (e.g. we get a destroy
      cell back), avoid using that OR connection anymore, and also
      tell all the one-hop directory requests waiting for it that they
      should fail. Bugfix on 0.2.1.3-alpha.
    - In the torify(1) manpage, mention that tsocks will leak your
      DNS requests.


Changes in version 0.2.1.10-alpha - 2009-01-06
  Tor 0.2.1.10-alpha fixes two major bugs in bridge relays (one that
  would make the bridge relay not so useful if it had DirPort set to 0,
  and one that could let an attacker learn a little bit of information
  about the bridge's users), and a bug that would cause your Tor relay
  to ignore a circuit create request it can't decrypt (rather than reply
  with an error). It also fixes a wide variety of other bugs.

  o Major bugfixes:
    - If the cached networkstatus consensus is more than five days old,
      discard it rather than trying to use it. In theory it could
      be useful because it lists alternate directory mirrors, but in
      practice it just means we spend many minutes trying directory
      mirrors that are long gone from the network. Helps bug 887 a bit;
      bugfix on 0.2.0.x.
    - Bridge relays that had DirPort set to 0 would stop fetching
      descriptors shortly after startup, and then briefly resume
      after a new bandwidth test and/or after publishing a new bridge
      descriptor. Bridge users that try to bootstrap from them would
      get a recent networkstatus but would get descriptors from up to
      18 hours earlier, meaning most of the descriptors were obsolete
      already. Reported by Tas; bugfix on 0.2.0.13-alpha.
    - Prevent bridge relays from serving their 'extrainfo' document
      to anybody who asks, now that extrainfo docs include potentially
      sensitive aggregated client geoip summaries. Bugfix on
      0.2.0.13-alpha.

  o Minor features:
    - New controller event "clients_seen" to report a geoip-based summary
      of which countries we've seen clients from recently. Now controllers
      like Vidalia can show bridge operators that they're actually making
      a difference.
    - Build correctly against versions of OpenSSL 0.9.8 or later built
      without support for deprecated functions.
    - Update to the "December 19 2008" ip-to-country file.

  o Minor bugfixes (on 0.2.0.x):
    - Authorities now vote for the Stable flag for any router whose
      weighted MTBF is at least 5 days, regardless of the mean MTBF.
    - Do not remove routers as too old if we do not have any consensus
      document. Bugfix on 0.2.0.7-alpha.
    - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
      Spec conformance issue. Bugfix on Tor 0.0.2pre27.
    - When an exit relay resolves a stream address to a local IP address,
      do not just keep retrying that same exit relay over and
      over. Instead, just close the stream. Addresses bug 872. Bugfix
      on 0.2.0.32. Patch from rovv.
    - If a hidden service sends us an END cell, do not consider
      retrying the connection; just close it. Patch from rovv.
    - When we made bridge authorities stop serving bridge descriptors over
      unencrypted links, we also broke DirPort reachability testing for
      bridges. So bridges with a non-zero DirPort were printing spurious
      warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
    - When a relay gets a create cell it can't decrypt (e.g. because it's
      using the wrong onion key), we were dropping it and letting the
      client time out. Now actually answer with a destroy cell. Fixes
      bug 904. Bugfix on 0.0.2pre8.
    - Squeeze 2-5% out of client performance (according to oprofile) by
      improving the implementation of some policy-manipulation functions.

  o Minor bugfixes (on 0.2.1.x):
    - Make get_interface_address() function work properly again; stop
      guessing the wrong parts of our address as our address.
    - Do not cannibalize a circuit if we're out of RELAY_EARLY cells to
      send on that circuit. Otherwise we might violate the proposal-110
      limit. Bugfix on 0.2.1.3-alpha. Partial fix for bug 878. Diagnosis
      thanks to Karsten.
    - When we're sending non-EXTEND cells to the first hop in a circuit,
      for example to use an encrypted directory connection, we don't need
      to use RELAY_EARLY cells: the first hop knows what kind of cell
      it is, and nobody else can even see the cell type. Conserving
      RELAY_EARLY cells makes it easier to cannibalize circuits like
      this later.
    - Stop logging nameserver addresses in reverse order.
    - If we are retrying a directory download slowly over and over, do
      not automatically give up after the 254th failure. Bugfix on
      0.2.1.9-alpha.
    - Resume reporting accurate "stream end" reasons to the local control
      port. They were lost in the changes for Proposal 148. Bugfix on
      0.2.1.9-alpha.

  o Deprecated and removed features:
    - The old "tor --version --version" command, which would print out
      the subversion "Id" of most of the source files, is now removed. It
      turned out to be less useful than we'd expected, and harder to
      maintain.

  o Code simplifications and refactoring:
    - Change our header file guard macros to be less likely to conflict
      with system headers. Adam Langley noticed that we were conflicting
      with log.h on Android.
    - Tool-assisted documentation cleanup. Nearly every function or
      static variable in Tor should have its own documentation now.


Changes in version 0.2.1.9-alpha - 2008-12-25
  Tor 0.2.1.9-alpha fixes many more bugs, some of them security-related.

  o New directory authorities:
    - gabelmoo (the authority run by Karsten Loesing) now has a new
      IP address.

  o Security fixes:
    - Never use a connection with a mismatched address to extend a
      circuit, unless that connection is canonical. A canonical
      connection is one whose address is authenticated by the router's
      identity key, either in a NETINFO cell or in a router descriptor.
    - Avoid a possible memory corruption bug when receiving hidden service
      descriptors. Bugfix on 0.2.1.6-alpha.

  o Major bugfixes:
    - Fix a logic error that would automatically reject all but the first
      configured DNS server. Bugfix on 0.2.1.5-alpha. Possible fix for
      part of bug 813/868. Bug spotted by coderman.
    - When a stream at an exit relay is in state "resolving" or
      "connecting" and it receives an "end" relay cell, the exit relay
      would silently ignore the end cell and not close the stream. If
      the client never closes the circuit, then the exit relay never
      closes the TCP connection. Bug introduced in 0.1.2.1-alpha;
      reported by "wood".
    - When we can't initialize DNS because the network is down, do not
      automatically stop Tor from starting. Instead, retry failed
      dns_init() every 10 minutes, and change the exit policy to reject
      *:* until one succeeds. Fixes bug 691.

  o Minor features:
    - Give a better error message when an overzealous init script says
      "sudo -u username tor --user username". Makes Bug 882 easier for
      users to diagnose.
    - When a directory authority gives us a new guess for our IP address,
      log which authority we used. Hopefully this will help us debug
      the recent complaints about bad IP address guesses.
    - Detect svn revision properly when we're using git-svn.
    - Try not to open more than one descriptor-downloading connection
      to an authority at once. This should reduce load on directory
      authorities. Fixes bug 366.
    - Add cross-certification to newly generated certificates, so that
      a signing key is enough information to look up a certificate.
      Partial implementation of proposal 157.
    - Start serving certificates by <identity digest, signing key digest>
      pairs. Partial implementation of proposal 157.
    - Clients now never report any stream end reason except 'MISC'.
      Implements proposal 148.
    - On platforms with a maximum syslog string length, truncate syslog
      messages to that length ourselves, rather than relying on the
      system to do it for us.
    - Optimize out calls to time(NULL) that occur for every IO operation,
      or for every cell. On systems where time() is a slow syscall,
      this fix will be slightly helpful.
    - Exit servers can now answer resolve requests for ip6.arpa addresses.
    - When we download a descriptor that we then immediately (as
      a directory authority) reject, do not retry downloading it right
      away. Should save some bandwidth on authorities. Fix for bug
      888. Patch by Sebastian Hahn.
    - When a download gets us zero good descriptors, do not notify
      Tor that new directory information has arrived.
    - Avoid some nasty corner cases in the logic for marking connections
      as too old or obsolete or noncanonical for circuits. Partial
      bugfix on bug 891.

  o Minor features (controller):
    - New CONSENSUS_ARRIVED event to note when a new consensus has
      been fetched and validated.
    - When we realize that another process has modified our cached
      descriptors file, print out a more useful error message rather
      than triggering an assertion. Fixes bug 885. Patch from Karsten.
    - Add an internal-use-only __ReloadTorrcOnSIGHUP option for
      controllers to prevent SIGHUP from reloading the
      configuration. Fixes bug 856.

  o Minor bugfixes:
    - Resume using the correct "REASON=" stream when telling the
      controller why we closed a stream. Bugfix in 0.2.1.1-alpha.
    - When a canonical connection appears later in our internal list
      than a noncanonical one for a given OR ID, always use the
      canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
      Spotted by rovv.
    - Clip the MaxCircuitDirtiness config option to a minimum of 10
      seconds. Warn the user if lower values are given in the
      configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
    - Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
      user if lower values are given in the configuration. Bugfix on
      0.1.1.17-rc. Patch by Sebastian.
    - Fix a race condition when freeing keys shared between main thread
      and CPU workers that could result in a memory leak. Bugfix on
      0.1.0.1-rc. Fixes bug 889.

  o Minor bugfixes (hidden services):
    - Do not throw away existing introduction points on SIGHUP (bugfix on
      0.0.6pre1); also, do not stall hidden services because we're
      throwing away introduction points; bugfix on 0.2.1.7-alpha. Spotted
      by John Brooks. Patch by Karsten. Fixes bug 874.
    - Fix a memory leak when we decline to add a v2 rendezvous
      descriptor to the cache because we already had a v0 descriptor
      with the same ID. Bugfix on 0.2.0.18-alpha.

  o Deprecated and removed features:
    - RedirectExits has been removed. It was deprecated since
      0.2.0.3-alpha.
    - Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
      has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
    - Cell pools are now always enabled; --disable-cell-pools is ignored.

  o Code simplifications and refactoring:
    - Rename the confusing or_is_obsolete field to the more appropriate
      is_bad_for_new_circs, and move it to or_connection_t where it
      belongs.
    - Move edge-only flags from connection_t to edge_connection_t: not
      only is this better coding, but on machines of plausible alignment,
      it should save 4-8 bytes per connection_t. "Every little bit helps."
    - Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
      for consistency; keep old option working for backward compatibility.
    - Simplify the code for finding connections to use for a circuit.


Changes in version 0.2.1.8-alpha - 2008-12-08
  Tor 0.2.1.8-alpha fixes some crash bugs in earlier alpha releases,
  builds better on unusual platforms like Solaris and old OS X, and
  fixes a variety of other issues.

  o Major features:
    - New DirPortFrontPage option that takes an html file and publishes
      it as "/" on the DirPort. Now relay operators can provide a
      disclaimer without needing to set up a separate webserver. There's
      a sample disclaimer in contrib/tor-exit-notice.html.

  o Security fixes:
    - When the client is choosing entry guards, now it selects at most
      one guard from a given relay family. Otherwise we could end up with
      all of our entry points into the network run by the same operator.
      Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.

  o Major bugfixes:
    - Fix a DOS opportunity during the voting signature collection process
      at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
    - Fix a possible segfault when establishing an exit connection. Bugfix
      on 0.2.1.5-alpha.

  o Minor bugfixes:
    - Get file locking working on win32. Bugfix on 0.2.1.6-alpha. Fixes
      bug 859.
    - Made Tor a little less aggressive about deleting expired
      certificates. Partial fix for bug 854.
    - Stop doing unaligned memory access that generated bus errors on
      sparc64. Bugfix on 0.2.0.10-alpha. Fix for bug 862.
    - Fix a crash bug when changing EntryNodes from the controller. Bugfix
      on 0.2.1.6-alpha. Fix for bug 867. Patched by Sebastian.
    - Make USR2 log-level switch take effect immediately. Bugfix on
      0.1.2.8-beta.
    - If one win32 nameserver fails to get added, continue adding the
      rest, and don't automatically fail.
    - Use fcntl() for locking when flock() is not available. Should fix
      compilation on Solaris. Should fix Bug 873. Bugfix on 0.2.1.6-alpha.
    - Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
      could make gcc generate non-functional binary search code. Bugfix
      on 0.2.0.10-alpha.
    - Build correctly on platforms without socklen_t.
    - Avoid potential crash on internal error during signature collection.
      Fixes bug 864. Patch from rovv.
    - Do not use C's stdio library for writing to log files. This will
      improve logging performance by a minute amount, and will stop
      leaking fds when our disk is full. Fixes bug 861.
    - Stop erroneous use of O_APPEND in cases where we did not in fact
      want to re-seek to the end of a file before every last write().
    - Correct handling of possible malformed authority signing key
      certificates with internal signature types. Fixes bug 880. Bugfix
      on 0.2.0.3-alpha.
    - Fix a hard-to-trigger resource leak when logging credential status.
      CID 349.

  o Minor features:
    - Directory mirrors no longer fetch the v1 directory or
      running-routers files. They are obsolete, and nobody asks for them
      anymore. This is the first step to making v1 authorities obsolete.

  o Minor features (controller):
    - Return circuit purposes in response to GETINFO circuit-status. Fixes
      bug 858.


Changes in version 0.2.0.32 - 2008-11-20
  Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
  packages (and maybe other packages) noticed by Theo de Raadt, fixes
  a smaller security flaw that might allow an attacker to access local
  services, further improves hidden service performance, and fixes a
  variety of other issues.

  o Security fixes:
    - The "User" and "Group" config options did not clear the
      supplementary group entries for the Tor process. The "User" option
      is now more robust, and we now set the groups to the specified
      user's primary group. The "Group" option is now ignored. For more
      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
    - The "ClientDNSRejectInternalAddresses" config option wasn't being
      consistently obeyed: if an exit relay refuses a stream because its
      exit policy doesn't allow it, we would remember what IP address
      the relay said the destination address resolves to, even if it's
      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.

  o Major bugfixes:
    - Fix a DOS opportunity during the voting signature collection process
      at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.

  o Major bugfixes (hidden services):
    - When fetching v0 and v2 rendezvous service descriptors in parallel,
      we were failing the whole hidden service request when the v0
      descriptor fetch fails, even if the v2 fetch is still pending and
      might succeed. Similarly, if the last v2 fetch fails, we were
      failing the whole hidden service request even if a v0 fetch is
      still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
    - When extending a circuit to a hidden service directory to upload a
      rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
      requests failed, because the router descriptor has not been
      downloaded yet. In these cases, do not attempt to upload the
      rendezvous descriptor, but wait until the router descriptor is
      downloaded and retry. Likewise, do not attempt to fetch a rendezvous
      descriptor from a hidden service directory for which the router
      descriptor has not yet been downloaded. Fixes bug 767. Bugfix
      on 0.2.0.10-alpha.

  o Minor bugfixes:
    - Fix several infrequent memory leaks spotted by Coverity.
    - When testing for libevent functions, set the LDFLAGS variable
      correctly. Found by Riastradh.
    - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
      bootstrapping with tunneled directory connections. Bugfix on
      0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
    - When asked to connect to A.B.exit:80, if we don't know the IP for A
      and we know that server B rejects most-but-not-all connections to
      port 80, we would previously reject the connection. Now, we assume
      the user knows what they were asking for. Fixes bug 752. Bugfix
      on 0.0.9rc5. Diagnosed by BarkerJr.
    - If we overrun our per-second write limits a little, count this as
      having used up our write allocation for the second, and choke
      outgoing directory writes. Previously, we had only counted this when
      we had met our limits precisely. Fixes bug 824. Patch from rovv.
      Bugfix on 0.2.0.x (??).
    - Remove the old v2 directory authority 'lefkada' from the default
      list. It has been gone for many months.
    - Stop doing unaligned memory access that generated bus errors on
      sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
    - Make USR2 log-level switch take effect immediately. Bugfix on
      0.1.2.8-beta.

  o Minor bugfixes (controller):
    - Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
      0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.


Changes in version 0.2.1.7-alpha - 2008-11-08
  Tor 0.2.1.7-alpha fixes a major security problem in Debian and Ubuntu
  packages (and maybe other packages) noticed by Theo de Raadt, fixes
  a smaller security flaw that might allow an attacker to access local
  services, adds better defense against DNS poisoning attacks on exit
  relays, further improves hidden service performance, and fixes a
  variety of other issues.

  o Security fixes:
    - The "ClientDNSRejectInternalAddresses" config option wasn't being
      consistently obeyed: if an exit relay refuses a stream because its
      exit policy doesn't allow it, we would remember what IP address
      the relay said the destination address resolves to, even if it's
      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
    - The "User" and "Group" config options did not clear the
      supplementary group entries for the Tor process. The "User" option
      is now more robust, and we now set the groups to the specified
      user's primary group. The "Group" option is now ignored. For more
      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.
    - Do not use or believe expired v3 authority certificates. Patch
      from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.

  o Minor features:
    - Now NodeFamily and MyFamily config options allow spaces in
      identity fingerprints, so it's easier to paste them in.
      Suggested by Lucky Green.
    - Implement the 0x20 hack to better resist DNS poisoning: set the
      case on outgoing DNS requests randomly, and reject responses that do
      not match the case correctly. This logic can be disabled with the
      ServerDNSRandomizeCase setting, if you are using one of the 0.3%
      of servers that do not reliably preserve case in replies. See
      "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
      for more info.
    - Preserve case in replies to DNSPort requests in order to support
      the 0x20 hack for resisting DNS poisoning attacks.
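
  The following is an added illustration, not Tor's code, of the 0x20 check
  described in the entry above and in the matching 0.2.1.11 entries earlier
  on this page ("Implement the 0x20 hack" and "Check DNS replies for more
  matching fields"): the letter case of the outgoing question name is
  randomized, and a reply is accepted only if its transaction ID, question
  type, class and the exact case of the name all echo the query. The
  randomize_case=False path stands in for setting ServerDNSRandomizeCase to
  0; all function names and the sample messages are constructed here.

```python
import random
import struct

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16-bit, network order)
HEADER = struct.Struct("!HHHHHH")
QTYPE_A = 1
QCLASS_IN = 1


def randomize_case(qname, rng=None):
    """Randomly flip the 0x20 bit of every ASCII letter (the '0x20 hack').
    A case-preserving resolver echoes the pattern back, so a spoofer must
    guess it along with the ID; it must be unpredictable, hence SystemRandom."""
    rng = rng or random.SystemRandom()
    return "".join(c.upper() if rng.getrandbits(1) else c.lower() for c in qname)


def encode_name(qname):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed wire name; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer never appears in a question we sent
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid, qname, qtype=QTYPE_A):
    """Standard recursive query (flags 0x0100) carrying a single question."""
    header = HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(msg):
    """Return (id, flags, qname, qtype, qclass) of a one-question message."""
    txid, flags, qdcount, _, _, _ = HEADER.unpack_from(msg, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, HEADER.size)
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return txid, flags, qname, qtype, qclass


def reply_matches_query(query, reply, randomize_case=True):
    """Accept a reply only if every checkable field echoes the query.
    randomize_case=False models ServerDNSRandomizeCase 0: the name is then
    compared case-insensitively, for the few resolvers that fold case."""
    q_id, _, q_name, q_type, q_class = parse_question(query)
    r_id, r_flags, r_name, r_type, r_class = parse_question(reply)
    if not r_flags & 0x8000:  # QR bit clear: this is a query, not a response
        return False
    if r_id != q_id or r_type != q_type or r_class != q_class:
        return False
    if randomize_case:
        return r_name == q_name  # the exact case pattern must round-trip
    return r_name.lower() == q_name.lower()


def make_reply(query, qname_as_seen):
    """Constructed helper: a reply echoing the query's ID, with the question
    name written as the responder believes it to be."""
    txid, _, _, qtype, qclass = parse_question(query)
    header = HEADER.pack(txid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(qname_as_seen) + struct.pack("!HH", qtype, qclass)


def demo():
    """A case-preserving resolver is accepted; a responder that knows only
    the ID and sends the plain lowercase name is rejected unless 0x20 is off."""
    rng = random.Random(20081108)  # fixed seed so the run is reproducible
    name = randomize_case("www.example.com", rng)
    while name == name.lower():  # resample the rare all-lowercase draw
        name = randomize_case("www.example.com", rng)
    query = build_query(0x1234, name)
    honest = make_reply(query, name)
    guessed = make_reply(query, "www.example.com")
    return {
        "honest": reply_matches_query(query, honest),
        "guessed": reply_matches_query(query, guessed),
        "guessed_0x20_off": reply_matches_query(query, guessed, randomize_case=False),
    }


if __name__ == "__main__":
    print(demo())
```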

  o Hidden service performance improvements:
    - When the client launches an introduction circuit, retry with a
      new circuit after 30 seconds rather than 60 seconds.
    - Launch a second client-side introduction circuit in parallel
      after a delay of 15 seconds (based on work by Christian Wilms).
    - Hidden services start out building five intro circuits rather
      than three, and when the first three finish they publish a service
      descriptor using those. Now we publish our service descriptor much
      faster after restart.

  o Minor bugfixes:
    - Minor fix in the warning messages when you're having problems
      bootstrapping; also, be more forgiving of bootstrap problems when
      we're still making incremental progress on a given bootstrap phase.
    - When we're choosing an exit node for a circuit, and we have
      no pending streams, choose a good general exit rather than one that
      supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
    - Send a valid END cell back when a client tries to connect to a
      nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
      840. Patch from rovv.
    - If a broken client asks a non-exit router to connect somewhere,
      do not even do the DNS lookup before rejecting the connection.
      Fixes another case of bug 619. Patch from rovv.
    - Fix another case of assuming, when a specific exit is requested,
      that we know more than the user about what hosts it allows.
      Fixes another case of bug 752. Patch from rovv.
    - Check which hops rendezvous stream cells are associated with to
      prevent possible guess-the-streamid injection attacks from
      intermediate hops. Fixes another case of bug 446. Based on patch
      from rovv.
    - Avoid using a negative right-shift when comparing 32-bit
      addresses. Possible fix for bug 845 and bug 811.
    - Make the assert_circuit_ok() function work correctly on circuits that
      have already been marked for close.
    - Fix read-off-the-end-of-string error in unit tests when decoding
      introduction points.
    - Fix uninitialized size field for memory area allocation: may improve
      memory performance during directory parsing.
    - Treat duplicate certificate fetches as failures, so that we do
      not try to re-fetch an expired certificate over and over and over.
    - Do not say we're fetching a certificate when we'll in fact skip it
      because of a pending download.


Changes in version 0.2.1.6-alpha - 2008-09-30
1084
1085
1086
1087
  Tor 0.2.1.6-alpha further improves performance and robustness of
  hidden services, starts work on supporting per-country relay selection,
  and fixes a variety of smaller issues.

  o Major features:
    - Implement proposal 121: make it possible to build hidden services
      that only certain clients are allowed to connect to. This is
      enforced at several points, so that unauthorized clients are unable
      to send INTRODUCE cells to the service, or even (depending on the
      type of authentication) to learn introduction points. This feature
      raises the bar for certain kinds of active attacks against hidden
      services. Code by Karsten Loesing.
    - Relays now store and serve v2 hidden service descriptors by default,
      i.e., the new default value for HidServDirectoryV2 is 1. This is
      the last step in proposal 114, which aims to make hidden service
      lookups more reliable.
    - Start work to allow node restrictions to include country codes. The
      syntax to exclude nodes in a country with country code XX is
      "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
      refinement to decide what config options should take priority if
      you ask to both use a particular node and exclude it.
    - Allow ExitNodes list to include IP ranges and country codes, just
      like the Exclude*Nodes lists. Patch from Robert Hogan.

  o Major bugfixes:
    - Fix a bug when parsing ports in tor_addr_port_parse() that caused
      Tor to fail to start if you had it configured to use a bridge
      relay. Fixes bug 809. Bugfix on 0.2.1.5-alpha.
    - When extending a circuit to a hidden service directory to upload a
      rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
      requests failed, because the router descriptor had not been
      downloaded yet. In these cases, we now wait until the router
      descriptor is downloaded, and then retry. Likewise, clients
      now skip over a hidden service directory if they don't yet have
      its router descriptor, rather than futilely requesting it and
      putting mysterious complaints in the logs. Fixes bug 767. Bugfix
      on 0.2.0.10-alpha.
    - When fetching v0 and v2 rendezvous service descriptors in parallel,
      we were failing the whole hidden service request when the v0
      descriptor fetch fails, even if the v2 fetch is still pending and
      might succeed. Similarly, if the last v2 fetch fails, we were
      failing the whole hidden service request even if a v0 fetch is
      still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
    - DNS replies need to have names matching their requests, but
      these names should be in the questions section, not necessarily
      in the answers section. Fixes bug 823. Bugfix on 0.2.1.5-alpha.

  o Minor features:
    - Update to the "September 1 2008" ip-to-country file.
    - Allow ports 465 and 587 in the default exit policy again. We had
      rejected them in 0.1.0.15, because back in 2005 they were commonly
      misconfigured and ended up as spam targets. We hear they are better
      locked down these days.
    - Use a lockfile to make sure that two Tor processes are not
      simultaneously running with the same datadir.
    - Serve the latest v3 networkstatus consensus via the control
      port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
    - Better logging about stability/reliability calculations on directory
      servers.
    - Drop the requirement to have an open dir port for storing and
      serving v2 hidden service descriptors.
    - Directory authorities now serve a /tor/dbg-stability.txt URL to
      help debug WFU and MTBF calculations.
    - Implement most of Proposal 152: allow specialized servers to permit
      single-hop circuits, and clients to use those servers to build
      single-hop circuits when using a specialized controller. Patch
      from Josh Albrecht. Resolves feature request 768.
    - Add a -p option to tor-resolve for specifying the SOCKS port: some
      people find host:port too confusing.
    - Make TrackHostExit mappings expire a while after their last use, not
      after their creation. Patch from Robert Hogan.
    - Provide circuit purposes along with circuit events to the controller.

  o Minor bugfixes:
    - Fix compile on OpenBSD 4.4-current. Bugfix on 0.2.1.5-alpha.
      Reported by Tas.
    - Fixed some memory leaks -- some quite frequent, some almost
      impossible to trigger -- based on results from Coverity.
    - When testing for libevent functions, set the LDFLAGS variable
      correctly. Found by Riastradh.
    - Fix an assertion bug in parsing policy-related options; possible fix
      for bug 811.
    - Catch and report a few more bootstrapping failure cases when Tor
      fails to establish a TCP connection. Cleanup on 0.2.1.x.
    - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
      bootstrapping with tunneled directory connections. Bugfix on
      0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
    - When asked to connect to A.B.exit:80, if we don't know the IP for A
      and we know that server B rejects most-but-not-all connections to
      port 80, we would previously reject the connection. Now, we assume
      the user knows what they were asking for. Fixes bug 752. Bugfix
      on 0.0.9rc5. Diagnosed by BarkerJr.
    - If we are not using BEGIN_DIR cells, don't attempt to contact hidden
      service directories if they have no advertised dir port. Bugfix
      on 0.2.0.10-alpha.
    - If we overrun our per-second write limits a little, count this as
      having used up our write allocation for the second, and choke
      outgoing directory writes. Previously, we had only counted this when
      we had met our limits precisely. Fixes bug 824. Patch by rovv.
      Bugfix on 0.2.0.x (??).
    - Avoid a "0 divided by 0" calculation when calculating router uptime
      at directory authorities. Bugfix on 0.2.0.8-alpha.
    - Make DNS resolved controller events into "CLOSED", not
      "FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
      bug 807.
    - Fix a bug where an unreachable relay would establish enough
      reachability testing circuits to do a bandwidth test -- if
      we already have a connection to the middle hop of the testing
      circuit, then it could establish the last hop by using the existing
      connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
      circuits no longer use entry guards in 0.2.1.3-alpha.
    - If we have incorrect permissions on $datadir, we complain to stdout
      and fail to start. But dangerous permissions on
      $datadir/cached-status/ would cause us to open a log and complain
      there. Now complain to stdout and fail to start in both cases. Fixes
      bug 820, reported by seeess.
    - Remove the old v2 directory authority 'lefkada' from the default
      list. It has been gone for many months.

  o Code simplifications and refactoring:
    - Revise the connection_new functions so that a more typesafe variant
      exists. This will work better with Coverity, and let us find any
      actual mistakes we're making here.
    - Refactor unit testing logic so that dmalloc can be used sensibly
      with unit tests to check for memory leaks.
    - Move all hidden-service related fields from connection and circuit
      structure to substructures: this way they won't eat so much memory.


Changes in version 0.2.0.31 - 2008-09-03
  Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
  a big bug we're seeing where in rare cases traffic from one Tor stream
  gets mixed into another stream, and fixes a variety of smaller issues.

  o Major bugfixes:
    - Make sure that two circuits can never exist on the same connection
      with the same circuit ID, even if one is marked for close. This
      is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
    - Relays now reject risky extend cells: if the extend cell includes
      a digest of all zeroes, or asks to extend back to the relay that
      sent the extend cell, tear down the circuit. Ideas suggested
      by rovv.
    - If not enough of our entry guards are available so we add a new
      one, we might use the new one even if it overlapped with the
      current circuit's exit relay (or its family). Anonymity bugfix
      pointed out by rovv.

  o Minor bugfixes:
    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
      794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
    - Correctly detect the presence of the linux/netfilter_ipv4.h header
      when building against recent kernels. Bugfix on 0.1.2.1-alpha.
    - Pick size of default geoip filename string correctly on windows.
      Fixes bug 806. Bugfix on 0.2.0.30.
    - Make the autoconf script accept the obsolete --with-ssl-dir
      option as an alias for the actually-working --with-openssl-dir
      option. Fix the help documentation to recommend --with-openssl-dir.
      Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
    - When using the TransPort option on OpenBSD, and using the User
      option to change UID and drop privileges, make sure to open
      /dev/pf before dropping privileges. Fixes bug 782. Patch from
      Christopher Davis. Bugfix on 0.1.2.1-alpha.
    - Try to attach connections immediately upon receiving a RENDEZVOUS2
      or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
      on the client side when connecting to a hidden service. Bugfix
      on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
    - When closing an application-side connection because its circuit is
      getting torn down, generate the stream event correctly. Bugfix on
      0.1.2.x. Anonymous patch.


Changes in version 0.2.1.5-alpha - 2008-08-31
  Tor 0.2.1.5-alpha moves us closer to handling IPv6 destinations, puts
  in a lot of the infrastructure for adding authorization to hidden
  services, lays the groundwork for having clients read their load
  balancing information out of the networkstatus consensus rather than
  the individual router descriptors, addresses two potential anonymity
  issues, and fixes a variety of smaller issues.

  o Major features:
    - Convert many internal address representations to optionally hold
      IPv6 addresses.
    - Generate and accept IPv6 addresses in many protocol elements.
    - Make resolver code handle nameservers located at ipv6 addresses.
    - Begin implementation of proposal 121 ("Client authorization for
      hidden services"): configure hidden services with client
      authorization, publish descriptors for them, and configure
      authorization data for hidden services at clients. The next
      step is to actually access hidden services that perform client
      authorization.
    - More progress toward proposal 141: Network status consensus
      documents and votes now contain bandwidth information for each
      router and a summary of that router's exit policy. Eventually this
      will be used by clients so that they do not have to download every
      known descriptor before building circuits.

  o Major bugfixes (on 0.2.0.x and before):